
Advanced Wi-Fi Network Pentesting Notes:-

First of all, make sure to randomize your MAC address and clear your ARP tables. Use an Alfa USB wireless adapter or whatever adapter you have.


I- airodump-ng To Sniff The Traffic :

Everyone who does pentesting knows this part. I will not explain in detail how packets work, how a wireless AP works or how to use this tool; just the commands everybody out there already knows.
Commands :
1) ifconfig wlan0 up
2) macchanger --random wlan0
3) airmon-ng start wlan0
4) airodump-ng mon0
Now you will see all the neighbouring networks (don't pentest other people's stuff; please use this in your own lab).

II- WEP Cracking:-

It is so easy that any noob can say "I can hack the Pentagon" with this trick.
Collecting IVs :
minimum 5000 for 64-bit and 250000 for 128-bit keys
Commands :
1) airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
2) aireplay-ng -1 0 -a (bssid) -h (your own MAC address) -e (essid) (interface)
3) aircrack-ng -b (bssid) (file name-01.cap)

III- WPA and WPA2 The Hard Part :-

This is what everyone fears: 128-bit to 256-bit encryption. But if you make a pact with the devil you will take over your enemies. (I won't talk about RAID because it would take a long time to explain; I will just explain how to pwn APs using some social engineering methods and the usual technical skills.)

1) Random Passwords :

Some people are too lazy to change their configuration, so how do we know they use the default config?
For example, when you sniff the perimeter of the AP's signal you sometimes see people with default SSIDs like "DLINK_1DE62A3" or "Thomson_A1B2H3R5". You may fear that they use a strong password; I say they don't: 90% of people without any technical knowledge never change their password. So go to any website like this one:
http://www.nickkusters.com/Services/Thomson-SpeedTouch
Here we see that this service can calculate the password from the "random" SSID,
and it magically works.

2) Numerical Password :

The title describes itself: it is about numeric-only passwords like "012345678". Here people will kill themselves, so how do you know they use only numeric characters?
It's easy: capture the 4-way handshake and try numeric characters first before anything else. Make sure to use rainbow tables to make the brute force attack work faster, but it may not work 100%; it depends on your teamwork and on whether your hardware is powerful enough to crack faster. For numeric characters it will go better than for alphanumeric ones.
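The two weaknesses described in sections 1 and 2 (a vendor-default SSID and a numeric-only passphrase) are easy to check for on your own APs. The script below is an added example written for these notes, not code from the original post or from any tool it mentions. The SSID patterns, the 12-character minimum and the helper name `audit_psk_config` are assumptions chosen for illustration; the keyspace figure shows how much smaller the search space of an all-digit key is compared with a mixed one.

```python
import math
import re

# Constructed vendor-default SSID patterns: an assumption for this example. Real
# formats vary by model and firmware, so extend the list for your own estate.
DEFAULT_SSID_PATTERNS = [
    re.compile(r"^DLINK_[0-9A-F]{6,8}$", re.IGNORECASE),
    re.compile(r"^(Thomson|SpeedTouch)[_-]?[0-9A-Z]{6,8}$", re.IGNORECASE),
    re.compile(r"^BTHub\d(-[0-9A-Z]{4})?$", re.IGNORECASE),
    re.compile(r"^(linksys|cisco|netgear|dlink|default)$", re.IGNORECASE),
]

MIN_PASSPHRASE_LEN = 12  # policy value chosen for this example, not a standard


def is_default_ssid(ssid: str) -> bool:
    """True when the SSID matches one of the vendor-default naming schemes above."""
    return any(p.match(ssid) for p in DEFAULT_SSID_PATTERNS)


def alphabet_size(psk: str) -> int:
    """Size of the character classes actually used by the passphrase."""
    size = 0
    if any(c.isdigit() for c in psk):
        size += 10
    if any(c.islower() for c in psk):
        size += 26
    if any(c.isupper() for c in psk):
        size += 26
    if any(not c.isalnum() for c in psk):
        size += 33  # printable ASCII punctuation and space
    return size


def keyspace_bits(psk: str) -> float:
    """log2 of the search space a brute-force run faces for this length and class mix."""
    if not psk:
        return 0.0
    return len(psk) * math.log2(alphabet_size(psk))


def audit_psk_config(ssid: str, psk: str) -> dict:
    """Flag the weaknesses the post relies on: default SSID, short or numeric-only key."""
    findings = []
    if is_default_ssid(ssid):
        findings.append("default-ssid")
    if len(psk) < MIN_PASSPHRASE_LEN:
        findings.append("short-passphrase")
    if psk.isdigit():
        findings.append("numeric-only")
    return {
        "ssid": ssid,
        "keyspace_bits": round(keyspace_bits(psk), 1),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample configurations, reusing the SSID quoted in the post.
    for ssid, psk in [("DLINK_1DE62A3", "012345678"),
                      ("corp-wifi-5g", "Tr0ub4dor&3-is-long")]:
        print(audit_psk_config(ssid, psk))
```

Run it against the SSID/passphrase pairs from your own AP inventory; anything that comes back with `default-ssid` or `numeric-only` is exactly what sections 1 and 2 go after first.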
Commands :
1) airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
2) I use this nasty tool, MDK3 ("d" stands for deauth, "-t" for target):
mdk3 d -t (mac address) (interface)
Example: mdk3 d -t xx:xx:xx:xx:xx:xx mon0
3) pentest/passwords/crunch/crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ | pyrit -e BTHub3 -i - -o - passthrough | cowpatty -d - -r wpafile.cap -s WPAnum
And let it run.
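A deauth flood like the mdk3 step above is loud on the air: a burst of deauthentication or disassociation frames, usually aimed at the broadcast address, all carrying the same BSSID. The detector below is an added example for these notes, not code from the post or from mdk3/aircrack-ng. It decodes the 802.11 management header from raw frame bytes and raises one alert per BSSID when more than a threshold of such frames arrive inside a one-second sliding window. The sample frames, the threshold of 20 and the helper names are constructed for the example; on a real sensor you would feed it frames from a monitor-mode capture.

```python
import struct
from collections import deque

MGMT = 0                  # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 0x0C
DISASSOC_SUBTYPE = 0x0A
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(raw: bytes):
    """Decode the 24-byte 802.11 MAC header; returns None for non-management frames.

    Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
    For management frames Addr1 = receiver, Addr2 = transmitter, Addr3 = BSSID.
    Deauth/disassoc bodies start with a little-endian 16-bit reason code.
    """
    if len(raw) < 24:
        return None
    fc = raw[0]
    if (fc >> 2) & 0x3 != MGMT:
        return None
    subtype = (fc >> 4) & 0xF
    frame = {
        "subtype": subtype,
        "dst": _mac(raw[4:10]),
        "src": _mac(raw[10:16]),
        "bssid": _mac(raw[16:22]),
        "reason": None,
    }
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def detect_deauth_flood(frames, window_s=1.0, threshold=20):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).

    Alerts once per BSSID the first time `threshold` or more deauth/disassoc
    frames fall inside a sliding window of `window_s` seconds.
    """
    recent = {}      # bssid -> deque of timestamps inside the current window
    alerted = set()
    alerts = []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        f = parse_mgmt_frame(raw)
        if f is None or f["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent.setdefault(f["bssid"], deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({
                "bssid": f["bssid"],
                "count": len(q),
                "broadcast_target": f["dst"] == BROADCAST,
                "reason": f["reason"],
                "first_seen": q[0],
                "last_seen": ts,
            })
    return alerts


def sample_deauth(bssid: bytes, dst: bytes, reason: int = 7) -> bytes:
    """Constructed in-memory deauth frame used only as detector test input."""
    fc = bytes([(DEAUTH_SUBTYPE << 4) | (MGMT << 2), 0x00])
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    return fc + duration + dst + bssid + bssid + seq_ctrl + struct.pack("<H", reason)


def sample_capture():
    """Constructed capture: a 50-frame broadcast burst on AP A, two normal deauths from AP B."""
    ap_a = bytes.fromhex("001122334455")
    ap_b = bytes.fromhex("66778899aabb")
    sta = bytes.fromhex("ccddeeff0011")
    frames = [(i * 0.01, sample_deauth(ap_a, b"\xff" * 6)) for i in range(50)]
    frames += [(10.0, sample_deauth(ap_b, sta, reason=3)),
               (60.0, sample_deauth(ap_b, sta, reason=3))]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

Two deauths an hour from an AP to a single client is normal housekeeping; dozens per second to the broadcast address is not, which is why the detector keys on rate and records whether the target was broadcast.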

3) WPS Brute Force :-

Everyone uses this lol exploit: you just brute force the WPS PIN, which takes less than 10 hours, with the simple commands right down here.
Commands :
1) reaver -i mon0 -b xx:xx:xx:xx:xx:xx -c (channel) --session=(any name you like) (this option saves your progress even if they turn off the AP) -vv -a (stands for automatic, to make the work problem free)
Example :
reaver -i mon0 -b ff:ff:ff:ff:ff:ff -c 1 --session=wps -a -vv
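Reaver only gets anywhere when the AP still answers external-registrar PIN attempts, and an AP advertises that state in the WPS information element of its beacons. The parser below is an added example for these notes, not code from the post or from Reaver, meant for auditing your own APs: it walks the beacon IEs, finds the WPS vendor-specific IE and reports the WPS state and the AP Setup Locked flag so you can confirm WPS is off or at least locked. The sample IE blob and the helper names are constructed for the example; the attribute IDs are the ones defined in the Wi-Fi Simple Configuration specification.

```python
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # Microsoft OUI + type 4 marks the WPS vendor IE
IE_SSID, IE_VENDOR = 0x00, 0xDD

# WPS attribute IDs (Wi-Fi Simple Configuration spec)
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044           # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057     # 1 = AP refuses external-registrar PIN configuration
ATTR_SELECTED_REGISTRAR = 0x1041


def parse_ies(data: bytes):
    """Yield (tag, value) pairs from a beacon/probe-response IE blob; stop on truncation."""
    i = 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        if i + 2 + ln > len(data):
            break
        yield tag, data[i + 2:i + 2 + ln]
        i += 2 + ln


def parse_wps_attrs(body: bytes) -> dict:
    """Decode the big-endian TLVs inside a WPS IE (after the 4-byte OUI/type)."""
    attrs, i = {}, 0
    while i + 4 <= len(body):
        attr_id, ln = struct.unpack(">HH", body[i:i + 4])
        if i + 4 + ln > len(body):
            break
        attrs[attr_id] = body[i + 4:i + 4 + ln]
        i += 4 + ln
    return attrs


def audit_wps(ies: bytes) -> dict:
    """Summarise what an AP advertises about WPS so you can confirm it is off or locked."""
    result = {"ssid": None, "wps_present": False, "wps_version": None,
              "configured": None, "setup_locked": None, "selected_registrar": None}
    for tag, value in parse_ies(ies):
        if tag == IE_SSID:
            result["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == IE_VENDOR and value.startswith(WPS_OUI_TYPE):
            attrs = parse_wps_attrs(value[4:])
            result["wps_present"] = True
            if attrs.get(ATTR_VERSION):
                v = attrs[ATTR_VERSION][0]
                result["wps_version"] = f"{v >> 4}.{v & 0xF}"
            if attrs.get(ATTR_WPS_STATE):
                result["configured"] = attrs[ATTR_WPS_STATE][0] == 2
            if attrs.get(ATTR_AP_SETUP_LOCKED):
                result["setup_locked"] = attrs[ATTR_AP_SETUP_LOCKED][0] == 1
            if attrs.get(ATTR_SELECTED_REGISTRAR):
                result["selected_registrar"] = attrs[ATTR_SELECTED_REGISTRAR][0] == 1
    # WPS advertised without a positive lock flag is treated as exposed (unknown = exposed).
    result["pin_exposed"] = result["wps_present"] and not result["setup_locked"]
    return result


def _tlv(attr_id: int, value: bytes) -> bytes:
    return struct.pack(">HH", attr_id, len(value)) + value


def sample_ies(with_wps: bool = True, locked: bool = False) -> bytes:
    """Constructed IE blob: the SSID quoted in the post plus an optional WPS IE."""
    ssid = b"DLINK_1DE62A3"
    out = bytes([IE_SSID, len(ssid)]) + ssid
    if with_wps:
        body = (WPS_OUI_TYPE
                + _tlv(ATTR_VERSION, b"\x10")                       # version 1.0
                + _tlv(ATTR_WPS_STATE, b"\x02")                     # configured
                + _tlv(ATTR_AP_SETUP_LOCKED, b"\x01" if locked else b"\x00"))
        out += bytes([IE_VENDOR, len(body)]) + body
    return out


if __name__ == "__main__":
    print(audit_wps(sample_ies()))
    print(audit_wps(sample_ies(locked=True)))
    print(audit_wps(sample_ies(with_wps=False)))
```

Feed it the IE bytes from your own AP's beacon (everything after the fixed 12-byte beacon parameters) and treat `pin_exposed` as a finding to fix in the AP configuration, since the 10-hour figure above only applies while the AP keeps answering PIN attempts.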

4) Online Rainbow Tables And Online Brute Force Services :

4-1) Online Rainbow Tables Services :

This part is simple: take your dumped CAP file and upload it to any online website. But wait! We ain't finished yet, because there is one rule for success on this step: you need a default SSID like "Linksys", "Cisco"...
If so, upload it and you get your enemy under your feet begging you to forgive him!!
In real-world pentesting nobody still uses default SSIDs, because it is very costly and you will sound like a dummy to your workmates.
Target : WPA-PSK
Free :
http://wpa.darkircop.org/

Free and paid services :

http://www.renderlab.net/projects/WPA-tables/
http://www.onlinehashcrack.com/WPA-WPA2-RSNA-PSK-crack.php
https://www.cloudcracker.com/

4-2) Online Brute Force Services :-

This works the same as rainbow tables, but here you don't need to bother yourself: pay and wait for your key. This part is costly: if you use Amazon's cloud it will cost you $1000+/hour, so 24 hours will cost $24k. Only use this service if you know that the company you pentest for will pay you 5x or more what you will spend.

Free and paid services :-

https://gpuhash.com/
https://www.cloudcracker.com/
http://aws.amazon.com/ec2/ (very costly but very fast)

Conclusion :-

These are some major attacks that can be used to get the password, but we hope someone finds new vulnerabilities (like the last one based on the SSID, which was not very effective) to kick AP asses. Make sure to practice every day to be ready.
More practices means more skills.
Enjoy

More resources and tutorials :

1) Book: BackTrack 5 Wireless Penetration Testing Beginner’s Guide
2) Video tutorials about Wireless attacks :
Link: http://securitytube.aircrack-ng.org/Wi-Fi-Security-Megaprimer/WLAN-Security-Megaprimer-v1.iso
3) Book: Hacking Exposed Wireless, Second Edition
4) Link: http://www.concise-courses.com/security/hackin9-wireless-hacking/
5) Link: http://resources.infosecinstitute.com/category/wireless-security/