
Greyhound: Directed Greybox Wi-Fi Fuzzing


Abstract:

The recent rise in complex Wi-Fi vulnerabilities, such as KRACK and Dragonslayer, indicates the critical need for effective Wi-Fi protocol testing tools. In this article, we conceptualize, design and implement a directed fuzzing methodology named Greyhound that automatically tests Wi-Fi client implementations for vulnerabilities such as crashes or non-compliant behaviors. Leveraging a holistic Wi-Fi protocol model, Greyhound directs the fuzzer into specific states of the target Wi-Fi client. By exchanging mutated packets with the client, Greyhound aims to induce anomalous behaviors that deviate significantly from the Wi-Fi protocols. We have implemented Greyhound and evaluated it on a variety of real-world Wi-Fi clients, including a smartphone, a Raspberry Pi, IoT microcontrollers and a medical device. Our evaluation indicates that Greyhound not only automatically discovers known vulnerabilities (including KRACK and Dragonslayer) that would otherwise require specialized verification, but, more importantly, has also uncovered four new vulnerabilities in popular Wi-Fi client devices. All discovered vulnerabilities have been confirmed by the manufacturers and have been assigned three different Common Vulnerabilities and Exposures (CVE) IDs. We also won a bug bounty of 2,200 USD for discovering these vulnerabilities. Furthermore, our evaluation of three existing Wi-Fi fuzz testing tools reveals that none of them discovers any of the vulnerabilities (including crashes) uncovered by Greyhound. Last but not least, we have deployed Greyhound to test the Wi-Fi client implementations on automotive head units, where it automatically discovers KRACK, Dragonslayer and other anomalies. Such a real-world trial justifies the necessity and efficacy of Greyhound.
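The abstract describes the approach only at a high level: a protocol model steers the fuzzer into a chosen client state, mutated packets are exchanged there, and the client's reaction is judged against the model as either a crash or a non-compliant deviation. The following is an added illustration of that idea written for this page; it is not Greyhound's code, and the simplified 802.11 state table, the in-process simulated client and its two planted bugs (an oversized association response that crashes the parser, and EAPOL replay counters that are recorded but never checked for freshness) are all constructed assumptions. The point it makes is why direction matters: the same mutations applied in the initial state find nothing, while driving the client to the handshake state first exposes the replay-counter bug.

```python
"""Constructed illustration of state-directed protocol fuzzing with a protocol-model
oracle. The state table, the simulated client and its planted bugs are made up for
this example; none of this is Greyhound's code or a real Wi-Fi stack."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified 802.11 client state model (constructed): in each state the AP side
# sends one frame type and a compliant client advances to the next state.
PROTOCOL_MODEL = {
    "UNAUTH":    ("AUTH_RESP",  "AUTH"),
    "AUTH":      ("ASSOC_RESP", "ASSOC"),
    "ASSOC":     ("EAPOL_MSG1", "HANDSHAKE"),
    "HANDSHAKE": ("EAPOL_MSG3", "CONNECTED"),
}


@dataclass
class Frame:
    ftype: str
    replay_counter: int = 0     # only meaningful for EAPOL frames
    payload_len: int = 16


class ClientCrash(Exception):
    """Stands in for a watchdog reset or an unresponsive device under test."""


@dataclass
class SimClient:
    """Simulated client with two planted bugs (assumed for the example):
    (1) an oversized ASSOC_RESP payload crashes the association parser;
    (2) EAPOL replay counters are recorded but a stale counter is never rejected."""
    state: str = "UNAUTH"
    last_replay: int = -1

    def receive(self, frame: Frame) -> Optional[str]:
        expected, next_state = PROTOCOL_MODEL.get(self.state, (None, None))
        if frame.ftype == "ASSOC_RESP" and frame.payload_len > 256:
            raise ClientCrash("association parser overflow")          # planted bug 1
        if frame.ftype != expected:
            return None                      # compliant: drop frames not expected here
        if frame.ftype.startswith("EAPOL"):
            # planted bug 2: no "replay_counter <= last_replay -> drop" check
            self.last_replay = max(self.last_replay, frame.replay_counter)
        self.state = next_state
        return "ACK"


def model_expected(state: str, last_replay: int, frame: Frame) -> Tuple[str, Optional[str]]:
    """Compliance oracle: the (state, response) a conforming client must produce."""
    expected, next_state = PROTOCOL_MODEL.get(state, (None, None))
    if frame.ftype != expected:
        return state, None
    if frame.ftype.startswith("EAPOL") and frame.replay_counter <= last_replay:
        return state, None                   # a stale replay counter must be dropped
    return next_state, "ACK"


def benign_frame(client: SimClient) -> Frame:
    """The well-formed frame the model says the AP sends in the client's current state."""
    ftype, _ = PROTOCOL_MODEL[client.state]
    return Frame(ftype, replay_counter=client.last_replay + 1)


def drive_to(client: SimClient, target: str) -> None:
    """Directed part: walk the client along the model until it sits in `target`."""
    while client.state != target:
        client.receive(benign_frame(client))


def mut_oversize(f: Frame, rng: random.Random) -> None:
    f.payload_len = rng.randint(257, 4096)

def mut_stale_counter(f: Frame, rng: random.Random) -> None:
    f.replay_counter -= rng.randint(1, 3)

def mut_wrong_type(f: Frame, rng: random.Random) -> None:
    f.ftype = rng.choice([t for t, _ in PROTOCOL_MODEL.values() if t != f.ftype])

MUTATORS = [mut_oversize, mut_stale_counter, mut_wrong_type]


def fuzz_state(target: str, iterations: int = 6, seed: int = 1) -> List[Tuple[str, str, str]]:
    """Mutate frames only in `target` and compare the client against the oracle.
    Returns the distinct anomalies found as (kind, state, frame_type) tuples."""
    rng = random.Random(seed)
    found = set()
    for i in range(iterations):
        client = SimClient()
        drive_to(client, target)
        frame = benign_frame(client)
        MUTATORS[i % len(MUTATORS)](frame, rng)     # round-robin so every mutator runs
        want = model_expected(client.state, client.last_replay, frame)
        try:
            resp = client.receive(frame)
        except ClientCrash:
            found.add(("crash", target, frame.ftype))
            continue
        if (client.state, resp) != want:
            found.add(("non-compliant", target, frame.ftype))
    return sorted(found)


if __name__ == "__main__":
    for s in PROTOCOL_MODEL:
        print(s, fuzz_state(s))
```

Running the script prints no anomaly for the initial state, the crash once the fuzzer is steered into the authenticated state, and the stale-replay-counter acceptance only after the client has been driven through the first EAPOL message; the oracle is derived from the same model that does the steering, which is what makes a "non-compliant" verdict possible without a crash.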
Published in: IEEE Transactions on Dependable and Secure Computing ( Volume: 19, Issue: 2, 01 March-April 2022)
Page(s): 817 - 834
Date of Publication: 06 August 2020
