Wireless Attacks
Methodology
# Detecting wireless card name
iwconfig
# Airmon-ng enabling monitor mode on wlan0
sudo airmon-ng start wlan0
# Scan 2.4GHz and 5GHz
sudo airodump-ng wlan0mon --manufacturer --wps --band abg
# Targeted scan: fix the channel, see clients and encryption
sudo airmon-ng start wlan0 3
sudo airodump-ng -c 3 --bssid 34:08:04:09:3D:38 -w wifi-it wlan0mon
cat wifi-it.csv
Wi-Fi Attack Map
# Wi-Fi Encryption
WEP => RC4
WPA => Temporal Key Integrity Protocol (TKIP)
WPA2 => Counter Mode with CBC-MAC Protocol (CCMP)
WPA encryption comes in two flavors:
- WPA Personal: uses pre-shared key authentication (WPA-PSK), a passphrase shared by all peers of the network.
- WPA Enterprise: uses 802.1X and a RADIUS server for Authentication, Authorization, and Accounting (AAA).
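As an added example that is not part of the original page, the following Python snippet parses the access-point section of the CSV that airodump-ng writes with `-w` and flags the legacy settings listed above (open, WEP/RC4, TKIP), so a scan of your own network can be turned into audit findings. The sample CSV, addresses and ESSIDs are constructed.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes with -w (the real file
# from `-w wifi-it` would be wifi-it-01.csv); all addresses and names are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  3,  54, WEP, WEP, OPN, -40, 120, 300,   0.  0.  0.  0,  8, LegacyAP,
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 130, WPA2 WPA, CCMP TKIP, PSK, -55,  80,   0,   0.  0.  0.  0,  9, MixedMode,
AA:BB:CC:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 270, WPA2, CCMP, MGT, -60,  90,   0,   0.  0.  0.  0,  7, CorpNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50, 12, AA:BB:CC:00:00:01,
"""

def parse_access_points(text):
    """Return the access-point rows (first CSV section) as dicts keyed by column name."""
    aps, header = [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            if header:  # the blank line separates the AP table from the station table
                break
            continue
        if row[0].strip() == "BSSID":
            header = [h.strip() for h in row]
            continue
        if header:
            aps.append(dict(zip(header, (f.strip() for f in row))))
    return aps

def weak_networks(aps):
    """Flag APs whose Privacy/Cipher columns show no encryption, WEP or TKIP."""
    findings = []
    for ap in aps:
        privacy, cipher = ap["Privacy"].split(), ap["Cipher"].split()
        reasons = []
        if "OPN" in privacy:
            reasons.append("open network, no encryption")
        if "WEP" in privacy or "WEP" in cipher:
            reasons.append("WEP (RC4) is broken")
        if "TKIP" in cipher:
            reasons.append("TKIP (WPA1) still accepted alongside CCMP")
        if reasons:
            findings.append((ap["ESSID"], ap["BSSID"], reasons))
    return findings

if __name__ == "__main__":
    for essid, bssid, reasons in weak_networks(parse_access_points(SAMPLE_CSV)):
        print(f"{essid} ({bssid}): {'; '.join(reasons)}")
```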
Wi-Fi Attack Map
├── WEP
│   ├── AUTH = OPN
│   │   ├── With client
│   │   │   ├── # ARP Request Replay Attack
│   │   │   ├── # Fragmentation Attack
│   │   │   ├── # Korek Chop Chop Attack
│   │   │   ├── # Interactive Packet Replay Attack
│   │   │   ├── # Cafe Latte Attack
│   │   │   └── # Deauthentication Attack
│   │   └── Without client
│   │       └── # Fake Authentication
│   │           ├── → Fragmentation Attack → ARP Request Replay Attack
│   │           └── → Korek ChopChop Attack → ARP Request Replay Attack
│   └── AUTH = SKA
│       └── With client (required)
│           ├── # Deauthentication Attack (capture SKA keystream)
│           ├── # Fake Shared Key Authentication (replay captured keystream)
│           └── # ARP Request Replay Attack (generate IVs)
├── WPA2-PSK
│   ├── WPS enabled
│   │   └── # WPS PIN Attack (Reaver / Bully)
│   ├── With client
│   │   └── # Deauthentication Attack → capture 4-way handshake
│   └── Without client
│       └── # PMKID Attack (hcxdumptool) → no handshake needed
└── WPA2-MGT (Enterprise)
    └── # Evil Twin / Rogue AP
        └── hostapd-mana / hostapd-wpe
Troubleshooting
Resources