Commands

SSID / ESSID = The network name (e.g. Casa_Mario, Vodafone1234).
BSSID = the MAC address of the Access Point (e.g. 00:1A:2B:3C:4D:5E).

Tools

WiFi security auditing tools suite. The Aircrack-ng suite encompasses over 20 tools tailored for auditing Wi-Fi networks (Airmon-ng, Airodump-ng, Airgraph-ng, Aireplay-ng, Airdecap-ng, Aircrack-ng, etc.).

Information

ifconfig [<IFACE>]
iwconfig [<IFACE>]

sudo airmon-ng

Driver Capabilities

iw list

Channel & Frequency

iwlist <IFACE> channel
iwlist <IFACE> frequency | grep Current

sudo ifconfig <IFACE> down
sudo iwconfig <IFACE> channel 64
sudo iwconfig <IFACE> freq "5.52G"
sudo ifconfig <IFACE> up

Interface Strenght

It depends on the region. Exceeding certain limits may be illegal in some countries.

iw reg get

sudo iw reg set US

In many cases, our interface will automatically set its power to the maximum in our region. To set it manually:

sudo ifconfig <IFACE> down
sudo iwconfig <IFACE> txpower 30
sudo ifconfig <IFACE> up

Monitor Mode

sudo ifconfig <IFACE> down
sudo iw <IFACE> set monitor control
sudo ifconfig <IFACE> up

sudo airmon-ng start <IFACE> [<CHANNEL>]
sudo airmon-ng stop <IFACEmon>

# Check for interfering processes
sudo airmon-ng check
# If we encounter problems during our engagement, we can terminate these processes
sudo airmon-ng check kill

Other Modes

sudo ifconfig <IFACE> down
sudo iwconfig <IFACE> mode managed
sudo ifconfig <IFACE> up

We cannot simply set this with the iwconfig utility. Rather, we need what is referred to as a management daemon. This management daemon is responsible for responding to stations or clients connecting to our network. Commonly we would utilize hostapd for this task. As such, we would first want to create a sample configuration.

open.conf

interface=<IFACE>
driver=nl80211
ssid=SSID-Hello-World
channel=2
hw_mode=g

This configuration would simply bring up an open network with the name SSID-Hello-World. With this network configuration, we could bring it up with the following command.

sudo hostapd open.conf

Scan

Available WiFi Networks

iwlist <IFACE> scan |  grep 'Cell\|Quality\|ESSID\|IEEE'

Scanning and Collecting

sudo airodump-ng <IFACEmon> [--write <FILENAME>] [-c <CHANNEL>,<OTHER>]

To scan across all available bands (2.4 GHz and 5 GHz)

sudo airodump-ng <IFACEmon> --band abg

Graph

Starting from an CSV airodump-ng dump.

Illustrates the connections between clients and access points.

sudo airgraph-ng -i <DUMP>.csv -g CAPR -o <OUTPUT>.png

N.B. it will not display any APs without connected clients.

Connect to a network

sudo iwconfig <IFACE> essid <WIFI-NAME>

wep.conf

network={
    ssid="<NAME-NETWORK>"
    key_mgmt=NONE
    wep_key0=3C1C3A3BAB
    wep_tx_keyidx=0
}

sudo wpa_supplicant -c wep.conf -i <IFACE>

Complete the connection setup by obtaining an IP address (-r to remove)

sudo dhclient <IFACE> -r
sudo dhclient <IFACE>

wpa.conf

network={
    ssid="<NAME-NETWORK>"
    psk="<PASSWORD>"
}

sudo wpa_supplicant -c wpa.conf -i <IFACE>

Complete the connection setup by obtaining an IP address

sudo dhclient <IFACE> -r
sudo dhclient <IFACE>

If the network uses WPA3 instead of WPA2, we would need to add key_mgmt=SAE to our wpa_supplicant configuration file to connect to it.

wpa_enterprsie.conf

network={
  ssid="<NAME-NETWORK>"
  key_mgmt=WPA-EAP
  identity="<DOMAIN>\<USER>"
  password="<PASSWORD>"
}

sudo wpa_supplicant -c wpa_enterprsie.conf -i <IFACE>

Complete the connection setup by obtaining an IP address

sudo dhclient <IFACE> -r
sudo dhclient <IFACE>

Decrypting

Eliminate numerous frames from unencrypted capture file that are not relevant to our analysis.

airdecap-ng -b <BSSID> <FILE.pcap>

Cracking

aircrack-ng -S  # Benchmark

Collect enough IVs

sudo airodump-ng --ivs <IFACEmon>

aircrack-ng -K <IVS.ivs>

MAC address spoofing

sudo ifconfig <IFACE> down
sudo macchanger <IFACE> -m 3E:48:72:B7:62:2A
sudo ifconfig <IFACE> up

Attacks

Finding Hidden SSIDs

We can use Deauthentication. we can use aireplay-ng to send deauthentication requests to the client. When the client reconnects to the hidden SSID, airodump-ng will capture the request and reveal the SSID. However, deauthentication attacks do not work on WPA3 networks. Or you can use bruteforce. We can see the length while using airodump-ng.

mdk3

Bruteforce SSIDs. <STYLE> = upper case (u), digits (n), all printed (a), lower and upper case (c), lower and upper case plus numbers (m) sudo mdk3 wlan0mon p -b <STYLE> -c 1 -t <BSSID> sudo mdk3 wlan0mon p -f <WORDLIST> -t <BSSID>

Deauthentication

Test for packet injection

sudo iw dev wlan0mon set channel 1
sudo aireplay-ng --test wlan0mon

Deauthentication attack

sudo aireplay-ng -0 5 -a 00:14:6C:7A:41:81 -c 00:0F:B5:32:31:31 wlan0mon

-0 Deauth Attack, 5 n. pack send (0=continuously), -a Access Point, -c Client.

Last updated 3 months ago

Was this helpful?