33 changes: 29 additions & 4 deletions src/generic-methodologies-and-resources/pentesting-wifi/README.md
Expand Up @@ -437,6 +437,32 @@ apt-get install pyrit #Not working for newer versions of kali
pyrit -r psk-01.cap analyze
```

### Join the cracked WLAN and decrypt captured traffic

Once the PSK is known, join the SSID from a clean interface and request a lease to start interacting with the internal segment:

```bash
wpa_passphrase CorpWifi 'SuperSecretPassphrase' > /tmp/corpwifi.conf
wpa_supplicant -B -i wlan2 -c /tmp/corpwifi.conf
dhclient -v wlan2
ip addr show wlan2
```

This is useful when you need direct access to the Wi-Fi-only subnet after recovering the password from a handshake.

If you also captured the original 802.11 traffic, the PSK can be reused to decrypt application data in Wireshark:

1. Open the capture in Wireshark.
2. Go to `Edit --> Preferences --> Protocols --> IEEE 802.11`.
3. Add the recovered PSK in **Decryption Keys**.
4. Filter plaintext protocols such as `http` and inspect interesting flows with **Follow TCP Stream**.

This commonly exposes session identifiers, internal hostnames, and sensitive requests if the WLAN relies on WPA2-PSK but the application itself still uses plaintext HTTP. Replaying the recovered cookie may be enough for session hijacking, and client-controlled authorization cookies can often be tampered with further. Check the cookie abuse techniques in:

{{#ref}}
../../pentesting-web/hacking-with-cookies/README.md
{{#endref}}

#### Faster online PSK guessing via `wpa_supplicant` ctrl socket (no clients/PMKID)

When no clients are around and the AP refuses PMKID, you can iterate PSKs online without respawning supplicants:
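Review bot: The Wireshark steps (items 1-4) omit the prerequisite that the capture must contain the client's EAPOL 4-way handshake; Wireshark derives each session's PTK from that exchange plus the PSK, so data frames from a session whose handshake was not recorded stay encrypted even with the correct key entered. Suggest adding that note, the key syntax the dialog expects (`wpa-pwd:SuperSecretPassphrase:CorpWifi` or `wpa-psk:<64 hex chars>`), and that "Enable decryption" must be ticked in the IEEE 802.11 preferences. On the shell block, `wpa_passphrase` writes the plaintext passphrase as a `#psk="..."` comment next to the derived key, so `/tmp/corpwifi.conf` created with the default umask leaves the recovered credential readable to other local users; writing it under a mode-600 path (or stripping the comment line) would be safer. ISC DHCP, which provides `dhclient`, is end-of-life, so mentioning `dhcpcd` or `nmcli` as an alternative would help readers on images that no longer ship it.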
Expand Down Expand Up @@ -932,6 +958,8 @@ Some consumer IoT relays/controllers keep the commissioning **open AP** active a

For persistence, leave the commissioning AP enabled.

TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)

## References

- [https://www.pentestpartners.com/security-blog/shelly-iot-door-controller-config-fail-leaving-your-garage-home-and-security-exposed/](https://www.pentestpartners.com/security-blog/shelly-iot-door-controller-config-fail-leaving-your-garage-home-and-security-exposed/)
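Review bot: The relocated TODO line keeps the Spanish parenthetical and the typo in `imitacionde` (and "Take a look to" should be "Take a look at"); since the rest of the page is English, rewrite it while moving it, e.g. `TODO: Take a look at https://github.com/wifiphisher/wifiphisher (Facebook login and WPA imitation in captive portals)`. Also worth asking whether a maintainer TODO belongs in the rendered body at all; an HTML comment or a tracking issue would keep it out of the published page.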
Expand All @@ -950,9 +978,6 @@ For persistence, leave the commissioning AP enabled.
- [3GPP TS 33.402 – 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses](https://www.3gpp.org/ftp/Specs/archive/33_series/33.402/)
- [Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 (Synacktiv)](https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html)
- [PEAP relay attacks with wpa_sycophant (SensePost)](https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/)


TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
- [0xdf - HTB: AirTouch](https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html)

{{#include ../../banners/hacktricks-training.md}}