Wireless / Wi-Fi Pentesting
Aircrack-ng, Bettercap, hcxdumptool — auditing Wi-Fi, WPA, WPS, captive portals.
Wireless engagements are still bread-and-butter for physical / on-site pentests and bug-bounty house-call work. WPA3 raised the bar but most environments are still WPA2-PSK or WPA2-Enterprise. For radio (sub-GHz / RFID / SDR) see Hardware Hacking (Flipper) and the SDR Receivers section.
Hardware (the prerequisite)
- ★ Alfa AWUS036ACM / AWUS036ACHM — dual-band, monitor + injection on Linux. The default field card.
- Alfa AWUS036NHA (2.4 GHz only) — long-time classic for older networks.
- Panda PAU09 / TP-Link TL-WN722N v1 — budget options; v1 only — newer revisions are not Atheros.
- Hak5 Wi-Fi Pineapple Mark VII / Enterprise — purpose-built rogue-AP / evil-twin platform.
- Flipper Zero + Marauder dev board — pocketable Wi-Fi attacks (via ESP32-S2/S3); see Hardware Hacking.
- ESP32-Marauder — DIY ESP32 Wi-Fi multitool.
Capture / dump
- ★ hcxdumptool (ZerBea) — modern WPA/WPA2 PMKID + handshake captor; the contemporary replacement for
airodump-ngwrite-pcap-and-pray. Free. - hcxtools — companion: convert .pcapng → .hc22000 hashcat format (
hcxpcapngtool). - airodump-ng (Aircrack-ng suite) — the classic; still works fine.
- Kismet — passive 802.11 + Bluetooth + ZigBee / Z-Wave wardriving and detection.
- Wireshark + airmon-ng — hands-on packet analysis.
Crack / replay / inject
- ★ Aircrack-ng suite —
airodump-ng,aireplay-ng,aircrack-ng,airmon-ng. Decades old, still ubiquitous. Free. - Wifite — automation wrapper around Aircrack / hcxtools / Reaver — runs every attack against every nearby AP. Great for on-site engagements.
- Bettercap 2 — Go-based MitM platform; Wi-Fi recon, deauth, ARP/DNS spoof, BLE. Modern Ettercap successor. Free.
- Reaver / Bully / OneShot — WPS PIN brute-forcers; still pulls credentials from old SOHO routers.
- Pyrit (legacy) — GPU-accelerated WPA cracker; mostly superseded by Hashcat.
Hash cracking (offline)
- ★ ★ Hashcat with mode 22000 — modern WPA/WPA2 PMKID + handshake mode (replaces 16800 / 2500). The GPU king. Free. See Password Cracking.
- John the Ripper jumbo — alternate.
- wpa-sec.stanev.org / WPA-SEC — community hash submission / collaborative cracking.
Evil twin / captive portal / phishing AP
- eaphammer — WPA-Enterprise evil-twin → cred capture + relay.
- airgeddon — bash menu wrapper around evil-twin / handshake / WPS workflows.
- WiFiPhisher — automated rogue-AP phishing with templated captive-portal pages.
- Fluxion — handshake-capture driven evil-twin.
- MANA / hostapd-wpe — fake-AP daemons supporting WPA-Enterprise EAP relay.
Bluetooth / BLE adjacents
- Bettercap BLE module, bluez tooling, gatttool, Sniffle (TI dongle), Ubertooth One (legacy hardware).
- BlueDucky / Flipper Zero BLE — see Hardware Hacking.
Wi-Fi mapping / wardriving
- WiGLE — global SSID / BSSID database; mobile + web; submit your wardrive logs.
- Kismet — local mapping during a drive.
- iSniff-GPS — older.
WPA3 / 802.11w considerations
- WPA3 SAE blocks PMKID-based offline attacks; "transition mode" networks still leak via the WPA2 side.
- Dragonblood PoCs (Vanhoef) — WPA3 implementation flaws; some still affect old firmware.
- 802.11w (PMF) blocks deauth-style attacks; check
airmon-ng/ Bettercap support.
Pick this if…
- Default WPA2 PSK capture: hcxdumptool → hcxtools → Hashcat mode 22000.
- One command to attack everything nearby: Wifite or airgeddon.
- MitM / live deauth / BLE recon: Bettercap.
- WPA-Enterprise evil-twin: eaphammer.
- Recon / wardriving / mapping: Kismet + WiGLE.
- Pocketable demo: Flipper Zero + ESP32-Marauder.
- Hash cracking: Hashcat with WPA-friendly wordlists.