Threats

T1600

Wireless Attacks

A detailed guide to wireless attacks for SOC analysts — WPA2/WPA3 cracking, Evil Twin, deauthentication attacks, KRACK, Bluetooth BlueBorne, RFID cloning, and detection techniques for wireless intrusion.

View on Graph

How Wireless Attacks Work and Why They Matter

  • Wireless attacks target the radio frequency (RF) layer of network communications — 802.11 (Wi-Fi), Bluetooth, and RFID/NFC — where the transmission medium is inherently shared and unencrypted by default.
  • MITRE ATT&CK maps wireless attacks to T1600 (Weaken Encryption) with sub-techniques including T1600.002 (Disable Wi-Fi Encryption) and T1557.004 (Man-in-the-Middle via Wireless Evil Twin).
  • Wireless attacks matter because they bypass physical security controls: an attacker in the parking lot can compromise a network without ever entering the building. For SOC analysts, wireless threats often appear as network anomalies that are difficult to attribute without RF-layer telemetry.
  • The most common wireless attack categories are credential cracking (WPA2/WPA3 PSK), rogue access points (Evil Twin), denial of service (deauthentication floods), protocol attacks (KRACK), Bluetooth exploits (BlueBorne), and RFID cloning.

WPA2/WPA3 PSK Cracking

How It Works

PSK (Pre-Shared Key) cracking requires capturing the four-way handshake between a client and access point (WPA2) or the SAE handshake (WPA3), then performing an offline brute-force or dictionary attack against the passphrase.

Attack TypeHandshake CapturedRequiredCracking Method
WPA2 PSK4-way handshake (EAPOL frames)Client must attempt to connecthashcat -m 22000 or aircrack-ng against wordlist
WPA2 PMKIDPMKID from beacon frameNo client required — passive capturehashcat -m 22002 against wordlist
WPA3 SAESAE handshakeMuch harder — dictionary attacks less effectiveDragonblood attack (theoretical; practical attacks rare)

WPA2 Cracking Workflow

  1. Enable monitor mode: 
    sudo airmon-ng start wlan0
  2. Scan for target access point: 
    sudo airodump-ng wlan0mon
  3. Capture handshake (WPA2): 
    sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Force a client to reconnect (deauth attack):
sudo aireplay-ng -0 2 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon
  4. Or capture PMKID (no client needed): 
    # PMKID is in the RSN IE of the beacon frame
# Use hcxdumptool for PMKID capture:
sudo hcxdumptool -i wlan0mon --enable_status=1 -o captured.pcapng
  5. Crack offline: 
    # Convert to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap
# Crack with wordlist
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

WPA3 Considerations

WPA3 uses SAE (Simultaneous Authentication of Equals), which provides forward secrecy and is resistant to offline dictionary attacks. The Dragonblood attack (disclosed 2019) found vulnerabilities in WPA3 implementations, but practical exploitation requires a vulnerable client or AP. For most SOC environments, WPA3 is significantly more secure than WPA2-PSK.

Evil Twin — The Rogue Access Point

An Evil Twin is a rogue Wi-Fi access point that impersonates a legitimate network. The attacker broadcasts the same SSID with a stronger signal, and clients connect to the attacker’s device instead of the real AP.

Attack Flow

StepActionResult
1Deauth clients from legitimate APClients disconnect and search for the network — similar to DDoS disruption patterns
2Broadcast legitimate SSID with stronger signalClients auto-connect to the rogue AP
3MITM traffic through rogue APAll client traffic passes through attacker
4Capture or modify trafficCredentials, session tokens, sensitive data

Detection Indicators

IndicatorWhat to Look ForDetection Method
Duplicate SSID with different BSSIDTwo APs broadcasting the same SSIDWIDS scan, airodump-ng
Signal strength mismatchWeak legitimate AP, strong rogue AP near perimeterPhysical site survey, WIPS
Rogue AP MAC OUIMAC address does not match known AP hardware vendorMAC OUI lookup
Deauth flood before rogue appearsHigh rate of deauth packets followed by new APWIDS deauth rate alert
Rogue AP channelRogue broadcasts on a non-standard or different channelChannel monitoring
Rogue AP beacon intervalNon-standard beacon interval (default is 100ms)Beacon interval analysis

SPL — Deauth Flood Detection

index=network sourcetype=wids
| search attack_type="deauth"
| stats count, values(src_mac) as Deauth_Sources by dst_mac, _time
| where count > 100
| eval alert = "DEAUTH FLOOD — " . count . " deauth packets sent to " . dst_mac . " from " . mvjoin(Deauth_Sources, ", ")
| table _time, dst_mac, count, alert
| sort - count

Deauthentication Attacks

Deauth attacks send forged deauthentication frames to disconnect clients from an AP. The attack is trivial because deauth frames in 802.11 (prior to 802.11w-2009) are unencrypted management frames.

Impact

EnvironmentImpactSeverity
Enterprise with 802.11wProtected Management Frames (PMF) prevent deauth spoofingLow — must use other methods
Enterprise without 802.11wClients can be disconnected at willHigh — can be used to force fallback to C2 channels
Home/SOHONo protection against deauthCritical
IoT devicesMany IoT devices don’t support PMFCritical — attackers can force offline behavior

Detection

index=network sourcetype=wids
| search frame_type="management" AND subtype="deauthentication"
| stats count, values(src_mac) as Sources by dst_mac
| where count > 50 AND mvcount(Sources) < 3
| eval alert = "DEAUTH FLOOD from " . mvjoin(Sources, ", ") . " targeting " . dst_mac
| table _time, dst_mac, Sources, count, alert

KRACK — Key Reinstallation Attack

KRACK (Key Reinstallation Attack, disclosed 2017) exploits a vulnerability in the WPA2 four-way handshake where an attacker forces the client to reinstall an already-in-use key, resetting the nonce and replay counter. This allows decryption of subsequent packets.

AspectDetail
CVECVE-2017-13077 through CVE-2017-13088
Affected protocolWPA2 (four-way handshake, group key handshake, Fast BSS Transition)
ImpactAttacker can decrypt, replay, and forge packets
FixPatch the client and AP — most vendors released patches in 2017-2018
Current statusWidely patched but unpatched IoT devices remain vulnerable
DetectionRepeated EAPOL message 3 retransmissions in short timeframe

Detection — repeated EAPOL frames (possible KRACK exploitation):

index=network sourcetype=wids
| search frame_type="EAPOL"
| stats count by src_mac, dst_mac
| where count > 10 AND count < 50
| eval alert = "Repeated EAPOL frames from " . src_mac . " to " . dst_mac . " — possible KRACK attempt"
| table _time, src_mac, dst_mac, count, alert

BlueBorne — Bluetooth Exploitation

BlueBorne is a set of 8 Bluetooth vulnerabilities disclosed in 2017 that affect Android, iOS, Windows, and Linux devices. The critical difference from other Bluetooth attacks: BlueBorne works without pairing, and the target device does not need to be in discoverable mode.

CVEComponentImpactAffected Platforms
CVE-2017-0781Android Bluetooth stackRCEAndroid 4.4 - 8.0
CVE-2017-8628Windows Bluetooth stackRCEWindows 7 - 10
CVE-2017-14315iOS Bluetooth stackRCEiOS 9.3.5, 10.3.3
CVE-2017-1000251Linux BlueZ kernel stackRCELinux kernel 3.x - 4.14
CVE-2017-0785Android Bluetooth info leakInformation disclosureAndroid 4.4 - 8.0

Detection

IndicatorWhat It Looks Like
Unusual Bluetooth traffic volumeBluetooth packets from devices that never normally use Bluetooth
BT traffic when Bluetooth should be offDevices with Bluetooth disabled transmitting
Multiple Bluetooth probes to the same deviceRepeated L2CAP echo requests from different BT MACs
Process monitoringbtusb.sys (Windows), bluetoothd (Linux) showing unusual CPU or memory

RFID Cloning

RFID cloning copies the data from a low-frequency (125 kHz) or high-frequency (13.56 MHz) RFID tag to a programmable blank tag, allowing the attacker to impersonate the legitimate credential.

Tag TypeFrequencyCloning DifficultyTypical Use
EM4100 / EM4x125 kHzTrivial — read and replayOlder access control badges
MIFARE Classic13.56 MHzEasy — CRYPTO1 cipher brokenWidespread access control, transit cards
MIFARE DESFire13.56 MHzDifficult — AES encryptedModern access control
HID iCLASS13.56 MHzModerate — requires specialized reader/writerEnterprise access control
NFC (NDEF)13.56 MHzTrivial — simple read/writePayment, phone-based access

Detection

Detection MethodWhat It Catches
Two-factor authenticationBadge + PIN — cloned badge alone doesn’t work
AntipassbackSame badge used at two doors simultaneously = duplication detected
Access pattern analysisBadge used at door at physically impossible speed
Log correlationBadge + timing + CCTV correlation

Defense in Depth for Wireless

ControlWhat It PreventsImplementation
802.11w (PMF)Deauth attacks, forged management framesEnable on all enterprise APs
WPA3-EnterprisePSK cracking, KRACKMigrate from WPA2 to WPA3
WIDS/WIPSRogue APs, deauth floodsDedicated wireless sensors or AP-based monitoring
MAC address filtering (supplemental)Guest device blockingLow-value — easily spoofed, but reduces noise; a common insider threat vector
EAP-TLS (certificate auth)Credential theft (PEAP-MSCHAPv2 is crackable)Deploy 802.1X with machine and user certificates — common in cloud hybrid deployments
Bluetooth disable policyBlueBorne, Bluetooth MITMGPO to disable Bluetooth on endpoints where not needed
Antipassback (physical)RFID clone reuseAccess control system setting
Physical site surveyRogue AP detection by walking perimeterQuarterly WIDS sweeps

Sources