RFID Fundamentals

I realized I didn’t have any good notes on Radio Frequency Identification (RFID) tags/badges/etc, so I figured it was time to compile that and update it while I’m at it.  This post is just a quick run-down of the frequencies, types, and common cards/IDs.  If you don’t know what an RFID is, for the purposes of most pentesting it’s a security badge or a key fob, like you can see in the image at the top of this posting.

Continue reading “RFID Fundamentals”

Bruteforcing ESSID Values

If you need to reveal an (E)SSID you can do this simply through MDK3.  To do so we’ll use the “p” mode, as follows:

mdk3 {INTERFACE} p -f /path/to/file/of/potential_names -t {AP_MAC_ADDRESS} -b {CHARSET}

For the “CHARSET” you can use “a” (for all characters, not recommended except for tiny names), or one or more of the following:

  • u – Uppercase
  • l – Lowercase
  • n – Numbers
  • s – ASCII symbols

Good hunting!

WPA Handshake Stripping

Many thanks to INIT_SIX for also pointing out a quick way to reduce the size of your WPA handshake captures using pyrit:

pyrit -r /path/to/capture.cap -o /path/to/handshake-only-output.cap strip

Add the “-e” or “-b” switches to filter down to just a single AP by ESSID or BSSID respectively:

pyrit -r capture.cap -o output.cap -b "99:88:77:66:55:44" strip

That’s it! Good hunting!

Wireless Attack: WPA

The following is a quick-hit list of commands for attacking a WPA wireless network. It assumes you are using a 2016 variant of Kali linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WPA network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.

For the sake of this tutorial the AP will be assumed to have a MAC address of “99:88:77:66:55:44” and the client will be assumed to have a MAC address of “00:11:22:33:44:55”. The wireless network card we will use will be assumed to be “wlan0”.

If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WPA & WPS (basic_0x01)

Continue reading “Wireless Attack: WPA”

Wireless Attack: WEP

The following is a quick-hit list of commands for attacking a WEP wireless network. It assumes you are using a 2016 variant of Kali linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WEP network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.

For the sake of this tutorial the AP will be assumed to have a MAC address of “DE:AD:DE:AD:DE:AD” and the client will be assumed to have a MAC address of “BE:AD:ED:BE:AD:ED”. The wireless network card we will use will be assumed to be “wlan0”.

UPDATE 2017-01-01: If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WEP (basic_0x00)

First up, boot up Kali and shut down any potentially interfering programs:

airmon-ng check kill

Continue reading “Wireless Attack: WEP”

Create a website or blog at WordPress.com

Up ↑