Wireless Penetration Testing

Comprehensive WiFi, Bluetooth, and RF security assessment guide covering WPA/WPA2/WPA3 cracking, evil twin attacks, BLE exploitation, WPS attacks, captive portal bypass, and cutting-edge wireless attacks.

Why This Matters

Wireless is one of the highest-value attack surfaces on a physical engagement. A single unpatched AP, a rogue device on guest WiFi, or a WPS-enabled router can give an attacker a foothold inside a corporate network in minutes — without ever touching the front door.

Legal Warning

Wireless attacks can affect nearby networks. Only perform these attacks on networks you own or have explicit written authorization to test. Unauthorized wireless attacks are illegal.

What You'll Learn

  • Monitor mode and packet capture
  • WPA/WPA2 handshake cracking
  • Evil twin and rogue AP attacks
  • WPA-Enterprise exploitation
  • Bluetooth & BLE attacks
  • WPS exploitation and Pixie Dust
  • KRACK, FragAttacks, and advanced WPA3 attacks
  • Dragonblood SAE side-channel & WPA3 transition downgrade
  • SDR signal capture and sub-GHz replay attacks

Methodology Overview

Guide Sections

01 Setup ● Beginner
   Hardware selection, driver installation, VM passthrough. → End state: wlan0mon ready for injection

02 Reconnaissance ● Beginner
   airodump-ng scanning, hidden SSID probing, client enumeration. → Tools: airodump-ng, Kismet

03 WPA Cracking ● Intermediate
   4-way handshake, PMKID (clientless), GPU cracking. → Tools: aircrack-ng, hashcat

04 Evil Twin ● Intermediate
   Rogue AP setup, captive portal credential harvesting. → Tools: hostapd-wpe, Fluxion, eaphammer

05 Enterprise ● Advanced
   802.1X/RADIUS attacks, EAP credential capture, MSCHAP cracking. → Tools: eaphammer, hostapd-wpe

06 Deauth Attacks ● Intermediate
   Force client disconnection, handshake harvesting, DoS. → Tools: aireplay-ng, MDK4, Bettercap

07 WEP Cracking ● Beginner
   Legacy IV capture + ARP replay attacks. Included for legacy system testing. → Tools: aircrack-ng

08 WPA3 & Wi-Fi 6 ● Advanced
   SAE/Dragonblood side-channel, OWE downgrade, 6 GHz scanning. → Tools: hcxdumptool, hashcat

09 SDR & RF Hacking ● Advanced
   RTL-SDR/HackRF signal analysis, replay attacks, garage/car fob interception. → Tools: GQRX, URH, Flipper Zero

10 Bluetooth & BLE ● Intermediate
   BLE MITM, BlueBorne, device tracking, Classic BT PIN attacks. → Tools: Ubertooth, btlejack, bettercap

11 WPS Attacks ● Intermediate
   Pixie Dust (offline), Reaver PIN brute force, default vendor PINs. → Tools: Reaver, Bully, wifite2

12 Captive Portal Bypass ● Intermediate
   MAC clone, DNS tunnel, HTTPS bypass for hotel/airport portals. → Tools: macchanger, iodine, sshuttle

13 Advanced Attacks ● Advanced
   KRACK, FragAttacks, Dragonblood, mesh/Wi-Fi Direct, drone hijacking. → CVEs: CVE-2017-13077, CVE-2020-24588

14 Tools & Hardware ● Beginner
   40+ tools, recommended adapters, SDR hardware, Bluetooth sniffers. → Includes: Alfa, HackRF, Ubertooth

15 Post-Exploitation ● Advanced
   Pivoting, ARP spoofing, NTLM relay, lateral movement from wireless to wired. → Tools: Responder, ntlmrelayx, bettercap
