Introduction to Wi-Fi Security
Wi-Fi networks have become ubiquitous in modern life, but their convenience comes with significant security risks. Understanding Wi-Fi attacks is crucial for both defenders (to protect networks) and security professionals (to assess vulnerabilities). This comprehensive guide explores the various types of Wi-Fi attacks, how they work, and how to defend against them.
Key Concepts
- Wireless Networks: Radio frequency communication with inherent broadcast nature
- Authentication: Process of verifying device identity
- Encryption: Protecting data in transit
- Attack Surface: Multiple entry points (beacons, probes, associations)
- Defense in Depth: Layered security approach for wireless networks
1. Wi-Fi Security Fundamentals
Wi-Fi Standards and Security Protocols
def wifi_security_protocols():
    """Overview of Wi-Fi security protocols"""
    protocols = {
        "WEP (Wired Equivalent Privacy)": {
            "year": "1997",
            "status": "DEPRECATED - Completely broken",
            "vulnerabilities": [
                "Weak RC4 encryption",
                "Static keys",
                "IV reuse attacks",
                "Easy cracking with tools like aircrack-ng"
            ],
            "attack_time": "Seconds to minutes"
        },
        "WPA (Wi-Fi Protected Access)": {
            "year": "2003",
            "status": "DEPRECATED - Vulnerable",
            "vulnerabilities": [
                "TKIP encryption weaknesses",
                "MIC key recovery attacks",
                "Dictionary attacks on PSK",
                "WPA2 migration path"
            ],
            "attack_time": "Minutes to hours (with dictionary)"
        },
        "WPA2 (Wi-Fi Protected Access 2)": {
            "year": "2004",
            "status": "Widely used but with known issues",
            "vulnerabilities": [
                "KRACK (Key Reinstallation Attack)",
                "PMKID attack",
                "Dictionary attacks on PSK",
                "Evil twin attacks"
            ],
            "attack_time": "Hours to days (depending on password strength)"
        },
        "WPA3 (Wi-Fi Protected Access 3)": {
            "year": "2018",
            "status": "Current standard - Most secure",
            "features": [
                "Simultaneous Authentication of Equals (SAE)",
                "Forward secrecy",
                "Protected Management Frames (PMF)",
                "Individualized data encryption"
            ],
            "vulnerabilities": [
                "Dragonblood vulnerabilities (patched)",
                "Side-channel attacks (theoretical)",
                "Configuration weaknesses"
            ]
        }
    }
    print("Wi-Fi Security Protocols Evolution")
    print("=" * 70)
    for protocol, details in protocols.items():
        print(f"\n🔐 {protocol} ({details['year']})")
        print(f"   Status: {details['status']}")
        if 'vulnerabilities' in details:
            print(f"   Vulnerabilities: {details['vulnerabilities'][0]}")
            print(f"                    {details['vulnerabilities'][1]}")
        if 'features' in details:
            print(f"   Features: {details['features'][0]}")
            print(f"             {details['features'][1]}")
        if 'attack_time' in details:
            print(f"   Attack Time: {details['attack_time']}")

wifi_security_protocols()
Wi-Fi Attack Surface
def wifi_attack_surface():
    """Map the Wi-Fi attack surface"""
    print("Wi-Fi Attack Surface Analysis")
    print("=" * 70)
    attack_surface = {
        "Beacon Frames": {
            "description": "Broadcast network information",
            "attack_types": ["Evil twin", "Honeypot", "Deauthentication"],
            "information": ["SSID", "BSSID", "Supported rates", "Security parameters"]
        },
        "Probe Requests/Responses": {
            "description": "Device discovery messages",
            "attack_types": ["Device tracking", "Karma attack", "Probe sniffing"],
            "information": ["Device MAC", "Preferred networks", "Client capabilities"]
        },
        "Authentication": {
            "description": "Device authentication process",
            "attack_types": ["Dictionary attacks", "Brute force", "PSK cracking"],
            "information": ["Auth frames", "Handshake capture", "PMKID capture"]
        },
        "Association": {
            "description": "Connection establishment",
            "attack_types": ["Association flood", "Deauthentication"],
            "information": ["Client capabilities", "Connection parameters"]
        },
        "Data Frames": {
            "description": "Actual data transmission",
            "attack_types": ["Eavesdropping", "Packet injection", "Man-in-the-middle"],
            "information": ["Decrypted data (if cracked)", "Traffic analysis", "Session hijacking"]
        },
        "Management Frames": {
            "description": "Network management",
            "attack_types": ["Deauthentication", "Disassociation", "Channel switching"],
            "information": ["Client behavior", "Network topology"]
        }
    }
    for element, details in attack_surface.items():
        print(f"\n📡 {element}")
        print(f"   {details['description']}")
        print(f"   Attack Types: {', '.join(details['attack_types'][:2])}")
        if len(details['attack_types']) > 2:
            print("   + more")
        print(f"   Information Exposed: {', '.join(details['information'][:2])}")

wifi_attack_surface()
2. Passive Wi-Fi Attacks
Network Sniffing and Eavesdropping
Passive attacks involve listening to wireless traffic without actively interacting with the network.
def passive_attacks():
    """Explain passive Wi-Fi attacks"""
    print("Passive Wi-Fi Attacks")
    print("=" * 70)
    attacks = {
        "Network Sniffing": {
            "description": "Capturing wireless traffic for analysis",
            "tools": ["Wireshark", "tcpdump", "Airodump-ng", "Kismet"],
            "what_can_be_learned": [
                "SSIDs and BSSIDs of nearby networks",
                "Client MAC addresses (device tracking)",
                "Probed networks (preferred networks list)",
                "Traffic patterns and timing",
                "Unencrypted data",
                "Handshake captures (for offline cracking)"
            ],
            "defense": ["WPA3 encryption", "Disable SSID broadcast (limited)", "VPN usage"]
        },
        "Device Tracking": {
            "description": "Tracking devices by their MAC addresses",
            "tools": ["Kismet", "Custom scripts", "Commercial tracking systems"],
            "what_can_be_learned": [
                "Device presence and location",
                "Movement patterns",
                "Device types (manufacturer from OUI)",
                "Behavior patterns (when device is active)"
            ],
            "defense": ["MAC randomization", "Disable Wi-Fi when not in use"]
        },
        "Traffic Analysis": {
            "description": "Analyzing patterns without decryption",
            "tools": ["Wireshark", "Custom analysis tools"],
            "what_can_be_learned": [
                "Who is communicating with whom",
                "Communication timing and frequency",
                "Packet sizes (reveals file types)",
                "Encrypted data patterns"
            ],
            "defense": ["VPN with constant padding", "Traffic obfuscation"]
        },
        "PMKID Capture": {
            "description": "Capturing PMKID for offline cracking (WPA2)",
            "tools": ["hcxdumptool", "aircrack-ng"],
            "what_can_be_learned": [
                "PMKID (can crack PSK without full handshake)",
                "Network capabilities"
            ],
            "defense": ["WPA3", "Strong passwords"]
        }
    }
    for attack, details in attacks.items():
        print(f"\n👁️ {attack}")
        print(f"   {details['description']}")
        print(f"   Tools: {', '.join(details['tools'][:2])}")
        print(f"   Information: {details['what_can_be_learned'][0]}")
        print(f"                {details['what_can_be_learned'][1]}")
        # Join the list so the defenses print as text rather than as a Python list repr
        print(f"   Defense: {', '.join(details['defense'])}")

passive_attacks()
Wardriving
def wardriving():
    """Explain wardriving techniques"""
    print("Wardriving: Mapping Wi-Fi Networks")
    print("=" * 70)
    print("""
    🚗 WARDRIVING - The practice of mapping Wi-Fi networks while moving
    TECHNIQUES:
    ├── Walking: Warwalking (pedestrian mapping)
    ├── Driving: Traditional wardriving
    ├── Flying: Wardroning (drone-based mapping)
    ├── Biking: Warbiking
    └── Boating: Warboating (water-based mapping)
    INFORMATION COLLECTED:
    ├── GPS coordinates
    ├── SSID names
    ├── BSSID (MAC address)
    ├── Channel and frequency
    ├── Security protocol (WEP/WPA/WPA2/WPA3)
    ├── Signal strength
    ├── Connected clients (if any)
    └── Captured handshakes (if enabled)
    TOOLS:
    ├── Kismet - Advanced wireless detector
    ├── Wigle.net - Database of Wi-Fi networks
    ├── GPS receiver for location
    ├── Laptop/phone with Wi-Fi adapter
    └── External antenna for extended range
    LEGAL CONSIDERATIONS:
    ├── Collecting network information may be legal in many jurisdictions
    ├── Capturing data (handshakes) may violate laws
    ├── Attempting to crack or access networks is illegal
    ├── Private property considerations
    └── Always check local laws
    """)
    print("\n" + "=" * 70)
    print("Defensive Wardriving Countermeasures:")
    measures = [
        "Disable SSID broadcast (not foolproof)",
        "Use directional antennas to control coverage",
        "Implement MAC address filtering (limited protection)",
        "Monitor for suspicious probe requests",
        "Use WPA3 with strong passwords",
        "Regularly audit your network's visibility"
    ]
    for measure in measures:
        print(f"   ✓ {measure}")

wardriving()
3. Active Wi-Fi Attacks
Deauthentication Attacks
Deauthentication attacks forcibly disconnect clients from access points.
def deauth_attack():
    """Explain deauthentication attacks"""
    print("Deauthentication (Deauth) Attacks")
    print("=" * 70)
    print("""
    🔌 DEAUTHENTICATION ATTACK MECHANISM:
    1. ATTACKER sends deauth frames to target (client or AP)
    2. Frame appears to come from legitimate AP
    3. Target disconnects from network
    4. Client may attempt to reconnect (reveals handshake)
    5. Attacker captures handshake for offline cracking
    COMMAND EXAMPLE (aircrack-ng suite):
    # Scan for networks
    sudo airmon-ng start wlan0
    sudo airodump-ng wlan0mon
    # Deauth specific client
    sudo aireplay-ng -0 5 -a [AP_BSSID] -c [CLIENT_MAC] wlan0mon
    Options:
    -0 : Deauth attack
    -a : Access point BSSID
    -c : Client MAC address
    5  : Number of deauth packets (0 = continuous)
    ATTACK VARIANTS:
    ├── Broadcast deauth: Disconnects all clients
    ├── Targeted deauth: Specific client
    ├── Spoofed AP deauth: Appears from AP
    ├── Client deauth: Appears from client
    └── Airgeddon tools: Automated deauth attacks
    USE CASES:
    ├── Capturing WPA handshake for cracking
    ├── Testing network resilience
    ├── Forcing re-authentication
    ├── Denial of Service (DoS)
    └── Evil twin setup (disconnect, connect to rogue AP)
    """)
    print("\n" + "=" * 70)
    print("Deauth Attack Defenses:")
    defenses = [
        "WPA3 with Protected Management Frames (PMF)",
        "802.11w (Management Frame Protection)",
        "Monitor for excessive deauth frames",
        "Use wired connections for critical systems",
        "Implement WIDS (Wireless Intrusion Detection System)"
    ]
    for defense in defenses:
        print(f"   ✓ {defense}")

deauth_attack()
Evil Twin Attack
Evil twin attacks create a rogue access point mimicking a legitimate network.
def evil_twin_attack():
    """Explain evil twin attack"""
    print("Evil Twin Attack")
    print("=" * 70)
    print("""
    🎭 EVIL TWIN ATTACK FLOW:
    STEP 1: SCAN
    ├── Identify target network (Starbucks_WiFi)
    ├── Record SSID, BSSID, channel, security type
    └── Note client devices
    STEP 2: SETUP ROGUE AP
    ├── Create identical SSID
    ├── Use same or better signal strength
    ├── Configure authentication to capture credentials
    └── May use tool like airbase-ng, hostapd, or commercial AP
    STEP 3: DISCONNECT LEGITIMATE CLIENTS
    ├── Send deauth packets to force disconnection
    ├── Clients automatically try to reconnect
    └── Rogue AP may have stronger signal
    STEP 4: CAPTURE CREDENTIALS
    ├── Clients connect to rogue AP
    ├── Capture handshake (if WPA/WPA2)
    ├── May serve captive portal for additional credentials
    └── Monitor all traffic
    STEP 5: FORWARD TRAFFIC (Optional)
    ├── Bridge to legitimate internet
    ├── Man-in-the-middle attack
    ├── Inject malicious content
    └── Collect sensitive data
    TOOLS:
    ├── airbase-ng - Create rogue AP
    ├── hostapd - Access point software
    ├── dnsmasq - DHCP server
    ├── Wireshark - Traffic capture
    └── Social engineering toolkit - Captive portals
    """)
    print("\n" + "=" * 70)
    print("Evil Twin Defenses:")
    defenses = [
        "Use WPA3-Enterprise with certificate validation",
        "Verify AP certificates before connecting",
        "Use VPN for all sensitive traffic",
        "Implement 802.1X with RADIUS authentication",
        "Deploy wireless intrusion detection (WIDS)",
        "Monitor for duplicate APs with same SSID",
        "Educate users on verifying network authenticity"
    ]
    for defense in defenses:
        print(f"   ✓ {defense}")

evil_twin_attack()
KRACK Attack (Key Reinstallation Attack)
def krack_attack():
    """Explain KRACK vulnerability"""
    print("KRACK - Key Reinstallation Attack")
    print("=" * 70)
    print("""
    🔑 KRACK (Key Reinstallation Attack) - WPA2 Vulnerability (2017)
    VULNERABILITY OVERVIEW:
    ├── Affects WPA2 protocol implementation
    ├── Attacker forces reuse (reinstallation) of encryption keys
    ├── Allows decryption of traffic
    ├── Can inject packets into connections
    └── Does NOT recover PSK, but breaks encryption
    ATTACK MECHANISM:
    1. CLIENT connects to legitimate AP (normal 4-way handshake)
    2. AP and client establish encryption keys
    3. AP sends message 3 of 4-way handshake
    4. Client receives message 3, installs key
    5. AP may resend message 3 (due to packet loss)
    6. Client re-installs same key, resets nonce counter
    7. Attacker can replay packets, decrypt traffic
    ATTACK VARIANTS:
    ├── Client-only attack (target client)
    ├── AP-only attack (requires AP implementation flaw)
    ├── Against TKIP, AES-CCMP, GCMP
    └── Against 4-way handshake, group key handshake
    IMPACT:
    ├── Decrypt WPA2 encrypted traffic
    ├── Replay packets
    ├── TCP connection hijacking
    ├── HTTP content injection
    └── Does NOT reveal PSK (passphrase)
    MITIGATION:
    ├── Patch clients and APs (patches available since 2017)
    ├── Update to WPA3
    ├── Use VPN for sensitive traffic
    ├── Implement 802.1X with RADIUS
    └── Certificate-based authentication
    """)
    print("\n" + "=" * 70)
    print("Post-KRACK Recommendations:")
    recommendations = [
        "Apply all security patches",
        "Upgrade to WPA3-capable hardware",
        "Use VPN for all sensitive connections",
        "Implement certificate-based 802.1X",
        "Regular vulnerability scanning"
    ]
    for rec in recommendations:
        print(f"   ✓ {rec}")

krack_attack()
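To make step 6 of the mechanism (key reinstalled, nonce counter reset) concrete, here is an added simulation that is not code from the original guide: a client that reinstalls the pairwise key on a replayed message 3, beside the patched behaviour that refuses the reinstall. The cipher is a stand-in, an HMAC-SHA256 keystream indexed by (key, packet number) playing the role of CCMP's nonce-driven AES-CTR keystream; `Station`, `keystream_reuse_leaks` and the sample plaintexts are this example's own assumptions.

```python
import hashlib
import hmac


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy nonce-driven keystream (stand-in for AES-CTR inside CCMP).

    Deterministic in (key, pn): the same pair always yields the same bytes,
    which is exactly the property KRACK abuses once the PN is reset.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, pn.to_bytes(6, "big") + block.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client-side state: installed pairwise key (PTK) and transmit packet number."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def handle_msg3(self, ptk: bytes) -> str:
        """Process message 3 of the 4-way handshake, which an attacker may replay."""
        if self.patched and self.ptk == ptk:
            # Fix: never reinstall a key that is already in use, so the packet
            # number keeps counting and no (key, nonce) pair is ever repeated.
            return "retransmission ignored"
        self.ptk = ptk
        self.pn = 0  # Vulnerable behaviour: installing resets the nonce counter
        return "key installed"

    def encrypt(self, plaintext: bytes) -> tuple:
        """Encrypt one data frame; returns (pn, ciphertext)."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def keystream_reuse_leaks(patched: bool) -> bool:
    """True when an eavesdropper can recover p1 XOR p2 from two captured frames.

    Two frames encrypted under the same (key, pn) share a keystream, so
    c1 XOR c2 == p1 XOR p2: the two-time-pad failure that lets KRACK decrypt
    traffic without ever learning the PSK.
    """
    ptk = hashlib.sha256(b"constructed-ptk-for-demo").digest()  # constructed key
    sta = Station(patched)
    sta.handle_msg3(ptk)                      # legitimate first delivery
    p1 = b"GET /account HTTP/1.1"            # constructed sample plaintexts
    p2 = b"Cookie: session=7e3a1"
    pn1, c1 = sta.encrypt(p1)
    sta.handle_msg3(ptk)                      # replayed message 3 (the attack)
    pn2, c2 = sta.encrypt(p2)
    return pn1 == pn2 and xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    for patched in (False, True):
        print(f"patched={patched}: keystream reuse leaks plaintext XOR -> "
              f"{keystream_reuse_leaks(patched)}")
```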
4. Cracking Wi-Fi Passwords
WPA/WPA2 Password Cracking
def wpa_cracking():
    """Explain WPA/WPA2 password cracking"""
    print("WPA/WPA2 Password Cracking")
    print("=" * 70)
    print("""
    🔓 CRACKING WPA/WPA2 PSK (Pre-Shared Key)
    PREREQUISITES:
    ├── Capture 4-way handshake OR PMKID
    ├── Wordlist/dictionary of possible passwords
    ├── Computing power (GPU acceleration recommended)
    └── Patience (depends on password strength)
    STEP 1: CAPTURE HANDSHAKE
    # Put card in monitor mode
    sudo airmon-ng start wlan0
    # Capture handshake
    sudo airodump-ng -c [channel] --bssid [AP_BSSID] -w capture wlan0mon
    # Force handshake with deauth
    sudo aireplay-ng -0 1 -a [AP_BSSID] wlan0mon
    STEP 2: CRACK WITH AIRCRACK-NG
    sudo aircrack-ng -w wordlist.txt -b [AP_BSSID] capture-01.cap
    STEP 3: GPU ACCELERATION (hashcat)
    # Convert .cap to .hccapx
    cap2hccapx capture-01.cap capture.hccapx
    # Crack with hashcat
    hashcat -m 2500 capture.hccapx wordlist.txt
    # Use rules for mutation
    hashcat -m 2500 capture.hccapx wordlist.txt -r best64.rule
    TOOLS:
    ├── aircrack-ng - Traditional cracking tool
    ├── hashcat - GPU-accelerated cracking
    ├── John the Ripper - Password cracking
    ├── cowpatty - WPA-PSK cracking
    └── pyrit - Multi-core CPU cracking
    WORDLIST SOURCES:
    ├── RockYou.txt (common passwords)
    ├── SecLists (comprehensive wordlists)
    ├── CrackStation (large wordlist)
    ├── Custom wordlists (target-specific)
    └── Generated with crunch or maskprocessor
    """)
    print("\n" + "=" * 70)
    print("Password Strength Recommendations:")
    print("""
    ✓ Use at least 12-15 characters
    ✓ Include uppercase, lowercase, numbers, symbols
    ✓ Avoid dictionary words
    ✓ Use passphrases: Correct-Horse-Battery-Staple
    ✓ Change default router passwords
    ✓ Use WPA3 when available
    """)

wpa_cracking()
PMKID Attack
def pmkid_attack():
    """Explain PMKID attack"""
    print("PMKID Attack - WPA2 Cracking Without Handshake")
    print("=" * 70)
    print("""
    🔑 PMKID (Pairwise Master Key Identifier) Attack
    DISCOVERY (2018):
    ├── Alternative to capturing full 4-way handshake
    ├── Exploits RSN (Robust Security Network) IE
    ├── AP leaks PMKID in initial beacon/association
    └── Requires AP with roaming enabled (most)
    ADVANTAGES:
    ├── No client needed (AP broadcasts PMKID)
    ├── No deauth required (passive)
    ├── Single frame capture
    └── Faster cracking (no handshake verification)
    STEP 1: CAPTURE PMKID
    # Install hcxtools
    sudo apt install hcxtools
    # Capture PMKID
    sudo hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1
    # Convert to hashcat format
    hcxpcapngtool -o hash.hccapx -E essidlist capture.pcapng
    STEP 2: CRACK WITH HASHCAT
    # PMKID hash format: hashcat -m 16800
    hashcat -m 16800 hash.hccapx wordlist.txt
    STEP 3: VERIFY WITH AIRCRACK
    aircrack-ng -w wordlist.txt -b [AP_BSSID] capture.pcapng
    TOOLS:
    ├── hcxdumptool / hcxpcapngtool - Capture PMKID
    ├── hashcat - Cracking (mode 16800)
    ├── aircrack-ng - Verification
    └── hcxpcaptool - Conversion tools
    MITIGATION:
    ├── Upgrade to WPA3 (not vulnerable)
    ├── Disable roaming if not needed
    ├── Use extremely strong PSK
    ├── Implement WPA2-Enterprise
    └── Regular firmware updates
    """)
    print("\n" + "=" * 70)
    print("WPA3 SAE (Simultaneous Authentication of Equals):")
    print("• Uses Dragonfly handshake (not vulnerable to PMKID)")
    print("• Implements forward secrecy")
    print("• Resistant to offline dictionary attacks")
    print("• Requires WPA3-capable hardware")

pmkid_attack()
5. Wi-Fi Jamming and DoS
RF Jamming
def rf_jamming():
    """Explain RF jamming attacks"""
    print("RF Jamming - Physical Layer Denial of Service")
    print("=" * 70)
    print("""
    📡 RADIO FREQUENCY JAMMING
    TYPES OF JAMMING:
    1. CONSTANT JAMMING
    ├── Continuous noise on Wi-Fi channels
    ├── Prevents any communication
    ├── Easy to detect
    └── Simple to implement
    2. DECEPTIVE JAMMING
    ├── Sends legitimate-looking but malformed frames
    ├── Wastes AP resources
    ├── Harder to detect
    └── Selective target
    3. REACTIVE JAMMING
    ├── Only jams when activity detected
    ├── More power-efficient
    ├── Harder to detect
    └── Selective interference
    4. SELECTIVE JAMMING
    ├── Targets specific protocols (beacons, ACKs)
    ├── Disrupts specific functions
    ├── Difficult to diagnose
    └── Used in targeted attacks
    HARDWARE:
    ├── HackRF One - Software-defined radio
    ├── USRP - Universal Software Radio Peripheral
    ├── ESP8266/ESP32 - Low-cost jammers
    ├── Wi-Fi adapters with packet injection
    └── Commercial jammers (illegal in many countries)
    SOFTWARE:
    ├── mdk4 - Multi-purpose Wi-Fi tool
    ├── airgeddon - All-in-one toolkit
    ├── wifijammer - Python-based jammer
    └── Custom SDR scripts
    """)
    print("\n" + "=" * 70)
    print("Jamming Detection and Defense:")
    defenses = [
        "Monitor for unusual noise levels",
        "Implement channel hopping",
        "Use WIDS to detect jamming patterns",
        "Have backup wired connections",
        "Report jamming to authorities (operating a jammer is illegal in most countries)",
        "Use directional antennas to focus coverage",
        "Decrease power to reduce attack surface"
    ]
    for defense in defenses:
        print(f"   ✓ {defense}")

rf_jamming()
Beacon Flood and Association Flood
def flood_attacks():
    """Explain beacon and association flood attacks"""
    print("Wi-Fi Flood Attacks")
    print("=" * 70)
    attacks = {
        "Beacon Flood": {
            "description": "Overwhelming clients with fake AP beacons",
            "impact": [
                "Client confusion",
                "Device battery drain",
                "Network list pollution",
                "Potential DoS"
            ],
            "tool": "mdk4 beacon flood",
            "command": "sudo mdk4 wlan0mon b -f beacon_list -c"
        },
        "Association Flood": {
            "description": "Exhausting AP association table",
            "impact": [
                "AP denies legitimate connections",
                "Resource exhaustion",
                "Denial of service"
            ],
            "tool": "mdk4 a",
            "command": "sudo mdk4 wlan0mon a -a [AP_BSSID] -m"
        },
        "Authentication Flood": {
            "description": "Overwhelming AP with auth requests",
            "impact": [
                "AP authentication buffer exhaustion",
                "DoS for legitimate clients",
                "AP reset/crash potential"
            ],
            "tool": "mdk4 m",
            "command": "sudo mdk4 wlan0mon m -t [AP_BSSID]"
        },
        "Deauthentication Flood": {
            "description": "Continuous deauth to all clients",
            "impact": [
                "All clients disconnected",
                "Network unusable",
                "Constant reconnection attempts"
            ],
            "tool": "aireplay-ng / mdk4",
            "command": "sudo mdk4 wlan0mon d -c [channel]"
        }
    }
    for attack, details in attacks.items():
        print(f"\n💥 {attack}")
        print(f"   {details['description']}")
        print(f"   Impact: {details['impact'][0]}")
        print(f"           {details['impact'][1]}")
        print(f"   Tool: {details['tool']}")
        print(f"   Example: {details['command']}")

flood_attacks()
6. Enterprise Wi-Fi Attacks
WPA2-Enterprise Vulnerabilities
def enterprise_attacks():
    """Explain attacks against enterprise Wi-Fi"""
    print("Enterprise Wi-Fi Attacks (WPA2-Enterprise / 802.1X)")
    print("=" * 70)
    print("""
    🏢 ENTERPRISE WI-FI ARCHITECTURE:
    Components:
    ├── RADIUS Server (Authentication)
    ├── Access Points (Network access)
    ├── Supplicants (Client devices)
    └── Authentication Server (Active Directory/LDAP)
    COMMON ATTACKS:
    1. EVIL TWIN WITH RADIUS RELAY
    ├── Setup rogue AP with same SSID
    ├── Relay authentication to legitimate RADIUS
    ├── Capture credentials in transit
    └── Tools: hostapd-wpe, EAPhammer
    2. PEAP MSCHAPv2 CRACKING
    ├── Capture PEAP handshake
    ├── Extract MSCHAPv2 challenge/response
    ├── Crack with asleap or hashcat
    └── Requires weak password or dictionary
    3. CERTIFICATE SPOOFING
    ├── Present rogue certificate
    ├── If client doesn't validate, accept
    ├── Man-in-the-middle decryption
    └── Requires misconfigured clients
    4. EAP-GTC (Generic Token Card) ATTACK
    ├── Captures username/password in clear
    ├── No encryption of credentials
    └── Should use TLS tunnel
    5. LEAP (Lightweight Extensible Authentication Protocol)
    ├── Cisco proprietary, deprecated
    ├── Known vulnerabilities
    └── asleap tool can crack quickly
    """)
    print("\n" + "=" * 70)
    print("Enterprise Defenses:")
    defenses = [
        "Use EAP-TLS with mutual certificate authentication",
        "Validate server certificates on clients",
        "Implement certificate revocation checking",
        "Use strong authentication protocols (PEAPv0/EAP-MSCHAPv2 with TLS)",
        "Regular RADIUS server auditing",
        "Implement client certificate renewal process",
        "Monitor for rogue APs",
        "Use 802.11w (Management Frame Protection)"
    ]
    for defense in defenses:
        print(f"   ✓ {defense}")

enterprise_attacks()
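The client-side misconfigurations that make certificate spoofing and MSCHAPv2 capture possible, as an added example that is not the guide's own code: a small auditor for wpa_supplicant `network={...}` blocks. The configuration text is constructed for the example; the keys it inspects (`ca_cert`, `domain_match`, `domain_suffix_match`, `altsubject_match`, `phase2`, `pairwise`, `ieee80211w`) are real wpa_supplicant options, and the finding texts are this example's own wording.

```python
import re

# Constructed wpa_supplicant.conf: a weak PEAP block, a hardened block for the
# same SSID, and a home PSK block that still allows TKIP.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
    ieee80211w=2
}

network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
    pairwise=TKIP
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
NAME_PINS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(conf: str) -> list:
    """Return one dict per network={...} block, with quotes stripped from values."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)   # phase2="auth=MSCHAPV2" keeps its inner '='
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net: dict) -> list:
    """Findings for one block; an empty list means nothing was flagged."""
    findings = []
    if net.get("key_mgmt", "").startswith("WPA-EAP"):
        if "ca_cert" not in net:
            findings.append("no ca_cert: any RADIUS server certificate is accepted "
                            "(evil twin / certificate spoofing)")
        if not any(k in net for k in NAME_PINS):
            findings.append("no server-name match: any certificate from the trusted CA "
                            "is accepted, not only the real RADIUS server's")
        if "MSCHAPV2" in net.get("phase2", "").upper() and "ca_cert" not in net:
            findings.append("MSCHAPv2 inner auth without a validated TLS tunnel: "
                            "challenge/response exposed to offline cracking")
    if "TKIP" in net.get("pairwise", "").upper():
        findings.append("pairwise=TKIP: deprecated cipher allowed")
    if net.get("ieee80211w") != "2":
        # PMF may also be required globally with pmf=2; this audit only sees the block.
        findings.append("ieee80211w != 2: Protected Management Frames not required, "
                        "so forged deauth frames are still honoured")
    return findings


def audit_conf(conf: str) -> dict:
    """Map '<index>:<ssid>' to the findings of each block."""
    return {f"{i}:{net.get('ssid', '?')}": audit_network(net)
            for i, net in enumerate(parse_networks(conf))}


if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_CONF).items():
        print(name, "->", findings or ["OK"])
```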
7. Wi-Fi Attack Tools
Popular Tool Overview
def attack_tools():
    """Overview of Wi-Fi attack tools"""
    print("Wi-Fi Attack Tools Overview")
    print("=" * 70)
    tools = {
        "aircrack-ng Suite": {
            "purpose": "Complete Wi-Fi security assessment",
            "tools": [
                "airmon-ng: Enable monitor mode",
                "airodump-ng: Packet capture",
                "aireplay-ng: Packet injection",
                "aircrack-ng: Password cracking",
                "airdecap-ng: Decrypt captures",
                "airbase-ng: Rogue AP"
            ],
            "use_cases": ["Handshake capture", "Deauth attacks", "WEP cracking", "WPA cracking"]
        },
        "Kismet": {
            "purpose": "Wireless network detector",
            "features": [
                "Passive network discovery",
                "Client tracking",
                "GPS integration",
                "Packet capture",
                "Device fingerprinting"
            ],
            "use_cases": ["Wardriving", "Network mapping", "Spectrum analysis"]
        },
        "Reaver": {
            "purpose": "WPS PIN brute-force",
            "features": [
                "WPS PIN attacks",
                "Pixie dust attack",
                "WPA handshake capture"
            ],
            "use_cases": ["WPS vulnerability testing"]
        },
        "mdk4": {
            "purpose": "Multi-purpose Wi-Fi attack tool",
            "features": [
                "Beacon flood",
                "Deauth flood",
                "Association flood",
                "Auth flood",
                "WIDS testing"
            ],
            "use_cases": ["DoS testing", "WIDS evasion", "Stress testing"]
        },
        "Wifite": {
            "purpose": "Automated Wi-Fi attack tool",
            "features": [
                "Auto-detect networks",
                "Handshake capture",
                "PMKID capture",
                "WPS attacks",
                "Password cracking"
            ],
            "use_cases": ["Automated penetration testing"]
        }
    }
    for tool, details in tools.items():
        print(f"\n🔧 {tool}")
        print(f"   Purpose: {details['purpose']}")
        if 'tools' in details:
            print(f"   Components: {details['tools'][0]}")
            print(f"               {details['tools'][1]}")
        if 'features' in details:
            print(f"   Features: {details['features'][0]}")
            print(f"             {details['features'][1]}")
        print(f"   Use Cases: {', '.join(details['use_cases'][:2])}")

attack_tools()
8. Wi-Fi Defense Strategies
Detection and Monitoring
def detection_strategies():
    """Explain Wi-Fi attack detection strategies"""
    print("Wi-Fi Attack Detection Strategies")
    print("=" * 70)
    print("""
    📊 WIDS (Wireless Intrusion Detection System)
    DETECTION METHODS:
    1. SIGNATURE-BASED DETECTION
    ├── Known attack patterns
    ├── Deauth frame flooding
    ├── Probe request flooding
    ├── Association flooding
    └── Beacon flooding
    2. ANOMALY-BASED DETECTION
    ├── Baseline normal behavior
    ├── Unusual frame types
    ├── Abnormal packet rates
    ├── New MAC addresses
    └── Channel switching patterns
    3. SPECTRUM ANALYSIS
    ├── RF noise monitoring
    ├── Jammer detection
    ├── Interference identification
    └── Channel utilization
    4. ROGUE AP DETECTION
    ├── MAC address validation
    ├── SSID duplication monitoring
    ├── Signal strength anomalies
    ├── Channel overlap detection
    └── Client connection patterns
    DEPLOYMENT OPTIONS:
    ├── Overlay WIDS (dedicated sensors)
    ├── Integrated WIDS (AP-based)
    ├── Cloud-based WIDS
    └── Hybrid approach
    """)
    print("\n" + "=" * 70)
    print("Commercial WIDS Solutions:")
    solutions = [
        "Cisco DNA Center / ISE",
        "Aruba AirWave / Aruba Central",
        "Fortinet FortiWiFi",
        "Extreme Networks",
        "Open-source: Kismet, Snort for Wi-Fi"
    ]
    for solution in solutions:
        print(f"   • {solution}")

detection_strategies()
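The signature rule for deauth flooding and the rogue-AP checks (SSID duplication, security mismatch) above, as an added example that is not part of the original guide; it also covers the "monitor for excessive deauth frames" and "monitor for duplicate APs with same SSID" defenses in the deauth and evil twin sections. The two detectors run over constructed frame records (timestamp, frame type, BSSID, SSID, security); the record format, the thresholds and the `INVENTORY` of authorised APs are assumptions of this example.

```python
from collections import defaultdict

LEGIT = "00:11:22:33:44:01"   # constructed: the authorised CorpWiFi AP
ROGUE = "de:ad:be:ef:00:01"   # constructed: an unknown AP copying the SSID

# Authorised BSSIDs per SSID and the security the SSID must advertise.
INVENTORY = {"CorpWiFi": {"bssids": {LEGIT}, "security": "WPA3-SAE"}}

# Ordering used to spot downgrades (a rogue AP commonly offers a weaker mode).
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-PSK": 3,
                 "WPA2-EAP": 4, "WPA3-SAE": 5, "WPA3-EAP": 5}


def build_sample_frames() -> list:
    """Constructed capture: benign background, a deauth burst and a rogue beacon."""
    frames = []
    for i in range(3):   # benign: one deauth every 10 s as clients roam away
        frames.append({"t": 10.0 * i, "type": "deauth", "bssid": LEGIT})
    for i in range(40):  # flood: 40 spoofed deauths in 0.4 s, sender set to LEGIT
        frames.append({"t": 5.0 + 0.01 * i, "type": "deauth", "bssid": LEGIT})
    for i in range(2):   # beacons: genuine AP, evil twin of our SSID, a neighbour
        frames += [
            {"t": 1.0 + i, "type": "beacon", "bssid": LEGIT,
             "ssid": "CorpWiFi", "security": "WPA3-SAE"},
            {"t": 1.2 + i, "type": "beacon", "bssid": ROGUE,
             "ssid": "CorpWiFi", "security": "OPEN"},
            {"t": 1.4 + i, "type": "beacon", "bssid": "aa:aa:aa:aa:aa:aa",
             "ssid": "CoffeeShop", "security": "OPEN"},
        ]
    return frames


def detect_deauth_flood(frames: list, window: float = 1.0, threshold: int = 10) -> list:
    """Signature rule: >= threshold deauth/disassoc frames per BSSID within `window` s.

    The sender address is spoofed in a real flood, so the rule keys on rate per
    claimed BSSID rather than trusting the address; one alert per BSSID.
    """
    per_bssid = defaultdict(list)
    for f in frames:
        if f["type"] in ("deauth", "disassoc"):
            per_bssid[f["bssid"]].append(f["t"])
    alerts = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"bssid": bssid, "count": end - start + 1,
                               "t": times[start], "rule": "deauth flood"})
                break
    return alerts


def detect_rogue_aps(frames: list, inventory: dict) -> list:
    """Flag beacons using one of our SSIDs from an unknown BSSID or with weaker security."""
    alerts, seen = [], set()
    for f in frames:
        if f["type"] != "beacon" or (f["bssid"], f["ssid"]) in seen:
            continue
        seen.add((f["bssid"], f["ssid"]))
        expected = inventory.get(f["ssid"])
        if expected is None:                   # a neighbour's network, not ours
            continue
        if f["bssid"] not in expected["bssids"]:
            alerts.append({"bssid": f["bssid"], "ssid": f["ssid"],
                           "rule": "unknown BSSID advertising our SSID (possible evil twin)"})
        if SECURITY_RANK[f["security"]] < SECURITY_RANK[expected["security"]]:
            alerts.append({"bssid": f["bssid"], "ssid": f["ssid"],
                           "rule": f"security downgrade: {f['security']} "
                                   f"instead of {expected['security']}"})
    return alerts


if __name__ == "__main__":
    capture = build_sample_frames()
    for alert in detect_deauth_flood(capture) + detect_rogue_aps(capture, INVENTORY):
        print(alert)
```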
Prevention Best Practices
def prevention_best_practices():
    """Wi-Fi security best practices"""
    print("Wi-Fi Security Best Practices")
    print("=" * 70)
    print("""
    🔒 COMPREHENSIVE WI-FI SECURITY CHECKLIST
    NETWORK CONFIGURATION:
    ├── Use WPA3 (or WPA2 if WPA3 unavailable)
    ├── Disable WPS (Wi-Fi Protected Setup)
    ├── Disable WEP and TKIP
    ├── Use strong PSK (15+ chars, complex)
    ├── Change default SSID and admin credentials
    ├── Disable remote management
    ├── Enable Protected Management Frames (PMF)
    └── Regularly update firmware
    ENTERPRISE ENHANCEMENTS:
    ├── Implement 802.1X with EAP-TLS
    ├── Use client certificates
    ├── Validate RADIUS server certificates
    ├── Implement MAC address filtering (as additional layer)
    ├── Use VLAN segmentation
    ├── Deploy guest network isolation
    └── Implement client isolation on guest networks
    MONITORING:
    ├── Deploy WIDS (Wireless Intrusion Detection)
    ├── Monitor for rogue APs
    ├── Log authentication attempts
    ├── Analyze traffic patterns
    ├── Set up alerts for anomalies
    └── Regular penetration testing
    USER EDUCATION:
    ├── Train users to identify rogue networks
    ├── Encourage VPN usage
    ├── Disable auto-connect to open networks
    ├── Verify network names before connecting
    ├── Report suspicious activity
    └── Use password managers for complex credentials
    TECHNICAL CONTROLS:
    ├── Use VPN for sensitive data
    ├── Implement DNS filtering
    ├── Deploy endpoint protection
    ├── Regular vulnerability scanning
    ├── Network segmentation
    └── Zero Trust Network Access (ZTNA)
    """)
    print("\n" + "=" * 70)
    print("Secure Configuration Checklist:")
    checklist = [
        "[ ] WPA3 or WPA2-AES only (no TKIP)",
        "[ ] WPS disabled",
        "[ ] Default credentials changed",
        "[ ] Firmware updated",
        "[ ] Management interfaces restricted",
        "[ ] Guest network isolated",
        "[ ] Protected Management Frames enabled",
        "[ ] Rogue AP detection active",
        "[ ] VPN for remote access",
        "[ ] Regular security audits"
    ]
    for item in checklist:
        print(item)

prevention_best_practices()
9. Wi-Fi Security Assessment
Penetration Testing Methodology
def pentesting_methodology():
    """Explain Wi-Fi penetration testing methodology"""
    print("Wi-Fi Penetration Testing Methodology")
    print("=" * 70)
    print("""
    📋 STRUCTURED WI-FI PENTEST APPROACH:
    PHASE 1: RECONNAISSANCE
    ├── Passive scanning (Kismet, airodump)
    ├── Identify networks and channels
    ├── Document client devices
    ├── Map physical coverage
    ├── Identify security protocols
    └── Capture initial traffic
    PHASE 2: VULNERABILITY ANALYSIS
    ├── Check for WPS enabled
    ├── Test for PMKID vulnerability
    ├── Verify management frame protection
    ├── Check for WEP/WPA-TKIP usage
    ├── Test deauth vulnerability
    └── Assess signal strength and coverage
    PHASE 3: ACTIVE TESTING
    ├── Attempt handshake capture
    ├── Test deauth attacks
    ├── Attempt PMKID capture
    ├── WPS brute force testing
    ├── Evil twin deployment
    ├── Enterprise EAP testing
    └── Check for rogue APs
    PHASE 4: CREDENTIAL CRACKING
    ├── Dictionary attacks
    ├── Rule-based attacks
    ├── GPU acceleration
    ├── Rainbow tables (if applicable)
    └── Analyze password strength
    PHASE 5: POST-EXPLOITATION
    ├── Network access verification
    ├── Lateral movement testing
    ├── Data exfiltration simulation
    ├── Man-in-the-middle attacks
    └── Impact assessment
    PHASE 6: REPORTING
    ├── Document all findings
    ├── Risk rating per finding
    ├── Remediation recommendations
    ├── Executive summary
    ├── Technical details
    └── Evidence (screenshots, logs)
    """)
    print("\n" + "=" * 70)
    print("Legal and Ethical Considerations:")
    print("""
    ✓ Always obtain written authorization
    ✓ Define scope clearly
    ✓ Test only during authorized hours
    ✓ Handle credentials securely
    ✓ Provide remediation guidance
    ✓ Sign non-disclosure agreements
    """)

pentesting_methodology()
10. Wi-Fi Security for Home Users
Home Network Security
def home_security():
    """Home Wi-Fi security recommendations"""
    print("Home Wi-Fi Security Guide")
    print("=" * 70)
    print("""
    🏠 SECURING YOUR HOME WI-FI
    ROUTER SETUP:
    ├── Change default admin password immediately
    ├── Update router firmware
    ├── Disable remote administration
    ├── Use WPA2-AES or WPA3
    ├── Disable WPS
    ├── Change default SSID (avoid identifying info)
    ├── Enable guest network for visitors
    └── Disable UPnP if not needed
    NETWORK CONFIGURATION:
    ├── Use strong Wi-Fi password (12+ characters)
    ├── Consider MAC address filtering (additional layer)
    ├── Reduce transmit power if possible
    ├── Use separate IoT network
    ├── Disable Wi-Fi Protected Setup (WPS)
    ├── Enable firewall on router
    └── Regularly check connected devices
    MONITORING:
    ├── Regularly check router logs
    ├── Monitor connected devices list
    ├── Watch for unknown devices
    ├── Check for firmware updates monthly
    ├── Use network scanning apps
    └── Consider open-source router firmware (OpenWrt, DD-WRT)
    ADVANCED PROTECTION:
    ├── Use VPN for sensitive activities
    ├── Consider Pi-hole for DNS filtering
    ├── Implement network segmentation
    ├── Use IoT device isolation
    ├── Set up ad blocking at router level
    └── Consider commercial security routers
    """)
    print("\n" + "=" * 70)
    print("Recommended Router Settings:")
    settings = {
        "Wireless Security": "WPA2-AES or WPA3",
        "WPS": "Disabled",
        "Remote Management": "Disabled",
        "Default SSID": "Changed (not brand/model)",
        "Admin Password": "Changed (complex)",
        "Guest Network": "Enabled with isolation",
        "Firmware": "Auto-update enabled"
    }
    for setting, value in settings.items():
        print(f"   {setting}: {value}")

home_security()
11. Legal and Ethical Considerations
Legal Framework
def legal_framework():
    """Legal aspects of Wi-Fi security testing"""
    print("Legal and Ethical Considerations")
    print("=" * 70)
    print("""
    ⚖️ LAWS AND REGULATIONS:
    UNITED STATES:
    ├── Computer Fraud and Abuse Act (CFAA) - Unauthorized access
    ├── Electronic Communications Privacy Act (ECPA) - Interception
    ├── State computer crime laws
    └── FCC regulations on radio frequency
    EUROPEAN UNION:
    ├── General Data Protection Regulation (GDPR)
    ├── Network and Information Systems (NIS) Directive
    ├── National cybercrime laws
    └── Privacy regulations
    INTERNATIONAL:
    ├── Council of Europe Cybercrime Convention
    ├── UN resolutions on cybercrime
    └── Mutual legal assistance treaties
    KEY PRINCIPLES:
    ├── Authorization: Written permission required
    ├── Scope: Defined boundaries for testing
    ├── Proportionality: Minimal necessary intrusion
    ├── Confidentiality: Protect findings
    ├── Integrity: No permanent damage
    └── Disclosure: Responsible vulnerability reporting
    """)
    print("\n" + "=" * 70)
    print("Ethical Guidelines for Security Professionals:")
    guidelines = [
        "Never test networks you don't own or lack written permission to test",
        "Obtain permission from appropriate authority",
        "Define clear scope and boundaries",
        "Protect all captured data",
        "Report findings responsibly",
        "Never use skills for personal gain",
        "Respect privacy",
        "Follow responsible disclosure practices"
    ]
    for guideline in guidelines:
        print(f"   ✓ {guideline}")

legal_framework()
12. Emerging Threats and Future Trends
Next-Generation Wi-Fi Security
def emerging_threats():
    """Future Wi-Fi security challenges"""
    print("Emerging Wi-Fi Threats and Future Trends")
    print("=" * 70)
    print("""
    🚀 WIFI 6/6E SECURITY CONSIDERATIONS:
    Wi-Fi 6 (802.11ax) Features:
    ├── WPA3 mandatory certification
    ├── OFDMA (multi-user efficiency)
    ├── MU-MIMO improvements
    ├── Target Wake Time (TWT)
    └── 6 GHz band (Wi-Fi 6E)
    Security Implications:
    ├── Increased attack surface (more clients, more bandwidth)
    ├── 6 GHz brings new spectrum challenges
    ├── WPA3 mandatory but implementation matters
    ├── IoT devices may lag in security
    └── New vulnerabilities in complex protocols
    🔮 FUTURE THREATS:
    1. QUANTUM COMPUTING THREATS
    ├── Could break current encryption (WPA3)
    ├── Post-quantum cryptography development
    ├── New standards (WPA4 likely post-quantum)
    └── Timeline: 5-15 years
    2. AI-POWERED ATTACKS
    ├── Automated vulnerability discovery
    ├── Intelligent jamming patterns
    ├── AI-enhanced password cracking
    ├── Behavioral analysis bypass
    └── Autonomous attack agents
    3. IOT PROLIFERATION
    ├── Billions of insecure devices
    ├── Limited compute for strong encryption
    ├── Legacy devices without updates
    ├── Botnet recruitment vectors
    └── Supply chain vulnerabilities
    4. 5G/WI-FI CONVERGENCE
    ├── Cellular/Wi-Fi roaming vulnerabilities
    ├── Handoff attacks
    ├── Authentication delegation risks
    └── Complex multi-RAT security
    """)
    print("\n" + "=" * 70)
    print("Preparing for Future Threats:")
    preparedness = [
        "Plan for quantum-resistant cryptography",
        "Implement AI-based security monitoring",
        "Segment IoT devices from critical networks",
        "Maintain device update capabilities",
        "Zero Trust architecture for wireless",
        "Continuous security assessment"
    ]
    for item in preparedness:
        print(f"   ✓ {item}")

emerging_threats()
13. Incident Response for Wi-Fi Attacks
Response Procedures
def incident_response():
    """Incident response for Wi-Fi attacks"""
    print("Wi-Fi Attack Incident Response")
    print("=" * 70)
    print("""
    🚨 INCIDENT RESPONSE PROCEDURES
    PHASE 1: DETECTION
    ├── User reports connectivity issues
    ├── WIDS alerts (deauth flood, rogue AP)
    ├── Performance degradation
    ├── Unusual network traffic
    ├── Authentication failures spike
    └── Rogue AP detected
    PHASE 2: CONTAINMENT
    ├── Disable compromised AP if identified
    ├── Block rogue AP MAC addresses (a stopgap only: the attacker can change them, so locate the device)
    ├── Rotate the Wi-Fi PSK and lock affected 802.1X accounts
    ├── Revoke compromised certificates
    ├── Isolate affected VLANs
    ├── Force all clients to re-authenticate
    └── Enable additional logging
    PHASE 3: ANALYSIS
    ├── Collect logs from APs, controllers, RADIUS
    ├── Analyze packet captures
    ├── Identify attack vector
    ├── Determine scope of compromise
    ├── Check for data exfiltration
    ├── Identify affected clients
    └── Preserve evidence
    PHASE 4: ERADICATION
    ├── Patch vulnerabilities
    ├── Remove rogue APs
    ├── Update compromised credentials
    ├── Re-image affected systems
    ├── Update firmware
    └── Implement additional controls
    PHASE 5: RECOVERY
    ├── Restore normal operations
    ├── Monitor for recurrence
    ├── Re-authenticate all devices
    ├── Verify network integrity
    ├── Update security policies
    └── Conduct lessons learned
    PHASE 6: DOCUMENTATION
    ├── Incident timeline
    ├── Impact assessment
    ├── Evidence preservation chain
    ├── Remediation actions
    ├── Regulatory reporting if applicable
    └── Process improvements
    """)
    print("\n" + "=" * 70)
    print("Evidence Preservation:")
    print("""
    • Capture all logs before changes
    • Preserve packet captures (keep the original .pcap files and record their hashes)
    • Document timeline
    • Photograph rogue AP if physical
    • Maintain chain of custody
    • Use write-blockers for forensic images
    """)

incident_response()
14. Wi-Fi Security Tools for Defense
Defensive Tools
def defensive_tools():
    """Tools for defending Wi-Fi networks"""
    print("Wi-Fi Defense Tools")
    print("=" * 70)
    tools = {
        "Wireless Intrusion Detection Systems (WIDS)": {
            "open_source": ["Kismet (passive 802.11 monitoring and alerting)"],
            "commercial": ["Cisco DNA Center (aWIPS)", "Aruba AirWave (RAPIDS)", "Fortinet FortiGate WIDS profiles for FortiAP"],
            "features": ["Rogue AP detection", "Deauth detection", "Client tracking"],
            # Snort and Suricata inspect wired/IP traffic, not 802.11 management frames;
            # they complement a WIDS on the LAN side but cannot see deauth or rogue beacons.
        },
        "Rogue AP Detection": {
            "tools": [
                "Wireshark in monitor mode (e.g. filter wlan.fc.type_subtype == 0x0008 for beacons)",
                "Kismet",
                "Aruba AirWave",
                "Custom scripts",
            ],
            "techniques": ["Passive scanning", "Active probing", "Switch port analysis (find the rogue's wired uplink)"],
        },
        "Spectrum Analyzers": {
            "tools": [
                "MetaGeek Wi-Spy with Chanalyzer", "Spectools (open-source Wi-Spy client)",
            ],
            # Kismet is an 802.11 protocol analyzer, not an RF spectrum analyzer.
            "features": ["RF noise detection", "Jammer identification", "Channel utilization"],
        },
        "Vulnerability Scanners": {
            "tools": [
                "Nessus",
                "OpenVAS",
                "Qualys",
                "Custom scripts",
            ],
            # These audit the AP's wired management interface and firmware version;
            # they do not assess the RF side.
            "features": ["Weak encryption detection", "Configuration audits", "Firmware checks"],
        },
    }
    for tool_type, details in tools.items():
        print(f"\n🛡️ {tool_type}")
        if "open_source" in details:
            print(f"  Open Source: {', '.join(details['open_source'])}")
        if "commercial" in details:
            print(f"  Commercial: {', '.join(details['commercial'])}")
        if "tools" in details:
            print(f"  Tools: {', '.join(details['tools'])}")
        if "techniques" in details:
            print(f"  Techniques: {', '.join(details['techniques'])}")
        if "features" in details:
            print(f"  Features: {', '.join(details['features'])}")

defensive_tools()
15. Summary and Key Takeaways
Wi-Fi Attack Summary
def final_summary():
    """Summary of Wi-Fi attacks and defenses"""
    print("Wi-Fi Security Summary")
    print("=" * 70)
    print("""
    📊 WI-FI ATTACK TYPES:
    PASSIVE ATTACKS (attacker only listens):
    ├── Network sniffing (eavesdropping)
    ├── Device tracking
    ├── Traffic analysis
    ├── 4-way handshake capture
    └── Wardriving
    ACTIVE ATTACKS (attacker transmits):
    ├── Deauthentication (client disconnect)
    ├── Evil twin (rogue AP)
    ├── KRACK (key reinstallation)
    ├── PMKID capture (clientless, but the attacker must send an association request)
    ├── Password cracking (offline, against a captured handshake or PMKID)
    ├── RF jamming
    ├── Flood attacks (beacon, association)
    └── WPS PIN brute force
    ENTERPRISE ATTACKS:
    ├── Rogue RADIUS behind an evil twin, harvesting EAP credentials
    ├── EAP-MSCHAPv2 challenge/response cracking
    ├── Certificate spoofing (works when clients do not validate the server certificate)
    └── LEAP attacks
    🔒 DEFENSIVE LAYERS:
    LAYER 1: PROTOCOLS
    ├── Use WPA3 (or WPA2 with AES-CCMP; never TKIP)
    ├── Disable WPS
    ├── Enable Protected Management Frames (802.11w)
    └── Prefer 802.1X with EAP-TLS over a shared PSK where possible
    LAYER 2: CONFIGURATION
    ├── Strong, random PSK (15+ characters)
    ├── Change default credentials
    ├── Update firmware
    ├── Disable remote management
    └── MAC filtering (additional layer only; addresses are trivially spoofed)
    LAYER 3: MONITORING
    ├── Wireless Intrusion Detection System
    ├── Rogue AP detection
    ├── Log analysis
    ├── Performance monitoring
    └── Regular audits
    LAYER 4: USER EDUCATION
    ├── VPN usage
    ├── Network verification
    ├── Password hygiene
    ├── Report suspicious activity
    └── Device security
    LAYER 5: INCIDENT RESPONSE
    ├── Detection procedures
    ├── Containment plans
    ├── Forensic capabilities
    ├── Communication protocols
    └── Regular testing
    """)
    print("\n" + "=" * 70)
    print("Key Metrics to Track:")
    metrics = [
        "Number of detected rogue APs",
        "Deauth frame rate (per BSSID)",
        "Authentication failure rate",
        "Unknown devices connected",
        "Firmware update status",
        "WIDS alert frequency",
        "WPA2/WPA3 adoption rate",
    ]
    for metric in metrics:
        print(f"  • {metric}")

final_summary()
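The detection phase of the incident response procedure, the WIDS features listed under defensive tools, and the key metrics above all come down to the same job: turning raw 802.11 events into rogue-AP findings and rates. The following is an added example of that logic, not tooling from the page or from any WIDS product. It assumes a simple `key=value` sensor log format, an authorized-AP inventory (`AUTHORIZED`, `EXPECTED_SECURITY`) and alert thresholds that are tuning values chosen for the example; the log lines themselves are constructed and include an evil twin advertising the corporate SSID as WPA2-PSK from an unknown BSSID, a deauth burst spoofing a legitimate BSSID, and a run of failed authentications.

```python
"""WIDS-style analysis of constructed 802.11 event records (added example)."""
from collections import Counter, defaultdict

# Assumed inventory: SSID -> authorized BSSIDs, and the security each SSID must advertise.
AUTHORIZED = {"CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
EXPECTED_SECURITY = {"CorpNet": "WPA3-SAE"}

DEAUTH_FLOOD_PER_SEC = 10  # assumed tuning value: >10 deauth/s from one BSSID is a flood
AUTH_FAIL_RATIO = 0.5      # assumed tuning value: >50% failed authentications is suspicious

# Constructed sensor log: two legitimate beacons, an evil twin on our SSID (WPA2-PSK,
# unknown BSSID), an unrelated open AP, one normal deauth, a 12-frame broadcast deauth
# burst spoofing a legitimate BSSID within one second, then four failed and two good auths.
LOG_LINES = [
    "t=100.00 type=beacon bssid=aa:bb:cc:00:00:01 ssid=CorpNet sec=WPA3-SAE",
    "t=100.10 type=beacon bssid=aa:bb:cc:00:00:02 ssid=CorpNet sec=WPA3-SAE",
    "t=100.20 type=beacon bssid=de:ad:be:ef:00:01 ssid=CorpNet sec=WPA2-PSK",
    "t=100.30 type=beacon bssid=66:77:88:99:aa:bb ssid=CoffeeShop sec=OPEN",
    "t=100.50 type=deauth bssid=aa:bb:cc:00:00:02 client=11:22:33:44:55:66 reason=3",
] + [
    f"t={101.0 + 0.08 * i:.2f} type=deauth bssid=aa:bb:cc:00:00:01 client=ff:ff:ff:ff:ff:ff reason=7"
    for i in range(12)
] + [
    "t=102.00 type=auth_fail bssid=de:ad:be:ef:00:01 client=11:22:33:44:55:66",
    "t=102.10 type=auth_fail bssid=de:ad:be:ef:00:01 client=11:22:33:44:55:77",
    "t=102.20 type=auth_fail bssid=aa:bb:cc:00:00:01 client=11:22:33:44:55:66",
    "t=102.30 type=auth_fail bssid=aa:bb:cc:00:00:01 client=11:22:33:44:55:88",
    "t=102.40 type=auth_ok bssid=aa:bb:cc:00:00:01 client=11:22:33:44:55:66",
    "t=102.50 type=auth_ok bssid=aa:bb:cc:00:00:02 client=11:22:33:44:55:99",
]


def parse_events(lines):
    """Parse 'key=value' tokens into dicts; 't' becomes a float timestamp in seconds."""
    events = []
    for line in lines:
        ev = dict(tok.split("=", 1) for tok in line.split())
        ev["t"] = float(ev["t"])
        events.append(ev)
    return events


def detect_rogue_aps(events, authorized=AUTHORIZED, expected=EXPECTED_SECURITY):
    """Flag beacons using one of our SSIDs from a BSSID we do not own (evil twin),
    or from our own BSSID with weaker security than expected (downgrade)."""
    findings, seen = [], set()
    for ev in events:
        ssid = ev.get("ssid")
        if ev["type"] != "beacon" or ssid not in authorized:
            continue  # foreign SSIDs need wired-side (switch port) correlation to classify
        key = (ev["bssid"], ssid, ev["sec"])
        if key in seen:
            continue
        seen.add(key)
        downgrade = ev["sec"] != expected[ssid]
        if ev["bssid"] not in authorized[ssid]:
            findings.append({"kind": "evil_twin", "bssid": ev["bssid"], "ssid": ssid,
                             "sec": ev["sec"], "downgrade": downgrade})
        elif downgrade:
            findings.append({"kind": "security_downgrade", "bssid": ev["bssid"], "ssid": ssid,
                             "sec": ev["sec"], "downgrade": True})
    return findings


def compute_metrics(events, window=1.0, flood_threshold=DEAUTH_FLOOD_PER_SEC):
    """Peak deauth rate per BSSID (frames per window), flood offenders, and auth failure rate."""
    per_bin = defaultdict(Counter)  # bssid -> Counter of deauth frames per time bin
    auth = Counter()
    for ev in events:
        if ev["type"] == "deauth":
            per_bin[ev["bssid"]][int(ev["t"] // window)] += 1
        elif ev["type"] in ("auth_ok", "auth_fail"):
            auth[ev["type"]] += 1
    peak = {bssid: max(bins.values()) for bssid, bins in per_bin.items()}
    attempts = auth["auth_ok"] + auth["auth_fail"]
    return {
        "rogue_ap_count": len(detect_rogue_aps(events)),
        "peak_deauth_per_sec": peak,
        "deauth_flood_bssids": sorted(b for b, n in peak.items() if n > flood_threshold),
        "auth_attempts": attempts,
        "auth_failure_rate": auth["auth_fail"] / attempts if attempts else 0.0,
    }


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for finding in detect_rogue_aps(evs):
        print("ALERT rogue AP:", finding)
    m = compute_metrics(evs)
    print("metrics:", m)
    if m["auth_failure_rate"] > AUTH_FAIL_RATIO:
        print("ALERT authentication failure rate above threshold")
```

Two design points: a deauth spoofing a legitimate BSSID is indistinguishable from the real AP at the frame level, which is why the rate per BSSID (not the sender's identity) is the signal, and why Protected Management Frames is the actual fix. The open "CoffeeShop" AP is deliberately not flagged: an AP on a foreign SSID is only a rogue if it is plugged into your wired network, which this RF-only view cannot tell and the switch port analysis technique listed above is for.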
Conclusion
Wi-Fi security is a critical component of overall cybersecurity. Understanding how attacks work enables better defense design and implementation.
Key Takeaways
- Protocol Evolution: WPA3 addresses many WPA2 vulnerabilities but requires proper implementation
- Attack Diversity: Wi-Fi attacks range from passive eavesdropping to active jamming
- Defense in Depth: Multiple security layers are essential (protocols, configuration, monitoring)
- Continuous Monitoring: WIDS is critical for detecting ongoing attacks
- User Education: Users must be trained to identify and avoid rogue networks
- Enterprise Security: Certificate-based authentication provides stronger protection than PSK
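Why the PSK is the weak point, and why WPA3 SAE and certificate-based EAP-TLS are stronger, follows directly from how WPA2-Personal derives its keys: the PMK is a fixed function of the passphrase and SSID, so a single captured PMKID or 4-way handshake is an offline oracle against which every guess can be checked without touching the network again. SAE derives the PMK from a per-session elliptic-curve exchange, so the same capture yields nothing to guess against. The following added example (standard library only, not code from the page) reproduces the WPA2 derivation and the resulting dictionary check; the SSID, MAC addresses, passphrases and word list are constructed, and the per-GPU guess rate used in the time estimate is an assumption for illustration.

```python
"""WPA2-Personal PMK/PMKID derivation and the offline guess it permits (added example)."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Nothing per-session enters this, so one PSK on one SSID always yields the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the PSK AKM (00-0F-AC:2).
    The AP sends it in EAPOL message 1 of the 4-way handshake, before any client secret is used."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def crack_pmkid(target: bytes, ssid: str, ap_mac: str, sta_mac: str, wordlist):
    """Offline dictionary attack: return the passphrase whose PMKID matches, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac), target):
            return candidate
    return None


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_sec: float) -> float:
    """Worst-case time to exhaust a random passphrase space at the given PBKDF2 guess rate."""
    return alphabet_size ** length / guesses_per_sec


# Constructed scenario values (not from any real network).
SSID, AP_MAC, STA_MAC = "CorpNet", "aa:bb:cc:00:00:01", "11:22:33:44:55:66"
WEAK_PSK = "password123"
STRONG_PSK = "Tq7#vLm2pX9!rZ4w"          # 16 random printable characters
WORDLIST = ["letmein", "password", "qwerty", "password123", "CorpNet2024"]
ASSUMED_GPU_RATE = 1_000_000.0          # assumed PBKDF2(4096) guesses/s for one GPU


if __name__ == "__main__":
    captured = pmkid(derive_pmk(WEAK_PSK, SSID), AP_MAC, STA_MAC)
    print("weak PSK recovered:  ", crack_pmkid(captured, SSID, AP_MAC, STA_MAC, WORDLIST))
    captured = pmkid(derive_pmk(STRONG_PSK, SSID), AP_MAC, STA_MAC)
    print("strong PSK recovered:", crack_pmkid(captured, SSID, AP_MAC, STA_MAC, WORDLIST))
    for length, alphabet in ((8, 26), (15, 62)):
        days = brute_force_seconds(length, alphabet, ASSUMED_GPU_RATE) / 86400
        print(f"{length} random chars over {alphabet} symbols: {days:.3g} days to exhaust")
```

`derive_pmk` reproduces the IEEE 802.11 passphrase-to-PSK test vector (passphrase `password`, SSID `IEEE`), which is a quick way to confirm a tool's derivation is right. The time estimate is what the "15+ characters" configuration advice rests on: eight random lowercase letters fall in days at the assumed rate, while a random 15-character mixed passphrase is out of reach, and a dictionary word or company-name variant falls immediately regardless of length.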
Final Security Principles
def security_principles():
    """Core security principles for Wi-Fi"""
    principles = [
        "Assume wireless networks are compromised",
        "Encrypt all sensitive traffic (VPN)",
        "Segment wireless networks (guest, IoT, corporate)",
        "Monitor continuously for anomalies",
        "Update regularly",
        "Test periodically",
        "Train users",
        "Plan for incidents",
    ]
    print("\n" + "=" * 70)
    print("CORE WI-FI SECURITY PRINCIPLES")
    print("=" * 70)
    for i, principle in enumerate(principles, 1):
        print(f"{i:2}. {principle}")

security_principles()
This guide is for educational purposes only. Always obtain proper authorization before testing or assessing Wi-Fi networks. Unauthorized access to computer networks is illegal in most jurisdictions.