Wireless Notes
Learn wireless attacks with eavesdropping, MITM, evil twin, deauthentication, jamming, replay, key cracking methods, and comprehensive prevention techniques for engineering students.
A comprehensive guide to wireless network attack vectors including eavesdropping, evil twin, deauthentication, KRACK, WPS attacks, rogue access points, and defense strategies for securing wireless infrastructure.
Passive Attacks (Listening)
Wireless Eavesdropping (Sniffing)
The most basic wireless attack requires zero interaction with the target network. The attacker simply places their wireless adapter in monitor mode and captures all wireless frames in range. On an unencrypted network, this exposes all data in cleartext. Even on encrypted networks, metadata (MAC addresses, frame types, traffic patterns) is visible.
Tools: Wireshark, Aircrack-ng suite, Kismet Prevention: Always use WPA2/WPA3 encryption; use HTTPS for all web traffic; use VPN on public WiFi
Traffic Analysis
Even without decrypting content, an attacker can learn valuable information from traffic patterns:
- Which websites you visit (DNS queries may be unencrypted)
- When you are home (device activity patterns)
- Number of devices on the network
- Types of services used (streaming vs browsing vs video calls)
Active Attacks
Evil Twin Attack
The attacker creates a fake access point with the same SSID as a legitimate network. Victims' devices automatically connect to the stronger signal (the fake AP), routing all their traffic through the attacker:
How it works:
- Attacker creates AP with identical SSID ("Airport_WiFi_Free")
- Uses higher transmit power or positions closer to victims
- Victim's device auto-connects (recognizes saved SSID)
- Attacker runs DHCP server, provides internet via mobile hotspot
- All victim traffic passes through attacker (man-in-the-middle)
Prevention: Verify AP certificates (802.1X/EAP-TLS), use VPN, disable auto-connect, verify network with staff
Deauthentication Attack
The attacker sends forged deauthentication frames (which are unencrypted management frames in 802.11) to disconnect clients from a legitimate AP. This can be used to:
- Force clients to reconnect (capturing the WPA2 handshake for offline cracking)
- Create denial of service (continuously deauthenticate all clients)
- Push clients toward an evil twin
Technical detail: 802.11 management frames (authentication, deauthentication, association, disassociation) were NOT encrypted or authenticated in original WiFi standards. Any device can forge these frames with spoofed source MAC addresses.
Prevention: WPA3 with Protected Management Frames (PMF / 802.11w) authenticates management frames, preventing spoofing. Enable PMF on all modern devices.
WPA2 Handshake Capture and Cracking
The WPA2 four-way handshake is vulnerable to offline dictionary attacks:
- Attacker captures the four-way handshake (waits for a client to connect, or forces reconnection via deauth)
- Extracts the handshake parameters (ANonce, SNonce, MAC addresses)
- Tests millions of password candidates offline using GPU-accelerated tools
- Each candidate generates a PMK → PTK → MIC and compares with captured MIC
- Match found = password recovered
Speed of attack: Modern GPUs can test 500,000-2,000,000 WPA2 passwords per second. An 8-character lowercase password (26⁸ ≈ 208 billion combinations) falls in 1-5 days.
Prevention: Use long, complex passwords (12+ characters with mixed case, numbers, symbols); use WPA3-SAE (immune to offline attacks); use 802.1X/EAP for enterprise
Protocol-Level Attacks
KRACK Attack (Key Reinstallation Attack)
Discovered in 2017 by Mathy Vanhoef, KRACK exploits a flaw in the WPA2 four-way handshake implementation:
- The attacker forces reinstallation of an already-used encryption key
- Key reuse allows decryption of packets and possible injection
- Affects ALL WPA2 implementations (protocol-level flaw, not implementation bug)
- Particularly devastating on Linux/Android (key resets to all-zeros)
Prevention: Software patches (available since late 2017 for all major OS); WPA3 is designed to be resistant
WPS PIN Attack
WiFi Protected Setup (WPS) allows connection via an 8-digit PIN. The protocol flaw:
- The 8-digit PIN is verified in two halves (4 digits + 3 digits + 1 checksum)
- First half: 10⁴ = 10,000 attempts maximum
- Second half: 10³ = 1,000 attempts maximum
- Total: 11,000 attempts (instead of 10⁸) — brute-forced in 4-10 hours
Prevention: Disable WPS entirely on all access points
FragAttacks (2021)
Fragmentation and Aggregation Attacks — a collection of vulnerabilities affecting all WiFi implementations since 1997:
- Design flaws in frame aggregation and fragmentation
- Implementation flaws in handling of mixed plaintext/encrypted fragments
- Allow injection of arbitrary frames even on WPA3 networks
Rogue Infrastructure Attacks
Rogue Access Point
An unauthorized AP connected to the corporate network (installed by an employee for convenience or by an attacker with physical access). Bypasses all wireless security by providing an uncontrolled entry point.
KARMA Attack
Devices constantly probe for previously connected networks by broadcasting SSIDs they remember. The KARMA attack responds to ALL probe requests, pretending to be whatever network the device is looking for — "Yes, I am your home WiFi. Yes, I am Starbucks_WiFi. Yes, I am Hotel_Guest."
Attack Summary Table
| Attack | Type | Target | Difficulty | Impact |
|---|---|---|---|---|
| Eavesdropping | Passive | All traffic | Very easy | Confidentiality breach |
| Evil Twin | Active | Users | Easy | Full MitM, credential theft |
| Deauthentication | Active | Availability | Very easy | Denial of service |
| WPA2 cracking | Offline | PSK passwords | Medium | Network access |
| KRACK | Active | WPA2 protocol | Hard | Decryption, injection |
| WPS brute-force | Active | WPS PIN | Easy (automated) | Network access |
| Rogue AP | Physical | Network perimeter | Medium | Bypass all security |
| KARMA/beacon flood | Active | Client devices | Easy | Evil twin delivery |
Defense Strategies
Network-Level Defenses
| Defense | Protects Against |
|---|---|
| WPA3 with SAE | Offline dictionary attacks, KRACK |
| 802.11w (PMF) | Deauthentication, disassociation attacks |
| 802.1X/EAP-TLS | Evil twin (mutual authentication) |
| WIDS/WIPS | Rogue APs, deauth floods, evil twins |
| Disable WPS | WPS PIN brute-force |
| Network segmentation | Lateral movement after compromise |
| Client isolation | Client-to-client attacks on same AP |
User-Level Defenses
- Always use VPN on public/untrusted WiFi networks
- Verify HTTPS — Look for lock icon before entering credentials
- Disable auto-connect — Prevent connecting to spoofed SSIDs
- Forget old networks — Remove saved networks you no longer use
- Use cellular over public WiFi when handling sensitive data
Key Takeaways
- Wireless networks are inherently exposed because radio signals travel through walls and can be received by anyone within range
- Evil twin attacks are devastatingly effective on open networks — creating a fake AP with the same name tricks devices into connecting automatically
- WPA2-PSK is vulnerable to offline dictionary attacks if the handshake is captured — password complexity is your primary defense
- Deauthentication attacks exploit unprotected management frames — WPA3 with PMF (802.11w) is the definitive solution
- WPS has a fatal design flaw reducing the PIN space from 10⁸ to 11,000 — always disable WPS on access points
- KRACK demonstrated that even WPA2's protocol design had flaws — software patching and migration to WPA3 are essential
- Defense-in-depth combining WPA3, 802.1X, WIDS, VPN, and user awareness provides robust protection against the full spectrum of wireless attacks
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Wireless Attacks Types Methods Prevention.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Wireless Communications topic.
Search Terms
wireless-communications, wireless communications, wireless, communications, security, attacks, wireless attacks types methods prevention
Related Wireless Communications Topics