/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?

action=ACTI-5

HackTown
Cyber Criminal University - Home

Forum Courses Armory Reviews Register Login

Adjust the webpage by zooming in or out to ensure that the yellow line above is within this navigation bar for optimal viewing

You are not logged in. You will only be able to access the courses in GREEN from the course list.

Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Conclusion

The Required Wi-Fi Pre- Hacking Wi-Fi Unable to hack Increase the Locating the Access WPA3 The END of
Introduction hardware Requisites Networks Wi-Fi POWER! Point (AP) Networks course.

ACT I - Hacking Wi-Fi Networks

Chapter 5 - Unable to hack Wi-Fi
Once a wordlist has been exhausted it's time to use other resources for cracking the password. It's better to outsource
password cracking to online services that can utilize way more CPU/GPU power then you'll want to invest into buying
yourself. Ultimately you could setup a separate desktop dedicated to password cracking, but this isn't really necessary or
needed today and that's fucking expensive.

Here is a website with many large wordlists should you choose to download and use them.
https://weakpass.com/wordlist

Online WPA/WPA2 cracking services highly recommended:

https://www.onlinehashcrack.com
https://gpuhash.me
https://hashc.co.uk

1 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Creating your own wordlists

Here's a good tip when attacking Wi-Fi networks associated to stores, businesses, and companies. Once you've
obtained the 4-way handshake you can create a custom wordlist designed to target that specific business which may yield
success.

Most stores, businesses, and some companies might have weaker passwords for their Wi-Fi networks because those
types of passwords are easier to give out to customers and employees without trying to remember complex ones.

For example, you live right next to a clothing store called "BeautyClothes" that has a WPA/WPA2 protected Wi-Fi network
and you have great signal strength to it so of course you want to use their Wi-Fi. If you walked into their store to browse
their bullshit clothes that don't fit your body you politely ask for their Wi-Fi network password. Of course, the store
employee replies with "BeautyClothes2023". It's a password simple enough to remember, easier to give out to customers,
and is somewhat complex enough to deter most beginner hacker fuck faces from guessing it. Not us though! We want to
try everything because we want/need to get onto that Wi-Fi network to do XYZ maniac things with it.

We can create custom wordlist based on our targets of interest by using a tool called CeWL and another one known as
CUPP.

CeWL
Humans are not always very creative and often fall victim to the familiar and easiest way of getting things done, especially
when creating passwords. If we understand that this can be helpful to finding potential passwords when generating a
relevant password list to use when cracking the WPA/WPA2 handshake file.

For example, employees at a coffee shop are more likely to use words for passwords that are used in their industry, such
as coffee, espresso, latte, teabags, beans, etc. where as people working at a shoe store more likely have passwords such
as shoes, Airforceones, sneakers, icedshoes, etc.

I'm sure some people can relate to encountering this at some point.

It's simply human nature the words that we use in our everyday experience will first pop into our heads when we are
considering passwords. That's why so many people use their pet's name, partner's names, children's names, birthdates,
street addresses, etc. Most people aren't very creative and use words and numbers that first come to mind.

We target that lack of creativity people fall back on to develop a specific wordlist for a specific company we're targeting.
This is what CeWL can do for us. CeWL is designed to scrape words from the company's website to create a wordlist

2 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

specific to that company that we can use to try and crack the password.

Before we continue it's important to note that sometimes this tool can take minutes or it can take hours so be patient
when running the commands and don't flip your lid if it doesn'st finish quickly.

In Kali VM:
cewl --help

3 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

We only want to create a wordlist with a minimum of 8 characters since this is the minimum amount needed for a
WPA/WPA2 password. Remember?!

4 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

cewl --with-numbers -w WORDLIST.txt -d 5 -m 8 WEBSITE

--with-numbers accepts words with numbers in it.

-w write the output to a file.
-d 5 means to crawl the website of a depth of 5 pages.
-m 8 means a minimum of an 8-character generated password

Once you have the WORDLIST.txt make sure it didn't go fucking nuts and make passwords longer than the 63 allowed
character limit for WPA/WPA2. This happened to me once and if I knew this at the time it wouldn've saved me a lot of time
so maybe it too can save you some time!

grep -E '^.{,63}$' WORDLIST.txt > Newlist.txt

CUPP
Common User Passwords Profiler (CUPP) is a great tool when generating passwords for a specific target in mind whether
that's a business or an individual. A good example of how this tool can be of use is say you're targeting a person named
"Lucia" who has a birthdate of 05/22/2003 then they could have created a password such as "Lucia05222003". Right?
Don't leave any stone unturned when launching your attacks. Maximize success!

I recommend in changing the number range in the CUPP config file range to reflect different years when targeting year
2000, 2010, up to 2023 or whatever. On line 46 and 47 I added the minimal year to maximum year I wanted to be added
to my password list. It's good to include a few older years up to the current one when making your list.

We can do this by doing the following.

In Kali VM:
sudo gedit /etc/cupp.cfg

5 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Next we need to tell CUPP to use a 8 character minimum and a 63 character maximum for our password list.
sudo gedit /etc/cupp.cfg

OK we have CUPP setup so let's let it rip and interact with it to create our wordlist. It'll ask some questions that will help
formulate a wordlist we can use against our target(s).

cupp -i

You can also use CUPP with an existing wordlist such as the one you produced using CeWL.
cupp -w WORDLIST.txt

You can download other wordlists for different languages if needed as well.

6 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

cupp -l

Attacking the Wi-Fi network users who know the password

OK if you've been hacking Wi-Fi networks or just learning how to hack them you'll soon realize that you're unable to hack
onto every Wi-Fi network you come across. This means you've tried attacking WEP & WPS, you've run the .cap file with
the WPA/WPA2 handshake against every wordlist in your arsenal, and you've used online dedicated services for cracking
WPA/WPA2 passwords, and still you're unable to crack the Wi-Fi password. There are times when you'll want and need
more networks or want to gain access to a certain network so you'll need to figure out how to get this shit done.

7 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Some people skip to using this method without trying to crack the WPA/WPA2 password because it works without going
through a brute force dictionary attack and taking more time then needed. I suggest starting off with passive attacks
before actively engaging your target. Think it over.

Remember, the closer you are to the target Wi-Fi network the better chance of success you'll have when launching these
attacks. You want to be the best and closet transmitting signal for this attack to properly work. This is very important. So
you're either in the same area as the network you're trying to hack with the better antennas OR you have a
directional/parabolic aimed directly at the target area. Again, your goal is to be the strongest transmitting powered source
around so people connect to you easily.

You will need (2) network cards capable of injection (Alfa network cards or similar) for this attack to work. As you've
learned from watching the videos in the Wi-Fi megaprimer you're able to setup your own access point and name it
whatever you'd like. If you're targeting "HOME-Wi-Fi" then you would set your rogue AP up to broadcast "HOME-Wi-Fi" as
well. One network card will be used to bring up your rogue AP and the other network card will be used to launch a Denial
of Service (DoS) attack against the real "HOME-Wi-Fi". The goal with the DoS attack is to overwhelm and take down the
real "HOME-Wi-Fi" preventing people from connecting to it while at the same time bringing up your rogue AP tricking
people into connecting to you instead. The victims will think they're connecting to their "HOME-Wi-Fi" network and not
realize they are indeed connected directly to you!

When you DoS the Wi-Fi network this will bring down the real "HOME-Wi-Fi" network and will knock everyone offline
who's connected to it. The people connected to the "HOME-Wi-Fi" network would eventually notice they do not have
internet connection anymore and have been knocked off their Wi-Fi. Wouldn't you notice this? What do you do when you
don't have a Wi-Fi connection on your home network? How would you trouble shoot it? In this type of Wi-Fi attack we're
targeting the people and not anything to do with technology per se and is known as an EvilTwin attack. We're using social
engineering 101 against the Wi-Fi network owners who know the password that we want.

The "average" user is capable of knowing when they do not have a Wi-Fi connection and are capable of trouble shooting
a little bit to the best of their ability. They will click and search for their Wi-Fi network or at least troubleshoot a little bit.
The goal with an EvilTwin attack is the only Wi-Fi network the people will be able to connect to will be your EvilTwin
network which has the same name as theirs. The only difference is it will be open and unencrypted.

The reality is if they want Internet they will end up connecting to your rogue access point. Maybe they don't right away but
most users are not that bright, impulsive, and impatient. Most "average" users get frustrated and go through the process
even if they have doubts. The average user will connect to the network and even if they take the time to call their Internet
Service Provider (ISP) their ISP will tell them their internet is working fine. Which it is. Seeing that it's their router that's the
problem they will advise to contact their router manufacturer or connect to the new open network that has the same name
to see if that works. Almost all of the time the tech will tell them to logon to the open network to troubleshoot the

8 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

connection. I've experienced this professionally when dealing with companies/employees during a wireless network
assessment.

The EvilTwin attack in the old days would require so many lines of syntax setting up the AP properly, trouble shooting,
and all this shit but since people have modernized these attacks and created programs to automate the process we'll use
an automated tool as well. This is the most effective way to obtain the Wi-Fi password after password cracking has failed
you.

Not every Wi-Fi routers will be vulnerable to a DoS attack. In fact, some modern day Wi-Fi
routers have anti-DoS technologies in place so keep that in mind as these techniques may not
always work %100!

Click HERE if you're using the AWUS036NH network card.

Click HERE if you're using the AWUS036NHA network card.

Click HERE if you're using the AWUS036ACH network card.

9 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

10 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

AWUS036NH and AWUS036NHA network card maniacs these are your instructions for madness.

Common problems people encounter

Make sure the proper VM USB settings are for the card you're using or it will not function
properly!

AWUS036NH uses USB 3.0

AWUS036NHA uses USB 2.0

When testing everything out it's advisable to use either your other mobile devices or another computer to

11 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

connect to the EvilTwin. This way you can see how everything works and understand what your victims will
be presented and the actions they will need to perform.

When you have used a device to test everything out that connected to your EvilTwin ensure you Forget that
network on that device before testing it again or it'll fuck up. Obviously your targets wouldn't have to do
this but when testing it yourself you do. Always try and start everything "fresh" instead of launching it
against yourself 9000 times wondering why it only worked once.

Tools we will be using:

wifiphisher
airgeddon
wifipumpkin3

Each tool is different as you'll come to see.

The first tool we're going to use is called wifiphisher

"Wifiphisher is a rogue Access Point framework for conducting red team engagements or Wi-Fi security testing.
Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by
performing targeted Wi-Fi association attacks. Wifiphisher can be further used to mount victim-customized web
phishing attacks against the connected clients in order to capture credentials (e.g. from third party login pages
or WPA/WPA2 Pre-Shared Keys) or infect the victim stations with malwares".

The 4-way handshake is not required with this tool which makes it super easy to launch. The down fall is you'll
have to rely on your victims entering the password correctly since we do not have a handshake.cap file to
compare the entered password to. If possible always try to obtain a 4-way handshake .cap file!

Running "sudo airmon-ng check kill" should be used every time you launch Wi-Fi attacks to
ensure there is no other applications that will interfere with our attacks. Good habit to do this
every time you plan on hacking a Wi-Fi network.

12 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Make sure you have (2) wireless network cards (Alfa or otherwise) plugged into your Kali VM.
Using Terminal in Kali:
sudo airmon-ng check kill
sudo wifiphisher

Warning!
Sometimes the Wi-Fi cards will display 0% PWR for the Wi-Fi networks around you as seen in
the screenshot below.

Unfortunately, this is a bug with some Alfa cards using this specific tool so you'll need to ignore that shit.

The best Wi-Fi networks to focus your efforts on are the ones that are the closet to you. Use your host machine
to check the Wi-Fi networks around you to target the ones with the best connection strength. This makes sense
of course?

You can also use other techniques discussed in Chapter 7 - Locating the Access Point (AP) to hone in on the
network you're after by using directional antennas and wanting to specifically target a network (across the street,

13 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

unit below you, store across the way, etc.).

Reminder, the AWUS036ACH Alfa network card does not work with wifiphisher so don't use it. There is an issue
with the rtl8812au drivers used for that specific card and that tool.

Let wifiphisher scan the air for a couple of minutes to gain all the information possible. When you're ready select
the Wi-Fi network you plan on targeting. It's best to target Wi-Fi networks with the best signal strength and that
have clients connected to it to maximise all the attacks.

We target best signal strength for obvious reasons as these Wi-Fi networks are the closet to you. A good idea is
to use your own laptops Wi-Fi card or iPhone/mobile device to see which have the best signal strength as these
are the closet to you. The Alfa Wi-Fi cards might show a better signal strength for some networks when in fact
your laptop Wi-Fi network card can't connect to them. The closer the Wi-Fi access point you're targeting is to you
the better.

14 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Once you've selected the targeted Wi-Fi network select "Firmware Upgrade Page".

15 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Next wifiphisher will de-authenticate everyone connected to the targeted network.

16 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Wait 1-3 minutes before checking the Wi-Fi network you've targeted to see if your attacks are working. After a
few minutes you should notice the real Wi-Fi network is offline and you've cloned the Wi-Fi network name with an
open Wi-Fi network for victims to connect. This is where we rely on the people that know the Wi-Fi password of
the Wi-Fi network you're targeting to connect to the open Wi-Fi of their Wi-Fi network name and enter the Wi-Fi
credentials.

I suggest using this attack against your own Wi-Fi network to see exactly how your victim will be prompted with
this attack.

This is what is prompted to the people when they're tricked into connecting to your EvilTwin.

17 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Once they've entered the Wi-Fi password it will be displayed in the terminal window where wifiphisher is running
and the victims will be presented with an update screen. You'll want to take this attack down within 1-2 minutes
after capturing the password if wifiphisher doesn't automatically to avoid raising suspicion.

18 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

19 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

It's important to check your terminal screen that wifiphisher is running in and to PAY ATTENTION to who
connects to your rogue Wi-Fi network because you do not want to take down the target Wi-Fi network all day and
have them call their ISP. You want them to connect, enter the credentials, and then you want to shut down your
attack which will bring up their Wi-Fi network again. Wifiphisher is supposed to do this automatically but if it
doesn't ensure you CTRL+Z it. Timing is key here not to raise suspicion but honestly this depends on whom
you're targeting. Don't launch your attack in the morning and then leave it running all day/night because that will
be a problem, potentially.

Either way do what you think is best but understand by taking their Wi-Fi network down all day will draw

20 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

unwanted attention. Maybe yes, maybe no.

You can obvious change the default html files wifiphisher uses and just replace the "Netgear" files with the
router you're targeting and images. Learn a little html and go through the source code of wifiphisher to find the
html files of the example used. Easy to edit.

If you're looking to use your own custom phishing pages then you would type:
sudo wifiphisher -pPD path_to_your_web_files

The second tool we're going to use is called airgeddon

airgeddon will require a 4-way WPA/WPA2 handshake .cap file so it can compare the captured credentials to that
of the .cap file to ensure the password is correct! This tool will allow you to capture the 4-way WPA/WPA2
handshake and then launch an EvilTwin attack against that Wi-Fi network. Very easy to setup and launch.

Make sure your host computer is connected to a network and make sure you have (2) wireless network cards
(Alfa or otherwise) plugged into your Kali VM.

Running "sudo airmon-ng check kill" should be used every time you launch Wi-Fi attacks to
ensure there is no other applications that will interfere with our attacks. Good habit to do this
every time you plan on hacking a Wi-Fi network.

21 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Using Terminal in Kali:

sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airmon-ng start wlan1

If you're using Kali in a VM your interfaces will be wlan0 and wlan1 respectively. If not change them accordingly!

cd airgeddon
sudo bash airgeddon.sh

Running this for the first time will require you to download the requirements. Let it run through the auto-installation going
through the prompts then select one of the Wi-Fi cards you have plugged in.

You will then be prompted with the screen as seen below.

22 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Select "7" for the Evil Twin attacks menu and you'll be presented the Menu below.

Select "9" for the Evil Twin AP attack with captive portal (monitor mode needed)" then hit "ENTER" twice on your
keyboard.

23 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

This will open another window so don't click anywhere, be patient. It's best to only let it collect the APs around you for 5 -
10 seconds or whenever you see the Wi-Fi network you're after.

When you're satisfied with the networks collected hold "CTRL" on your keyboard and hit the letter "C". It will now prompt
you to enter the targeted network so look through the list to find the one you're after and enter the corresponding number
for it.

You will now be taken to the DoS menu. In the top of the screen you'll notice the BSSID and other information is now filled
out with the target network.

We will DoS the target Wi-Fi network router by selecting "1" for the Deauth / disassoc amok mdk4 attack and enable "DoS
pursuit mode" by hitting "Y".

24 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Go through the prompts and let the tool launch as seen below.

Go through all the self-explanatory prompts and when you're ready you can finally launch your EvilTwin!

This will open (5) separate windows so don't click anywhere, just be patient. Once all (5) windows are opened your
EvilTwin is up and running. Once someone has connected to your EvilTwin and successfully entered the right password
(4) windows will close with one remaining window staying open showing you the captured credentials.

Once it has successfully captured the WPA/WPA2 hadnshake it will notify you. Hit "ENTER" on your keyboard.

25 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Airgeddon will automatically disable the Fake AP once you've successfully captured the credentials and shut everything
down.

You'll notice when you connect to your EvilTwin it prompts you with a captive portal. You can change what is prompted
and specifically design it for your targets (router information, etc.) by going through the airgeddon source code. Push
yourself to learn the basics because all you need to do is search for "Enter your wireless network password to get internet
access" through airgeddon source code and change it as desired. Easyyyyyyy and not rocket science.

Remember, you just need to know the basics of programming so you can alter things to your liking. No need to re-invent
the wheel.

The last tool we're going to use is called wifipumpkin3

"wifipumpkin3 is powerful framework for rogue access point attack, written in Python, that allow and offer to security

26 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

researchers, red teamers and reverse engineers to mount a wireless network to conduct a man-in-the-middle attack."

This tool is the best, in my opinion, and the easiest when setting up an EvilTwin attack, targeting the people around you
with Wi-Fi phishing attacks or delivering malware. It has many functions and I highly suggest you tinker around with this
tool but for now we're going to focus on EvilTwin Wi-Fi attacks. You'll learn more about how to use this tool to deliver your
malware to the people around with network and specific Wi-Fi attacks in the next course.

We're going to use a basic example for you to see how this tool functions and what's displayed to your victims. I'm going
to use this basic example for a reason so you can play around with it yourself but if you're looking for more information on
how to create your own captive portals place refer to ACT II - Chapter 11.

As always make sure you have your Alfa network cards plugged in and attached to your Kali VM before launching this
tool.

Running "sudo airmon-ng check kill" should be used every time you launch Wi-Fi attacks to
ensure there is no other applications that will interfere with our attacks. Good habit to do this
every time you plan on hacking a Wi-Fi network.

Using Terminal in Kali:

sudo airmon-ng check kill
sudo wifipumpkin3
sudo wifipumpkin3 -i INTERFACE
Example: sudo wifipumpkin3 -i wlan0

ap

We can see the default SSID for the AP is called "WiFi Pumpkin 3". We can change this to whatever we feel like with the

27 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

"set ssid" command and for this example we'll name our Access Point (AP) "TESTING".

set ssid TESTING

proxies

There are many different proxies we can utilize when using this tool but we're going to create a captive portal for fuck
faces to connect to our AP in an attempt to gleam some credentials. We'll be using the "captiveflask" proxy to create a
captiveportal.

ignore pydns_server
set plugin sniffkin3 false
set proxy captiveflask

28 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

proxies

We are now using the "captiveflask" proxy and you can see there is different Captive Portal plugins to choose from. For
now we'll leave it on the default DarkLogin setting so you can see what it's all about. Alright so now get your phone or
other laptop/computer and turn off the Wi-Fi so it's easier to see the new AP you're about to create.

start

29 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

I removed a bunch of stuff from the screenshot above so yours will look a little different but will end in the same way.
Once you see "Running on http://0.0.0.0:80/" then your fake AP is up and running. It's party time. Grab your phone or
computer and turn the Wi-Fi back on and search for "TESTING". Once you find the Wi-Fi network "TESTING" go ahead
and connect to it to see what your presented on that device. When you get the captive portal screen enter USERNAME
for the username and PASSWORD for the password then click "SIGN IN" while keeping your eyes on the wifipumpkin3
console to see the credentials on the screen.

Let's shutdown our attack for now.

stop

30 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Remember, if your testing this multiple times be sure to Forget the network on your device
used for testing and re-launch wifipumpkin3 before testing it against yourself again or you'll
encounter issues.

Also, each device will react differently to your fake AP so test it out on every device you have
lying around to understand the pros and cons of this tool. Nothing is perfect.

The point of this example was for you to see how you're able to create an Access Point (AP) of you're choosing, create a
captive portal that automatically opens up when someone connects to it, and to see how you're able to capture the data
entered on the captive portal website. So now that you know how to do it I'm sure you're mind is wandering like crazy with
potential attacks vectors you can add to make this even more wicked and more professional. The possibilities are endless
since you can create a "Free Wi-Fi" hotspot with a Facebook OAUTH login webpage to capture FB credentials, phishing
for credit cards with a paywall website, or deliver malware to your target(s).

If you were at a coffee shop and connected to "Free-Wi-Fi" and were presented the captive portal below with the coffee
shop logo somewhere on it would you feel good? Does it look legitimate? How many people fall for this? How many
credentials can we gather this way? Hmmmmm....Interesting times :)

31 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

I wanted you to see the basics before we push forward. Here's a real life scenario. Let's go.

You have determined you want access to a specific Wi-Fi network in your area but you're unable to crack the WPA/WPA2
password. This happens a lot right? When that happens we then switch tactics to perform a Denial of Service (Dos) attack
on the target Wi-Fi router to bring it offline and make it unavailable for people to connect to it. Once someone's Wi-Fi
network goes down most people will try to search for their network manually to see what the fuck is going on. Once we've
brought the target Wi-Fi router down then use wifipumpkin3 to bring up an AP with the same name as the target router
waiting for the owners/people to connect to it. It will be an open Wi-Fi network but the point is they'll recognize their Wi-Fi
network is down and go searching for it manually then they'll see the their "own network" and most likely connect to it. You
would do this too let's get serious. When that happens a captive portal designed by you will be presented to them and
depending on how you've set it all up you should be able to social engineer their WPA/WPA2 password. Excellent.

32 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

You will need (2) Alfa network cards to continue as one Alfa card will be dedicated to DoSing
the Wi-Fi router whereas the other one will be used to spawn the fake AP.

Router DoS
It's best to target your own best to target your own Wi-Fi router to determine if the following techniques are capable of
taking down your own router. Again, test everything out on yourself so you get the feel for it all and you're sure your shits
working as expected. Personally, I found most of the time my attacks were successful against individual homes to small
business type of networks. As long as I was close enough to the target Wi-Fi network (store, house, building, etc.) or I
was using proper antenna facing it towards my target(s) of interest I had good success knocking the routers offline. Try it
on yourself and then on your neighbours! They won't notice you knocked their Wi-Fi out for 5 minutes :) Test things out
before launching them against others in the wild don't be a fucking lemming!

For the example below we'll be targeting a Wi-Fi network called "Deadzone" and my Alfa network card is wlan0.

Running "sudo airmon-ng check kill" should be used every time you launch Wi-Fi attacks to
ensure there is no other applications that will interfere with our attacks. Good habit to do this
every time you plan on hacking a Wi-Fi network.

Using Terminal in Kali:

sudo airmon-ng check kill
sudo airmon-ng start INTERFACE
Example: sudo airmon-ng start wlan1

Now we want to search for the Wi-Fi network we want to target and obtain the BSSID.

sudo airodump-ng INTERFACE

33 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Once you have found the BSSID of your target you can hold "CTRL" and hit the letter "C" on your keyboard.

As you can see in the screenshot above the DeadZone Wi-Fi network has a BSSID of "E8:FC:AF:8C:3E:68". Now we
have the information we need to knock the router offline.

I now would launch a DoS attack against the router and attempt to de-authenticate everyone connected to that network
kicking them off the network and preventing anyone from joining it again. Most personal home routers won't be able to
withstand this type of attack for too long but there's so many routers out there so you'll figure it out. When you launch the
DoS attack wait at least 3-5 minutes before launching your fake AP with wifipumpkin3 to ensure the target Wi-Fi network
is down. Eventually someone will notice their Wi-Fi network is down persuading them to connect to your fake AP and
when they do they'll be presented with your captive portal page. Of course you can design this page to phish their
credentials for XYZ or deliver malware to their faces.

We take down Wi-Fi routers using a combination of techniques with one being De-Authenticating the whole network to

34 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

take the router offline or prevent anyone from joining it. If you went through the SecurityTube Wi-Fi megaprimer then you
should remember the data frames and management frames.

Click for SecurityTube Wi-Fi Megaprimer Videos

A little refresher is the Wi-Fi network uses the 2.4GHz and 5GHz frequency band of the radio spectrum and anyone in
close proximity with the proper Wi-Fi hardware can eavesdrop or transmit malicious packets on these bands. In today's
Wi-Fi day and age the data frames travelling through the air are usually encrypted. However, management frames cannot
be encrypted since these frames must be heard and understood by all clients which includes (de) authentication, (de)
association, beacons and probes. Because of that we can spoof those Wi-Fi packets and send de-authentication packets
to continuously disconnect a client device from a Wi-Fi network.

DoSing a router can take 3-5 minutes or longer depending on the router make and model.
When testing this out against your own home router see how long it takes to knock yours
offline.

Some may seem their router go completely offline whereas others might still see they can
connect to their Wi-Fi network but when you try to do so you'll be unable to.

In a fresh Terminal in Kali:

sudo mdk4 INTERFACE a -a E8:FC:AF:8C:3E:68
sudo aireplay-ng --deauth 0 -a E8:FC:AF:8C:3E:68 INTERFACE
Examples:
sudo mdk4 wlan1 a -a E8:FC:AF:8C:3E:68
sudo aireplay-ng --deauth 0 -a E8:FC:AF:8C:3E:68 wlan1

Some people will see that their router is no longer available to connect to whereas others might still see their router online
but not be able to connect to it. It will all depend on what type of router you're targeting. Even if you see your Wi-Fi
network available to connect to you will be unable to actually connect to it. Now you can bring up your fake AP using
wifipumpkin3 with your other Wi-Fi network card, wait patiently for the people to connect, and let them fall right into your
devilish trap.

These are the methods used to obtain the WPA/WPA2 password when all other avenues have failed you!

35 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

If you're wanting to know more about how to customize your own captive portals please check out ACT II - Chapter 11. It's
highly advisable to learn a little HTML so you can customize your phishing/malware pages yourself and tailor them for
your target(s). You truly do not need to know HTML in and out so tackle the basics and begin create your own malicious
pages! Set a few hours aside to educate yourself for fucks sake!

For now let's continue on with this course as it's best not to overwhelm yourself when learning this all for the first time.

Click here to continue to Chapter 6

36 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

AWUS036ACH network card owners these are your instructions for chaos.

Common problems

37 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Make sure you have the proper settings for the card you're using or it will not function properly!

AWUS036ACH uses USB 3.0

When testing everything out it's advisable to use either your other mobile devices or another computer to
connect to the EvilTwin. This way you can see how everything works and understand what your victims will
be presented and the actions they will need to perform.

When you have used a device to test everything out that connected to your EvilTwin ensure you Forget that
network on that device before testing it again or it'll fuck up. Obviously your targets wouldn't have to do
this but when testing it yourself you do.

Always try and start everything "fresh" instead of launching it against yourself 9000 times wondering why
it only worked once.

Tools we will be using:

airgeddon
wifipumpkin3

The first tool we're going to use is called airgeddon

airgeddon will require a 4-way WPA/WPA2 handshake .cap file so it can compare the captured credentials to that of the
.cap file to ensure the password is correct! This tool will allow you to capture the 4-way WPA/WPA2 handshake and then
launch an EvilTwin attack against that Wi-Fi network. Very easy to setup and launch.

Make sure your host computer is connected to a network and make sure you have (2) wireless network cards (Alfa or
otherwise) plugged into your Kali VM.

38 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Running "sudo airmon-ng check kill" should be used every time you launch Wi-Fi attacks to
ensure there is no other applications that will interfere with our attacks. Good habit to do this
every time you plan on hacking a Wi-Fi network.

Using Terminal in Kali:

sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airmon-ng start wlan1

If you're using Kali in a VM your interfaces will be wlan0 and wlan1 respectively. If not change them accordingly!

cd airgeddon
sudo bash airgeddon.sh

Running this for the first time will require you to download the requirements. Let it run through the auto-installation going
through the prompts then select one of the Wi-Fi cards you have plugged in.

You will then be prompted with the screen as seen below.

39 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Select "7" for the Evil Twin attacks menu and you'll be presented the Menu below.

40 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Select "9" for the Evil Twin AP attack with captive portal (monitor mode needed)" then hit "ENTER" twice on your
keyboard.

41 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

This will open another window so don't click anywhere, just be patient. It's best to only let it collect the APs around you for
5 - 10 seconds or whenever you see the Wi-Fi network you're after.

When you're satisifed with the networks collected hold "CTRL" on your keyboard and hit the letter "C". It will now prompt
you to enter the targeted network so look through the list to find the one you're after and enter the corresponding number
for it.

You will now be taken to the DoS menu. In the top of the screen you'll notice the BSSID and other information is now filled
out with the target network.

We will DoS the target Wi-Fi network router by selecting "1" for the Deauth / disassoc amok mdk4 attack and enable "DoS

42 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

pursuit mode" by hitting "Y".

Go through the prompts and let the tool launch as seen below.

Go through all the self-explanatory prompts and when ready finally launch your EvilTwin!

This will open 5 separate windows so don't click anywhere. Once all (5) windows are opened yout EvilTwin is successfully
launching. Once someone has connected to your EvilTwin and successfully entered the right password (4) windows will
close with one remaining showing you the captured credentials.

43 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Once it has successfully captured the WPA/WPA2 handshake it will notify you. Hit "ENTER" on your keyboard.

Airgeddon will automatically disable the Fake AP once you've successfully captured the credentials and shut everything
down.

You'll notice when you connect to your EvilTwin it prompts you with a captive portal. You can change what is prompted
and specifically design it for your targets (router information, etc.) by going through the airgeddon source code. Push
yourself to learn the basics because all you need to do is search for "Enter your wireless network password to get internet
access" through airgeddon source code and change it as desired. Easyyyyyyy and not rocket science.

Remember, you just need to know the basics of programming so you can alter things to your liking. No need to re-invent
the wheel.

The second tool we're going to use is called wifipumpkin3

"wifipumpkin3 is powerful framework for rogue access point attack, written in Python, that allow and offer to security
researchers, red teamers and reverse engineers to mount a wireless network to conduct a man-in-the-middle attack."

44 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

This tool is the best, in my opinion, and the easiest when setting up an EvilTwin attack, targeting the people around you
with Wi-Fi phishing attacks or delivering malware. It has many functions and I highly suggest you tinker around with this
tool but for now we're going to focus on EvilTwin Wi-Fi attacks. You'll learn more about how to use this tool to deliver your
malware to the people around with network and specific Wi-Fi attacks in the next course.

We're going to use a basic example for you to see how this tool functions and what's displayed to your victims. I'm going
to use this basic example for a reason so you can play around with it yourself but if you're looking for more information on
how to create your own captive portals place refer to ACT II - Chapter 11.

As always make sure you have your Alfa network cards plugged in and attached to your Kali VM before launching this
tool.

Running "sudo airmon-ng check kill" should be used every time you launch Wi-Fi attacks to
ensure there is no other applications that will interfere with our attacks. Good habit to do this
every time you plan on hacking a Wi-Fi network.

Using Terminal in Kali:

sudo airmon-ng check kill
sudo wifipumpkin3 -i INTERFACE
Example: sudo wifipumpkin3 -i wlan0

ap

We can see the default SSID for the AP is called "WiFi Pumpkin 3". We can change this to whatever we feel like with the
"set ssid" command and for this example we'll name our Access Point (AP) "TESTING".

45 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

set ssid TESTING

proxies

There are many different proxies we can utilize when using this tool but we're going to create a captive portal for fuck
faces to connect to our AP in an attempt to gleam some credentials. We'll be using the "captiveflask" proxy to create a
captive portal.

ignore pydns_server
set plugin sniffkin3 false
set proxy captiveflask
proxies

46 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

We are now using the "captiveflask" proxy and you can see there is different Captive Portal plugins to choose from. For
now we'll leave it on the default DarkLogin setting so you can see what it's all about. Alright so now get your phone or
other laptop/computer and turn off the Wi-Fi so it's easier to see the new AP you're about to create.

start

47 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

I removed a bunch of stuff from the screenshot above so yours will look a little different but will end in the same way.
Once you see "Running on http://0.0.0.0:80/" then your fake AP is up and running. It's party time. Grab your phone or
computer and turn the Wi-Fi back on and search for "TESTING". Once you find the Wi-Fi network "TESTING" go ahead
and connect to it to see what your presented on that device. When you get the captive portal screen enter USERNAME
for the username and PASSWORD for the password then click "SIGN IN" while keeping your eyes on the wifipumpkin3
console to see the credentials on the screen.

Let's shutdown our attack for now.

stop

48 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Remember, if your testing this multiple times be sure to Forget the network on your device
used for testing and re-launch wifipumpkin3 before testing it against yourself again or you'll
encounter issues.

Also, each device will react differently to your fake AP so test it out on every device you have
lying around to understand the pros and cons of this tool. Nothing is perfect.

The point of this example was for you to see how you're able to create an Access Point (AP) of you're choosing, create a
captive portal that automatically opens up when someone connects to it, and to see how you're able to capture the data
entered on the captive portal website. So now that you know how to do it I'm sure you're mind is wandering like crazy with
potential attacks vectors you can add to make this even more wicked and more professional. The possibilities are endless
since you can create a "Free Wi-Fi" hotspot with a Facebook OAUTH login webpage to capture FB credentials, phishing
for credit cards with a paywall website, or deliver malware to your target(s).

If you were at a coffee shop and connected to "Free-Wi-Fi" and were presented the captive portal below with the coffee
shop logo somewhere on it would you feel good? Does it look legitimate? How many people fall for this? How many
credentials can we gather this way? Hmmmmm....Interesting times :)

49 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

I wanted you to see the basics before we push forward. Here's a real life scenario. Let's go.

You have determined you want access to a specific Wi-Fi network in your area but you're unable to crack the WPA/WPA2
password. This happens a lot right? When that happens we then switch tactics to perform a Denial of Service (Dos) attack
on the target Wi-Fi router to bring it offline and make it unavailable for people to connect to it. Once someone's Wi-Fi
network goes down most people will try to search for their network manually to see what the fuck is going on. Once we've
brought the target Wi-Fi router down then use wifipumpkin3 to bring up an AP with the same name as the target router
waiting for the owners/people to connect to it. It will be an open Wi-Fi network but the point is they'll recognize their Wi-Fi
network is down and go searching for it manually then they'll see the their "own network" and most likely connect to it. You
would do this too let's get serious. When that happens a captive portal designed by you will be presented to them and
depending on how you've set it all up you should be able to social engineer their WPA/WPA2 password. Excellent.

50 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

You will need (2) Alfa network cards to continue as one Alfa card will be dedicated to DoSing
the Wi-Fi router whereas the other one will be used to spawn the fake AP.

Router DoS
It's best to target your own best to target your own Wi-Fi router to determine if the following techniques are capable of
taking down your own router. Again, test everything out on yourself so you get the feel for it all and you're sure your shits
working as expected. Personally, I found most of the time my attacks were successful against individual homes to small
business type of networks. As long as I was close enough to the target Wi-Fi network (store, house, building, etc.) or I
was using proper antenna facing it towards my target(s) of interest I had good success knocking the routers offline. Try it
on yourself and then on your neighbours! They won't notice you knocked their Wi-Fi out for 5 minutes :) Test things out
before launching them against others in the wild don't be a fucking lemming!

For the example below we'll be targeting a Wi-Fi network called "Deadzone" and my Alfa network card is wlan0.

Running "sudo airmon-ng check kill" should be used every time you launch Wi-Fi attacks to
ensure there is no other applications that will interfere with our attacks. Good habit to do this
every time you plan on hacking a Wi-Fi network.

Using Terminal in Kali:

sudo airmon-ng check kill
sudo airmon-ng start INTERFACE
Example: sudo airmon-ng start wlan1

Now we want to search for the Wi-Fi network we want to target and obtain the BSSID.

sudo airodump-ng INTERFACE

51 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

Once you have found the BSSID of your target you can hold "CTRL" and hit the letter "C" on your keyboard.

As you can see in the screenshot above the DeadZone Wi-Fi network has a BSSID of "E8:FC:AF:8C:3E:68" and is on
channel 1. Now we have the information we need to knock the router offline.

First let's make sure our wireless card is on the same channel as our target.

sudo airmon-ng start INTERFACE CHANNEL

Example: sudo airmon-ng start wlan0 1

I now would launch a DoS attack against the router and attempt to de-authenticate everyone connected to that network
kicking them off the network and preventing anyone from joining it again. Most personal home routers won't be able to
withstand this type of attack for too long but there's so many routers out there so you'll figure it out. When you launch the
DoS attack wait at least 3-5 minutes before launching your fake AP with wifipumpkin3 to ensure the target Wi-Fi network

52 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

is down. Eventually someone will notice their Wi-Fi network is down persuading them to connect to your fake AP and
when they do they'll be presented with your captive portal page. Of course you can design this page to phish their
credentials for XYZ or deliver malware to their faces.

We take down Wi-Fi routers using a combination of techniques with one being De-Authenticating the whole network to
take the router offline or prevent anyone from joining it. If you went through the SecurityTube Wi-Fi megaprimer then you
should remember the data frames and management frames.

Click for SecurityTube Wi-Fi Megaprimer Videos

A little refresher is the Wi-Fi network uses the 2.4GHz and 5GHz frequency band of the radio spectrum and anyone in
close proximity with the proper Wi-Fi hardware can eavesdrop or transmit malicious packets on these bands. In today's
Wi-Fi day and age the data frames travelling through the air are usually encrypted. However, management frames cannot
be encrypted since these frames must be heard and understood by all clients which includes (de) authentication, (de)
association, beacons and probes. Because of that we can spoof those Wi-Fi packets and send de-authentication packets
to continuously disconnect a client device from a Wi-Fi network.

DoSing a router can take 3-5 minutes or longer depending on the router make and model.
When testing this out against your own home router see how long it takes to knock yours
offline.

Some may seem their router go completely offline whereas others might still see they can
connect to their Wi-Fi network but when you try to do so you'll be unable to.

In a fresh Terminal in Kali:

sudo mdk4 INTERFACE a -a E8:FC:AF:8C:3E:68
sudo aireplay-ng --deauth 0 -a E8:FC:AF:8C:3E:68 INTERFACE
Examples:
sudo mdk4 wlan1 a -a E8:FC:AF:8C:3E:68
sudo aireplay-ng --deauth 0 -a E8:FC:AF:8C:3E:68 wlan1

Once you notice the router is offline then you can bring up your fake AP using wifipumpkin3 with your other Wi-Fi network
card, wait patiently for the people to connect, and let them fall right into your devilish trap.

53 of 54 12/11/23, 23:48
/ HackTown http://hacktowns3sba2xavxecm23aoocvzciaxirh3vekg2ovzdjgjxedfvqd.onion/misc.php?action=ACTI-5

You can use multiple Alfa cards to DoS the router if need be. Some routers will go offline or
not allow anyone to connect to them whereas others may need more than (1) Alfa card to
bring them down. Try it on your own router to see what happens to yours!

Remember to wait 3-5 minutes before seeing if your router is offline. If you still see it when
looking for Wi-Fi networks you shouldn't be able to connect to it.

These are the methods used to obtain the WPA/WPA2 password when all other avenues have failed you! Modern routers
offer the newer standard of 802.11w or WPA3 which will mitigate any DoS attacks (specifically deauth attacks).

In the wild DoSing a router works %75 of the time I'd say.

If you're wanting to know more about how to customize your own captive portals please check out ACT II - Chapter 11. It's
highly advisable to learn a little HTML so you can customize your phishing/malware pages yourself and tailor them for
your target(s). You truly do not need to know HTML in and out so tackle the basics and begin create your own malicious
pages! Set a few hours aside to educate yourself for fucks sake!

For now let's continue on with this course as it's best not to overwhelm yourself when learning this all for the first time.

Click here to continue to Chapter 6

54 of 54 12/11/23, 23:48