# WiFi Protocol Attacks

## Overview
WiFi attacks target 802.11 protocol weaknesses at every security layer — from broken legacy protocols (WEP) to modern WPA3-SAE. The attack path depends entirely on the target's security configuration, which must be identified through passive reconnaissance before any active operation.
This section covers the full spectrum of WiFi protocol attacks. For network segmentation bypass after gaining wireless access (VLAN hopping, MAC filtering, NAC), see Network Segmentation. For Bluetooth, Zigbee, Z-Wave, and SDR, see Bluetooth & IoT.
## Attack Type Decision Tree

```text
Target WiFi Security Type?
|
|-- Open / No Encryption
|   |-- Captive Portal --> [Captive Portal Bypass](captive-portal-bypass.md)
|   |-- No Portal --> Direct Access (monitor traffic)
|
|-- WEP
|   |-- IV Collection --> aircrack-ng (trivial, < 5 min)
|   |-- Chopchop / Fragmentation --> besside-ng, aircrack-ng
|
|-- WPA / WPA2-PSK
|   |-- PMKID available? --> [PMKID Attack](pmkid-attack.md) (no client needed)
|   |-- Connected clients? --> [Deauth + Capture](deauthentication-attacks.md) handshake
|   |-- WPS enabled? --> [WPS PIN Attack](wpa-wpa2-cracking.md) (reaver, pixie dust)
|   |-- Dictionary crack --> hashcat -m 22000
|
|-- WPA2-Enterprise (802.1X)
|   |-- EAP downgrade --> [PEAP/GTC Downgrade](evil-twin-and-rogue-ap.md)
|   |-- Evil twin --> eaphammer / hostapd-wpe
|   |-- See [802.1X Attacks](../network-segmentation/8021x-attacks.md)
|
|-- WPA3-SAE
|   |-- Dragonblood --> [WPA3 Attacks](wpa3-attacks.md)
|   |-- Transition mode downgrade --> Force WPA2 handshake
|   |-- SAE dictionary --> hashcat -m 22000
|
|-- Hidden SSID
    |-- Probe request monitoring --> [Client Attacks](wireless-client-attacks.md)
    |-- Deauth to force SSID reveal
```
## Technique Files
| File | Covers | Complexity |
|---|---|---|
| WEP Attacks | FMS attack, KoreK, chopchop, fragmentation, aircrack-ng workflow | Low |
| WPA/WPA2 Cracking | 4-way handshake capture, PMKID, hashcat, WPS attacks, enterprise WPA2 | Medium |
| WPA3 Attacks | SAE/Dragonblood, downgrade attacks, OWE | Medium-High |
| PMKID Attack | hcxdumptool capture, no-client offline cracking | Medium |
| Deauthentication Attacks | 802.11 deauth frames, MFP impact, detection | Low-Medium |
| Evil Twin & Rogue AP | hostapd-wpe, eaphammer, captive portals, Karma attacks | High |
| Wireless Client Attacks | Karma, probe request exploitation, Wi-Fi Direct, hotspot theft | Medium |
| Captive Portal Bypass | MAC whitelist bypass, DNS/ICMP tunneling, ARP spoofing | Medium |
## General Workflow

### Step 1: Monitor Mode Setup

```bash
# Kill interfering processes (NetworkManager, wpa_supplicant, ...)
sudo airmon-ng check kill
# Start monitor mode (creates wlan0mon on most drivers)
sudo airmon-ng start wlan0
# Verify
iw dev wlan0mon info
# Should show: type monitor, plus the current channel
```
### Step 2: Target Identification

```bash
# Passive survey (5-10 min recommended)
sudo airodump-ng wlan0mon --write survey --output-format pcap,csv,netxml
# Focus on specific target
sudo airodump-ng wlan0mon --channel <CH> --bssid <TARGET_MAC> --write target
```
### Step 3: Attack Selection
Based on the decision tree above, select the appropriate technique. Always prefer:
- PMKID capture (no deauth, no client needed) over handshake capture
- Passive techniques over active when possible
- Targeted deauth over broadcast when deauth is necessary
### Step 4: Credential Extraction

```bash
# Convert capture to hashcat 22000 format (hcxpcapngtool reads pcapng and
# the pcap/.cap files written by airodump-ng, e.g. target-01.cap)
hcxpcapngtool -o hash.hc22000 target.pcapng
# Dictionary attack
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
# Rule-based mutation
hashcat -m 22000 hash.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule
```
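As an added example (not part of the original page or of any tool it lists), the following Python script reads the `survey-01.csv` that Step 2 produces and maps every access point onto the decision-tree branch above, the way a network owner would triage their own estate for configurations that need remediation (WEP, open, WPA3 transition mode). The sample CSV is constructed; the column layout is assumed to match airodump-ng's csv output, and ESSIDs containing commas are not handled.

```python
import csv

# Constructed sample in the layout of an airodump-ng --output-format csv survey
# (MACs and names invented, not a real capture). Station table follows the blank line.
SURVEY_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WEP, WEP, , -40, 120, 3000,   0.  0.  0.  0,   9, LegacyNet, 
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, OPN, , , -45, 110,    0,   0.  0.  0.  0,   5, Guest, 
AA:BB:CC:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 130, WPA2, CCMP, PSK, -50, 100,    0,   0.  0.  0.  0,   6, Office, 
AA:BB:CC:00:00:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 866, WPA2, CCMP, MGT, -55,  90,    0,   0.  0.  0.  0,   4, Corp, 
AA:BB:CC:00:00:05, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 44, 866, WPA3 WPA2, CCMP, SAE PSK, -60,  80,    0,   0.  0.  0.  0,   7, Transit, 
AA:BB:CC:00:00:06, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 48, 866, WPA3, CCMP, SAE, -62,  70,    0,   0.  0.  0.  0,   6, Secure, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DD:EE:FF:00:00:01, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -70,  40, AA:BB:CC:00:00:03, Office
"""

WEAK_CONFIGS = {  # decision-tree branches the network owner should remediate, with the reason
    "Open / No Encryption": "no link-layer confidentiality; all traffic readable",
    "WEP": "broken cipher, key recoverable in minutes; retire the network",
    "WPA3-SAE (transition mode)": "WPA2-PSK fallback stays reachable; move clients to SAE-only",
}

def classify(privacy: str, auth: str) -> str:
    """Map airodump's Privacy and Authentication columns onto the decision-tree branches."""
    p, a = privacy.split(), auth.split()
    if not p or "OPN" in p:
        return "Open / No Encryption"
    if "WEP" in p:
        return "WEP"
    if "WPA3" in p:
        # Transition mode advertises both SAE and PSK on the same BSS
        return "WPA3-SAE (transition mode)" if "WPA2" in p or "PSK" in a else "WPA3-SAE"
    if "MGT" in a:
        return "WPA2-Enterprise (802.1X)"
    return "WPA / WPA2-PSK"

def parse_access_points(text: str) -> list[dict]:
    """Return the AP table (everything before the blank line) as a list of dicts."""
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.DictReader(ap_section.splitlines(), skipinitialspace=True)
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k} for row in reader]

def audit(text: str) -> list[tuple]:
    """(ESSID, BSSID, branch, remediation note) per AP; note is '' where no weakness applies."""
    findings = []
    for ap in parse_access_points(text):
        branch = classify(ap["Privacy"], ap["Authentication"])
        findings.append((ap["ESSID"], ap["BSSID"], branch, WEAK_CONFIGS.get(branch, "")))
    return findings
```

Run `audit(open("survey-01.csv").read())` against a real survey to list every BSS with its branch and, for the three weak branches, the fix the owner needs to make.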
## Adapter Requirements
| Attack | Adapter Requirement |
|---|---|
| Passive survey | Any adapter with monitor mode |
| Deauth injection | Adapter with packet injection + monitor mode (Alfa AWUS036ACH recommended) |
| PMKID capture | Adapter supported by hcxdumptool (most modern adapters) |
| Evil twin / Rogue AP | Adapter with AP mode support + second adapter for internet relay |
| WPS attack | Adapter supported by reaver (RT8812AU recommended) |
## Cross-References
- Passive Survey -- Do this before any active attack
- Network Segmentation -- After gaining WiFi access, bypass VLANs/NAC
- 802.1X Attacks -- Enterprise WiFi authentication exploitation
- 06 - Exploitation & Foothold -- Post-wireless exploitation
## Tool References
| Tool | Purpose | Link |
|---|---|---|
| aircrack-ng suite | WiFi capture, deauth, cracking | https://www.aircrack-ng.org/ |
| hcxdumptool / hcxtools | PMKID capture, hash conversion | https://github.com/ZerBea/hcxtools |
| hashcat | GPU-accelerated hash cracking | https://hashcat.net/hashcat/ |
| eaphammer | Enterprise evil twin, PEAP attacks | https://github.com/s0lst1c3/eaphammer |
| hostapd-wpe | Rogue AP with credential logging | https://github.com/OpenSecurityResearch/hostapd-wpe |
| reaver / bully | WPS PIN attacks | https://github.com/t6x/reaver-wps-fork |
| bettercap | WiFi recon, deauth, MITM | https://www.bettercap.org/ |
| WiFi-Pumpkin | Rogue AP framework | https://github.com/P0cL4b/WiFi-Pumpkin |
| wifite2 | Automated WiFi audit | https://github.com/derv82/wifite2 |