# airodump-ng
airodump-ng "is used for packet capture, capturing raw 802.11 frames."
# Find APs to attack with a CERTAIN word in their names
```bash
sudo airodump-ng mon0 --essid-regex CORP --band abg -w inscope --output-format csv
```
TIP: The columns you see:
- BSSID - MAC address of the access point
- PWR - signal strength (closer to 0 indicates a stronger signal)
- Beacons - the AP broadcasts these periodically to advertise its presence
- #Data/#s - number of data frames captured from the AP (and data frames per second)
- CH - channel the AP is broadcasting on
- MB - max bitrate of the AP, measured in Mbps
- ENC - encryption (like WPA3)
- CIPHER - encryption cipher used to secure data (AES is common in WPA/WPA3 networks)
- AUTH - authentication method (like SAE for WPA3)
- ESSID - network name
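As an added example (not part of these notes), a small Python script that reads the CSV written by `-w inscope --output-format csv` and flags the rows a defender cares about: APs with open or WEP encryption, and APs advertising an in-scope ESSID whose BSSID is not on an approved list (a basic rogue-AP check). The sample CSV rows and the approved-BSSID allowlist are constructed.

```python
import csv
import io
import re

# Constructed sample in the layout airodump-ng writes with --output-format csv:
# an AP section, a blank line, then a station section (ignored here).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, # ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 09:00:00, 2024-01-01 09:05:00,  6,  54, WPA2, CCMP, PSK, -45, 120, 0, 0.  0.  0.  0, 9, CORP-WiFi,
66:77:88:99:AA:BB, 2024-01-01 09:01:00, 2024-01-01 09:05:00, 11, 130, WPA2, CCMP, PSK, -70,  40, 0, 0.  0.  0.  0, 9, CORP-WiFi,
CC:DD:EE:FF:00:11, 2024-01-01 09:02:00, 2024-01-01 09:05:00,  1,  54, OPN,  ,  , -60,  80, 0, 0.  0.  0.  0, 10, CORP-Guest,
22:33:44:55:66:77, 2024-01-01 09:03:00, 2024-01-01 09:05:00,  3,  54, WEP, WEP,  , -80,  10, 0, 0.  0.  0.  0, 7, Printer,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 09:00:30, 2024-01-01 09:04:00, -50, 15, 00:11:22:33:44:55, CORP-WiFi
"""

# Hypothetical allowlist: BSSIDs of the APs your team actually operates.
APPROVED_BSSIDS = {"00:11:22:33:44:55"}
WEAK_ENC = {"OPN", "WEP"}

def parse_ap_rows(text):
    """Return the AP section of an airodump-ng CSV as a list of dicts."""
    aps = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            break                      # blank line ends the AP section
        cells = [c.strip() for c in row]
        if cells[0] == "BSSID":
            continue                   # column header line
        aps.append({"bssid": cells[0].upper(), "channel": cells[3],
                    "enc": cells[5], "cipher": cells[6], "auth": cells[7],
                    "power": int(cells[8]), "essid": cells[13]})
    return aps

def audit(text, essid_pattern, approved=APPROVED_BSSIDS):
    """Flag weakly-encrypted APs and unapproved APs using a protected ESSID."""
    findings = []
    pat = re.compile(essid_pattern, re.IGNORECASE)
    for ap in parse_ap_rows(text):
        if ap["enc"] in WEAK_ENC:
            findings.append((ap["bssid"], ap["essid"], "weak encryption: " + ap["enc"]))
        if pat.search(ap["essid"]) and ap["bssid"] not in approved:
            findings.append((ap["bssid"], ap["essid"], "unapproved AP using in-scope ESSID"))
    return findings

if __name__ == "__main__":
    for bssid, essid, why in audit(SAMPLE_CSV, "CORP"):
        print(f"{bssid}  {essid:<12} {why}")
```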
# Listen for handshake on specific wifi name
```bash
sudo airodump-ng wlan0mon --essid "Name of Corp Wifi" -w capture.cap
```
TIP: The #Data field generally indicates how much traffic or activity is happening on that network, so I think it means it's a good target for handshake captures.
# Start listening for a handshake using specific BSSID and specific channel
```bash
sudo airodump-ng mon0 -c 1 --bssid 00:11:22:33:44:55 -w name-of-file-to-output
```
Now that you're taking a good dump (heh), you could speed the handshake-grabbing process along by disassociating clients using aireplay-ng!
# Scan all abg bands for specific wifi name
```bash
airodump-ng wlan0mon --essid "MEOW" --band abg
```
# Sort live results
See this page for more info, but some general keyboard shortcuts:
- i - to inverse sort order
- s - to sort by ESSID, data, beacons, etc.
- Space bar - pauses/unpauses the live refresh of the display
- Tab - enables a mode where you can scroll through the AP list
# Extract and crack captured handshakes
Check the hcxpcapngtool page for more info.
# See also
aireplay-ng "is used to inject frames."
airmon-ng "...can be used to enable monitor mode on wireless interfaces. It may also be used to kill network managers, or go back from monitor mode to
This tool is handy for a bunch of things, but especially helpful when you've grabbed a WPA PSK using something like airodump-ng and you need to