Wireless Pentesting Checklist
Core Concepts
Wi-Fi pentesting evaluates the security of wireless networks and their clients to determine whether an attacker within radio range can gain unauthorized access, intercept traffic, or pivot into the internal network. The goal is to validate encryption, authentication, segmentation, and physical signal exposure.
Phases
- Recon and discovery: enumerate SSIDs, BSSIDs, channels, encryption types, and WPS status.
- Access attempt: attack the relevant auth model (WEP/WPA2 handshake capture and cracking, or enterprise 802.1X).
- Rogue/Evil Twin testing: assess client trust and credential capture via spoofed access points (in scope only).
- Post-access assessment: once on the network, probe segmentation, internal services, and outbound controls.
- Reporting: document exposure, weak controls, and remediation.
Key concepts
- Encryption matters: Open and WEP are trivially broken; WPA2-PSK is offline-crackable from a captured handshake; WPA3 and 802.1X raise the bar.
- WPS PINs and weak pre-shared keys are common fast paths to access.
- Enterprise (802.1X) security hinges on server certificate validation and the EAP method; a misconfigured client profile enables credential theft.
- Signal leakage beyond the physical perimeter expands the attack surface.
- Flat networks (no VLAN/segmentation) turn Wi-Fi access into full internal access.
How to perform real-world Wi-Fi pentesting
Unauthenticated
- Collect details using airodump-ng / Kismet / WiFi Analyzer: SSID, BSSID, channel, encryption type, WPS status
- If WPS is enabled → assess WPS exposure; if not → proceed with the other authentication methods
- Identify encryption type: Open / WEP / WPA2 / WPA3 (note handshake + authentication type)
- Check Wi-Fi signal leakage beyond the intended physical boundary (office perimeter)
- Use airodump-ng to monitor the target AP and its clients; identify active stations
- Check for captive portal:
  - Observe authentication flow
  - Validate client binding/session behavior
- Validate MAC filtering / access restrictions (if present)
- Test network reachability (if any partial access exists): DNS / HTTP / ICMP behavior
- Observe traffic patterns for exposed services or misconfigurations
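The recon steps above produce a pile of airodump-ng output that still has to be triaged against the checklist (encryption type, authentication type, signal leakage, active stations). The script below is an added example, not part of the original checklist and not a tool from the Aircrack-ng project: it parses the CSV that airodump-ng writes with `-w`, classifies each access point by its advertised privacy/cipher/authentication fields, lists the APs that are still strong at the capture point, and lists clients that name an SSID of interest in their probe requests. The CSV sample, the addresses and the SSIDs are constructed; the "outside the perimeter" threshold is an assumption you would replace with your own survey values. WPS status is not recorded in this CSV format, so it is not assessed here.

```python
"""Triage airodump-ng CSV output against the unauthenticated recon checklist.

Added example (not from the original page or the Aircrack-ng project).
Parses the BSSID and Station sections of an airodump-ng CSV, assigns
checklist findings per AP, and reports leakage and probing clients.
"""
import csv
from dataclasses import dataclass, field

# Constructed sample in the airodump-ng CSV layout (BSSID section, blank
# line, station section). MACs and SSIDs are made up; this is not a capture.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, OPN , , , -40,  120,  0,   0.  0.  0.  0,   9, GuestWiFi,
00:11:22:33:44:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP , WEP, , -55,  80,  312,   0.  0.  0.  0,   6, Legacy,
00:11:22:33:44:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1, 130, WPA2 WPA, TKIP, PSK, -60,  200,  0,   0.  0.  0.  0,   7, MixedAP,
00:11:22:33:44:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 866, WPA2, CCMP, MGT, -65,  150,  0,   0.  0.  0.  0,   8, CorpWiFi,
00:11:22:33:44:05, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 44, 866, WPA3, CCMP, SAE, -78,  90,  0,   0.  0.  0.  0,   6, Modern,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50,  40, 00:11:22:33:44:01, GuestWiFi,CorpWiFi
AA:BB:CC:DD:EE:02, 2024-01-01 10:02:00, 2024-01-01 10:04:00, -62,  12, (not associated), Legacy
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # OPN, WEP, WPA, WPA2, WPA3, or a mix such as "WPA2 WPA"
    cipher: str    # WEP, TKIP, CCMP, GCMP (empty for open networks)
    auth: str      # PSK, MGT (802.1X), SAE (WPA3), or empty
    power: int     # RSSI in dBm as seen by the sniffer
    essid: str


@dataclass
class Station:
    mac: str
    power: int
    bssid: str                                  # "(not associated)" when idle
    probes: list = field(default_factory=list)  # SSIDs named in probe requests


def parse_airodump_csv(text):
    """Split the CSV at the 'Station MAC' header and parse both sections."""
    lines = text.splitlines()
    split = next((i for i, l in enumerate(lines) if l.startswith("Station MAC")), len(lines))
    aps, stations = [], []
    for row in csv.reader(lines[:split], skipinitialspace=True):
        if len(row) < 15 or row[0] == "BSSID":      # blank line or header
            continue
        aps.append(AccessPoint(row[0], int(row[3]), row[5].strip(), row[6].strip(),
                               row[7].strip(), int(row[8]), row[13].strip()))
    for row in csv.reader(lines[split:], skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        # 'Probed ESSIDs' is itself comma-separated, so it spills over row[6:].
        probes = [p.strip() for p in row[6:] if p.strip()]
        stations.append(Station(row[0], int(row[3]), row[5].strip(), probes))
    return aps, stations


def assess(ap):
    """Checklist findings for one AP; an empty list means nothing to flag."""
    findings = []
    modes = ap.privacy.split()
    if "OPN" in modes:
        findings.append("open network: no link-layer encryption, client traffic exposed")
    if "WEP" in modes:
        findings.append("WEP: broken cipher, treat as open")
    if "WPA" in modes and not ({"WPA2", "WPA3"} & set(modes)):
        findings.append("WPA1 only: deprecated")
    if "WPA" in modes and ({"WPA2", "WPA3"} & set(modes)):
        findings.append("mixed mode: legacy WPA/TKIP clients still accepted")
    if "TKIP" in ap.cipher:
        findings.append("TKIP cipher: deprecated, downgrade risk")
    if ap.auth == "PSK":
        findings.append("PSK: captured handshake is offline-crackable, verify passphrase policy")
    if ap.auth == "MGT":
        findings.append("802.1X: verify EAP method and client certificate validation")
    return findings


def strong_outside(aps, threshold_dbm=-70):
    """APs still at or above threshold_dbm at the capture point.
    Assumes (assumption) the capture was taken outside the intended perimeter."""
    return [ap for ap in aps if ap.power >= threshold_dbm]


def probing_clients(stations, ssids_of_interest):
    """Map each SSID of interest to the stations that probe for it by name.
    Such clients reveal the SSIDs they trust, which is the client-side
    behaviour the rogue AP / Evil Twin check evaluates and hardens."""
    hits = {}
    for sta in stations:
        for ssid in sta.probes:
            if ssid in ssids_of_interest:
                hits.setdefault(ssid, []).append(sta.mac)
    return hits


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps:
        print(f"{ap.essid:10} ch{ap.channel:<3} {ap.privacy:9} {ap.cipher:5} {ap.auth:4} {ap.power} dBm")
        for f in assess(ap):
            print("    -", f)
    print("strong at capture point:", [ap.essid for ap in strong_outside(aps)])
    print("probing clients:", probing_clients(stations, {"CorpWiFi"}))
```

Run it against a real `-w` CSV by replacing `SAMPLE_CSV` with the file contents; the findings map one-to-one onto the checklist items above, so the output doubles as the skeleton of the exposure section of the report.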
If Enterprise Setup (802.1X)
- Identify WPA2/WPA3-Enterprise deployment
- Determine EAP method (PEAP / EAP-TLS / TTLS / others)
- Validate certificate authentication behavior (trusted / untrusted / pinned)
- Identify RADIUS dependency and authentication flow
- Assess misconfigurations in enterprise authentication policy
- Evaluate rogue AP / Evil Twin feasibility (only in authorized scope)
- Check client-side trust validation behavior
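The enterprise items above (EAP method, certificate validation behavior, client-side trust) come down to a handful of settings in each client's 802.1X profile. The script below is an added example, not part of the original checklist and not a wpa_supplicant tool: a small linter over `network={...}` blocks in wpa_supplicant.conf syntax that shows a weak PEAP profile beside its hardened form and reports the same trust gaps the checklist asks you to validate. Both configurations are constructed; the SSID, identity, CA file path and RADIUS host name are placeholders. The option names (`ca_cert`, `domain_suffix_match`, `anonymous_identity`, `phase2`, and so on) are real wpa_supplicant options.

```python
"""Lint wpa_supplicant 802.1X network blocks for the trust settings the
enterprise checklist asks about.

Added example (not from the original page or from wpa_supplicant).
"""

# Constructed: PEAP profile that never validates the RADIUS server certificate.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: same profile with the CA pinned and the server name matched.
# Paths and host names are placeholders.
HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELED_EAP = {"PEAP", "TTLS", "FAST"}   # outer TLS tunnel carries the inner credential
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict per network={...} block, with surrounding quotes stripped.
    Simplified parser: one key=value per line; '#' inside values is not handled."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return blocks


def lint_network(net):
    """Checklist findings for one block; empty list means the profile is acceptable."""
    if not any(m.startswith("WPA-EAP") for m in net.get("key_mgmt", "").split()):
        return []                                   # not an 802.1X profile
    findings = []
    eap = net.get("eap", "").upper()
    phase2 = net.get("phase2", "").upper()
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: any RADIUS certificate is accepted, so inner "
                        "credentials are exposed to an impersonating server")
        if "PAP" in phase2:
            findings.append("PAP inner method without server validation: password "
                            "travels in cleartext inside an unverified tunnel")
    elif not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("ca_cert set but no server name match: any certificate "
                        "issued by that CA is accepted")
    if eap in TUNNELED_EAP and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: real username is sent in the "
                        "cleartext outer EAP identity")
    if eap == "TLS" and ("client_cert" not in net or "private_key" not in net):
        findings.append("EAP-TLS profile without client_cert/private_key")
    return findings


def lint(text):
    """Lint every block in a config; returns [(ssid, [findings]), ...]."""
    return [(net.get("ssid", "?"), lint_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in lint(conf):
            print(f"[{label}] {ssid}: {'OK' if not findings else ''}")
            for f in findings:
                print("    -", f)
```

The same three questions (is a CA configured, is the server name matched against it, is the outer identity anonymous) apply to managed Windows and mobile profiles; only the key names differ.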
Authenticated (Access to Network Obtained)
- Enable Wireshark before connecting; inspect traffic (DNS / HTTP / SMB / mDNS / ARP)
- Identify internal service discovery protocols (Avahi / mDNS, NetBIOS, SSDP)
- Map internal devices (printers, IoT devices, smart TVs, Macs)
- Check VLAN / subnet segmentation between users, servers, and sensitive systems
- Validate outbound traffic restrictions (DNS / HTTP / HTTPS filtering)
- Check whether restricted content or services (malicious sites, Tor, etc.) are blocked or allowed
- Monitor internal communication patterns for exposed services or misconfigurations
Reference
Wireless Pentesting Tools
Aircrack-ng Suite
| Tool | Description |
|---|---|
| Aircrack-ng | Core WiFi auditing suite used for monitoring, capturing packets, and cracking WPA/WPA2-PSK handshakes. |
| Airodump-ng | Passive wireless sniffing tool used to capture SSIDs, BSSIDs, clients, and handshake data. |
| Aireplay-ng | Packet injection tool used for generating traffic and testing wireless authentication flows. |
| Airbase-ng | Used to create rogue access points for testing client behavior and network responses. |
WPS Attack Tools
| Tool | Description |
|---|---|
| Reaver | Exploits WPS PIN vulnerabilities to recover WPA/WPA2 passphrases. |
| Bully | Alternative WPS attack tool with improved stability in certain router implementations. |
Wireless Reconnaissance Tools
| Tool | Description |
|---|---|
| Kismet | Passive wireless network detector used for reconnaissance, discovery, and traffic monitoring. |
| Wifite | Automated WiFi attack framework that integrates multiple wireless tools for testing. |
Handshake & Capture Tools
| Tool | Description |
|---|---|
| hcxdumptool | Captures WPA/WPA2 handshakes and PMKID data for offline analysis. |
| hcxtools | Converts captured wireless data into formats compatible with cracking tools. |
WiFi Pentesting – Core Concepts
Wireless Fundamentals
| Concept | Description |
|---|---|
| 802.11 Standards | IEEE-defined WiFi communication standards (a/b/g/n/ac/ax) that define how wireless devices communicate, including speed, modulation, and frequency usage. |
| SSID | The public name of a wireless network broadcast by an access point to allow clients to identify and connect to it. |
| BSSID | The unique MAC address of a specific access point radio, used to differentiate individual APs even if they share the same SSID. |
| ESSID | A logical grouping of multiple access points under the same SSID to provide seamless roaming across larger coverage areas. |
| Channel | A specific frequency segment within a WiFi band used to transmit data while minimizing interference from nearby networks. |
| Frequency Band | The radio spectrum used for WiFi communication such as 2.4 GHz (range), 5 GHz (speed), and 6 GHz (high capacity). |
WiFi Architecture
| Concept | Description |
|---|---|
| Access Point (AP) | A networking device that provides wireless connectivity and bridges wireless clients to the wired network infrastructure. |
| Client / Station (STA) | Any device (laptop, phone, IoT device) that connects to a wireless access point. |
| WLAN | A Wireless Local Area Network formed by one or more access points and connected clients. |
| Infrastructure Mode | Standard WiFi communication model where all client traffic is routed through an access point. |
| Ad-Hoc Mode | A decentralized wireless mode where devices communicate directly without an access point. |
Authentication & Security Models
| Concept | Description |
|---|---|
| Open System Authentication | A basic authentication method where no credentials are required to join the network. |
| Shared Key Authentication | A legacy authentication mechanism that uses a shared secret key (now largely obsolete). |
| WPA/WPA2-PSK | A password-based authentication model where all users share a single pre-shared key. |
| WPA2-Enterprise (802.1X) | An enterprise authentication model where each user is individually authenticated through a central identity system. |
| RADIUS | A centralized authentication, authorization, and accounting server used in enterprise wireless networks. |
| WPA3 SAE | A modern authentication protocol that provides stronger resistance against offline password attacks. |
Encryption Standards
| Concept | Description |
|---|---|
| WEP | An outdated encryption standard with serious cryptographic weaknesses and no real security. |
| TKIP | A transitional encryption protocol designed to replace WEP but now considered insecure and deprecated. |
| AES-CCMP | A strong encryption standard used in WPA2 that provides confidentiality, integrity, and authenticity. |
| GCMP | A modern encryption mode used in WPA3 offering improved security and performance. |
WiFi Frame Types
| Concept | Description |
|---|---|
| Management Frames | Frames used for establishing, maintaining, and terminating wireless connections between clients and access points. |
| Control Frames | Frames that manage data transmission reliability and coordination between devices. |
| Data Frames | Frames that carry actual user data across the wireless network. |
| Beacon Frames | Periodic broadcasts from access points that advertise network presence and capabilities. |
| Probe Requests / Responses | Frames used during network discovery when clients search for available WiFi networks. |
| Authentication Frames | Frames used during the initial authentication phase before a client joins the network. |
Network Components
| Concept | Description |
|---|---|
| Basic Service Set (BSS) | A single access point and its associated wireless clients forming one coverage area. |
| Extended Service Set (ESS) | A collection of multiple access points sharing the same SSID to provide seamless roaming. |
| Distribution System (DS) | The wired backbone that connects multiple access points in an enterprise network. |
| WLAN Controller | A centralized management system used to configure and control multiple access points in enterprise environments. |
Frequency & Channels
| Concept | Description |
|---|---|
| 2.4 GHz Band | A lower-frequency band offering wider coverage but more interference and congestion. |
| 5 GHz Band | A higher-frequency band providing faster speeds and lower interference. |
| 6 GHz Band | A modern WiFi 6E band designed for high-speed, low-latency wireless communication. |
| Channel Width | The amount of spectrum used per channel (20/40/80/160 MHz), affecting throughput and stability. |
| DFS Channels | Dynamic frequency channels that avoid radar interference and are regulated in certain regions. |