WiFi Penetration Testing Guide
1. Basic commands

Set environment variable
Check interface mode
Check interface status
Set monitor mode

List networks
  Set monitor mode
  Run Airodump-ng

Deauthentication
  Only one client
  An Access Point (= all the clients in the AP)

Get hidden SSID with clients
  List networks: List the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Do not stop the capture.
  Deauthenticate: In another terminal, deauthenticate a client or all of them. When Airodump-ng captures a handshake from this network, the name or ESSID will appear in the first terminal:

Get hidden SSID without clients
  List networks: List the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Do not stop the capture.
  2.a. Execute a dictionary attack
  2.b. Or execute a bruteforce attack. For the character set it is possible to use l (lowercase letters), u (uppercase letters), n (numbers), c (lowercase+uppercase), m (lowercase+uppercase+numbers) or a (all printed characters).

2. Open networks

2.1. Captive portals

2.1.1. Fake captive portals
Clone a website using HTTrack.
Install Wifiphisher. Add the HTTrack result in a new folder in wifiphisher/data/phishing-pages/new_page/html and a configuration file in wifiphisher/data/phishing-pages/new_page/config.ini.
Recompile the project using python setup.py install or the binary in bin. This command works correctly in the latest Kali release after installing hostapd:

2.1.2. Bypass 1: MAC spoofing
The first method to bypass a captive portal is to change your MAC address to the one of an already authenticated user.
Scan the network and get the list of IP and MAC addresses. You can use:
  nmap
Change your IP and MAC addresses. You can use:
  macchanger
  A custom script like this (Bash)
Also, you can use scripts to automate the process like:

2.1.3. Bypass 2: DNS tunnelling
A second method is creating a DNS tunnel. For this, it is necessary to have an accessible DNS server of your own. You can use this method to bypass the captive portal and get "free" Wifi in hotels, airports...
Create 2 DNS records (in Digital Ocean, Afraid.org...):
  One "A record": dns.$DOMAIN pointing to $SERVER_IP (Example: dns.domain.com 139.59.172.117)
  One "NS record": hack.$DOMAIN pointing to dns.$DOMAIN (Example: hack.domain.com dns.domain.com)
Check that the domain names are resolved:
Execution in the server
Execution in the client
Create the tunnel
Check if it works correctly in here

2.2. Man in the Middle attack
Once you are in the network, you can test if it is vulnerable to Man in the Middle attacks.
ARP Spoofing attack using Ettercap
Sniff the traffic using Wireshark or TCPdump
Analyze the traffic using PCredz (Linux) or Network Miner (Windows)

3. WEP cracking
Start capture
Accelerate the IV capture using Fake authentication + ARP Request Replay Attack + Deauthenticate user. Stop Airodump at ~100.000 different IVs
Crack the password using Aircrack-ng

4. WPA2-PSK cracking

4.1. Cracking the 4-way handshake
Start capture
Deauthenticate a user. Stop the airodump capture when you see the message 'WPA handshake: $MAC'
Option 1: Crack the handshake using Aircrack-ng. You can get wordlists from here.
Option 2: Crack the handshake using Pyrit

4.2. PMKID attack
You can use this script or follow these steps:
1. Install Hcxdumptool and Hcxtools (you can use this script).
2. Stop Network Manager
3. Capture PMKID
3a. If you want to attack a specific MAC address: create a text file ($FILTER_FILE) and add the MAC address without ":". You can use sed and redirect the output to a file:
4. Create $HASH_FILE. The structure of each line is: PMKID * ROUTER MAC * STATION MAC * ESSID (the ESSID is hex-encoded; check at: https://www.rapidtables.com/convert/number/hex-to-ascii.html)
5. Crack it using Hashcat (option 16800)

4.3. AP-less attack
If you have access to a client device with the Wifi connection turned on but there is no network around, you can still attack that network if the client device has previously connected to it.
For that, you have to create a Fake Access Point using hostapd with a configuration file like this one, with any password but the same network name. Create the fake network; the client device will try to connect to it and you get the 4-way handshake as in section 4.1 of this guide.

5. WPA2-Enterprise

5.1 Fake Access Points

Virtual machines download

  OS              Platform           Credentials          Size
  Kali 2019.1     VirtualBox (OVA)   root:wifi            5.56 GB
  Ubuntu 16.04.5  VirtualBox (OVA)   ricardojoserf:wifi   3.18 GB
  Kali 2019.1     VMware             root:wifi            4.99 GB
  Ubuntu 16.04.5  VMware             ricardojoserf:wifi   3.25 GB

Local installation
In case you do not want to use the virtual machine, you can install everything using:

Hostapd & Freeradius-wpe
Start the Access Point using:
When a client connects, read the logs with:

Hostapd-wpe

5.2 Brute force

5.3 EAP methods supported
Find supported EAP methods

6. Other attacks

6.1. Krack Attack and Frag Attack
These are two advanced attacks discovered by the great Mathy Vanhoef:
Krack Attack Scripts - Explained in this website
Frag Attack Scripts - Explained in this website

6.2. OSINT

6.3. Wifi Jamming
Wifijammer - This program can send deauthentication packets to both APs and clients.
An example to deauthenticate all the devices except a Fake Access Point:

6.4. Other frameworks
Linux:
Wifi Pumpkin - Framework for Rogue WiFi Access Point Attack
Eaphammer - Framework for Fake Access Points
WEF - Framework for different types of attacks for WPA/WPA2 and WEP, automated hash cracking and more
Windows:
Acrylic - Useful for the recon phase
Ekahau - Useful for Wi-Fi planning
Vistumbler - Useful for wardriving

7. Post-exploitation
Once you are connected to the network

7.1. Attacking the router
Routersploit - Exploitation Framework for Embedded Devices - Test "use scanners/autopwn"

7.2. Types of scanners
Nmap/Zenmap - Security Scanner, Port Scanner, & Network Exploration Tool
Masscan - The faster version of nmap (it can break things, so be careful)
Netdiscover - ARP sniffing. Very useful if the networks are very well segmented

7.3. Spoofing
Ettercap - Check if you can do a MitM attack and sniff all the traffic in the network