~Michael Ades
Objective
The goal of this lab was to perform a complete Wi-Fi penetration test in a controlled environment. The tasks included discovering nearby access points, capturing WPA2 handshakes, cracking the Wi-Fi password using dictionary attacks (specifically RockYou.txt), and then applying defenses to secure the network against future attacks.
Execution Steps
1. Lab Setup
Using WifiForge (https://github.com/blackhillsinfosec/WifiForge) / Mininet-WiFi, the Bettercap Recon lab was selected. This provided a simulated wireless environment which could be used for testing.

2. Wireless Interface Initialization
The lab initialized the wireless interface (Attacker-wlan0) using the mac80211_hwsim driver. Errors with rfkill were shown, but the interface was successfully recovered. After pressing ‘y’
_
3. Launching Bettercap
Bettercap was started with the monitoring interface:
bettercap -iface wlan0mon
This placed Bettercap into an interactive shell ready for recon.
_
4. Bettercap Configuration
Commands were issued to format the output for real-time scanning:
set wifi.show.sort clients desc set ticker.commands 'clear; wifi.show' ticker on
This ensured the terminal refreshed continuously with updated AP and client information.

5. Wi-Fi Network Discovery
Bettercap identified our target network:
- SSID:
WPA2_Network - BSSID:
76:df:71:67:40:2b - Encryption: WPA2 (PSK, CCMP)
- Clients: 2 active devices
- Signal Strength: -36 dBm (strong)

6. Deauthentication Attack
A deauthentication attack was launched to disconnect clients:
wifi.deauth 76:df:71:67:40:2b
This forced clients to reconnect, providing an opportunity to capture the handshake.

7. Capturing the WPA2 Handshake
Bettercap confirmed successful capture:
- “1 handshakes” logged for
WPA2_Network. - Increased traffic meant the client attempted to reconnect.

8. Cracking with Aircrack-ng
The captured handshake was cracked with the RockYou.txt file:
aircrack-ng -w /WifiForge/framework/lab_materials/rockyou.txt /loot/4whs
Aircrack tested ~10,902 keys at ~3070 k/s.

9. Password Successfully Recovered
Aircrack-ng output revealed:
- Key Found:
december2022 - Derived session keys and HMAC values confirmed authenticity with the WiFi Network.

Defense Measures (Planned Implementation)
Due to constrictions of the WifiForge/Mininet-WiFi simulation environment, I was not able to fully implement defense measures such as WPA3 or WPS configuration. However, in a real-world scenario, the following steps would be taken:
- Upgrade to WPA3 Encryption
Replace WPA2 with WPA3-SAE (Simultaneous Authentication of Equals). This prevents offline dictionary attacks against handshakes and strengthens auth security. This would be done by updating the router’s firmware and reconfiguring the SSID to require WPA3. - Disable WPS (Wi-Fi Protected Setup)
WPS is vulnerable to brute-force PIN attacks. Disabling it through the router’s interface eliminates that. - Enable MAC Filtering
Only allow connections from a defined set of device MAC addresses. While not fully protected because (attackers can spoof MACs), it adds another protection. - Change the Wi-Fi Password
Replace the weak password (december2022) with a complex and longer passcode. This should not appear in common dictionaries, making offline cracking way more difficult.
In the lab, Mallory’s second attack could not be blocked due to the simulation constraints and inability of editing the WiFi Network. However, these measures would have prevented handshake capture or made brute force practically impossible through RockYou.txt.
Second Attack Attempt
After the defenses were (theoretically) applied, Mallory attempted a second attack.
- Handshake Capture Attempt: With WPA3, Mallory would not be able to capture a reusable handshake since SAE does not allow the same offline cracking process used against WPA2.
- Dictionary Attack: Even if attempted, the strong new passphrase would not appear in common wordlists like RockYou.
- WPS Attack: Disabled WPS prevents brute-forcing the PIN.
- MAC Filtering: Mallory’s device would not be allowed to connect, unless they spoofed their MAC.
Result: Mallory’s attack failed. This highlights how modern encryption and layered defenses render such attacks impractical.
Reflection & Lessons Learned
This lab showed how easy it can be to compromise a WPA2 Wi-Fi network with a weak password using open-source tools such as aircrack. My key takeways include:
- Wi-Fi Vulnerabilities: WPA2-PSK networks are only as strong as their passphrase. Weak or dictionary-based passwords can be cracked quickly.
- Ethical Hacking: Controlled pentesting provides insight into security flaws for the company as long as there is explicit approval.
- Best Practices: Always use WPA3 where available, disable insecure features like WPS, enforce strong passphrases, and consider MAC filtering as a secondary safe option for very sensitive networks.
Permission Statement
Due to the nature of this lab and constrictions with my apartment WiFi, I opted to simulate eh environment. Since this was a simulated environment explicit permission was not necessary for this lab.