cyberneticlibrary

Penetration Test Wireless Networks

offensive-wifiskillsetup L32,144
SnailSploit/Claude-Red
What it does

Execute wireless 802.11 attacks, including handshake capture, PMKID, evil-twin, KARMA, WPS, KRACK, and FragAttacks.

Best for

Red-team wireless assessments where authorized testing of WPA/WPA2/WPA3 PSK, EAP, or WPS security is needed.

Inputs
  • Target BSSID, ESSID, channel, encryption type, and client list from recon phase
  • Wi-Fi adapter with monitor mode and packet injection
  • Wordlist or mask for offline WPA/WPA2 cracking
Outputs
  • WPA/WPA2 handshake or PMKID hash for hashcat/asleap offline cracking
  • Cracked PSK and plaintext Wi-Fi password
  • Captured EAP-MSCHAPv2 challenge-response (if WPA-Enterprise)
  • Evil-twin RADIUS credentials (if successful)
Requires
  • airodump-ng, aireplay-ng, airmon-ng (aircrack-ng suite)
  • hcxdumptool / hcxpcapngtool (PMKID/handshake extraction)
  • hashcat (GPU cracking, mode 22000 for WPA/PMKID)
  • asleap (NetNTLMv1 / MSCHAPv2 cracking)
  • eaphammer (rogue RADIUS for EAP)
  • wifiphisher (captive portal evil-twin)
  • mdk4 (DoS/testing)
  • reaver / bully (WPS Pixie Dust)
Preconditions
  • Prior recon phase completed (target BSSID, channel, encryption, client list known)
  • Compatible adapter with monitor mode + injection verified working
  • Targeting network within authorized scope (Rules of Engagement defined)
Failure modes
  • PMF (Protected Management Frames) enabled blocks deauthentication attacks
  • WPA3 / SAE requires downgrade to WPA2 or Dragonblood side-channel exploit
  • Handshake capture fails if no clients reconnect during window (PMKID bypass needed)
  • WPS lockout (after 3-6 failed attempts) prevents brute-force PIN recovery
  • KRACK/FragAttacks require driver-level packet injection — not all adapters/kernels support patched exploitation
  • Captive portal bypass requires client to actually visit the portal (social engineering)
Trust signals
  • Covers entire 802.11 attack surface: PSK handshake, PMKID, evil-twin, KARMA, WPS, KRACK, FragAttacks
  • Details adapter selection matrix (chipset by band + PHY)
  • WPA3/SAE downgrade and Dragonblood side-channel attacks documented
  • EAP-Enterprise variants (MSCHAPv2, GTC, TLS, PWD, FAST) covered