Ethical Hacking Course-4

The document provides a comprehensive guide on using Airgeddon for Wi-Fi hacking, detailing its features and various attack methods such as capturing handshakes, deauthentication attacks, and brute force attacks for WPA/WPA2 passwords. It also covers setting up an Evil Twin attack to capture credentials through a captive portal and explains the PMKID attack for obtaining unique identifiers. Instructions for installation, usage, and specific commands in Kali Linux are included throughout the document.

ADCS ESC6: Editf_attributesubjectaltname2


Contents
Introduction
Install Airgeddon & Usage
    Airgeddon Features
Capturing Handshake & Deauthentication
Launch Deauthentication Attack
Aircrack Dictionary Attack for WPA Handshake
Aircrack Brute Force Attack for WPA Handshake
Hashcat Rule-Based Attack for WPA Handshake
Evil Twin Attack
    Capturing WPA Handshake and Saving Credentials
    Setting Up the Captive Portal
PMKID Attack


Introduction
In this article you'll discover how to use airgeddon for Wi-Fi hacking. It enables the capture of
WPA/WPA2 and PMKID handshakes in order to start a brute force attack on the Wi-Fi password key.
It also aids in the creation of a fictitious AP for launching an Evil Twin attack by luring clients into
the captive portal.

Let's start by identifying the state of our wireless adapter by executing the ifconfig wlan0 command.
The wlan0 entry shows that our Wi-Fi interface is enabled on our machine.

Install Airgeddon & Usage


Airgeddon Features:
• Full support for 2.4GHz and 5GHz bands
• Assisted WPA/WPA2 personal networks Handshake file and PMKID capturing
• Interface mode switcher (Monitor-Managed)
• Offline password decrypting on WPA/WPA2 captured files for personal networks
(Handshakes and PMKIDs) using dictionary, bruteforce and rule-based attacks with the aircrack,
crunch and hashcat tools. Enterprise networks captured password decrypting based on the john
the ripper, crunch, asleap and hashcat tools.
• Evil Twin attacks (Rogue AP)
• WPS features

Download and run the airgeddon script by running the following commands in Kali Linux.

Note: execute the script as root or superuser.

git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd airgeddon
./airgeddon.sh


It will first check for all dependencies and necessary tools before launching the framework. It will
attempt to install the essential tools if they are missing, which may take some time. As indicated
in the picture, once the installation is complete you will see the OK status for both required and
optional tools.


Now choose the network interface; for a wireless connection this will be wlan0, so choose
option 3 as seen in the image.

Next, we'll put the Wi-Fi card in monitor mode; the card is in managed mode by default, which
means it can't capture packets from various networks; however, Wi-Fi in monitor mode can capture
packets passing across the air.


Select option 2 for Monitor mode.

Note:

Monitor mode is the mode for monitoring traffic, usually on a particular channel. A lot of wireless
hardware is capable of entering monitor mode, but the ability to set the wireless hardware into
monitor mode depends on support within the wireless driver. As such, you can force many cards into
monitor mode in Linux, but in Windows you will probably need to write your own wireless network
card driver.

Capturing Handshake & Deauthentication


Now that wlan0mon is in monitor mode, we can capture the handshake packets of a wireless
network that uses the WPA or WPA2 protocol.

Choose option 5 to obtain the tool for capturing the Handshake/PMKID.


Choose option 6 to capture the handshake.

When you select option 6, a new window will appear, scanning for WPA and WPA2 networks and
attempting to capture the 4-way handshake into a .cap file. After the target's AP (Access Point) has
been listed, you can press CTRL^C.


It will display a list of all ESSIDs (Wi-Fi names) found, as well as their BSSID (MAC address) and
ENC encryption protocol type. Then, as we did for the ESSID "Raaj", you can pick your target by supplying
its serial number.

NOTE: The asterisks (*) indicate access points that have clients connected; these are probably the best
candidates for acquiring handshakes. Any access point that uses the WEP ENC protocol will be ignored by Airgeddon.


Launch Deauthentication Attack


This attack sends disassociate packets to one or more clients which are currently associated with a
particular access point. Disassociating clients can be done for several reasons:

• Recovering a hidden ESSID. This is an ESSID that is not being broadcast. Another term for this
is "cloaked".
• Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate


• Generating ARP requests (Windows clients sometimes flush their ARP cache when
disconnected)

Now it will prompt you to select an attack type; choose option 2 for the Deauth aireplay attack, which
uses a deauth attack to disconnect all clients before capturing the AP-client handshake. Then, for a
timeout, select a period in seconds.

You'll see that two windows appear. One will perform the deauth attack, while the other will attempt
to record the 4-way handshake between the client and the access point once the client
re-authenticates.

Wait until the WPA handshake shows in the top right corner of the window, then press CTRL^C.


As you can see, the WPA handshake for AP "raaj" has been captured. You can now store this .cap file on your system.

Aircrack Dictionary Attack for WPA Handshake


The handshake file contains the Wi-Fi password only in encrypted form, so we have to crack it
offline to recover the password. Return to the main menu by selecting option 0.

It will show you the attack options; select option 6 for the offline WPA/WPA2 decrypt menu.


Choose option 1 to select Personal.

Now we will use a dictionary to crack the captured handshake file. Select option 1 as shown in the
image. By default it will use the last captured file; enter Y to accept the path and BSSID of the last
captured file. Then provide the path of your dictionary, for example rockyou.txt, and press the
ENTER key to start a dictionary attack against the WPA handshake.


The password or Wi-Fi key will then be shown, as illustrated in the figure below. If you want to save
the key, it will prompt you to do so.


Aircrack Brute Force Attack for WPA Handshake


Select option 2 to conduct a brute force attack against the WPA handshake file, which generates
candidate keys with crunch and tests them with aircrack. By default it will brute force the last captured
file; enter Y to accept the path and BSSID of the last captured file. Then enter the path to your
dictionary or rockyou.txt and press the ENTER key to begin a brute force attack on the WPA handshake.


Select the character set, in this instance option 6 for Lowercase + Numeric chars, which will
attempt to brute force the Wi-Fi key using an alphanumeric character set. To begin the attack, press
the ENTER key.

If the atempt is successful, the password or Wi-Fi key will be displayed, as illustrated in the figure
below.


Hashcat Rule-Based Attack for WPA Handshake


Because we are all familiar with the capabilities of hashcat, airgeddon provides the option to
use hashcat to crack the Wi-Fi key. Choose option 5 and enter the path to your WPA handshake
file, dictionary and rule file.

Here we provide the path to the best64.rule file, which will be used to perform a hashcat rule-based
attack.

Press ENTER to start the attack, and it will try to decrypt the WPA encrypted communication.


After a successful trial, it will prompt you to save the output. To save the recovered key, press
the ENTER key.


You can access the saved file to read the decrypted Wi-Fi password.

Evil Twin Attack


An evil twin is a forgery of a Wi-Fi access point (bogus AP) that masquerades as genuine but is
purposely set up to listen in on wireless traffic. By creating a fake website and enticing people to it,
this type of attack can be used to obtain credentials from legitimate clients.

From the main menu, select option 7 for the Evil Twin attack.

Then select option 9, which will scan for nearby access points.


Continue by pressing the ENTER key, and a window for scanning WPA/WPA2 access points will
appear.

To terminate the scan, use CTRL^C, and it will display a list of all Access Points that it has scanned.
Choose the AP that piques your curiosity.


Select option 2 for a deauth attack to disconnect the client from the selected AP. After that, it may ask
whether to enable DoS pursuit mode, which we decline.

Before launching the deauth and attempting to capture the handshake, it will ask a few questions
such as:

Do you want to spoof your MAC address during this attack [y/N]: y
Do you already have a captured file [y/N]: N
Time value in seconds: 20
Press the ENTER key to accept the proposal.


The two windows will appear again. One will perform the deauth attack, while the other will attempt to
capture the WPA handshake between the client and the access point after deauthentication.

Wait until the WPA handshake shows in the top right corner of the window, then press CTRL^C.


Capturing WPA Handshake and Saving Credentials


As you can see, we now have the WPA handshake for AP "raaj". Accept the proposal by saving the
cap file to your system and pressing the ENTER key. Then, since we're using a captive portal, you'll be
asked to specify a path for the file that will hold the Wi-Fi password.

If the Wi-Fi network's password is obtained through the captive portal, you must decide where to
save it: /root/rajpwd.txt

Setting Up the Captive Portal


Create a captive portal to phish your client and select the language in which the web portal will be
displayed to the client.

For English, we chose op�on 1. Six windows will open as soon as you submit the selected op�on.

• AP: create a fake AP "raaj" for the client.
• DHCP: start a bogus DHCP service to hand a malicious IP to the client.
• DNS: answer the client's DNS queries from the malicious DNS service.
• Deauth: deauthenticate the client from the original AP "raaj".
• Webserver: start a service to host the captive portal.
• Control: try to sniff the Wi-Fi password once the client connects to the fake AP.


Note: Do not close the windows; they will close on their own after the password has been captured.

All clients connecting to the original AP "raaj" will be disconnected, and when they attempt to
reconnect they will discover two APs with the same name. When the client connects to the bogus
AP, it is lured to the captive portal.
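Seen from the defender's side, the deauthentication attack described earlier and the "two APs with the same name" that clients see during an Evil Twin attack both leave a visible trace in the air. The following Python is an added example, not code from this article or from airgeddon: it runs over a constructed list of management-frame records (the field names, ESSIDs and BSSID values are this example's own assumptions) and flags bursts of deauth frames against one BSSID, and ESSIDs that are also beaconed by a BSSID outside our own inventory.

```python
from collections import defaultdict

# Constructed sample capture: (timestamp_s, frame_subtype, bssid, essid).
# Twelve forged deauth frames hit "raaj" within half a second, then a second
# BSSID starts beaconing the same ESSID (the twin the client would see).
FRAMES = [
    (0.0, "beacon", "AA:BB:CC:00:00:01", "raaj"),
    (0.5, "beacon", "AA:BB:CC:00:00:02", "Amit 2.4 G"),
    *[(1.0 + i * 0.05, "deauth", "AA:BB:CC:00:00:01", "") for i in range(12)],
    (1.2, "deauth", "AA:BB:CC:00:00:02", ""),  # one deauth: a normal disconnect
    (2.0, "beacon", "DE:AD:BE:EF:00:01", "raaj"),
]
# Inventory of the access points we actually operate (assumed values).
KNOWN_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}


def deauth_bursts(frames, window_s=1.0, threshold=5):
    """Return {bssid: peak count} for BSSIDs that receive at least `threshold`
    deauth/disassoc frames inside any sliding window of `window_s` seconds."""
    per_bssid = defaultdict(list)
    for ts, subtype, bssid, _ in frames:
        if subtype in ("deauth", "disassoc"):
            per_bssid[bssid].append(ts)
    flagged = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged


def twin_essids(frames, known_bssids):
    """Return {essid: [unknown BSSIDs]} for ESSIDs beaconed both by an AP in our
    inventory and by one that is not. Several known BSSIDs per ESSID are normal
    (roaming), so only the unknown ones are reported."""
    seen = defaultdict(set)
    for _, subtype, bssid, essid in frames:
        if subtype == "beacon" and essid:
            seen[essid].add(bssid)
    return {e: sorted(b - known_bssids) for e, b in seen.items()
            if b & known_bssids and b - known_bssids}


if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(FRAMES))
    print("evil twin candidates:", twin_essids(FRAMES, KNOWN_BSSIDS))
```

Enabling Protected Management Frames (802.11w) on the access point is the mitigation for the forged deauthentication frames the first check flags, since clients then reject deauth/disassoc frames that are not authenticated.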


The captive web portal will ask the client to submit the Wi-Fi password key to get internet access.


If the client gives the Wi-Fi key, the password will be captured in plaintext in the control window.

Additionally, the password is saved in the file you specified during the proposal.

PMKID Attack
PMKID is the unique key identifier used by the AP to keep track of the PMK being used for the client.
It is a derivative of the AP MAC, client MAC, PMK, and PMK name. Read more from here

Let us capture the PMKID by running the airgeddon script and selecting option 5 as shown below.


Then again press 5 and wait for the script to capture SSIDs around.

Now you'll see a list of targets. Our target, number 6, is "Amit 2.4 G". Then simply enter the timeout
in seconds that you want the script to wait before capturing the PMKID. Let's suppose 25 seconds
is ample time.


Sure enough, we can see a PMKID being captured here!


Then simply store this PMKID as a cap file. First press Y, then enter the path, and done.

Now, with an integrated aircrack-ng we can crack the cap file within airgeddon script itself like this:

Just choose the dictionary attack, answer yes, and then supply the dictionary file.

Sure enough, we have the password we needed.


Reference:

https://www.oreilly.com/library/view/network-security-tools/0596007949/ch10s03s01.html

https://www.aircrack-ng.org/doku.php?id=deauthentication
