From 9fe1cb4409e8c8db0b8bd23a694807f0075596d4 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 18 Apr 2026 18:57:42 +0000 Subject: [PATCH] Add content from: HTB: AirTouch --- .../pentesting-wifi/README.md | 33 ++++++++++++++++--- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/README.md b/src/generic-methodologies-and-resources/pentesting-wifi/README.md index 4040438a683..ab76f9641b7 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md 
@@ -437,6 +437,32 @@ apt-get install pyrit #Not working for newer versions of kali pyrit -r psk-01.cap analyze ``` +### Join the cracked WLAN and decrypt captured traffic + +Once the PSK is known, join the SSID from a clean interface and request a lease to start interacting with the internal segment: + +```bash +wpa_passphrase CorpWifi 'SuperSecretPassphrase' > /tmp/corpwifi.conf +wpa_supplicant -B -i wlan2 -c /tmp/corpwifi.conf +dhclient -v wlan2 +ip addr show wlan2 +``` + +This is useful when you need direct access to the Wi-Fi-only subnet after recovering the password from a handshake. + +If you also captured the original 802.11 traffic, the PSK can be reused to decrypt application data in Wireshark: + +1. Open the capture in Wireshark. +2. Go to `Edit --> Preferences --> Protocols --> IEEE 802.11`. +3. Add the recovered PSK in **Decryption Keys**. +4. Filter plaintext protocols such as `http` and inspect interesting flows with **Follow TCP Stream**. + +This commonly exposes session identifiers, internal hostnames, and sensitive requests if the WLAN relies on WPA2-PSK but the application itself still uses plaintext HTTP. Replaying the recovered cookie may be enough for session hijacking, and client-controlled authorization cookies can often be tampered with further. Check the cookie abuse techniques in: + +{{#ref}} +../../pentesting-web/hacking-with-cookies/README.md +{{#endref}} + #### Faster online PSK guessing via `wpa_supplicant` ctrl socket (no clients/PMKID) When no clients are around and the AP refuses PMKID, you can iterate PSKs online without respawning supplicants: 
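Review bot: the `wpa_passphrase CorpWifi 'SuperSecretPassphrase' > /tmp/corpwifi.conf` line in the new section leaves the passphrase in clear text in a world-readable location, because `wpa_passphrase` keeps it as a `#psk="..."` comment above the derived hex PSK; run `umask 077` before the redirect (or strip the `#psk=` comment) and remove the file once the interface is up. The Wireshark steps also omit two prerequisites a reader will trip over: decryption only works for client sessions whose EAPOL 4-way handshake is present in the capture, and the key must be entered with type `wpa-pwd` as `passphrase:SSID` (or `wpa-psk` with the 64-hex PSK) with "Enable decryption" ticked in the IEEE 802.11 preferences. Stating both in steps 2 and 3 would make the procedure reproducible.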
@@ -932,6 +958,8 @@ Some consumer IoT relays/controllers keep the commissioning **open AP** active a For persistence, leave the commissioning AP enabled. +TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals) + ## References - [https://www.pentestpartners.com/security-blog/shelly-iot-door-controller-config-fail-leaving-your-garage-home-and-security-exposed/](https://www.pentestpartners.com/security-blog/shelly-iot-door-controller-config-fail-leaving-your-garage-home-and-security-exposed/) @@ -950,9 +978,6 @@ For persistence, leave the commissioning AP enabled. - [3GPP TS 33.402 – 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses](https://www.3gpp.org/ftp/Specs/archive/33_series/33.402/) - [Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 (Synacktiv)](https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html) - [PEAP relay attacks with wpa_sycophant (SensePost)](https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/) - - -TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals) +- [0xdf - HTB: AirTouch](https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html) {{#include ../../banners/hacktricks-training.md}} -
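Review bot: the relocated `TODO: Take a look to ...wifiphisher...` line is still an untranslated mixed-language note with a spelling error ("imitacionde" for "imitación de") and now renders in the page body directly above `## References`; either translate it ("login with Facebook and WPA imitation in captive portals"), fix the spelling and turn it into a proper sentence, or drop it instead of moving it, since a TODO in the published page reads as unfinished content.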
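Review bot: the new reference `[0xdf - HTB: AirTouch](https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html)` uses a different format from its neighbours, which put the source in parentheses after the title (e.g. `[PEAP relay attacks with wpa_sycophant (SensePost)]`); `[HTB: AirTouch (0xdf)](...)` would match. Nothing in the section added by the first hunk points at this entry, so a reader cannot tell which part of the page it supports; a short mention there would tie the two together. Removing the trailing blank line after the `{{#include}}` is fine.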