| name | wifi-pentest |
| description | Wireless network assessment via monitor mode, handshake capture, and de-authentication testing. Use to assess WiFi security posture and crack WPA/WPA2. |
WiFi Pentest
When to use
Use this skill for wireless network assessment:
- Monitor mode and interface preparation
- AP/client discovery via passive scanning
- WPA2/WPA3 handshake or PMKID capture
- De-authentication and forced association (with confirmation)
- Dictionary or rule-based password cracking
Working Style
Passive-first minimizes detection; active only when authorized:
- Setup —
airmon_ng to enable monitor mode, verify RF compatibility [critical, ~10s]
- Discover —
airodump_ng passive scan to locate APs and clients [critical, ~30-120s]
- Capture — Passive PMKID or handshake capture via monitoring; avoid forcing traffic initially [critical, ~1-5 min]
- Crack —
hashcat (GPU preferred) or john on captured WPA2/WPA3 hash [critical, ~1-30 min]
- Active Testing — De-auth/injection only if passive capture fails AND scope permits [medium, ~10-30s]
Decision fields (aligned with wifi_attack_chain prompt):
- result_context: After
airodump_ng, check for "WPA handshake: {bssid}" in output. If present, skip de-auth (STEP 3) and go directly to cracking (STEP 4).
- result_context: After
aireplay_ng, check "Sent XX packets" — if 0, no associated clients.
- Fallback: If no handshake captured, try channel hopping or PMKID capture. If no clients visible, retry during peak hours.
Entry point:
airmon_ng(interface="wlan0", action="start")
Notes
- Requires Confirmation:
aireplay_ng de-auth (mode 0, 1, 9) and mdk4 require explicit approval due to service disruption
- Effectiveness: airodump_ng (1.0), hashcat WPA (0.95), PMKID capture (0.90)
- Detection: RF transmission is immediately observable; wireless assessment is always detected by admin
- PMKID Advantage: Can extract without forcing handshake; faster, lower detection
- Handoff: Cracked WiFi creds → network pivot or
password-cracking for credential validity
- Avoid: De-authing without scope authorization; unencrypted management frames in 802.11w networks
- Handshake Detection:
airodump_ng output shows "WPA handshake: XX:XX:XX:XX:XX:XX" when a 4-way handshake is captured. If present, cracking can proceed immediately.
- No Client Fallback: If
airodump_ng shows "0 stations", de-auth attacks will fail. Suggest channel hopping or retrying during peak hours.