Wifi pre-connection attack


Hello how are you guys , In this blog i will show you how to gain access to wifi networks . Before we start i want to tell you that you need a wifi adapter connected to the machine so you can start.

Enabling monitor mode

So at the beginning we will start with the pre-connection attack which is the first important part that you should do to perform an attack.

First of all make sure that your interface is on monitor mode by doing the following commands:

sudo ifconfig wlan0 down

# Running the above command will turn down the interface so we can change it sudo airmon-ng check kill

# This command will kill all the process so we get better results when running the attacks, also you will notice that you have completely loosed your internet connection but this is fine because we only need to be in monitor mode when we are running pre-connection attacks which is the attacks that dont require internet connection.

sudo iwconfig wlan0 mode monitor

# The above command will enable the monitor mode for the interface After we have enabled monitor mode now we need to bring back up the interface which is wlan0 by the following command:

sudo ifconfig wlan0 up

Packet-sniffing using airodump-ng

*Airodump-ng is a part of tool from aircrack-ng

* Airodump-ng is a packet sniffer that will sniff packets for us.

* It is used to capture all the packets within range.

* It displays a detailed info about the network around us and connected clients etc..

Discovering networks using Airodump-ng

- Open the terminal in your machine and type Airodump-ng [interface] followed by the interface Example: Sudo Airodump-ng wlan0

After running the command you will have an output like the above picture, But what each of the output means? So

BSSID: shows the MAC address of the target network

PWR: is the signal strength of the network so the higher the number the better the signal.

Beacons: these are frames sent by network in order to broadcast its existence and tell all the wireless networks that i exist and this is my name and encryption type etc..

#Data: These are the useful packets (data)

#/s: shows the data that have been collected in that past few seconds.

CH: Which is the channel that the network works on.

MB: Maximum speed supported by the network

ENC: shows the encryption type of the network example: WPA,WPA2 ,WEP , OPN etc..

CIPHER: is the cipher used in the network example WEP , CCMP etc..

AUTH: The authentication used in the network

ESSID: Is the name of the network


* Decides the frequency range that can be used

* Determines the channels that can be used

* Clients need to support band used by router to communicate with it. * Data can be sniffed from a certain band if the wireless adapter used supports that band.

Most common band are:

* a uses 5Ghz frequency only.

* b,g both uses 2.4Ghz frequency only.

* n uses 5 and 2.4Ghz.

* ac uses frequencies lower than 6Ghz.

If your adapter supports 5Ghz then run the following command to see 5Ghz networks

NOTE: its important that your adapter supports 5ghz to capture 5Ghz networks. airodump-ng — band [specify a band] [interface]

Example: airodump-ng — band a wlan0

After running this command airodump-ng will show you the 5ghz networks around you.

Also you can specify more than one band at the same time for example: airodump-ng — band [specifying bands] [interface]

Example: airodump-ng — band abg wlan0

This will capture more networks that uses 2.4Ghz and 5Ghz at the same time but this is slower process and it needs a powerful wifi adapter, so if you want a faster process of capturing just use the first method of specifying only one band.

Targeting network after packet sniffing using airodump-ng

Now we have some basic information about the each network.Now lets see how we can use airodump-ng to collect more information about the specified network(not all networks)

To run the program we will type this command:

First we will type airodump-ng after we will specify a specific BSSID by typing — bssid followed by the MAC address of the specified BSSID, next we will specify a channel for airodump-ng to sniff on and to specify a channel we will type — channel followed by the channel number, and we want the data be stored in a file and to do that we will type — write followed by [filename] and finally we specify our interface.

Example: airodump-ng — bssid F4:EC:38:A4:1C:E2 — channel 4 — write networkfile wlan0

As you can see after running this command we have another section down with more BSSID’S ,STATION etc.. so this section is the client section or the devices that are connected to the network. The STATION is the MAC address

of the clients that are connected to the network

We use CTRL + C to quit the program

After quitting the program we should have file stored our data in our directory which we named it networkfile as you can see above in the example. so if we press (ls) command it will list for us all the files in the current directory, you will notice that you have 4 files named with networkfile but the one that we need is networkfile.cap , this file with the CAP extension stores the data and everything send and received inside the network. But if the target network uses WPA2 encryption you will not be able to see the data because its encrypted!

You can use a program called WireShark to gather more information and we can guess what computers are there and used but still its not detailed enough because the network uses WPA2 encryption.

So In the next section i will explain to you about the Deauthentication attack.

Deauthentification attack.

#NOTE: Make sure that you are running airodump-ng before using this attack so it doesn’t fail.

airodump-ng — bssid F4:EC:38:A4:1C:E2 — channel 4 wlan0

Deauthentication attack is an attack that disconnects client from any network:

* This attack works on all the encryptions (WEP, WPA&WPA2)*No need to know the network key*No need to connect to the network

And this is how you use the command:

Aireplay-ng — deauth [#deauthpackets] -a [NetworkMac] -c [TargetMac] [interface]

So Aireplay-ng : is the name of the program that we will use. — deauth : is the command that will let us specify how many packets we want to send and how for long we want to send packets.-a command : will let us specify the network Mac address which is the BSSID.-c command : will let us specify the target Mac address in STATION.

Example: Aireplay-ng — deauth 100000 -a F4:EC:38:A4:1C:E2 c 5O:B7:C3:3B:FC:0E wlan0

What will happen in this attack that we will pretend to be the client that we want to disconnect by changing our Mac address to the targeted client Mac address and tell the router that i want to disconnect from you, Then we are going to pretend that we are the router by changing our Mac address to the router Mac address and tell the client that you requested to be disconnected so i will disconnect you! So this will help us to successfully disconnect or Deauthenticate the client from the network!

And to connect back just use CTRL + C to quit the program

If you used that on WPA encryption you will capture a handshake and get the key of the network.For example if the key was F7:ED:38:A3:9C:P3Just remove the colon : ( F7ED38A39CP3) and you will be able to connect to the network.



Hello there my name is mohammed , I am 17y , I am just a computer guy who is interested in CyberSecurity

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Msecurity BH

Hello there my name is mohammed , I am 17y , I am just a computer guy who is interested in CyberSecurity