Why this page exists

Every protocol in this manual broadcasts a live, attackable access point so you can practice the technique safely in your own lab. The attacks are not academic: the same weaknesses have driven some of the largest data breaches on record, forced industry-wide emergency patches, and remain trivially findable in the field today. This page ties each real-world incident to its consequence and points you to the protocol page (and the Attack Catalog) for the mechanics.

The mid-2000s retail WEP breaches

Between 2005 and 2007 a major retail chain lost the details of more than 45 million payment cards (later estimates ran far higher) after attackers cracked the WEP encryption on store wireless and pivoted into the payment network. The intrusion began with wardriving from a store parking lot and went undetected for roughly eighteen months. It became the textbook case for why WEP must never carry sensitive data and was a direct driver of the PCI DSS ban on WEP for cardholder environments. This is exactly the capture-to-crack loop reproduced on the WEP page. Background: Computerworld, InformationWeek.

WEP's long tail in the field

WEP was deprecated by the IEEE when 802.11i (the basis of WPA2) was ratified in 2004, and removed from the standard in later revisions. Yet two decades on, war-driving census data and home-router surveys still turn up live WEP networks: legacy point-of-sale links, old IP cameras, industrial gear, and forgotten consumer routers. A network broadcasting WEP today is recoverable in minutes by anyone in radio range with free tooling. The lesson the lab teaches is not "WEP is theoretically weak" but "WEP in 2026 is an open door," which is why the WEP page exists purely for demonstration. For the standard's own history see IEEE 802.11.

2017: KRACK and the industry patch scramble

In October 2017 a coordinated disclosure revealed the Key Reinstallation Attack (KRACK), a flaw in the WPA2 four-way handshake itself rather than in any one vendor's code. Because the bug lived in the protocol state machine, it affected essentially every WPA2 client and AP across Windows, macOS, iOS, Android, Linux, and embedded systems at once, and the response was a global, simultaneous patch effort across operating systems and router firmware. CERT/CC tracked it as VU#228519. KRACK is one reason Protected Management Frames and WPA3 matter; for the handshake it abuses see WPA2-Personal, and for the SAE handshake that supersedes it see WPA3-Personal.

2018: clientless PMKID capture and mass WPA2 cracking

In 2018 a published technique showed that many WPA2 access points hand over the PMKID before any client has even associated, removing the long-standing prerequisite of deauthenticating a real client to capture a handshake. The consequence was that WPA2 passphrase cracking industrialized: weak or wordlist-present passphrases now fall in seconds, and the capture step is passive and instant. Modern firmware withholds the PMKID, and the lab AP does too by default; the PMKID Exposed toggle re-creates the vulnerable behavior on demand. Walk the full path on the WPA2-Personal page.

WPS PIN attacks against consumer routers

Wi-Fi Protected Setup was meant to make pairing painless and instead became one of the most reliable ways into a home network. A 2011 disclosure (CERT/CC VU#723755) showed the eight-digit PIN was far weaker than its length implied, and that many routers shipped without effective lockout, so free tools brute-force the PIN in hours and recover the passphrase outright. A 2014 follow-on, the offline Pixie Dust attack, cut that to seconds on several common chipsets. Millions of consumer routers shipped with WPS enabled by default, and many still do. The lab's WPS target ships a recoverable AP PIN so the online brute force always works, with the Pixie-Dust Downgrade toggle for the offline variant. See WPS.

Rogue AP and evil-twin credential theft

At hotels, airports, and conferences the recurring incident is the evil twin: an attacker stands up an access point broadcasting a familiar SSID, devices auto-join the stronger or expected signal, and a captive portal harvests credentials or the session is silently man-in-the-middled. On an open network the cloned SSID is indistinguishable from the real one; against WPA2-Enterprise a rogue RADIUS server captures inner authentication from any client that does not validate the server certificate. The consequence is the same in both cases, a credential dump, and the defenses are captive-portal awareness, server-certificate validation, and 802.1X done correctly. Reproduce the open-hotspot portal on the Open page and the enterprise credential harvest on the WPA2-Enterprise page.
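One way to put the server-certificate check in place on a Linux client, as an added example that is not part of the lab manual or its AP configs: two wpa_supplicant network blocks for the same WPA2-Enterprise SSID, the first trusting any RADIUS server and the second pinned to a CA and server name. The SSID, identity, CA path and server domain are placeholders.

```conf
# Added example (not the lab's own config): wpa_supplicant.conf network blocks
# for a WPA2-Enterprise SSID. CORP-WIFI, example.com and the CA path are placeholders.

# WEAK: no ca_cert, so the client accepts whatever certificate the RADIUS server
# presents, including one served by an evil twin, and then hands the inner
# MSCHAPv2 credential to it.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA and the server's name. A rogue RADIUS server
# presenting a certificate from any other CA, or for any other name, fails the
# TLS check before the inner credential is sent. anonymous_identity keeps the
# real username out of the unencrypted outer exchange, and ieee80211w=2 requires
# Protected Management Frames so forged deauthentication frames are dropped.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    ieee80211w=2
}
```

Apply the hardened block to a client in the lab, then rerun the WPA2-Enterprise harvest: the rogue RADIUS server should no longer receive an inner authentication from that client.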

FragAttacks: a 2021 reminder that the standard still has edges

In 2021 a set of frame aggregation and fragmentation flaws, collectively FragAttacks, showed that even correctly configured WPA2 and WPA3 networks could leak or accept injected frames. Three were design flaws present in the 802.11 standard since 1997 and the rest were widespread implementation bugs such as CVE-2020-26139. The takeaway for the range is that strong encryption is necessary but not sufficient: management-frame protection, careful implementations, and defense in depth still matter. The relevant baseline is WPA2-Personal, with WPA3-Personal as the hardened successor.

How to use these cases in the lab

Pick the incident, stand up the matching network, and run the documented technique end to end: WEP for the retail-breach crack, WPA2-Personal with PMKID Exposed for the 2018 clientless capture, WPS for the consumer-router PIN attacks, Open and WPA2-Enterprise for evil-twin credential theft. Doing it once on hardware you control turns a headline into muscle memory and makes the defensive lesson (retire WEP, kill WPS, pick a strong passphrase, validate the server certificate) impossible to forget.

(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com