Robbb - You can do
airodump-ng -c 8 mon0
to lock the channel. Obviously replace the 8 there with whatever channel it is you're trying to lock it on. Also, if you're having trouble with dhclient/dhclient3, you can try doing
Sometimes when I want to authenticate with an AP I have to do this, with a combination of unplugging the thing and plugging it back in. I'm not sure what it is that causes this, or a definite solution to the problem.
As far as collecting a handshake goes, it can be very difficult to do so, especially if you're far away, or there are no clients currently authenticated with the AP. The best way to do it is first to get your antenna aimed at the thing as best you can. You can look at the power level in airodump to determine this. The power level in dBm is negative there, so note that a lower number reflects a higher power level. Once you're there, wait until you see that there is a client associated with the AP. You can filter airodump to STA (station only) by pressing 'a' while you have it running. It's also useful to use the -a switch when starting up airodump-ng, as this will filter out clients that aren't associated.
Once you have an associated client, then use
aireplay-ng -0 -1 -a $APMAC -c $STAMAC mon0
In this case, you would either have previously created the variables $APMAC and $STAMAC, or you can just replace $APMAC and $STAMAC with the MAC address of the AP and the MAC of the client accordingly. You will see if you are getting acknowledge (ACK) packets from the AP and/or the client. Here's the important part: you MUST be able to receive packets from BOTH the client and the access point if you want to gather a handshake. If you aren't seeing ACKs from both, then you most likely won't be able to gather the shake. You can try repositioning the antenna to see if there's a 'sweet spot' where you can communicate with both of them, which can happen often depending on how powerful your antenna is.
By far the easiest way to see what's wrong is by using Wireshark. If your cap file is beanbagcap-01.cap you would use:
wireshark -R eapol beanbagcap-01.cap
This will show you all of the EAPOL packets in the capture, and you'll quickly be able to see whether it's the AP or the client that you're not getting packets from. Wireshark is an extremely useful tool, and it's very easy to learn to use. It's definitely essential in troubleshooting when you're trying to grab a shake.
Another thing that can help you out is by upping the power to the adapter. You can go as high as 30 dBm on that mother without any tweaks, and by creating your own country code you can get it up to 31 dBm. Here's how:
iw reg set BO
iwconfig wlan0 txpower 30
Note that it's an uppercase O in the iw command, not a 0 (BO represents Bolivia's country code for regulation on the txpower). I've noticed a big difference in the success of this attack when you raise the power like this from 20 dBm to 30 dBm, but maybe it's just in my imagination, as I've gotten handshakes under both settings.
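The check the post does by eye in Wireshark (which EAPOL messages are in the capture, and whether both the AP and the client were heard) can be automated. The following is an added example, not code from the post or from the aircrack-ng project. It classifies EAPOL-Key frames by the Key Information bits that distinguish the four handshake messages and reports which side is missing. The MAC addresses and the frames are constructed test data; a real run would feed it the EAPOL payloads pulled out of the .cap file with a pcap library.

```python
import struct

# EAPOL-Key "Key Information" bit masks (IEEE 802.11 RSN key descriptor)
KEY_INFO_PAIRWISE = 1 << 3
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9

EAPOL_TYPE_KEY = 3               # EAPOL packet type for EAPOL-Key
RSN_DESCRIPTOR_TYPES = (2, 254)  # 2 = RSN (WPA2), 254 = legacy WPA


def build_eapol_key(key_info):
    """Build a minimal EAPOL-Key frame for testing (constructed data; nonce,
    MIC and replay counter are zeroed, only Key Information matters here)."""
    body = struct.pack(">BHH", 2, key_info, 16)  # descriptor type, key info, key length
    body += b"\x00" * 8    # replay counter
    body += b"\x00" * 32   # key nonce
    body += b"\x00" * 16   # key IV
    body += b"\x00" * 8    # key RSC
    body += b"\x00" * 8    # reserved
    body += b"\x00" * 16   # key MIC
    body += struct.pack(">H", 0)  # key data length (no key data)
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


def classify_eapol_key(frame):
    """Return the 4-way handshake message number (1-4) for an EAPOL payload,
    or None if it is not a pairwise EAPOL-Key message."""
    if len(frame) < 7:
        return None
    _version, ptype, length = struct.unpack(">BBH", frame[:4])
    if ptype != EAPOL_TYPE_KEY or len(frame) < 4 + length:
        return None
    desc_type, key_info = struct.unpack(">BH", frame[4:7])
    if desc_type not in RSN_DESCRIPTOR_TYPES or not key_info & KEY_INFO_PAIRWISE:
        return None
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1          # AP -> STA: ANonce, no MIC yet
    if mic and not ack and not secure:
        return 2          # STA -> AP: SNonce + MIC
    if ack and mic and install:
        return 3          # AP -> STA: ANonce again, Install flag, MIC
    if mic and not ack and secure:
        return 4          # STA -> AP: final confirmation
    return None


def diagnose_handshake(frames, ap_mac, sta_mac):
    """Report which handshake messages were captured and from which side.
    frames is a list of (source MAC, destination MAC, EAPOL payload bytes)."""
    seen = set()
    for src, _dst, payload in frames:
        msg = classify_eapol_key(payload)
        if msg is None:
            continue
        # Messages 1 and 3 come from the AP, 2 and 4 from the client.
        expected_src = ap_mac if msg in (1, 3) else sta_mac
        if src.lower() == expected_src.lower():
            seen.add(msg)
    return {
        "messages": sorted(seen),
        "from_ap": bool(seen & {1, 3}),
        "from_client": bool(seen & {2, 4}),
        "complete": seen == {1, 2, 3, 4},
    }


# Constructed sample capture with hypothetical MACs: only the AP side was heard.
AP_MAC = "00:11:22:33:44:55"
STA_MAC = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    (AP_MAC, STA_MAC, build_eapol_key(KEY_INFO_PAIRWISE | KEY_INFO_ACK)),
    (AP_MAC, STA_MAC, build_eapol_key(KEY_INFO_PAIRWISE | KEY_INFO_ACK | KEY_INFO_MIC
                                      | KEY_INFO_INSTALL | KEY_INFO_SECURE)),
]

if __name__ == "__main__":
    print(diagnose_handshake(SAMPLE_FRAMES, AP_MAC, STA_MAC))
```

On the constructed sample the report is messages 1 and 3 from the AP and nothing from the client. Message 3 is only sent after the AP has received message 2, so this pattern means the client did reply but the capturing adapter never heard it, which is exactly the "not receiving from both sides" case the post describes and the cue to reposition the antenna.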