In this demonstration I am using airodump, aireplay and aircrack to obtain the WPA passphrase of a WPA-PSK network.
The first command, airodump ath0 dump 11, starts airodump capturing on channel 11 and writing to the dump file. From its output we obtain the BSSID, the AP's MAC address (usually the same as the BSSID) and the client's MAC address.
The second command needs to be run in a new shell: aireplay -0 1 -a <AP's MAC address>. This carries out a deauthentication attack (-0) and sends 1 packet to the AP, forcing the client to reconnect and perform a fresh handshake. Adding -c <client's MAC address> to target a specific client may be required, but is not always necessary.
As this was a cloaked (hidden ESSID) network, we know the deauth attack was successful when the client reconnects and the ESSID is displayed in the airodump capture shell.
Once a WPA handshake has been captured we can try to obtain the WPA key with aircrack dump.cap -w dict.txt, where dump.cap is the capture file created by airodump ath0 dump 11 and -w dict.txt supplies the wordlist. I have used a small file in this example to prove the tools work; in reality cracking time would be far higher.
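From the defender's side, the deauthentication step above is the loud part of this procedure: a single deauth is routine AP housekeeping, but a burst of deauth or disassociation frames carrying the AP's address as source in a fraction of a second is what injected frames look like. The following is an added example, not part of the original write-up, that parses bare 802.11 management frames (the layout is the standard one; the capture interface and radiotap stripping are assumed to be handled elsewhere) and flags a BSSID that sources more than a threshold of such frames inside a time window. The sample frames, MAC addresses and timestamps are constructed for the example.

```python
import struct
from collections import defaultdict

# 802.11 frame control byte 0 = (subtype << 4) | (type << 2) | version.
DEAUTH, DISASSOC, BEACON = 0xC0, 0xA0, 0x80  # management subtypes 12, 10, 8

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Bare 802.11 management frame (no radiotap) -> (fc0, dst, src, bssid, reason),
    or None for anything that is not a deauthentication/disassociation."""
    if len(frame) < 26 or frame[0] not in (DEAUTH, DISASSOC):
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, 24)  # 2-byte reason code body
    return frame[0], mac(dst), mac(src), mac(bssid), reason

def deauth_alerts(frames, window=1.0, threshold=3):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns {bssid: peak}
    for BSSIDs that emit more than `threshold` deauth/disassoc frames within any
    `window` seconds. One deauth is normal AP housekeeping; a burst is the
    signature of injected deauths like the attack described above."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed:
            per_bssid[parsed[3]].append(ts)
    alerts = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window start forward
                start += 1
            if end - start + 1 > threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), end - start + 1)
    return alerts

def build_frame(fc0, dst, src, bssid, reason=7, seq=0):
    """Constructed test frame: FC, duration, DA, SA, BSSID, seq ctrl, reason."""
    return (bytes([fc0, 0]) + b"\x00\x00" + dst + src + bssid
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))

# Constructed sample capture (not real traffic): a broadcast deauth burst with
# AP1 as source, one legitimate disassociation from AP2, and a beacon to skip.
AP1, AP2, BCAST = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd"), b"\xff" * 6
SAMPLE = [(i * 0.01, build_frame(DEAUTH, BCAST, AP1, AP1, seq=i)) for i in range(5)]
SAMPLE += [(10.0, build_frame(DISASSOC, bytes.fromhex("0a1b2c3d4e5f"), AP2, AP2, reason=8)),
           (10.5, build_frame(BEACON, BCAST, AP2, AP2))]
```

Running deauth_alerts(SAMPLE) reports only AP1, since AP2's single disassociation stays under the threshold; on a real monitor-mode feed the threshold and window should be tuned against the site's normal roaming behaviour.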