
CYBERSEC LAB

VIRTUAL PENETRATION TESTING ENVIRONMENT
MODULE 7 — WI-FI CRACKING & NETWORK INTRUSION

ASSIGNMENT GOALS

1. Enable monitor mode on the wireless adapter.
2. Scan for networks and identify the target SSID and BSSID.
3. Capture the WPA2 4-way handshake.
4. Crack the handshake password using aircrack-ng.
5. Connect to the target WiFi network.
6. Retrieve the flag from the router admin page and submit it via the Incident Report.

MISSION BRIEFING

Operation: AirStrike  |  Phase Count: 4
SCENARIO
You have been contracted to perform a wireless penetration test on a target organization — Apex Systems Inc.

A wireless adapter has been placed into the target environment and is available to you in monitor mode. Your objective is to capture a WPA2 handshake from the corporate WiFi network, crack the password using a dictionary attack, and gain access to the internal network to retrieve a flag from the router admin panel.

Use only the tools available. Document your findings in Notepad.
PHASE OVERVIEW
1. RECON — Enable monitor mode and scan for nearby WiFi networks using airodump-ng.
2. CAPTURE — Focus on the target BSSID and force a WPA2 handshake using a deauth attack.
3. CRACK — Run aircrack-ng against the captured handshake using the provided wordlist.
4. INTRUDE — Connect to the network and access the internal router admin panel to retrieve the flag.
TOOLS AVAILABLE
Terminal — airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, iwconfig, ifconfig, connect
Web Browser — access internal resources once connected to the network
Notepad — record findings during the engagement
TARGET INFO
Target SSID — ApexCorp_Office (discover via scan)
Encryption — WPA2-PSK
Wordlist — wordlist.txt (pre-loaded on system)
ROUTER ADMIN PAGE — ProRouter X200  |  Firmware 4.2.1

WIRELESS STATUS

SSID — ApexCorp_Office
Band — 2.4 GHz / 5 GHz
Channel — 6
Security — WPA2-PSK ⚠
BSSID — AA:BB:CC:DD:EE:FF
Clients — 3 connected

NETWORK STATUS

WAN IP — 203.0.113.45
LAN IP — 192.168.50.1
Subnet — 255.255.255.0
Your IP — 192.168.50.105
DNS — 8.8.8.8
Uptime — 14d 6h 22m
⚑ CAPTURE THE FLAG — ROUTER ADMIN ACCESS CONFIRMED
FLAG{w1f1_cr4ck_4ir0dump_0wn3d}
⚠ Security Notice: This router is using WPA2-PSK with a weak passphrase. Upgrade to WPA3 or enforce a stronger password policy. The use of default or dictionary-based passwords represents a critical security risk.
INCIDENT REPORT — FLAG SUBMISSION
📡 WiFi Cracking — Operation AirStrike
Connect to the target network, access the router admin panel, retrieve the flag, and paste it below to complete the engagement.
REFERENCE MANUAL — WI-FI CRACKING
WORKFLOW OVERVIEW
The standard WPA2 cracking process follows 4 phases:
1. Enable monitor mode  →  2. Scan & capture handshake  →  3. Crack password  →  4. Connect
PHASE 1 — MONITOR MODE (airmon-ng)
iwconfig — check wireless interfaces
airmon-ng check kill — kill interfering processes
airmon-ng start wlan0 — enable monitor mode → wlan0mon
airmon-ng stop wlan0mon — disable monitor mode
PHASE 2 — CAPTURE HANDSHAKE (airodump-ng + aireplay-ng)
# Step 1: Scan all networks
airodump-ng wlan0mon

# Step 2: Focus on target BSSID + channel
airodump-ng -c <CH> --bssid <BSSID> -w capture wlan0mon

# Step 3: Force client reconnect (deauth attack)
aireplay-ng --deauth <count> -a <BSSID> wlan0mon
The deauth attack disconnects clients from the AP, forcing them to re-authenticate and generating the WPA2 4-way handshake.
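The burst of deauthentication frames described above is also the signal a wireless IDS watches for. The following Python is an added example, not part of the lab page or its tooling: it flags a deauth flood in a constructed management-frame log. The log format, the threshold, and the sample frames are assumptions made for illustration.

```python
"""Flag a deauthentication flood in a constructed 802.11 management-frame log.
Added example; log format "<epoch> <subtype> <src-mac> <dst-mac> <reason>" is assumed."""
from collections import defaultdict

DEAUTH_THRESHOLD = 5   # deauth frames from one sender within WINDOW_SECONDS (assumed tuning)
WINDOW_SECONDS = 1.0
BROADCAST = "FF:FF:FF:FF:FF:FF"
# Constructed sample: one legitimate client deauth (reason 3, station leaving), then a
# burst of broadcast deauths carrying the AP's BSSID as source, i.e. a forced reconnect.
SAMPLE_LOG = """\
1700000000.10 beacon AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF -
1700000000.30 data   11:22:33:44:55:66 AA:BB:CC:DD:EE:FF -
1700000000.80 deauth 11:22:33:44:55:66 AA:BB:CC:DD:EE:FF 3
1700000002.00 deauth AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF 7
1700000002.05 deauth AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF 7
1700000002.10 deauth AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF 7
1700000002.15 deauth AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF 7
1700000002.20 deauth AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF 7
1700000002.25 deauth AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF 7
1700000003.00 data   11:22:33:44:55:66 AA:BB:CC:DD:EE:FF -
"""

def parse_log(text):
    """Return (timestamp, subtype, src, dst, reason) tuples with upper-cased MACs."""
    frames = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, subtype, src, dst, reason = line.split()
            frames.append((float(ts), subtype, src.upper(), dst.upper(), reason))
    return frames

def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """One alert per sender whose deauth count inside a sliding window reaches threshold."""
    by_src = defaultdict(list)
    for ts, subtype, src, dst, _ in frames:
        if subtype == "deauth":
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:    # drop frames older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:   # broadcast deauths hit every client at once: stronger signal
            alerts.append({"bssid": src, "peak_per_window": peak,
                           "broadcast": any(dst == BROADCAST for _, dst in events)})
    return alerts
```

On the mitigation side, enabling 802.11w (Protected Management Frames) makes clients discard unauthenticated deauthentication frames, so a burst like the sample never triggers a reconnect.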
PHASE 3 — CRACK PASSWORD (aircrack-ng)
aircrack-ng capture.cap -w wordlist.txt
A dictionary attack tests each word in the wordlist as a potential WPA2 passphrase. Weak/common passwords like password123 are cracked in seconds. (On a real system, airodump-ng -w capture numbers its output files, so the capture is named capture-01.cap rather than capture.cap.)
PHASE 4 — CONNECT TO NETWORK
# Connect using cracked password
iwconfig wlan0 essid "SSID" key PASSWORD

# Verify IP assignment
ifconfig
Note: this form is accepted by the lab shell. On a real system the iwconfig key option only sets WEP keys; a WPA2-PSK association is made with wpa_supplicant (a wpa_passphrase-generated config) or a network manager such as nmcli, after the monitor-mode interface has been stopped with airmon-ng stop wlan0mon.
AIRODUMP-NG OUTPUT GUIDE
COLUMN — MEANING
BSSID — MAC address of the access point
PWR — Signal strength (closer to 0 = stronger)
CH — WiFi channel (1–13 for 2.4GHz)
ENC — Encryption type (WPA2, WPA, WEP, OPN)
ESSID — Network name (SSID)
STATION — MAC of connected client device
WPA2 4-WAY HANDSHAKE EXPLAINED
When a client connects to a WPA2 network, a 4-message exchange occurs between the client and access point to derive encryption keys. This handshake contains enough information to perform an offline dictionary attack — no connection to the AP is needed after capture.

The handshake is captured passively (client reconnects naturally) or actively via a deauthentication attack that forces clients to reconnect immediately.
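Why the captured handshake can be attacked offline: every candidate passphrase maps to a pairwise master key (PMK) through a fixed, cheap derivation, and the passphrase's entropy is the only thing standing between a wordlist and the key. The Python below is an added example, not code from the lab; it implements the IEEE 802.11 PMK derivation, checks it against the standard's own test vector, and uses the lab SSID only as a salt string. The rate measurement is an assumption about the local machine.

```python
"""Derive the WPA2-PSK pairwise master key (PMK) the way a supplicant and AP do.
Added example, not part of the lab page. The derivation is the IEEE 802.11 one
(PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit key)."""
import hashlib
import time

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so a precomputed table only works for one network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def derivations_per_second(ssid: str, samples: int = 20) -> float:
    """Single-core cost of the derivation here: what one wordlist entry costs an attacker."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"sample-{i:08d}", ssid)   # constructed inputs, not a wordlist
    return samples / (time.perf_counter() - t0)

def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to exhaust every passphrase of the given length at `rate` derivations/second.
    Dictionary words are a vanishing fraction of this space, which is why they fall fast."""
    return alphabet_size ** length / rate

if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    rate = derivations_per_second("ApexCorp_Office")
    print(f"{rate:.0f} PMK derivations/s on one core here")
    print(f"8 lowercase letters: {worst_case_seconds(26, 8, rate):.0f} s worst case")
    print(f"12 mixed characters: {worst_case_seconds(62, 12, rate):.2e} s worst case")
```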