RF-201 Week 12 — Cross-Cut: PT-Track Wireless Pentesting

"The RF-201 student who arrives at ADV-101 already knows the protocol RE workflow. The ADV-101 instructor's job is to deploy that workflow against production adversarial targets, not teach it from scratch."


Lecture (90 min)

12.1 What This Week Is

Week 12 is a cross-cut integration week, not a new deep-dive. Its purpose is to connect RF-201's protocol-RE methodology to the Pentest Track's offensive toolchain — specifically the tools and techniques that ADV-101 (Adversarial Techniques) will build on. Students who complete RF-201 arrive at ADV-101 with an explicit RF-layer foundation; students who skip RF-201 and go directly to ADV-101 have a gap at this layer.

This week also gives WIR-101 graduates the opportunity to revisit the engagement tools they know (aircrack-ng, Reaver, Bettercap) with the intermediate-level RF understanding they have built in RF-201.

12.2 The Wireless Pentest Toolchain at RF-201 Depth

Reaver + WPS:

WPS (Wi-Fi Protected Setup) was introduced in 2007 to simplify AP setup. The PIN-based method uses an 8-digit PIN split into two 4-digit halves, validated in two rounds. Brute-forcing 8 digits would require 10^8 tries; the split-validation allows brute-forcing 10^4 + 10^4 = 20,000 combinations.

# Scan for WPS-enabled APs
wash -i wlan0mon

# Brute-force WPS PIN (authorized lab AP only)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K 1
# -K 1: Pixie Dust attack (offline PIN recovery; only succeeds against chipsets whose WPS key-derivation PRNG is predictable)

Why WPS is still in scope for RF-201: WPS uses EAPOL-based exchanges at the 802.11 data layer. The Pixie Dust attack (-K 1) exploits weak random number generation in the WPS-key-derivation PRNG of some chipsets. An RF-201 student who has studied PRNG + cryptographic-handshake internals (from Bluetooth SSP analysis in Week 5) reads the Pixie Dust vulnerability as a specific instance of: "the PRNG seed was predictable, which made the key exchange reversible."

Bettercap:

Bettercap is a modular network attack framework with modules for 802.11, BLE, and Ethernet. At RF-201 depth:

# Start bettercap, load 802.11 module
bettercap -iface wlan0mon

# In bettercap REPL:
> wifi.recon on               # passive scan
> wifi.show                   # show discovered APs + clients
> wifi.deauth AA:BB:CC:DD:EE:FF   # targeted deauth (authorized only)
> wifi.assoc AA:BB:CC:DD:EE:FF    # attempt association (authorized only)

Bettercap's BLE module (ble.recon on, ble.enum <address>) performs BLE enumeration equivalent to the Python bleak workflow from Week 5, but with a persistent session and REPL interface. Useful for systematic enumeration during a pentest.

WiFiPhisher:

WiFiPhisher automates the evil-twin attack workflow: deauthenticate clients from the legitimate AP, bring up a cloned AP with a captive portal, capture credentials. From an RF-201 perspective: WiFiPhisher is a tool that combines the 802.11 management-frame injection skills from Week 4 (deauth) with an AP-configuration skill (hostapd) to produce a complete social-engineering attack workflow.

# Launch WiFiPhisher against a sandboxed target (authorized only)
sudo wifiphisher -aI wlan0 -jI wlan1mon --essid TargetNetwork
# wlan0: AP interface (for the evil twin)
# wlan1mon: monitor interface (for deauth)

The RF-201 analytical frame: Each of these tools is an application of a specific RF-layer technique:

  • Reaver exploits a WPS protocol-design weakness + cryptographic RNG weakness
  • Bettercap deauth exploits the unprotected management-frame weakness (802.11w absent)
  • WiFiPhisher exploits client association behaviour + lack of AP authentication

None of these is magic. Each has a clear chain from RF physical layer → MAC layer → protocol design flaw → attack.
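The chain above names the deauth weakness as "unprotected management frames, 802.11w absent". As an added example that is not part of the original lecture notes, the following Python detector shows the defensive side of that same chain: it parses the 802.11 management header of captured frames, keeps only deauthentication/disassociation frames that lack the 802.11w Protected Frame bit, and flags any BSSID whose unprotected deauth count inside a sliding window reaches a threshold. The frames it runs on are constructed inline (the BSSID reuses the lecture's AA:BB:CC:DD:EE:FF placeholder); the window, threshold, client MAC and the helper names (parse_mgmt_frame, max_burst, detect_deauth_flood) are assumptions of this example.

```python
import struct
from collections import defaultdict

# Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
MGMT_TYPE = 0
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12
# Frame Control byte 1, bit 6: Protected Frame. Set on a management frame
# only when 802.11w (PMF) protects it.
PROTECTED_FLAG = 0x40


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_mgmt_frame(raw):
    """Parse the 24-byte 802.11 MAC header of a raw frame (radiotap already
    stripped). Returns a dict for deauth/disassoc frames, None for anything else."""
    if len(raw) < 26:
        return None
    fc0, fc1 = raw[0], raw[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        return None
    protected = bool(fc1 & PROTECTED_FLAG)
    seq_ctrl = struct.unpack("<H", raw[22:24])[0]
    # A protected frame carries a CCMP header and an encrypted body, so the
    # reason code is only readable on unprotected frames.
    reason = None if protected else struct.unpack("<H", raw[24:26])[0]
    return {
        "kind": "deauth" if subtype == DEAUTH_SUBTYPE else "disassoc",
        "protected": protected,
        "dst": _mac_str(raw[4:10]),
        "src": _mac_str(raw[10:16]),
        "bssid": _mac_str(raw[16:22]),
        "seq": seq_ctrl >> 4,       # low 4 bits are the fragment number
        "reason": reason,
    }


def max_burst(times, window_s):
    """Largest number of timestamps that fall inside any window of window_s seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns {bssid: burst_size} for every BSSID whose unprotected
    deauth/disassoc frames reach `threshold` inside one sliding window.
    Protected (802.11w) frames are skipped: the client verifies those itself."""
    events = defaultdict(list)
    for ts, raw in frames:
        rec = parse_mgmt_frame(raw)
        if rec is None or rec["protected"]:
            continue
        events[rec["bssid"]].append(ts)
    return {bssid: n for bssid, times in events.items()
            if (n := max_burst(times, window_s)) >= threshold}


def _sample_deauth(dst, src, bssid, reason=7, protected=False, seq=0):
    """Constructed sample frame used only as detector input (not captured traffic)."""
    fc0 = (DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2)
    fc1 = PROTECTED_FLAG if protected else 0
    hdr = (struct.pack("<BBH", fc0, fc1, 0) + _mac_bytes(dst) + _mac_bytes(src)
           + _mac_bytes(bssid) + struct.pack("<H", seq << 4))
    body = b"\x00" * 10 if protected else struct.pack("<H", reason)
    return hdr + body


# Constructed capture: six unprotected broadcast deauths spoofed from the lab AP
# (the lecture's placeholder BSSID), one legitimate protected deauth from a second
# AP that has PMF enabled, and one data frame the parser must ignore.
LAB_AP = "aa:bb:cc:dd:ee:ff"
PMF_AP = "aa:bb:cc:dd:ee:01"
SAMPLE_CAPTURE = (
    [(0.05 * i, _sample_deauth("ff:ff:ff:ff:ff:ff", LAB_AP, LAB_AP, seq=100 + i))
     for i in range(6)]
    + [(0.40, _sample_deauth("02:11:22:33:44:55", PMF_AP, PMF_AP, protected=True))]
    + [(0.45, bytes([0x08, 0x00]) + b"\x00" * 30)]   # type 2 = data frame
)

if __name__ == "__main__":
    for bssid, burst in detect_deauth_flood(SAMPLE_CAPTURE).items():
        print(f"ALERT: {burst} unprotected deauth/disassoc frames from {bssid} within 1 s")
```

Feed it (timestamp, raw 802.11 frame) pairs from a monitor-mode capture with the radiotap header already stripped. The detector deliberately ignores frames carrying the Protected Frame bit: with 802.11w enabled, the AP's own deauths are protected and a client discards unprotected ones, so only the unprotected frames are a spoofing signal.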

12.3 Advanced Wireless Recon: Bettercap 802.11 Probes

Probe request analysis is an underutilised recon technique. Clients broadcast probe requests for previously associated SSIDs. An attacker who passively collects probe requests learns:

  1. Device's preferred network list (PNL)
  2. Whether the device has been on specific named networks (corporate VPN hotspots, hotel chains, coffee shops)
  3. Device MAC address (or randomised MAC behaviour under iOS 14+/Android 10+)

# Passive probe-request collector (monitor-mode interface; nothing is transmitted)
from scapy.all import sniff
from scapy.layers.dot11 import Dot11ProbeReq, Dot11Elt

# client MAC -> list of SSIDs it has probed for (its observable PNL)
probes = {}

def handle_probe(pkt):
    if not pkt.haslayer(Dot11ProbeReq):
        return
    # The SSID parameter set is the information element with ID 0; a zero-length
    # SSID is a wildcard probe and reveals nothing about the client's PNL.
    elt = pkt.getlayer(Dot11Elt)
    ssid = ""
    if elt is not None and elt.ID == 0:
        ssid = elt.info.decode('utf-8', errors='replace')
    src = pkt.addr2
    if ssid and ssid not in probes.get(src, []):
        probes.setdefault(src, []).append(ssid)
        print(f"  {src} → '{ssid}'")

sniff(iface="wlan0mon", prn=handle_probe, store=0, timeout=60)

MAC randomisation: iOS 14+ and Android 10+ randomise the client MAC address per-network per-day. A randomised MAC makes cross-network tracking harder, but the probe request still contains the SSID, and the sequence numbers in the 802.11 header are often device-specific even with MAC randomisation. Full device fingerprinting from probe requests is still an active research area.
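As an added example that is not part of the lecture's own code, the following Python turns the (MAC, SSID) pairs the collector above prints into a privacy audit of the defender's own fleet: it builds each device's observable PNL, counts directed versus wildcard probes, checks the locally administered bit that randomised MACs set, and reports which devices still broadcast directed probes for an organisation's own SSIDs and whether they at least use a randomised MAC. The sample records are constructed (00:00:5e:00:53:xx is the IANA documentation MAC range); the function names and the sensitive-SSID set are assumptions of this example.

```python
from collections import defaultdict

# Bit 1 (0x02) of the first octet is the IEEE "locally administered" (U/L) bit.
# Randomised MACs from iOS 14+/Android 10+ set it; burned-in addresses do not.
LOCALLY_ADMINISTERED = 0x02


def is_randomised_mac(mac):
    """True if the address is locally administered (the marker of a randomised MAC)."""
    return bool(int(mac.split(":")[0], 16) & LOCALLY_ADMINISTERED)


def build_pnl(records):
    """records: iterable of (src_mac, ssid) pairs as the probe collector prints them.
    Returns {mac: [ssid, ...]} in first-seen order; wildcard (empty-SSID) probes
    create the device entry but add nothing to its PNL."""
    pnl = {}
    for src, ssid in records:
        entry = pnl.setdefault(src.lower(), [])
        if ssid and ssid not in entry:
            entry.append(ssid)
    return pnl


def probe_stats(records):
    """Per device: how many directed (named-SSID) vs wildcard probes were seen.
    A device that only sends wildcard probes leaks no PNL at all."""
    stats = defaultdict(lambda: {"directed": 0, "wildcard": 0})
    for src, ssid in records:
        stats[src.lower()]["directed" if ssid else "wildcard"] += 1
    return dict(stats)


def leak_report(records, sensitive_ssids):
    """Which devices broadcast directed probes for SSIDs the organisation cares
    about, and whether each is at least using a randomised MAC."""
    report = []
    for mac, ssids in build_pnl(records).items():
        leaked = sorted(s for s in ssids if s in sensitive_ssids)
        if leaked:
            report.append({"mac": mac,
                           "randomised": is_randomised_mac(mac),
                           "leaked": leaked})
    return report


# Constructed sample (not a real capture). The 02:/da: addresses have the U/L
# bit set; 00:00:5e:00:53:xx is the IANA documentation range, U/L bit clear.
SAMPLE_PROBES = [
    ("02:a1:b2:c3:d4:e5", "CorpNet"),
    ("02:a1:b2:c3:d4:e5", "Hotel-Guest"),
    ("02:a1:b2:c3:d4:e5", "CorpNet"),          # repeat of an SSID already recorded
    ("00:00:5e:00:53:01", "CorpNet"),
    ("00:00:5e:00:53:01", "HomeWiFi-5G"),
    ("da:01:02:03:04:05", ""),                 # wildcard probe, no SSID
    ("da:01:02:03:04:05", "CoffeeShop"),
    ("00:00:5e:00:53:02", ""),                 # device that only probes wildcard
]

if __name__ == "__main__":
    for entry in leak_report(SAMPLE_PROBES, {"CorpNet"}):
        kind = "randomised" if entry["randomised"] else "burned-in"
        print(f"{entry['mac']} ({kind} MAC) probes for {entry['leaked']}")
```

The report is the artefact an engagement write-up or an internal privacy review wants: a burned-in MAC that directed-probes for the corporate SSID identifies a specific device wherever it goes, while a randomised MAC doing the same still reveals that some device in range knows that network.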

12.4 Forward-Look: ADV-101 RF Attack Surface

ADV-101 (Adversarial Techniques) covers:

  • Automated wireless assessment workflows
  • WPA Enterprise (EAP-PEAP, EAP-TLS) attack methodology
  • Advanced rogue-AP scenarios (RADIUS server clone, certificate substitution)
  • RF-layer persistence (hardware implants; remote RF exfil)
  • Cellular and IMSI catcher awareness (introduction only; ADV-101 goes deeper)

The RF-201 substrates that ADV-101 builds on: Week 4 (802.11 frame crafting + fuzzing), Week 5 (BLE protocol RE), Weeks 8-9 (SDR fundamentals, for understanding RF-layer hardware implants), and this week's tool integration.


Homework

Reading (1.5 hr):

  • Bettercap documentation: wifi modules + ble modules (bettercap.org)
  • WPS Pixie Dust attack: original Dominique Bongard presentation (2014; freely available)
  • Probe request privacy: Apple "Enhanced Wi-Fi Privacy" (developer.apple.com; 2020)

Hands-on (2 hr): Lab 10: Wireless-Pentest Cross-Cut. See labs/lab-10.md.

Set up a sandboxed wireless lab: one authorized AP (controlled access point, isolated network) + one laptop as target client. Run the following workflow:

  1. bettercap: discover AP and associated client
  2. bettercap wifi.deauth: disconnect the client
  3. reaver: check if the AP has WPS enabled; if so, attempt Pixie Dust
  4. Passive probe-collection script above: collect 10 probe requests from any device in range
  5. Write a 1-page methodology note: what would an engagement report say for each finding?

Key Terms

  • WPS (Wi-Fi Protected Setup): 802.11 AP configuration protocol; PIN method's split-validation design allows ~20,000 guess attack; vulnerable to Pixie Dust on weak PRNGs
  • Pixie Dust attack: WPS attack exploiting predictable E-S1/E-S2 nonce values from vendor-specific RNG; allows offline derivation of the WPS PIN from a single exchange
  • Evil-twin attack: rogue AP impersonating a legitimate AP by cloning SSID; combines 802.11 deauth + hostapd + captive portal
  • Probe request: 802.11 client broadcast for a previously associated SSID; reveals preferred network list; MAC randomisation in modern devices mitigates tracking
  • MAC randomisation: privacy protection in iOS 14+/Android 10+; per-network per-day randomised MAC in probe requests; mitigates cross-location tracking
  • Bettercap: modular network/wireless/BLE attack framework; REPL interface; 802.11 and BLE module integration