2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

Bugcrowd Achieves Global CREST Accreditation For Pen Testing Learn More

LEVELUPX

WiFi hacking
tools and how Request
a Demo

to use them Contact

Us

July 24, 2024 | By Bugcrowd

Back to blog

Hi there 👋 Want to speak with an

Introduction expert to learn more about

Bugcrowd? We're ready to help you
1

We are living in the era of WiFi 6 and WiFi Protected with...

Access version 3 (WPA3). Processing speeds and security

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 1/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

technologies over the past decade have improved

dramatically. Gone are the days of crackable handshakes
and cryptographic vulnerabilities. Nevertheless, the
adoption of new security protocols and hardware has
remained slow. As a result, many vulnerable WPA2 and
open access points (APs) still linger today. In this blog
post, we’ll revisit some classic WiFi blasts from the past,
talk about cool WiFi recon and hacking tools, and explore
how properly implemented WPA3 isn’t hackable—yet.
There is very little research on WPA3 security design.
However, WPA3 is not as vulnerable as WPA2 to offline
brute force attacks, making WPA3 much safer to use. Request
a Demo

Types of WiFi attacks Contact

Sniffing Us

Sniffing is simply the act of listening to the wireless traffic

in proximity by placing a WiFi card on “monitoring mode.”
Monitoring mode is only supported by certain devices and
drivers, but given the right hardware, it can easily be Category
enabled on any operating system with tools like Wireshark
and the aircrack-ng suite. USB WiFi cards from Alfa
Tag
networks and TP-Link Archer series usually do well at
monitor mode and packet injection. The same applies to
the internal WiFi cards on MacBooks.

Sniffing and decrypting encrypted packets can be

performed on WEP and WPA/2 (WPA or WPA2) networks
after knowing or cracking the password with tools like
airdecap-ng and Wireshark. Of course, for open (non-
WPA3) WiFi networks, you can just simply sniff the data
https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 2/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

packets on any channel and get all network traffic, from

DNS and HTTP to encrypted TLS packets.

Injection
The physical layer (layer one) of WiFi is made up of radio
waves, making WiFi different from wired networks where
one has to be “plugged in” for access. The injection of
WiFi management and data packets can therefore be
performed easily as long as you are in the transmitting
proximity of the receiving device (be it an AP or a client).
Tools such as aireplay-ng and bettercap offer mature
support for different types of injection. Request
a Demo
Depending on the security of the target WiFi networks,
injection of management frames can be performed Contact
without knowing the WiFi passwords or encryption keys to Us
trick devices into disassociating, deauthenticating, or even
joining a new attack-controlled network. The repeat
injection of disassociation and deauthentication frames
can kick all clients off a network, essentially creating a
denial-of-service situation. The injection of data packets
such as Address Resolution Protocol (ARP) packets can
also be executed on open networks or WPA2 networks
with a known password.

Cracking
Older WiFi security standards (WPA2, WPA, and WEP) are
vulnerable to offline cracking, as long as you capture the
right data via sniffing. For WPA and WPA2, capturing the
first two packets in a four-way handshake via sniffing
when a new client is joining the network (or rejoining the
https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 3/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

network after you had kicked them off) is all you need to
start cracking.

WPA3 password-protected APs are only vulnerable to

online cracking, where the attacker repeatedly
authenticates to the AP by guessing passwords in a list.
This takes significantly longer and is very noisy but can be
done if the password is weak enough.

Rogue AP
Anyone, including attackers, can host a WiFi AP. A rogue
AP (sometimes called an “evil twin”) can be created to Request
attract clients that are meant to connect to the real APs. a Demo
The real APs are the ones they have saved on their
device via the service set identifier (SSID), which is the Contact
name of the AP. This technique can trick the end device to Us
authenticate with real credentials, be it a pre-shared key
(PSK) for WPA/2 networks that can be cracked or the
Extensible Authentication Protocol (EAP) username and
passwords in encrypted or even plaintext form.

Client devices will treat the rogue AP like the real network
after authentication and therefore send network traffic
that you can mine for sensitive information (e.g., internal
company domain names) or manipulate (e.g.,
impersonating a Windows server to receive NetNTLM
credentials). This is especially useful if an IoT device you
are testing is trying to connect to the internet and you
want to sniff/intercept its traffic to break into the device.

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 4/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

Aircrack-ng suite: The

old guard
Aircrack-ng is a large suite of tools for assessing WiFi
network security. It’s the most complete tool set of our
time and supports all types of WiFi attacks. It comes pre-
installed on Kali Linux, which should be run on a physical
laptop/desktop (bare metal) with injection-capable WiFi
cards or in a virtual machine with a USB WiFi card passed
through to it.

Request
To check if your WiFi card is injection-capable, run:
a Demo

aireplay-ng -9 wlan0
Contact
(where wlan0 is the name of your WiFi interface). Us

Airodump-ng is arguably the most useful tool in the suite;

it allows you to sniff all available WiFi frequency channels
(via frequency hopping), pick up information about all APs
and clients (e.g., SSID, MAC address, channels, and
encryption method in use), and so on. It can also detect
when a handshake is captured for an AP, letting you know
when you can start cracking the password.

When using airodump-ng, make sure to use -w when

writing output files:

airodump-ng wlan0 -w capture

The airodump-ng program will keep running and capturing

data until you hit Ctrl-C to interrupt the program.

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 5/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

You may want to focus on one specific channel so that

you can sniff data from a target AP. For example, if your Request
a Demo
target AP of interest is on channel 1, you can run:

airodump-ng wlan0 -c 1 -w channel1 Contact

Us
This will ensure that you are getting all the data on that
channel without losing any during channel hopping, and
when new clients authenticate to any APs on that channel,
you will receive the handshake.

The aircrack-ng suite also supports injection. You can use

aireplay-ng to perform deauthentication attacks on target
APs and clients using their MAC address on another
terminal window while airodump-ng is running. Running it
with just -a to specify the MAC address of the AP will
cause it to send deauthentication packets to all clients:

aireplay-ng -0 1 -a 00:11:22:33:44:55 wlan0

For greater accuracy, send deauthentication packets to

only a specific connected client (found via airodump-ng)

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 6/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

with -c:

aireplay-ng -0 1 -a 00:11:22:33:44:55 -c
11:22:33:44:55:66 wlan0

When the client reconnects, airodump-ng will report that a

WPA handshake has been captured, if it’s listening on the
right channel.

To crack passwords using aircrack-ng with your CPU

(since there’s no GPU support for it), pass it the capture
file (and optionally, a wordlist with -w). An example WPA
capture file for practice can be found here on the aircrack- Request
ng website. a Demo

aircrack-ng -w rockyou.txt wpa.full.cap Contact

Us

Now that we know the password, we can decrypt any

captured encrypted WPA packets after the point of the
handshake in the capture file using airdecap-ng:

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 7/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

airdecap-ng -p 44445555 ./wpa.full.cap -e teddy

The decrypted packets will show up in wpa.full-dec.cap.

This is especially useful in scenarios where you want to Request
see plaintext traffic flows in a WiFi network (e.g., DNS a Demo
requests and HTTP packets).
Contact
Bettercap: The new Us

Swiss army knife

Bettercap is a newer suite of network hacking tools for
WiFi, Bluetooth, IPv4, and IPv6. It supports WiFi sniffing
and newer injection attacks, such as PMKID-based
clientless attacks on vulnerable WPA/2 APs to obtain key
material for cracking passwords. It’s available on
Windows, Linux, and Mac. Good news for Mac users: it
also works on Apple silicon, which we tested to ensure it
has monitor mode and packet injection support. Just
install it with Homebrew by running brew install
bettercap.

You can start bettercap with the interface name specified

with -iface. Then, when the bettercap console pops up,
https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 8/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

you can type in wifi.recon on to start sniffing packets and

discovering APs:

To focus on one channel, run wifi.recon.channel

<channel>, such as wifi.recon.channel 1. By default,
when bettercap picks up any WPA handshakes, it will be
saved to ~/bettercap-wifi-handshakes.pcap. Request
a Demo
You can list the APs found by running wifi.show:
Contact
Us

Injection attacks, such as associating to APs to obtain

crackable PMKIDs, can be done with wifi.assoc all for
all found APs:

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 9/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

For other attacks, including deauthentication and rogue

AP, check the help page in bettercap’s WiFi module.

WiGLE: Worldwide
wireless reconnaissance
Ever wondered how many wireless hotspots/APs there
are in a particular area in the world? Have you been
curious about what SSIDs, MAC addresses, and
encryptions are used for each one? Look no further than
WiGLE.net for worldwide wireless recon.
Request
a Demo

Contact
Us

After signing up for an account, you can search for any

SSIDs in any geological area and view details on each AP.
If you are doing a wireless pen test, you can scope out the
target location well in advance and plan your trip
accordingly.

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 10/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

hcxtools and hashcat:

Speed up your WiFi Request

cracking
a Demo

You may wish to crack WiFi passwords at a much faster Contact

Us
speed and go through much bigger wordlists in less time
(e.g., weakpass_3w specialized for WPA passwords),
which can be achieved with the mighty power of modern
GPUs that the aircrack-ng suite does not utilize. This is
where hcxtools comes in; it can convert your capture files
(e.g., from airodump-ng or bettercap) to hashes that can
be used with hashcat to crack WPA/2 passwords much
faster using available GPUs than aircrack-ng.

hcxtools can be installed on Kali via apt install hcxtools

and Mac via brew install hcxtools.

To use it, simply specify the capture file (in pcap or

pcapng format) and the desired location for an output
hash file to hcxpcapngtool:

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 11/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

hcxpcapngtool ./wpa.full.cap -o test.22000

Now, test.22000 can be used with hashcat mode 22000

to crack WPA handshakes with a wordlist:

hashcat -m 22000 test.22000

/usr/share/wordlists/rockyou.txt

Request
a Demo

Contact
Us

Wacker: WPA3 online

cracking
Wacker is one of the few operational tools that can be
used to attack WPA3 APs. It allows you to use a wordlist to
perform an online brute-force attack and repeatedly
authenticate to an AP until the current password is found.
A wordlist, target SSID, BSSID (which is the MAC address
of the AP), the frequency of the AP’s channel, and an
interface have to be specified to wacker when starting it,
as the example shows:

./wacker.py --wordlist cyberpunk.words --ssid WCTF_18

--bssid 02:00:00:00:00:00 --interface wlan2 --freq

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 12/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

2412

The frequency of a 2.4 GHz WiFi channel can generally be

calculated using the following formula:

2412 + 5 * ( 1 - channel number )

Or you can simply look it up in this article.

Request
a Demo
One limitation of this tool is that the source MAC address
stays the same between attempts, so the APs could start
blocking the attempts. This can be mitigated by constantly Contact
Us
running macchanger, but the architecture of the tool, which
uses wpa_supplicant, would cause the attack to slow
further.

Wacker can be run simultaneously with multiple interface

cards and wordlists in multiple terminal windows to speed
things up:

Conclusion
From old classics to new toys, there are certainly many
cool tools for hacking WiFi networks out there. However,
at the time of writing this article, there is very limited
https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 13/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

research on WPA3 hacking; in fact, aside from denial-of-

service and downgrade attacks to WPA2 and some
implementation vulnerabilities, no design flaw in WPA3
password-protected setups has allowed the offline
cracking of passwords and the decryption of traffic like in
WPA2. You can learn more about WPA3 vulnerabilities
from this talk. All in all, this means a thoroughly password-
protected, firmware-patched WPA3 setup is pretty secure
(as long as passwords are not easily guessable), and we
should all transition our old WPA/2 networks to WPA3.

Request
bug bounties a Demo

Contact
bug bounty hacking hacker Us

hacker advice

Tags: hacker community LevelUp

researcher

researcher community

vulnerabilities

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 14/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

More from the blog

Request
a Demo

Contact
Us

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 15/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

Request
a Demo

Contact
Us

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 16/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

Request
a Demo

Contact
Us

Subscribe for updates

First Name

Last Name

Email*

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 17/18
2/10/25, 12:14 AM WiFi hacking tools and how to use them | @Bugcrowd

Submit

PRODUCTS
Request
a Demo
SOLUTIONS

Contact
HACKERS Us

RESOURCES

ABOUT

Copyright ©2025 Bugcrowd Security Terms & Conditions Privacy Policy

Your Privacy Rights

General Data Protection Regulation

https://www.bugcrowd.com/blog/wifi-hacking-tools-and-how-to-use-them/ 18/18