Anyone is welcome to correct me.
I have cracked my own home WEP & WPA Network.
Only PSK (Pre-Shared Keys) can be cracked.
- Deauth a client
- Capture 4 way handshake as he reconnects
- Download a good dictionary file (eg passwords.txt)
The handshake is salted with the ESSID, so you can use a tool like airolib-ng to build your own database from your passwords.txt file and your target's ESSID. In turn, instead of cracking at a rate of ~500 keys/sec we can get to well over 100,000 keys/sec, and up to 300,000/sec has been reported.
My PC does 1 million keys in about 5-10 seconds compared to an hour the normal way.
Bottom line, if the password isn't in the dictionary it just doesn't work.
With TKIP, it's my understanding you can only inject packets; I think it's 7 in total. But they could be malicious if someone was to be so devious. You cannot get a key from this.
Other methods?
What about Rogue AP? Setting up a fake access point to imitate the target's own; once they enter the key it gets passed in clear text because it's not encrypted in any way.
I haven't tried this yet, but it looks promising: Cracking WPA Without a Dictionary
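As an added illustration of the ESSID-salting point in the post above (this is example code, not part of the original post or of airolib-ng), the WPA/WPA2 pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, 4096 iterations, 32 bytes. The same passphrase produces a different PMK on every network name, which is why a precomputed table only helps against networks whose SSID it was built for, and why a unique SSID plus a long non-dictionary passphrase is the defence. The wordlist and SSIDs below are constructed sample values.

```python
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PMK (the PSK) from a passphrase.

    Per IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID,
    4096 iterations, 32 bytes). Because the ESSID is the salt, the 4096
    HMAC rounds must be repeated for every SSID, not just every word.
    Annex H test vector: wpa_pmk("password", "IEEE") ==
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    return wpa_pmk(passphrase, ssid).hex()


def precomputed_table(wordlist, ssid: str) -> dict:
    """What an airolib-ng style precomputation stores: {PMK: word} for ONE ESSID.

    The expensive PBKDF2 work is done once here; a later lookup is a hash-table
    probe. The table is worthless for any other SSID (different salt).
    """
    return {wpa_pmk(word, ssid): word for word in wordlist}


def table_hits(table: dict, passphrase: str, ssid: str) -> bool:
    """True only if the table was built for this ESSID and contains the word."""
    return wpa_pmk(passphrase, ssid) in table


# Constructed three-word sample list, standing in for passwords.txt
WORDLIST = ["password", "letmein", "12345678"]

if __name__ == "__main__":
    print(pmk_hex("password", "IEEE"))
    table = precomputed_table(WORDLIST, "linksys")
    # Same weak passphrase: found on the SSID the table targets,
    # not found on a network with a unique SSID.
    print(table_hits(table, "password", "linksys"))         # True
    print(table_hits(table, "password", "my-unique-ssid"))  # False
```

The takeaway for a network owner is that the SSID change alone only defeats precomputed tables; a passphrase that is not in any wordlist is what defeats the per-SSID dictionary run as well.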