Tooling

Wireless / Wi-Fi Pentesting

Aircrack-ng, Bettercap, hcxdumptool — auditing Wi-Fi, WPA, WPS, captive portals.

Wireless engagements are still bread-and-butter for physical / on-site pentests and bug-bounty house-call work. WPA3 raised the bar but most environments are still WPA2-PSK or WPA2-Enterprise. For radio (sub-GHz / RFID / SDR) see Hardware Hacking (Flipper) and the SDR Receivers section.

Hardware (the prerequisite)

  • Alfa AWUS036ACM / AWUS036ACHM — dual-band, monitor + injection on Linux. The default field card.
  • Alfa AWUS036NHA (2.4 GHz only) — long-time classic for older networks.
  • Panda PAU09 / TP-Link TL-WN722N v1 — budget options; v1 only — newer revisions are not Atheros.
  • Hak5 Wi-Fi Pineapple Mark VII / Enterprise — purpose-built rogue-AP / evil-twin platform.
  • Flipper Zero + Marauder dev board — pocketable Wi-Fi attacks (via ESP32-S2/S3); see Hardware Hacking.
  • ESP32-Marauder — DIY ESP32 Wi-Fi multitool.

Capture / dump

  • hcxdumptool (ZerBea) — modern WPA/WPA2 PMKID + handshake captor; the contemporary replacement for airodump-ng write-pcap-and-pray. Free.
  • hcxtools — companion: convert .pcapng → .hc22000 hashcat format (hcxpcapngtool).
  • airodump-ng (Aircrack-ng suite) — the classic; still works fine.
  • Kismet — passive 802.11 + Bluetooth + ZigBee / Z-Wave wardriving and detection.
  • Wireshark + airmon-ng — hands-on packet analysis.

Crack / replay / inject

  • Aircrack-ng suiteairodump-ng, aireplay-ng, aircrack-ng, airmon-ng. Decades old, still ubiquitous. Free.
  • Wifite — automation wrapper around Aircrack / hcxtools / Reaver — runs every attack against every nearby AP. Great for on-site engagements.
  • Bettercap 2 — Go-based MitM platform; Wi-Fi recon, deauth, ARP/DNS spoof, BLE. Modern Ettercap successor. Free.
  • Reaver / Bully / OneShot — WPS PIN brute-forcers; still pulls credentials from old SOHO routers.
  • Pyrit (legacy) — GPU-accelerated WPA cracker; mostly superseded by Hashcat.

Hash cracking (offline)

  • ★ ★ Hashcat with mode 22000 — modern WPA/WPA2 PMKID + handshake mode (replaces 16800 / 2500). The GPU king. Free. See Password Cracking.
  • John the Ripper jumbo — alternate.
  • wpa-sec.stanev.org / WPA-SEC — community hash submission / collaborative cracking.

Evil twin / captive portal / phishing AP

  • eaphammer — WPA-Enterprise evil-twin → cred capture + relay.
  • airgeddon — bash menu wrapper around evil-twin / handshake / WPS workflows.
  • WiFiPhisher — automated rogue-AP phishing with templated captive-portal pages.
  • Fluxion — handshake-capture driven evil-twin.
  • MANA / hostapd-wpe — fake-AP daemons supporting WPA-Enterprise EAP relay.

Bluetooth / BLE adjacents

  • Bettercap BLE module, bluez tooling, gatttool, Sniffle (TI dongle), Ubertooth One (legacy hardware).
  • BlueDucky / Flipper Zero BLE — see Hardware Hacking.

Wi-Fi mapping / wardriving

  • WiGLE — global SSID / BSSID database; mobile + web; submit your wardrive logs.
  • Kismet — local mapping during a drive.
  • iSniff-GPS — older.

WPA3 / 802.11w considerations

  • WPA3 SAE blocks PMKID-based offline attacks; "transition mode" networks still leak via the WPA2 side.
  • Dragonblood PoCs (Vanhoef) — WPA3 implementation flaws; some still affect old firmware.
  • 802.11w (PMF) blocks deauth-style attacks; check airmon-ng / Bettercap support.

Pick this if…

  • Default WPA2 PSK capture: hcxdumptool → hcxtools → Hashcat mode 22000.
  • One command to attack everything nearby: Wifite or airgeddon.
  • MitM / live deauth / BLE recon: Bettercap.
  • WPA-Enterprise evil-twin: eaphammer.
  • Recon / wardriving / mapping: Kismet + WiGLE.
  • Pocketable demo: Flipper Zero + ESP32-Marauder.
  • Hash cracking: Hashcat with WPA-friendly wordlists.

On this page