Wireless networks are everywhere, and so are their vulnerabilities. From corporate offices running WPA2-Enterprise to small businesses still relying on outdated WEP encryption, the wireless attack surface is massive. WiFi pentesting, or wireless penetration testing, is the structured process of probing these networks to identify security weaknesses before malicious actors do.
This guide walks through the methodology, tools, and real-world techniques used by security professionals to assess wireless network security. Whether you are a seasoned penetration tester looking to sharpen your skills or a security-conscious IT manager wanting to understand what an assessment involves, this breakdown covers everything from reconnaissance to post-exploitation.
WiFi pentesting is a subset of penetration testing focused exclusively on wireless infrastructure. It involves simulating the techniques a real-world attacker would use to gain unauthorized access to a wireless network, capture credentials, intercept traffic, or pivot into an internal network.
The stakes are high. A compromised wireless network can give an attacker direct access to internal systems, sensitive data, or the ability to intercept unencrypted communications. Many organizations invest heavily in perimeter security while leaving wireless access points dangerously misconfigured.
If your organization has never had a formal wireless security assessment, the risk exposure is likely higher than you realize. Redfox Cybersecurity offers professional wireless penetration testing services designed to uncover these hidden vulnerabilities before attackers exploit them. Visit https://redfoxsec.com/services to learn more.
Before any testing begins, you need the right setup. The most critical piece of hardware is a wireless adapter capable of monitor mode and packet injection. Popular choices include the Alfa AWUS036ACH and the Alfa AWUS036NHA.
On the software side, Kali Linux remains the standard operating system for wireless pentesting, bundling most necessary tools out of the box.
Confirm your adapter supports monitor mode:
iw list | grep -A 10 "Supported interface modes"
[cta]
Enable monitor mode on your interface:
sudo airmon-ng start wlan0
[cta]
Check for interfering processes that may disrupt packet capture:
sudo airmon-ng check kill
[cta]
Your interface will typically be renamed to wlan0mon after enabling monitor mode.
The first step in any WiFi pentest is passive reconnaissance. This means listening to the wireless environment without transmitting any packets, making it completely undetectable.
sudo airodump-ng wlan0mon
[cta]
This command reveals all nearby access points, their BSSIDs, channels, signal strength, encryption types, and connected clients. Key columns to note:
To focus on a specific network and save the capture to a file:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
[cta]
Some administrators hide their SSIDs under the mistaken belief that obscurity provides security. Passive scanning will show these networks with blank ESSIDs. Once a client connects, the SSID is broadcast in the probe response and can be captured.
You can also use active probing to force the disclosure:
sudo mdk4 wlan0mon p -t AA:BB:CC:DD:EE:FF
[cta]
WEP (Wired Equivalent Privacy) is obsolete and trivially broken. If you encounter a WEP network during an assessment, it should be flagged as a critical finding immediately.
Start by capturing traffic:
sudo airodump-ng -c 1 --bssid AA:BB:CC:DD:EE:FF -w wep_capture wlan0mon
[cta]
To accelerate IV collection, perform an ARP replay attack:
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
[cta]
Once you have collected enough IVs (typically 20,000 to 40,000), crack the key:
sudo aircrack-ng wep_capture-01.cap
[cta]
WEP can be cracked in minutes. No organization should still be using it, yet assessments still occasionally uncover it in legacy environments.
WPA2 with a strong passphrase is significantly more resilient than WEP, but it is not immune to attack. The most common attack vector is the four-way handshake capture followed by an offline dictionary or brute-force attack.
Begin capturing traffic on the target network:
sudo airodump-ng -c 11 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon
[cta]
To capture the handshake, wait for a client to connect naturally, or accelerate the process by sending a deauthentication frame to force a reconnection:
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:AA:BB wlan0mon
[cta]
The -0 5 sends five deauthentication frames. When the client reconnects, the handshake is captured. Airodump-ng will display "WPA handshake" in the top-right corner of the terminal when successful.
Run a dictionary attack against the captured handshake:
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF wpa_capture-01.cap
[cta]
For faster processing, use Hashcat, which leverages GPU acceleration:
sudo hashcat -m 22000 wpa_capture-01.hc22000 /usr/share/wordlists/rockyou.txt --force
[cta]
To convert the capture file to Hashcat's format:
hcxpcapngtool -o wpa_capture-01.hc22000 wpa_capture-01.cap
[cta]
The speed advantage of GPU-based cracking is significant. A mid-range GPU can test hundreds of millions of passwords per second against a WPA2 hash. This makes weak and common passphrases extremely vulnerable.
If your organization's wireless security relies solely on a passphrase, a professional assessment from Redfox Cybersecurity can identify exactly how resilient that passphrase is under real-world attack conditions: https://redfoxsec.com/services.
A significant advance in WPA2 cracking came with the discovery of the PMKID attack, which does not require capturing a four-way handshake or waiting for a client to connect.
Use hcxdumptool to extract the PMKID:
sudo hcxdumptool -i wlan0mon -o pmkid_capture.pcapng --enable_status=1
[cta]
Convert and crack:
hcxpcapngtool -o pmkid.hc22000 pmkid_capture.pcapng
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt
[cta]
This technique makes it possible to attack WPA2 networks without any active clients present, dramatically expanding the attack surface.
An evil twin is a rogue access point that impersonates a legitimate network. Clients connecting to it have their traffic routed through the attacker, enabling credential harvesting and man-in-the-middle interception.
Using hostapd-wpe (Wireless Pwnage Edition) is common for this attack, particularly against WPA2-Enterprise environments:
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
[cta]
A basic hostapd-wpe configuration targeting a WPA2-Enterprise network:
interface=wlan0
driver=nl80211
ssid=TargetCorpWiFi
hw_mode=g
channel=6
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
eap_server=1
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
[cta]
When clients connect and attempt to authenticate, hostapd-wpe captures the MSCHAPv2 challenge and response hashes. These can then be cracked offline:
asleap -C <challenge> -R <response> -W /usr/share/wordlists/rockyou.txt
[cta]
For open network impersonation:
sudo airbase-ng -e "Free_Airport_WiFi" -c 6 wlan0mon
[cta]
Combine this with a DHCP server and traffic forwarding to perform full man-in-the-middle interception. This is a common technique used to demonstrate risk in public-facing environments during authorized assessments.
WPA3 was designed to address the shortcomings of WPA2, but it is not without vulnerabilities. The Dragonblood research disclosed in 2019 revealed several side-channel and denial-of-service vulnerabilities in the WPA3-Personal Dragonfly handshake.
In transition mode, access points support both WPA2 and WPA3 simultaneously. An attacker can force clients to connect using WPA2 by broadcasting a rogue AP with only WPA2 enabled, then conducting a standard WPA2 attack.
sudo airbase-ng -e "TargetNetwork" -z 4 -c 6 wlan0mon
[cta]
The -z 4 flag sets the cipher to CCMP (WPA2). Clients that accept the downgrade are then vulnerable to handshake capture and offline cracking.
WPA3 adoption is still gradual, and most environments running WPA3 are doing so in transition mode. This makes downgrade attacks a practical real-world concern that Redfox Cybersecurity specifically evaluates during wireless assessments. For a detailed look at what a professional wireless assessment covers, visit https://redfoxsec.com/services.
Gaining access to a wireless network is rarely the final objective of a pentest. The real goal is to understand what an attacker can do once they are on the network.
sudo nmap -sn 192.168.1.0/24
[cta]
sudo ettercap -T -q -i wlan0 -M arp:remote /192.168.1.1// /192.168.1.0/24//
[cta]
sudo bettercap -iface wlan0
Within the bettercap interactive session:
net.probe on
net.sniff on
arp.spoof on
https.proxy on
[cta]
These commands enable ARP spoofing and HTTPS downgrade attacks, allowing the capture of credentials from clients that fail to enforce strict HSTS.
A WiFi pentest is only as valuable as the report it produces. Findings should be categorized by severity and include:
Common high-severity findings in wireless assessments include WEP or WPA usage, weak passphrases susceptible to dictionary attacks, absence of wireless intrusion detection systems (WIDS), rogue access points operating on the network, and missing certificate validation in EAP configurations.
Remediation recommendations typically cover upgrading to WPA3 where supported, enforcing strong passphrases of at least 20 characters, deploying a WIDS solution, implementing certificate pinning for EAP-TLS, and conducting regular wireless audits.
WiFi pentesting is a technically demanding discipline that requires deep knowledge of wireless protocols, cryptography, and network behavior. The attack techniques covered here, from WEP cracking and WPA2 handshake capture to evil twin attacks and WPA3 downgrade exploitation, represent the real-world toolkit that security professionals and adversaries alike use to probe wireless networks.
For most organizations, the gap between perceived wireless security and actual wireless security is wider than expected. A passphrase that feels strong may fall in hours against a GPU-accelerated dictionary attack. A hidden SSID provides no meaningful protection. WPA2-Enterprise deployments with misconfigured certificate validation are trivially exploited through rogue access points.
Conducting regular wireless penetration testing is not optional for organizations that take security seriously. Redfox Cybersecurity delivers comprehensive wireless assessments that mirror real attacker techniques, providing actionable intelligence to harden your wireless infrastructure. Explore the full range of security testing services at https://redfoxsec.com/services and take the first step toward a defensible wireless environment.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
