I have a bit of a feature request for all wireless assessment tools out there:
Many times before arriving on site for an assessment, I’ll know the ESSIDs of a target wireless network for a client. Getting channels and BSSIDs isn’t usually an option. Also, many times during the assessment I’m performing there are physical aspects to it, like guards or cameras, so sitting down in the lobby and typing out commands to De-auth that client or BSSID isn’t really great OPSEC. SO this is my ask:
Please make a mode or setting where I can specify a ESSID ahead of time (so I am only targeting the client networks I know of) that I can just leave running on a RaspberryPI or other small device + wireless card in my backpack. This mode would then search for WPA-PSK APs with that name, find ones with clients on it by hopping, deauth and try to capture the handshake, but would then go-back to hopping after a few minutes if failing (as I’m probably walking around the inside and outside of the building). A nice to have would that it would then exclude that network from the list provided and move on. Possibly also going after the ones with the most clients in the list automatically would be a plus as well.
The end result would be that I would have a couple WPA handshakes that I could then crack off-line just by walking around the building doing other things.
The key to this whole thing is not to get stuck on a single BSSID or client, and be able to reliably move on to another channel, BSSID or target ESSID without interaction. Let the WPA Handshake Hunting begin!