• Home
  • Wireless Penetration Testing: Theory for Pentesters

Wireless Penetration Testing: Theory for Pentesters

Wireless Penetration Testing: Theory for Pentesters

Introduction to Wireless Penetration Testing

Wireless penetration testing in on rise nowadays wireless networks are everywhere, my main goal here is to introduce you to the wireless penetration testing methodology.

First, I will explain how the technology works by layer and them what happen between each layer and what fields can be exploited. After the basics of technology explained I will try to explain to attack all security mechanisms of a wireless network.

There are many techniques to attack a Wireless network we just need to think a little bit before starting to do some damage.

My goal here is to study and understand the technology better and share everything I learn with the community will I improve my English. This is a simple technical document to help people how to design a Wireless network with minimum security and be aware of the risks.

Security Wireless network

In Wireless networks we need at least two devices, one Access Point (Router) and a STA (Client PC or Mobile) to associate with access point!

Wireless 802.11 Layer 1

The 802.11 standard defines the wireless technology it defines the frequency, bandwidth and the modulation used by devices.

802.11 Frame Types

Management , Control ,Data , Extension

Frame TypeType DescriptionSub Type ValueClass
00Management0000Association Request
00Management0001Association Response
00Management0010Reassociation Request
00Management0011Reassociation Response

There are some differences in the low-level layers between a Wireless network and a cable network, on Wi-Fi the Layer 1 uses the normalization 802.11 and on layer 2 the sub layer LLC is the same but the sub layer MAC uses the protocol CSMA/CA to detect and correct errors on frames.

A wireless network use radio waves to communicate with the clients, there are two types of operation modes: infrastructure (ESS) and Ad hoc (IBSS).

The most common these days is the infrastructure (ESS) mode, use one AP and one client (STB), if there are more than one AP the link between both APs is called DS (distribution system).

Detecting DSs is very useful if we want to hijack some network or add our AP on foreign networks to monitor or use the network to our leverage.

Ad-hoc mode is used to communicate machines directly or in peer-to-peer mode, this tutorial is focus on infrastructure mode so I don’t go deep in this mode it is to extensive but we will crack it.

Router Perspective

            A router usually broadcasts his network name (ESSID) with beacons, MAC Address (BSSID), Chanel, cipher and encryption to air waiting some client connect to him. Let’s check what relevance this information has to us:

  • ESSID – It identifies the network name, could be useful sometimes with some routes from ISPs we can use Key generators to generate correct Wifi password even WPA.
  • BSSID – The BSSID is the mac address attributed to the wifi interface at router this is the interface we will connect when authenticated. The MAC address can give us some information like the router manufacture and the version of equipment (Thomson TG784n v3), if know this and we know this version of router have a bug in WPS system why wasting time trying to crack a WPA password?
  • Chanel – Wireless networks use frequencies in a defined range (2.443Mhz to 2.447Mhz) to communicate and use channels to
  • Cipher –
  • Encryption –

Clients Perspective

A client has less things to verify, besides everything we check on the router perspective that is necessary to establish a connection to the router.

But we are here to crack a Wireless network so we need a wifi card with a special feature like Injection with this we can inject packets between the AP and a client to force them deauthenticate and some more interest things.

  • Wifi Card with Injection – At these days there are many wifi cards with injection supported, you must verify the chipset of wifi card and install the proper drivers. But we already compile a list for you, check it here:
  • Drivers – Pay attention to the drivers they must be installed correctly without errors
  • Software – At this tutorial we will use some Linux commands and the Aircrack-ng pack and other tools like WifiPumpkin 3 , Airgeddon, Wifite



Offensive Security Wireless Attacks

 Next, we will describe a list of most common techniques and vulnerabilities on Wireless networks. Wireless pentesting can be easy or tricky most of the times it depends on the hardware being attacked.

Wifi Attacks

wireless penetration testing
wireless penetration testing

Open Networks


  • With Clients
  • No Clients


Deauthentication Attack

Handshake Capture



Bruteforce WPS


Nulll Pin

Pins DataBase


Rainbow Tables

Key Generators

Real Scenario


wireless penetration testing,wireless penetration testing services,what is wireless penetration testing,wireless security course,wifi penetration testing

Git Hub

Offensive Devices

assessing and auditing wireless networks