Hacking Wireless Networks 802.11 a/b/g/n/ac

Introduction – Hacking Wireless Networks

Nowadays Wireless networks are everywhere, my main goal here is to introduce you to the Wireless Security techniques. First, we will explain how the network works and them how to attack them to access private networks protected by password, after we learn how to attack, we definitely will teach how to defense and mitigate attacks on your network. There are many techniques to attack a Wireless network we just need to think a little bit before starting to do some damage.

This is a simple technical document to teach people how to design a Wireless network with minimum security

How Wireless Network Works?

In Wireless networks we need two devices, one Router (or an AP) and a client to associate with Router! We must differentiate these devices and understand how they work to successfully crack a secure network.

There are many techniques to crack a Wireless network we just need to think as an attacker and exploit the weaknesses we know or find something new, remember creativity is the key!

There are some differences in the low-level layers between a Wireless network and a cable network, on Wi-Fi the Layer 1 uses the normalization 802.11 and on layer 2 the sub layer LLC is the same but the sub layer MAC uses the protocol CSMA/CA to detect and correct errors on frames.

A wireless network use radio waves to communicate with the clients, there are two types of operation modes: infrastructure (ESS) and Ad hoc (IBSS).

The most common these days is the infrastructure (ESS) mode, use one AP and one client (STB), if there are more than one AP the link between both APs is called DS (distribution system).

Detecting DSs is very useful if we want to hijack some network or add our AP on foreign networks to monitor or use the network to our leverage.

Ad-hoc mode is used to communicate machines directly or in peer-to-peer mode, this tutorial is focus on infrastructure mode so I don’t go deep in this mode it is to extensive but we will crack it.

Router Perspective

            A router usually broadcasts his network name (ESSID) with beacons, MAC Address (BSSID), Chanel, cipher and encryption to air waiting some client connect to him. Let’s check what relevance this information has to us:

  • ESSID – It identifies the network name, could be useful sometimes with some routes from ISPs we can use Key generators to generate correct Wifi password even WPA.
  • BSSID – The BSSID is the mac address attributed to the wifi interface at router this is the interface we will connect when authenticated. The MAC address can give us some information like the router manufacture and the version of equipment (Thomson TG784n v3), if know this and we know this version of router have a bug in WPS system why wasting time trying to crack a WPA password?
  • Chanel – Wireless networks use frequencies in a defined range (2.443Mhz to 2.447Mhz) to communicate and use channels to
  • Cipher –
  • Encryption –

Clients Perspective

A client has less things to verify, besides everything we check on the router perspective that is necessary to establish a connection to the router.

But we are here to crack a Wireless network so we need a wifi card with a special feature like Injection with this we can inject packets between the AP and a client to force them deauthenticate and some more interest things.

  • Wifi Card with Injection – At these days there are many wifi cards with injection supported, you must verify the chipset of wifi card and install the proper drivers. But we already compile a list for you, check it here:
  • Drivers – Pay attention to the drivers they must be installed correctly without errors
  • Software – At this tutorial we will use some Linux commands and the Aircrack-ng pack and other tools like Wifi Pumpkin 3 , Airgeddon, Wifite



Hacking Wireless Networks

 Next, we will describe a list of most common techniques and vulnerabilities on Wireless networks

Wireless Attacks

Hacking Wireless Networks
Hacking Wireless Networks

Open Networks


  • With Clients
  • No Clients


Handshake Capture



Bruteforce WPS


Nulll Pin

Pins DataBase


Rainbow Tables

Key Generators

Real Scenario


Wifi Punpkin 3

Git Hub