What starting position does this attack require?

The first step is Authenticate to the network (T1078) — a initial access primitive. Assumed environment: target Wi-Fi is WPA2-PSK (not enterprise).

What is the final impact of this kill-chain?

The final step lands on aireplay-ng deauth a client (WIFI-DEAUTH), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

WPA2-PSK handshake capture + crack → LAN access

Deauth a connected client to force re-association, capture the 4-way handshake with airodump-ng, crack the PSK offline with hashcat.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Authenticate to the network

T1078 · Valid Accounts

Credential Access

hashcat -m 22000 offline

T1110 · Brute Force

Reconnaissance

airodump-ng → enumerate APs + clients

N-ARP-RECON · ARP Sweep / LAN Discovery

Discovery

Internal nmap + LLMNR poison

N-NMAP-INTERNAL · Internal Nmap Sweep

Credential Access

Capture 4-way handshake

WIFI-WPA2-PSK · WPA2-PSK Handshake Capture + Crack

Impact

aireplay-ng deauth a client

WIFI-DEAUTH · Deauthentication DoS

§ Context

Assumed environment: target Wi-Fi is WPA2-PSK (not enterprise). At least one client is currently associated. Attacker is in RF range with a monitor-mode-capable card.

§ Steps

01
Authenticate to the networkInitial Access
T1078— Valid Accounts
02
hashcat -m 22000 offlineCredential Access
T1110— Brute Force
03
airodump-ng → enumerate APs + clientsReconnaissance
N-ARP-RECON— ARP Sweep / LAN Discovery
04
Internal nmap + LLMNR poisonDiscovery
N-NMAP-INTERNAL— Internal Nmap Sweep
05
Capture 4-way handshakeCredential Access
WIFI-WPA2-PSK— WPA2-PSK Handshake Capture + Crack
06
aireplay-ng deauth a clientImpact
WIFI-DEAUTH— Deauthentication DoS

§ References

T1078Valid Accounts
T1110Brute Force

§ Frequently asked

What is the "WPA2-PSK handshake capture + crack → LAN access" attack path?: Deauth a connected client to force re-association, capture the 4-way handshake with airodump-ng, crack the PSK offline with hashcat. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate to the network (T1078) — a initial access primitive. Assumed environment: target Wi-Fi is WPA2-PSK (not enterprise).
What is the final impact of this kill-chain?: The final step lands on aireplay-ng deauth a client (WIFI-DEAUTH), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

WPA2-PSK handshake capture + crack → LAN access

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Evil twin + captive portal → credential harvest

PMKID attack → offline crack with no client interaction

802.1X NAC bypass via printer MAC spoof

Industroyer2 IEC-104 substation hijack

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

z/OS TN3270 → RACF userID brute → mainframe shell