Skillfade Logo

Wifi hacking

⏳ 9 min read

Table of Contents

    Cybersecurity Illustration

    I crouch under the humming neon grid of access points, the air vibrating with electrons and modulated white noise. The hum of packets, like distant gunfire in a bad warzone. A rogue AP flickers in the corner, its SSID broadcast a siren song: “Free_WiFi”, “CoffeeShop_5G”, “Guest_Network_01”. Smoke spins off my fingers from a cheap cigar, and in the glow of LED indicators I feel the pulse of every radio-frequency wave. Here, in this smoky expanse between antennas and firmware, is where the hack begins.

    Out through fibre or copper, through firewalls, through NATs, through the heart of VPN tunnels, I slip in via the side-doors, tucked in vulnerabilities in the handshake, masked MACs, misconfigured routers. The network is alive, breathing. Every device, laptop, phone, IoT bulb, does something. Some send BEACONs, others PROBE. When no one is watching, I listen. When no one is vigilant, I strike. This is not theory: this is code, air, logic, and danger.

    Wifi Hacking 101: Tools, Threat Models, and Setup

    Before you crack open the shell, know your battlefield. Your adversary is not just another script-kiddie, but firmware bugs, weak handshakes, incorrect configurations, and social engineering. Assume you have:

    • Legitimate access to a WiFi environment for testing (lab network, or with explicit permission).
    • Hardware: A wireless card that supports monitor mode and packet injection (e.g. Atheros, Ralink, or some Realtek chips, depending on driver support).
    • A controlled environment: ideally isolated, no unintentional collateral damage.

    Major threat models to explore:

    Threat Model Attack Goal
    Handshake capture + offline cracking Recover WPA2 pre-shared key
    Rogue AP / Evil Twin Man-in-the-middle / credential theft
    Deauth + Evil Twin Force re-authentication / strip encryption
    WPS push-button or PIN attack Bypass WPA2 PSK via misconfigured WPS
    Hidden SSID & MAC filtering bypass Access restricted networks

    Practical Workflow: “Handshake Capture & Crack”

    Here I sketch out the most canonical attack: capture the 4-way WPA2 handshake, then crack the PSK offline. As always, only in authorised labs.

    1. Scouting & Reconnaissance

    • Put your wireless interface into monitor mode.

    Bash snippet:

    ⚠️ Warning: The following commands may be considered offensive or malicious if used without authorisation. Only execute in controlled, legal environments for learning or penetration testing. 

    bash
  sudo ip link set wlan0 down
  sudo iwconfig wlan0 mode monitor
  sudo ip link set wlan0 up
    • Scan for networks, logging SSIDs, BSSIDs, channel numbers: 
    bash
  sudo airodump-ng wlan0mon

    2. Target Selection

    Choose a target network with:

    • WPA2-PSK encryption
    • Non-trivial but weak passphrase potential (dictionary-crackable)
    • Visible SSID and decent signal strength

    Record its channel, BSSID, the MAC of clients if possible.

    3. Forcing a Handshake

    To capture the handshake you often need a client to reconnect or drop. Use deauth frames:

    bash
sudo aireplay-ng --deauth 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon
    • “5” is the count of deauth packets sent.
    • If you don’t have a known client, broadcast deauth to all: skip “-c ”.

    4. Capturing the Handshake

    Use airodump-ng:

    bash
sudo airodump-ng --bssid <AP_MAC> -c <CHANNEL> -w capture wlan0mon

    Wait until you see “WPA handshake:” in the output. Then you have the exchange.

    5. Cracking the PSK

    Offline attack using hashcat or aircrack-ng:

    bash
aircrack-ng -w /path/to/wordlist.txt -b <AP_MAC> capture-01.cap

    Or using hashcat GPU acceleration:

    bash
hashcat -m 22000 handshake.hccapx /path/to/wordlist.txt --force

    Mini-lab Checklist

    • Set up a test WiFi network (WPA2-PSK), connect at least one client.
    • Capture the handshake using deauth.
    • Crack the PSK using wordlists of increasing complexity.

    Advanced Architectures: Rogue APs, Evil Twins & TLS Stripping

    Once you can crack PSKs, the darker arts beckon: tricking users, hijacking traffic, breaking encryption down.

    1. Setting up a Rogue AP

    Use hostapd (Linux) and DNS spoofing.

    bash
sudo apt install hostapd dnsmasq

    Configure hostapd.conf with the cloned SSID and softer security (e.g. open or weak WPA2):

    interface=wlan1
driver=nl80211
ssid=TargetNetwork
channel=6
hw_mode=g
wpa=2
wpa_passphrase=weakpass
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP

    2. DNS & DHCP Manipulation

    Configure dnsmasq to serve DNS responses, force traffic through your mitm proxy.

    3. Captive Portal & Phishing Pages

    Present fake login pages, SSL warning pages. If users accept self-signed certificates, exploit.

    4. TLS Stripping

    Use tools like mitmproxy or Bettercap to intercept HTTP->HTTPS redirects:

    • Force HTTP connections
    • Replace “upgrade-insecure-requests” headers
    • Inject JavaScript or scripts to force insecure content

    Actionable Takeaways

    • Rogue APs are potent only if users trust unverified certificates.
    • DNS poisoning + captive-portal pages = classic phishing, combine with social engineering.
    • TLS stripping is less effective in modern browsers and HSTS-protected sites, test edge cases.
    • Combine analytics: watch ARP tables, observe browser warnings, certificate mismatches.

    Edge-Case Techniques & Hardware Exploits

    Here is where your mindset must sharpen. The net always finds cracks.

    A. PMK-ID / PMK-Handshake capture on open / WEP networks

    Tools like hcxpcaptool can extract PMKID frames even without client interaction on WPA2 networks using RSN-PMKID capability. Attack works even if no deauth or connection.

    Bash snippet:

    bash
sudo hcxdumptool -i wlan0mon --enable_status=15 -o pmkid_essid.pcapng
sudo hcxpcaptool -z pmkid_hashes pmkid_essid.pcapng

    Then crack pmkid_hashes with hashcat.

    B. WPA3 Dragonfly and Transition Mode Problems

    WPA3’s SAE is strong but many networks operate in transition mode or allow fallback. These weak links, downgrade attacks, can be abused. Tools exist (e.g. SAE handshake capture tools) to force or exploit those fallbacks.

    C. Firmware Backdoors / Driver Bugs

    Certain wireless NICs in monitor mode have driver bugs leaking information, or fail to validate frames properly. Exploits may allow you to inject malformed frames, cause buffer overflows. Requires reverse engineering: capture with Wireshark, examine unusual 802.11 frame fields.

    Workflow for a Penetration Exercise

    Here is a full end-to-end workflow you can follow in a lab.

    1. Acquire a router with customisable firmware (OpenWrt, DD-WRT) and a wireless card capable of monitor mode + inject.
    2. Set up two networks:
      a. WPA2-PSK with weak passphrase, no WPA3.
      b. Mixed WPA3 transition mode network.
    3. Connect clients: laptop, phone. Enable HSTS, use modern browsers.
    4. Simulate deauth attack, capture handshake for WPA2 network, crack PSK.
    5. For transition mode network, attempt downgrade or block SAE, force using WPA2.
    6. Deploy a rogue AP mimicking SSID. Use DNS spoofing + captive portal to capture credentials.
    7. Try PMKID capture without probing clients.

    Checklist & Tools Summary

    • Wireless card supporting monitor + inject
    • Tools: aircrack-ng, hashcat, hcxdumptool, bettercap or mitmproxy, hostapd, dnsmasq
    • Wordlists: rockyou, custom dictionaries
    • Protocols knowledge: WPA2 v/s WPA3, SAE, PMKID, TKIP v/s CCMP, HSTS, TLS versions
    • Monitoring: Wireshark, tcpdump

    Mastering Wi-Fi Hacking Techniques for Cybersecurity Learners

    Aim

    To equip you with hands-on methods and tools that ethical security professionals use to test, breach and secure Wi-Fi networks.

    Learning Outcomes

    By the end of this guide you will be able to:
    - Set up a wireless network interface in monitoring mode and capture packets.
    - Perform de-authentication attacks to force reconnections and capture WPA/WPA2 handshakes.
    - Use tools to crack WEP, WPA/WPA2-PSK encryption.
    - Exploit WPS-PIN vulnerabilities.
    - Analyse captured traffic and verify network weaknesses.

    Prerequisites

    You need:
    - A computer running Kali Linux or Parrot OS (or a VM if hardware supports wireless card passthrough).
    - A wireless network card that supports monitor mode and packet injection.
    - Root or sudo privileges.
    - Basic command-line experience in Bash.
    - Familiarity with wireless encryption standards (WEP, WPA, WPA2, WPS).

    Step-by-Step Guide

    1. Discover Wireless Networks in Range

    Use airmon-ng and airodump-ng from the Aircrack-ng suite to list all wireless networks: 

    bash  
sudo airmon-ng check kill  
sudo airmon-ng start wlan0  
sudo airodump-ng wlan0mon

    This will show SSIDs, BSSIDs, channels, encryption types and connected clients. (en.wikipedia.org)

    2. Capture WPA/WPA2 Handshake

    Identify a WPA/WPA2 network, note its channel (e.g. channel 6) and target BSSID, then focus capture: 

    bash  
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture_file wlan0mon

    To force a handshake, send a de-authentication packet: 

    bash  
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon

    Once a client reconnects, the handshake is captured. (en.wikipedia.org)

    3. Crack the Password Using Dictionary Attack

    Using the captured handshake and a wordlist, attempt to crack WPA/WPA2-PSK: 

    bash  
aircrack-ng -w /path/to/wordlist.txt -b AA:BB:CC:DD:EE:FF capture_file.cap

    If password isn’t in any common list, consider custom wordlist tools (e.g. Crunch) or hybrid attacks. (reddit.com)

    4. Crack WEP Encryption

    If the target network uses WEP, inject ARP packets to speed up IV collection, then use Aircrack-ng on those IVs: 

    bash  
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 --ivs wlan0mon  
aireplay-ng --arp-inject -b AA:BB:CC:DD:EE:FF wlan0mon  
aircrack-ng -b AA:BB:CC:DD:EE:FF capture_file.ivs

    WEP is weak and flawed in design; it can be cracked swiftly once enough IVs are gathered. (en.wikipedia.org)

    5. Exploit WPS Vulnerabilities

    Use Reaver to test for weak WPS-PIN implementations: 

    bash  
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

    This may retrieve WPA/WPA2 passphrase by brute forcing the WPS PIN. Many routers have poor or zero protections around this. (web.nwkings.com)

    6. Passive Reconnaissance and Hidden Networks

    Use Kismet to monitor all traffic passively, detect hidden SSIDs, clients, and unusual frames: 

    bash  
sudo apt install kismet  
sudo kismet -c wlan0mon

    Learning traffic patterns and device behaviour helps in understanding attack surfaces. (edureka.co)

    Actionable Insights

    • Always get consent before testing security of any network that is not your own.
    • Maintain up-to-date wordlists and use tools like Crunch to generate custom ones.
    • Use GPU-accelerated cracking tools like Hashcat when offline cracking becomes necessary.
    • Regularly update firmware and disable WPS on your own routers to defend against these attacks.

    Use these steps responsibly to practise core skills.

    You breathe, listening to the crackle of RF, counting deauth packets, watching the client fall back, watching the handshake materialise like shattered glass. You marshal your code, bash, python snippets and tools, into order, aligning your attacks but alert to the charred edges of legal and ethical collapse. The neon city may be static, but inside the frame of every beacon and probe you danced through WPA handshakes, rogue APs, PMKIDs and downgrade traps. The routers, the cards, the driver bugs all part of you now, pulsing in your veins like dangerous software waiting to be unleashed.