refabr1k's Pentest Notebook
Getting started

Last updated 4 years ago

Setting up

Wireless ALFA AWUS036NH

After plugging in the USB wireless adapter (ALFA AWUS036NH):

# list USB devices and check that the adapter is detected
lsusb
# Bus 002 Device 028: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter

# install drivers
# (caveat: the lsusb line above identifies a Ralink RT3070 chipset, which the in-kernel
# rt2800usb driver already handles; the rtl88xxau package and the r8187 module below are
# for Realtek-based ALFA cards such as the AWUS036ACH and AWUS036H)
apt-get install realtek-rtl88xxau-dkms

# unload the current driver
rmmod r8187

# load the new driver
modprobe r8187

# verify that the driver is loaded correctly and the interface shows up
iwconfig
# wlan1     IEEE 802.11  ESSID:off/any  
#          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
#          Retry short  long limit:2   RTS thr:off   Fragment thr:off
#          Encryption key:off
#          Power Management:off

Basic iw usage

# detailed information about the wireless interface (supported modes, bands and channels)
iw list

# list SSIDs in range
iw dev wlan1 scan | grep SSID

# list the channels / frequencies the interface supports
iwlist wlan1 frequency
#wlan1     14 channels in total; available frequencies :
#          Channel 01 : 2.412 GHz
#          Channel 02 : 2.417 GHz
#          Channel 03 : 2.422 GHz
#          Channel 04 : 2.427 GHz
#          Channel 05 : 2.432 GHz

# list which channels nearby APs are transmitting on - useful later for filtering out background noise
iw dev wlan1 scan | egrep "DS\ Parameter\ set|SSID"
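The egrep above prints the SSID and the "DS Parameter set" line of each access point separately, so pairing them by hand gets tedious once more than a handful of networks are in range. The script below is an added example, not part of the notebook: it reads `iw dev <if> scan` output on stdin and prints one "BSSID CHANNEL SSID" line per network. The scan text it runs on is a constructed sample (made-up BSSIDs, the block layout is assumed to match what iw prints); it also handles two cases the one-liner does not: 5 GHz networks that carry no "DS Parameter set" line (the channel is derived from the "freq:" line instead) and hidden networks with an empty SSID.

```shell
#!/bin/sh
# Added example (not from the notebook): pair each SSID from `iw dev wlan1 scan`
# with its channel so the AP inventory is one line per network.
# Falls back to the "freq:" line when "DS Parameter set" is absent (common on 5 GHz)
# and reports an empty SSID (hidden network) as <hidden>.

# Constructed sample of `iw dev wlan1 scan` output (assumed format, made-up BSSIDs).
sample_scan() {
  cat <<'EOF'
BSS cc:22:3d:af:aa:67(on wlan1)
    TSF: 123456789 usec (0d, 00:02:03)
    freq: 2452
    capability: ESS Privacy (0x0411)
    signal: -55.00 dBm
    SSID: Mkpg
    DS Parameter set: channel 9
BSS 00:11:22:33:44:55(on wlan1)
    freq: 5180
    signal: -70.00 dBm
    SSID: Lab5G
    HT operation:
         * primary channel: 36
BSS 66:77:88:99:aa:bb(on wlan1)
    freq: 2412
    SSID:
    DS Parameter set: channel 1
EOF
}

# Reads iw scan output on stdin, prints "BSSID CHANNEL SSID" for every BSS block.
scan_inventory() {
  awk '
    function channel_from_freq(f) {
      # 2.4 GHz: ch = (freq - 2407) / 5, except 2484 MHz = ch 14; 5 GHz: ch = (freq - 5000) / 5
      if (f == 2484) return 14
      if (f >= 5000) return (f - 5000) / 5
      return (f - 2407) / 5
    }
    function flush() {
      if (bssid != "") {
        if (chan == "" && freq != "") chan = channel_from_freq(freq)
        printf "%s %s %s\n", bssid, (chan == "" ? "?" : chan), (ssid == "" ? "<hidden>" : ssid)
      }
      bssid = ""; chan = ""; freq = ""; ssid = ""
    }
    /^BSS /                              { flush(); bssid = $2; sub(/\(.*$/, "", bssid) }
    /^[ \t]*freq: /                      { freq = $2 + 0 }
    /^[ \t]*SSID:/                       { s = $0; sub(/^[ \t]*SSID: ?/, "", s); ssid = s }
    /^[ \t]*DS Parameter set: channel /  { chan = $NF }
    END                                  { flush() }
  '
}

sample_scan | scan_inventory
```

On a live box replace the sample with `iw dev wlan1 scan | scan_inventory`; the SSID is printed last because it may itself contain spaces.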

# put the card into monitor mode by adding a monitor-type virtual interface
iw dev wlan1 interface add mon0 type monitor
ifconfig mon0 up
iwconfig
# mon0     IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm   
#          Retry short  long limit:2   RTS thr:off   Fragment thr:off
#          Power Management:off
# capture raw 802.11 frames on the monitor interface (tcpdump, not "tcp"; -p = do not touch promiscuous mode)
tcpdump -i mon0 -s 65000 -p
# delete the monitor interface when done
iw dev mon0 interface del
iwconfig

IEEE wireless device

# find the wireless controller and the kernel driver currently bound to it
lspci
#0c:00.0 Network controller: Intel Corporation PRO/Wireless 
lspci -vv -s 0c:00.0
#        Kernel driver in use: r8169
#        Kernel modules: r8169

# get a list of ESSIDs together with their channels
iwlist wlan0 scanning | egrep "ESSID|Channel"

# monitor mode on channel 3 (iwconfig style, no separate mon interface)
iwconfig wlan0 mode monitor channel 3
# back to managed mode
iwconfig wlan0 mode managed

Airmon-ng

# check for processes that may interfere with airmon-ng (NetworkManager, wpa_supplicant, ...)
airmon-ng check

# kill all interfering processes
airmon-ng check kill

# enable monitor mode (creates mon0; newer airmon-ng releases name it wlan0mon)
airmon-ng start wlan0

# disable monitor mode again
airmon-ng stop mon0

# start monitor mode locked to channel 3
airmon-ng start wlan0 3

# confirm which channel mon0 is currently on
iwlist mon0 channel

Airodump-ng

# start wlan0 in monitor mode first
airmon-ng start wlan0

# start monitoring: top table lists the APs in range, bottom table the associated clients
airodump-ng mon0
# CH 10 ][ Elapsed: 0 s ][ 2020-11-11 15:40
#
# BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
#
# CC:22:3d:AF:AA:67  -55        1        1    0   9  270   WPA2 CCMP   PSK  Mkpg

# sniff a single network: lock to its channel and filter on BSSID or ESSID;
# -w writes the capture to <capture_file_name>-01.cap plus a .csv summary of the APs and clients seen
airodump-ng -c <channel> --bssid <bssid> mon0
airodump-ng -c <channel> --essid <SSID name> -w <capture_file_name> mon0
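The `-w <capture_file_name>` run above leaves a `<capture_file_name>-01.csv` next to the .cap, which is the easiest place to answer the question a wireless audit usually starts with: which networks in range are still open (OPN) or on WEP. The script below is an added example, not the notebook's code: it reads that CSV on stdin, walks only the AP table (the blank line and "Station MAC" header end it), and prints "BSSID CH PRIVACY ESSID" for every weakly protected network. The CSV rows are constructed sample data (made-up BSSIDs), laid out in the column order airodump-ng writes (BSSID, first seen, last seen, channel, speed, privacy, cipher, authentication, power, beacons, IVs, LAN IP, ID-length, ESSID, key).

```shell
#!/bin/sh
# Added example (not from the notebook): list OPN/WEP access points from the
# <capture_file_name>-01.csv that `airodump-ng -w <capture_file_name>` writes.
# Defender-side use: a quick rogue / weak-AP inventory from a normal survey capture.

# Constructed sample CSV (made-up BSSIDs) in airodump-ng's layout:
# leading blank line, AP table, blank line, station table.
sample_csv() {
  cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
CC:22:3D:AF:AA:67, 2020-11-11 15:40:01, 2020-11-11 15:40:30,  9, 270, WPA2, CCMP, PSK, -55,        1,        0,   0.  0.  0.  0,   4, Mkpg, 
00:11:22:33:44:55, 2020-11-11 15:40:02, 2020-11-11 15:40:30,  6,  54, OPN ,     ,    , -60,       12,        0,   0.  0.  0.  0,   8, FreeWifi, 
66:77:88:99:AA:BB, 2020-11-11 15:40:05, 2020-11-11 15:40:29, 11,  54, WEP , WEP , SKA, -72,        5,      340,   0.  0.  0.  0,   6, OldLab, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2020-11-11 15:40:10, 2020-11-11 15:40:28, -40,       30, 00:11:22:33:44:55, FreeWifi
EOF
}

# Reads an airodump-ng CSV on stdin, prints "BSSID CH PRIVACY ESSID" for OPN/WEP APs.
weak_aps() {
  awk -F',' '
    # strip CRLF and the padding airodump puts around every field
    { sub(/\r$/, ""); for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
    $1 == "BSSID"       { in_ap = 1; next }   # AP table header
    $1 == "Station MAC" { exit }              # client table starts: nothing more to audit
    !in_ap || NF < 14   { next }              # preamble / separator blank line or malformed row
    # Privacy may hold several tokens ("WPA2 WPA"); only rows that START with OPN or WEP count
    $6 ~ /^(OPN|WEP)/   { printf "%s %s %s %s\n", $1, $4, $6, ($14 == "" ? "<hidden>" : $14) }
  '
}

sample_csv | weak_aps
```

Run it on a real survey with `weak_aps < capture-01.csv`; an empty ESSID column (hidden network) is printed as `<hidden>` so the row is not lost.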

Aireplay-ng

for packet injection and replay attacks

# first put wlan0 in monitor mode, e.g. airmon-ng start wlan0
# injection test: checks that the card can inject frames and which APs answer
aireplay-ng -9 mon0

# card-to-card injection test - confirms that replay with this card works against a second card we control
# aireplay-ng -9 -i <transmitter> <receiving_card>
aireplay-ng -9 -i wlan1 mon0

https://medium.com/@adam.toscher/configure-your-new-wireless-ac-1fb65c6ada57