Summary
Wireless networks present a broad and often fragmented attack surface, making it difficult to know which tools or techniques to use in a given situation. Between WPA2-PSK, WPA2-Enterprise, WPS, Evil Twins, and captive portal attacks, each target requires a different approach. In Wi-Fi Penetration Testing Tools & Techniques, students will explore a wide range of tools, both widely adopted and lesser known, that are used in real-world wireless assessments. Through hands-on practice, learners will build the knowledge and confidence needed to identify network types, choose appropriate tools, and execute effective wireless attacks across a variety of scenarios.
In this module, we will cover:
- Setting up GPSD
- Reconnaissance with Airodump-ng, Kismet, LinSSID, WifiDB, and Sparrow WiFi
- Open source intelligence with WiGLE
- Online brute-force attacks with Air-Hammer, Wacker, and WifiBF
- Automated attack frameworks such as H4rpy, Wifite2, and Fern WiFi Cracker
- Evil Twin and Captive Portal customization with WifiPumpkin3, Airgeddon, and EAPHammer
- Gathering and cracking passwords with Pyrit, Aircrack-ng, and Pmkidcracker
- Man-in-the-Middle attacks with Ettercap and Bettercap
- Router firmware vulnerabilities and exploitation
This module is broken down into sections with accompanying hands-on exercises to practice each of the tools, tactics, and techniques we cover. There are no specific WiFi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.
As you work through the module, you will see example commands and command outputs for the various tools and topics introduced. Reproducing as many examples as possible is recommended to reinforce the concepts presented in each section.
You can start and stop the module at any time and pick up where you left off. There is no time limit or grading, but you must complete all of the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
This module is classified as "Medium" and assumes a working knowledge of Linux systems and network fundamentals. A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:
WiFi Security Essentials
Since the advent of the 802.11 standard, the use of WiFi for network and internet access has grown significantly due to the convenience it provides. In both corporate and personal environments, users rely on WiFi to access online services and perform daily tasks.
However, this widespread reliance has introduced serious security concerns. Wireless networks are vulnerable to a variety of attacks that can compromise user privacy, and in organizational settings, lead to financial loss or reputational damage. Despite this, many companies still lack proper safeguards to secure their wireless infrastructure.
In the sections ahead, we'll explore several common WiFi threats and the tools used to identify and exploit them.
| Threat | Description |
|---|---|
| Eavesdropping and packet sniffing | Attackers intercepting unencrypted data in transit. Often occurs through man-in-the-middle attacks or fake captive portals. |
| Rogue access points and Evil Twins | Unauthorized or deceptive WiFi hotspots designed to lure users. |
| Weak encryption standards (WEP, WPA) | Outdated protocols with known flaws; modern networks should use WPA2 or WPA3. |
| Brute-force and dictionary attacks | Attempts to guess WiFi passwords by exploiting captured handshakes or using wordlists. |
| WPS vulnerabilities | Security flaws in the Wi-Fi Protected Setup feature that can be exploited to retrieve credentials. |
In order to assess and exploit these weaknesses, pentesters must use specialized tools tailored to different phases of a wireless engagement. Below is a categorized overview of the tools we'll be covering throughout this module.
Reconnaissance Tools
These tools are essential during the initial phase of testing. They help identify nearby networks, capture packet data, and analyze wireless traffic.
| Tool | Description |
|---|---|
| Airodump-ng | Part of the Aircrack-ng suite, used for packet capturing and wireless monitoring. |
| Kismet | A network detector, packet sniffer, and intrusion detection system. |
| Sparrow-WiFi | A graphical WiFi analyzer for Linux that provides real-time visibility into wireless networks. |
| wifi_db | Parses Aircrack-ng captures into a SQLite database for deeper analysis. |
| LinSSID | A graphical WiFi scanner similar to NetStumbler, built for Linux. |
| WiGLE | A global database of geolocated WiFi networks submitted by wardrivers. |
Password Cracking and Brute Force Tools
These tools are used to exploit cryptographic weaknesses based on data captured during reconnaissance.
| Tool | Description |
|---|---|
| Air-hammer | An automated WPA/WPA2 PSK attack tool. |
| Reaver | Designed for brute-force attacks against WPS registrar PINs in order to recover WPA/WPA2 passphrases. |
| WifiBF | A tool for brute-forcing WiFi passwords. |
| Wacker | A collection of scripts used to perform online dictionary attacks on WPA3 access points. |
| pyrit | Allows you to attack wireless networks using pre-computed hashes. |
| Aircrack-ng | A complete suite for breaking WiFi network security. |
| Cowpatty | Used to verify captured handshakes and brute-force WiFi passwords. Also capable of using a precomputed hash file (rainbow table). |
| pmkidcracker | Targets PMKID features of WPA2 for cracking passwords. |
Automated Attack Tools
These tools require minimal manual configuration and automate various steps to exploit weak or misconfigured WiFi networks.
| Tool | Description |
|---|---|
| Fern Wi-Fi Cracker | A GUI-based tool for auditing and recovering WEP/WPA keys. |
| h4rpy | Automates WPA/WPA2 handshake capture and dictionary attacks. |
| Wifite2 | A Python-based tool for automating wireless auditing tasks. |
Automated Evil Twin & MitM Attack Tools
These tools are used to simulate rogue access points and perform man-in-the-middle attacks on wireless clients.
| Tool | Description |
|---|---|
| EAPHammer | Targets WPA-Enterprise networks with Evil Twin and credential harvesting attacks. |
| Airgeddon | A multi-purpose wireless attack framework supporting Evil Twin attacks, DoS, and more. |
| Wirespy | A tool designed for network-level spying and MitM attacks. |
| WifiPumpkin3 | A rogue AP framework that supports phishing, DNS spoofing, and traffic manipulation. |
| Ettercap | A classic network sniffer and man-in-the-middle attack tool. |
| Bettercap | A powerful, modular network attack and monitoring tool with support for wireless attacks. |
Moving On
Now that we've covered the tool landscape at a high level, we'll shift our focus to the reconnaissance phase in more detail. In the next sections, we'll explore how tools like Airodump-ng and others are used to identify wireless networks, capture data, and build situational awareness before launching attacks.