:::info Last tested Kali Linux 2025.4 · HexStrike AI (Kali package 2025.4 repo) · May 2026. Results may vary on other versions. :::
Authorization required. All techniques on this page are for use in authorized lab environments only. Never test against systems you do not own or have explicit written permission to assess. Document scope, maintain an audit log, and obtain approval before executing any exploitation step.
AI-Driven Wireless Penetration Testing. One Prompt WIFI cracking
Using Aircrack-ng with HexStrike-AI and Gemini-CLI
AI-Driven Wireless Penetration Testing. One Prompt WIFI cracking
Using Aircrack-ng with HexStrike-AI and Gemini-CLI
Introduction
Wireless penetration testing is traditionally a manual, error-prone process :
capturing handshakes, guessing attack paths, retrying failed steps, and correlating outputs by hand.
By combining:
- Aircrack-ng (low-level Wi-Fi attack tooling)
Full manual guide for Aircrack-ng here:https://medium.com/@1200km/wifi-cracking-with-aircrack-ng-d51cf98c789f
- HexStrike-AI (local execution and orchestration)
- Gemini-CLI (LLM-driven reasoning via MCP)
we can transform Wi-Fi testing into a goal-driven, adaptive workflow , where the AI:
- decides what to do next,
- reacts to failures,
- and chains findings logically.
This guide demonstrates how to perform authorized Wi-Fi penetration testing using AI-orchestrated tooling.
If you like this research, buy me a coffee (PayPal) — Keep the lab running
Architecture Overview
User (High-level prompt)
↓
Gemini-CLI (Reasoning & decision making)
↓ MCP
HexStrike-AI (Local execution)
↓
Aircrack-ng suite (airodump-ng, aireplay-ng, aircrack-ng)
Key principle:
You describe intent , not commands.
Prerequisites
Environment
- Kali Linux (VM or bare metal)
- External Wi-Fi adapter with monitor mode support
- HexStrike-AI installed and running
- Gemini-CLI configured with HexStrike MCP
- Explicit authorization to test the target network
Required tools (already in Kali)
airmon-ngairodump-ngaireplay-ngaircrack-ngmacchanger(optional)
Prompt
>@hexstrike
Perform an authorized wireless penetration test against the Wi-Fi network
First show me all aviable interfaces:
Then show me all aviable SSID/ESSID
aircrack-ng toolset.
Capture a WPA/WPA2 handshake and attempt offline cracking using:
/path/to/wordlist.txt
Do it agressive, Keep scans short with time out, stop on success or timeout, and produce a brief report
with results and remediation.
What happened (step by step)
1. Interface discovery
- HexStrike queried the system for wireless interfaces.
- Result:
wlan0was identified as the only usable wireless interface (RTL8821AU chipset).
2. Monitor mode enablement
airmon-ng start wlan0was executed.- Warnings appeared about
NetworkManagerandwpa_supplicant, but monitor mode was enabled successfully. - Result:
wlan0entered monitor mode and was usable for capture/injection.
3. Initial wireless scan
airodump-ngran for ~30 seconds.- Multiple APs were discovered, including multiple BSSIDs broadcasting the same ESSID:
**Andrey**(typical for mesh / multi-band APs). - Encryption observed: WPA2-PSK.
4. Target selection (first attempt)
- Selected BSSID
D6:35:1D:AD:F5:C0(channel 64). - Clients were detected.
- Several deauthentication attempts failed with:
No such BSSID available- Channel drift / driver instability
- Multiple retries were attempted, including interface reset.
- Result: No valid handshake captured on this BSSID.
5. Pivot to another AP (same ESSID)
- Switched to BSSID
A2:B5:3C:89:CB:52(channel 1). - This AP had multiple active clients and stable channel behavior.
- Key decision: Correct pivot based on runtime conditions.
6. Handshake capture
airodump-ngran in the background.aireplay-ngdeauthentication was executed against an active client.
- This time, the deauth succeeded.
- Result: A valid WPA2 handshake was captured.
Verification:
aircrack-ng handshake_capture_3-01.cap- Output confirmed: “WPA (1 handshake)”
7. Offline cracking
- Dictionary attack launched using:
/path/to/wordlist.txt- Cracking speed: ~2500 keys/sec
- Password found almost immediately.
Recovered key:
A0542553383#
Final result
Outcome
- The Wi-Fi network “Andrey” was successfully compromised offline.
- No live brute-force was required.
- Attack chain:
Capture handshake → Offline dictionary attack → Key recovery
Recovered password
A0542553383#
Key technical observations
- The first failure was not logical — it was physical
- Channel instability + driver behavior caused deauth failure.
- HexStrike correctly adapted by pivoting to another AP.
2. Same ESSID ≠ same attack surface
- One BSSID was unreliable.
- Another BSSID under the same SSID was fully exploitable.
3. Password strength illusion
- The password looks “complex” (numbers + symbol),
- but it existed in a wordlist → effectively weak.
4. AI orchestration worked as intended
- Tool chaining
- Runtime decision-making
- Failure handling
- Logical pivoting
- Clean reporting
This was not a single-command crack — it was a full, adaptive PT flow.
Andrey Pautov
If you like this research, buy me a coffee (PayPal) — Keep the lab running
By Andrey Pautov on December 24, 2025.
Exported from Medium on May 15, 2026.