EH Mod4

Uploaded by anirudhappu45

1. Aircrack-ng

This is the most widely used wireless password cracking tool. Aircrack-ng is a wireless security framework with a suite of tools used to capture wireless traffic. It is used to crack and recover WEP/WPA/WPA2 keys. The suite of tools can be used to perform the following: monitoring (capturing network traffic), attacking (carrying out de-authentication attacks and replay attacks), testing (testing the capabilities of wireless hardware) and cracking (WEP, WPA and WPA2 pre-shared keys).

Some of its features include:

- Can be run on Windows, Linux, iOS and Android platforms.
- Can be used to capture 802.11a/b/g traffic.
- Can be used to set up a rogue access point (evil twin attack).
- Can be used to crack and recover the WEP pre-shared key using the PTW approach or the FMS/KoreK method (statistical attacks combined with brute-forcing), making it faster than other WEP password cracking tools.
- Can be used with any network interface card (NIC) which supports raw monitoring mode.
- Can be used for WPA/WPA2 pre-shared key cracking using dictionary-based attacks.

2. Kismet

Kismet is an open-source wireless network device detector, sniffer, wardriving tool, GPS mapping tool and wireless intrusion detection system framework. It is a passive sniffer, which allows it to discover hidden wireless networks while remaining undetected itself. It works with Wi-Fi interfaces, Bluetooth interfaces and other specialized capture hardware. Some of its features include:

- Can be run on Windows, macOS and Linux platforms.
- Can be used to sniff 802.11a/b/g/n traffic.
- Can be used in radio frequency monitoring mode (rfmon), which allows the user to monitor traffic and identify wireless networks without associating with an access point.
- Displays all the packets it captures without limiting them to those specific to one access point broadcasting under one SSID.
- Identifies WAPs in use, SSIDs and the type of encryption used on a network.
- Can be used to identify common trends in network usage, network strength and WAP configuration.
- Its logging formats are compatible with Tcpdump/WinDump and Wireshark.

3. Fern Wi-fi Cracker

This is a Python-based tool with a graphical user interface used to perform wireless security audits and attacks. It is used to crack and recover WEP/WPA/WPS keys. It can also be used to carry out other network-based attacks on wireless and wired networks. Some of its features include:

- Can be run on Windows, macOS and Linux platforms.
- Can be used for WEP cracking using attacks such as ARP Request Replay, Caffe-Latte attacks, Chop-Chop attacks and more.
- Can be used for WPA/WPA2 cracking using dictionary-based attacks or WPS-based attacks.
- Can be used to perform brute force attacks on HTTP, HTTPS, TELNET and FTP servers.
- Can be used for session hijacking in various modes such as passive mode, ethernet mode and more.
- Utilizes an automatic access point attack system.

4. Wifite

Wifite is used for attacking multiple WEP/WPA/WPS encrypted wireless networks simultaneously. It can also be used for auditing wireless networks via a "set it and forget it" method. It utilizes the tools associated with Aircrack-ng, Reaver and PixieWPS. Some of its features include:

- Can be used to detect access points (targets) by their signal strength, cracking the closest access points first.
- Can be easily customized to automate the attack process (with settings for WEP/WPA/both, minimum signal strength, channels and more).
- Can be used to capture the information required for a pixie-dust attack by the PixieWPS tool.
- Makes the attacker anonymous by changing the attacker's MAC address before the attack and after the attack is completed.

5. PixieWPS

PixieWPS is a C-based tool used to brute-force the WPS PIN offline (the PIN is usually printed on the back of a router). It uses the "pixie-dust attack", exploiting a WPS vulnerability that allows the WPS PIN to be recovered within seconds or minutes depending on the target (if it is vulnerable). Some of its features include:

- Checksum optimizations.
- Reduces the entropy of the seed from 32 bits to 25 bits for some access points.
- Before it can be used, it requires the following: enrollee public key, registrar public key, enrollee hash-1, enrollee hash-2, authentication session key and enrollee nonce. It is often run as part of Wifite.

6. Wireshark

Wireshark is a network sniffer and protocol analyzer used to intercept and capture network traffic and log it for further analysis. These logs can be analyzed to detect data and information such as passwords sent in packets across the network. Some of its features include:

- Can be run on Windows, Linux and iOS platforms.
- Provides a large number of built-in protocol dissectors, allowing it to identify different types of network traffic and break them into an easily readable format.
- Provides built-in traffic coloring, filtering and connection following to assist with log analysis.
- Can be run in promiscuous mode, allowing Wireshark to capture all the packets it can see on the network.
- Can be used to intercept and analyze encrypted TLS traffic.
- Can be used to listen to a real-time network connection.

Bluetooth devices

7. Spooftooph

Spooftooph is a tool used to automate the spoofing or cloning of Bluetooth device information such as device name, class, address and more. Some of its features include:

- Can be used to clone and log Bluetooth device information.
- Can be used to generate new Bluetooth profiles.
- Can be used to change the Bluetooth profile every so many seconds.
- Can be used to select devices to clone from a scan log.

8. BlueMaho

BlueMaho is an open-source, Python-based Bluetooth framework with a suite of tools used for testing the security of Bluetooth devices. Some of its features include:

- Can be used to scan devices for information such as Service Discovery Protocol (SDP) records, vendor information, device information and more.
- Can be used to track devices, providing information about their location, the number of times the device has been seen and its name change history.
- Sends an alert when a new Bluetooth device has been identified.
- Can be used to configure actions to be carried out when a new device has been identified.
- Allows the use of more than one Bluetooth adapter for testing (one can be used for scanning and the other for running exploits).
- Can be used to test the device for known and unknown vulnerabilities.
- Can be used to change the name, class, mode and device address of local HCI devices.

### Tools for Web Attackers and Security Testers & Hacking Wireless Networks

This note provides a detailed overview of tools and techniques commonly used by web attackers and security testers. It also includes methods for hacking wireless networks, emphasizing their functionality and significance in penetration testing.

---

## **1. Tools for Web Attackers and Security Testers**

Web attackers and security testers use various tools to identify vulnerabilities in web applications. These tools are categorized based on their purpose, such as scanning, exploiting, monitoring, and reporting.

### **1.1. Scanning and Reconnaissance Tools**

These tools gather information about the target web application or network to identify vulnerabilities.

#### **a. Nmap (Network Mapper):**

- **Purpose:** Scans networks for open ports and services.

- **Usage:** Detect live hosts, operating systems, and versions of running services.

- **Example:** Running `nmap -sS -p 80 example.com` scans port 80 (HTTP) for potential vulnerabilities.

#### **b. Nikto:**

- **Purpose:** Web server scanner that checks for outdated software and misconfigurations.

- **Features:**
  - Detects known vulnerabilities in web servers.
  - Identifies server information disclosure.

- **Use Case:** Scanning a server to ensure it is free from vulnerabilities like outdated Apache versions.

#### **c. OWASP ZAP (Zed Attack Proxy):**

- **Purpose:** Identifies vulnerabilities in web applications.

- **Features:**
  - Proxy-based interception.
  - Active and passive scanning.

- **Example:** Detecting SQL Injection or Cross-Site Scripting (XSS) flaws in a web form.

---

### **1.2. Exploitation Tools**

These tools help attackers or testers exploit identified vulnerabilities.

#### **a. Metasploit Framework:**

- **Purpose:** A comprehensive tool for exploiting security vulnerabilities.

- **Features:**
  - Thousands of pre-built exploits for different software and systems.
  - Automation for penetration testing workflows.

- **Example:** Exploiting an unpatched Windows machine to gain remote access.

#### **b. Burp Suite:**

- **Purpose:** A web vulnerability scanner and exploitation tool.

- **Features:**
  - Customizable HTTP request manipulation.
  - Automated vulnerability detection.
  - Intruder module for brute-forcing credentials.

- **Example:** Testing for weak password protection on login pages.

---

### **1.3. Monitoring Tools**

These tools monitor real-time traffic and application behavior.

#### **a. Wireshark:**

- **Purpose:** A network packet analyzer for deep inspection.

- **Use Case:** Monitoring traffic to detect signs of intrusion or data leaks.

- **Example:** Analyzing an HTTP packet to identify sensitive data, such as passwords, sent in plaintext.
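The check described in this example, written out as an added Python audit (not code from the original notes or from the Wireshark project): it scans raw HTTP requests, as Wireshark's "Follow TCP stream" would show them, for credentials readable in cleartext and reports them with the secret redacted. The sample requests and the list of secret-bearing field names are constructed assumptions.

```python
"""Audit captured HTTP requests for credentials sent in cleartext (constructed sample, no live capture)."""
import base64
import re
from urllib.parse import parse_qsl

SECRET_FIELD = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)  # assumed default list

def redact(value: str) -> str:
    """Keep only the first character: the report proves exposure without re-leaking the secret."""
    return value[:1] + "*" * (len(value) - 1)

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_cleartext_credentials(raw: bytes):
    """Return (kind, user_or_field, redacted_secret) for each credential readable in plaintext."""
    headers, body = parse_http_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # HTTP Basic is base64, not encryption: user:password is fully readable on the wire
            user, _, pw = base64.b64decode(auth[6:]).decode("utf-8", "replace").partition(":")
            findings.append(("basic-auth", user, redact(pw)))
        except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
            findings.append(("basic-auth", "<undecodable>", ""))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body.decode("utf-8", "replace")):
            if SECRET_FIELD.search(key):
                findings.append(("form-field", key, redact(value)))
    return findings

# Constructed sample capture: a form login, a Basic-auth API call and a harmless GET.
SAMPLE_REQUESTS = [
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2",
    b"GET /api/v1/me HTTP/1.1\r\nHost: app.example\r\nAuthorization: Basic "
    + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

def audit(requests=SAMPLE_REQUESTS):
    """Index every request that leaks a credential; an empty list means the capture is clean."""
    return [(i, f) for i, raw in enumerate(requests) for f in find_cleartext_credentials(raw)]
```

Any finding means the application is accepting credentials over plain HTTP; the fix is TLS for the whole login path, not just filtering the capture.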

#### **b. Fiddler:**

- **Purpose:** A proxy tool that captures HTTP/HTTPS traffic.

- **Features:**
  - Manipulates request/response headers.
  - Useful for testing API security.

- **Example:** Intercepting a web API call to analyze its behavior.

---

### **1.4. Reporting Tools**

Tools that generate detailed reports after testing for vulnerabilities.

#### **a. Dradis Framework:**

- **Purpose:** Centralized platform for organizing penetration testing reports.

- **Features:**
  - Combines data from various tools like Metasploit or Nmap.
  - Templates for consistent report creation.

- **Use Case:** Summarizing vulnerabilities and mitigation steps in a professional format.

---

## **2. Hacking Wireless Networks**

Hacking wireless networks involves exploiting weaknesses in wireless communication protocols. Security testers use these techniques to assess vulnerabilities in Wi-Fi networks.

---

### **2.1. Types of Wireless Attacks**

#### **a. Rogue Access Point Attack:**

- **Description:** An attacker sets up a fake Wi-Fi access point to intercept data.

- **Process:**
  1. Create a rogue AP with the same SSID as a legitimate one.
  2. Lure users to connect to the fake AP.
  3. Capture sensitive data such as login credentials.

- **Tools Used:** Airbase-ng (from Aircrack-ng suite).

#### **b. Evil Twin Attack:**

- **Description:** A variation of the rogue access point attack, designed to mimic an actual Wi-Fi network closely.

- **Impact:** Users connect unknowingly, allowing attackers to steal information.

---

### **2.2. Wireless Network Testing Tools**

#### **a. Aircrack-ng:**

- **Purpose:** A suite of tools for assessing Wi-Fi security.

- **Features:**
  - Captures packets to break WEP and WPA keys.
  - Includes tools like Airodump-ng for monitoring networks.

- **Example:** Breaking WEP encryption by collecting initialization vectors (IVs).

#### **b. Reaver:**

- **Purpose:** Exploits vulnerabilities in Wi-Fi Protected Setup (WPS).

- **Usage:** Performs brute-force attacks on WPS PINs to retrieve WPA/WPA2 keys.

- **Example:** Gaining access to a WPS-enabled router by repeatedly guessing the PIN.

#### **c. Kismet:**

- **Purpose:** Passive wireless network detector and sniffer.

- **Features:**
  - Detects hidden SSIDs.
  - Monitors wireless activity without transmitting packets.

- **Use Case:** Identifying unknown devices connected to a network.

---

### **2.3. Wireless Encryption Cracking**

#### **a. WEP Cracking:**

- **Methodology:**
  - WEP uses weak encryption that can be cracked using tools like Aircrack-ng.
  - Collect IVs from a network and use them to derive the encryption key.

#### **b. WPA/WPA2 Cracking:**

- **Methodology:**
  - Capture the WPA handshake using Airodump-ng.
  - Perform dictionary or brute-force attacks using tools like Hashcat.

---

### **2.4. Deauthentication Attacks**

- **Description:** Forcing devices to disconnect from a network.

- **Purpose:** Captures WPA handshake for cracking or disrupts legitimate users.

- **Tools:** Aireplay-ng.

- **Example:** Running `aireplay-ng --deauth` to disconnect a user temporarily.
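A defender-side check for this attack, added here as example code (not part of the original notes or of the Aircrack-ng project): a monitor-mode capture of a deauthentication flood shows a burst of management frames with subtype 12 from one transmitter, and the sliding-window counter below raises an alert on that signature. The frame builder, the 20-frames-per-second threshold and the sample capture are assumptions constructed inline.

```python
"""Detect a deauthentication flood in raw 802.11 frames (constructed frames stand in for a monitor-mode capture)."""
import struct
from collections import defaultdict, deque

MGMT, DATA = 0, 2               # 802.11 frame types
DEAUTH = 12                     # management subtype 12 = Deauthentication
WINDOW_S, THRESHOLD = 1.0, 20   # assumed tuning: 20 deauths from one transmitter within 1 s is a flood

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(ftype: int, subtype: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Minimal 802.11 MAC header (no radiotap) for the constructed sample; protocol version 0, flags 0."""
    fc = (ftype << 2) | (subtype << 4)
    return (struct.pack("<BBH", fc, 0, 0) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", 0) + body)

def parse_frame(frame: bytes):
    """Return (type, subtype, transmitter MAC, reason code or None); None if the header is truncated."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return ftype, subtype, frame[10:16].hex(":"), reason

def detect_deauth_flood(frames, window=WINDOW_S, threshold=THRESHOLD):
    """frames: iterable of (timestamp, raw). Returns one (transmitter, count, timestamp) per flooding source."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None or parsed[:2] != (MGMT, DEAUTH):
            continue
        tx = parsed[2]
        q = recent[tx]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window: drop timestamps older than `window`
            q.popleft()
        if len(q) >= threshold and tx not in alerted:
            alerts.append((tx, len(q), ts))
            alerted.add(tx)
    return alerts

AP, STA = "02:00:00:00:aa:01", "02:00:00:00:bb:02"   # constructed, locally administered addresses
def sample_capture():
    """Constructed capture: normal data frames, then 64 deauths spoofing the AP's address within 0.5 s."""
    frames = [(i * 0.1, build_frame(DATA, 0, STA, AP, AP)) for i in range(5)]
    for i in range(64):
        frames.append((1.0 + i * 0.5 / 64, build_frame(MGMT, DEAUTH, STA, AP, AP, struct.pack("<H", 7))))
    return frames
```

Protected Management Frames (802.11w, mandatory in WPA3) make spoofed deauthentication frames fail authentication at the client, which is the mitigation this detector complements.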

---

### **2.5. Countermeasures for Wireless Network Security**

- **Using Strong Encryption:**
  - Switch from WEP to WPA3 encryption.

- **Disabling WPS:**
  - Prevents brute-force attacks targeting WPS PINs.

- **Network Segmentation:**
  - Isolate sensitive data from the primary Wi-Fi network.

- **Regular Audits:**
  - Use the tools mentioned above to identify and patch vulnerabilities.

---

### Conclusion

Understanding tools for web attackers and wireless hacking helps both attackers and security testers. For attackers, these tools reveal vulnerabilities; for testers, they provide insights to strengthen systems. Employing strong encryption, regular monitoring and awareness of these tools is crucial for robust cybersecurity.
