Wi-Fi Attack Techniques - ikenpachi/Wireless-Attacks-Docs-Red-Team GitHub Wiki

Wi-Fi Attack Techniques

Wireless networks are susceptible to various attacks that exploit vulnerabilities in encryption, authentication, and network protocols. Below is a detailed breakdown of the most common attack techniques used in wireless penetration testing.


1. ChopChop Attack

Type: WEP Encryption Attack
Description:

  • The attacker captures an encrypted data packet and attempts to decrypt it without knowing the WEP key.
  • By manipulating packet fragments, the attacker reconstructs the plaintext data and ultimately recovers the WEP key.
  • This attack is effective against networks using WEP encryption, which is outdated and vulnerable.

Tool Used: Aircrack-ng


2. Fragmentation Attack

Type: WEP Key Recovery Attack
Description:

  • Breaks WEP encryption by injecting small packets into the network.
  • Each small packet helps the attacker reconstruct the full encryption key.
  • WEP’s weak IV (Initialization Vector) implementation makes this attack highly effective.

Tool Used: Aircrack-ng


3. Pixie-Dust Attack

Type: WPS Exploit
Description:

  • Targets routers with WPS (Wi-Fi Protected Setup) enabled.
  • Exploits vulnerabilities in the E-S1 and E-S2 nonces used in the WPS PIN validation process.
  • The attacker can recover the WPA/WPA2 password offline without brute-forcing the entire key space.
  • Works effectively on routers with poorly implemented WPS PIN authentication.

Tools Used: Reaver, Bully


4. Deauthentication Attack

Type: Denial of Service (DoS)
Description:

  • The attacker sends fake deauthentication frames to a victim, forcing their device to disconnect from the network.
  • This attack can be used to capture WPA2 handshakes or disrupt a network's connectivity.
  • Commonly used for forcing users to connect to an Evil Twin access point.

Tools Used: Aireplay-ng, Bettercap
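A defender's view of the same frames, as an added example that is not part of this wiki: the detection below parses a constructed summary of captured management frames (the column layout and every address in it are made up for the example) and flags any transmitter address that sends an implausible number of deauthentication or disassociation frames within a short window. This is the kind of rule a wireless IDS sensor applies; the durable fix is Protected Management Frames (802.11w), under which a station discards deauthentication frames that lack a valid MIC.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame summaries (not a real capture).
# Columns: epoch seconds, frame subtype, transmitter address, receiver address,
# reason code ("-" for frames that carry none). Twelve spoofed deauth/disassoc
# frames claiming to come from AP aa:bb:cc:00:00:01 arrive within half a
# second; the single reason-3 deauth from aa:bb:cc:00:00:02 is a normal leave.
SAMPLE_FRAMES = """\
1700000000.10 beacon   aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff -
1700000000.20 beacon   aa:bb:cc:00:00:02 ff:ff:ff:ff:ff:ff -
1700000000.50 deauth   aa:bb:cc:00:00:02 11:22:33:44:55:77 3
1700000001.00 deauth   aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff 7
1700000001.05 deauth   aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff 7
1700000001.10 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.15 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.20 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.25 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.30 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.35 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.40 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.45 disassoc aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.50 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000001.55 deauth   aa:bb:cc:00:00:01 11:22:33:44:55:66 7
1700000002.00 beacon   aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff -
"""


def parse_frames(text):
    """Turn the summary text into (timestamp, subtype, src, dst, reason) tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subtype, src, dst, reason = line.split()
        frames.append((float(ts), subtype, src.lower(), dst.lower(), reason))
    return frames


def peak_deauth_rate(frames, window=5.0):
    """For each transmitter address, the largest number of deauth/disassoc
    frames observed inside any `window`-second span (sliding window)."""
    recent = defaultdict(deque)   # src -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, subtype, src, _dst, _reason in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def detect_deauth_floods(text, window=5.0, threshold=10):
    """Transmitter addresses whose peak deauth rate reaches the threshold.
    A genuine AP rarely emits more than a few of these per minute."""
    peaks = peak_deauth_rate(parse_frames(text), window)
    return {src: n for src, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood: {n} frames attributed to {src} within 5 s")
```

The window and threshold are the only tuning knobs: a handful of deauthentications per minute is ordinary churn, a dozen in half a second (several of them to the broadcast address, as in the sample) is not. Note that the transmitter address is spoofed, so the alert names the impersonated AP, not the sender; locating the sender needs signal-strength data the summary does not carry.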


5. Evil Twin Attack

Type: Rogue Access Point Attack
Description:

  • The attacker creates a fake access point with the same SSID as a legitimate Wi-Fi network.
  • Victims unknowingly connect to the attacker-controlled network, allowing data interception.
  • This technique is often used for credential theft and Man-in-the-Middle (MITM) attacks.

Tools Used: Airbase-ng, Bettercap


6. PMKID Attack

Type: WPA2 Key Extraction Attack
Description:

  • Instead of capturing a four-way handshake, this attack targets the PMKID hash generated during WPA2 authentication.
  • The attacker captures this hash and performs offline brute-force or dictionary attacks to retrieve the Wi-Fi password.
  • This method is faster than traditional handshake attacks because it doesn’t require a client to connect to the network.

Tools Used: Hashcat, hcxdumptool, hcxtools


7. WPA/WPA2 Handshake Cracking

Type: Dictionary/Brute-force Attack
Description:

  • The attacker captures a WPA/WPA2 handshake when a device connects to a Wi-Fi network.
  • The captured handshake is then subjected to a dictionary or brute-force attack to find the correct password.
  • Highly dependent on the strength of the password—long, complex passwords are resistant to this attack.

Tools Used: Aircrack-ng, Hashcat
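Why the PMKID attack (section 6) and handshake cracking (section 7) both reduce to guessing the passphrase, shown as an added example that is not part of this wiki: the block below computes the WPA2 pairwise master key (PMK) and the PMKID exactly as IEEE 802.11 defines them. The MAC addresses are constructed; the passphrase/SSID pair "password"/"IEEE" is the PSK test vector published in the standard. Nothing here cracks anything; the point is what a captured PMKID or handshake commits to, why the work is offline, and why passphrase length is the whole defense on a WPA2-PSK network.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK derivation from IEEE 802.11: PBKDF2-HMAC-SHA1 with the SSID as
    the salt, 4096 iterations, 256-bit output. Every WPA/WPA2-PSK client and
    AP computes this from the passphrase; a guess costs the same 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || station MAC).
    The AP places this value in the first message of the four-way handshake,
    so anyone who elicits that message holds a value that depends only on the
    PMK and two public MAC addresses; no client and no data traffic needed."""
    def mac_bytes(mac: str) -> bytes:
        return bytes.fromhex(mac.replace(":", ""))
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def pmk_is_ssid_bound(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different PMKs on two SSIDs. Because the
    SSID is the salt, a precomputed table is only reusable against APs that
    share the SSID, which is why leaving a vendor default SSID is a risk."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed addresses; only the PMK test vector comes from the standard.
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK   :", pmk.hex())
    print("PMKID :", pmkid(pmk, "aa:bb:cc:00:00:01", "11:22:33:44:55:66").hex())
    print("SSID-bound:", pmk_is_ssid_bound("password", "IEEE", "IEEE-guest"))
```

The two functions make the page's statements concrete: the PMKID is computable from the PMK and public addresses alone, so capturing it (or the handshake, whose MIC is keyed from the same PMK) turns the problem into an offline search over passphrases at 4096 HMAC rounds per guess. Mitigations follow directly: a long random passphrase, a non-default SSID, or moving to WPA3-SAE or 802.1X, where no offline-checkable value leaves the air.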


8. KARMA Attack

Type: Automatic Client Connection Exploit
Description:

  • Many devices are configured to automatically reconnect to known networks.
  • The attacker sets up an open access point with common SSIDs (e.g., "Starbucks Wi-Fi").
  • Devices automatically connect, allowing the attacker to intercept and manipulate network traffic.

Tool Used: Bettercap
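Detection for both Evil Twin (section 5) and KARMA (section 8) behaviour, as an added example that is not part of this wiki. It runs over a constructed scan table (every BSSID, SSID and channel is made up) against an inventory of the access points a site actually operates: a known SSID beaconed from an unlisted BSSID, or with weaker security than the real network uses, is an Evil Twin candidate, and a single BSSID answering for many unrelated SSIDs is the signature of a KARMA-style responder.

```python
from collections import defaultdict

# Constructed scan results (not from a real site): bssid|ssid|security|channel.
# The first two rows are the site's own APs; de:ad:be:ef:* are the impostors.
SAMPLE_SCAN = """\
aa:bb:cc:00:00:01|CorpWiFi|WPA2|6
aa:bb:cc:00:00:02|CorpWiFi|WPA2|11
de:ad:be:ef:00:01|CorpWiFi|WPA2|6
de:ad:be:ef:00:02|CorpWiFi|OPEN|1
de:ad:be:ef:00:03|CorpWiFi|WPA2|6
de:ad:be:ef:00:03|Cafe Free Wi-Fi|OPEN|6
de:ad:be:ef:00:03|HomeNet|OPEN|6
de:ad:be:ef:00:03|Airport_Guest|OPEN|6
"""

# Inventory of what the site legitimately broadcasts (constructed).
KNOWN_NETWORKS = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                 "security": "WPA2"},
}


def parse_scan(text):
    """One dict per advertised (bssid, ssid) pair."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, security, channel = line.split("|")
        rows.append({"bssid": bssid.lower(), "ssid": ssid,
                     "security": security, "channel": int(channel)})
    return rows


def find_evil_twins(rows, known):
    """BSSIDs advertising one of our SSIDs that are not in the inventory, or
    that offer weaker security than the real network. Returns bssid -> reasons."""
    findings = {}
    for r in rows:
        profile = known.get(r["ssid"])
        if profile is None:
            continue   # not our name; impersonation of other names is KARMA territory
        reasons = []
        if r["bssid"] not in profile["bssids"]:
            reasons.append("unknown BSSID for " + r["ssid"])
        if r["security"] != profile["security"]:
            reasons.append(f"security {r['security']} instead of {profile['security']}")
        if reasons:
            findings.setdefault(r["bssid"], []).extend(reasons)
    return findings


def find_karma_responders(rows, min_ssids=3):
    """BSSIDs seen advertising at least `min_ssids` distinct SSIDs. A KARMA
    responder answers whatever name clients probe for, so it shows up as one
    radio claiming many unrelated networks at once."""
    per_bssid = defaultdict(set)
    for r in rows:
        per_bssid[r["bssid"]].add(r["ssid"])
    return {b: sorted(s) for b, s in per_bssid.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    for bssid, reasons in find_evil_twins(rows, KNOWN_NETWORKS).items():
        print("evil twin candidate", bssid, "->", "; ".join(reasons))
    for bssid, ssids in find_karma_responders(rows).items():
        print("KARMA-style responder", bssid, "advertising", ssids)
```

The KARMA threshold needs tuning per site: legitimate controllers commonly broadcast a corporate and a guest SSID from one radio, so the check is strongest when the extra names are ones the site never uses. On the client side the exposure comes from saved open networks that auto-join; removing those profiles and disabling auto-connect for open SSIDs takes the bait away.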


9. Rogue DHCP Attack

Type: Network Manipulation Attack
Description:

  • The attacker sets up a rogue DHCP server on the network to assign fake IP configurations to clients.
  • Victims unknowingly use the attacker's gateway, enabling MITM attacks and DNS hijacking.

Tools Used: Bettercap, Yersinia
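A monitor for the rogue DHCP case, as an added example that is not part of this wiki. It reads a constructed log of DHCPOFFER messages seen on a segment (the log format, addresses and MACs are invented for the example) and flags offers that come from a server not in the authorized list, that use an authorized server address from the wrong MAC, or that hand out a gateway or DNS server the site does not trust. The switch-level control that prevents the attack outright is DHCP snooping, which drops server messages on untrusted ports; this monitor is the detection layer for segments where that is not available.

```python
# Constructed DHCPOFFER log, one line per offer observed on the wire (not real data).
# Offer 1 is the legitimate server; offer 2 is a rogue server; offer 4 spoofs the
# legitimate server's IP from another MAC and redirects DNS.
SAMPLE_OFFERS = """\
1700000000 OFFER server=192.168.1.1 srcmac=aa:bb:cc:00:00:10 yiaddr=192.168.1.50 router=192.168.1.1 dns=192.168.1.1
1700000001 OFFER server=192.168.1.254 srcmac=de:ad:be:ef:00:10 yiaddr=192.168.1.51 router=192.168.1.254 dns=192.168.1.254
1700000002 OFFER server=192.168.1.1 srcmac=aa:bb:cc:00:00:10 yiaddr=192.168.1.52 router=192.168.1.1 dns=192.168.1.1
1700000003 OFFER server=192.168.1.1 srcmac=de:ad:be:ef:00:10 yiaddr=192.168.1.53 router=192.168.1.1 dns=10.9.9.9
"""

# Site inventory (constructed): authorized DHCP servers keyed by IP with the
# MAC they are expected to send from, plus the gateways and resolvers clients
# should ever be told to use.
AUTHORIZED_SERVERS = {"192.168.1.1": "aa:bb:cc:00:00:10"}
TRUSTED_GATEWAYS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}


def parse_offers(text):
    """Parse 'ts OFFER k=v k=v ...' lines into dicts; other message types are skipped."""
    offers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "OFFER":
            continue
        rec = {"ts": int(parts[0])}
        for kv in parts[2:]:
            key, value = kv.split("=", 1)
            rec[key] = value
        offers.append(rec)
    return offers


def find_rogue_offers(offers, servers=AUTHORIZED_SERVERS,
                      gateways=TRUSTED_GATEWAYS, dns=TRUSTED_DNS):
    """Return (timestamp, server, reasons) for every offer that fails a check."""
    rogue = []
    for o in offers:
        reasons = []
        expected_mac = servers.get(o["server"])
        if expected_mac is None:
            reasons.append("unauthorized server address")
        elif expected_mac != o["srcmac"].lower():
            reasons.append("authorized server address from unexpected MAC")
        if o["router"] not in gateways:
            reasons.append("gateway redirected to " + o["router"])
        if o["dns"] not in dns:
            reasons.append("DNS redirected to " + o["dns"])
        if reasons:
            rogue.append((o["ts"], o["server"], reasons))
    return rogue


if __name__ == "__main__":
    for ts, server, reasons in find_rogue_offers(parse_offers(SAMPLE_OFFERS)):
        print(f"{ts} offer from {server}: " + "; ".join(reasons))
```

The MAC check matters because a rogue server can claim the real server's IP address in its offer; tying each authorized address to the interface it is expected to speak from catches that spoof, as the fourth sample line shows.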


10. WPS PIN Brute-force Attack

Type: WPS Exploit
Description:

  • Many routers support WPS PIN authentication, in which access is granted by an 8-digit numerical PIN that can be brute-forced.
  • Once the PIN is cracked, the WPA2 password can be retrieved instantly.
  • Some routers have lockout mechanisms, but many remain vulnerable.

Tools Used: Reaver, Bully
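Most of the techniques on this page are ruled out by access-point configuration, so here is a configuration audit as an added example that is not part of this wiki. It parses hostapd-style key=value configs and flags the settings each section exploits: WEP keys (sections 1 and 2), WPS enabled or a static AP PIN (sections 3 and 10), Protected Management Frames not required (section 4), and WPA2-PSK without SAE (sections 6 and 7). The option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, wps_state, ap_pin, wep_default_key, wep_key0, sae_password) are real hostapd options; the three configs themselves are constructed, and the passphrases in them are placeholders.

```python
# Constructed hostapd.conf fragments (not from any real deployment).
WEP_CONF = """\
interface=wlan0
ssid=CorpWiFi
channel=6
wep_default_key=0
wep_key0=123456789A
"""

WEAK_WPA2_CONF = """\
interface=wlan0
ssid=CorpWiFi
channel=6
wpa=2
wpa_passphrase=example-passphrase-placeholder
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wps_state=2
ap_pin=12345670
ieee80211w=0
"""

HARDENED_CONF = """\
interface=wlan0
ssid=CorpWiFi
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=example-passphrase-placeholder
ieee80211w=2
wps_state=0
"""


def parse_hostapd(text):
    """key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text):
    """Return (code, explanation) findings, one per weak setting found."""
    cfg = parse_hostapd(text)
    findings = []
    if "wep_key0" in cfg or "wep_default_key" in cfg:
        findings.append(("WEP", "WEP keys configured; ChopChop and fragmentation attacks recover traffic and key"))
    wpa = cfg.get("wpa", "0")
    if wpa == "0":
        return findings          # remaining checks only apply to WPA/WPA2 networks
    if wpa != "2":
        findings.append(("WPA1", f"wpa={wpa} permits WPA (TKIP-era) associations"))
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(("TKIP", "TKIP pairwise cipher enabled"))
    if cfg.get("wps_state", "0") != "0":    # hostapd default: WPS disabled
        findings.append(("WPS", f"wps_state={cfg['wps_state']} exposes PIN brute force and Pixie-Dust"))
        if "ap_pin" in cfg:
            findings.append(("WPS_STATIC_PIN", "static ap_pin configured; a recovered PIN stays valid"))
    pmf = cfg.get("ieee80211w", "0")        # 0 disabled, 1 optional, 2 required
    if pmf != "2":
        findings.append(("NO_PMF", f"ieee80211w={pmf}: forged deauth/disassoc frames are accepted"))
    key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()
    if "WPA-PSK" in key_mgmt and "SAE" not in key_mgmt:
        findings.append(("PSK_ONLY", "WPA2-PSK only: PMKID/handshake captures crack offline; passphrase strength is the sole defense"))
    return findings


if __name__ == "__main__":
    for name, conf in (("WEP", WEP_CONF), ("weak WPA2", WEAK_WPA2_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", [code for code, _ in audit_hostapd(conf)] or "no findings")
```

The hardened fragment is the shape that removes every attack on this page from the AP side at once: WPA3-SAE (wpa_key_mgmt=SAE) leaves nothing crackable offline, CCMP only, PMF required (ieee80211w=2, which hostapd also mandates for SAE), and WPS off. Where legacy clients force WPA2-PSK, the audit's PSK_ONLY finding is the reminder that passphrase length is doing all the work.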

