TL;DR
A WLAN penetration test checks whether your wireless network can be compromised using real attack methods. Classic attack vectors include the PMKID attack against WPA2-PSK (offline brute-force without client contact), Evil Twin attacks with rogue access points, WPS brute-force (only 11,000 effective combinations), deauthentication DoS, and format string vulnerabilities in WLAN processing. Professional pentesters use hardware like the WiFi Pineapple from Hak5 along with tools like Aircrack-ng, hcxdumptool, and Kismet. The results of a WLAN pentest form the basis for prioritized hardening measures - from switching to WPA3 to disabling WPS to implementing 802.1X.
Your Wi-Fi network has no physical boundaries. The signal penetrates walls, floors, and building facades. An attacker in a neighboring building, in the parking lot, or on the street outside can pick up your wireless signal—and, if security is inadequate, launch an attack without ever physically entering your premises.
A Wi-Fi penetration test simulates exactly these attacks under controlled conditions. This article explains the methods used, the tools pentesters employ, and what the results of such a test mean.
What a Wi-Fi Penetration Test Encompasses
A professional Wi-Fi penetration test examines the entire Wi-Fi infrastructure for exploitable vulnerabilities. Typical areas of testing:
- Encryption standard: Which WPA version is in use? Is WEP still active? Is WPS offered?
- Password strength: Can the WPA2-PSK password be cracked using an offline brute-force attack?
- 802.1X configuration: Are certificates set up correctly? Does the RADIUS server accept self-signed certificates?
- Network Segmentation: Is the guest Wi-Fi actually separated from the production network?
- Rogue Access Points: Can fake APs be infiltrated without being detected?
- Management Frame Protection: Is 802.11w active? Can deauthentication attacks be carried out?
- Client Security: Do clients automatically connect to open networks with the same name?
The test is always conducted on behalf of the owner of the infrastructure being tested. Wi-Fi testing without explicit written permission is a criminal offense—even against one’s own home network from a remote location.
Attack Vectors in Detail
PMKID Attack Against WPA2-PSK
The PMKID attack is one of the most effective attacks against WPA2-Personal networks because it does not require an active client. Classic WPA2 attacks required the so-called 4-way handshake, which can only be intercepted when a client establishes a connection. In a PMKID attack, a single frame from the access point itself is sufficient.
Technical Process:
The PMKID (Pairwise Master Key Identifier) is calculated from the PMK, the AP’s MAC address, and the client’s MAC address:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || Client-MAC)
The PMK, in turn, is derived from the WPA2-PSK password. If an attacker knows the PMKID, they can try passwords offline without ever having to disconnect and reconnect a client.
Tools:
```shell
# Step 1: Collect PMKID frames
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1
# Step 2: Convert to hashcat format (hcxpcapngtool is part of hcxtools)
hcxpcapngtool -o hash.hc22000 capture.pcapng
# Step 3: Offline cracking with a wordlist
hashcat -m 22000 hash.hc22000 wordlist.txt
# Step 4: With rule sets for password variations
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule
```
Protection: WPA3-SAE makes the PMKID attack impossible because SAE no longer derives the PMK statically from the password. If WPA2-PSK is still in use: Choose a password with at least 25 random characters — this makes brute-force attacks computationally infeasible.
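The derivation above is the whole reason the attack works offline: the SSID, BSSID and client MAC are all public, and under WPA2-PSK the PMK depends only on the passphrase and the SSID. The following Python block, added here as an illustration and not code from the article or from AWARE7, implements the two formulas with the standard library and reproduces the published IEEE 802.11i test vector for passphrase "password" / SSID "IEEE"; the MAC addresses and the guess rate used for the cost estimate are constructed sample values.

```python
import hashlib
import hmac
import math


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK key derivation (IEEE 802.11i):
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is broadcast in every beacon, so only the passphrase is secret."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def _mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dashed form) into 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def compute_pmkid(pmk: bytes, bssid: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || Client-MAC):
    the first 16 bytes (128 bits) of the HMAC-SHA1 tag. The AP puts this value,
    unencrypted, into the first message of the 4-way handshake."""
    data = b"PMK Name" + _mac_bytes(bssid) + _mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def keyspace_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of a uniformly random passphrase of the given length."""
    return length * math.log2(charset_size)


def expected_years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to search the entire keyspace at an assumed guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    pmk = derive_pmk("password", "IEEE")
    print("PMK  :", pmk.hex())
    # Constructed MAC addresses (sample values, not a real network)
    print("PMKID:", compute_pmkid(pmk, "00:11:22:33:44:55", "66:77:88:99:aa:bb").hex())
    # 1e6 guesses/s is an assumed rate chosen for illustration only
    for desc, length, cs in [("8 lowercase letters", 8, 26),
                             ("25 random printable ASCII chars", 25, 95)]:
        bits = keyspace_bits(length, cs)
        years = expected_years_to_exhaust(bits, 1e6)
        print(f"{desc}: {bits:.1f} bits, ~{years:.3g} years at 1e6 guesses/s")
```

Two things the numbers make concrete: the PMK is fixed for a given passphrase and SSID, which is why a single captured PMKID is enough to verify guesses without any further contact with the network, and the only lever left under WPA2-PSK is passphrase entropy, which is what the 25-character recommendation above buys.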
Evil Twin / Rogue Access Point
An Evil Twin attack is a man-in-the-middle attack at the Wi-Fi level. The attacker operates their own access point with an SSID identical to the target network and a stronger signal — clients automatically connect to the stronger signal.
How an Evil Twin attack works:
- Attacker scans the environment for SSIDs (Aircrack-ng, Kismet)
- Attacker creates an AP with the same SSID and a custom DHCP server
- Optional: Deauthentication attack against the legitimate AP to force clients to reconnect
- Clients connect to the attacker’s rogue AP
- The attacker forwards traffic—as a man-in-the-middle, they can read and manipulate unencrypted connections
Tools:
```conf
# Create a rogue AP with hostapd
# /etc/hostapd/rogue.conf:
interface=wlan1
driver=nl80211
ssid=TargetNetwork
channel=6
hw_mode=g
```
```shell
# Provide DHCP for clients
dnsmasq --interface=wlan1 --dhcp-range=192.168.100.10,192.168.100.100,12h
# Forward traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
Why 802.1X protects against this: With WPA2/WPA3-Enterprise, not only does the client authenticate to the network, but the network also authenticates to the client—via a server certificate. An Evil Twin without the correct certificate is rejected by properly configured devices. Clients must be configured to validate the server certificate and not accept unknown certificates.
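Whether 802.1X actually stops an Evil Twin is decided in the client's EAP configuration, so it is worth auditing that configuration rather than the AP. The Python block below is an added example, not code from the article or from AWARE7: it parses two constructed wpa_supplicant-style network blocks (sample values only) and reports the settings that would let a rogue RADIUS server pass. The keys it checks (ca_cert, domain_suffix_match, domain_match, subject_match, altsubject_match) are real wpa_supplicant options; the file contents and the SSID are invented.

```python
import re

# Constructed wpa_supplicant-style network block WITHOUT server validation.
WEAK_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    phase2="auth=MSCHAPV2"
}
"""

# Same network, hardened: pin the issuing CA and the RADIUS server name.
HARDENED_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

# Any one of these ties the server certificate to the expected RADIUS host.
NAME_CHECK_KEYS = ("domain_suffix_match", "domain_match",
                   "subject_match", "altsubject_match")


def parse_networks(config_text: str) -> list[dict]:
    """Return one dict of key/value settings per network={...} block."""
    return [dict(KV_RE.findall(block)) for block in BLOCK_RE.findall(config_text)]


def audit_eap_network(net: dict) -> list[str]:
    """List the weaknesses that would let an Evil Twin pass 802.1X server
    authentication. PSK networks are out of scope and return no findings."""
    findings = []
    if "EAP" not in net.get("key_mgmt", ""):
        return findings
    if not net.get("ca_cert"):
        findings.append("ca_cert not set: any server certificate is accepted, "
                        "including a self-signed one from a rogue AP")
    if not any(net.get(k) for k in NAME_CHECK_KEYS):
        findings.append("no server-name check: any certificate issued by the "
                        "trusted CA is accepted, not only the real RADIUS server")
    return findings


def audit_config(config_text: str) -> dict:
    """Map each SSID in the config to its list of findings."""
    return {net.get("ssid", "?"): audit_eap_network(net)
            for net in parse_networks(config_text)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ssid, findings in audit_config(cfg).items():
            print(f"[{label}] {ssid}: {findings or 'OK'}")
```

The same two checks apply on other platforms under different names (a pinned CA and an expected server name in Windows or Apple Wi-Fi profiles); the point is that both must be present, because a pinned CA alone still accepts any certificate that CA has issued.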
Deauthentication Attacks (DoS and Precursor to Evil Twin)
For a long time, the IEEE 802.11 standard did not include authentication for management frames. Deauthentication frames could be spoofed by any device—using any source MAC address.
Impact:
An attacker sends spoofed deauth frames to all clients on a network. The clients lose their connection and reconnect—either to the legitimate AP or, if an Evil Twin is present, to the rogue AP.
```shell
# Deauthentication with aireplay-ng
aireplay-ng --deauth 10 -a <ap-bssid> wlan0mon
# Targeted against a single client
aireplay-ng --deauth 10 -a <ap-bssid> -c <client-mac> wlan0mon
```
Protection: 802.11w (Management Frame Protection / MFP) cryptographically signs management frames. Faked deauth frames are ignored by devices that support 802.11w. WPA3 enforces 802.11w—another reason to migrate.
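Until 802.11w is enforced everywhere, the practical defence is to notice a deauthentication flood while it happens. The Python block below is an added example, not code from the article or from AWARE7: it runs a sliding-window count of deauthentication frames per BSSID over a constructed frame log (the line format, timestamps and MAC addresses are all invented sample values; a real feed would come from a monitor-mode capture or a WIDS export) and flags any BSSID whose rate crosses a threshold, noting whether broadcast deauths were seen, since those disconnect every client at once.

```python
import re
from collections import defaultdict, deque

# Constructed frame log: epoch seconds, frame type, addresses, 802.11 reason code.
# Lines 1-8 model a spoofed broadcast deauth burst; the last two are the kind of
# isolated deauths a client sends when it leaves a network normally.
FRAME_LOG = """\
1714644901.10 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644901.15 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644901.20 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644901.25 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644901.30 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644901.35 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644901.40 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644901.45 deauth bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=7
1714644903.00 beacon bssid=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff reason=0
1714644905.00 deauth bssid=aa:bb:cc:dd:ee:02 dst=12:34:56:78:9a:bc reason=3
1714644935.00 deauth bssid=aa:bb:cc:dd:ee:02 dst=12:34:56:78:9a:bc reason=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<type>\w+) bssid=(?P<bssid>[0-9a-f:]{17}) "
    r"dst=(?P<dst>[0-9a-f:]{17}) reason=(?P<reason>\d+)$")

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_frames(text: str) -> list[dict]:
    """Parse the constructed log format into frame records; skip malformed lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            rec["reason"] = int(rec["reason"])
            frames.append(rec)
    return frames


def detect_deauth_floods(frames: list[dict], window_s: float = 2.0,
                         threshold: int = 5) -> dict:
    """For each BSSID, track the peak number of deauth frames seen inside any
    window of window_s seconds. Return only the BSSIDs at or above threshold."""
    windows = defaultdict(deque)   # bssid -> timestamps inside the current window
    peak = defaultdict(int)        # bssid -> highest count observed in a window
    broadcast = defaultdict(bool)  # bssid -> any deauth addressed to all clients
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != "deauth":
            continue
        q = windows[f["bssid"]]
        q.append(f["ts"])
        while f["ts"] - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        peak[f["bssid"]] = max(peak[f["bssid"]], len(q))
        if f["dst"] == BROADCAST:
            broadcast[f["bssid"]] = True
    return {b: {"peak_per_window": n, "broadcast": broadcast[b]}
            for b, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for bssid, info in detect_deauth_floods(parse_frames(FRAME_LOG)).items():
        print(f"ALERT deauth flood from {bssid}: {info}")
```

The threshold and window are tuning knobs: a handful of deauths per minute is normal client churn, dozens within a second from one BSSID, especially addressed to the broadcast MAC, is not, and that spike is also the moment to look for a second AP advertising the same SSID.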
WPS Brute Force
WPS (Wi-Fi Protected Setup) was developed to simplify device connection. However, the eight-digit WPS PIN has a fundamental design flaw: The access point checks the first four and last three digits separately (the eighth digit is a checksum). This reduces the effective number of combinations from 100 million to 10,000 + 1,000 = 11,000.
Attack with Reaver:
```shell
# WPS scan
wash -i wlan0mon
# WPS PIN brute force
reaver -i wlan0mon -b <bssid> -vv
# With Pixie Dust optimization (works immediately against many older routers)
reaver -i wlan0mon -b <bssid> -K 1 -vv
```
The Pixie Dust attack exploits weak random number generators in some routers and can determine the WPS PIN in seconds—regardless of password length or complexity.
Protection: Completely disable WPS. Many routers also have a physical WPS button that must be disabled separately—otherwise, an attacker can reactivate WPS by pressing the button.
Format String Attacks via SSIDs
In 2021, a curious vulnerability in iPhones came to light: If an iPhone connects to a Wi-Fi network with the SSID %p%s%s%s%s%n, the Wi-Fi function is permanently disabled—even a restart does not fix the issue. The Wi-Fi switch can no longer be enabled.
Cause: The SSID string is not properly escaped at one point in the iOS network stack and is interpreted as a format string. The character %p is a format specifier for pointer addresses in C-like languages. The operating system interprets the SSID name as program commands, leading to a memory access error.
Format string attack in general:
```text
Expected input:  "My Wi-Fi Name"
Malicious input: "%p%s%s%s%s%n"
System interprets:
  %p → Output pointer address
  %s → Read string from memory
  %n → Write number of output bytes to memory location
       (can lead to write operations to arbitrary addresses)
```
This type of attack demonstrates that Wi-Fi attacks are not limited to the network layer—vulnerabilities can occur in any software component that processes Wi-Fi metadata.
Protection: Install iOS updates. Do not automatically trust public Wi-Fi networks with unusual SSIDs. Exercise caution with known network names containing special characters, particularly percent signs.
WiFi Pineapple: The Preferred Penetration Testing Tool
The WiFi Pineapple from Hak5 is a router specifically designed for Wi-Fi penetration testing, featuring its own browser interface. It combines the most common Wi-Fi attack tools into a single platform and significantly reduces setup effort.
What the WiFi Pineapple Does
- Reconnaissance: Detects all Wi-Fi networks within range, including SSIDs, encryption standards, signal strength, and connected clients
- Client Detection: Which devices are searching for which networks? (Probe requests)
- Rogue Access Points: Deploying fake networks with configurable SSIDs
- Deauthentication: Targeted disconnection of clients from the legitimate AP
- Traffic Analysis: MITM analysis of forwarded traffic
Two Variants
The WiFi Pineapple is available in two hardware variants:
| Model | Price | Features |
|---|---|---|
| Tetra | $199 | More antennas, longer range, more USB ports |
| Nano | $99 | More compact, portable, for discreet operations |
Both devices run on a pre-installed OpenWrt-based system. The web interface is accessible via a browser, allowing for use even without in-depth Linux knowledge. The modular system enables extensions for specific attack methods.
Battery Operation for Covert Testing
A key advantage for red team operations: The WiFi Pineapple can be powered by a standard USB battery pack. This allows it to be placed unattended inside a building—under a conference table, in a storage room, or in a utility closet. The device connects to the internet via smartphone tethering, and the pentester can retrieve the collected data remotely.
With its Cloud C2 platform, Hak5 offers an infrastructure for remotely controlling multiple pentest devices—relevant for larger red team engagements with distributed locations.
Alternatives Without Specialized Hardware
The same attacks can also be carried out using a standard Linux computer and a supported USB Wi-Fi adapter. The necessary software is freely available:
```shell
# Aircrack-ng Suite (industry standard)
sudo apt install aircrack-ng
# Enable monitor mode
sudo airmon-ng start wlan0
# Scan networks
sudo airodump-ng wlan0mon
# Capture handshake
sudo airodump-ng -c 6 --bssid <bssid> -w capture wlan0mon
# Kismet (passive scanner + rogue AP detection)
sudo apt install kismet
kismet -c wlan0mon
# Web GUI: localhost:2501
```
The advantage of the WiFi Pineapple lies not in exclusive capabilities, but in its integrated user interface and quick deployment without manual configuration.
Reconnaissance: What Pen Testers Do First
Before an attack takes place, pen testers gather information about the Wi-Fi infrastructure.
Passive Reconnaissance
In monitor mode, a Wi-Fi card receives all frames within range without transmitting itself. This allows for:
- Capturing all SSIDs and BSSIDs (MAC addresses of access points)
- Determining the encryption standard (WPA2/WPA3/WEP/open)
- Counting the connected clients per AP
- Analysis of probe requests: Which network names do clients automatically search for?
Probe requests are particularly revealing: A laptop automatically sends requests for all known network names—such as the home network, the office network, or the hotel Wi-Fi from last year. An attacker with a rogue AP that responds to these names can automatically attract clients.
Active Reconnaissance
- Measuring signal strength: Where in the building can which AP be received? Does the corporate network radiate out to the street?
- Wardriving: Systematic mapping of all Wi-Fi networks in an area (for red team assessments: with permission)
- Rogue AP detection: Are there already unknown access points in the building?
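Rogue AP detection is a comparison between what a scanner sees and what the inventory from the passive-reconnaissance phase says should exist. The Python block below is an added example, not code from the article or from AWARE7: it holds a constructed authorized inventory (SSID, owned BSSIDs, expected security) and a constructed list of beacon observations in the shape a scanner such as Kismet could export, then flags any beacon that carries a corporate SSID from a BSSID the organisation does not own, distinguishing the case where the impostor also advertises weaker security. All SSIDs, MAC addresses and signal values are invented sample data.

```python
# Authorized inventory built during passive reconnaissance (constructed sample values).
AUTHORIZED = {
    "CorpWiFi":  {"bssids": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},
                  "security": "WPA3-Enterprise"},
    "CorpGuest": {"bssids": {"aa:bb:cc:dd:ee:11"}, "security": "WPA2-PSK"},
}

# Constructed beacon observations as a scanner would report them.
OBSERVED_BEACONS = [
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "CorpWiFi", "channel": 36,
     "security": "WPA3-Enterprise", "rssi": -48},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "CorpWiFi", "channel": 44,
     "security": "WPA3-Enterprise", "rssi": -61},
    # Unknown BSSID, corporate SSID, open network, strongest signal in the room
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "channel": 6,
     "security": "Open", "rssi": -35},
    {"bssid": "aa:bb:cc:dd:ee:11", "ssid": "CorpGuest", "channel": 1,
     "security": "WPA2-PSK", "rssi": -55},
    # Neighbouring network: not ours, so not a finding
    {"bssid": "ca:fe:00:00:00:01", "ssid": "Neighbour-Net", "channel": 11,
     "security": "WPA2-PSK", "rssi": -80},
]

# Coarse ordering used only to spot a security downgrade on an impostor.
SECURITY_RANK = {"Open": 0, "WEP": 1, "WPA2-PSK": 2, "WPA3-SAE": 3,
                 "WPA2-Enterprise": 3, "WPA3-Enterprise": 4}


def classify_beacon(beacon: dict, inventory: dict = AUTHORIZED) -> str:
    """Return 'authorized', 'unrelated', 'rogue' or 'rogue-downgrade'."""
    ssid = beacon["ssid"]
    if ssid not in inventory:
        return "unrelated"          # someone else's network; out of scope
    entry = inventory[ssid]
    if beacon["bssid"] in entry["bssids"]:
        return "authorized"
    # Our SSID from a BSSID we do not own is the Evil Twin signature.
    observed = SECURITY_RANK.get(beacon["security"], 0)
    expected = SECURITY_RANK.get(entry["security"], 0)
    return "rogue-downgrade" if observed < expected else "rogue"


def find_rogue_aps(beacons: list[dict], inventory: dict = AUTHORIZED) -> list[dict]:
    """Return every beacon classified as rogue, annotated with its verdict,
    strongest signal first (the strongest impostor wins the clients)."""
    rogues = []
    for b in beacons:
        verdict = classify_beacon(b, inventory)
        if verdict.startswith("rogue"):
            rogues.append(dict(b, verdict=verdict))
    return sorted(rogues, key=lambda r: r["rssi"], reverse=True)


if __name__ == "__main__":
    for r in find_rogue_aps(OBSERVED_BEACONS):
        print(f"{r['verdict']}: {r['ssid']} from {r['bssid']} "
              f"ch {r['channel']} {r['security']} ({r['rssi']} dBm)")
```

Keeping the inventory keyed by SSID rather than by BSSID matters: an Evil Twin is defined by the SSID it copies, and a clone that copies the security type as well still shows up as "rogue" because its BSSID is not on the list.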
Overview of Wi-Fi Penetration Testing Phases
A structured Wi-Fi penetration test follows a defined process:
Phase 1 — Scope Definition: What is the scope of the test? Which SSIDs, which locations? Is the guest Wi-Fi included? Are there time windows during which no testing is permitted?
Phase 2 — Passive Reconnaissance: Mapping the Wi-Fi infrastructure without active attacks. Inventory of all SSIDs, BSSIDs, encryption standards, and channel usage.
Phase 3 — Vulnerability Analysis: Which of the discovered networks have exploitable weaknesses? Is WEP active? Is WPS enabled? Weak PSK? No 802.11w?
Phase 4 — Exploitation: Controlled execution of attacks: PMKID attack, WPS brute force, Evil Twin, deauthentication. All attacks are documented and assessed for their impact on operations.
Phase 5 — Post-Exploitation: What is accessible after gaining access to the Wi-Fi? Is the internal network segmented? Can internal servers be reached from a compromised Wi-Fi access point?
Phase 6 — Reporting: Documentation of all findings with risk assessment (critical/high/medium/low) and specific hardening recommendations. Distinction between immediately implementable quick wins and medium-term measures.
Common Findings from Wi-Fi Penetration Tests
Professional penetration testers regularly find these vulnerabilities in corporate networks:
WPS active: In an alarmingly high percentage of the networks tested, WPS is still active — often because it was not explicitly disabled during router setup. Pixie Dust attacks compromise affected routers in seconds.
WEP still in use: Older infrastructure, particularly in production environments, still uses WEP encryption in some cases. WEP can be cracked in minutes.
Weak PSK: Passwords such as company names, years, or place names are included in word lists. A PMKID attack combined with typical German company passwords is often successful within hours.
Lack of 802.11w: Without Management Frame Protection, deauthentication attacks can be carried out at any time—as a denial-of-service attack or as a precursor to Evil Twin attacks.
Guest Wi-Fi without segmentation: The guest Wi-Fi is not technically separated from the production network. An attacker on the guest Wi-Fi can directly access internal systems.
Evil Twin Vulnerability with 802.1X: The EAP configuration accepts any server certificates. Clients connect to a rogue AP that presents a self-signed certificate—a successful Evil Twin attack despite 802.1X.
Legal Framework
Wi-Fi penetration tests are legally sensitive and require a clear written mandate:
- No Wi-Fi testing without the express written permission of the owner of the infrastructure being tested
- Section 202a of the German Criminal Code (StGB) (data espionage) and Section 303b of the German Criminal Code (StGB) (computer sabotage) apply even if the tester “only intended to test”
- Testing public or third-party networks is a criminal offense—even for academic purposes
- A professional penetration testing service provider provides a framework agreement with a clear definition of scope
AWARE7 conducts Wi-Fi penetration tests exclusively within the framework of a written engagement. The client defines the scope, locations, and testing period.
Further Information
If you want to understand the defensive side—WPA3-Enterprise, 802.1X configuration, secure guest Wi-Fi design, and the complete hardening checklist—you’ll find all the details in the accompanying article:
Enterprise Wi-Fi Security: WPA3, 802.1X, and Secure Guest Wi-Fi
Wi-Fi security doesn’t end with setting a strong password. A professional Wi-Fi penetration test reveals which of your measures actually hold up—and which would fail in a real attack. The results form the basis for prioritized hardening.
