WiFi security remains one of the most common blind spots in the corporate attack surface. A poorly configured wireless network exposes credentials, allows pivoting into the internal network and offers a physical entry vector that never has to cross the perimeter firewall. This wireless pentesting guide walks through the full methodology of a 802.11 audit: reconnaissance, attacks against WPA2 and WPA3, WPS, rogue access points and evil twins, attacks against the Enterprise plane (EAP and 802.1X), and the defences that actually reduce risk.
Wireless pentesting essentials
- The 802.11 attack surface includes unencrypted management frames, the authentication handshake, WPS, the AP configuration and the RADIUS/EAP plane.
- Against WPA2-PSK you capture the 4-way handshake or the PMKID and crack it offline with hashcat (mode 22000).
- WPA3-SAE removes the classic offline crack, but opens new vectors: transition-mode downgrade and the Dragonblood side channels.
- The evil twin and rogue AP are not a one-off trick but a methodology to capture both PSK and Enterprise (MSCHAPv2) credentials.
- Effective defence combines 802.1X with EAP-TLS, PMF (802.11w), VLAN segmentation and a WIDS/WIPS that detects unauthorised APs.
The 802.11 attack surface and audit methodology
The 802.11 standard separates traffic into three frame types: management (beacons, probe, deauth, authentication), control (RTS/CTS, ACK) and data. The historical problem is that management frames travel unencrypted and unauthenticated unless PMF (Protected Management Frames, 802.11w) is enabled. That allows deauthentication denial attacks and makes the evil twin easier.
A serious wireless audit follows a repeatable sequence: passive spectrum reconnaissance, SSID and cipher identification, vector selection (PSK, WPS, Enterprise or rogue AP), controlled exploitation and, finally, verification of segmentation once inside. This methodology dovetails with infrastructure penetration testing internal and external, because compromising the WiFi is rarely the final objective: it is the foothold used to move towards internal systems.
Reconnaissance: monitor mode and airodump-ng
The first step is putting the card into monitor mode, which captures every frame on the medium rather than only those addressed to the NIC. With the Aircrack-ng suite:
airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng shows, for each network, the BSSID, channel, cipher class (WPA2, WPA3), cipher (CCMP, GCMP), authentication method (PSK, SAE, MGT for Enterprise) and associated clients. To capture handshakes you lock channel and BSSID:
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
For broad reconnaissance, Kismet adds passive multi-channel detection and AP geolocation, while hcxdumptool is optimised for PMKID capture at scale. This whole phase is, in essence, radio-frequency sniffing, an area that overlaps with what is covered in what is a sniffer and network traffic analysis.
Attacking WPA2-PSK: handshake and PMKID
WPA2 with a pre-shared key derives the session key (PTK) from the PSK using PBKDF2-HMAC-SHA1 with 4096 iterations. The attacker does not need to break the cipher in real time: capturing enough material to validate password candidates offline is sufficient.
4-way handshake
The 4-way EAPOL handshake (messages M1 to M4) exchanges the nonces (ANonce, SNonce) and a MIC derived from the PTK. Those fields let you test passwords offline. To force a client to re-authenticate and capture the handshake, you send a targeted deauth:
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
When airodump-ng shows "WPA handshake" in the header, the material is captured. Deauth is intrusive and noisy, and with PMF enabled (mandatory in WPA3) it stops working, which is a healthy defensive signal.
Clientless PMKID
The PMKID attack (Steube, 2018) removes the need for a connected client. Many APs include the PMKID in the first EAPOL message, computed as HMAC-SHA1 over the PMK, the string "PMK Name", the AP MAC and the client MAC. Capturing it enables offline cracking with no deauth and no victim:
hcxdumptool -i wlan0mon -o dump.pcapng
hcxpcapngtool -o hash.22000 dump.pcapng
It only works on APs that expose the PMKID (common with roaming and 802.11r), but when it applies it is stealthy and highly efficient.
Cracking with hashcat
Both vectors converge on the unified 22000 format in hashcat, which replaced the old modes 2500 (EAPOL) and 16800 (PMKID):
hashcat -m 22000 hash.22000 rockyou.txt
hashcat -m 22000 hash.22000 -a 3 ?d?d?d?d?d?d?d?d
Because PBKDF2 is deliberately slow, success depends on password quality. A default router PSK (MAC-based patterns, 8 digits, ISP name) falls in minutes or hours. A random 16-character-or-longer passphrase is infeasible with realistic hardware. That is exactly why the number-one defensive recommendation is, simply, length and entropy.
WPA3, SAE and downgrade attacks
WPA3 replaces the PSK handshake with SAE (Simultaneous Authentication of Equals, also called Dragonfly). SAE provides mutual authentication and forward secrecy, and removes the capturable handshake that underpins offline cracking: there is no hash to feed hashcat.
That does not make it invulnerable. The Dragonblood research (Vanhoef and Ronen, 2019) documented timing and cache side channels that leak information about the password (CVE-2019-9494 and CVE-2019-9496), plus a timing leak with Brainpool curves (CVE-2019-13377). The most practical vector in an audit is the transition-mode downgrade: when a network advertises WPA3 and WPA2 at the same time for compatibility, an evil twin offering only WPA2 forces clients to negotiate the weak protocol, bringing the scenario back to the crackable handshake. It is also worth remembering KRACK (CVE-2017-13077 and following), the key reinstallation in the 4-way handshake that affected WPA2 implementations and still shows up on unpatched IoT devices.
WPS: the toggle everyone forgets to disable
WPS (Wi-Fi Protected Setup) uses an 8-digit PIN that, by design, is validated in two halves with a checksum, reducing the real space to around 11,000 attempts. Reaver and Bully automate that online brute force. Worse still, the Pixie Dust attack (with pixiewps) exploits weak nonce generation (E-S1 and E-S2) in certain chipsets and recovers the PIN offline in seconds. A compromised PIN reveals the full PSK, no matter how strong it is. The practical takeaway is blunt: WPS must be disabled on any corporate network.
Rogue AP and evil twin as a methodology
The evil twin involves standing up an AP with the same SSID as the legitimate one, forcing victims to disconnect with deauth and capturing the traffic or credentials of anyone who joins the fake. It is not an isolated attack but a complete methodology that tools like airgeddon, eaphammer, hostapd-wpe and wifiphisher orchestrate end to end. Against WPA2-PSK it is paired with a cloned captive portal that requests the password, a technique that intersects with phishing and its variants. Against the network plane, the fake AP is combined with poisoning to intercept sessions, exactly the scenario described in what is a man in the middle attack.
WPA2/WPA3-Enterprise: attacking EAP and 802.1X
Enterprise mode replaces the PSK with 802.1X authentication against a RADIUS server using EAP. Security depends on the EAP method and, above all, on whether the client validates the server certificate:
- EAP-TLS: certificates on both ends. This is the strong method and the defensive target.
- PEAP-MSCHAPv2 and EAP-TTLS: credential-based authentication inside a TLS tunnel. Vulnerable when the client does not verify the server certificate.
The canonical attack is a rogue RADIUS server built with hostapd-wpe or eaphammer: the evil twin advertises the Enterprise SSID, and misconfigured clients hand the MSCHAPv2 challenge/response to the attacker's server. That NetNTLM material is cracked offline with hashcat -m 5500, or the underlying DES is broken with asleap and services such as crack.sh. The root cause is almost never the protocol: it is a deployment that fails to enforce server CA validation on the supplicants.
Defence: segmentation, 802.1X and WIDS
A hardened wireless network applies several layers cumulatively:
- WPA3-Enterprise with EAP-TLS and client certificates, or the 192-bit mode for high-security environments. If WPA2 stays, require passphrases of 16 characters or more and avoid transition mode where possible.
- PMF (802.11w) mandatory, to neutralise deauth attacks and make the evil twin harder.
- Strict server certificate validation on every Enterprise supplicant, with CA pinning. This is the countermeasure that nullifies the MSCHAPv2 attack.
- VLAN segmentation and client isolation: the guest SSID must never reach the internal network, and corporate WiFi should be treated as an untrusted zone with NAC.
- WPS disabled across the entire AP fleet.
- WIDS/WIPS to detect rogue APs, deauth patterns and evil twins, integrated with the SOC.
Validating all of this in practice, not just in the configuration, is the goal of our wireless network audit, where we reproduce these vectors within an authorised scope and deliver a prioritised remediation plan.
Frequently asked questions
Can WPA3 be cracked?
Not with the classic WPA2 offline crack, because SAE exposes no reusable handshake. The real vectors against WPA3 are different: transition-mode downgrade to WPA2, the Dragonblood side channels (CVE-2019-9494) and implementation bugs in unpatched hostapd or wpa_supplicant. A pure WPA3 network, with an up-to-date implementation and no transition mode, resists the dictionary attack that sinks WPA2-PSK.
What is the difference between capturing the handshake and the PMKID?
The 4-way handshake requires a connected client to force into re-authentication with deauth, which is noisy. The PMKID is obtained directly from the AP in the first EAPOL message, with no victim and no deauth, as long as the AP includes it. Both end up in the same hashcat 22000 format for offline cracking.
Is it legal to audit my own WiFi network?
Yes, on your own infrastructure or with express written authorisation. Capturing traffic from or attacking third-party networks without permission is a criminal offence in Spain (Penal Code, article 197) and in most European frameworks. Any professional audit starts from a signed scope that defines networks, time windows and intrusiveness limits.
What WiFi card do I need for wireless pentesting?
One that supports monitor mode and packet injection. The Atheros AR9271 chipset and Realtek RTL8812AU-based adapters (with 5 GHz support) are common choices. For PMKID at scale, hcxdumptool requires an adapter with compatible drivers. The 5 GHz and 6 GHz bands (WiFi 6E) are increasingly relevant and not every adapter covers them.
Does the evil twin work against WPA3?
It is harder, because SAE provides mutual authentication and PMF protects management frames, which complicates the preceding deauth. The viable vector is the downgrade: if the network runs in WPA3/WPA2 transition mode, the evil twin advertises WPA2 only and drags clients onto the weak protocol. Disabling transition mode largely closes that door.
Related resources
- What is a sniffer and network traffic analysis
- What is a man in the middle attack
- Infrastructure penetration testing internal and external
- How to avoid phishing
- What is social engineering
WiFi audits with Secra
At Secra we assess real wireless networks within an authorised scope: spectrum reconnaissance, tests against WPA2 and WPA3, WPS, rogue AP detection and segmentation validation once access is compromised. We deliver reproducible evidence and a prioritised remediation plan. If you need to measure the real exposure of your corporate WiFi, contact us and we will scope the engagement for your environment.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

