# Wireless Network Hacking: WiFi Security and Penetration Testing
Introduction to Wireless Security
Wireless networks present unique security challenges that differ significantly from wired networks. The broadcast nature of WiFi signals means that anyone within range can potentially capture and analyze network traffic, making wireless security a critical concern for organizations of all sizes.
Understanding wireless attack techniques is essential for security professionals conducting penetration tests and for organizations seeking to protect their networks.
WiFi Security Protocols
WEP (Wired Equivalent Privacy)
The original WiFi security protocol, now thoroughly deprecated. WEP weaknesses include RC4 encryption with weak IVs, 24-bit initialization vectors, and attack tools that can crack in minutes.
WEP cracking with aircrack-ng: airodump-ng --channel 6 --bssid AA:BB:CC:DD:EE:FF --write wep_capture wlan0mon. Once enough packets are captured, use aircrack-ng wep_capture-01.cap.
WPA/WPA2 (WiFi Protected Access)
The current standard for WiFi security. WPA-Personal uses password-based authentication with PSK (Pre-Shared Key), vulnerable to brute force if weak password. WPA-Enterprise uses individual credentials per user via 802.1X authentication, more secure but complex to implement.
WPA/WPA2 security mechanisms include TKIP (Temporal Key Integrity Protocol) with per-packet key mixing and 48-bit IV, and CCMP (Counter Mode CBC-MAC Protocol) using AES encryption with stronger integrity protection.
WPA3
The latest WiFi security standard with SAE (Simultaneous Authentication of Equals) providing password-based key exchange resistant to offline dictionary attacks. Enhanced Open provides Opportunistic Wireless Encryption for open networks using DHE or other key exchange. 192-bit Security Suite provides minimum strength for government and enterprise use.
WiFi Attack Methodology
Phase 1: Reconnaissance
Start monitor mode with airmon-ng start wlan0. Discover networks with airodump-ng wlan0mon. Get detailed information on specific network with airodump-ng --channel 6 --bssid AA:BB:CC:DD:EE:FF --write capture wlan0mon.
Information gathering includes SSID (network name), BSSID (access point MAC address), channel, security protocol (WPA/WPA2/WEP/Open), connected clients, and signal strength.
Phase 2: Capturing Handshakes
Monitor specific channel with airodump-ng --channel 6 --bssid AA:BB:CC:DD:EE:FF --write handshake wlan0mon. Wait for natural reconnection or use deauthentication attack (faster): aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon where -0 is deauth count.
Verify handshake captured with aircrack-ng -w /dev/null handshake-01.cap looking for "WPA handshake: AA:BB:CC:DD:EE:FF".
Phase 3: Password Cracking
Convert capture to Hashcat format: cap2hccapx handshake-01.cap handshake.hccapx. Crack with dictionary: hashcat -m 2500 -a 0 handshake.hccapx rockyou.txt. Or use Aircrack-ng: aircrack-ng -w wordlist.txt handshake-01.cap.
Rule-based attacks: hashcat -m 2500 -a 0 handshake.hccapx rockyou.txt -j "c" -k "$1!".
Phase 4: Post-Cracking Access
Once password obtained, use NetworkManager or wpa_supplicant with wpa_passphrase "SSID" "password" > wpa_supplicant.conf, then wpa_supplicant -i wlan0 -c wpa_supplicant.conf, and dhclient wlan0. Start reconnaissance on network with nmap -sn 192.168.1.0/24.
Advanced Wireless Attacks
Rogue Access Point Attack
Create malicious access point to capture credentials using hostapd with configuration for interface, SSID, channel, driver, authentication (WPA2), and password.
Setup for credential harvesting includes using dnsmasq for DHCP and DNS with configuration for interface, DHCP range, and DNS forwarding.
Evil Twin Attack
Spoof legitimate access point to intercept traffic by setting up access point with same SSID, creating stronger signal to attract clients, using deauth on legitimate AP to force reconnection, and capturing and monitoring traffic.
Karma Attack
Responding to all probe requests regardless of SSID. Enable karma module in hostapd with empty SSID. Client devices auto-connect if configured for that network.
WPS (WiFi Protected Setup) Attacks
WPS was designed to simplify WiFi setup but introduces vulnerabilities. Check if WPS is enabled with wash -i wlan0mon. Attack WPS-enabled router with reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv or bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon.
WPS attack process: extract WPS information, start brute force on PIN (4 digits + 4 digits = 20,000 combinations), first 4 digits validated separately, once PIN found PSK can be derived, and full WPA password recovered.
Wireless Defense Strategies
Network Design
Segmentation with separate VLANs for Guest (isolation enabled), Corporate (required 802.1X), and IoT (strict isolation). Strong encryption using WPA3-Enterprise with AES-256-GCM, auth using 802.1X/RADIUS, and certificate using WPA3-Certified.
Strong Pre-Shared Key Management
Password requirements: minimum 16 characters, random characters with no dictionary words, include all character classes, and generated with secure random.
Generate strong PSK with python3 -c "import secrets; print(secrets.token_urlsafe(24))" producing output like aB3kL9mN2pQ5rT8vW1xY4zA6bC7dE0f. Implement regular rotation every 90 days with immediate rotation on suspected compromise.
802.1X Enterprise Authentication
Components include Access Point (authenticator), RADIUS Server (authentication server), and User Device (supplicant). Authentication flow: user connects to WiFi, AP requests credentials, supplicant sends credentials to AP, AP forwards to RADIUS server, RADIUS validates against directory, and access granted or denied.
Supported protocols include EAP-TLS (certificate-based), EAP-TTLS (tunneled), PEAP (Protected EAP), and LEAP (legacy, deprecated).
Rogue AP Detection
Use airmon-ng monitoring with airodump-ng wlan0mon and compare AP list against authorized list watching for unexpected SSIDs and monitoring for evil twin indicators. Use WIDS/WIPS tools like AirDefense, Cisco CleanAir, and Aruba Spectrum Analyzer.
Wireless Penetration Testing Methodology
Planning and Scoping
Define targets (WPA2-Enterprise, WPA2-PSK, Guest), locations (Headquarters, Branch Office), testing types (Pre-shared key recovery, Enterprise credential harvesting, Rogue access point detection, Client isolation bypass), and constraints (No DoS testing during business hours, Test only designated networks, Minimize client disconnection).
Assessment Phases
Phase 1: Passive reconnaissance with airodump-ng wlan0mon --write pentest_data. Phase 2: Active testing including WPS attacks with reaver -i wlan0mon -b TARGET_BSSID -vv and PSK cracking with hashcat -m 2500 handshake.hccapx wordlist.txt after capturing handshake.
Common Wireless Vulnerabilities
Configuration Weaknesses
Default SSIDs revealing make/model, broadcast SSID making network discoverable, WPS Enabled providing brute force vulnerability, Weak PSK enabling dictionary attack vulnerability, and Open Networks with no encryption.
Implementation Flaws
Isolation Bypass allowing clients to communicate directly, Certificate Validation issues in custom apps, Legacy Protocol Fallback to WEP, and Hidden SSID Discovery revealing names through passive monitoring.
Management Plane Issues
Default Credentials on admin interface, Firmware Vulnerabilities from outdated firmware, Management VLAN misconfiguration, and Remote Management exposure.
Real-World Attack Scenarios
Office Network Compromise
Attacker parks in parking lot, discovers networks with airodump-ng wlan0mon, captures handshake with aireplay-ng -0 10 -a TARGET_BSSID wlan0mon, cracks password with hashcat -m 2500 handshake.hccapx rockyou.txt, connects using cracked PSK, and performs internal reconnaissance with nmap -sn 192.168.1.0/24.
Guest Network Exploitation
Capture and analyze guest traffic with Wireshark using filter "not broadcast and not multicast". Look for unencrypted credentials, session tokens, and internal server IPs.
Frequently Asked Questions
Can WPA3 be cracked?
WPA3 with SAE is highly resistant to offline attacks due to Dragonfly handshake. However, transitional mode networks that support WPA2 may be vulnerable to traditional WPA2 attacks. Implementation flaws in specific devices may also create vulnerabilities.
How long does it take to crack WPA2?
WPA2 cracking time depends on password strength. A weak password from rockyou.txt might crack in minutes. An 8-character random password could take years with a single GPU. A 12+ character random password with all character classes is effectively uncrackable.
Is WPS completely insecure?
WPS has serious vulnerabilities and should be disabled on all devices. The PIN brute force attack can recover the PSK in hours on most devices. Some implementations also leak the PIN through evil twin attacks.
Can wireless traffic be decrypted without cracking?
In certain scenarios, yes. If the PSK is known, all traffic can be decrypted. With WPA2-Enterprise, if valid certificates are obtained, traffic can be intercepted. Some implementations have flaws that enable decryption without the PSK.
How do I secure my home WiFi?
Use WPA3 if available, or WPA2-AES with strong random password of 16+ characters. Disable WPS. Use strong admin password. Keep firmware updated. Consider VLAN segmentation for IoT devices.
What is the safest wireless configuration?
WPA3-Enterprise with certificates provides the highest security. If enterprise auth is not possible, WPA3-Personal with SAE and strong random password offers excellent protection. Enable rogue AP detection and monitor for suspicious access points.
Conclusion
Wireless network security remains a critical concern as WiFi usage continues to grow. Understanding attack techniques enables security professionals to conduct thorough penetration tests and helps organizations implement appropriate defenses.
Key takeaways include WPA2/WPA3 with strong credentials providing reasonable security, WPS should always be disabled, Enterprise authentication (802.1X) offering superior protection, regular penetration testing identifying vulnerabilities, and defense in depth combining multiple security layers.
Cyber Defence offers comprehensive wireless security training as part of our ethical hacking courses. Learn both offensive and defensive techniques for WiFi security through hands-on labs.
Master wireless security testing. Protect your organization network from wireless attacks.