How to read this catalog

This page is the index to the wireless attacks this manual covers, grouped by the layer they work against rather than by tool: attacks on the network, on the client, and on availability itself. Each entry names the attack by its technical class, the protocols it lands on, the core open-source tool that performs it, and a link to the protocol page where the full capture-to-crack workflow and the Tala WTE toggles live. Treat it as a map: find the standard you are testing, follow the link, and the protocol page gives you the exact commands. Every network referenced here is one you stand up yourself on the New Network form, so nothing in this catalog touches anything you do not own.

The single most important distinction across the whole catalog is passive versus active. Passive attacks observe; active attacks transmit. Some of the most powerful results (an offline WPA2 crack, a full WEP key) require only a brief, almost incidental active step (one deauthentication burst) before the rest is pure offline computation. For the toolset itself, see The Toolkit.

Passive and recon

Reconnaissance is entirely passive: an adapter in monitor mode captures every frame in range without ever transmitting. Everything downstream (which BSSID, which channel, which clients, whether PMF is on) comes from this first look.

  • Channel survey and target discovery - enumerate SSIDs, BSSIDs, channels, cipher suites, and associated clients; the prerequisite for every other entry. All protocols. airodump-ng. Open.
  • Passive eavesdropping - on an open network all payload is cleartext, so the capture is the attack. Open. wireshark. Open.
  • Hidden-SSID disclosure - the hidden name still appears in probe and association frames; capture a client joining and it falls out. Any protocol with the hidden flag set. airodump-ng. WPA2-Personal.
  • Probe-request fingerprinting - a client's probe requests carry information elements and sequence numbers that re-identify the device even when its MAC is randomized, the basis of venue and movement tracking. All clients. airodump-ng. See Wireless and Health for the tracking detail.

Open-network attacks

An open network provides connectivity and nothing else, which makes it the home of the classic shared-segment and impersonation attacks, none of which break any cryptography because there is none to break.

  • Rogue AP / Evil Twin - clone the SSID on a stronger signal and clients with no server-side authentication associate to you; the basis of credential-harvesting captive-portal labs. Open (and others via downgrade). hostapd plus a captive portal. Open.
  • ARP poisoning / man-in-the-middle - forged ARP replies redirect a victim's traffic through the attacker; defeated by Client Isolation. Open. bettercap. Open.
  • DNS spoofing - forged DNS answers redirect clients to attacker-controlled hosts, typically paired with a rogue AP. Open. bettercap. Open.

Client-side and rogue-AP attacks

These target the client rather than the access point: a rogue radio impersonates a network the device already trusts, or coerces an isolated client into leaking key material. They work wherever a device auto-connects or holds a saved network, and most break no cryptography at all.

  • KARMA (2004) - a rogue AP answers the directed probe requests a client uses to look for remembered networks, impersonating every SSID in the device's preferred-network list so it auto-associates. Any client that auto-joins remembered or open networks. airbase-ng -P. Open. Largely mitigated on modern clients that no longer leak the full list, and superseded by MANA.
  • MANA (2014) - SensePost's KARMA successor builds each client's network list from both broadcast and directed probes and answers both, defeating the mitigation of not naming networks in broadcast probes. Open networks (and enterprise with EAP add-ons). hostapd-mana. Open.
  • Known Beacons (2017) - rather than wait for a probe, beacon a dictionary of popular open SSIDs (for example xfinitywifi or attwifi) so any client with one of those names saved and set to auto-join connects on its own. Open networks in the saved list. wifiphisher. Open.
  • Evil-twin passphrase phishing (2015) - deauthenticate the victim, raise an open twin of the real SSID, and serve a router "firmware upgrade" page that asks for the Wi-Fi passphrase, harvesting the PSK from the user with no handshake to crack. WPA2-Personal. wifiphisher (or airgeddon). WPA2-Personal.
  • OWE-transition downgrade - an Enhanced Open network in transition mode advertises a companion open BSS in unauthenticated beacons; stand up that open twin and clients associate unencrypted, so OWE protects little more than legacy open against an active attacker. OWE. hostapd-mana. OWE.
  • Caffe Latte (2007) - recover a WEP key from an isolated client with no AP present: flip bits in a captured ARP so the client answers a flood of WEP-encrypted replies, yielding enough IVs to crack the key. WEP (client-side). airbase-ng. WEP.
  • Hirte (2008) - extends Caffe Latte with fragmentation so any packet, not just a gratuitous ARP, can coerce an isolated WEP client into generating crackable traffic. WEP (client-side). airbase-ng -N. WEP.

WEP attacks

WEP has been cryptographically dead since 2001: a 24-bit IV that repeats within hours and a forgeable CRC-32 integrity check yield total key recovery independent of key length. It exists in the manual purely to demonstrate the tooling and the lesson. Full workflow at WEP.

  • FMS statistical key recovery - the 2001 attack: weak IVs leak key bytes through the keystream. WEP. aircrack-ng. WEP.
  • PTW key recovery - the modern refinement: the key falls out of roughly 20,000 to 80,000 IVs in minutes, the default path today. WEP. aircrack-ng. WEP.
  • ARP-replay injection - replay one captured ARP frame to force IV generation at line rate, the active accelerator for the attacks above. WEP. aireplay-ng. WEP.
  • ChopChop and fragmentation - recover keystream without the key, enough to forge and inject valid packets. WEP. aireplay-ng. WEP.

WPA/WPA2 handshake and PMKID

WPA2-Personal never sends the passphrase over the air; the four-way handshake proves both sides hold the PMK derived from it, and those four EAPOL frames carry everything needed to test guesses offline. Security reduces entirely to passphrase strength. This is the highest-value lab in the manual. Full workflow at WPA2-Personal.

  • Four-way handshake offline crack - capture the EAPOL exchange, then grind a wordlist offline; the same attack applies to legacy WPA-TKIP. WPA, WPA2-Personal, the PSK side of WPA3-Transition. hashcat -m 22000. WPA2-Personal.
  • Deauthentication to force a handshake - one spoofed burst forces a reconnect on demand wherever PMF is off. WPA, WPA2-Personal, WPA3-Transition. aireplay-ng -0. WPA2-Personal.
  • Clientless PMKID capture - harvest the RSN PMKID straight from the AP's first frame, no client needed; requires the PMKID Exposed toggle, off by default. WPA2-Personal (and WPA). hcxdumptool, then hashcat -m 22000. WPA2-Personal.
  • Beck-Tews / Ohigashi-Morii TKIP injection (2008 to 2009) - the WEP ChopChop attack adapted to WPA-TKIP through 802.11e QoS queues recovers the Michael MIC key, enough to decrypt one short packet and inject a few forged ones; the 2009 variant adds a man-in-the-middle to drop the QoS requirement. Not full key recovery. WPA (TKIP). tkiptun-ng. WPA.
  • kr00k (2020) - vulnerable Broadcom and Cypress chips, on a forced disassociation, transmit still-buffered frames re-encrypted with an all-zero session key, so repeatedly disassociating a victim leaks decryptable data. WPA2-Personal, WPA2-Enterprise. CVE-2019-15126. WPA2-Personal. Patched in current firmware.
  • Hole196 (2010) - an authorized insider uses the shared group key (GTK), which carries no source-address protection, to inject forged broadcast frames and ARP-poison other clients; a one-way injection that needs valid credentials and is stopped by client isolation. WPA2. WPA2-Personal.

WPS attacks

WPS bolts a PIN-based pairing shortcut onto WPA2, and the PIN is validated as two independent halves with a checksum last digit, collapsing the search space from 10^8 to about 11,000 (10^4 for the first half plus 10^3 for the second; CERT VU#723755, 2011). Every Tala WTE WPA2 + WPS target ships a recoverable AP PIN that does not lock out. Full workflow at WPS.

  • Online PIN brute force - cycle the roughly 11,000 candidates against the live registrar; with no lockout it yields the PIN and then the passphrase. WPA2 + WPS. reaver (or bully). WPS.
  • Pixie Dust offline PIN recovery - where the registration nonces use weak randomness, the PIN is recoverable offline in seconds; enable Pixie-Dust Downgrade to practice it. WPA2 + WPS. pixiewps. WPS.

WPA3 attacks

WPA3-Personal replaces the PSK handshake with SAE (Dragonfly, RFC 7664), adding forward secrecy and resistance to the offline dictionary attack, with mandatory PMF that removes the deauth trick. What is left are implementation side-channels and, most practically, downgrade against transition mode. Full workflow at WPA3-Personal and WPA3-Transition.

  • Dragonblood timing and cache side-channel - SAE password-element derivation leaks information in early wpa_supplicant and hostapd builds (2.7 and earlier); patched in current builds. WPA3-Personal. CVE-2019-9494. wpa_supplicant. WPA3-Personal.
  • SAE confirm denial of service - an SAE Confirm processed without the expected state crashes the AP process; a denial of service, not a key compromise. WPA3-Personal. CVE-2019-9496. WPA3-Personal.
  • Dragonblood group-downgrade and clogging DoS (2019) - force SAE to negotiate a weaker group, widening the side-channel surface, and flood spoofed commit frames so the AP repeatedly computes the costly password element and exhausts itself, defeating SAE anti-clogging. WPA3-Personal. Tracked under CERT VU#871675. dragondrain. WPA3-Personal.
  • Transition-mode downgrade - suppress the WPA3 information elements so a dual-mode client falls back to WPA2-PSK, exposing the handshake to the offline crack above. WPA3-Transition. hostapd rogue plus hashcat -m 22000. WPA3-Transition.

Enterprise and RADIUS attacks

WPA2-Enterprise authenticates each user over 802.1X/EAP, with the AP forwarding credentials to a RADIUS server. The weakness is almost never the crypto and almost always the client: one that does not validate the RADIUS server certificate hands its inner credentials to whoever answers. Full workflow at WPA2-Enterprise and WPA3-Enterprise.

  • Rogue RADIUS / Evil Twin credential harvest - a cloned enterprise SSID presents a self-signed certificate; clients that skip validation complete the inner EAP exchange against the attacker. WPA2-Enterprise, WPA3-Enterprise. eaphammer (or hostapd-wpe). WPA2-Enterprise.
  • PEAP-MSCHAPv2 offline crack - a captured MSCHAPv2 inner exchange reduces to three 56-bit DES operations keyed by the NT hash, so recovering the hash cracks the password. WPA2-Enterprise. hashcat -m 5500 (or asleap). WPA2-Enterprise.
  • Blast-RADIUS - RADIUS over UDP without a Message-Authenticator is forgeable through an MD5 chosen-prefix collision, turning a reject into an accept. The RADIUS transport behind WPA2-Enterprise and WPA3-Enterprise. CVE-2024-3596. WPA2-Enterprise.
  • EAP method downgrade - a rogue authenticator forges EAP responses to steer negotiation toward the weakest method both sides allow, down to MSCHAP or a cleartext inner, so a permissive client surrenders crackable or plaintext credentials; the natural partner to the rogue-RADIUS evil twin. WPA2-Enterprise, WPA3-Enterprise. eaphammer (or hostapd-wpe). WPA2-Enterprise.

KRACK and FragAttacks

These two protocol-level disclosures hit the IEEE 802.11 standard itself, not one vendor. Both are largely closed on current clients and APs, so the manual treats them as study material rather than live lab targets.

  • KRACK (Key Reinstallation Attacks, 2017) - forcing a handshake retransmission makes the victim reinstall an in-use key, resetting the nonce and exposing the keystream; the four-way variant is CVE-2017-13077, the 802.11r variant CVE-2017-13082. WPA and WPA2 (TKIP installs are most severe). WPA2-Personal.
  • FragAttacks (Fragmentation and Aggregation, 2021) - flaws in 802.11 frame aggregation and fragmentation allow injection and limited exfiltration: CVE-2020-24588, CVE-2020-24587, CVE-2020-24586. Because the flaws are in the frame format, they reach WEP, WPA, WPA2, and WPA3 alike. WPA2-Personal.

Availability and denial of service

These do not recover keys or data; they take the network or its clients off the air. Management and beacon frames are largely unauthenticated, so most need no credentials, and the physical layer has no 802.11 defense at all.

  • Deauthentication and disassociation flood - spoof the unauthenticated deauth or disassoc frames to knock one station, or a whole BSS, off the air at will; the same primitive behind handshake capture and the evil-twin lures above. Any network without PMF. aireplay-ng -0, mdk4. Protected Management Frames (802.11w) close the basic version, though beacon-based and some implementation-specific disconnects remain. WPA2-Personal.
  • Beacon, authentication, and association floods - inject mass fake-AP beacons to swamp scanners, or floods of auth and association frames to exhaust an AP's client table. APs and clients across every protocol. mdk4. PMF does not stop these, since the frames precede the protected association.
  • TKIP Michael countermeasures shutdown - the Michael MIC is weak enough that the standard mandates a 60-second network shutdown after two MIC failures in a minute; force two failures per minute and a TKIP network stays down. WPA (TKIP). mdk4. WPA.
  • Channel Switch Announcement abuse (2009) - a forged beacon carrying an unauthenticated CSA element tells clients to jump to a dead channel, knocking them off the real AP. 802.11h clients. mdk4. Plain PMF does not stop it because beacons are unprotected; WPA3 Beacon Protection plus Operating Channel Validation close it.
  • RF jamming - a transmitter on the same band raises the noise floor and denies service at the physical layer, beneath any 802.11 protection. All wireless. Listed for awareness only: operating a jammer is illegal in the United States (FCC enforcement).

(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com