N-ARP-RECON · Reconnaissance
ARP Sweep / LAN Discovery
arp-scan / netdiscover map the local broadcast domain — first move on a fresh foothold.
§ Where this technique fits
N-ARP-RECON is catalogued under the Reconnaissance tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 1.3 on average.
§ Dossiers chaining this technique
- step 1 / 5: Evil twin + captive portal → credential harvest
  Spoof the corporate SSID with a stronger signal and a captive portal that looks like the company AD login. Auto-connecting clients submit creds to the attacker page.
- step 1 / 6: WPA2-PSK handshake capture + crack → LAN access
  Deauth a connected client to force re-association, capture the 4-way handshake with airodump-ng, crack the PSK offline with hashcat.
- step 2 / 6: 802.1X NAC bypass via printer MAC spoof
  Plug into the LAN, sniff a printer / IP-phone MAC, clone it on your laptop, get full LAN access via MAC-Auth-Bypass — bypass NAC entirely.
§ What commonly comes next
- 01 · Deauthentication DoS · seen 1× · WIFI-DEAUTH · Impact
- 02 · Evil Twin / Rogue AP · seen 1× · WIFI-EVIL-TWIN · Initial Access
- 03 · NAC Bypass via MAC Spoof · seen 1× · N-NAC-BYPASS-MAC · Defense Evasion