Wireless notes - CraigDonkin/Infrastructure GitHub Wiki
- Identify available networks:

```sh
iwlist <interface> scan | grep 'Cell\|Quality\|ESSID\|IEEE'
```

- Create a wpa_supplicant configuration file for the wireless network (one network block per type):

```conf
# WEP
network={
    ssid="<SSID>"
    key_mgmt=NONE
    wep_key0=<key>
    wep_tx_keyidx=0
}

# WPA
network={
    ssid="<SSID>"
    psk="<PSK>"
    # comment out the line below if not WPA3
    key_mgmt=SAE
}

# WPA Enterprise
network={
    ssid="<SSID>"
    key_mgmt=WPA-EAP
    identity="<domain>\<username>"
    password="<password>"
}
```
- Use wpa_supplicant to connect:

```sh
wpa_supplicant -c <config> -i <interface>
```

- Might need to get an IP from dhclient:

```sh
dhclient <interface>
```
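The stanzas above connect, but two of them leave the client exposed: SAE without Protected Management Frames still accepts unauthenticated deauthentication frames, and a WPA-EAP block with no CA check will hand the MSCHAPv2 credentials to any AP that presents a RADIUS certificate (the Evil Twin case covered later in these notes). The following is an added example, not part of the original notes, showing the weak Enterprise stanza next to a hardened one; the option names are real wpa_supplicant keys, while the certificate path, realm and RADIUS domain are placeholders.

```ini
# WPA3-Personal: SAE plus mandatory Protected Management Frames (802.11w),
# so deauthentication/disassociation frames must carry a valid MIC.
network={
    ssid="<SSID>"
    psk="<PSK>"
    key_mgmt=SAE
    ieee80211w=2
}

# WPA2-Enterprise, weak form: no ca_cert and no name check, so the
# supplicant trusts whatever server certificate the AP presents.
network={
    ssid="<SSID>"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="<domain>\<username>"
    password="<password>"
    phase2="auth=MSCHAPV2"
}

# WPA2-Enterprise, hardened form: the RADIUS server certificate must chain
# to the named CA and carry the expected DNS suffix; PMF is required too.
# (<corporate-ca>.pem, <realm> and <radius-server-domain> are placeholders.)
network={
    ssid="<SSID>"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="<domain>\<username>"
    anonymous_identity="anonymous@<realm>"
    password="<password>"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/<corporate-ca>.pem"
    domain_suffix_match="<radius-server-domain>"
    ieee80211w=2
}
```

With `domain_suffix_match` set, wpa_supplicant aborts the TLS tunnel before phase 2 if the certificate name does not match, so the credentials are never sent to a rogue RADIUS server.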
- Alternatively, with NetworkManager (nmcli):

```sh
nmcli radio wifi on
nmcli device wifi connect "<SSID>" password "<password>"
# hidden network, identified by the BSSID of the AP
nmcli device wifi connect <MAC of AP> password <password> hidden yes
```
Wireless security protocols

- Wired Equivalent Privacy (WEP)
  - Outdated
  - Insecure
- WiFi Protected Access (WPA)
  - Temporal Key Integrity Protocol (TKIP)
- WPA2
  - AES
- WPA3
  - Most secure option
- Passphrase complexity
- Configuration
  - Encryption protocols
  - Authentication methods
- Network segregation
  - Infrastructure
  - Clients
MAC Frame

- Management frames
  - Allow the access point and client to control the connection.
  - Beacon Frame
    - Used by the AP to communicate its presence to the client or station
    - Includes information such as the ciphers, auth types and SSID
  - Probe Request & Probe Response
    - Allow the client to discover access points.
  - Authentication Request & Response
    - Used to identify the client to the AP
  - Association/Reassociation Requests
    - Sent after authentication to indicate if the client was able to associate with the AP.
  - Disassociation/Deauthentication
    - Sent from the AP to the client
    - Used to terminate the connection
    - Unless Protected Management Frames (802.11w) are in use these frames are unauthenticated, so spoofed ones can be used to force handshake captures and cause a Denial of Service
| Connection phase | Wireshark filter |
|---|---|
| Beacon frames | (wlan.fc.type == 0) && (wlan.fc.type_subtype == 8) |
| Probe Request frames from the client | (wlan.fc.type == 0) && (wlan.fc.type_subtype == 4) |
| Probe Response frames from the AP | (wlan.fc.type == 0) && (wlan.fc.type_subtype == 5) |
| Authentication Request and Response | (wlan.fc.type == 0) && (wlan.fc.type_subtype == 11) |
| Association Request from the station | (wlan.fc.type == 0) && (wlan.fc.type_subtype == 0) |
| Association Response | (wlan.fc.type == 0) && (wlan.fc.type_subtype == 1) |
| EAPOL (4-way handshake) frames | eapol |
| Disassociation and Deauthentication frames | (wlan.fc.type == 0) && ((wlan.fc.type_subtype == 12) or (wlan.fc.type_subtype == 10)) |
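The filters above all key off the Frame Control field: Wireshark's `wlan.fc.type_subtype` is just the type (bits 2-3 of the first byte) shifted over the subtype (bits 4-7). The following added example, which is not part of the original notes, decodes that byte and the three management-frame addresses, then runs a simple detector over a constructed capture that flags a BSSID sending a burst of deauthentication frames, the Denial-of-Service pattern mentioned in the MAC Frame section. The frames, MAC addresses and timestamps are constructed inline; `detect_deauth_flood` and its threshold are the author's own choices, not a tool's API.

```python
import struct
from collections import Counter, defaultdict, deque

# 802.11 frame types, and the management subtypes that appear in the filter table.
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {
    0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
    4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc",
    11: "auth", 12: "deauth",
}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame_control(frame: bytes) -> dict:
    """Decode the first Frame Control byte: version (bits 0-1), type (2-3), subtype (4-7)."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 0:
        name = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
    else:
        name = FRAME_TYPES.get(ftype, "reserved")
    # Wireshark's wlan.fc.type_subtype packs type and subtype into one value.
    return {"version": fc & 0x3, "type": ftype, "subtype": subtype,
            "type_subtype": (ftype << 4) | subtype, "name": name}

def parse_mgmt(frame: bytes) -> dict:
    """Management frame header: DA (addr1), SA (addr2), BSSID (addr3), and the reason code
    for deauth/disassoc, which is the first 2 bytes of the body after the 24-byte header."""
    info = parse_frame_control(frame)
    if info["type"] != 0 or len(frame) < 24:
        return info
    info.update(da=mac_str(frame[4:10]), sa=mac_str(frame[10:16]), bssid=mac_str(frame[16:22]))
    if info["name"] in ("deauth", "disassoc") and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info

def mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes = b"") -> bytes:
    """Build a minimal management frame (24-byte header + body) for the constructed sample."""
    fc = subtype << 4                              # version 0, type 0 (management)
    header = struct.pack("<BBH", fc, 0, 0)         # frame control, flags, duration
    header += mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid)
    header += struct.pack("<H", 0)                 # sequence control
    return header + body

def summarize(events) -> Counter:
    """Count frames by name over a list of (timestamp, frame) tuples."""
    return Counter(parse_mgmt(f)["name"] for _, f in events)

def detect_deauth_flood(events, window: float = 1.0, threshold: int = 10) -> dict:
    """Flag a BSSID the first time it sends >= threshold deauth/disassoc frames within `window` seconds.
    (Detection heuristic chosen for this example; tune the numbers to the environment.)"""
    alerts, recent = {}, defaultdict(deque)
    for ts, frame in sorted(events, key=lambda e: e[0]):
        info = parse_mgmt(frame)
        if info["name"] not in ("deauth", "disassoc"):
            continue
        q = recent[info["bssid"]]
        q.append(ts)
        while ts - q[0] > window:                  # slide the window forward
            q.popleft()
        if len(q) >= threshold and info["bssid"] not in alerts:
            alerts[info["bssid"]] = {"count": len(q), "first_seen": q[0],
                                     "last_seen": ts, "reason": info.get("reason")}
    return alerts

# Constructed addresses for the sample capture (not real devices).
AP, CLIENT, BCAST = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "ff:ff:ff:ff:ff:ff"

def build_sample_capture():
    """Constructed sample, not a real capture: normal beacons and a probe, then 20 broadcast
    deauths from the AP's address in under half a second."""
    events = [(i * 0.1, mgmt_frame(8, BCAST, AP, AP)) for i in range(3)]       # beacons
    events.append((0.15, mgmt_frame(4, BCAST, CLIENT, BCAST)))                 # probe request
    reason = struct.pack("<H", 7)   # reason 7: class 3 frame received from non-associated STA
    events += [(0.5 + i * 0.02, mgmt_frame(12, BCAST, AP, AP, reason)) for i in range(20)]
    return events

if __name__ == "__main__":
    sample = build_sample_capture()
    print(summarize(sample))
    print(detect_deauth_flood(sample))
```

The detector keys on the BSSID in addr3, which a forged frame can set to anything, so it tells you that a flood is happening against that network, not who sent it; a sudden run of deauths with a fixed reason code and no matching disassociation from the station side is the usual tell. Where PMF is enforced, unprotected deauths are dropped by the client, so the same frames show up in a capture but no longer disconnect anyone.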
Open System authentication and association

- Client sends an authentication request to the AP
- AP returns an authentication response
- Client sends an association request to the AP
- AP sends an association response to the client
| | WEP (Shared Key) | WPA (TKIP) | 802.11i / WPA2 (CCMP/AES) |
|---|---|---|---|
| Authentication method | Shared Key (challenge-response using the WEP RC4 keystream) or Open System | 802.1X/EAP (Enterprise) or PSK (Pre-Shared Key) with TKIP key management | 802.1X/EAP (Enterprise) or PSK with RSN key management; 4-way handshake |
| Encryption | RC4 stream cipher (WEP) with a static per-network key and weak IV handling | TKIP: RC4-based with per-packet key mixing, extended IV and rekeying | CCMP with AES (AES-CCM): strong per-packet keys and nonce handling |
| Message integrity | CRC-32 (no cryptographic MIC): vulnerable to forgery | Michael MIC (cryptographic MIC): better than WEP but has weaknesses and relies on countermeasures | AES-CCM provides strong integrity and authenticity (cryptographic MIC) |
| Security | Weak: easily broken (IV reuse, key recovery, message forgery) | Moderate: improved over WEP but deprecated; vulnerable to some attacks and downgrade/fallback issues | Strong: current recommended standard when properly configured (AES-CCM + robust key management) |
WEP Shared Key authentication

- Client sends an authentication request to the AP
- AP returns an authentication response with a challenge text
- The client responds with the challenge encrypted with the WEP key
- The AP decrypts the challenge and confirms the success or failure
WPA/WPA2-PSK authentication

- Client sends an authentication request
- AP returns an authentication response
- The client and AP calculate the PMK from the PSK
- The four-way handshake verifies that the client and AP both know the PSK
WPA3 Authentication

- Client (supplicant) and AP (authenticator) perform the Simultaneous Authentication of Equals (SAE) exchange. Both parties generate ephemeral elliptic-curve or finite-field values and exchange commit messages containing scalar/public elements and element identifiers.
- Each side computes a shared secret from the exchanged values and its own password-derived secret (the password-to-element step uses the passphrase).
- Both sides derive the Pairwise Master Key (PMK) and a PMK identifier (PMKID) from the shared secret and the exchanged transcripts.
- A confirmation step (the SAE confirm messages) follows: each side sends a confirm message-authentication code proving possession of the derived keys and that the exchange was not altered.
- Once the confirms validate, the AP and client proceed to the 4-way handshake (or an equivalent key derivation step) to derive the Pairwise Transient Key (PTK) and install encryption keys for data traffic.
- Optionally, Protected Management Frames (PMF) and forward secrecy protections are enforced; SAE provides forward secrecy, so compromise of the passphrase does not expose past session keys.
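The WPA/WPA2-PSK steps above, carried through as an added example that is not part of the original notes: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (the 4096-iteration cost is what the aircrack-ng benchmark later in these notes measures), the PTK comes from the PMK plus the two MAC addresses and the two nonces of the 4-way handshake, and message 2's MIC is what proves the supplicant knows the PSK. Because nothing ephemeral enters the PMK, anyone holding the passphrase and a captured handshake can recompute every session key, which is the property SAE's forward secrecy removes. The MAC addresses, nonces and passphrase used in `demo` are constructed; the derivation functions follow 802.11i, and `derive_pmk` is checked against the standard's own "password"/"IEEE" test vector.

```python
import hashlib
import hmac
import struct

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), advertised by the AP in message 1."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks, truncate."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PTK for CCMP (48 bytes): KCK = [0:16], KEK = [16:32], TK = [32:48]. TKIP uses 64 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, length)

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + RSC (8) + key ID (8) = 81
MIC_OFFSET = 81

def build_eapol_key(key_info: int, replay: int, nonce: bytes,
                    key_data: bytes = b"", mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key frame (RSN descriptor type 2), e.g. message 2 of the handshake."""
    body = struct.pack(">BHH", 2, key_info, 16) + struct.pack(">Q", replay) + nonce
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body     # EAPOL version 2, type 3 (EAPOL-Key)

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 key descriptor version 2: HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def sign_message2(passphrase, ssid, aa, spa, anonce, snonce, replay: int = 1) -> bytes:
    """What the supplicant sends as message 2: its SNonce plus a MIC under the KCK."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    unsigned = build_eapol_key(0x010A, replay, snonce)      # version 2, pairwise, MIC bit set
    return build_eapol_key(0x010A, replay, snonce, mic=eapol_mic(ptk[:16], unsigned))

def verify_message2(passphrase, ssid, aa, spa, anonce, msg2: bytes) -> bool:
    """The authenticator's check: recompute the MIC from its own PMK, compare in constant time."""
    snonce = msg2[17:49]                                     # key nonce field of message 2
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])

# Constructed values for the demo (not real devices; real nonces are random).
AA = bytes.fromhex("aabbccddeeff")        # AP (authenticator) MAC
SPA = bytes.fromhex("112233445566")       # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def demo():
    """Returns (MIC verifies with the right passphrase, MIC verifies with a wrong one)."""
    msg2 = sign_message2("correct horse battery", "LabNet", AA, SPA, ANONCE, SNONCE)
    return (verify_message2("correct horse battery", "LabNet", AA, SPA, ANONCE, msg2),
            verify_message2("wrong passphrase", "LabNet", AA, SPA, ANONCE, msg2))

if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    print("message 2 verification (right, wrong):", demo())
```

The only secret input to `verify_message2` is the passphrase; everything else (both MACs, both nonces, the EAPOL frame) is in the clear in a capture. That is why the comparison table rates PSK security on passphrase strength, and why the PMKID, being a function of the PMK alone, is as sensitive as the handshake itself.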
Regulatory domain

```sh
iw reg get
iw reg set <region>
```

Transmit power

```sh
ifconfig <interface> down
iwconfig <interface> txpower <value>
ifconfig <interface> up
```

Capabilities, scanning and channels

```sh
iw list
iwlist <interface> scan | grep 'Cell\|Quality\|ESSID\|IEEE'
iwlist <interface> channel
```

- Set the channel:

```sh
ifconfig <interface> down
iwconfig <interface> channel <channel>
ifconfig <interface> up
```

- Show the current frequency and set a frequency:

```sh
iwlist <interface> frequency | grep Current
ifconfig <interface> down
iwconfig <interface> freq <frequency>
ifconfig <interface> up
```
Managed mode

- Used if we want the interface to act as a client or station.
- Normally the default interface mode

```sh
ifconfig <interface> down
iwconfig <interface> mode managed
```

- To connect to a network:

```sh
iwconfig <interface> essid <essid>
```
Ad-hoc mode

- Used for peer-to-peer (IBSS) communication without an AP
- Allows the wireless interfaces to communicate directly with each other

```sh
iwconfig <interface> mode ad-hoc
iwconfig <interface> essid <essid>
```
Master mode

- The device acts as an AP
- Useful for deploying a Rogue AP or Evil Twin attack
- Requires a management daemon
- Commonly use hostapd for this; a minimal open.conf file:

```conf
interface=<interface>
driver=nl80211
ssid=<SSID name>
channel=2
hw_mode=g
```

- Launch it with:

```sh
hostapd open.conf
```
Mesh mode

- Interface participates in a mesh network with routing between nodes

```sh
iw dev <interface> set type mesh
```
Monitor mode

- The network interface can capture all wireless traffic in range.
- Requires root (sudo) privileges
- Not all chipsets support monitor mode

```sh
ifconfig <interface> down
iw dev <interface> set monitor control
ifconfig <interface> up
```

- With airmon-ng:

```sh
airmon-ng start <interface>
```

- iwconfig will show Mode:Monitor if it is in monitor mode.
airmon-ng

- Can enable or disable monitor mode on a wireless interface

```sh
airmon-ng start <interface>
```

- Or on a specific channel:

```sh
airmon-ng start <interface> <channel>
```

- iwconfig will show Mode:Monitor if it is in monitor mode.
- To check for interfering processes and then kill them run the following:

```sh
airmon-ng check
airmon-ng check kill
```

- To stop monitor mode (on the monitor interface airmon-ng created):

```sh
airmon-ng stop <interface>
```
airodump-ng

- Captures packets
- Captures WEP IVs and WPA/WPA2 handshakes
- Interface needs to be in monitor mode first
- Will scan on the 2.4 GHz band by default
- The -w or --write option will save the output

```sh
airodump-ng <interface> -w <filename>
```

- To dump on a specific channel, or a list of channels:

```sh
airodump-ng -c <channel> <interface>
airodump-ng -c <channel>,<channel>,<channel> <interface>
```

- To scan on a different band (give any combination of the letters below, e.g. abg):
  - a - 5 GHz
  - b - 2.4 GHz
  - g - 2.4 GHz

```sh
airodump-ng --band abg <interface>
```

- The output shows the available APs at the top, and the clients connected to the Wi-Fi networks below that.
- When using the write option the following files are generated:
  - .cap
  - .csv
  - .kismet.csv
  - .kismet.netxml
  - .log.csv
airgraph-ng

- Python script for generating a graphical representation of the wireless networks.
- Uses the CSV files made by airodump-ng
- Clients - AP Relationship graph (CAPR)
  - Shows the connections between clients and APs
  - The graph shows the APs colour-coded by encryption type:
    - Green = WPA
    - Red = Open
    - Black = Unknown
    - Yellow = WEP
- Clients Probe Graph (CPG)
  - Shows the networks probed by clients

```sh
airgraph-ng -i <file>.csv -g CAPR -o <output name>
airgraph-ng -i <file>.csv -g CPG -o <output name>
```
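The airodump-ng CSV that airgraph-ng consumes is easy to parse directly, which is useful for the defensive side of a survey: listing open and WEP networks that should not exist, mapping which stations associate with which BSSID (the CAPR view) and which SSIDs unassociated stations keep probing for (the CPG view, and a common source of leaked preferred-network lists). The following is an added example, not part of airgraph-ng or the original notes; the CSV text is constructed to match airodump-ng's two-section layout (AP rows, a blank line, then station rows) and the function names are the author's own.

```python
import csv
import io
from collections import defaultdict

# Constructed airodump-ng style CSV (not real capture data). Real files use the same
# headers: an AP section, a blank line, then a station section whose trailing columns
# are the probed ESSIDs.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40, 120, 0,   0.  0.  0.  0,   6, LabNet, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP, WEP, , -70, 80, 250,   0.  0.  0.  0,  10, OldPrinter, 
AA:BB:CC:DD:EE:03, 2024-01-01 10:01:00, 2024-01-01 10:05:00,  1,  54, OPN, , , -55, 60, 0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:01, 2024-01-01 10:00:10, 2024-01-01 10:05:00, -50, 300, AA:BB:CC:DD:EE:01, LabNet
11:22:33:44:55:02, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60, 40, (not associated), CoffeeShop,HomeWifi
11:22:33:44:55:03, 2024-01-01 10:03:00, 2024-01-01 10:05:00, -65, 90, AA:BB:CC:DD:EE:02, OldPrinter
"""

def parse_airodump_csv(text: str):
    """Return ({bssid: ap_info}, [station_info]) from airodump-ng CSV text."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not any(cell.strip() for cell in row):
            continue                                  # blank separator line
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps[row[0].strip()] = {
                "channel": int(row[3].strip()), "privacy": row[5].strip(),
                "cipher": row[6].strip(), "auth": row[7].strip(),
                "ivs": int(row[10].strip()), "essid": row[13].strip(),
            }
        elif section == "sta" and len(row) >= 6:
            probes = [p.strip() for p in row[6:] if p.strip()]
            stations.append({"mac": row[0].strip(), "bssid": row[5].strip(), "probes": probes})
    return aps, stations

def colour_for(privacy: str) -> str:
    """airgraph-ng's CAPR legend from the notes above: green WPA, red open, yellow WEP, black unknown."""
    if "WPA" in privacy:
        return "green"
    if privacy == "WEP":
        return "yellow"
    if privacy == "OPN":
        return "red"
    return "black"

def weak_networks(aps: dict) -> dict:
    """APs a defender should chase first: open or WEP."""
    return {bssid: ap for bssid, ap in aps.items() if ap["privacy"] in ("OPN", "WEP")}

def client_ap_map(stations: list) -> dict:
    """CAPR-style relationship: BSSID -> associated station MACs."""
    rel = defaultdict(list)
    for s in stations:
        if s["bssid"] != "(not associated)":
            rel[s["bssid"]].append(s["mac"])
    return dict(rel)

def client_probe_map(stations: list) -> dict:
    """CPG-style view: station MAC -> SSIDs it probes for."""
    return {s["mac"]: s["probes"] for s in stations if s["probes"]}

def report(text: str = SAMPLE_CSV) -> dict:
    aps, stations = parse_airodump_csv(text)
    return {"aps": aps, "weak": sorted(weak_networks(aps)),
            "capr": client_ap_map(stations), "cpg": client_probe_map(stations)}

if __name__ == "__main__":
    r = report()
    for bssid in r["weak"]:
        ap = r["aps"][bssid]
        print(f"{bssid} {ap['essid']!r} {ap['privacy']} ch{ap['channel']} -> {colour_for(ap['privacy'])}")
    print("clients per AP:", r["capr"])
    print("probes per station:", r["cpg"])
```

The station rows are the part worth keeping an eye on in a survey: a corporate laptop that is "(not associated)" but probing for a home SSID is the client an Evil Twin answers, and a non-zero IV count on a WEP row means there is real traffic on it, not just beacons.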
aireplay-ng

- Used to inject frames.
- Generates traffic that can be used when cracking WEP and WPA-PSK keys
- Implements the following attacks:
  - Attack 0: Deauthentication
  - Attack 1: Fake authentication
  - Attack 2: Interactive packet replay
  - Attack 3: ARP request replay attack
  - Attack 4: KoreK chopchop attack
  - Attack 5: Fragmentation attack
  - Attack 6: Cafe-latte attack
  - Attack 7: Client-oriented fragmentation attack
  - Attack 8: WPA Migration Mode
  - Attack 9: Injection test
- For deauthentication you can also use the --deauth flag.
- Disconnects clients from the AP
- Need the interface to be in monitor mode
- Run the following and check that the message "Injection is working!" is returned:

```sh
aireplay-ng --test <interface>
```

- To deauthenticate, run airodump-ng to identify APs and clients and then run the command:

```sh
airodump-ng <interface>
aireplay-ng -0 5 -a <MAC address of AP> -c <MAC address of target client> <interface>
```

- If you don't use the -c flag then all clients will be deauthenticated
- If airodump-ng keeps running at the same time you will capture the four-way handshake when the client disconnects and reconnects.
- The client disconnecting and reconnecting can be seen in the increase in the Lost packets and Frames counts.
- For WEP, run airodump-ng with the --ivs option to capture only the IVs
Used to decrypt WEP/WPA/WPA2 capture files if you have the hexadecimal WEP key or the passphrase
-
Outputs a new file ending -dec.cap
-
To remove wireless headers from an unencrypted capture file:
airdecap-ng -b <bssid> <pcap>
- To decrypt a WEP capture:
- the key is in hexadecimal format
airdecap-ng -w <WEP KEY> <pcap>
- To decrypt WPA encrypted capture:
- The ESSID is the name of the network
airdecap-ng -p <passphrase> <pcap> -e essid
aircrack-ng

- Used to crack WEP keys and WPA/WPA2-PSK passphrases from a captured handshake or PMKID
- Offline attack
- Benchmark the host first; the output shows how many passphrases per second can be tested:

```sh
aircrack-ng -S
```

- To crack WEP you need to have a decent amount of IVs:

```sh
aircrack-ng -K <file>.ivs
```

- To crack WPA you need to have captured the 4-way handshake.
- Cracking a WPA PSK needs a dictionary:

```sh
aircrack-ng <pcap> -w <wordlist>
```
Hidden SSIDs

- Interface needs to be in monitor mode
- Use airodump-ng to scan for Wi-Fi networks
- Use aireplay-ng to deauthenticate clients connected to the AP; the client will reconnect and airodump-ng will capture the request with the SSID.

```sh
airodump-ng -c <channel> <interface>
aireplay-ng -0 10 -a <MAC of AP> -c <MAC of client> <interface>
```
mdk3

- Can brute-force the name of a hidden SSID
- Specify a wordlist or the length of the SSID

```sh
mdk3 <interface> <test mode> [test_options]
```

- The p test mode does basic probing and ESSID brute-forcing. Its options:
  - -e Specify the SSID for probing.
  - -f Read lines from a file for brute-forcing hidden SSIDs.
  - -t Set the MAC address of the target AP.
  - -s Set the speed (default: unlimited; in brute-force mode: 300).
  - -b Use full brute-force mode (recommended for short SSIDs only). Given without a character set, this switch shows its help screen.
- The -b option takes one of the following character sets:
  - u - upper case
  - n - digits
  - a - all printable characters
  - c - lower and upper case
  - m - lower and upper case plus digits

```sh
mdk3 <interface> p -b u -c 1 -t <MAC of AP>
```

- To brute-force with a wordlist:

```sh
mdk3 <interface> p -f <wordlist> -t <MAC of AP>
```
MAC spoofing

- Spoof the MAC to match an already connected client.
- Disconnect the already connected client via a deauth attack.
- To avoid collisions try to run on a different band (2.4 GHz vs 5 GHz).

```sh
macchanger -s <interface>
ifconfig <interface> down
macchanger <interface> -m <mac>
ifconfig <interface> up
```