Wireless Network Attacks: WEP, WPA, WPA2, WPA3 and Rogue Access Points
WEP RC4 cracking, WPA2 PMKID and KRACK, WPA3 Dragonblood, evil-twin and captive-portal phishing, NFC and QR fraud, IMSI catchers and the Indian wireless threat landscape.
Wireless network attacks exploit weaknesses in the air interface, where no physical cable connection is required to intercept or inject traffic. WEP was cryptographically broken by the PTW attack in 2007 and remains crackable in under 15 minutes on a busy network. WPA2 is vulnerable to offline dictionary attacks against the 4-way handshake and, since 2018, to the clientless PMKID attack; WPA3's SAE (Dragonfly) handshake is resistant to offline guessing but was found vulnerable to timing and cache side channels in the Dragonblood disclosure of 2019. Rogue access points and evil-twin captive portals require no sophisticated hardware and have been documented at Indian airports and metro stations in campaigns linked to downstream UPI fraud.
Every major wireless protocol since 1997 has contained at least one exploitable cipher flaw. WEP fell to FMS in 2001, to KoreK in 2004, and was finished by PTW in 2007. WPA-TKIP fell to Beck-Tews in 2008. WPA2 was affected by KRACK in 2017 and by the PMKID handshake-less attack in 2018. WPA3 was found vulnerable to Dragonblood in 2019. The air interface remains the lowest-friction attack surface because no physical cable connection is required, and each generation's specification has lagged behind published attack research.
Key takeaways
- WEP was effectively broken by the PTW attack in 2007, WPA-TKIP fell to Beck-Tews in 2008, WPA2 was attacked by KRACK in 2017 and by the PMKID handshake-less method in 2018, and WPA3 lost its first round to Dragonblood in 2019.
- A Wi-Fi monitor-mode capture carries up to four address fields per frame, and an examiner who cannot read the BSSID, ESSID, source MAC, and destination MAC will misattribute the access point and potentially the suspect.
- Rogue access points and evil-twin attacks are documented at Indian airports and metro stations, and the attack requires no physical cable connection, making the air interface the easiest entry point for a network attacker.
- The Aircrack-ng and hashcat tool chains are the standard named in the Indian digital forensics syllabus for wireless credential recovery, and an examiner is expected to know their workflow by name.
- Cellular-layer attacks including IMSI catchers and forced 4G-to-2G downgrades bridge the wireless attack surface into mobile forensics, because the downgrade exposes the subscriber to weaker encryption on the GSM air interface.
This topic covers the Indian wireless threat surface: protocol weaknesses from WEP through WPA3, the Aircrack-ng and hashcat workflows examiners are expected to know by name, rogue-AP and evil-twin tradecraft as seen at Indian airports and metro stations, NFC and QR attacks that dominate Indian high-street fraud filings, and the cellular-layer attacks (IMSI catchers, 4G to 2G downgrade) that bridge into mobile forensics. Cross-link references run to computer networking fundamentals, network attacks, live packet capture and mobile network attacks.
By the end of this topic you will be able to:
- Identify the structural flaw in each Wi-Fi generation (WEP IV-reuse, WPA2 handshake dictionary, WPA3 Dragonblood side channels) and name the specific CVE or attack paper responsible.
- Trace the Aircrack-ng and hashcat workflows for WEP, WPA2 handshake, and PMKID capture-to-crack chains, including the tool command and hashcat mode for each.
- Distinguish a rogue AP from an evil-twin, describe how captive-portal phishing operates at a public venue, and identify the WIDS indicators an operator uses to detect both.
- Explain how WPS PIN splitting reduces the brute-force space and differentiate the online Reaver attack from the offline Pixie Dust attack.
- Describe how an IMSI catcher forces a 4G-to-2G downgrade and why the GSM one-way authentication model makes the downgraded connection exploitable.
- BSSID / ESSID: BSSID is the MAC address of the access point (or virtual AP). ESSID is the human-readable network name broadcast in beacons. Multiple BSSIDs can share one ESSID in an enterprise WLAN; an evil twin reuses the ESSID with a different BSSID.
- 4-way handshake: The WPA/WPA2 key-establishment exchange between client and AP. Captured frames let an offline dictionary attack recover a weak PSK. WPA3 replaces this with SAE (Dragonfly), which is resistant to offline guessing.
- PMKID attack: A 2018 technique by Jens Steube (hashcat author) that derives the Pairwise Master Key Identifier from a single EAPOL frame the AP advertises, removing the need to capture a client handshake. Hashcat mode -m 16800.
- KRACK: Key Reinstallation Attack, CVE-2017-13077, disclosed by Mathy Vanhoef in 2017. By replaying message 3 of the 4-way handshake, the client is forced to reinstall an already-in-use key, resetting the packet number and exposing traffic to keystream reuse.
- Evil twin: A rogue AP broadcasting the same ESSID as a legitimate network at a stronger signal, so clients with cached profiles auto-associate. Often paired with a captive portal that phishes the corporate or hotel password.
- IMSI catcher: A device (commercially named Stingray, KingFisher, or built from a USRP plus open-source code) that impersonates a cellular base station and forces nearby phones to attach so their IMSI and IMEI can be logged. Often combined with a forced 4G to 2G downgrade.
Wi-Fi primer: BSSID, ESSID, channels and bands
A Wi-Fi capture is only useful to an examiner who can read the addressing. Each frame in a monitor-mode capture carries up to four address fields: the source MAC, the destination MAC, the BSSID (the AP's MAC), and a fourth address used only in wireless distribution system frames. The BSSID is the anchor: every association, authentication and data frame in a basic service set names that BSSID. The ESSID is the readable network name and appears in beacon frames roughly ten times a second.
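Reading the address slots the way this paragraph describes, as an added example that is not part of the original page: the function picks DA, SA and BSSID out of Addr1 to Addr4 according to the ToDS/FromDS flags in the frame control field and pulls the ESSID from a beacon's SSID element. The MAC addresses and frames are constructed for the demonstration.

```python
"""Resolve the four 802.11 address slots of a monitor-mode frame.
Added example, not code from the original page; the sample frames below
are constructed, and any radiotap header is assumed already stripped."""
import struct
from typing import Optional

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_BEACON = 8

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def beacon_essid(body: bytes) -> Optional[str]:
    """Return the SSID information element (tag 0) from a beacon body."""
    pos = 12  # skip timestamp (8), beacon interval (2), capability (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None

def resolve_addresses(frame: bytes) -> dict:
    """Map Addr1..Addr4 onto DA/SA/BSSID from the ToDS/FromDS flags; reading
    Addr3 as the BSSID regardless of direction is the classic misattribution."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    info = {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds}
    if ftype == TYPE_CTRL:  # ACK/RTS/CTS: receiver address only, no BSSID
        return dict(info, ra=mac(frame[4:10]))
    if len(frame) < 24 + (6 if to_ds and from_ds else 0):
        raise ValueError("frame truncated inside the MAC header")
    a1, a2, a3 = (mac(frame[o:o + 6]) for o in (4, 10, 16))
    if ftype == TYPE_DATA and to_ds and from_ds:  # WDS: Addr4 after SeqCtrl
        info.update(ra=a1, ta=a2, da=a3, sa=mac(frame[24:30]), bssid=None)
    elif ftype == TYPE_DATA and to_ds:
        info.update(bssid=a1, sa=a2, da=a3)
    elif ftype == TYPE_DATA and from_ds:
        info.update(da=a1, bssid=a2, sa=a3)
    else:  # management frames and IBSS data: DA, SA, BSSID in order
        info.update(da=a1, sa=a2, bssid=a3)
    if ftype == TYPE_MGMT and subtype == SUBTYPE_BEACON:
        info["essid"] = beacon_essid(frame[24:])
    return info

# Constructed MACs: AP/BSSID, a client, and a wired gateway behind the AP.
AP, STA, GW = (bytes.fromhex(h) for h in ("aabbccdd0011", "02cafe123456", "0011223344ff"))

def build_beacon(bssid: bytes, essid: str, channel: int) -> bytes:
    """Constructed beacon: broadcast DA, SA=BSSID, then SSID and DS Parameter IEs."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    ies = bytes([0, len(essid)]) + essid.encode() + bytes([3, 1, channel])
    return hdr + fixed + ies

def build_data_to_ds(sta: bytes, bssid: bytes, da: bytes) -> bytes:
    """Constructed client-to-AP data frame (ToDS=1): Addr1=BSSID, Addr2=SA, Addr3=DA."""
    return b"\x08\x01\x00\x00" + bssid + sta + da + b"\x10\x00" + b"\x00" * 8
```

On a real capture, feed `resolve_addresses` the frame bytes after the radiotap header (its length is in bytes 2 to 3 of that header) and group frames by the returned BSSID rather than by Addr3.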
The 2.4 GHz band carries channels 1 through 14 (with 12, 13 and 14 restricted by region; India permits 1 through 13 under Wireless Planning and Coordination Wing rules). The 5 GHz band carries 4 non-overlapping channels in the lower UNII-1 sub-band plus more in UNII-2, UNII-2e and UNII-3, with dynamic frequency selection mandatory in the radar-sharing sub-bands. The 6 GHz band, opened in India by DoT in January 2026 for low-power indoor use, carries 59 non-overlapping 20 MHz channels.
| Band | Channels (India) | Range | Crowding |
|---|---|---|---|
| 2.4 GHz | 1 to 13 (20 MHz) | Long, wall-penetrating | Heavy: legacy clients, Bluetooth, microwaves |
| 5 GHz | 36 to 165 (with DFS gaps) | Medium, weaker through walls | Moderate, growing |
| 6 GHz (Wi-Fi 6E / 7) | 59 channels at 20 MHz (LPI only) | Short, line-of-sight strong | Sparse: Wi-Fi 6E / 7 only |
The examiner reading a capture from a Bengaluru café incident first checks the channel and band the suspect frame lives on. A capture limited to channel 6 will miss a rogue AP camped on channel 11 or on 5 GHz channel 36. The Aircrack-ng tool airodump-ng with --band abg hops across 2.4 and 5 GHz; --band g6 adds 6 GHz on supported NICs.
WEP: a cipher the standard's authors got wrong twice
WEP combines a 40-bit or 104-bit pre-shared key with a 24-bit initialisation vector to produce an RC4 keystream. The IV is sent in the clear. Two flaws compound. First, the IV space is small enough (16.7 million values) that a busy AP repeats IVs within hours. Second, the FMS attack of Fluhrer, Mantin and Shamir in 2001 showed that certain "weak" IVs leak information about the key bytes, so the attacker needs only IV reuse plus enough weak IVs to solve for the key.
KoreK improved the attack in 2004 by adding more biased-keystream observations, reducing the number of IVs needed from millions to tens of thousands. The PTW attack by Pyshkin, Tews and Weinmann in 2007 reduced the number further, to roughly 40,000 IVs for a 104-bit key with 50% success. Practical cracking time on a moderately busy AP is 5 to 15 minutes.
- `airmon-ng start wlan0`: puts the wireless interface into monitor mode. The new interface is typically named wlan0mon. Disables NetworkManager handlers that fight monitor mode.
- `airodump-ng --bssid <ap> -c <ch> -w cap wlan0mon`: captures all frames on the target BSSID and channel into cap-01.cap. The #Data column rises as IVs accumulate. Target 40,000 to 100,000 data frames.
- `aireplay-ng -3 -b <ap> -h <my-mac> wlan0mon`: ARP request replay attack. The tool listens for an ARP request, then re-injects it indefinitely. The AP responds to each injection, generating a fresh IV per response and accelerating capture from hours to minutes.
- `aircrack-ng cap-01.cap`: runs FMS plus KoreK plus PTW against the captured IVs. Output prints the recovered key bytes once enough IVs accumulate. Re-run periodically while airodump-ng is still capturing.
The Indian anchor here is the long tail of legacy hardware. In 2024 a state SFSL audit of municipal Wi-Fi deployments in a Tier-2 city in Maharashtra found 47 routers still configured for WEP behind retail counters and small clinics. These are not academic targets; the same routers were named in three FIRs as the pivot point for downstream financial fraud. WEP cracking remains a recurring scenario in forensic lab assessments.
WPA, WPA2 and PMKID: dictionary attacks against the handshake
WPA-PSK introduced TKIP, which wraps RC4 with a per-packet keying function and a Michael MIC. The MIC plus per-packet keys closed the IV-reuse hole that finished WEP, but the password-based key derivation (PBKDF2-HMAC-SHA1 with 4096 iterations and the ESSID as salt) is still attackable offline once the 4-way handshake is captured. WPA2-PSK kept the same handshake but replaced TKIP and Michael with AES-CCMP. The dictionary attack against the handshake works against both.
The handshake capture is straightforward. airodump-ng on the target channel logs all frames; an aireplay-ng -0 deauthentication burst forces an existing client to re-associate, producing a fresh handshake. The capture is then run through aircrack-ng -w wordlist.txt cap.cap for CPU-bound cracking, or converted with hcxpcapngtool and run through hashcat -m 22000 for GPU-accelerated cracking at hundreds of thousands of guesses per second on a single consumer GPU.
The PMKID attack changes the economics. Jens Steube, hashcat's lead developer, showed in August 2018 that many APs leak a Pairwise Master Key Identifier in the first EAPOL frame of any association attempt, without a client ever completing the handshake. hcxdumptool requests the PMKID from the target AP directly; no client is required. The PMKID is fed to hashcat -m 16800 (modern: -m 22000 with the unified format) for the same offline dictionary attack.
WPA2-Enterprise uses 802.1X with a RADIUS server instead of a shared PSK. Each user authenticates with an EAP method (EAP-TLS, PEAP-MSCHAPv2, EAP-TTLS). The handshake-capture attack does not apply, but EAP relay attacks do: a rogue AP using eaphammer or hostapd-wpe impersonates the corporate ESSID, accepts the client's EAP exchange, and either harvests the MSCHAPv2 challenge-response for offline cracking or relays the credentials to the real RADIUS server. Certificate validation on the client side is the only defence; clients that do not pin the corporate CA are exploitable on first connection.
In a 2024 red-team exercise documented by an Indian BFSI SOC team in Mumbai, an eaphammer-driven rogue AP harvested 41 MSCHAPv2 hashes from corporate laptops at a nearby coffee shop in under 90 minutes. None of the laptops had certificate pinning configured. Cross-link to live packet capture for the post-capture analysis side of the same exercise.
KRACK, Dragonblood and WPA3 SAE
KRACK, disclosed by Mathy Vanhoef in October 2017 as CVE-2017-13077 (and a family of related CVEs), targets the 4-way handshake itself rather than the password. Message 3 of the handshake confirms the Pairwise Transient Key. If the attacker replays message 3, a compliant client reinstalls the same PTK and resets its packet number counter, which under CCMP means the same keystream is reused for different plaintexts. The attacker can then recover plaintext bytes without ever knowing the PSK. The bug affected every WPA2 client implementation that followed the standard literally, with Android 6 and Linux's wpa_supplicant 2.4 to 2.6 hit hardest because their re-association behaviour zeroed the key on reinstall.
WPA3, ratified in 2018, replaced the 4-way handshake's password-based key derivation with Simultaneous Authentication of Equals (SAE), also known as Dragonfly. SAE is a balanced password-authenticated key exchange built on elliptic-curve Diffie-Hellman. The protocol is designed so an offline dictionary attack against a captured exchange yields no useful information about the password.
Dragonblood, disclosed by Vanhoef and Eyal Ronen in April 2019, broke that promise in three ways. CVE-2019-9494 is a timing side channel in the hash-to-curve operation that leaks information about the password to a co-located attacker. CVE-2019-9495 is a cache side channel against the same primitive. The companion CVEs cover downgrade attacks where a hybrid AP accepts both SAE and the legacy PSK exchange and an attacker forces the client to negotiate the weaker option.
| Generation | Cipher | Key exchange | Major break |
|---|---|---|---|
| WEP | RC4 with 24-bit IV | Pre-shared key | FMS 2001, KoreK 2004, PTW 2007 |
| WPA-PSK | TKIP plus Michael MIC | 4-way handshake | Beck-Tews 2008 (partial), dictionary on weak PSK |
| WPA2-PSK | AES-CCMP | 4-way handshake | Dictionary on weak PSK; PMKID 2018; KRACK 2017 |
| WPA2-Enterprise | AES-CCMP | 802.1X / EAP | EAP relay via rogue AP; MSCHAPv2 offline crack |
| WPA3-Personal | AES-CCMP / GCMP | SAE (Dragonfly) | Dragonblood CVE-2019-9494 et al. |
| WPA3-Enterprise 192-bit | GCMP-256 | 802.1X with stronger EAP | Implementation downgrade flaws |
"WPA3" on a router admin page does not by itself indicate a hardened configuration. The implementation must be patched against the Dragonblood family and configured in WPA3-only (not WPA2/WPA3 transition) mode for the strongest posture. Patched OpenWrt and patched vendor firmware (Cisco, Aruba, Ubiquiti) have shipped Dragonblood mitigations since mid-2019.
Rogue APs, evil twins and captive-portal phishing
A rogue AP is any access point on or near the target network that the network operator did not authorise. An evil twin is a rogue AP that replicates a legitimate ESSID. Most consumer and corporate clients auto-associate with a saved ESSID when it appears at sufficient signal strength, without verifying the BSSID or AP certificate. An attacker broadcasting a known ESSID at higher transmit power than the legitimate AP will attract clients silently.
The capture pattern at an Indian airport or metro station typically runs as follows. The attacker brings up a portable AP (Wi-Fi Pineapple, an OpenWrt mini-router, or a laptop with hostapd) on the same ESSID as the venue's free Wi-Fi. The first HTTP request from any associated client is intercepted by a captive portal that imitates the venue's branding. The portal asks for the user's email and phone, sometimes for a corporate single sign-on, sometimes for the user's existing bank or wallet credentials in a "verify before browsing" prompt. The credentials are logged; the user is then released to the real internet via the attacker's uplink.

CERT-In's wireless advisory from late 2024 named a sustained campaign of evil-twin captive portals at Delhi, Bengaluru and Hyderabad metro stations, with credential harvests linked downstream to UPI fraud and SIM-swap requests. The advisory recommends disabling auto-join for public Wi-Fi, treating any captive portal that asks for OTP as hostile, and using a VPN for any session on a venue network. SSL stripping on plain HTTP and HSTS bypass via crafted redirects are the post-association layer; the cross-link to network attacks covers the wired-side parallels.

Defensively, the operator side wants a Wireless Intrusion Detection System. Kismet, AirMagnet and the WIDS modules built into enterprise controllers (Cisco WLC, Aruba Mobility Master) detect rogue BSSIDs by watching for a BSSID using an ESSID the operator owns from a MAC the operator did not authorise. A 6 dB signal-strength anomaly on a known ESSID is the standard alert trigger.
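The two alert conditions described above, as an added example that is not Kismet's, AirMagnet's or any controller's code: a small rule set over decoded beacon observations flags an owned ESSID beaconed from an unauthorised BSSID (rogue or evil twin) and a 6 dB RSSI deviation on a known BSSID, plus the inverse case of an operator-owned radio advertising a name that was never configured. The inventory, baselines and observations are constructed.

```python
"""WIDS rules over decoded beacon observations: owned ESSID from an
unauthorised BSSID (rogue / evil twin), a known BSSID whose RSSI moves
6 dB or more off baseline, and an owned radio beaconing a foreign ESSID.
Added example, not the page's or any vendor's logic; all data constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

RSSI_ANOMALY_DB = 6  # the page's standard alert threshold on a known ESSID

@dataclass(frozen=True)
class Beacon:
    bssid: str    # transmitter MAC (Addr2 == Addr3 in a beacon)
    essid: str    # SSID information element
    channel: int  # DS Parameter Set element
    rssi: int     # dBm as reported by the sensor's radiotap header

@dataclass
class Inventory:
    owned: Dict[str, Set[str]]     # ESSID -> BSSIDs the operator deployed
    baseline_rssi: Dict[str, int]  # authorised BSSID -> expected dBm at this sensor

def evaluate(beacons: List[Beacon], inv: Inventory) -> List[str]:
    """Return one alert line per suspicious beacon; an empty list means clean."""
    alerts = []
    for b in beacons:
        bssid = b.bssid.lower()
        if b.essid not in inv.owned:
            if bssid in inv.baseline_rssi:  # our radio, a name we never configured
                alerts.append(f"ESSID-MISMATCH {bssid} advertising {b.essid!r}")
            continue  # a neighbour's network: not ours to police
        if bssid not in inv.owned[b.essid]:
            alerts.append(f"EVIL-TWIN {b.essid!r} from unauthorised BSSID {bssid} on ch{b.channel}")
            continue
        delta = b.rssi - inv.baseline_rssi[bssid]
        if abs(delta) >= RSSI_ANOMALY_DB:
            # Right MAC, wrong power: a spoofed BSSID nearer the sensor, or a moved AP.
            alerts.append(f"RSSI-ANOMALY {bssid} {delta:+d} dB from baseline on ch{b.channel}")
    return alerts

# Constructed inventory for a venue network with two authorised radios.
INVENTORY = Inventory(
    owned={"Metro_FreeWiFi": {"aa:bb:cc:dd:00:11", "aa:bb:cc:dd:00:12"}},
    baseline_rssi={"aa:bb:cc:dd:00:11": -62, "aa:bb:cc:dd:00:12": -70},
)

# Constructed observations from one sensor sweep.
SAMPLE = [
    Beacon("aa:bb:cc:dd:00:11", "Metro_FreeWiFi", 6, -63),    # normal
    Beacon("aa:bb:cc:dd:00:12", "Metro_FreeWiFi", 36, -71),   # normal
    Beacon("02:13:37:00:be:ef", "Metro_FreeWiFi", 11, -41),   # evil twin, loud
    Beacon("AA:BB:CC:DD:00:11", "Metro_FreeWiFi", 6, -48),    # our BSSID, +14 dB
    Beacon("5e:00:00:00:00:01", "Coffee_Guest", 1, -80),      # unrelated neighbour
    Beacon("aa:bb:cc:dd:00:12", "Free_WiFi_Login", 36, -70),  # our MAC, foreign ESSID
]
```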
NFC, QR, WPS and the cellular bridge
WPS, Wi-Fi Protected Setup, was meant to make residential pairing easier and turned out to make residential cracking trivial. The 8-digit PIN is checked as two 4-digit halves, so the search space collapses from 10^8 to 10^4 plus 10^4. Reaver implemented the online attack in 2011. Dominique Bongard's Pixie Dust attack in 2014 exploited weak PRNG seeding in many Broadcom and Realtek chipsets to recover the PIN offline from a single exchange. reaver -K 1 and bully implement Pixie Dust. The recommended posture is to disable WPS entirely; many Indian ISP-supplied routers ship with it on by default.
NFC vulnerabilities cluster around card cloning and relay. Proxmark3 and the open-source Flipper Zero will read most MIFARE Classic and many MIFARE DESFire (with key recovery for weak deployments) tags and emulate them back. Indian transit cards using older MIFARE Classic (some legacy Bengaluru and Delhi metro card generations) have been documented as cloneable in research papers; modern deployments have moved to DESFire EV2 or EV3 with stronger key management. Malicious NFC tag URLs, sticker tags placed on top of legitimate venue tags, redirect a tap to a phishing URL.
QR code attacks dominate the Indian fraud filings list. Three patterns matter. First, malicious QR redirecting to phishing or malware: the user trusts a QR on a poster more than a typed URL. Second, physical QR replacement (QRJacking): a fraudster prints a UPI QR with their VPA over a shopkeeper's legitimate code at the counter; customers scan and pay the fraudster instead of the shop. Third, UPI request-money QR confusion: the victim is sent a "scan to receive" QR that is actually a "scan to pay" request. NPCI advisories in 2023 and 2024 named QRJacking specifically and recommended laminated, single-print QRs with the merchant's name printed prominently above the code.
The cellular bridge is where wireless forensics meets mobile forensics. IMSI catchers (commercially Stingray, KingFisher; research-grade with a USRP plus srsRAN or YateBTS) impersonate a base station, force nearby phones to attach, log the IMSI and IMEI, and frequently downgrade the connection from 4G or 5G to 2G where the lack of mutual authentication lets the attacker intercept calls and SMS. The 4G to 2G downgrade is the practical lever: 2G GSM authenticates the network only via a one-way challenge, so a rogue 2G base station is trusted by default. Diameter protocol attacks at the operator core layer are out of scope for the air-interface examiner but show up in coordinated SIM-swap operations.
SIM swap fraud uses the cellular ID layer rather than the radio layer: the attacker convinces the carrier to port the victim's number to a SIM the attacker controls. Fuller coverage lives at /topics/digital-forensics/wireless-and-mobile-network-attacks-sim-swap-nfc-qr.
An examiner captures a WPA2 4-way handshake and wants to crack it at maximum speed on a single GPU. The correct tool plus mode is:
Frequently asked questions
Why does WEP still appear in Indian municipal and small-business networks despite being broken for 20 years?
Is WPA2 still safe to use in 2026 with a strong PSK?
What does Dragonblood mean for an organisation that has already moved to WPA3?
Are IMSI catchers legal in India?
How should a small Indian retail business defend its UPI QR at the counter?
What is the difference between airodump-ng and Kismet for wireless triage?
Which Indian statute applies to unauthorised Wi-Fi access in a residential or commercial setting?