Wireless network attacks constitute a critical segment of the CompTIA PenTest+ Attacks and Exploits domain, primarily focusing on exploiting the inherent vulnerabilities of radio frequency communication and authentication protocols. Because wireless signals are broadcast, attackers can intercept data without physical network access, utilizing Wi-Fi adapters in 'monitor mode' to capture packets passively.
A dominant attack vector targets the WPA/WPA2 handshake. Pentesters frequently use **Deauthentication attacks**, sending spoofed management frames to forcibly disconnect a legitimate client. When the device attempts to reconnect, the attacker captures the **4-way handshake**. This captured handshake is then subjected to offline dictionary or brute-force attacks using tools like Aircrack-ng or Hashcat to recover the pre-shared key (PSK). Legacy vulnerabilities, such as Initialization Vector (IV) attacks against WEP, are also covered conceptually.
Attackers also exploit infrastructure via **Evil Twin** attacks, where a rogue Access Point (AP) broadcasts the same SSID as a legitimate network. By overpowering the legitimate signal, the attacker tricks victims into connecting to the malicious node, facilitating Man-in-the-Middle (MitM) attacks to harvest credentials or manipulate traffic. Furthermore, vulnerabilities in **Wi-Fi Protected Setup (WPS)** allow attackers to recover network passwords rapidly via PIN brute-forcing or Pixie Dust attacks.
The domain extends beyond Wi-Fi to include Bluetooth and RFID. **Bluejacking** involves sending unsolicited messages, while **Bluesnarfing** allows for the unauthorized theft of data from a device. Pentesters must also understand **RFID/NFC cloning** attacks, where proximity cards used for physical building access are copied or replayed using tools like the Proxmark3. Effective defense relies on implementing WPA3, using Enterprise authentication (802.1X), and disabling insecure convenience features like WPS.
Mastering Wireless Network Attacks for CompTIA PenTest+
What are Wireless Network Attacks? Wireless network attacks involve exploiting vulnerabilities in wireless protocols (802.11 Wi-Fi, Bluetooth, RFID, NFC) to gain unauthorized access to a network, intercept data, or disrupt availability. Because wireless signals rely on radio waves, they are not bounded by physical walls, making them a prime target for penetration testers to gain entry from outside a building.
Why is this Important? Securing the wireless perimeter is critical because it often bypasses physical security controls. If an attacker cracks the Wi-Fi password, they are effectively inside the Local Area Network (LAN), often bypassing the firewall. Understanding these attacks allows security professionals to recommend stronger encryption protocols and better physical signal containment.
How it Works: Common Attack Vectors
1. WEP Cracking (The IV Attack) Wired Equivalent Privacy (WEP) is an obsolete protocol. It is vulnerable because it uses a short, static Initialization Vector (IV). Attackers use packet injection to generate traffic, capture a large number of IVs, and use statistical analysis to recover the key in minutes. Tool: Aircrack-ng
2. WPA/WPA2 PSK Cracking (The Handshake) WPA2 Personal uses a Pre-Shared Key (PSK). To crack this, an attacker must capture the 4-Way Handshake that occurs when a client connects to the Access Point (AP). Attackers often force this by sending Deauthentication frames (kicking a user off). Once captured, the handshake is subjected to an offline dictionary/brute-force attack. Tools: Airodump-ng (capture), Aireplay-ng (deauth), Hashcat (cracking).
3. WPS Attacks Wi-Fi Protected Setup (WPS) simplifies connecting devices but is highly vulnerable. The Pixie Dust attack can recover the PIN offline, while Reaver brute-forces the PIN online against the AP.
4. Rogue Access Points and Evil Twins A Rogue AP is an unauthorized device plugged into the wired network (e.g., an employee's router), creating a backdoor. An Evil Twin is a specific type of Rogue AP set up by an attacker that mimics the SSID and MAC address of a legitimate network to trick users into connecting, often to capture credentials via a fake captive portal (Karma attack).
5. Bluetooth Attacks Bluejacking: Sending unsolicited messages to a device (annoyance). Bluesnarfing: Unauthorized theft of data (contacts, emails) from a device.
How to Answer Questions Regarding Wireless Network Attacks
1. Identify the Standard: Look for keywords. 'IVs' = WEP. 'Handshake/Dictionary' = WPA/WPA2. 'PIN' = WPS.
2. Identify the Goal: Is the attacker trying to disrupt users (DoS/Deauth) or steal credentials (Evil Twin/Captive Portal)?
3. Select the Tool: Associate Kismet with passive sniffing/discovery and the Aircrack-ng suite with active cracking.
Exam Tips: Answering Questions on Wireless Network Attacks
Tip 1: WPA2-Enterprise vs. Personal If the scenario involves a RADIUS server, certificates, or 802.1X, it is WPA2-Enterprise. Attacks here involve setting up a malicious RADIUS server (using tools like hostapd-wpe or EAPHammer) to harvest user credentials, not just a PSK.
Tip 2: Deauthentication is Key Remember that to crack WPA2, you usually need to force a user to reconnect. If a question asks how to accelerate the capture of a handshake, look for 'Deauthentication Attack' or 'Aireplay-ng'.
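A defender-side check for the deauthentication attacks described in item 2 and Tip 2, as an added example that is not part of the original notes: it parses raw 802.11 deauthentication/disassociation frames (the form a monitor-mode capture delivers them in) and alerts when one BSSID emits a burst of them, something a healthy AP does not do. All frames, MAC addresses, timestamps and the threshold are constructed for the demo.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA  # 802.11 management subtypes (frame type 0)

def parse_mgmt(frame):
    """Return (subtype, receiver, transmitter, bssid, reason) for a
    deauth/disassoc frame, or None for any other frame."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    reason = struct.unpack_from("<H", frame, 24)[0]   # first body field
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_deauth_flood(capture, window=5.0, threshold=10):
    """capture: iterable of (timestamp_s, raw_frame). Alerts once per BSSID
    when more than `threshold` deauth/disassoc frames arrive within
    `window` seconds. Legitimate APs send these rarely and never in bursts."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        subtype, dst, _src, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "at": ts,
                           "target": dst, "reason": reason,
                           "kind": "deauth" if subtype == DEAUTH else "disassoc"})
    return alerts

def _frame(subtype, dst, src, bssid, reason, seq=0):
    """Constructed in-memory sample frame for the demo (never transmitted)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([subtype << 4, 0, 0, 0]) + mac(dst) + mac(src) + mac(bssid)
            + struct.pack("<HH", seq << 4, reason))

AP, STA, BCAST = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = (
    [(0.0, _frame(DEAUTH, STA, AP, AP, 4))]           # one lone deauth: benign
    + [(10.0, bytes([0x08, 0]) + b"\0" * 30)]        # a data frame, ignored
    + [(100.0 + i * 0.05, _frame(DEAUTH, BCAST, AP, AP, 7, i)) for i in range(40)]
)  # 40 broadcast deauths "from" the AP in 2 s: the shape of a spoofed flood
```

Protected Management Frames (802.11w, mandatory in WPA3) make clients reject unauthenticated deauthentication frames, which is why the WPA3 recommendation above also blunts this attack rather than only the PSK cracking that follows it.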
Tip 3: Signal Strength Matters For an Evil Twin attack to be successful, the attacker's signal must usually be stronger than the legitimate AP to force the victim's device to roam to the malicious AP.
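An added example (not from the original notes) of how a wireless IDS sensor could spot the Evil Twin described in item 4 and Tip 3: each observed beacon is compared against an assumed authorized-AP inventory, so a twin using its own MAC is caught by BSSID, while a twin that also cloned the legitimate MAC is caught by channel, security and signal-strength mismatches. The SSID, MAC addresses, RSSI values and inventory are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi: int          # dBm as measured by the sensor
    security: str      # "WPA2", "WPA3", "OPEN", ...

# Assumed authorized inventory: what the WLAN controller says each AP should be.
AUTHORIZED = {
    "00:11:22:33:44:55": {"ssid": "CorpWiFi", "channel": 36,
                          "security": "WPA2", "baseline_rssi": -62},
}

def classify(beacon, authorized=AUTHORIZED, rssi_delta=15):
    """Return a list of findings for one beacon; an empty list means it
    matches the inventory fingerprint of a legitimate AP."""
    findings = []
    if beacon.ssid not in {a["ssid"] for a in authorized.values()}:
        return findings   # a neighbour's network, not our SSID
    known = authorized.get(beacon.bssid)
    if known is None:
        findings.append("unknown BSSID advertising corporate SSID (evil twin / rogue)")
        return findings
    # BSSID is genuine or cloned: check what a cloner often fails to match.
    if beacon.channel != known["channel"]:
        findings.append(f"channel mismatch: saw {beacon.channel}, expected {known['channel']}")
    if beacon.security != known["security"]:
        findings.append(f"security downgrade: saw {beacon.security}, expected {known['security']}")
    if beacon.rssi - known["baseline_rssi"] > rssi_delta:   # Tip 3: twin must be louder
        findings.append(f"RSSI {beacon.rssi} dBm far above baseline {known['baseline_rssi']} dBm")
    return findings

def scan_report(beacons, authorized=AUTHORIZED):
    """Map 'bssid/channel' -> findings for every suspicious beacon seen."""
    return {f"{b.bssid}/{b.channel}": f for b in beacons if (f := classify(b, authorized))}

SAMPLE_BEACONS = [
    Beacon("CorpWiFi", "00:11:22:33:44:55", 36, -60, "WPA2"),   # the real AP
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -35, "OPEN"),    # twin with its own MAC
    Beacon("CorpWiFi", "00:11:22:33:44:55", 6, -30, "OPEN"),    # twin that cloned the MAC
    Beacon("CoffeeShop", "66:77:88:99:aa:bb", 1, -70, "OPEN"),  # unrelated neighbour
]
```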
Tip 4: Geofencing vs. Signal Power If the question asks about mitigation for signal bleed (signals reaching the parking lot), the answer is usually adjusting Tx (Transmit) Power or antenna placement, rather than geofencing (which is a logical GPS control, not physical radio control).