Wireless pen testing: capture WPA2 handshake (aircrack-ng) → crack with hashcat, test WPS (pixie dust attack), deploy evil twin AP, check for rogue APs, test 802.1X configuration.
WPA2-PSK: airdump-ng → airodump to capture handshake → hashcat -m 22000 for cracking. WPS PIN attack: reaver or bully (many APs now disable WPS). Evil twin: create same SSID, force deauth, capture credentials. Always verify scope includes wireless testing explicitly.