How to effectively crack a WPA or WPA2 WiFi Passphrase

I have finally found an easy and clear way to crack a WPA or WPA2 WiFi Passphrase. This is the source


Active Attack

Passive attacks have the advantage of being undetectable, because they only listen to traffic from the target network. But if your target doesn't have a lot of traffic, you may wait a long time to capture the four-way handshake. Fortunately, you have the faster, but less stealthy, option of running an active attack.
Using the information we gathered with Kismet during the recon step, we can send associated client(s) of the target AP forged deauthentication packets, which should cause the client(s) to disassociate from the AP. We then listen for the reassociation and subsequent authentication.
After identifying our target AP with associated clients, we need to set up the wireless hardware for packet injection. The aircrack suite has a little bash script to do just that.
First bring down the managed VAP (Virtual Access Point) with:
airmon-ng stop ath0
Figure 2: Bringing down the managed interface
Next, start up a VAP in "Monitor" mode:
airmon-ng start wifi0
Figure 3: Creating a monitor mode interface
Now we need to simultaneously deauthenticate a client and capture the resulting reauthentication. Open up two terminal windows. Start airodump-ng in one terminal:
General Form:
airodump-ng -w capture_file_prefix --channel channel_number interface
Example:
airodump-ng -w cap --channel 6 ath0
Figure 4: airodump-ng, up and running
Note: You can find the interface that is in monitor mode with iwconfig.
Next, run the deauthentication attack with aireplay-ng in the other terminal:
General Form:
aireplay-ng --deauth 1 -a MAC_of_AP -c MAC_of_client interface
Example:
aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 -c 00:13:CE:21:54:14 ath0
Alternatively, you can specify only the AP's MAC (the interface argument is still required):
aireplay-ng --deauth 1 -a MAC_of_AP interface
Example:
aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 ath0

Figure 5: A successfully sent deauthentication packet
If all goes well, the client is deauthenticated from the AP and will usually reauthenticate. If remaining undetected is important, send only one deauth and be patient. This helps keep you under the radar, since programs like Kismet detect deauthentication floods.
If the deauthentication was successful, airodump-ng displays a notification of the captured reauthentication event (boxed in red in Figure 6).
Figure 6: Successful WPA handshake capture

Finding the Four-way Handshake

To make sure we captured an authentication handshake, we can use the network protocol analyzer Wireshark (formerly Ethereal). Wireshark lets us view packet contents and filter by packet type to pull out the WPA handshake.
Open up Wireshark (Backtrack > Privilege Escalation > Protocol Analysis > Network Sniffers > WireShark) and open the Kismet capture "dump" file (Kismet-.dump) to view all the captured packets. The WPA four-way handshake uses the Extensible Authentication Protocol over LAN (EAPoL).
Using Wireshark, we can filter the captured packets to display only EAPoL packets by entering "eapol" in the filter field (Figure 7).
Figure 7: EAPoL filter applied to captured packets
Here, we're basically looking for four packets that alternate source, client-AP-client-AP (I've highlighted them in red in Figure 7). 
Now that we've confirmed that we've captured a four-way handshake, it's time to perform the crack.
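The two things this walkthrough puts on the air, a burst of deauthentication frames and a client immediately re-running the four-message EAPoL exchange, are exactly what a wireless monitor looks for. The following is an added example from the monitoring side, not code from the original post or from the aircrack suite: it runs over a list of constructed 802.11 frame summaries (timestamp, frame kind, addresses; no pcap parsing), flags a source that sends five or more deauths inside a ten-second window (both numbers are assumed tuning), finds the four alternating-source EAPoL frames between a station pair the way the "eapol" Wireshark filter shows them, and correlates a handshake with a deauth aimed at that client shortly before it. All MAC addresses are made up, locally administered values.

```python
# Added example (not from the original post): a small detector for the two
# artefacts an active WPA handshake capture leaves on the air, written from the
# monitoring side. Input is a list of constructed 802.11 frame summaries such as
# a WIDS might extract from monitor-mode captures; there is no pcap parsing here.
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_FLOOD_THRESHOLD = 5   # assumed tuning: deauth frames from one source per window
WINDOW_SECONDS = 10.0        # assumed tuning: sliding window and correlation horizon


@dataclass(frozen=True)
class Frame:
    ts: float    # capture time in seconds
    kind: str    # "deauth" (management frame) or "eapol" (4-way handshake message)
    src: str
    dst: str
    bssid: str   # the AP's address for this infrastructure network


def detect_deauth_floods(frames, threshold=DEAUTH_FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """Flag a source the first time it sends `threshold` deauth frames within
    `window` seconds. A single deauth (the 'stay under the radar' variant in the
    text) never trips this check. Returns [(src, ts_of_threshold_frame), ...]."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for f in frames:
        if f.kind != "deauth":
            continue
        q = recent[f.src]
        q.append(f.ts)
        while f.ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and f.src not in flagged:
            flagged.add(f.src)
            alerts.append((f.src, f.ts))
    return alerts


def find_handshakes(frames):
    """Return [(client, ap, ts_first, ts_last), ...] for every run of four EAPOL
    frames between one station pair whose source alternates, the pattern the
    'eapol' Wireshark filter exposes. A repeated source in a row is treated as a
    retransmission of the previous message and ignored."""
    runs = {}
    found = []
    for f in frames:
        if f.kind != "eapol":
            continue
        pair = frozenset((f.src, f.dst))
        run = runs.setdefault(pair, [])
        if run and run[-1].src == f.src:
            continue
        run.append(f)
        if len(run) == 4:
            client = f.src if f.src != f.bssid else f.dst
            found.append((client, f.bssid, run[0].ts, run[-1].ts))
            run.clear()
    return found


def correlate_forced_reauth(frames, window=WINDOW_SECONDS):
    """Pair each completed handshake with an earlier deauth aimed at that client
    (or at broadcast) on the same BSSID within `window` seconds. This catches the
    one-deauth-then-reauth sequence even when no flood threshold is reached."""
    deauths = [f for f in frames if f.kind == "deauth"]
    hits = []
    for client, ap, t0, t1 in find_handshakes(frames):
        for d in deauths:
            if d.bssid == ap and d.dst in (client, BROADCAST) and 0 <= t0 - d.ts <= window:
                hits.append((client, ap, d.ts, t1))
                break
    return hits


# Constructed addresses (locally administered, not real devices).
AP, C1, C2, C3 = "02:aa:aa:aa:aa:01", "02:cc:cc:cc:cc:01", "02:cc:cc:cc:cc:02", "02:cc:cc:cc:cc:03"


def _deauth(ts, dst):
    return Frame(ts, "deauth", AP, dst, AP)   # source forged as the AP, as in the text


def _eapol(ts, src, dst):
    return Frame(ts, "eapol", src, dst, AP)


# Constructed capture in time order: a deauth flood to the broadcast address, C1
# reauthenticating (with message 1 retransmitted once), an unrelated normal
# handshake from C2 much later, then a single targeted deauth and C3 reauthenticating.
SAMPLE_FRAMES = (
    [_deauth(i / 10, BROADCAST) for i in range(8)]
    + [_eapol(1.0, AP, C1), _eapol(1.05, AP, C1), _eapol(1.1, C1, AP),
       _eapol(1.2, AP, C1), _eapol(1.3, C1, AP)]
    + [_eapol(30.0, AP, C2), _eapol(30.1, C2, AP), _eapol(30.2, AP, C2), _eapol(30.3, C2, AP)]
    + [_deauth(50.0, C3), _eapol(50.5, AP, C3), _eapol(50.6, C3, AP),
       _eapol(50.7, AP, C3), _eapol(50.8, C3, AP)]
)

if __name__ == "__main__":
    print("deauth floods:", detect_deauth_floods(SAMPLE_FRAMES))
    print("handshakes:", find_handshakes(SAMPLE_FRAMES))
    print("forced reauth:", correlate_forced_reauth(SAMPLE_FRAMES))
```

On the constructed capture the flood check fires once, at the fifth broadcast deauth, while the correlation check reports both C1 and C3 but not C2: the single targeted deauth that the text recommends for staying quiet is invisible to a pure rate threshold, which is why a monitor should also tie a deauth to the handshake that follows it.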

Dictionary Attack

Start a dictionary attack against a WPA key with the following:
General Form:
aircrack-ng -e AP_SSID -w dictionary_file capture_file
Example (BackTrack 5 R3):
aircrack-ng -e 9105GirardCh6 -w passwords2.txt Ch6-01.cap
Aircrack-ng shows the hex hashes of the keys as it tries them, which is nice since some attacks can take a long time. Figure 8 shows that Aircrack-ng took 3 minutes to find the test key "gilbert28", which had been added to the dictionary on purpose.
Figure 8: Aircrack-ng, Key Found!