When Wi-Fi Encryption Fails Protecting Your Enterprise from ...#2157
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://unit42.paloaltonetworks.com/air-snitch-enterprise-wireless-attacks/
Content Categories: Based on the analysis, this content was categorized under "Pentesting Wifi (new page/subsection for "Enterprise Wi‑Fi Client Isolation Bypasses / AirSnitch primitives"; cross-link from "Pentesting Network" and possibly from spoofing/MitM sections)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title / context
Unit 42 summarizes research presented at NDSS Symposium 2026 introducing AirSnitch: a set of enterprise Wi‑Fi meddler‑in‑the‑middle (MitM) primitives that break the common assumption that WPA2/WPA3 (including WPA2/3‑Enterprise) + “client isolation” prevents client‑to‑client interception/injection. The key idea is that even if over‑the‑air payloads are encrypted, attackers can exploit protocol–infrastructure interactions across encr...
🔧 Technical Details
Shared-key abuse for injection (GTK misuse): In WPA, the four-way handshake distributes a shared Group Temporal Key (GTK) to all clients in the same BSSID to support multicast/broadcast. If an attacker can obtain the GTK (e.g., by modifying wpa_supplicant to extract it), they can encrypt attacker-crafted 802.11 multicast/broadcast frames with GTK but embed unicast IP payloads destined for a victim. This turns group-key support into a client-isolation bypass, enabling packet injection on WPA2/WPA3-Enterprise networks.
L2-only isolation bypass via routing (Gateway Bouncing): If an AP enforces client isolation at Layer 2 (e.g., hostapd ap_isolate=1) but not at Layer 3, an attacker can send frames to the gateway’s MAC (permitted) while setting the vi...
🤖 Agent Actions
I’m mapping the repository first, then I’ll read the existing Wi-Fi and network pages to decide whether this belongs in an existing Wi-Fi page or needs a new page.
I found the obvious candidate sections. Next I’m reading the existing Wi-Fi and network pages in detail to avoid duplicating techniques that HackTricks already covers.
The network README already has a generic L3 private-VLAN bypass, but not the enterprise Wi-Fi specifics from AirSnitch. I’m checking whether the Wi-Fi page already covers GTK misuse, broadcast reflection, or port-stealing before deciding on a single-file edit.
I’ve confirmed the main gap: HackTricks covers WPA cracking, evil twins, and a generic routed private-VLAN bypass, but not the enterprise Wi-Fi client-isolation bypass primitives introduced here. I’m checking the Wi-Fi page’s ending structure so I can insert one concise subsection and update references in the same file only.
I’ve settled on a single-file update in the Wi-Fi methodology page. The addition will sit under the WPA-Enterprise section because these are not generic network MITM tricks; they are enterprise Wi-Fi client-isolation bypass primitives that depend on WPA/BSSID/AP behavior.
The edit is in place. I’m doing a final pass on the rendered section and the diff to make sure the insertion point, references, and single-file constraint are all clean.
Updated `src/generic-methodologies-and-resources/pentesting-wifi/README.md` with a new WPA Enterprise (MGT) subsection for AirSnitch-style enterprise Wi-Fi client-isolation bypasses. I kept it to one file and focused on the parts HackTricks was missing: Gateway Bouncing, Port Stealing, GTK misuse, Broadcast Reflection, chaining into full MitM, and concise detection/hardening notes. I also added the Unit 42 blog and NDSS paper to the existing `## References` section. No new page was created because the Wi-Fi methodology page was the best fit, and the generic routed-isolation angle was already partially covered in the network README.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
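The two primitives in the Technical Details above (GTK misuse and Gateway Bouncing) share a detectable signature once frames are visible in the clear, for example on the AP/controller after decryption or on the wired side of the gateway. The following is an added example, not code from the Unit 42 post, the NDSS paper or the HackTricks page: a small detector over constructed frame summaries. The topology (WLAN 10.20.0.0/24, gateway 10.20.0.1 at 00:11:22:33:44:01), the frame-summary shape and the sample frames are all assumptions made for the illustration; the checks themselves follow directly from the two primitives: a frame whose 802.11 destination is the gateway but whose IP destination is another station on the same isolated WLAN (the gateway would hairpin-route it back), and a group-addressed frame (encrypted with the shared GTK) that carries a unicast IP destination.

```python
import ipaddress
from typing import Optional

# Constructed topology for the example (assumption, not from the original post).
GATEWAY_MAC = "00:11:22:33:44:01"
GATEWAY_IP = ipaddress.ip_address("10.20.0.1")
WLAN_SUBNET = ipaddress.ip_network("10.20.0.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_group_mac(mac: str) -> bool:
    """True for broadcast/multicast MACs: the I/G bit is the LSB of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(frame: dict) -> Optional[str]:
    """Label one decrypted frame summary, or return None if it looks benign.

    frame keys (hypothetical summary format): src_mac, dst_mac, src_ip, dst_ip.
    Only IP-carrying frames are expected here; ARP etc. would need their own rule.
    """
    dst_mac = frame["dst_mac"].lower()
    src_ip = ipaddress.ip_address(frame["src_ip"])
    dst_ip = ipaddress.ip_address(frame["dst_ip"])

    # Gateway Bouncing: L2 destination is the gateway (which ap_isolate=1 permits),
    # but the L3 destination is another client in the same WLAN subnet, so a
    # gateway without an L3 hairpin rule would route the packet straight back
    # into the "isolated" segment.
    if (dst_mac == GATEWAY_MAC
            and src_ip in WLAN_SUBNET
            and dst_ip in WLAN_SUBNET
            and dst_ip != GATEWAY_IP):
        return "gateway-bounce"

    # GTK misuse: a group-addressed 802.11 frame (necessarily protected with the
    # shared GTK) should carry a broadcast or multicast IP destination. A unicast
    # IP destination inside a group frame is the injection pattern from the post.
    if is_group_mac(dst_mac) and not (
            dst_ip.is_multicast
            or dst_ip == WLAN_SUBNET.broadcast_address
            or dst_ip == LIMITED_BROADCAST):
        return "gtk-unicast-in-group-frame"

    return None


def scan(frames):
    """Return (index, label) for every frame that matches a rule."""
    return [(i, label) for i, f in enumerate(frames) if (label := classify(f))]


# Constructed sample traffic (not real captures).
SAMPLE_FRAMES = [
    # 0: normal client -> Internet via gateway
    {"src_mac": "aa:bb:cc:00:00:10", "dst_mac": GATEWAY_MAC,
     "src_ip": "10.20.0.10", "dst_ip": "8.8.8.8"},
    # 1: legitimate subnet broadcast (e.g. DHCP/NetBIOS style)
    {"src_mac": "aa:bb:cc:00:00:10", "dst_mac": "ff:ff:ff:ff:ff:ff",
     "src_ip": "10.20.0.10", "dst_ip": "10.20.0.255"},
    # 2: legitimate mDNS multicast
    {"src_mac": "aa:bb:cc:00:00:10", "dst_mac": "01:00:5e:00:00:fb",
     "src_ip": "10.20.0.10", "dst_ip": "224.0.0.251"},
    # 3: Gateway Bouncing: gateway MAC, but victim's IP on the same WLAN
    {"src_mac": "aa:bb:cc:00:00:66", "dst_mac": GATEWAY_MAC,
     "src_ip": "10.20.0.66", "dst_ip": "10.20.0.10"},
    # 4: GTK misuse: broadcast 802.11 frame wrapping a unicast IP packet
    {"src_mac": "aa:bb:cc:00:00:66", "dst_mac": "ff:ff:ff:ff:ff:ff",
     "src_ip": "10.20.0.66", "dst_ip": "10.20.0.10"},
    # 5: client talking to the gateway itself (benign)
    {"src_mac": "aa:bb:cc:00:00:10", "dst_mac": GATEWAY_MAC,
     "src_ip": "10.20.0.10", "dst_ip": "10.20.0.1"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: {label}")
```

The gateway-bounce rule is also the hardening checklist: `ap_isolate=1` in hostapd only filters at L2, so the gateway must additionally refuse to forward traffic from the WLAN segment back into the same segment (on a Linux gateway, for instance, a `FORWARD` rule that drops packets with both ingress and egress interface set to the WLAN interface). The GTK rule has no equivalent isolation fix, because every station legitimately holds the GTK; it is a detection signal, not a blocking control.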