Hacknetics
  • Hacknetics
  • Active Directory Management
    • How to Join a Windows 11 PC to a Domain
    • Allow RDP in the domain
  • Active Directory AD Attacks
    • Bloodhound
      • Bloodhound Cypher Queries
    • Impacket-install
    • Kerberos cheatsheet
    • Domain Controllers
    • Overpass The Hash/Pass The Key (PTK)
    • Bloodhound Python
    • Rubeus to Ccache
    • Silver Ticket
    • Golden Ticket
    • Abusing GPO Permissions
    • AppLocker Bypasses
    • SharpView Enumeration
    • DonPapi
    • AD Overview
    • Enumerating Forests
    • NOPAC Priv esc
  • buffer-overflows
    • Buffer Overflows
  • c2-frameworks
    • Sliver
    • Powershell Empire
      • IronPython Empire
    • Metasploit
      • Metasploit Basics
      • Custom MSF Resource Scripts
      • Meterpreter Device Survey
      • Paranoid Mode
    • Pwncat-cs
    • Cobalt Strike
    • Dcrat
      • Modules
      • Builder
      • Dcrat AV Evasion
      • C2 Comms
    • FFM Documentation
  • covering-tracks
    • Evading Logging and Monitoring
    • Linux Logging
    • Tor
    • Windows Log Clearing
    • Ghost Writing Binaries
    • Backdoor Linux Commands
  • Data Exfiltration
  • Exploit Development
    • ROP Finding the vulnerable function
    • Useful Tools for Exploit Dev
    • ropeme
    • Obtaining MSFT Patches for Analysis
    • Mutiny Fuzzer
    • GDB
  • file-transfers
    • Transfering Files
  • lateral-movement
    • Pivoting Enumeration
      • Proxychains and FoxyProxy
      • SSH Tunneling and Port Forwarding
      • Plink.exe
      • socat
      • Chisel
      • SShuttle
  • lin-priv-esc
    • Linux Privilege Escalation
    • Bash Jails
    • ssh agent
  • Things I have Pwn'd before
    • Tomcat
    • Jenkins
  • persistence
    • Linux Persistence
    • Windows Persistence
      • Assign Group Memberships
      • Guest Windows Account Persistence
      • WMI Persist With Event Filters
      • SAM SYSTEM Exfil / Pass The Hash
      • Backdoor Executable
      • Special Privileges and Security Descriptors
      • RID Hijacking
      • Task Scheduler
      • Hijacking File Associations
      • Abusing Services
      • Logon Triggered Persistence
      • MSSQL Enabling xp cmdshell
      • Sticky Keys
      • Using Web Shells
  • recon-enumeration
    • Exploit Research
    • Pentesting DNS
    • Pentesting Kerberos
    • Pentesting FTP
    • Pentesting Email
    • Pentesting SMB
    • Pentesting Redis
    • Banner Grabbing
    • Pentesting Rsync
    • Pentesting MsSql
    • Scanning
    • Pentesting SNMP
    • Pentesting NFS
    • Pentesting LDAP
    • Pentesting Finger
    • User Recon
  • resources
    • resources
    • Youtube / Book List
    • CS/Software Engineer Resources
  • shells
    • Shells
    • web-shells
      • PHP Reverse Shell
      • wwwolf's PHP web shell
  • tool-guides
    • Asymmetric File Encrypt and Decrypt
    • Aws Buckets
    • cewl-crunch
    • Creating a Custom Wordlist
    • evil-winrm
    • Git
    • gobuster
    • Hashcat
    • Hydra User Guide
    • John
    • Linux Basics
    • Mimikatz
    • netcat
    • Nmap
    • nuclei
    • PowerView
    • r2
    • Resources
    • tcpdump
    • T-Shark User Guide
    • tmux
    • ssh
    • Vim
    • Wireshark
    • kwp
    • LAPS
    • KeePass KeeThief
    • FileCryptography.psm1
    • Impacket Pastable Commands
    • crackmapexec Pastable Commands
    • feroxbuster
    • NetExec
    • Ligolo-ng
    • gs-netcat
    • Scarecrow
  • Web Path
    • Testing for LFI
    • Testing for RFI
    • Testing for SQL
    • Testing for XSS
    • Authentication Bypass
    • Cmd Injection
    • Javascript Vulnerabilities
    • SSTI
    • Web Servers
    • JWT Tokens
    • Adobe Coldfusion
    • NoSQL Injection
    • vhost Enumeration
  • Wifi/Bluetooth/ZigBee/SDR/SmartCards
    • Wifi Capture Filters
    • Bluetooth Basics
    • Wifi Overview
    • Bettercap Bluetooth / Wifi
    • Aircrack-ng
    • Airdecap-ng
    • Aireplay-ng
    • RTL-SDR Radio
    • Bluetooth Low Energy
    • Smart Cards
    • Airodump-ng Airgraph-ng
    • gqrx
  • Windows
    • powershell-cheatsheet
    • Windows Privlage Escalation
    • Anti-Virus Evasion
    • Windows Registry
    • exploits
      • printspoofer
    • Windows Kernel Vulnerabilities
    • Windows Defender
    • AMSI Bypasses
    • pktmon Packet Capture Windows
    • Powershell Constrained Language Mode
    • Windows Survey
    • Windows Persistence
    • Windows World Writeable Dirs
  • firewalls
    • iptables
    • ufw
    • netsh advfirewall
  • Malware Analysis
    • Malware Analysis Fundamentals
    • Packer Identification by File section names
    • Analyzing Malicious Documents
    • In Depth Malware Analysis
    • Reversing Malicious Code
  • Infrastructure Development
    • SSL Cert Generation
    • Pfsense
      • OpenVPN Server on Pfsense
    • Proxmox OVA Import
  • Python3 Reference
    • Python3 Cheatsheet
    • Regex Python3
  • EDR
    • Velociraptor EDR
  • Host Forensics
    • Windows Host Forensics
    • Windows NT Versions
    • Windows Logs
  • Cloud
    • AWS
  • OSINT
    • Spiderfoot
    • Shodan Dorks
  • Phishing
  • Random
  • Linux
    • awk
    • cut
    • grep
    • sort
    • Cups CVE2024
  • Windows Malware Development
    • Win32 API
    • Processes Threads Handles
      • Message Box Example (Basic)
      • CreateProcess Example (Basic)
  • Golang
  • Mikrotik
    • Implementing a Password Reset Function for Persistent Access in MikroTik RouterOS
    • Cleaner Wrasse
  • Firmware Reversing
Powered by GitBook
On this page
  • WPA2 Networks
  • WPA2 PMKID
  • WPS Detection
  • WEP Networks
  • BSSID
  • Handshakes
  • Beacons
  • Management Frames
  • Probe Requests
  • WPA3 PSK networks
  • Find Data packets with no Frame Body Encryption
  • WPA3 Transition networks
  • Tcpdump no Beacons / Control frames

Was this helpful?

Edit on GitHub
  1. Wifi/Bluetooth/ZigBee/SDR/SmartCards

Wifi Capture Filters

WPA2 Networks

  • identify a network that is using WPA2-PSK

wlan.tag.number == 221 or wlan.tag.number == 48

WPA2 PMKID

  • PMKID is a unique, per client key identifier found in the first EAPOL frame

  • Contained in optional RSN IE for AP roaming

  • Assigned at the time of joining a network to track with PMK should be used for the network

  • The PMKID is used to identify to the AP which PMK should be used for the newly roamed client.

wlan.rsn.ie.pmkid
# OR
wlan.tag.number eq 221

WPS Detection

  • We can see if an AP supports WPS, allowing for WPS attacks

wps.wifi_protected_setup_state eq 0x02

WEP Networks

  • Per Wigle.net as of 2024, WEP networks make up less than 5% of all wireless networks, however they can still be found!

  • In every WEP packet is an:

    • initialization vector

    • key index number

    • integrity check value.

  • Display only WEP encrypted data packets

wlan.wep.iv

BSSID

  • Filtering on BSSIDs

!wlan.bssid eq 58:6d:8f:07:4e:8d
wlan.bssid eq 58:6d:8f:07:4e:8d

Handshakes

  • To filter for four-way handshake packets in Wireshark 

eapol

  • To filter for four-way handshake packets in tcpdump or to set a capture filter to only grab four-way handshake packets.

ether proto 0x888e

Beacons

  • wireshark filter for beacon frames 

wlan.fc.type_subtype == 0x0008

Management Frames

  • wireshark filter for management frames 

wlan.fc.type == 0

Probe Requests

  • Find clients looking for SSID names. Useful if you are looking to stand up an Evil Twin and would like a specific client to connect to you.

  • Probe requests can have privacy implications. If you capture SSID names and they are unique, you are able to query https://wigle.net to potentially find home locations/work locations

(wlan.fc.subtype == 4) && (wlan.fc.type == 0)
# filter out probe requests
!(wlan.fc.subtype == 4) && !(wlan.fc.type == 0)

WPA3 PSK networks

  • We can identify these networks in a wireshark pcap by filtering off the Auth Key Management suite in use 

wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms == 0x00FAC08

  • above AKMS identifies the most common key type in use GCMP-128

Find Data packets with no Frame Body Encryption

  • Encryption can still be used at the application layer i.e. TLS

  • Can catch protocols that are not encrypted 

wlan.fc.protected == 0 && wlan.fc.type == 2

WPA3 Transition networks

  • wireshark filter for WPA3 transition networks. They will have to broadcast two cipher suites at once 

wlan.fc.type_subtype == 0x0008 && wlan.rsn.akms ==  0x000FAC02 && wlan.rsn.akms == 0x000FAc08

  • 0x000FAC02 == WPA2

  • 0x000FAC08 == WPA3

Tcpdump no Beacons / Control frames

tcpdump -i wlan0mon -s 0 -n -w out.pcap 'not type mgt subtype beacon and not type ctl'

  • capture the whole packet with -s 0

  • capture everything that are not beacon frames + control frames (loud)

    • generally 10 beacon frames a second from each AP. If you are in range of 20 APs that can get rough quickly on pcap size

  • Great assessment tcpdump filter for assessments on smaller devices like a Pi

PreviousWifi/Bluetooth/ZigBee/SDR/SmartCardsNextBluetooth Basics

Last updated 9 months ago

Was this helpful?