offensive-wifi-recon

Wi-Fi Reconnaissance

The first phase of any wireless engagement. Build a complete picture of the airspace before you deauth, evil-twin, or capture handshakes — every later attack depends on knowing the right BSSID, channel, encryption, and client population.

Quick Workflow

1. Pick the right adapter for the target's band(s) and PHY
2. Verify monitor mode + injection actually work
3. Set the regulatory domain (legal channels and TX power)
4. Sweep all bands passively
5. Drill down on each in-scope BSSID for client population and PMF status
6. Record everything in a structured target list before any active attack

---

Adapter Selection

Chipset	Strengths	Notes
Atheros AR9271 (Alfa AWUS036NHA)	Solid 2.4 GHz monitor + injection	802.11n only
Realtek RTL8812AU (AWUS036ACH)	Dual-band, injection	Driver: aircrack-ng/rtl8812au
MediaTek MT7612U (AWUS036ACM)	Stable dual-band	In-tree driver on modern kernels
MediaTek MT7921AU	Wi-Fi 6 monitor (limited)	Patched drivers required
AWUS036AXML / AXM	Wi-Fi 6E (6 GHz)	Bleeding edge — verify per release

# Identify your radio
lsusb | grep -iE "(atheros|realtek|mediatek|alfa)"
iw dev
iw list | grep -A 8 "Supported interface modes"
iw list | grep -E "Frequencies:" -A 30

Monitor Mode Setup

# Kill conflicting services
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Or manually
sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

# Verify monitor mode + injection
sudo aireplay-ng --test wlan0mon

The injection test should report 30/30 ack rates against nearby APs. Lower scores indicate driver, antenna, or position issues.

Regulatory Domain

# Check current
iw reg get

# Set explicitly (us = United States, jp = Japan extended, etc.)
sudo iw reg set US

Setting the right regdomain unlocks legitimate channels (US: 1–11 on 2.4, 36–165 on 5; JP adds 12–13 + 184+ DFS) and TX power. Operate within the regdomain you're authorized to use.

Passive Multi-Band Sweep

# All bands
sudo airodump-ng wlan0mon --band abg

# 5 GHz only (helps see UNII bands)
sudo airodump-ng wlan0mon --band a

# 6 GHz (requires 6E-capable adapter and updated airodump-ng)
sudo airodump-ng wlan0mon --band ax

# Hop only specific channels
sudo airodump-ng wlan0mon -c 1,6,11,36,40,44,48

Capture to file for later analysis:

sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv

Targeted Capture

Once you've identified an in-scope BSSID:

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon

Pin to the channel — channel-hopping during a focused capture loses frames.

Hidden SSIDs

Hidden APs broadcast beacons with empty ESSID. The name leaks during client probes (active scan) or association requests:

# Wait for legitimate client to associate, ESSID appears in airodump output
# Or, if a client is already associated, deauth them once to force reassociation:
sudo aireplay-ng --deauth 1 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

(Only deauth with explicit authorization — see offensive-deauth-disassoc.)

Kismet for War-Driving

sudo kismet -c wlan0mon
# Open https://localhost:2501 for the dashboard

Kismet handles GPS integration, plots APs to a map, fingerprints by IE order, identifies probable IoT vendors from OUI prefixes, and tags known-vulnerable models.

For long-running captures, drop --no-ncurses and run headless under tmux.

Wigle Submission

If the engagement permits:

# Export Kismet's .kismet → CSV → Wigle import format
kismetdb_dump_devices --in capture.kismet --out devices.csv

(Wigle aggregates wireless network observations geographically — useful for mapping but check ROE.)

Vendor / OUI Identification

# Quick OUI lookup
echo "AA:BB:CC" | wireshark-tools/manuf-lookup
# Or check the airodump CSV's BSSID prefix against /usr/share/wireshark/manuf

Vendor identification informs:

• Likely default credentials (router brand → known defaults)
• Known firmware bugs (CVE per chipset)
• Whether WPS is likely vulnerable (Pixie Dust per chipset)
• Whether KRACK / FragAttacks patches are likely applied (vendor patch cadence)

Data to Record per Target

Field	Why
BSSID	Required for every active attack
ESSID	Match against PNL probes; client probe correlation
Channel + width	Pin radio for capture
Band	Adapter selection
Encryption	WPA2-PSK / WPA2-Enterprise / WPA3-SAE / Open / WEP
PMF (Protected Management Frames)	Whether deauth works
RSSI	Position planning
Beacon interval / TIM	Anomaly detection vs. evil-twin defenders
Vendor (OUI)	Likely default creds, known bugs
Client list (MACs + RSSI)	Targets for deauth/relay
WPS enabled?	Pixie Dust candidate

Detection Considerations

A defender's WIDS sees:

• New device entering the airspace (probe requests reveal even before association)
• Channel hopping patterns of monitor-mode interfaces
• Non-standard probe behavior (KARMA-style universal responses, see offensive-evil-twin)

Pure passive recon (no probes from your radio) is invisible to most WIDS deployments. Stay passive until you're committed to the active phase.

Engagement Cheatsheet

# 1. Setup
sudo airmon-ng check kill && sudo airmon-ng start wlan0
sudo iw reg set US
sudo aireplay-ng --test wlan0mon          # confirm injection (skip if pure passive)

# 2. Sweep all bands, write to file
sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv

# 3. Kismet for sustained map (optional)
sudo kismet -c wlan0mon --no-ncurses --daemonize

# 4. Per BSSID drill-down
sudo airodump-ng -c <ch> --bssid <BSSID> -w <name> wlan0mon

# 5. Build target list with all fields above

---

Key References

• IEEE 802.11-2020 (combined spec)
• aircrack-ng documentation: aircrack-ng.org
• Kismet documentation: kismetwireless.net
• WIGLE: wigle.net (read the API ToS before automated submissions)
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md