Wireless Pentesting Checklist
How to perform real-world WiFi pentesting:
Unauthenticated
- Collect details using airodump-ng / Kismet / WiFi Analyzer: SSID, BSSID, channel, encryption type, WPS status
- If WPS is enabled → assess WPS exposure; if not → proceed with other authentication methods
- Identify encryption type: Open / WEP / WPA2 / WPA3 (note handshake + authentication type)
- Check WiFi signal leakage beyond intended physical boundary (office perimeter)
- Use airodump-ng to monitor target AP and clients; identify active stations
- Check for captive portal:
  - Observe authentication flow
  - Validate client binding/session behavior
- Validate MAC filtering / access restrictions (if present)
- Test network reachability (if any partial access exists): DNS / HTTP / ICMP behavior
- Observe traffic patterns for exposed services or misconfigurations
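The inventory the first bullets ask for (SSID, BSSID, channel, encryption type, associated stations) can be pulled from airodump-ng's CSV dump instead of being read off the terminal. The script below is an added example, not part of the original checklist: it parses a constructed airodump-ng CSV (`-w prefix --output-format csv`), flags Open/WEP/WPA1/TKIP networks, lists the stations associated to each BSSID, and reports unassociated clients that are probing for the target SSIDs (a signal-leakage indicator). The CSV has no WPS column (airodump-ng shows WPS on its live display with `--wps`), so WPS status is not covered here; every MAC, SSID and timestamp in the sample is invented.

```python
import csv
import io

# Constructed sample in the CSV layout airodump-ng writes (-w prefix --output-format csv);
# every BSSID, station MAC, ESSID and timestamp below is invented for illustration.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, CorpNet, 
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN,  ,  , -60,   80,  0,   0.  0.  0.  0,   5, Guest, 
AA:BB:CC:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP, WEP,  , -70,   40, 15,   0.  0.  0.  0,   6, OldLab, 
AA:BB:CC:00:00:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 130, WPA2 WPA, CCMP TKIP, PSK, -50,  200,  0,   0.  0.  0.  0,   4, Mixd, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:01, 2024-01-01 10:00:05, 2024-01-01 10:04:50, -55,  30, AA:BB:CC:00:00:01, CorpNet
11:22:33:44:55:02, 2024-01-01 10:00:05, 2024-01-01 10:04:50, -65,  12, AA:BB:CC:00:00:01, 
11:22:33:44:55:03, 2024-01-01 10:01:00, 2024-01-01 10:02:00, -80,   3, (not associated), Guest,CorpNet
"""


def _table(rows):
    """Turn one header row plus data rows into a list of dicts."""
    header = [h.strip() for h in rows[0]]
    out = []
    for row in rows[1:]:
        if not row:
            continue
        row = [c.strip() for c in row]
        # A station can probe several ESSIDs; they are comma-separated and spill
        # past the last header column, so fold the extras back into one field.
        if len(row) > len(header):
            row = row[:len(header) - 1] + [", ".join(row[len(header) - 1:])]
        out.append(dict(zip(header, row)))
    return out


def parse_airodump_csv(text):
    """Return (access_points, stations) from an airodump-ng CSV dump."""
    rows = list(csv.reader(io.StringIO(text.strip()), skipinitialspace=True))
    split = rows.index([])  # a blank row separates the AP table from the station table
    return _table(rows[:split]), _table(rows[split + 1:])


def assess_aps(aps, stations):
    """Flag weak encryption per AP and list the stations currently associated to it."""
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].split()
        cipher = ap["Cipher"].split()
        flags = []
        if "OPN" in privacy:
            flags.append("open network (no encryption)")
        if "WEP" in privacy:
            flags.append("WEP (broken encryption)")
        if "WPA" in privacy:
            flags.append("WPA1 accepted (legacy)")
        if "TKIP" in cipher:
            flags.append("TKIP allowed (deprecated cipher)")
        clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        findings.append({
            "bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": int(ap["channel"]),
            "privacy": ap["Privacy"], "flags": flags, "clients": clients,
        })
    return findings


def probing_clients(stations, target_essids):
    """Unassociated stations probing for one of the target ESSIDs: devices carrying the
    corporate profile are in radio range but not connected (a leakage indicator)."""
    hits = {}
    for s in stations:
        if s["BSSID"] != "(not associated)":
            continue
        probed = [p.strip() for p in s["Probed ESSIDs"].split(",") if p.strip()]
        wanted = [p for p in probed if p in target_essids]
        if wanted:
            hits[s["Station MAC"]] = wanted
    return hits


if __name__ == "__main__":
    aps, stas = parse_airodump_csv(SAMPLE_CSV)
    for f in assess_aps(aps, stas):
        print(f"{f['bssid']} ch{f['channel']:>3} {f['essid']:<8} {f['privacy']:<10} "
              f"clients={len(f['clients'])} {'; '.join(f['flags']) or 'ok'}")
    print("probing for target SSIDs:", probing_clients(stas, {"CorpNet", "Guest"}))
```

Point the parser at the real `prefix-01.csv` that airodump-ng writes; the station table is what answers the "identify active stations" bullet, and the unassociated probers are the clients to look at when checking how far the corporate SSID's footprint reaches.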
If Enterprise Setup (802.1X) is in use
- Identify WPA2/WPA3-Enterprise deployment
- Determine EAP method (PEAP / EAP-TLS / TTLS / others)
- Validate certificate authentication behavior (trusted / untrusted / pinned)
- Identify RADIUS dependency and authentication flow
- Assess misconfigurations in enterprise authentication policy
- Evaluate rogue AP / Evil Twin feasibility (only in authorized scope)
- Check client-side trust validation behavior
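Client-side trust validation (the "certificate authentication behavior" and "client-side trust validation" bullets) comes down to whether the supplicant pins a CA and checks the RADIUS server's name. The checker below is an added example, not part of the original checklist or of wpa_supplicant: it parses two constructed `wpa_supplicant.conf` network blocks for a PEAP/MSCHAPv2 network, one with no server validation and one that sets `ca_cert` and `domain_match`, and reports what each is missing. The SSID, identity, CA path and RADIUS hostname are invented; the option names (`ca_cert`, `domain_match`, `domain_suffix_match`, `altsubject_match`, `anonymous_identity`) are real wpa_supplicant settings.

```python
import re

# Two constructed wpa_supplicant.conf network blocks for a PEAP/MSCHAPv2 network.
# The first skips server validation entirely; the second pins the CA and the
# RADIUS server's certificate name. SSID, identity, path and hostname are invented.
WEAK_CONF = """
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELLED_EAP = {"PEAP", "TTLS"}    # inner credential rides inside a TLS tunnel
TLS_EAP = {"PEAP", "TTLS", "TLS"}   # methods that present a server certificate
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(conf):
    """Yield one {key: value} dict per network={...} block (quotes stripped)."""
    for body in re.findall(r"network=\{(.*?)\}", conf, re.DOTALL):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        yield net


def assess_supplicant_conf(conf):
    """Map each SSID to the list of server-trust weaknesses in its 802.1X settings."""
    report = {}
    for net in parse_networks(conf):
        issues = []
        eap = net.get("eap", "").upper()
        if net.get("key_mgmt", "").upper() == "WPA-EAP" and eap in TLS_EAP:
            if "ca_cert" not in net:
                # Without ca_cert wpa_supplicant accepts any server certificate,
                # so any RADIUS server can terminate the TLS tunnel.
                issues.append("no ca_cert: server certificate is not validated")
            if not any(k in net for k in NAME_CHECKS):
                # A trusted CA alone is not enough: any certificate that CA issued
                # would be accepted unless the server name is also matched.
                issues.append("no domain_match/domain_suffix_match: server name not checked")
            if eap in TUNNELLED_EAP and "anonymous_identity" not in net:
                # The outer EAP-Identity is sent in the clear before the tunnel exists.
                issues.append("no anonymous_identity: real username exposed in outer identity")
        report[net.get("ssid", "?")] = issues
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, issues in assess_supplicant_conf(conf).items():
            print(f"[{label}] {ssid}: {issues or 'ok'}")
```

The same three properties (CA pinned, server name matched, outer identity anonymised) are what to look for in managed Windows or macOS wireless profiles; the wpa_supplicant form is just the one that is easiest to read as text.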
Authenticated (Access to Network Obtained)
- Enable Wireshark before connecting; inspect traffic (DNS / HTTP / SMB / mDNS / ARP)
- Identify internal service discovery protocols (Avahi / mDNS, NetBIOS, SSDP)
- Map internal devices (printers, IoT devices, smart TVs, Macs)
- Check VLAN / subnet segmentation between users, servers, and sensitive systems
- Validate outbound traffic restrictions (DNS / HTTP / HTTPS filtering)
- Check whether restricted content or services (malicious sites, Tor, etc.) are blocked or allowed
- Monitor internal communication patterns for exposed services or misconfigurations
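Once the capture from the Wireshark bullet exists, the discovery-protocol and segmentation bullets can be answered from a field export of it. The script below is an added example, not part of the original checklist: it reads constructed lines in the tab-separated shape that `tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e udp.dstport -e tcp.dstport` emits (`capture.pcapng` is a placeholder name), records which hosts speak mDNS / SSDP / LLMNR / NetBIOS, and lists unicast flows that cross a subnet boundary, which is where a VLAN / segmentation claim should be verified. The addresses and flows are invented; the port-to-protocol table is standard.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the tab-separated shape of
#   tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e udp.dstport -e tcp.dstport
# Addresses and flows are invented; capture.pcapng is a placeholder file name.
SAMPLE_FIELDS = """\
10.10.20.15\t224.0.0.251\t5353\t
10.10.20.15\t10.10.20.255\t137\t
10.10.30.7\t239.255.255.250\t1900\t
10.10.20.22\t10.10.20.255\t138\t
10.10.20.22\t224.0.0.252\t5355\t
10.10.20.15\t10.10.50.5\t\t445
10.10.20.15\t10.10.50.5\t\t445
10.10.20.31\t10.10.20.1\t53\t
10.10.20.31\t10.10.50.9\t\t9100
"""

# Destination ports of the discovery and file/print protocols the checklist names.
PORT_NAMES = {5353: "mDNS", 1900: "SSDP", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
              5355: "LLMNR", 445: "SMB", 53: "DNS", 9100: "JetDirect"}


def parse_fields(text):
    """Yield (src, dst, port) from tshark field lines; port is whichever of udp/tcp is set."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, udp, tcp = (line.split("\t") + ["", "", "", ""])[:4]
        port = int(udp or tcp) if (udp or tcp) else None
        yield src, dst, port


def analyze(text, prefixlen=24):
    """Return (talkers, cross_segment): which hosts speak each named protocol, and which
    unicast flows leave the source's /prefixlen, i.e. segmentation boundaries to verify."""
    talkers = defaultdict(set)
    cross = []
    for src, dst, port in parse_fields(text):
        name = PORT_NAMES.get(port)
        if name is None:
            continue
        talkers[name].add(src)
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip.is_multicast:
            continue  # mDNS/SSDP/LLMNR are link-local by design, not a segmentation signal
        src_net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        if dst_ip not in src_net and (src, dst, name) not in cross:
            cross.append((src, dst, name))
    return dict(talkers), cross


if __name__ == "__main__":
    talkers, cross = analyze(SAMPLE_FIELDS)
    for proto, hosts in sorted(talkers.items()):
        print(f"{proto:<12} {', '.join(sorted(hosts))}")
    print("flows crossing a /24 boundary (verify against the segmentation policy):")
    for src, dst, proto in cross:
        print(f"  {src} -> {dst} ({proto})")
```

Hosts that answer mDNS/SSDP are the printers, smart TVs and Macs the device-mapping bullet is after; the cross-segment list is only a lead, since a /24 is an assumption about how the site is addressed, so confirm each flow against the actual VLAN design rather than treating it as a finding on its own.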
Reference
Wireless Pentesting Tools
Aircrack-ng Suite
| Tool | Description |
|---|---|
| Aircrack-ng | Core WiFi auditing suite used for monitoring, capturing packets, and cracking WPA/WPA2-PSK handshakes. |
| Airodump-ng | Passive wireless sniffing tool used to capture SSIDs, BSSIDs, clients, and handshake data. |
| Aireplay-ng | Packet injection tool used for generating traffic and testing wireless authentication flows. |
| Airbase-ng | Used to create rogue access points for testing client behavior and network responses. |
WPS Attack Tools
| Tool | Description |
|---|---|
| Reaver | Exploits WPS PIN vulnerabilities to recover WPA/WPA2 passphrases. |
| Bully | Alternative WPS attack tool with improved stability in certain router implementations. |
Wireless Reconnaissance Tools
| Tool | Description |
|---|---|
| Kismet | Passive wireless network detector used for reconnaissance, discovery, and traffic monitoring. |
| Wifite | Automated WiFi attack framework that integrates multiple wireless tools for testing. |
Handshake & Capture Tools
| Tool | Description |
|---|---|
| hcxdumptool | Captures WPA/WPA2 handshakes and PMKID data for offline analysis. |
| hcxtools | Converts captured wireless data into formats compatible with cracking tools. |
WiFi Pentesting – Core Concepts
Wireless Fundamentals
| Concept | Description |
|---|---|
| 802.11 Standards | IEEE-defined WiFi communication standards (a/b/g/n/ac/ax) that define how wireless devices communicate, including speed, modulation, and frequency usage. |
| SSID | The public name of a wireless network broadcast by an access point to allow clients to identify and connect to it. |
| BSSID | The unique MAC address of a specific access point radio, used to differentiate individual APs even if they share the same SSID. |
| ESSID | The SSID shared by a group of access points (an Extended Service Set) so that clients can roam seamlessly across larger coverage areas. |
| Channel | A specific frequency segment within a WiFi band used to transmit data while minimizing interference from nearby networks. |
| Frequency Band | The radio spectrum used for WiFi communication such as 2.4 GHz (range), 5 GHz (speed), and 6 GHz (high capacity). |
WiFi Architecture
| Concept | Description |
|---|---|
| Access Point (AP) | A networking device that provides wireless connectivity and bridges wireless clients to the wired network infrastructure. |
| Client / Station (STA) | Any device (laptop, phone, IoT device) that connects to a wireless access point. |
| WLAN | A Wireless Local Area Network formed by one or more access points and connected clients. |
| Infrastructure Mode | Standard WiFi communication model where all client traffic is routed through an access point. |
| Ad-Hoc Mode | A decentralized wireless mode where devices communicate directly without an access point. |
Authentication & Security Models
| Concept | Description |
|---|---|
| Open System Authentication | A basic authentication method where no credentials are required to join the network. |
| Shared Key Authentication | A legacy authentication mechanism that uses a shared secret key (now largely obsolete). |
| WPA/WPA2-PSK | A password-based authentication model where all users share a single pre-shared key. |
| WPA2-Enterprise (802.1X) | An enterprise authentication model where each user is individually authenticated through a central identity system. |
| RADIUS | A centralized authentication, authorization, and accounting server used in enterprise wireless networks. |
| WPA3 SAE | A modern authentication protocol that provides stronger resistance against offline password attacks. |
Encryption Standards
| Concept | Description |
|---|---|
| WEP | An outdated encryption standard with serious cryptographic weaknesses and no real security. |
| TKIP | A transitional encryption protocol designed to replace WEP but now considered insecure and deprecated. |
| AES-CCMP | A strong encryption standard used in WPA2 that provides confidentiality, integrity, and authenticity. |
| GCMP | A modern encryption mode used in WPA3 offering improved security and performance. |
WiFi Frame Types
| Concept | Description |
|---|---|
| Management Frames | Frames used for establishing, maintaining, and terminating wireless connections between clients and access points. |
| Control Frames | Frames that manage data transmission reliability and coordination between devices. |
| Data Frames | Frames that carry actual user data across the wireless network. |
| Beacon Frames | Periodic broadcasts from access points that advertise network presence and capabilities. |
| Probe Requests / Responses | Frames used during network discovery when clients search for available WiFi networks. |
| Authentication Frames | Frames used during the initial authentication phase before a client joins the network. |
Network Components
| Concept | Description |
|---|---|
| Basic Service Set (BSS) | A single access point and its associated wireless clients forming one coverage area. |
| Extended Service Set (ESS) | A collection of multiple access points sharing the same SSID to provide seamless roaming. |
| Distribution System (DS) | The wired backbone that connects multiple access points in an enterprise network. |
| WLAN Controller | A centralized management system used to configure and control multiple access points in enterprise environments. |
Frequency & Channels
| Concept | Description |
|---|---|
| 2.4 GHz Band | A lower-frequency band offering wider coverage but more interference and congestion. |
| 5 GHz Band | A higher-frequency band providing faster speeds and lower interference. |
| 6 GHz Band | A modern WiFi 6E band designed for high-speed, low-latency wireless communication. |
| Channel Width | The amount of spectrum used per channel (20/40/80/160 MHz), affecting throughput and stability. |
| DFS Channels | 5 GHz channels subject to Dynamic Frequency Selection: the AP must detect radar and vacate the channel when it is present, and their availability is regulated by region. |