

Step 1 – put the wireless adapter into monitor mode

Start by putting the wireless adapter into monitor mode (monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first). The adapter might then be referred to as something like wlan0mon. To confirm it is in monitor mode, use the command iwconfig and check the mode.

Step 2 – display the wifi access points in range

Initially set the password for the safe wifi access point to something like testtest or password, which can quickly be cracked.

Note – airodump-ng hops from channel to channel and shows all access points it can receive beacons from. The upper data block shows the access points found and the lower block shows the clients, including the network names (ESSIDs) each client has probed for.

Step 3 – capture the handshake and save it to a file called captfile

Consider changing directory to Documents so the captured handshake is saved there. This is sometimes easier using a separate terminal window.

Command: airodump-ng --bssid <bssid> -c 6 --write captfile wlan0mon

Copy and paste the appropriate details of the safe wifi access point (its BSSID and channel) into the command. Initially, the output will look like the following (screenshot not included here). Use the host wifi or another device to connect to the safe wifi access point. When airodump-ng captures a handshake, the top line changes.

Command: aircrack-ng -w dictionary_file -b <bssid> captfile-01.cap

If a single client handshake is captured use

Command: aircrack-ng captfile-01.cap -w dictionary_file

Note – dictionary_file is the name of the dictionary file. Try rockyou.txt from John the Ripper or a custom dictionary.

You can repeat the process from step 2 with a more complex password to show how much longer a better password takes to crack.

The PMKID attack was developed by Team Hashcat. In that attack the PMKID is captured directly and then cracked. Traditional handshake capture and brute-force methods wait for a client to de-authenticate and re-authenticate, while the PMKID attack does not.
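The reason a testtest password falls in seconds while a long random passphrase does not is the cost of the WPA2-PSK key derivation that aircrack-ng repeats for every dictionary candidate. The following is an added illustration, not code from the page: it derives the PMK the standard way (IEEE 802.11i PBKDF2-HMAC-SHA1, ESSID as salt, 4096 iterations) and estimates how long exhausting a dictionary or a random keyspace would take; the GPU rate and the rockyou line count are labelled assumptions.

```python
import hashlib
import time


def wpa2_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the WPA2-PSK Pairwise Master Key as the AP and supplicant do
    (IEEE 802.11i): PBKDF2-HMAC-SHA1, ESSID as salt, 4096 iterations, 32 bytes.
    Every dictionary candidate tried against a handshake costs one of these."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a random passphrase of the given length."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, pmk_per_second: float) -> float:
    """Worst-case time to try every candidate at a given PMK derivation rate."""
    return candidates / pmk_per_second


def measure_rate(essid: str, samples: int = 20) -> float:
    """Measure this machine's single-threaded PMK derivations per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i}", essid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H: "password" / ESSID "IEEE"
    print("PMK:", wpa2_pmk("password", "IEEE").hex())

    rate_cpu = measure_rate("IEEE")
    rate_gpu = 1_000_000.0   # ASSUMPTION: order-of-magnitude GPU rate, not measured
    rockyou = 14_344_392     # ASSUMPTION: approximate line count of rockyou.txt
    # Constructed comparison of a dictionary against random passphrases
    for label, n in [("rockyou-sized dictionary", rockyou),
                     ("8 lowercase letters", keyspace(26, 8)),
                     ("12 mixed-case + digits", keyspace(62, 12))]:
        print(f"{label:26s} {n:>24,d} candidates  "
              f"CPU {seconds_to_exhaust(n, rate_cpu) / 86400:.3g} days  "
              f"GPU {seconds_to_exhaust(n, rate_gpu) / 86400:.3g} days")
```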

