Ethical Hacking Lesson 33 – Wireless Attacks | Dataplexa

Ethical Hacking

I. Foundations & Hacking Mindset
1. What is Ethical Hacking 2. Hacker Types & Motivations 3. Legal & Ethical Considerations 4. Hacking Methodologies 5. Cyber Kill Chain 6. Footprinting & Reconnaissance 7. Passive vs Active Recon 8. Information Gathering Tools 9. Hacking Lab Setup 10. Kali Linux Overview
II. Reconnaissance & Scanning
11. DNS Enumeration 12. Whois & Network Enumeration 13. Google Dorking 14. Nmap Scanning 15. Port Scanning 16. Service Enumeration 17. Vulnerability Scanning 18. Nessus & OpenVAS 19. Banner Grabbing 20. Recon Best Practices
III. System & Network Attacks
21. Password Cracking 22. Brute Force Attacks 23. Credential Harvesting 24. Exploiting Misconfigurations 25. Linux System Attacks 26. Windows System Attacks 27. Privilege Escalation 28. Malware Concepts 29. Backdoors & Trojans 30. Network Sniffing 31. MITM Attacks 32. DoS Attacks 33. Wireless Attacks 34. Covering Tracks 35. Attack Mitigation
IV. Web Hacking & Real World
36. Web Architecture 37. OWASP Top 10 38. SQL Injection 39. Cross-Site Scripting (XSS) 40. Authentication Attacks 41. Session Hijacking 42. File Upload Vulnerabilities 43. API Security 44. Tools Summary 45. Mini Project – Ethical Hacking Lab
System & Network Attacks · Lesson 33

Wireless Attacks

Wireless networks are unique in the attack surface they present — the signal extends beyond walls, beyond the building, sometimes beyond the car park. Anyone within range can attempt to interact with a wireless network without being physically inside the premises. This lesson covers how that exposure is exploited and how it is assessed in a pen test.

Why wireless security is harder than it looks

A wired network requires physical access to attack — you need to plug something in. A wireless network broadcasts its existence to anyone with a receiver. The SSID, the signal strength, the encryption type, and the authentication method are all visible to a laptop sitting in the car park outside your office. The network itself is the advertisement.

Most organisations deploy wireless correctly on the surface — WPA2 encryption, strong passwords, hidden SSIDs — and consider the job done. The problems surface in the gaps: guest networks that are not properly isolated from internal infrastructure, corporate devices that remember every network they have ever connected to and will auto-connect to anything broadcasting the right SSID, and WPA2 passwords that have never been changed since the network was installed five years ago and are sitting in a Post-it note on the IT manager's desk.

WPA2 — how it works and where it fails

WPA2-Personal — the version used in most homes and small businesses — uses a pre-shared key. Everyone who knows the Wi-Fi password can derive the encryption keys for the network. The handshake that occurs when a device connects to the access point — the four-way handshake — contains enough information to allow offline password cracking. An attacker who captures that handshake can take it away and test millions of password candidates against it without ever interacting with the network again.

WPA2-Enterprise — the version used in larger organisations — uses individual credentials per user, typically validated through a RADIUS authentication server. Each user has their own login. There is no single shared password that, if cracked, gives access to the entire network. WPA2-Enterprise significantly raises the bar but introduces its own complexity: misconfigured RADIUS servers, improperly validated certificates, and users who accept certificate warnings rather than reporting them are all failure modes.

WPA3 — the current standard — addresses several WPA2 weaknesses including the offline cracking problem. WPA3's Simultaneous Authentication of Equals handshake does not expose enough information for offline dictionary attacks. However, WPA3 adoption remains slow. The vast majority of real-world networks a pen tester encounters are still WPA2, and even WPA3 networks frequently support WPA2 in transition mode for backward compatibility — which means attackers can force clients to use the weaker protocol.

Capturing the WPA2 handshake

To capture a WPA2 handshake, a wireless adapter in monitor mode is needed — a mode that allows the card to capture all wireless frames rather than just those addressed to it. Not all wireless adapters support monitor mode. The Alfa AWUS036ACH is the standard choice for pen testing wireless networks because it supports monitor mode and packet injection reliably.

The scenario: You are assessing a client's office wireless network. The scope explicitly covers wireless security assessment. You want to capture the WPA2 four-way handshake so you can test whether the network password is in a common wordlist. This is authorised wireless pen testing — treat it identically to any other active engagement technique.

# Step 1 — identify the wireless interface name
# iwconfig lists all wireless interfaces and their current mode
iwconfig

# Step 2 — put the wireless adapter into monitor mode
# airmon-ng start enables monitor mode on the specified interface
# The interface is renamed — typically wlan0 becomes wlan0mon
# Kill any processes that might interfere with monitor mode
airmon-ng check kill
airmon-ng start wlan0

# Step 3 — scan for nearby wireless networks
# airodump-ng lists all visible access points with their BSSID, channel,
# signal strength, encryption type, and SSID
# -i specifies the monitor mode interface
airodump-ng wlan0mon

# Step 4 — target a specific network and capture its handshake
# --bssid  the MAC address of the target access point
# --channel  the Wi-Fi channel the AP is broadcasting on
# -w  the filename prefix for the captured data files
# The capture runs until a four-way handshake is seen in the top-right corner
airodump-ng --bssid AA:BB:CC:DD:EE:FF \
  --channel 6 \
  -w /tmp/handshake_capture \
  wlan0mon

# Step 5 — speed up handshake capture by deauthenticating a connected client
# This forces the client to reconnect and perform a new handshake immediately
# -0  send deauth frames  15 = number of deauth packets to send
# -a  the access point BSSID  -c  the client MAC address to deauthenticate
# Run this in a second terminal while airodump-ng is still capturing
aireplay-ng -0 15 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

Breaking it down:

WPA handshake: AA:BB:CC:DD:EE:FF — confirmed capture
The top-right corner of airodump-ng displays this message the moment a complete four-way handshake is captured. Once you see it, the capture file contains everything needed for offline cracking. At this point the active capture can be stopped — no further interaction with the wireless network is required. The cracking phase happens entirely on your local machine.
Deauthentication frames — the active approach
The 802.11 standard includes deauthentication frames that can be sent by the access point to disconnect a client. These frames have no authentication in WPA2 — any device can send them, claiming to be the access point. Sending forged deauth frames to a connected client forces a disconnect, and the client immediately reconnects — triggering the four-way handshake that airodump-ng captures. If you are willing to wait, a passive capture will catch the handshake the next time any client connects naturally.
ENC: WPA2 AUTH: PSK
PSK means Pre-Shared Key — this is WPA2-Personal. Every user knows the same password. Cracking the handshake reveals that one password and gives access to the entire network. If this were WPA2-Enterprise (showing EAP in the AUTH column), the attack would be more complex — no single shared password exists to crack. The AUTH column in airodump-ng output is one of the first things to check when assessing a target network.

Cracking the captured handshake with aircrack-ng

Once the handshake is captured, cracking is identical in principle to offline hash cracking from Lesson 21. The captured file contains the WPA2 handshake material. aircrack-ng hashes each password candidate from a wordlist and compares it against the captured handshake. A match means the password is found. Speed depends entirely on the machine's CPU — for faster cracking, hashcat can target WPA2 handshakes with GPU acceleration using mode 22000 after converting the capture file with the hcxtools suite.

# Crack the WPA2 handshake using aircrack-ng and a wordlist
# -w  path to the wordlist file
# -b  the BSSID of the target access point (helps if multiple networks were captured)
# The last argument is the capture file (.cap extension)

aircrack-ng -w /usr/share/wordlists/rockyou.txt \
  -b AA:BB:CC:DD:EE:FF \
  /tmp/handshake_capture-01.cap

# For faster GPU-accelerated cracking using hashcat:
# Step 1 — convert the .cap file to hashcat's format using hcxtools
hcxpcapngtool -o /tmp/handshake.hc22000 /tmp/handshake_capture-01.cap

# Step 2 — crack with hashcat using WPA2 mode (22000)
# -m 22000  WPA2/WPA3 hash mode
# -a 0      dictionary attack
hashcat -m 22000 -a 0 \
  /tmp/handshake.hc22000 \
  /usr/share/wordlists/rockyou.txt

Breaking it down:

KEY FOUND! CompanyName2019!
The password follows the classic enterprise password pattern — company name plus a year plus an exclamation mark. This style of password satisfies most complexity policies (uppercase, lowercase, number, symbol) while being completely predictable. Rockyou.txt does not contain it as a literal entry, but a wordlist built from the company name during the OSINT phase — combined with common year and symbol suffixes — would catch it in seconds. This is the moment where good pre-engagement recon pays off during the wireless phase.
7,200 keys per second on CPU vs GPU
aircrack-ng on CPU runs approximately 7,200 passwords per second for WPA2 — substantially slower than MD5 cracking because WPA2 uses PBKDF2 with 4,096 rounds of HMAC-SHA1, making each candidate compute-intensive by design. hashcat on an RTX 3070 GPU achieves approximately 400,000 WPA2 candidates per second — still far slower than MD5 but fast enough to exhaust a 14-million-entry wordlist in about 35 seconds.

Evil twin access points — attacking the client, not the network

Cracking WPA2 requires capturing a handshake and running a wordlist. An evil twin attack takes a completely different approach — instead of attacking the cryptography, it attacks the user's trust in the network name. The attacker creates a rogue access point broadcasting the same SSID as the legitimate network, sends deauthentication frames to push clients off the real network, and waits for them to connect to the fake one instead.

Once connected to the evil twin, the attacker can present a captive portal — a fake login page — asking the user to re-enter the Wi-Fi password to "verify their identity." Many users comply without suspicion, handing over the network password directly. The rogue AP can also perform a MITM attack against everything the victim transmits — all traffic flows through the attacker's machine before being forwarded to the real internet.

This attack is particularly effective in environments where employees regularly connect to guest Wi-Fi networks in hotel lobbies, airport lounges, and conference centres. Corporate devices that auto-connect to remembered SSIDs will silently join an evil twin broadcasting a familiar SSID — without the user doing anything at all.

EVIL TWIN ATTACK — step by step
1

Survey and identify the target SSID and BSSID

Run airodump-ng to identify the target network, its operating channel, and the MAC addresses of connected clients. The rogue AP needs to broadcast on a different channel from the real one — otherwise signal interference causes connectivity problems that alert users something is wrong.

2

Create the rogue access point with hostapd

hostapd creates a software access point broadcasting the target SSID. The rogue AP can be configured as open (no password) — clients connecting to it will see the familiar network name and connect. Tools like bettercap and airbase-ng simplify the full rogue AP setup including DHCP assignment and internet forwarding.

3

Deauthenticate clients from the real network

Send continuous deauth frames to connected clients forcing them to disconnect from the legitimate AP. Their devices automatically scan for and connect to the strongest available network broadcasting the same SSID — which is the rogue AP at full signal strength because it is physically closer.

4

Deploy a captive portal to capture the password

A fake login page matching the organisation's branding asks for the Wi-Fi password to "reconnect." Users who enter it have handed over the real network credential. The portal can be built to look convincingly like a legitimate corporate re-authentication page — matching logos, colours, and copy from the client's real login page.

5

MITM all traffic from connected clients

All traffic from connected clients flows through the attacker's machine before reaching the real internet. Run the same interception techniques from Lessons 30 and 31 — tcpdump, Wireshark, credential extraction. Any plaintext protocol traffic is fully readable. SSL stripping can be applied to HTTP sessions that would otherwise be upgraded to HTTPS.

Wireless vulnerabilities beyond WPA2 cracking

WPA2 handshake cracking and evil twin attacks get the most attention in wireless pen testing — but the full wireless assessment covers several additional areas that are frequently overlooked and consistently produce findings in real engagements.

Guest network isolation

Guest wireless networks should be completely isolated from corporate infrastructure — no access to internal servers, printers, or any other network resource. Failure to enforce this isolation is one of the most common wireless findings. A guest network that can reach internal IP ranges bypasses all the perimeter security that protects the corporate network from the internet. The test is simple: connect to the guest network and attempt to reach internal IP ranges with ping and nmap. Finding open internal services from a guest connection is a critical misconfiguration finding.

WPS PIN vulnerability

Wi-Fi Protected Setup uses an 8-digit PIN to simplify device registration. Due to a design flaw, the PIN is validated in two 4-digit halves independently — reducing the effective keyspace from 100 million to 11,000 combinations. The Reaver tool exploits this to brute-force the WPS PIN and recover the WPA2 password directly, bypassing the need to capture and crack a handshake. WPS should be disabled on any production access point. Many routers still ship with it enabled by default.

Rogue access points planted by employees

Employees who find the corporate wireless policy too restrictive sometimes plug personal routers or wireless access points into corporate ethernet ports — creating an unsanctioned wireless network that bypasses all wireless security controls. These rogue APs are typically unencrypted, not monitored, and provide direct access to the corporate wired network to anyone within range of the signal. Wireless intrusion detection systems monitor for APs broadcasting from within the corporate IP space and alert on any device not in the approved AP inventory.

PMKID attack — no client interaction needed

Discovered in 2018, the PMKID attack captures a single frame from the access point beacon — no connected client and no four-way handshake required. The PMKID value in the frame is derived from the pre-shared key and can be used for offline dictionary cracking in exactly the same way as a captured handshake. hcxdumptool captures PMKID frames and hcxtools converts them for hashcat. On networks with no currently connected clients where capturing a handshake would require waiting, the PMKID method is more practical.

Wireless security best practices

A thorough wireless pen test produces findings across multiple categories. The remediation recommendations need to be equally specific — not "improve wireless security" but specific configuration changes with measurable outcomes.

WIRELESS SECURITY CONTROLS — what to recommend
Control What it addresses Priority
WPA3 or WPA2-Enterprise WPA3 eliminates offline cracking via SAE handshake. WPA2-Enterprise eliminates the shared-password problem with per-user credentials through RADIUS. Critical
Disable WPS Eliminates the Reaver PIN brute-force attack path. WPS provides no benefit in a managed enterprise environment. Critical
Guest network VLAN isolation Prevents guest users from reaching internal networks. Should be tested by attempting to ping and scan internal IP ranges from the guest network. Critical
Wireless IDS monitoring Detects rogue access points, deauthentication attacks, and evil twin attempts. Alerts on any AP broadcasting a known SSID from an unknown BSSID. High
Strong unique passphrase Where WPA2-PSK must be used, a passphrase of 20+ random characters resists dictionary attacks entirely. Rotate annually and whenever an employee who knew it leaves. High

Teacher's Note: Wireless pen testing requires a dedicated wireless adapter that supports monitor mode and packet injection — the built-in adapter in most laptops does not. The Alfa AWUS036ACH and AWUS036NHA are the standard choices. Check that your adapter supports both before arriving at a client engagement — finding out it does not work in the car park is not ideal timing.

Quiz

Scenario:

A pen tester captures a WPA2-PSK four-way handshake and stops interacting with the target network entirely. They take the capture file home and spend the evening running a dictionary attack against it. The next morning they have the network password. The client asks how cracking the password was possible without staying connected to or repeatedly probing their network. What is the explanation?

Scenario:

A pen tester is assessing a company's wireless security and wants to verify whether the guest Wi-Fi network is properly isolated from the corporate internal network. The IT manager insists the networks are on separate VLANs and therefore isolated. What specific test should the pen tester perform to verify or disprove this claim?

Scenario:

A pen tester runs Reaver against an access point with WPS enabled and successfully recovers the WPA2 password within a few hours without capturing or cracking any handshake. The client is confused — their WPA2 password is 16 characters and they assumed it would take years to crack. What design flaw in WPS made this attack possible?

Up Next · Lesson 34

Covering Tracks

Log clearing, artefact removal, and how attackers erase evidence of their presence — and what defenders watch for to catch them doing it.

← Previous Course Index Next →