Things I've learned and want to share
I realized I didn’t have any good notes on Radio Frequency Identification (RFID) tags/badges/etc, so I figured it was time to compile that and update it while I’m at it. This post is just a quick run-down of the frequencies, types, and common cards/IDs. If you don’t know what an RFID is, for the purposes of most pentesting it’s a security badge or a key fob, like you can see in the image at the top of this posting.
If you need to reveal an (E)SSID you can do this simply through MDK3. To do so we’ll use the “p” mode, as follows:
mdk3 {INTERFACE} p -f /path/to/file/of/potential_names -t {AP_MAC_ADDRESS} -b {CHARSET}For the “CHARSET” you can use “a” (for all characters, not recommended except for tiny names), or one or more of the following:
Good hunting!
Let’s say you’re in a location where the WEP network you’ve found is a bit guarded with replay attacks, or are practically no clients from which to capture a target packet. How can you get around this to generate data and crack the encryption?
Many thanks to INIT_SIX for also pointing out a quick way to reduce the size of your WPA handshake captures using pyrit:
pyrit -r /path/to/capture.cap -o /path/to/handshake-only-output.cap stripAdd the “-e” or “-b” switches to filter down to just a single AP by ESSID or BSSID respectively:
pyrit -r capture.cap -o output.cap -b "99:88:77:66:55:44" stripThat’s it! Good hunting!
Many thanks to INIT_SIX for recommending this quick-hit update to the previous WPA wireless attack article. If you find yourself making packet captures and airodump-ng reports that the handshake was captures, but aircrack-ng (or your tool of choice) is having issues, it’s time to break out some manual packet analysis. Let’s verify that capture!
The following is a quick-hit list of commands for attacking a WPA wireless network. It assumes you are using a 2016 variant of Kali linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WPA network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.
For the sake of this tutorial the AP will be assumed to have a MAC address of “99:88:77:66:55:44” and the client will be assumed to have a MAC address of “00:11:22:33:44:55”. The wireless network card we will use will be assumed to be “wlan0”.
If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WPA & WPS (basic_0x01)
The following is a quick-hit list of commands for attacking a WEP wireless network. It assumes you are using a 2016 variant of Kali linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WEP network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.
For the sake of this tutorial the AP will be assumed to have a MAC address of “DE:AD:DE:AD:DE:AD” and the client will be assumed to have a MAC address of “BE:AD:ED:BE:AD:ED”. The wireless network card we will use will be assumed to be “wlan0”.
UPDATE 2017-01-01: If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WEP (basic_0x00)
First up, boot up Kali and shut down any potentially interfering programs:
airmon-ng check kill
Hermit's Cave 