Wireless Hacker Actual Combat-Basics

Category: Tag:

One. Environmental preparation:
1. Software:
Kali and DClinux are used for wireless blasting, and airgeddon in Kali is used for DOS. As a basic platform for WIFI phishing, kali integrates many open source hacking tools to facilitate learning.

Kali: https://www.kali.org/downloads/

CDlinux: http://cdlinux.net/

CDLinux can be installed in a U disk for use, and the installation tutorial can be searched by yourself.

2. Hardware:
A 8812AU wireless network card that supports 802.11AC wireless protocol. The AWUS036ACH network card can pass through 6 load-bearing walls about 100 meters with full signal.

AWUS036ACH network card driver: https://github.com/gnab/rtl8812au

Run the following command after decompression:


sudo make install

modprobe 8812au


apt update 

apt install realtek-rtl88xxau-dkms

I didn’t have a network card at the beginning, so I just used the “portable WiFi USB flash drive” like the following USB flash drive. The function is also very powerful.

But I think ordinary network cards are more stable, such as the 8187 wireless network card (available on Amazon, and all brands can be used).

Advantages of 8187 wireless network card

1. First of all, no driver is required, and it can be recognized directly whether it is a real machine or a virtual machine.

2. The signal is very stable.

3. The support for WiFi-pumpkin (fishing platform) is also very good.

Finally, make sure that both kali or CDlinux can recognize the wireless network card.


Two. Wireless blasting
Wireless blasting is very applicable in actual combat. The first time I did an independent penetration test, I entered the user network through wireless blasting. The user’s intranet is generally vulnerable to protection, and after entering, it can bypass most security protections and directly attack the target system.

1. Blasting method: use kali blasting
The advantage of blasting with kali is that you don’t need to install CDLinux, and it supports many types of network cards (for example: 8812AU). The problem is that you need to enter some commands and install some network card drivers.

The following is a wireless password blasting through kali:

Steps: Modify the network card mode-capture packets, and use DOS to capture the handshake packet-brute force the captured handshake packet.

iwconfig //View network card

ifconfig wlan0 down //Disable the network card

iwconfig wlan0 mode monitor //Modify to monitor mode

ifconfig wlan0 up //Enable the network card

airmon-gn start wlan0 //Enable monitoring mode

airodump-ng mon0 //Capture the packet, just watch.

airodump-ng -c 1 -w 0914 mon0 //Capture 1 channel and save it to file 0914

aireplay-ng-0 10 -a BSSIDmac address -c client mac address mon0 //At the same time, capture the packet and perform a dos attack on the client to re-authenticate, thereby capturing the handshake packet

aircrack-ng -w /root/dictionary.lst 0914*.cap //After pressing enter, select the handshake package for brute force cracking

Successfully cracked

2. Blasting method two: Blasting with CDlinux
The advantage of using CDLinux is that it is surface-oriented, the whole process does not need to type commands, just a few clicks. CDLinux can be used directly after installing it in the U disk, which is easy to carry, just need to boot from the U disk. In addition, CDLinux supports most driver-free wireless network cards very well, but it is relatively more complicated if you need to install a driver.

After preparing CDLinux, first collect wireless signals, as shown in the figure below.

The more information collected, the higher the success rate for blasting. Here we choose the wireless signal ****1 for blasting.

Next, the tool will automatically obtain the handshake packet information, as shown in the figure below, this process takes about a few minutes.

After obtaining the handshake packet, the password cracking starts.

Blasting needs to load the password dictionary generated by the social engineering library we prepared before.

Choose a dictionary.

Start blasting. This process is based on the previous preparations and luck. Good luck, the blasting was successful! As shown in the figure below, the WPA KEY part is the wireless password.

Brute force cracking is not always successful, it depends on luck! In addition to finding some better dictionaries, a more effective way is to collect some social engineering dictionaries.


Three. Wireless DOS
Wireless DOS mentioned in the previous introduction of wireless blasting. The wireless client is destroyed by DOS and the authentication packet is sent again to obtain the handshake packet. Wireless DOS can also be used to set up a wireless base station to break the other party’s wireless through DOS. Then build a wireless base station to achieve flow control.

1. Use of Airgeddon

download tool


git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git

bash airgeddon.sh

First modify the network card mode to: monitor mode, otherwise the following will be prompted:

Select the network card: 2  wireless network card

Then the following options appear:

Option 4 is to pop up nearby wireless networks.

ctrl+c, stop sniffing and list wireless

Select 36, the wireless signal to be attacked

Choose attack type

Start attack

Then the wireless dropped.


Four. Wireless fishing
The idea of wireless phishing: You can directly intercept traffic through phishing, restore pictures, plain text passwords, etc., and you can build a phishing website to induce the other party to log in and authenticate to obtain personal information. You can also use APP push notifications to induce the other party to install with remote control Trojan horse program.

1. Manual wireless fishing
Environment: kali2.0, portable WiFi U disk

Goal: build wireless fishing WiFi

Steps: Configure DHCP configuration file-set network card mode-start wireless hotspot-establish virtual network card-open IP forwarding-start DHCP service-set nat.

1. Configure DHCPD service:

Modify /etc/dhcp/dhcpd.conf and add the following code:

default-lease-time 700;
max-lease-time 8000;
subnet netmask {
option routers;
option subnet-mask;
option domain-name-servers;

Then save.

2. To set the network card mode, you need to first insert the wireless network card into the USB port and map it to the kali virtual machine. The network card mapping is shown in the figure below, and the network card wlan0 has been identified.

Set the network card mode-three commands: turn off the wireless network card, set it to monitor mode, and start the network card.

Then use the airmon-ng tool to start the wireless network card, mainly for the next step to establish a wireless site.

3. Establish a wireless site:

At this time, the wireless station has been established, but the client cannot connect to WiFi yet because the DHCP service has not been started.

4. Create at0 virtual network card:

We will use the virtual network card at0 to make the traffic of the wifi go to the virtual network card

At this time, you need to open another command window, because the previous window is used to monitor all clients connected to WiFi after starting WiFi.

The above command does not require much explanation: the basic configuration of the virtual network card, and the route is pointed to the virtual network card.

5. Turn on IP forwarding

Is to make Kali routable like a router.

6. Open the DHCP service

Among them, /var/run/dhcpd.pid is the file created this time,Open service

Connect to WiFi, you can get the IP address, and the gateway is also connected:


If you pull out the network card, because the hardware has changed, you must restart Kali to reuse the network card.

7, nat settings

The previous only can connect to WiFi, but the WiFi built through kali cannot access the Internet, so you need to set up address translation NAT in the kali system, because we turned on IP forwarding in step 5, so now kali is already a router.

Through iptables, such a powerful function, set nat

Pay special attention to those names in uppercase, if you make a mistake, you will get an error. POSTROUTING represents the original address, I guess -A refers to all, and then converted to the address of eth0 when going online. According to the routing understanding, the same is true, because kali has two network cards eth0 that can access the Internet, and if at0 as a virtual network card wants to access the Internet through eth0, it must also perform SNAT original address translation through the eth0 interface address.

The second command: all the data sent by the wireless network card is sent to the eth0 interface.

Does this refer to the original address? It should be, because the IP address obtained by wireless is in this network segment, all of which are converted, and the maximum data length is 1356.

Test Results:

So far we tested it with a mobile phone, and the mobile phone can access google by connecting to a WiFi hotspot: Fishing.

Well, the rest is free to play, whether it is intercepting traffic (obtaining plaintext passwords), DNS, ARP, or browsing client Internet pictures, establishing a phishing website (deceiving users to disclose personal information) BEEF.

Get pictures

Get a picture of my son

Start the packet capture tool wirshack to capture the data traffic of at0 port:

You can get the phone model, email account cookie, etc. (the password may not be obtained due to encryption in the new version).


After shutting down the virtual machine and unplugging the wireless network card, restarting the client cannot obtain an IP address

After restarting, the virtual network card is unavailable because the wlan0 mapped by the virtual network card at0 is offline, so the DHCP server address is gone, so you must restart DHCP, re-establish the virtual network card at0 and other steps. The actual test also needs to add nat because of the configuration of the virtual network card by nat Doesn’t exist anymore.

2. WIFI-Pumpkin wireless fishing
8812au can support WIFI-Pumpkin

Accept cookies:

The process is described below:


Download https://github.com/P0cL4bs/WiFi-Pumpkin.git

Enter the directory after decompression:

cd WiFi-Pumpkin


./installer.sh -–install

Successful installation:


Client connects to WIFI (default SSID: PumpAP):

Similarly, receive pictures, driftnet

And there are more useful ones, you can view every request and plaintext authentication:



There are no reviews yet.

Be the first to review “Wireless Hacker Actual Combat-Basics”

Your email address will not be published. Required fields are marked *