Wireless & Mobile Security · beginner · ~10 min

Wireless attacks, evil twins, and hardening

Explain handshake capture, evil-twin/rogue AP, and wireless hardening (authorized only).

Overview

Conceptually: WPA2-PSK handshakes are captured (often via deauth) and cracked offline; evil-twin/rogue APs impersonate or bridge networks; guest Wi-Fi must be isolated. Hardening: WPA3/strong passphrase, no WPS, 802.1X with cert validation, WIDS, firmware/admin hygiene. Authorization is mandatory.

Why it matters

Evil twins, weak PSKs, WPS, and bridged guest networks are the real wireless findings, and the defenses (WPA3/Enterprise, isolation, no WPS, WIDS) are concrete recommendations. The legal boundary on wireless capture is strict.

Core concepts

Handshake capture. Deauth → reconnect → offline crack.
Evil twin / rogue AP. Impersonate SSID or bridge the network.
Guest isolation. Separate VLAN, client isolation.
Hardening. WPA3, no WPS, 802.1X+cert, WIDS, firmware/admin.
Legal. Explicit authorization required.

Lesson

The conceptual wireless attack surface — taught for defense and within strict authorization.

Handshake capture & cracking

For WPA2-PSK, an attacker passively waits for a client to perform the 4-way handshake (or forces one by sending a deauthentication frame so the client reconnects and re-sends it), captures it, and cracks the passphrase offline with a wordlist. Defense: a long, random passphrase (or WPA3/Enterprise).

Evil twin / rogue AP

An evil twin is a fake access point impersonating a legitimate SSID. Victims (or their devices, auto-connecting to a known SSID) associate with it, letting the attacker capture credentials or run a captive-portal phish. Rogue APs plugged into a corporate network bypass the perimeter. Defense: 802.1X with server-cert validation (so clients won't trust a fake AP), wireless intrusion detection (WIDS), and disabling auto-connect to open SSIDs.
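To make the WIDS side of this concrete, here is an added example (not part of this lesson) of the check a wireless sensor runs: observed beacons are compared against an inventory of authorized APs, and any radio that advertises a protected SSID under an unknown BSSID, a lookalike name, or a weaker security type than expected is flagged. The inventory, SSIDs and BSSIDs are constructed sample data.

```python
from dataclasses import dataclass

# Authorized AP inventory: constructed sample data, not a real network.
# For each protected SSID: the security type it must advertise and the
# BSSIDs (radio MACs) allowed to beacon it.
AUTHORIZED = {
    "Corp-WiFi":  {"security": "WPA2-EAP", "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}},
    "Corp-Guest": {"security": "WPA2-PSK", "bssids": {"aa:bb:cc:00:00:03"}},
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WPA2-PSK", "WPA2-EAP", "WPA3-SAE", ...

def _norm(ssid: str) -> str:
    # Fold trailing whitespace and case so lookalike names map onto the protected one.
    return ssid.strip().casefold()

def check_beacons(beacons, authorized=AUTHORIZED):
    """Return (bssid, reason) findings for beacons that impersonate a protected SSID."""
    protected = {_norm(s): s for s in authorized}
    findings = []
    for b in beacons:
        real = protected.get(_norm(b.ssid))
        if real is None:
            continue  # unrelated network; this check does not alert on it
        entry = authorized[real]
        if b.ssid != real:
            findings.append((b.bssid, f"lookalike SSID {b.ssid!r} mimics {real!r}"))
        elif b.bssid.lower() not in entry["bssids"]:
            findings.append((b.bssid, f"unknown BSSID advertising {real!r}"))
        if b.security != entry["security"]:
            findings.append((b.bssid, f"{real!r} advertised as {b.security}, expected {entry['security']}"))
    return findings

# Constructed beacon observations (what a monitor-mode sensor would report).
SAMPLE = [
    Beacon("Corp-WiFi", "aa:bb:cc:00:00:01", 6, "WPA2-EAP"),    # legitimate
    Beacon("Corp-WiFi", "de:ad:be:ef:00:01", 6, "OPEN"),        # evil twin: open network on an unknown radio
    Beacon("corp-wifi ", "de:ad:be:ef:00:02", 11, "WPA2-EAP"),  # lookalike name
    Beacon("Corp-Guest", "aa:bb:cc:00:00:03", 1, "WPA2-PSK"),   # legitimate
    Beacon("CoffeeShop", "11:22:33:44:55:66", 1, "OPEN"),       # unrelated, ignored
]

if __name__ == "__main__":
    for bssid, reason in check_beacons(SAMPLE):
        print(f"ALERT {bssid}: {reason}")
```

Against the sample data the evil-twin beacon produces two findings (unknown BSSID and OPEN instead of WPA2-EAP) and the lookalike name one; the legitimate and unrelated beacons produce none.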

Guest network & segmentation

Guest Wi-Fi should be isolated from the internal network (its own VLAN, client isolation) so a guest (or attacker on guest) can't reach internal systems.

Router/AP hardening

Strong WPA3/WPA2 passphrase, no WPS (PIN brute-forceable), updated firmware, changed default admin creds, management interface not exposed to Wi-Fi/WAN.

Reporting & legality

Wireless findings (WEP/weak PSK, rogue APs, guest-network bridging, WPS enabled) go in the report with the business impact. Again: only test wireless you're explicitly authorized to — capturing others' traffic is illegal.

Summary

Wireless attacks center on capturing/cracking WPA2-PSK and evil-twin/rogue APs; defenses are WPA3 or 802.1X with certificate validation, guest isolation, disabling WPS, and WIDS — all within strict, authorized scope.