Recon

This section covers the Wi-Fi network reconnaissance part of the lab.

01. What is the channel that the wifi-global Access Point (AP) is currently using?

To get the network channel, first we put the card in monitor mode with “airmon-ng”, then we scan all the channels (including the 5 GHz ones) with “airodump-ng” to find the “wifi-global” network.

I recommend creating a wifi folder and storing all the captures there.

mkdir ~/wifi
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon -w ~/wifi/scan --manufacturer --wps --band abg
  • sudo: This stands for "superuser do," and it runs the command with elevated privileges (as root). This is often required when working with networking tools that interact with hardware or require access to sensitive resources.

  • airodump-ng: This is the command for the airodump-ng tool, which is used to capture wireless network traffic. It scans for all the wireless networks in range and can display detailed information about the networks (SSID, BSSID, channel, encryption type, etc.).

  • wlan0mon: This refers to the name of your wireless interface. wlan0mon suggests that the network interface wlan0 is in "monitor mode." Monitor mode allows your wireless card to capture all wireless traffic (even traffic not destined for your device) instead of just your own connection.

  • -w ~/wifi/scan: This option specifies the output directory and file prefix where captured data will be saved.

    • ~/wifi/scan means the scan data will be saved in the wifi directory in your home directory. The file will start with scan as its name.

    • Airodump-ng will create files like scan-01.cap, which will store the captured packets in the .cap file format.

  • --manufacturer: This option tells airodump-ng to display the manufacturer information of the devices in the capture. It attempts to identify the manufacturers of the access points (APs) based on the MAC address.

  • --wps: This enables the display of WPS (Wi-Fi Protected Setup) information. WPS is a feature that simplifies the process of connecting devices to a wireless network. However, it’s often a target for attacks, and showing this information can be helpful in penetration testing.

  • --band abg: This option specifies which frequency bands the tool should scan. The a, b, and g bands correspond to:

    • a: 5 GHz (802.11a)

    • b: 2.4 GHz (802.11b)

    • g: 2.4 GHz (802.11g)

    By using abg, you're telling airodump-ng to scan networks operating on all of these frequency bands.

Channel 44

02. What is the MAC of the wifi-IT client?

FLAG: the wifi-IT client MAC

In this challenge we perform the same process, this time looking for the wifi-IT network; once we know its channel, we run “airodump-ng” again locked to that channel only, with “-c” followed by the channel number, so the capture stays on that channel instead of hopping and the client list for that AP fills in.

sudo airodump-ng wlan0mon -w ~/wifi/scan --manufacturer --wps --band abg
sudo airodump-ng wlan0mon -w ~/wifi/scanc11 --manufacturer --wps -c11

10:F9:6F:AC:53:52

03. What is the probe of 78:C1:A7:BF:72:46 that follows the format of the other networks in the range (wifi-)?

For this challenge we run the same “airodump-ng” scan as in the previous one, but look at the lower part of the output where the clients are listed: the last column shows the ESSIDs each client is probing for.

sudo airodump-ng wlan0mon -w scan --manufacturer --wps --band abg

wifi-offices

04. What is the ESSID of the hidden AP (mac F0:9F:C2:6A:88:26)?

In this challenge we start as in the previous ones, since we need the channel and BSSID of the AP whose ESSID is hidden. As no clients are connected to it (so no probe or association frames reveal the name), we have to brute-force the ESSID with a list of candidates. Once we have the channel and BSSID, we modify the usual dictionary (rockyou) by prepending the prefix “wifi-” that the rest of the APs use.

# Prefix every line with "wifi-" ($0 keeps the whole line, so entries containing spaces survive)
awk '{print "wifi-" $0}' ~/10-million-password-list-top-100000.txt > ~/wifi-rockyou.txt
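
The awk one-liner above prepends the prefix and nothing else. As an added example (not code from the original page), the following Python function builds the same candidate list with the checks a practitioner would want before feeding it to a prober: CR/LF stripped, empty lines dropped, whole lines kept so entries containing spaces survive, candidates longer than the 32-byte maximum an 802.11 SSID element allows discarded, and duplicates removed. The SAMPLE_LINES input is constructed for the example; the script name and its command-line usage are assumptions.

```python
"""Build an ESSID candidate list from a password list, with the checks the awk one-liner skips."""
from __future__ import annotations

import sys
from typing import Iterable

MAX_ESSID_BYTES = 32  # an 802.11 SSID element carries at most 32 octets


def build_essid_wordlist(lines: Iterable[str], prefix: str = "wifi-",
                         max_bytes: int = MAX_ESSID_BYTES) -> list[str]:
    """Prefix every entry; drop CR/LF, empty lines, over-long candidates and
    duplicates, preserving first-seen order. Whole lines are kept, spaces included."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in lines:
        word = raw.rstrip("\r\n")          # many password lists are CRLF-terminated
        if not word:
            continue
        candidate = prefix + word
        if len(candidate.encode("utf-8", "surrogateescape")) > max_bytes:
            continue                        # could never be a valid ESSID
        if candidate in seen:
            continue
        seen.add(candidate)
        out.append(candidate)
    return out


# Constructed sample input standing in for the top-100000 list used on the page.
SAMPLE_LINES = ["free\r\n", "free\n", "\n", "my password\n", "x" * 40 + "\n", "offices\n"]


if __name__ == "__main__":
    # Assumed usage: python3 build_essid_list.py <wordlist> > ~/wifi-rockyou.txt
    # surrogateescape lets undecodable bytes in real password lists pass through untouched.
    sys.stdout.reconfigure(errors="surrogateescape")
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="surrogateescape") as fh:
            candidates = build_essid_wordlist(fh)
    else:
        candidates = build_essid_wordlist(SAMPLE_LINES)
    print("\n".join(candidates))
```

On the sample input the function returns wifi-free, wifi-my password and wifi-offices: the duplicate, the blank line and the 45-byte candidate are gone, and the entry with a space is kept whole, which the `$1` form of the awk line would have cut to wifi-my.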

Once we have the modified dictionary we can use “mdk4” to send probe requests for each ESSID in the list until the AP responds to one of them.

sudo airmon-ng start wlan1
sudo iwconfig wlan1mon channel 11
sudo mdk4 wlan1mon p -t F0:9F:C2:6A:88:26 -f ~/wifi-rockyou.txt

wifi-free
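
All four answers above come from reading airodump-ng's output by eye. As an added example (not part of the original page), here is a small Python parser for the CSV that airodump-ng writes next to the .cap when started with -w (scan-01.csv); it answers each question from the file rather than the live screen: the channel an ESSID is on (01), the clients associated with a named AP (02), the ESSIDs a given client probes for, filtered by the “wifi-” prefix (03), and the APs whose beacons carry an empty ESSID together with the ID-length they do reveal (04). The SAMPLE_CSV inside is constructed: timestamps, power levels, counters and the two AA:BB:CC BSSIDs are made up, and only the BSSID F0:9F:C2:6A:88:26 and the two station MACs are taken from the questions.

```python
"""Answer the recon questions from the CSV that airodump-ng writes with -w."""
from __future__ import annotations

import csv
from dataclasses import dataclass

# Constructed sample of scan-01.csv: an AP table, a blank line, then a client table.
# Timestamps, power levels and counters are made up; F0:9F:C2:6A:88:26 and the two
# station MACs are the values from the lab questions.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 44, 54, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 11, wifi-global,
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -45, 98, 0, 0. 0. 0. 0, 7, wifi-IT,
F0:9F:C2:6A:88:26, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -50, 80, 0, 0. 0. 0. 0, 9, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
10:F9:6F:AC:53:52, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -55, 30, AA:BB:CC:00:00:02, wifi-IT
78:C1:A7:BF:72:46, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60, 5, (not associated), wifi-offices,CoffeeShop,wifi-IT
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    id_length: int  # length of the SSID element in beacons; a hidden AP beacons an empty ESSID
    essid: str


@dataclass
class Station:
    mac: str
    bssid: str  # the file says "(not associated)" when the client is not connected to any AP
    probes: list[str]


def _rows(block: str) -> list[list[str]]:
    """CSV rows of one table with every field stripped; header and blank lines dropped."""
    rows = []
    for fields in csv.reader(block.splitlines()):
        fields = [f.strip() for f in fields]
        if not fields or not fields[0] or fields[0] in ("BSSID", "Station MAC"):
            continue
        rows.append(fields)
    return rows


def parse_airodump_csv(text: str) -> tuple[list[AccessPoint], list[Station]]:
    """Split the file at the station header and parse the two tables."""
    ap_block, _, sta_block = text.partition("Station MAC")
    aps = [
        AccessPoint(bssid=f[0].upper(), channel=int(f[3]), privacy=f[5],
                    id_length=int(f[12]), essid=f[13] if len(f) > 13 else "")
        for f in _rows(ap_block)
    ]
    # The probed-ESSID column is itself comma separated, so every field from the
    # seventh on is one probed name; empty trailing fields are dropped.
    stations = [
        Station(mac=f[0].upper(), bssid=f[5], probes=[p for p in f[6:] if p])
        for f in _rows(sta_block)
    ]
    return aps, stations


def channel_of(aps: list[AccessPoint], essid: str) -> int | None:
    """01: channel of the AP broadcasting the given ESSID (None if not seen)."""
    return next((ap.channel for ap in aps if ap.essid == essid), None)


def clients_of(aps: list[AccessPoint], stations: list[Station], essid: str) -> list[str]:
    """02: MACs of the clients associated with the AP(s) named essid."""
    bssids = {ap.bssid for ap in aps if ap.essid == essid}
    return [s.mac for s in stations if s.bssid.upper() in bssids]


def probes_of(stations: list[Station], mac: str, prefix: str | None = None) -> list[str]:
    """03: ESSIDs a client probed for, optionally only those starting with prefix."""
    for s in stations:
        if s.mac == mac.upper():
            return [p for p in s.probes if prefix is None or p.startswith(prefix)]
    return []


def hidden_aps(aps: list[AccessPoint]) -> list[AccessPoint]:
    """04: APs whose beacons carry no ESSID; channel and id_length are what they reveal."""
    return [ap for ap in aps if ap.essid == ""]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print("wifi-global channel:", channel_of(aps, "wifi-global"))
    print("wifi-IT clients:", clients_of(aps, stations, "wifi-IT"))
    print("wifi- probes of 78:C1:A7:BF:72:46:", probes_of(stations, "78:C1:A7:BF:72:46", "wifi-"))
    for ap in hidden_aps(aps):
        print("hidden AP", ap.bssid, "on channel", ap.channel, "ESSID length", ap.id_length)
```

Run it against a real scan with `parse_airodump_csv(open("~/wifi/scan-01.csv").read())` after expanding the path; the same functions then give the channel to lock with -c, the station list for question 02, and the channel to set before probing the hidden AP in question 04. The split on "Station MAC" is what makes the two tables parse cleanly, and the probe column must be treated as everything after the sixth field because airodump-ng separates the probed names with commas too.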

Resources


Last updated 4 months ago

  • Wireless Penetration Testing: Detect Hidden SSID (Hacking Articles)
  • There Are Hidden Wi-Fi Networks All Around You — These Attacks Will Find Them (Null Byte)