Dave Monroe - Author



Ethical Hacking - Pen Testing Page

Let's begin. This is for educational purposes ONLY, and should only be used on your own
networks or on networks you have explicit permission (for example, from your employer) to access.

These data collection options can and should only be used to discover illegal activities.

This is known as Ethical Hacking or Penetration Testing.

Most of the tools used are already built into Kali Linux.
These tools, including Kali Linux itself, ARE NOT illegal to use
unless you use them for illegal purposes.

Check the laws of your specific Country, Province, State, and Local area.

Pictures, videos and links provided as is.


First get some dictionaries (wordlists) and install aircrack-ng on your Linux box, or get the
latest distro of Kali and you'll have all that. You can either install Kali on your system
or run it live from a USB stick, which is probably the best option if you don't like leaving
your own footprint or data trail.

Step 1

Randomize the adapter's MAC address, then put the adapter into monitor mode:

sudo macchanger -r wlan0

sudo airmon-ng start wlan0

If it asks whether you want to stop some processes, just answer Y.

As soon as it's done, run this to kill any processes (PIDs) that might interfere:

sudo airmon-ng check kill



That's it so far. Right now the adapter will be channel hopping. If you already know your
target and what channel it is on, the next step locks you on that channel, which makes
capturing the data for the handshake a little faster and stops the error you get when doing
a deauth that says the AP/client is on channel 11 but you're on channel 6. That error will
stop the deauth (which we will get to later).

Now we want to see every AP and client close enough to see:

sudo airodump-ng wlan0mon



Select your target if you don't already know it, then press Ctrl-C to stop airodump-ng.

(You can also start grabbing everyone's data and capture multiple handshakes in a single file, but that's another lesson for another time.)

Depending on how many APs are near you and how big your display is, you might have to press Ctrl+- to zoom out.

Look at the channel number of your target and enter it in the command below (where 6 means channel 6).
Open a new terminal. You might want to open it in the same folder where you are going to write the .cap file and where your dictionary files are.

sudo airmon-ng start wlan0mon 6

And now:

sudo airodump-ng --bssid F4:0E:83:BF:0A:97 -c 6 --write WhoreOnFloor wlan0mon

I am sure that you can figure out what --bssid, -c and --write mean. wlan0mon is your new wifi adapter name after you put wlan0 into monitor mode.

(You can name the file anything you like; airodump-ng will put a number before the .cap
(WhoreOnFloor-01.cap, -02.cap and so on) in case you stop it at any time and restart it.)

Now, as you will see, this is your target. If no client is associated you will have to be patient.
If there is a client that was already associated to the AP when you got there,
you will either again have to be patient and wait for another client to connect, or for that one to disconnect and reconnect,
OR we deauth the fucking connected client. There are 2 ways to do that, and I will show you both below.
With the first one we just send the deauth to the AP. This can be effective but sometimes takes a while. With the second way we still send a deauth to the AP, but we tell it which client it has to cut off.

(Oh yeah, once you have started the capture and are writing the file, you'll have to stop it once while the client is connected to be able to copy the client MAC. Or you can just write it down.)

You are also going to do this in another terminal. Sometimes if I'm not getting the handshake fast enough I'll do this in like 3 terminals at the same time. But once the handshake is captured you want to stop all deauths but keep airodump-ng going until you have at least 100 data packets or more.

sudo aireplay-ng --deauth 900 -a F5:0E:83:AA:0A:97 wlan0mon

or

sudo aireplay-ng --deauth 900 -a F5:0E:83:AA:0A:97 -c B0:AC:FA:99:07:4A wlan0mon



900 is the number of packets, how many I like to send. 200 is fine, 500 better and 500000 even better, but
the higher the number the higher the lag. --deauth is exactly that;
-a is the access point MAC, -c is the client's MAC.

In the window where you are capturing the data, writing the .cap file and waiting for the handshake,
you should see in the top right: [WPA handshake: F5:0E:83:AA:0A:97]



That's it. You can continue to capture data, but it's better to stop everything now.

Now either use a terminal you already have open, or open a new one. I like to keep all my terminals open
because once I'm done with one AP I move on to the next, and it saves me from starting all over in new
terminals: I can just use the arrow keys to recall the commands and change channels and MAC addresses.

OR

use the file manager (Files) to go to the directory where you wrote the .cap file. You'll see other files like .csv and .xml files
with the same name as your .cap file, but you can delete them.

Remember, your dictionary files should be in this directory. I have a kind of pyramid thing I do, since I have so many dictionaries: if I don't get a password with my smaller dictionaries I try the bigger ones, and since I'm usually cracking many APs at the same time I have multiple .cap files and dictionaries in folders within folders.

Now choose which .cap file you made (if you made more than one) and let's run a dictionary attack:

sudo aircrack-ng WhoreOnFloor-01.cap -w dictionary.txt

Now be patient. Depending on the size of the dictionary it could take minutes, hours, days or even weeks.

But depending on how good your dictionaries are, you should eventually see something like:

KEY FOUND! [ CumSuckingGutterSlut ]

That's it. I'll make a video for ya...

But... aircrack is obviously a bit more complicated than it needs to be, and can be very time consuming.

Therefore, in another lesson (because I think you should learn this first) we will skip all this shit and just go for the fake AP method. This could get you noticed, but
not if it's done quickly, and not if it's waiting for a phone or television to try to connect to the fake AP.
Phones and TVs are stupid. We will still use aireplay-ng to deauth the clients though.

Then after that lesson we can dive into Wireshark and then... the best one!! Man In The Middle!!!
No, not 'Boy' In The Middle like "I'll take what is between Dana's legs for 500, Alex", but the attack
where you take the FAKE AP thing to the next level: let them connect, and when they go to Facebook or Gmail or whatever website and try to log in, your box says "Nope, wrong username and password." They try again, and again, and by now you know every username and password they use for everything. You cut them loose from your box and then magically they are transported to the real website they are trying to log into, and they get in. You log your discoveries and use them whenever you want to collect info on their illegal activities.

Or, to avoid all that shit, just offer free wifi and collect, collect and collect, since it's your network
and they have no legal action even if they did realize you were running Wireshark the whole time.

 

 

 © dave monroe 1996-2024