Wi-Fi is radio. Anyone within 100 meters can record your packets. Encryption is the only defense. WEP was broken in minutes. WPA2 is solid, but its handshake is vulnerable to offline cracking. WPA3 is the new standard, but it has its own growing pains.

Breaking WPA2 (The 4-Way Handshake)

To crack WPA2, you don't need to be connected. You just need to capture the 4-way handshake that is exchanged when a user joins.
1. Put the wireless card in monitor mode (`airmon-ng`).
2. Force a user off the network (a deauthentication frame).
3. Capture the reconnection handshake.
4. Crack the captured hash offline with `aircrack-ng` or Hashcat. If the password is weak ("password123"), it breaks instantly.

1. Enter WPA3: The Dragonfly Handshake

WPA3 uses SAE (Simultaneous Authentication of Equals), also known as Dragonfly.
Key Feature: It prevents offline dictionary attacks.
Even if you capture the handshake, you cannot test password guesses against it offline. Every guess requires a live exchange with the router, so brute-forcing is throttled to the speed of that exchange and becomes infeasible in practice.
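The difference between "the captured handshake is a password oracle" (WPA2-PSK) and "it is not" (SAE) is the whole point of Dragonfly, so here is a toy model of it. This is an added example, not code from the page or from any WPA3 implementation: the group is a tiny prime-order subgroup mod 1019 (constructed for illustration), the password-to-element step is a plain hash rather than Dragonfly's hunting-and-pecking or hash-to-element, and the PSK side is a simplified stand-in for the real PTK/MIC derivation. The commit/confirm shape does follow Dragonfly: each side sends `scalar = rand + mask` and `element = PE^-mask`, and both derive `PE^(rand * peer_rand)`.

```python
"""Toy model of why a captured SAE (Dragonfly-style) exchange is not an offline password
oracle, beside a PSK-style transcript that is.  Constructed, tiny group parameters:
this is an illustration, not WPA2/WPA3 code."""
import hashlib
import hmac
import secrets

# Quadratic residues mod the safe prime P form a cyclic subgroup of prime order Q = (P-1)/2.
P, Q = 1019, 509


def password_element(password: str, ssid: str) -> int:
    """Map (password, SSID) to a non-identity subgroup element. Simplified stand-in for
    Dragonfly's password-to-element step (hunting-and-pecking or hash-to-element)."""
    for counter in range(256):
        h = hashlib.sha256(f"{ssid}|{password}|{counter}".encode()).digest()
        x = int.from_bytes(h, "big") % P
        if 1 < x < P - 1:
            return pow(x, 2, P)  # squaring lands in the subgroup; x != +-1 keeps it != 1
    raise ValueError("no usable password element")


def sae_commit(pe: int):
    """One side's commit (scalar, element); its private (rand, mask) never leaves the host."""
    while True:
        rand, mask = secrets.randbelow(Q), secrets.randbelow(Q)
        scalar = (rand + mask) % Q
        if rand > 1 and mask > 1 and scalar > 1:
            break
    element = pow(pe, (-mask) % Q, P)  # PE^(-mask)
    return rand, (scalar, element)


def sae_shared_key(pe: int, rand: int, peer_commit) -> bytes:
    """K = (peer_element * PE^peer_scalar)^rand = PE^(rand * peer_rand), identical on both sides."""
    peer_scalar, peer_element = peer_commit
    k = pow(peer_element * pow(pe, peer_scalar, P) % P, rand, P)
    return hashlib.sha256(k.to_bytes(2, "big")).digest()


def sae_confirm(key: bytes, station_commit, ap_commit) -> bytes:
    """Confirm message: a MAC over both commits under the derived key (both sides use this order)."""
    return hmac.new(key, f"{station_commit}|{ap_commit}".encode(), hashlib.sha256).digest()


def sae_commit_consistent_with(candidate: str, ssid: str, observed_element: int) -> bool:
    """Passive observer's question: could `candidate` have produced the observed commit element?
    PE' generates the whole prime-order subgroup, so some mask always fits. Brute-forcing the
    mask over the tiny group shows the answer is 'yes' for every candidate: no offline oracle."""
    pe = password_element(candidate, ssid)
    return any(pow(pe, (-m) % Q, P) == observed_element for m in range(Q))


def psk_model_mic(passphrase: str, ssid: str, nonces: bytes) -> bytes:
    """Simplified PSK model: key derived from passphrase+SSID only, then a MAC over public nonces."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return hmac.new(pmk, nonces, hashlib.sha1).digest()


def psk_guess_verifies(candidate: str, ssid: str, nonces: bytes, observed_mic: bytes) -> bool:
    """With the PSK model, the captured MIC is a yes/no oracle for any offline guess."""
    return hmac.compare_digest(psk_model_mic(candidate, ssid, nonces), observed_mic)


def demo(password="correct horse battery", ssid="ExampleNet",
         candidates=("password123", "correct horse battery", "letmein")):
    """Run one SAE exchange, then play passive observer against both protocols."""
    pe = password_element(password, ssid)
    sta_rand, sta_commit = sae_commit(pe)   # station
    ap_rand, ap_commit = sae_commit(pe)     # access point
    k_sta = sae_shared_key(pe, sta_rand, ap_commit)
    k_ap = sae_shared_key(pe, ap_rand, sta_commit)
    handshake_ok = k_sta == k_ap and hmac.compare_digest(
        sae_confirm(k_sta, sta_commit, ap_commit), sae_confirm(k_ap, sta_commit, ap_commit))
    sae_oracle = {c: sae_commit_consistent_with(c, ssid, sta_commit[1]) for c in candidates}
    nonces = b"constructed-anonce|constructed-snonce"   # public values in the PSK model
    mic = psk_model_mic(password, ssid, nonces)
    psk_oracle = {c: psk_guess_verifies(c, ssid, nonces, mic) for c in candidates}
    return handshake_ok, sae_oracle, psk_oracle


if __name__ == "__main__":
    ok, sae, psk = demo()
    print("SAE handshake keys match:", ok)
    print("SAE commit consistent with each guess:", sae)   # every guess: True (no oracle)
    print("PSK MIC verifies each guess:", psk)            # only the real passphrase: True
```

The SAE observer learns nothing because every candidate password explains the captured commit equally well; the only way to test a guess is to run the exchange against the access point, which is exactly the online-only property the section describes.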

2. WPA3 Vulnerabilities (Dragonblood)

Nothing is perfect. Researchers found side-channel attacks on WPA3.
Timing Attacks: Depending on how long the router takes to process the password-to-curve calculation, an attacker can infer information about the password.
Downgrade Attacks: Forcing devices on a WPA3 transition-mode network to fall back to WPA2.
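Both Dragonblood findings map to access-point settings a defender can check. The following is an added example (not from the page or from the hostapd project) that audits a `hostapd.conf` for the downgrade exposure of transition mode, for unenforced Protected Management Frames (PMF, which WPA3 requires), and for the hunting-and-pecking-only password derivation whose password-dependent loop is behind the timing leaks. It assumes the AP runs hostapd and uses its real configuration keys `wpa_key_mgmt`, `ieee80211w`, `sae_require_mfp` and `sae_pwe`; both sample configs are constructed.

```python
"""Audit a hostapd.conf for WPA3 downgrade exposure and PMF/PWE settings.
Added example: assumes hostapd; the two configs below are constructed samples."""

WEAK_CONF = """\
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=correct horse battery
rsn_pairwise=CCMP
ieee80211w=1
"""

HARDENED_CONF = """\
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=SAE
sae_password=correct horse battery
rsn_pairwise=CCMP
ieee80211w=2
sae_pwe=2
"""


def parse_hostapd(text: str) -> dict:
    """Flat key=value parser; skips blank lines and '#' comments like hostapd does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> list:
    """Return human-readable findings; an empty list means no issue from this checklist."""
    conf = parse_hostapd(text)
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    if "SAE" not in akms:
        findings.append("SAE not enabled: network is WPA2 only")
        return findings
    if "WPA-PSK" in akms:
        findings.append("transition mode (SAE + WPA-PSK): a client can be pushed onto the "
                        "WPA2 path, whose handshake is crackable offline")
    # ieee80211w: 0 = PMF disabled, 1 = optional, 2 = required. WPA3-Personal needs PMF;
    # in transition mode sae_require_mfp=1 at least forces it for the SAE clients.
    if conf.get("ieee80211w", "0") != "2" and conf.get("sae_require_mfp", "0") != "1":
        findings.append("PMF not enforced for SAE clients: set ieee80211w=2 "
                        "(or at least sae_require_mfp=1 in transition mode)")
    # sae_pwe: 0 = hunting-and-pecking only, 1 = hash-to-element only, 2 = both
    if conf.get("sae_pwe", "0") == "0":
        findings.append("sae_pwe=0: hunting-and-pecking only; hash-to-element (sae_pwe=1 or 2) "
                        "replaces the password-dependent loop behind the timing leaks")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(conf) or ["ok"])
```

Transition mode exists so that WPA2-only clients keep working; the audit does not forbid it, it makes the cost explicit so the decision to keep it is a conscious one.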

3. Evil Twins (Karma/Mana)

Tools like the WiFi Pineapple exploit the "Auto-Join" feature.
1. Your phone yells: "Is 'Starbucks WiFi' here?"
2. Pineapple yells: "Yes! I am Starbucks WiFi."
3. Phone connects. Attacker intercepts all traffic.
Defense: Connect only to trusted networks. Use a VPN.
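Both the deauthentication step of the WPA2 attack above and the evil twin in this section are visible on the air to anyone watching management frames, which is what a wireless IDS does. The following is an added example (not from the page or from any capture tool) with two detection rules run over a constructed stream of frame records: a sliding-window deauth/disassoc flood detector, and a rogue-AP rule that flags a managed SSID advertised from an unknown BSSID or with the wrong security type. The CSV format `ts,subtype,src,dst,ssid,security` is a simplification I invented for the example, not any real tool's output; a real deployment would feed it from a monitor-mode capture.

```python
"""Two detection rules over 802.11 management-frame records: deauth flood and rogue AP.
Added example; the records and the CSV format are constructed for illustration."""
import csv
from collections import defaultdict, deque
from io import StringIO

# Constructed capture: a managed WPA3 network, one burst of spoofed deauth frames, then
# an open evil twin and a spoofed beacon that downgrades the advertised security.
SAMPLE = """\
ts,subtype,src,dst,ssid,security
0.00,beacon,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,ExampleNet,WPA3-SAE
0.10,beacon,11:22:33:44:55:66,ff:ff:ff:ff:ff:ff,CoffeeShop,OPEN
0.50,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:07,,
1.00,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.10,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.20,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.30,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.40,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.50,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.60,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.70,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.80,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
1.90,deauth,aa:bb:cc:00:00:01,de:ad:be:ef:00:01,,
2.00,beacon,02:13:37:00:00:99,ff:ff:ff:ff:ff:ff,ExampleNet,OPEN
2.10,beacon,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,ExampleNet,WPA2-PSK
2.20,beacon,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,ExampleNet,WPA3-SAE
"""

# Defender's inventory: SSID -> {BSSID: expected security}. Constructed.
KNOWN_APS = {"ExampleNet": {"aa:bb:cc:00:00:01": "WPA3-SAE"}}


def parse_records(text: str) -> list:
    """Rows as dicts with numeric timestamps."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = float(r["ts"])
    return rows


def detect_deauth_flood(records, window_s=2.0, threshold=8) -> list:
    """Count deauth/disassoc frames per (src, dst) in a sliding window; alert once per pair
    when the count reaches `threshold`. A single deauth is normal; a burst is not."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for r in records:
        if r["subtype"] not in ("deauth", "disassoc"):
            continue
        key = (r["src"], r["dst"])
        q = recent[key]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"deauth flood: {len(q)} frames from {key[0]} to {key[1]} "
                          f"within {window_s}s (t={r['ts']})")
    return alerts


def detect_rogue_ap(records, known_aps) -> list:
    """Flag a beacon for a managed SSID from an unknown BSSID, or from a known BSSID that
    advertises a different security type than the inventory says."""
    alerts, seen = [], set()
    for r in records:
        if r["subtype"] != "beacon" or r["ssid"] not in known_aps:
            continue
        expected, bssid, sec = known_aps[r["ssid"]], r["src"], r["security"]
        if (r["ssid"], bssid, sec) in seen:
            continue  # report each distinct (SSID, BSSID, security) once
        seen.add((r["ssid"], bssid, sec))
        if bssid not in expected:
            alerts.append(f"rogue AP: unknown BSSID {bssid} advertising '{r['ssid']}' as {sec}")
        elif expected[bssid] != sec:
            alerts.append(f"security mismatch: {bssid} advertises '{r['ssid']}' as {sec}, "
                          f"expected {expected[bssid]}")
    return alerts


def run(text=SAMPLE, known=KNOWN_APS):
    records = parse_records(text)
    return detect_deauth_flood(records), detect_rogue_ap(records, known)


if __name__ == "__main__":
    for alert in sum(run(), []):
        print(alert)
```

With PMF (802.11w, mandatory in WPA3) a forged deauth is simply dropped by the client, so the flood rule is most valuable on WPA2 networks; the rogue-AP rule applies to every network, since beacons are never authenticated.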

4. Enterprise Wi-Fi (802.1X)

Corporations don't use a single "Pre-Shared Key" (PSK). They use RADIUS servers.
Each user logs in with their own Username/Password.
Attack: Set up a fake access point. When a user connects, capture their MS-CHAPv2 hash and crack it to obtain their domain password.
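The fake access point only works if the client talks to it, and a PEAP or EAP-TTLS supplicant that validates the RADIUS server's certificate will not. The following is an added example (not from the page or from the wpa_supplicant project) that audits `wpa_supplicant.conf` network blocks for that validation: a trusted CA (`ca_cert`/`ca_path`) plus a server-name match (`domain_suffix_match`, `domain_match` or `altsubject_match`), without which any server the trusted CA has ever issued a certificate to would be accepted. It assumes Linux clients using wpa_supplicant with those real keys; the two network blocks are constructed.

```python
"""Audit wpa_supplicant.conf network blocks for RADIUS server certificate validation.
Added example: assumes wpa_supplicant; both configs below are constructed samples."""
import re

WEAK_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
'''

HARDENED_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
'''

TUNNELED_EAP = {"PEAP", "TTLS"}          # methods that run an inner auth inside a TLS tunnel
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(text: str) -> list:
    """Return one dict per network={...} block; quotes around values are stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks


def audit_supplicant(text: str) -> list:
    """Findings for every WPA-EAP network using a tunneled method; empty list means OK."""
    findings = []
    for net in parse_networks(text):
        if "WPA-EAP" not in net.get("key_mgmt", "").split():
            continue
        if not TUNNELED_EAP & set(net.get("eap", "").split()):
            continue
        name = net.get("ssid", "?")
        unverified = False
        if "ca_cert" not in net and "ca_path" not in net:
            unverified = True
            findings.append(f"{name}: no ca_cert/ca_path: the server certificate is not verified at all")
        if not any(k in net for k in NAME_MATCH_KEYS):
            unverified = True
            findings.append(f"{name}: no server-name match: any certificate from the trusted CA is accepted")
        if unverified and "MSCHAPV2" in net.get("phase2", "").upper():
            findings.append(f"{name}: MS-CHAPv2 inside an unverified tunnel: the challenge/response "
                            "can be captured by a rogue AP and cracked offline")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_supplicant(conf) or ["ok"])
```

On managed Windows and macOS fleets the same two checks (pinned CA and expected server name) live in the wireless profile pushed by MDM or Group Policy rather than in a file, but the question the audit asks is identical.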