Run any Skill in Manus with one click

wireless-overview

Name: Wireless Overview
Author: PurpleAILAB

Top-level index for the Decepticon 802.11 wireless attack suite. Routes the WirelessOperator to the correct leaf skill based on the target AP's crypto column (PSK / SAE / MGT / WPS) and engagement posture. BLE, Zigbee, Z-Wave, LoRaWAN, and sub-GHz live under iot/ by design — link provided below to prevent duplication.

Run Skill in Manus

Skill metadata

Stars4,252

Forks845

UpdatedJune 2, 2026 at 21:04

File Explorer

8 files

SKILL.md

readonly

name	wireless-overview
description	Top-level index for the Decepticon 802.11 wireless attack suite. Routes the WirelessOperator to the correct leaf skill based on the target AP's crypto column (PSK / SAE / MGT / WPS) and engagement posture. BLE, Zigbee, Z-Wave, LoRaWAN, and sub-GHz live under iot/ by design — link provided below to prevent duplication.
allowed-tools	Bash Read Write
metadata	{"subdomain":"wireless","when_to_use":"Wi-Fi, 802.11, WPA2, WPA3, EAP, enterprise, evil-twin, deauth, WPS, PSK, SAE, wireless attack, airspace, WLAN, rogue AP","tags":["wifi",802.11,"wpa2","wpa3","eap","evil-twin","deauth","wps"],"mitre_attack":"T1040, T1557, T1110.001"}

802.11 Wireless Attack Suite — Operator Index

Load your wireless workflow (loaded into your system prompt) first on every iteration (hardware mode check, phase progression, scope rules, KG node contract). This file is the routing layer on top of it.

Playbook table

Leaf skill	Crypto column / trigger	Primary MITRE	Status
wpa2-psk	`WPA2 PSK`, `WPA PSK`	T1040, T1110.001	shipped
wpa3-sae	`WPA3 SAE`, `WPA2 WPA3` transition mode	T1557, T1040	shipped
wpa-enterprise-eap	`MGT`, `WPA-Enterprise`, `802.1X`	T1557, T1110.001	shipped
wps-pixie-dust	WPS column non-empty, `WPS` flag in wash	T1110.001, T1040	shipped
evil-twin-karma	Open / PSK, PNL probe leakage, captive portal	T1557, T1556	shipped
deauth-pmf	Any target needing client reconnect or 802.11w posture finding	T1498, T1040	shipped
krack-fragattacks	Legacy / embedded supplicant, key-reinstallation / fragmentation test	T1557, T1040	shipped

BLE GATT, Zigbee Touchlink, Z-Wave, LoRaWAN, and sub-GHz attacks are scoped to standard/iot/. Cross-reference that suite when the objective targets non-802.11 RF.

Hardware mode pointer

Leaf skills inherit the mode check from the wireless workflow:

mode = plan/roe.json:machine_enforcement.wireless.mode
  "in_sandbox"  → USB passthrough, monitor mode inside Kali
  "dropbox"     → ssh <dropbox> -- '<cmd>' for every wireless op
  "none"        → refuse, return outcome=blocked

Crypto-mode decision tree

airodump-ng --write-interval 1 --output-format csv ...
Read the ENC/CIPHER/AUTH columns:

  ENC=WPA2, AUTH=PSK          → wpa2-psk
  ENC=WPA3, AUTH=SAE          → wpa3-sae
  ENC=WPA2+WPA3, AUTH=SAE+PSK → wpa3-sae (transition-mode downgrade path)
  AUTH=MGT / 802.1X            → wpa-enterprise-eap
  WPS column non-empty          → wps-pixie-dust (run in parallel with PSK path)
  Open / no credential needed  → evil-twin-karma (KARMA/portal capture)

After selecting the primary leaf, always check:
  - deauth-pmf: needed if Path B (four-way) is chosen OR as standalone PMF finding
  - krack-fragattacks: applicable when target is legacy/embedded/poor-patch-cadence

KG node contract

All wireless leaf skills write the same node types (mirrors the wireless workflow):

Node kind	Typical props
`Network`	ssid, bssid, channel, crypto, pmf_state
`Host`	mac, oui, last_seen_bssid
`Credential`	secret_type, ssid, bssid, psk/eap_identity/eap_challenge
`Finding`	title, cve_ids (if applicable), severity, remediation

OPSEC posture cross-reference

posture	techniques permitted
`stealth`	PMKID (wpa2-psk Path A), passive PMF detect (deauth-pmf), Pixie-Dust only
`standard`	+ targeted deauth (1 frame), EAP capture, WPS Pixie-Dust
`loud`	+ broadcast deauth, evil-twin, KARMA, beacon flood, online WPS brute

Evil-twin always requires explicit permitted_actions: evil_twin in plan/roe.json regardless of posture — see the wireless workflow scope rules in your system prompt.

More from this repository

same repository

web

PurpleAILAB/Decepticon

Web application exploitation — the primary category skill for all web-based attacks. This is a routing skill: read this first to identify the attack type, then load the appropriate specialized sub-skill for detailed procedures. Covers 11 technique areas across injection, file access, authentication, and API exploitation.

2026-06-024.3k

smuggling

PurpleAILAB/Decepticon

HTTP Request Smuggling (HRS) — front-end / back-end parser disagreement attacks that desync the proxy stack. Covers CL.TE, TE.CL, TE.TE, CL.0, HTTP/2 downgrade (h2.cl, h2.te), pipelining, and connection-state pinning. Includes a confirm-desync gate, header obfuscation catalog, and minimal raw-socket Python harnesses (no smuggler.py available in sandbox).

2026-06-024.3k

mobile-overview

PurpleAILAB/Decepticon

Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.

2026-06-024.3k

web-recon

PurpleAILAB/Decepticon

Web application enumeration hub — directory/file fuzzing, vhost discovery, API enumeration, CMS scanning, WAF detection, auth surface mapping, cookie audit.

2026-06-024.3k

evil-twin-karma

PurpleAILAB/Decepticon

Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X.

2026-06-024.3k

exploit-reporting

PurpleAILAB/Decepticon

Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.0 scoring, shell/credential inventory, detection gap analysis.

2026-06-024.3k

Source

PurpleAILAB

PurpleAILAB/Decepticon

View GitHub Repository View Creator Repositories

Install

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	wireless-overview
description	Top-level index for the Decepticon 802.11 wireless attack suite. Routes the WirelessOperator to the correct leaf skill based on the target AP's crypto column (PSK / SAE / MGT / WPS) and engagement posture. BLE, Zigbee, Z-Wave, LoRaWAN, and sub-GHz live under iot/ by design — link provided below to prevent duplication.
allowed-tools	Bash Read Write
metadata	{"subdomain":"wireless","when_to_use":"Wi-Fi, 802.11, WPA2, WPA3, EAP, enterprise, evil-twin, deauth, WPS, PSK, SAE, wireless attack, airspace, WLAN, rogue AP","tags":["wifi",802.11,"wpa2","wpa3","eap","evil-twin","deauth","wps"],"mitre_attack":"T1040, T1557, T1110.001"}

802.11 Wireless Attack Suite — Operator Index

Load your wireless workflow (loaded into your system prompt) first on every iteration (hardware mode check, phase progression, scope rules, KG node contract). This file is the routing layer on top of it.

Playbook table

Leaf skill	Crypto column / trigger	Primary MITRE	Status
wpa2-psk	`WPA2 PSK`, `WPA PSK`	T1040, T1110.001	shipped
wpa3-sae	`WPA3 SAE`, `WPA2 WPA3` transition mode	T1557, T1040	shipped
wpa-enterprise-eap	`MGT`, `WPA-Enterprise`, `802.1X`	T1557, T1110.001	shipped
wps-pixie-dust	WPS column non-empty, `WPS` flag in wash	T1110.001, T1040	shipped
evil-twin-karma	Open / PSK, PNL probe leakage, captive portal	T1557, T1556	shipped
deauth-pmf	Any target needing client reconnect or 802.11w posture finding	T1498, T1040	shipped
krack-fragattacks	Legacy / embedded supplicant, key-reinstallation / fragmentation test	T1557, T1040	shipped

BLE GATT, Zigbee Touchlink, Z-Wave, LoRaWAN, and sub-GHz attacks are scoped to standard/iot/. Cross-reference that suite when the objective targets non-802.11 RF.

Hardware mode pointer

Leaf skills inherit the mode check from the wireless workflow:

mode = plan/roe.json:machine_enforcement.wireless.mode
  "in_sandbox"  → USB passthrough, monitor mode inside Kali
  "dropbox"     → ssh <dropbox> -- '<cmd>' for every wireless op
  "none"        → refuse, return outcome=blocked

Crypto-mode decision tree

airodump-ng --write-interval 1 --output-format csv ...
Read the ENC/CIPHER/AUTH columns:

  ENC=WPA2, AUTH=PSK          → wpa2-psk
  ENC=WPA3, AUTH=SAE          → wpa3-sae
  ENC=WPA2+WPA3, AUTH=SAE+PSK → wpa3-sae (transition-mode downgrade path)
  AUTH=MGT / 802.1X            → wpa-enterprise-eap
  WPS column non-empty          → wps-pixie-dust (run in parallel with PSK path)
  Open / no credential needed  → evil-twin-karma (KARMA/portal capture)

After selecting the primary leaf, always check:
  - deauth-pmf: needed if Path B (four-way) is chosen OR as standalone PMF finding
  - krack-fragattacks: applicable when target is legacy/embedded/poor-patch-cadence

KG node contract

All wireless leaf skills write the same node types (mirrors the wireless workflow):

Node kind	Typical props
`Network`	ssid, bssid, channel, crypto, pmf_state
`Host`	mac, oui, last_seen_bssid
`Credential`	secret_type, ssid, bssid, psk/eap_identity/eap_challenge
`Finding`	title, cve_ids (if applicable), severity, remediation

OPSEC posture cross-reference

posture	techniques permitted
`stealth`	PMKID (wpa2-psk Path A), passive PMF detect (deauth-pmf), Pixie-Dust only
`standard`	+ targeted deauth (1 frame), EAP capture, WPS Pixie-Dust
`loud`	+ broadcast deauth, evil-twin, KARMA, beacon flood, online WPS brute

Evil-twin always requires explicit permitted_actions: evil_twin in plan/roe.json regardless of posture — see the wireless workflow scope rules in your system prompt.