scope

Everything in this writeup happened on my own access points, in my own home, against my own client devices, on a network nobody else is connected to. Running these techniques against networks you don't own is illegal in essentially every jurisdiction. Don't do it.

The Wi-Fi pen-test lab is the longest-running thing in my homelab. It's not a project — it's a methodology. I've set up a private SSID I treat as the target, configured it differently each time (WPA2-PSK with a weak passphrase, WPA2 with WPS enabled, WPA3-only, etc.) and worked through the attack chain that applies. Each pass teaches me both halves: how the attack actually executes, and what defence stops it cold.

5 attack families / 3 defences validated / AC600 monitor + inject NIC / 100% own hardware

The lab setup

One spare TP-Link AP I configure to whatever I'm testing against. One Pi 4 with the AC600 USB Wi-Fi adapter (Realtek 8811AU chipset, monitor mode + injection). One target client — usually an old Android phone I've factory-reset and only joined to this network. The whole thing is wireless-isolated from the rest of my home Wi-Fi via channel separation and a different SSID/BSSID.

WPA2 handshake → hashcat

The classic attack. Capture a 4-way handshake, dictionary-attack the PSK offline. The handshake is short; capturing it requires either patience (wait for a client to roam back) or a deauth nudge (force a reconnect).

# 1. monitor mode
sudo airmon-ng start wlan1

# 2. find the target and write the capture (airodump-ng names the file lab_capture-01.cap)
sudo airodump-ng wlan1mon --bssid AA:BB:CC:DD:EE:FF -c 6 -w lab_capture

# 3. nudge a client to reconnect (against my own client)
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan1mon

# 4. convert the capture to hashcat's 22000 format (hcxpcapngtool, from hcxtools)
hcxpcapngtool -o lab_capture.hc22000 lab_capture-01.cap

# 5. crack offline
hashcat -m 22000 lab_capture.hc22000 rockyou.txt

A weak passphrase (anything in rockyou.txt) falls in seconds. A strong passphrase — 16+ characters, mixed alphabet, not derived from a dictionary — is computationally infeasible. The attack is not against WPA2 the protocol; it's against weak human passwords. Defence: a strong passphrase, end of conversation.

WPS PIN → reaver / pixie-dust

WPS is the "press a button to connect" feature. The PIN is 8 digits, but the protocol validates it in two halves (the first 4 digits, then the next 3; the 8th digit is a checksum), so the keyspace collapses to roughly 10,000 + 1,000 ≈ 11,000 attempts instead of 10^8. Some routers generate the protocol's nonces so weakly that a single exchange is enough to compute the PIN offline (pixie-dust), revealing it in under a minute.

[ PIXIE-DUST WORKFLOW ]
  reaver -i wlan1mon -b <BSSID> -c <CH> -K 1 -vv
        └── if vulnerable → PIN recovered offline in seconds

If the router has WPS enabled and a vulnerable chipset (most consumer routers from a certain vintage), the PIN drops out, the WPA2 PSK is recovered, and the strong-passphrase defence is irrelevant. Defence: turn WPS off. Always. There is no good reason to have it on.

Evil twin / fluxion

Different category of attack: don't crack the network, just impersonate it. Fluxion sets up an AP with the same SSID, deauths clients off the real one, and serves a fake captive portal asking for the password "to reconnect." Many users will type it.

user-layer attacks

The evil twin doesn't care how strong your passphrase is. It's a social engineering attack pretending to be a network problem. The defence is partly user education and partly client-side: modern OSes warn when an SSID with the same name has a different security profile.

Deauth and 802.11w (PMF)

Standard 802.11 management frames are unauthenticated: anyone within radio range can spoof a deauth and disconnect any client from any AP. Annoying for users, useful for forcing a reconnection that exposes a handshake. Defence: enable 802.11w (PMF, Protected Management Frames), which adds an integrity check to deauth and disassociation frames so that clients and APs drop spoofed ones. WPA3 requires it; WPA2 supports it as optional.
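A defender-side check for the point above, added here and not part of the original writeup: a small parser over raw 802.11 frames (radiotap header already stripped, as you would get from a monitor-mode capture) that flags a burst of deauths per BSSID and any unprotected deauth naming a BSSID known to require PMF. The MAC addresses, timings and sample frames are constructed placeholders.

```python
from collections import defaultdict, deque

TYPE_MGMT, SUBTYPE_DEAUTH = 0, 12  # Frame Control: type 0 = management, subtype 12 = deauth
FLAG_PROTECTED = 0x40  # Frame Control byte 1, bit 6: body is encrypted (set when PMF is on)

def _mac(raw, off):
    return ":".join(f"{b:02x}" for b in raw[off:off + 6])

def parse_frame(raw):
    """Return the fields a deauth detector needs, or None if the frame is not a deauth."""
    if len(raw) < 26:  # 24-byte MAC header + 2-byte reason code
        return None
    fc0, fc1 = raw[0], raw[1]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT or fc0 >> 4 != SUBTYPE_DEAUTH:
        return None
    return {"dst": _mac(raw, 4), "src": _mac(raw, 10), "bssid": _mac(raw, 16),
            "reason": int.from_bytes(raw[24:26], "little"),
            "protected": bool(fc1 & FLAG_PROTECTED)}

def detect_deauth_flood(frames, window_s=2.0, threshold=5, pmf_required=()):
    """frames: iterable of (timestamp, raw_802_11_bytes). Returns a list of alerts.
    Two signals: a burst of deauths for one BSSID inside window_s, and an
    unprotected deauth naming a BSSID known to require 802.11w (a real AP
    with PMF on only sends protected ones, so an unprotected one is spoofed)."""
    alerts, recent = [], defaultdict(deque)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f is None:
            continue
        if f["bssid"] in pmf_required and not f["protected"]:
            alerts.append(("unprotected-deauth", f["bssid"], ts))
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:  # fire once, when the burst crosses the line
            alerts.append(("deauth-flood", f["bssid"], ts))
    return alerts

def sample_deauth(dst, src, bssid, reason=7, protected=False):
    """Build a deauth frame for the constructed sample below (reason 7 is what aireplay-ng sends)."""
    fc = bytes([(SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2), FLAG_PROTECTED if protected else 0])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + reason.to_bytes(2, "little")

AP = bytes.fromhex("aabbccddeeff")      # placeholder BSSID, matches the writeup's example
CLIENT = bytes.fromhex("112233445566")  # placeholder client MAC
# Constructed sample: five spoofed deauths aimed at one client, 0.25 s apart.
SAMPLE = [(i * 0.25, sample_deauth(CLIENT, AP, AP)) for i in range(5)]
```

With PMF enforced on the lab AP, the same spoofed frames still arrive over the air but the client discards them, which is exactly what the "unprotected-deauth" signal lets you confirm from a capture.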

PMKID — clientless capture

The 2018 surprise that broke the "wait for a handshake" assumption. Some routers return the PMKID (an identifier derived from the PMK, and therefore from the PSK, together with the AP and client MAC addresses) in the first EAPOL message of a connection attempt, so no client needs to be connected. hcxdumptool harvests it; hashcat cracks it the same way as a 4-way handshake. Defence: same as the handshake attack, a strong PSK. The keyspace search is identical.

The lab taught me that "Wi-Fi security" is misnamed. The protocol is fine. Almost every successful attack is against a configuration mistake (WPS on, weak PSK, no PMF) or against the user (evil twin). The defences are not exotic — they're hygiene.

WPA3 / SAE — much harder

WPA3 replaces the 4-way handshake with SAE (simultaneous authentication of equals), a password-authenticated key exchange in which neither side sends anything an eavesdropper can attack offline. Online attacks (one guess at a time, rate-limited by the AP) are still possible but slow. PMKID-style leaks are designed out. The Dragonblood attacks against early WPA3 implementations have largely been patched. The realistic in-scope attacks against WPA3 in the lab are denial of service, not key recovery.