Windows 10 wireless hacking

Windows has some built-in wireless tools that can help you figure out wireless.  On a Windows Server or Windows 7, 8 or 10 machine, type this at a command prompt:

netsh wlan show networks mode=bssid

You get a list of nearby networks, the channel each one is operating on, and the supported speeds, plus details of the encryption, if any.  This is a bit of a weakness with wireless encryption; I don't know why the industry agreed to display details of the encryption method!  If you don't know the network, you have no business connecting to a secured one.  Why show that it uses WPA2-Enterprise, or just WPA?  It is good for tech support people who were left in the dark with no documentation on their network.

Need to know wireless signal strength?  The NETSH command will show you.  Note that it seems to read a cache of networks that may be a few seconds or even more than a minute old, so the NETSH command does NOT appear to refresh the list of available networks.  Or if it does, you will have to run it again to see the updated list.

Wireless survey?  Copy the script below and save it as survey.bat.  Run it as survey.bat name, where name identifies the survey area.  It is a Windows batch script that records basic wireless survey data as you drive around (or walk around) your survey area:

@echo off
REM Loops the netsh command for a basic wireless survey. Run with
REM >survey.bat hallway to make a survey of the hallway. Then hit Ctrl-C, then
REM do the next survey with >survey.bat arena. The files data_arena.txt and data_hallway.txt
REM are created with the wireless data. The ping with payload checks for a network connection,
REM if you have one. Drops in pings with payload show weak signal to the associated network SSID.
REM Rod Deluhery 2019
REM The original script gave ping no target host. Pass the host to ping as the second
REM argument; PING_TARGET_HOST below is only a placeholder to replace if you omit it.
set TARGET=%~2
if "%TARGET%"=="" set TARGET=PING_TARGET_HOST
echo Hit Ctrl-C to stop the survey. Survey data will be in data_%1.txt
:loop
netsh wlan show networks mode=bssid >> data_%1.txt
ping -l 500 %TARGET% >> data_%1.txt
goto loop

Example netsh output.  Notice this public Wi-Fi has four BSSID MAC addresses, which probably means there are four (4) access points, or maybe two access points with dual radios.  But why different BSSIDs all on the same channel (channel 11)?  Interference!  Actually, channel 11 is in the 2.4 GHz band and travels farther than 802.11a radio signals at 5 GHz.  NETSH simply was not showing the 802.11a radio signals because they were too weak.  Another scan, done closer to the venue, showed 802.11 channels in both bands (2.4 GHz and 5 GHz).

Network type : Infrastructure
Authentication : Open
Encryption : None
BSSID 1 : 3a:18:0a:28:0c:ae
Signal : 31%
Radio type : 802.11n
Channel : 11
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 2 : 3a:18:0a:28:0f:e2
Signal : 35%
Radio type : 802.11n
Channel : 11
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 3 : 3a:18:0a:28:0c:22
Signal : 31%
Radio type : 802.11n
Channel : 6
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 4 : 3a:18:0a:28:0f:ce
Signal : 31%
Radio type : 802.11n
Channel : 11
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54

Note that the BSSIDs listed here do not map to any specific vendor.  Several wireless devices do this: they generate random MAC addresses.  I noticed that my iPhone hotspot also does this and creates a random MAC address.  Why?  It prevents anyone from looking up the equipment vendor from the address.  You can look up a vendor from a MAC address using a website like this:
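As an added example (not code from the original post), here is a small Python script that reads the netsh output quoted above, or a data_name.txt file produced by the survey script, and answers the two questions raised on this page: how many BSSIDs share a channel (several on one channel compete for airtime, which is the interference question), and whether a BSSID is a randomised address. The random-MAC check uses the locally administered (U/L) bit, bit 1 of the first octet, which is set in every 3a:... address above; an OUI vendor lookup is meaningless for such addresses. SAMPLE is the page's own netsh output; the SSID line in it is constructed, because the quote omits it.

```python
"""Summarise `netsh wlan show networks mode=bssid` output (added example)."""
import re
import sys
from collections import Counter

# The netsh output quoted on the page; the SSID line is constructed.
SAMPLE = """\
SSID 1 : ExampleVenueWiFi
Network type : Infrastructure
Authentication : Open
Encryption : None
BSSID 1 : 3a:18:0a:28:0c:ae
Signal : 31%
Radio type : 802.11n
Channel : 11
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 2 : 3a:18:0a:28:0f:e2
Signal : 35%
Radio type : 802.11n
Channel : 11
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 3 : 3a:18:0a:28:0c:22
Signal : 31%
Radio type : 802.11n
Channel : 6
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54
BSSID 4 : 3a:18:0a:28:0f:ce
Signal : 31%
Radio type : 802.11n
Channel : 11
Basic rates (Mbps) : 11
Other rates (Mbps) : 6 9 12 18 24 36 48 54
"""

SSID_RE = re.compile(r"^\s*SSID\s+\d+\s*:\s*(.*?)\s*$")
BSSID_RE = re.compile(r"^\s*BSSID\s+\d+\s*:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*$")
FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")   # generic "key : value" line


def parse_netsh(text):
    """Return one dict per BSSID: ssid, auth, encryption, bssid, signal, channel, radio."""
    aps, network, current = [], {}, None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:                       # new SSID block; its auth/encryption apply to all its BSSIDs
            network, current = {"ssid": m.group(1)}, None
            continue
        m = BSSID_RE.match(line)
        if m:
            current = dict(network, bssid=m.group(1).lower())
            aps.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m:                   # ping output and blank lines fall through here or are ignored below
            continue
        key, value = m.group(1).lower(), m.group(2)
        if current is None:         # network-level lines precede the first BSSID
            if key == "authentication":
                network["auth"] = value
            elif key == "encryption":
                network["encryption"] = value
        elif key == "signal":
            current["signal"] = int(value.rstrip("%"))
        elif key == "channel":
            current["channel"] = int(value)
        elif key == "radio type":
            current["radio"] = value
    return aps


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set: a locally assigned or
    randomised address, so an OUI vendor lookup tells you nothing."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def band(channel):
    """Channels 1-14 are 2.4 GHz; higher channel numbers are 5 GHz."""
    return "2.4 GHz" if channel <= 14 else "5 GHz"


def channel_census(aps):
    """How many BSSIDs were heard on each channel."""
    return dict(Counter(ap["channel"] for ap in aps))


def co_channel(aps):
    """Channels shared by more than one BSSID, with the BSSIDs competing on them."""
    by_channel = {}
    for ap in aps:
        by_channel.setdefault(ap["channel"], []).append(ap["bssid"])
    return {ch: macs for ch, macs in by_channel.items() if len(macs) > 1}


def strongest(aps):
    """The BSSID with the best reported signal."""
    return max(aps, key=lambda ap: ap["signal"])


def report(aps):
    lines = []
    for ap in aps:
        flag = "random/local MAC" if is_locally_administered(ap["bssid"]) else "vendor OUI"
        lines.append(f"{ap.get('ssid', '?'):<18} {ap['bssid']}  ch {ap['channel']:>3} ({band(ap['channel'])})"
                     f"  {ap['signal']:>3}%  {ap.get('auth', '?')}/{ap.get('encryption', '?')}  {flag}")
    for ch, macs in co_channel(aps).items():
        lines.append(f"co-channel: {len(macs)} BSSIDs on channel {ch}: {', '.join(macs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # python netsh_summary.py data_hallway.txt  (survey file), or no argument for SAMPLE
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print(report(parse_netsh(text)))
```

Run against a survey file, each netsh scan in the file is parsed in turn, so a BSSID seen in ten scans appears ten times; the interleaved ping lines contain colons but never match the signal, channel or radio keys and are simply skipped. For the quoted output the report lists three BSSIDs competing on channel 11 and marks all four addresses as locally administered, which is exactly why they resolve to no vendor.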

Hope this makes you awesome, now that you have some deep technical skills.  You go.  Go deep.

Copyright 2019 Rod Deluhery
