EPISODE · Dec 16, 2025 · 10 MIN
Course 14 - Wi-Fi Pentesting | Episode 3: Targeted Wireless Network Discovery and Pre-Connection Bypasses
from CyberCode Academy · host CyberCode Academy
In this lesson, you’ll learn about:
- Sniffing wireless networks on both 2.4 GHz and 5 GHz bands
- Performing targeted packet capture on a specific access point
- Saving and analyzing captured wireless traffic
- Executing deauthentication attacks without knowing the password
- Discovering the names of hidden wireless networks
- Reconnecting to hidden networks after revealing their SSIDs
- How MAC filtering works and how it is bypassed

Targeted Wireless Discovery & Pre-Connection Access

Wireless Band Sniffing (2.4 GHz & 5 GHz)

Wireless networks broadcast on two main frequency bands:
- 2.4 GHz
- 5 GHz

Key points:
- By default, airodump-ng only sniffs the 2.4 GHz band
- To sniff 5 GHz, you must use: --band A
- To sniff both at once: --band ABG
- Sniffing both bands:
  - Requires a powerful wireless adapter
  - Is usually slower
- The adapter must support 5 GHz, otherwise no data will be captured from that band

Targeted Sniffing & Data Capture

Instead of capturing all networks, you can focus on:
- One specific target network

This is done by specifying:
- BSSID: Target network MAC address
- Channel: Operating channel

Targeted capture allows you to:
- View only:
  - The target access point
  - Connected clients (stations)
- Save captured packets to files:
  - .cap files

Even though all packets are captured:
- If the network uses WPA/WPA2
- The data appears encrypted and unreadable
- Wireshark will display it as gibberish without the key

The Deauthentication Attack

A deauthentication attack allows you to:
- Disconnect any connected device
- Without:
  - Knowing the Wi-Fi password
  - Being connected to the network

How it works:
- The attacker pretends to be:
  - The router when talking to the client
  - The client when talking to the router
- This forces the device to disconnect

Tool used:
- aireplay-ng

Discovering Hidden Networks

Hidden networks:
- Do not broadcast their SSID (name)
- Still broadcast:
  - MAC address
  - Channel
  - Encryption type

Steps to reveal a hidden SSID:
- Run airodump-ng against the hidden network only
- If a client is connected:
  - Launch a deauthentication attack
  - Send a small number of packets (e.g., 4)
- When the client reconnects:
  - It sends the network name in the air
- Airodump-ng captures:
  - The previously hidden SSID

Connecting to Hidden Networks

After discovering the SSID:
- The wireless card must return to:
  - Managed mode
- This can be done by:
  - airmon-ng stop
- Or by:
  - Disconnecting and reconnecting the wireless adapter
- If the network manager service is stopped:
  - Restart it using: service network-manager start
- Once restored:
  - Manually enter:
    - The discovered SSID
    - The correct security type
  - Then connect normally

Bypassing MAC Filtering

MAC filtering controls which devices can connect using:
- Their MAC address

Two types:
- Blacklist
  - Blocks specific MAC addresses
  - Easily bypassed by:
    - Changing your MAC address to a random one
- Whitelist
  - Only allows specific MAC addresses
  - Harder to bypass, but still possible

Bypassing a whitelist:
- Use airodump-ng to detect:
  - A client already connected to the target network
- That client’s MAC must be:
  - On the whitelist
- Use macchanger with:
  - -m to clone that MAC address
- Return to managed mode
- Connect to the network successfully using the spoofed MAC

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
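Seen from the monitoring side, the pattern described under The Deauthentication Attack (frames forged in both directions between router and client) can be searched for in captured management frames. The Python below is an added example, not part of the episode notes; it assumes raw 802.11 frames with any radiotap header already stripped, and the MAC addresses, timestamps, helper names and the 1-second window are constructed for illustration.

```python
import struct
from collections import defaultdict

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (management), subtype 12

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def find_bidirectional_deauth(captures, window=1.0):
    """Flag (bssid, client) pairs deauthenticated in both directions within `window` s."""
    last_seen = defaultdict(dict)  # (bssid, client) -> {direction: timestamp}
    alerts = []
    for ts, frame in captures:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, src, bssid, _reason = parsed
        if bssid not in (src, dst):
            continue
        client, direction = (dst, "to_client") if src == bssid else (src, "to_ap")
        opposite = "to_ap" if direction == "to_client" else "to_client"
        key = (bssid, client)
        last_seen[key][direction] = ts
        other_ts = last_seen[key].get(opposite)
        if other_ts is not None and abs(ts - other_ts) <= window and key not in alerts:
            alerts.append(key)
    return alerts

def build_frame(fc0, dst, src, bssid, reason=7):
    """Constructed test frame: FC, duration, addr1-3, sequence control, reason code."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return bytes([fc0, 0]) + b"\x00\x00" + addrs + b"\x00\x00" + struct.pack("<H", reason)

AP, C1, C2 = "aa:bb:cc:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"
SAMPLE = [  # constructed capture: (timestamp in seconds, raw frame)
    (10.00, build_frame(0xC0, C1, AP, AP)),      # "router" -> client
    (10.01, build_frame(0xC0, AP, C1, AP)),      # "client" -> router, 10 ms later
    (50.00, build_frame(0xC0, AP, C2, AP, 3)),   # one-way deauth: client leaving
    (60.00, build_frame(0x80, C2, AP, AP)),      # beacon-type frame, ignored
]

print(find_bidirectional_deauth(SAMPLE))
```

Because forged frames carry the real addresses of the router and client, the signal here is the pairing and timing of the two directions, not the addresses themselves.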