Introduced: 2003
Encryption: TKIP (RC4)
Key mgmt: PSK
PMF: No
Prevalence: Legacy

How it works

WPA is the 2003 transitional standard the Wi-Fi Alliance shipped to rescue networks from broken WEP while the full 802.11i amendment was still being finalized. Its core is the Temporal Key Integrity Protocol (TKIP), a wrapper bolted on top of the same RC4 stream cipher WEP used. The constraint was that it had to run on existing WEP silicon as a firmware update, so it could not switch to a real block cipher.

TKIP papers over WEP's worst sins without removing RC4. It expands the initialization vector to 48 bits and uses a per-packet key mixing function so that no two frames share keystream, it adds a 48-bit TKIP Sequence Counter to stop replay, and it replaces WEP's useless CRC with the Michael MIC, a lightweight message integrity check. Michael was a compromise: it had to be cheap enough for 1990s hardware, so it is cryptographically weak, and TKIP compensates with countermeasures that shut the radio down for 60 seconds after two MIC failures in a second. Authentication still rides on a pre-shared key through the same four-way handshake WPA2-Personal uses, so WPA inherits the offline dictionary problem on top of its own cipher weaknesses.
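To make the MIC and counter concrete, here is an added reference implementation of the Michael MIC and the receive-side TSC replay check (example code written for this page, not part of Tala WTE). The block function, padding and MSDU framing follow the 802.11 definition; the one test vector (all-zero key, empty message) is the first Annex H vector. RC4 encryption and the WEP ICV are left out, and the addresses and payload used in the usage call are constructed sample values.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l: int, r: int):
    # The Michael block function: four add/xor/rotate steps, no S-box.
    # This is why it fits 1990s hardware and why it is cryptographically weak.
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC of msg under a 64-bit key; returns the 8-byte tag."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a, then 4..7 zero bytes, so the length is a multiple of 4.
    zeros = 4 + (-(len(msg) + 1)) % 4
    data = msg + b"\x5a" + b"\x00" * zeros
    for (word,) in struct.iter_unpack("<I", data):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    # TKIP feeds Michael the MSDU header fields as well as the payload:
    # DA || SA || priority || three reserved zero bytes || data.
    return da + sa + bytes([priority & 0x0F, 0, 0, 0]) + msdu


class TkipReceiver:
    """Receive-side checks: strictly increasing 48-bit TSC, then Michael."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = -1        # no frame accepted yet
        self.mic_failures = 0     # what the Michael countermeasures count

    def accept(self, tsc: int, da: bytes, sa: bytes, priority: int,
               msdu: bytes, mic: bytes) -> str:
        if not 0 <= tsc < 2 ** 48:
            return "reject: TSC out of range"
        if tsc <= self.last_tsc:
            return "reject: replay (TSC not increasing)"
        expected = michael(self.mic_key, tkip_mic_input(da, sa, priority, msdu))
        if expected != mic:
            self.mic_failures += 1
            return "reject: MIC failure"
        self.last_tsc = tsc
        return "accept"


if __name__ == "__main__":
    # Constructed sample frame: ARP-sized payload between two made-up stations.
    key = bytes(8)
    da, sa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    msdu = b"\x08\x06" + b"\x00" * 26
    tag = michael(key, tkip_mic_input(da, sa, 0, msdu))
    rx = TkipReceiver(key)
    print(michael(key, b"").hex())              # 82925c1ca1d130b8
    print(rx.accept(5, da, sa, 0, msdu, tag))  # accept
    print(rx.accept(5, da, sa, 0, msdu, tag))  # reject: replay (TSC not increasing)
```

Note that a frame failing the MIC does not advance the replay counter, so a forged frame cannot be used to push the receiver's TSC forward and starve legitimate traffic.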

Configuring it in Tala WTE

WPA has no weakness toggle of its own: the PMKID Exposed switch belongs to WPA2-Personal, not WPA, so on a WPA network you capture the key the classic way, by grabbing a real four-way handshake. For a crack lab, pick a passphrase that lives in a wordlist so students reach a result.

For the full New-Network walkthrough, see Networks.

Attacks

4-way handshake dictionary attack

WPA's PSK mode authenticates with the same EAPOL four-way handshake as WPA2, and those four frames carry everything needed to test guesses offline. Capture a handshake, deauthenticate a client to force a reconnect, then grind a wordlist on your own hardware:

airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon
aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF wlan0mon
hashcat -m 22000 cap.hc22000 wordlist.txt

Judgment: the highest-value WPA attack in practice; cipher choice (TKIP vs AES) is irrelevant once you have the handshake, because you are cracking the passphrase, not the cipher.

PMKID attack

Where the access point includes the RSN PMKID in the first EAPOL frame, you skip the client entirely and harvest the hash straight from the AP, then crack it with the same hashcat mode:

hcxdumptool -i wlan0mon -o pmkid.pcapng
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
hashcat -m 22000 pmkid.hc22000 wordlist.txt

Judgment: clientless and quiet, but it depends on the AP electing to send a PMKID; most modern gear does not, and Tala WTE only forces it on the WPA2-Personal lab.

KRACK key reinstallation

The 2017 Key Reinstallation Attack (CVE-2017-13077) abuses the four-way handshake: by blocking and replaying message 3, an attacker tricks the client into reinstalling an already-in-use key, resetting the nonce and replay counter. Under AES-CCMP this enables replay and decryption; under TKIP it is worse, because nonce reuse against RC4 can leak keystream and, combined with Michael's weakness, allow frame forgery back toward the AP.

# KRACK targets the supplicant, not the AP: stand up a rogue clone of the
# BSSID on a second channel, relay frames as a man-in-the-middle, then block
# and replay EAPOL message 3 to force a key reinstall. See CVE-2017-13077.

Judgment: dangerous on unpatched clients, but it attacks the handshake state machine, not the passphrase; patched supplicants reject the reinstall, so in the field this is mostly a lesson, not a way in.
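The state-machine point is easier to see in a toy model. The following is an added example, not Tala WTE code and not an implementation of the real attack: it simulates only the supplicant's key-install logic and shows what a replayed message 3 does to a stream cipher when the counter is reset, and how the patched behaviour (keep the installed key and counters, just resend message 4) closes it. RC4 is the real TKIP cipher, but the per-packet key mixing here is a SHA-256 stand-in for TKIP's Phase 1/Phase 2 mixing, and the MAC address, temporal key and frames are constructed sample values.

```python
import hashlib
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher TKIP inherits from WEP."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def per_packet_key(tk: bytes, ta: bytes, tsc: int) -> bytes:
    # Hypothetical stand-in for TKIP key mixing. The real function differs,
    # but shares the property that matters: same (TK, TA, TSC) -> same key.
    return hashlib.sha256(tk + ta + tsc.to_bytes(6, "little")).digest()[:16]


class Supplicant:
    """Client-side handling of EAPOL message 3 and the transmit counter."""

    def __init__(self, ta: bytes, patched: bool):
        self.ta = ta
        self.patched = patched
        self.tk: Optional[bytes] = None
        self.tsc = 0
        self.installed = False

    def on_msg3(self, tk: bytes) -> str:
        """Handle message 3, which may be a legitimate retransmission or a replay."""
        if self.installed and self.patched:
            # Fix for CVE-2017-13077: answer with message 4 again, but leave
            # the installed key and the TSC exactly as they are.
            return "msg4 resent, key not reinstalled"
        self.tk = tk
        self.tsc = 0               # (re)installing resets the transmit counter
        self.installed = True
        return "key installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one frame under the next TSC; returns (tsc, ciphertext)."""
        if self.tk is None:
            raise RuntimeError("no key installed")
        self.tsc += 1
        return self.tsc, rc4(per_packet_key(self.tk, self.ta, self.tsc), plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reused_after_replay(patched: bool) -> bool:
    """True if a replayed message 3 makes two frames share RC4 keystream."""
    tk = bytes(range(16))                                  # constructed sample TK
    sup = Supplicant(bytes.fromhex("02aabbccddee"), patched)
    sup.on_msg3(tk)
    p1 = b"first frame after install..."
    tsc1, c1 = sup.send(p1)
    sup.on_msg3(tk)                                        # message 3 arrives again
    p2 = b"second frame, same length!!!"
    tsc2, c2 = sup.send(p2)
    # With a stream cipher, equal keystream means c1 ^ c2 == p1 ^ p2, which is
    # exactly the leak the section describes for TKIP.
    return tsc1 == tsc2 and xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    print("unpatched:", keystream_reused_after_replay(patched=False))  # True
    print("patched:  ", keystream_reused_after_replay(patched=True))   # False
```

The model also shows why the fix belongs in the supplicant: the AP never learns that the client reset its counter, so only the client can refuse the reinstall.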

TKIP plaintext recovery (Beck-Tews / Ohigashi-Morii)

The 2008 to 2009 chopchop-style attacks against TKIP recover the plaintext of short, predictable frames (such as ARP) one byte at a time and, against QoS channels with multiple TX queues, inject a small number of forged packets. They exploit the Michael MIC and the per-packet structure, not the passphrase.

Judgment: a narrow, slow attack that recovers small packets and injects a few frames; historically important as proof TKIP is broken, but you will reach for the handshake crack instead.

What you find in the field

Finding live WPA-TKIP today is itself a finding. It means the network has not been reconfigured since before 2006, or it is deliberately pinned to TKIP to support an ancient client (a legacy printer, a building-automation controller, an old handheld scanner). TKIP also drags performance down: 802.11n and later refuse to negotiate high-throughput rates on a TKIP BSS, so the whole network is capped at legacy 54 Mbps. A WPA-only or mixed WPA/WPA2 SSID is a reliable signal of stale infrastructure and weak operational hygiene, which usually means the passphrase is old and guessable too. Treat it the same as WPA2 for capture-and-crack, and flag the TKIP itself as a remediation item.
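The signals in that paragraph all live in two information elements of the beacon, so a quick way to turn a capture into findings is to parse them. The following is an added example, not Tala WTE code: it walks a beacon's tag list, decodes the WPA (vendor-specific, version 1) and RSN elements, and flags WPA-only or mixed mode, TKIP as pairwise or group cipher, PSK key management and missing PMF. It goes slightly beyond the text by also reading the RSN capability bits that advertise PMF. The three beacon IE byte strings are constructed samples, not captured frames.

```python
from typing import Dict, List

IEEE_OUI = bytes.fromhex("000fac")   # suite selectors used by the RSN element
WPA_OUI = bytes.fromhex("0050f2")    # suite selectors used by the WPA (v1) element

# Suite type numbers shared by both selector families (only the common ones).
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 8: "GCMP"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}


def _suite(sel: bytes, oui: bytes, table: Dict[int, str]) -> str:
    if len(sel) != 4 or sel[:3] != oui:
        return "vendor:" + sel.hex()
    return table.get(sel[3], "type-%d" % sel[3])


def _parse_suite_list(body: bytes, oui: bytes) -> Dict:
    # Layout shared by both elements after the version field:
    # group cipher (4) | pairwise count (2) | pairwise suites | AKM count (2) | AKMs
    if len(body) < 6:
        raise ValueError("truncated suite list")
    group = _suite(body[0:4], oui, CIPHERS)
    n = int.from_bytes(body[4:6], "little")
    pos = 6
    if len(body) < pos + 4 * n + 2:
        raise ValueError("truncated pairwise list")
    pairwise = [_suite(body[pos + 4 * i:pos + 4 * i + 4], oui, CIPHERS) for i in range(n)]
    pos += 4 * n
    m = int.from_bytes(body[pos:pos + 2], "little")
    pos += 2
    if len(body) < pos + 4 * m:
        raise ValueError("truncated AKM list")
    akms = [_suite(body[pos + 4 * i:pos + 4 * i + 4], oui, AKMS) for i in range(m)]
    pos += 4 * m
    return {"group": group, "pairwise": pairwise, "akm": akms, "rest": body[pos:]}


def parse_ies(ies: bytes) -> Dict[str, Dict]:
    """Walk the tag/length/value list and return the parsed WPA and RSN elements."""
    found: Dict[str, Dict] = {}
    pos = 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        value = ies[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated IE (tag %d)" % tag)
        pos += 2 + length
        if tag == 48:                                   # RSN element
            el = _parse_suite_list(value[2:], IEEE_OUI)
            caps = int.from_bytes(el["rest"][:2], "little") if len(el["rest"]) >= 2 else 0
            el.update(version=int.from_bytes(value[0:2], "little"),
                      mfpc=bool(caps & 0x80), mfpr=bool(caps & 0x40))
            found["rsn"] = el
        elif tag == 221 and value[:4] == WPA_OUI + b"\x01":   # vendor-specific, WPA type 1
            el = _parse_suite_list(value[6:], WPA_OUI)
            el.update(version=int.from_bytes(value[4:6], "little"))
            found["wpa"] = el
    return found


def audit(ies: bytes) -> List[str]:
    """Turn the parsed elements into the findings a field report would carry."""
    parsed = parse_ies(ies)
    findings: List[str] = []
    if not parsed:
        return ["no WPA/RSN element: open or WEP network"]
    if "wpa" in parsed:
        findings.append("WPA (version 1) advertised: legacy, RC4-based"
                        + (" mixed with WPA2" if "rsn" in parsed else ", no WPA2 at all"))
    ciphers, akms = set(), set()
    for el in parsed.values():
        ciphers.add(el["group"]); ciphers.update(el["pairwise"]); akms.update(el["akm"])
    if "TKIP" in ciphers:
        findings.append("TKIP enabled as pairwise or group cipher: remediation item")
    if "PSK" in akms:
        findings.append("PSK key management: offline dictionary attack applies")
    rsn = parsed.get("rsn")
    if rsn is None or not rsn["mfpc"]:
        findings.append("PMF not available")
    elif not rsn["mfpr"]:
        findings.append("PMF optional, not required")
    return findings


# Constructed sample beacons: SSID element "Lab1" followed by the security elements.
_SSID = bytes.fromhex("00044c616231")
_WPA_TKIP_IE = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
LEGACY_WPA_IES = _SSID + _WPA_TKIP_IE
MIXED_IES = LEGACY_WPA_IES + bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
WPA3_IES = _SSID + bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")

if __name__ == "__main__":
    for name, ies in (("legacy", LEGACY_WPA_IES), ("mixed", MIXED_IES), ("wpa3", WPA3_IES)):
        print(name, audit(ies) or ["no findings"])
```

The truncation checks matter in practice: beacons from misbehaving or deliberately malformed firmware do turn up, and a parser that indexes past the end of a short element is a crash in your tooling, not a finding.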

Defending against it

Do not run WPA-TKIP. Move to WPA2-Personal with AES-CCMP at a minimum, and to WPA3-Personal where clients support SAE, which removes the offline dictionary attack entirely. Disable TKIP outright rather than leaving it in a mixed-mode group cipher, since a TKIP group key drags an otherwise-AES network down to the weaker cipher and re-enables the TKIP-specific attacks. Patch every client and AP for KRACK; the fix lives in the supplicant, so client patching matters most. Because every PSK mode shares the offline-cracking weakness, use a long, random passphrase, and where the device count justifies it, retire shared passphrases for 802.1X / WPA2-Enterprise. If a single legacy device is the only reason TKIP survives, isolate it on its own VLAN and SSID rather than weakening the whole network.
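In hostapd terms the difference between the network this page describes and the remediated one is a handful of lines. The fragments below are an added, constructed example (not a configuration shipped with Tala WTE), using only standard hostapd.conf keys; the interface, SSID, channel and passphrase values are placeholders.

```ini
# --- weak: the WPA-TKIP network this page describes ---
interface=wlan0
ssid=Lab1
hw_mode=g
channel=6
# bit 0 = WPA (v1), bit 1 = WPA2/RSN; 1 means WPA only, 3 means mixed mode
wpa=1
wpa_key_mgmt=WPA-PSK
# TKIP pairwise cipher: RC4 plus Michael, and the BSS is capped at legacy rates
wpa_pairwise=TKIP
wpa_passphrase=summer2006

# --- remediated: WPA3-Personal, CCMP only, PMF required ---
interface=wlan0
ssid=Lab1
hw_mode=g
channel=6
# RSN only: no WPA (v1) element is advertised at all, so TKIP cannot be negotiated
wpa=2
wpa_key_mgmt=SAE
# CCMP for pairwise and group keys; never list TKIP here, or the group key
# drags the whole BSS back to the weaker cipher
rsn_pairwise=CCMP
# 2 = PMF required (SAE needs it); 1 = optional, 0 = off
ieee80211w=2
sae_password=<long random passphrase, placeholder>

# If clients cannot do SAE yet, the WPA2-Personal minimum keeps wpa=2,
# rsn_pairwise=CCMP and ieee80211w=2 but uses:
# wpa_key_mgmt=WPA-PSK
# wpa_passphrase=<long random passphrase, placeholder>
# For a transition period, wpa_key_mgmt=WPA-PSK SAE with ieee80211w=1.
```

Check the result the same way you would audit a client's network: the beacon should carry an RSN element with CCMP only, an SAE (or PSK) AKM, and both PMF capability bits set, and no vendor-specific WPA element at all.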


(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com