PT0-002, Chapter 10 of 104, Objective 3.5

Wireless and RF Attacks

This chapter covers wireless and RF attacks, a critical domain for the CompTIA PenTest+ PT0-002 exam under Objective 3.5. These attacks target the radio frequency (RF) layer and the protocols that manage wireless networks, including WPA2, WPA3, Bluetooth, and RFID. Approximately 10-15% of exam questions touch on wireless attack vectors, making this a high-yield topic. You will learn the mechanics behind deauthentication attacks, evil twin setups, WPA cracking, and Bluetooth exploits, along with the specific tools and commands used in penetration testing engagements.

25 min read
Intermediate
Updated May 31, 2026

Wireless Attacks Like Apartment Building Keys

Imagine a large apartment building where each unit uses a physical key to unlock its door. The building manager (the access point) has a master key that can open any unit. A wireless attack is like someone trying to duplicate that master key without authorization. First, the attacker might stand near the building and listen to the sounds of keys turning in locks (passive eavesdropping) to capture the unique pattern of the master key's operation. This is analogous to capturing the four-way handshake in WPA2. Next, the attacker might try to jam the lock by inserting a paperclip (deauthentication attack) to force a resident to reinsert their key, giving the attacker another chance to capture the key pattern. Once the attacker has a recording of the key pattern, they can try to guess the exact bitting (crack the PSK) using a dictionary of common patterns. If the building uses electronic locks with rolling codes (WPA3), the attacker might try to trick the lock into accepting an old code by using a signal amplifier (relay attack) to make the lock think the resident's fob is nearby. The key point is that each attack targets a specific weakness in the key system—whether it's the sound of the key, the lock's reset behavior, or the code algorithm—and the defender must understand each mechanism to choose the right countermeasure, such as switching to a lock that uses a different keyway (migrating from WPA2 to WPA3).

How It Actually Works

1. Overview of Wireless and RF Attacks

Wireless and RF attacks exploit the inherent broadcast nature of radio communications. Unlike wired networks, where an attacker must physically connect to a cable, wireless signals propagate through the air and can be intercepted by any receiver within range. The PT0-002 exam focuses on attacks against IEEE 802.11 (Wi-Fi), Bluetooth, and RFID/NFC systems. Common attack types include:

- Deauthentication attacks: Forcing clients to disconnect from an access point (AP).
- Evil twin attacks: Rogue APs impersonating legitimate APs.
- WPA/WPA2 cracking: Capturing the four-way handshake and performing offline brute-force or dictionary attacks.
- WPA3 attacks: Downgrade attacks, dictionary attacks on SAE (Simultaneous Authentication of Equals), and side-channel attacks.
- Bluetooth attacks: Bluejacking, bluesnarfing, and BlueBorne.
- RFID/NFC attacks: Cloning, eavesdropping, and relay attacks.

2. 802.11 Frame Types and Management Frames

To understand wireless attacks, you must know 802.11 frame types. The three main types are:

- Management frames: Association, authentication, beacon, probe, and deauthentication frames.
- Control frames: RTS, CTS, ACK.
- Data frames: Carry upper-layer data.

Management frames are unencrypted and unauthenticated in many cases, making them a prime target. For example, deauthentication frames are sent by an AP to a client to terminate a connection. An attacker can spoof these frames using the AP's MAC address, causing the client to disconnect. The client will then attempt to reconnect, generating a new four-way handshake that the attacker can capture.

3. Deauthentication Attack Mechanics

A deauthentication attack exploits the lack of encryption in management frames. The attacker sends a deauth frame with the source MAC set to the legitimate AP and the destination MAC set to the client. The client, upon receiving the frame, believes the AP wants it to disconnect and terminates the connection. The tool aireplay-ng from the aircrack-ng suite is commonly used:

aireplay-ng -0 5 -a <AP_MAC> -c <Client_MAC> wlan0mon

This sends 5 deauth frames. The -0 flag specifies the deauthentication attack. The client will typically attempt to reassociate, allowing the attacker to capture the handshake. The exam expects you to know that this attack works on WPA2-Personal but not on WPA3, because WPA3 uses management frame protection (802.11w).
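A wireless IDS sees this attack from the other side: a burst of deauthentication or disassociation frames that all claim to come from the BSSID. The following is an added example, not code from the original chapter or from the aircrack-ng project; it runs a sliding-window rate check over constructed frame records of the form (time, type, subtype, src, dst), and the threshold and window size are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes (frame type 0) that tear down a session.
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

def detect_deauth_flood(frames, threshold=10, window_s=1.0):
    """Flag senders whose deauth/disassoc rate exceeds `threshold` frames
    inside any sliding window of `window_s` seconds.

    `frames` is an iterable of (time_s, frame_type, subtype, src_mac, dst_mac)
    tuples, as a monitor-mode capture parser would produce. Returns a dict
    {src_mac: peak_frames_in_window}. Because the attacker spoofs the AP's
    address, the flagged MAC is the impersonated BSSID, not the attacker.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, ftype, subtype, src, _dst in frames:
        if ftype != 0 or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(window))
    return peaks

# Constructed sample (not a real capture): one beacon, a 25-frame burst of
# deauth frames carrying the AP's address, and one isolated legitimate deauth.
AP_MAC = "aa:bb:cc:00:00:01"
CLIENT_MAC = "11:22:33:44:55:66"
SAMPLE_FRAMES = [(0.0, 0, SUBTYPE_BEACON, AP_MAC, "ff:ff:ff:ff:ff:ff")]
SAMPLE_FRAMES += [(0.1 + i * 0.02, 0, SUBTYPE_DEAUTH, AP_MAC, CLIENT_MAC)
                  for i in range(25)]
SAMPLE_FRAMES.append((5.0, 0, SUBTYPE_DEAUTH, "de:ad:be:ef:00:02", CLIENT_MAC))

if __name__ == "__main__":
    for mac, peak in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"possible deauth flood: {peak} frames in 1 s claiming to be {mac}")
```

A single deauth from an AP is normal; the signal is the rate, and on an 802.11w network such spoofed frames fail the MIC check and never reach the client at all.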

4. Evil Twin Attack

An evil twin is a rogue AP that mimics a legitimate AP's SSID and BSSID (MAC). The attacker sets up an AP with the same SSID, often with a stronger signal, causing clients to connect to it instead. Once connected, the attacker can perform man-in-the-middle (MITM) attacks, capture credentials, or serve malicious content. Tools like airbase-ng or hostapd-wpe are used. A common exam scenario involves setting up an evil twin to capture WPA2 handshakes or to phish for enterprise credentials via a captive portal.

5. WPA/WPA2 Cracking

WPA2-Personal uses a Pre-Shared Key (PSK) and the four-way handshake to authenticate clients. The handshake is exchanged when a client connects to an AP. An attacker can capture this handshake using a tool like airodump-ng:

airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon

After capturing the handshake, the attacker uses aircrack-ng with a wordlist to perform an offline dictionary attack:

aircrack-ng -w wordlist.txt -b <AP_MAC> capture-01.cap

The attack works because the PSK is used to derive the Pairwise Master Key (PMK), which is then used in the handshake. The attacker can verify a guessed PSK by comparing the derived PMK against the handshake data. The exam tests that this attack is only feasible if the PSK is weak or present in the wordlist.
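To see why both the wordlist and the SSID matter, the added example below (not code from the original chapter or from aircrack-ng) derives the PMK exactly as WPA/WPA2-Personal specifies, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, checks it against the published IEEE test vector for passphrase "password" and SSID "IEEE", and shows that the same passphrase yields a different PMK under a different SSID. The candidate-passphrase pattern in the timing helper is a constructed placeholder.

```python
import hashlib
import time

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output (IEEE 802.11)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different PMKs for two SSIDs, i.e. a
    table precomputed for a default SSID is useless against a unique one."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)

def guesses_per_second(ssid: str, samples: int = 200) -> float:
    """Rough single-core cost of testing candidates: 4096 HMAC-SHA1 rounds
    each, which is the work factor that bounds an offline attack."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:08d}", ssid)   # constructed placeholder guesses
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    # Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    print("same passphrase, different SSID, different PMK:",
          pmk_depends_on_ssid("password", "IEEE", "linksys"))
    print(f"~{guesses_per_second('IEEE'):.0f} PBKDF2 derivations/s on one core")
```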

6. WPA3 Attacks

WPA3 introduces Simultaneous Authentication of Equals (SAE) based on Dragonfly Key Exchange, which is resistant to offline dictionary attacks. However, WPA3 is not invulnerable. Key attacks include:

- Downgrade attack: Forcing a client to use WPA2 instead of WPA3 by setting up an evil twin that only supports WPA2. The client may fall back to WPA2 if configured to do so.
- Dictionary attack on SAE: If the attacker can capture the SAE handshake, they can perform an offline dictionary attack, but each guess requires a computationally expensive exponentiation, making it slower than WPA2 cracking.
- Side-channel attack: The Dragonblood vulnerabilities (CVE-2019-9494) allow timing-based attacks to recover the password.

The exam may reference that WPA3 is not completely immune and that downgrade attacks are a primary vector.

7. Bluetooth Attacks

Bluetooth operates in the 2.4 GHz ISM band and uses frequency-hopping spread spectrum. Common attacks include:

- Bluejacking: Sending unsolicited messages to Bluetooth devices using the OBEX protocol. This is a nuisance attack, not a data breach.
- Bluesnarfing: Unauthorized access to data on a Bluetooth device, such as contacts or messages. This requires pairing or exploiting vulnerabilities in the Bluetooth stack.
- BlueBorne: A set of vulnerabilities (2017) that allow remote code execution without pairing. Attackers scan for Bluetooth devices and exploit buffer overflows in the Bluetooth stack.
- Bluetooth Low Energy (BLE) attacks: BLE uses advertising packets that can be captured and replayed. Attackers can perform relay attacks to unlock doors or start cars.

8. RFID/NFC Attacks

RFID and NFC operate at 13.56 MHz (HF) or 125 kHz (LF). Attacks include:

- Eavesdropping: Capturing the communication between a reader and a tag. This requires being within a few meters.
- Cloning: Reading the tag's data and writing it to a blank tag. This works on unencrypted tags like MIFARE Classic.
- Relay attack: Using two devices to extend the range of an NFC transaction. For example, an attacker near a victim can relay the signal from the victim's contactless card to a reader far away to make a payment.
- Skimming: Using a rogue reader to read credit card numbers from RFID-enabled cards.

9. Wireless Attack Tools

Essential tools for PT0-002:

- Aircrack-ng suite: airmon-ng, airodump-ng, aireplay-ng, aircrack-ng.
- Reaver: For WPS brute-force attacks.
- Kismet: Wireless network detector and sniffer.
- Wifite: Automated wireless auditing tool.
- Bettercap: MITM framework that can perform evil twin and deauthentication attacks.
- Bluetooth tools: hcitool, bluetoothctl, btscanner, bluez.
- RFID tools: proxmark3, libnfc, mfoc (for MIFARE Classic).

10. Countermeasures

Penetration testers must also understand defenses:

- WPA3 with 802.11w: Management frame protection prevents deauth attacks.
- WPA2-Enterprise: Use EAP-TLS with certificates instead of PSK.
- Disable WPS: WPS PIN brute-force is a common attack vector.
- Bluetooth: Disable discoverable mode, use pairing bonding, and apply patches.
- RFID: Use encrypted tags and Faraday cages to prevent eavesdropping.
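To verify which of these Wi-Fi defenses an AP actually advertises, decode the RSN information element from its beacon or probe response: the AKM suites reveal PSK, SAE or 802.1X, and the RSN Capabilities field carries the 802.11w bits (MFPC = capable, MFPR = required). This is an added example, not part of the original chapter; the three elements it decodes are constructed, and the finding strings are labels chosen for this example.

```python
import struct

ELEMENT_ID_RSN = 48
OUI_IEEE = b"\x00\x0f\xac"
CIPHER = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
       8: "SAE", 9: "FT-SAE", 18: "OWE"}

def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN information element (ID 48) from a beacon or probe
    response: ciphers, AKM suites and the 802.11w bits in RSN Capabilities."""
    if len(ie) < 2 or ie[0] != ELEMENT_ID_RSN:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN element")
    off = 0

    def read_u16():
        nonlocal off
        value = struct.unpack_from("<H", body, off)[0]
        off += 2
        return value

    def read_suites(count, table):
        nonlocal off
        names = []
        for _ in range(count):
            oui, suite_type = body[off:off + 3], body[off + 3]
            off += 4
            names.append(table.get(suite_type, f"type-{suite_type}")
                         if oui == OUI_IEEE else f"vendor-{oui.hex()}")
        return names

    version = read_u16()
    group = read_suites(1, CIPHER)[0]
    pairwise = read_suites(read_u16(), CIPHER)
    akm = read_suites(read_u16(), AKM)
    # RSN Capabilities may be absent in old elements; bit 7 = MFPC, bit 6 = MFPR.
    caps = read_u16() if off + 2 <= len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}

def assess_rsn(info: dict) -> list:
    """Translate the decoded element into the findings this chapter discusses."""
    akm, findings = set(info["akm"]), []
    if {"PSK", "SAE"} <= akm:
        findings.append("WPA2/WPA3 transition mode: downgrade to PSK possible")
    elif "SAE" in akm:
        findings.append("WPA3-Personal (SAE)")
    elif akm & {"PSK", "PSK-SHA256"}:
        findings.append("WPA2-Personal (PSK): captured handshake allows offline dictionary attack")
    if akm & {"802.1X", "802.1X-SHA256"}:
        findings.append("Enterprise (802.1X/RADIUS)")
    if not info["mfpc"]:
        findings.append("no 802.11w: spoofed deauth/disassoc frames are accepted")
    elif not info["mfpr"]:
        findings.append("802.11w optional: clients that skip PMF stay exposed to deauth")
    return findings

# Constructed elements (not captured from a real AP), written as Wireshark shows them.
WPA2_PSK_NO_PMF = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
WPA3_SAE_PMF_REQUIRED = bytes.fromhex("30140100000fac040100000fac040100000fac08c000")
TRANSITION_MODE = bytes.fromhex("30180100000fac040100000fac040200000fac02000fac088000")
```

Run `assess_rsn(parse_rsn_ie(...))` on each constant to see the three verdicts; on a live audit the element comes from the beacon's tagged parameters in a capture.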

The exam expects you to recommend appropriate countermeasures based on the vulnerability discovered.

Walk-Through

Step 1: Capture Handshake with Airodump

First, put your wireless interface into monitor mode using `airmon-ng start wlan0`. Then, start `airodump-ng` on the channel of the target AP to capture beacon frames and probe responses. Use the command `airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon`. This will capture all traffic from that AP and save it to a PCAP file. The handshake appears when a client connects or reconnects. If no client is currently connecting, you may need to force a reconnection using a deauthentication attack.

Step 2: Send Deauthentication Packets

Use `aireplay-ng -0 5 -a <AP_MAC> -c <Client_MAC> wlan0mon` to send 5 deauth frames. The `-0` flag specifies the deauthentication attack. The client will disconnect and then attempt to reassociate, generating a new four-way handshake. Monitor the `airodump-ng` window for the handshake capture. The handshake is indicated by the message '[WPA handshake: <AP_MAC>]' in the upper-right corner of the airodump-ng display. If you don't see it, try sending more deauth frames or ensure the client is in range.

Step 3: Verify Handshake in Capture

After capturing, verify the handshake is present in the PCAP file. Use `aircrack-ng capture-01.cap` to check. The tool will display the number of handshakes found. You should see '1 handshake' if successful. If no handshake is found, the capture may have only captured data frames or management frames without the EAPOL messages. You can also open the capture in Wireshark and filter for `eapol` to see the four EAPOL frames (Message 1, 2, 3, 4).

Step 4: Crack PSK with Aircrack-ng

Run `aircrack-ng -w wordlist.txt -b <AP_MAC> capture-01.cap`. The tool tries each password in the wordlist against the handshake: it derives the PMK from each candidate password and checks the result against the captured handshake. If a match is found, the password is displayed. The speed depends on the wordlist size and CPU power. For faster cracking, use a GPU-based tool like `hashcat` with the 22000 hash mode. The exam emphasizes that this attack only works if the password is in the wordlist.

Step 5: Deploy Evil Twin AP

To set up an evil twin, use a tool like `airbase-ng` or `hostapd-wpe`. First, configure a virtual interface in monitor mode. Then, start `airbase-ng` with the target SSID: `airbase-ng -a <AP_MAC> --essid <SSID> -c <channel> wlan0mon`. This creates a rogue AP. Clients that see both the real AP and the evil twin may connect to the stronger signal. Once connected, the attacker can run a DHCP server and DNS spoofing to redirect traffic. For WPA2-Enterprise, use `hostapd-wpe` to capture MSCHAPv2 credentials.

What This Looks Like on the Job

In a typical enterprise penetration test, wireless attacks are often the fastest way to gain initial access. I've deployed these techniques in dozens of engagements. One common scenario is a corporate office with a WPA2-Personal network using a weak password like 'Company123'. Using airodump-ng and aireplay-ng, we captured the handshake within minutes and cracked the password using a 10 GB wordlist in under an hour. Once on the internal network, we could pivot to sensitive systems.

Another scenario is a hospital using WPA2-Enterprise with PEAP. We set up an evil twin using hostapd-wpe, which captured the MSCHAPv2 hashes. These were then cracked offline using asleap or hashcat, giving us the user's domain credentials.

In a third engagement, a manufacturing plant used Bluetooth for inventory scanners. We discovered that the scanners were in discoverable mode with default pairing PINs. Using hcitool and bluetoothctl, we paired with a scanner and extracted inventory data, demonstrating a data leakage risk.

The key takeaway from these real-world tests is that wireless attacks are not just theoretical; they consistently yield results when defenses are weak. Performance considerations include the number of clients, signal strength, and interference. Misconfiguration often involves leaving WPS enabled, using default SSIDs, or not updating firmware for known vulnerabilities like KRACK (CVE-2017-13077). As a pentester, always check for WPS, test deauth resilience, and verify that management frame protection is enabled on WPA3 networks.

How PT0-002 Actually Tests This

The PT0-002 exam tests wireless and RF attacks under Objective 3.5, 'Given a scenario, perform wireless and RF attacks'. Expect scenario-based questions where you must select the correct attack type, tool, or command. The most common wrong answers involve confusing deauthentication with disassociation attacks (both exist, but deauth is more common), or thinking that WPA3 is completely unbreakable. Another trap is selecting 'evil twin' when the question describes a handshake capture — the correct answer is often 'deauthentication attack' to force the handshake. The exam loves specific values: the default number of deauth frames in aireplay-ng with -0 is infinite unless you specify a count; the -0 5 sends 5 frames. Also, remember that WPA2-Personal uses a PSK, while WPA2-Enterprise uses 802.1X with RADIUS. For WPA3, the SAE handshake is resistant to offline dictionary attacks, but downgrade attacks are possible. The exam may ask about the Dragonblood vulnerabilities — know that they are timing side-channel attacks on SAE. Bluetooth questions often focus on BlueBorne (requires no pairing) vs. bluesnarfing (requires pairing). For RFID, the MIFARE Classic cipher is cryptographically broken and can be cloned using mfoc. To eliminate wrong answers, focus on the mechanism: if the attack involves forcing a client to reconnect, it's likely a deauth attack. If it involves a rogue AP, it's an evil twin. If it involves capturing a handshake, it's WPA cracking. Always look for keywords like 'capture handshake', 'force reassociation', or 'rogue AP' in the question stem.

Key Takeaways

Deauthentication attacks exploit unencrypted management frames; they are ineffective against WPA3 with 802.11w.

The four-way handshake is captured using airodump-ng; the tool indicates success with '[WPA handshake]'.

WPA2-Personal cracking uses aircrack-ng with a wordlist; the PSK must be in the wordlist for success.

WPA3 SAE is resistant to offline dictionary attacks but vulnerable to downgrade and side-channel attacks (Dragonblood).

Evil twin attacks require a rogue AP with the same SSID and stronger signal; often combined with deauth to force client migration.

BlueBorne exploits can execute code remotely without pairing; bluesnarfing requires pairing or a vulnerability.

RFID/NFC cloning works on unencrypted tags like MIFARE Classic; use mfoc for automated attacks.

Tools: aircrack-ng, aireplay-ng, airodump-ng, airbase-ng, hostapd-wpe, hcitool, proxmark3.

Countermeasures: enable 802.11w, disable WPS, use WPA3, patch Bluetooth stacks, use encrypted RFID tags.

The exam expects you to choose the correct attack based on scenario: deauth for handshake capture, evil twin for MITM, bluesnarfing for data access.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

WPA2-Personal

Uses a Pre-Shared Key (PSK) that is shared among all clients.

Susceptible to offline dictionary attacks after capturing the 4-way handshake.

No user-level authentication; anyone with the PSK can connect.

Management frame protection is optional (802.11w).

Simple to deploy for small networks.

WPA2-Enterprise

Uses 802.1X with a RADIUS server for per-user authentication.

Capturing the handshake does not allow offline cracking of the user's password (unless using PEAP/MSCHAPv2).

Provides individual credentials and can integrate with Active Directory.

Management frame protection is also optional but often enabled.

More complex to deploy; requires a RADIUS server.

Watch Out for These

Mistake

Deauthentication attacks work on all Wi-Fi networks.

Correct

Deauthentication attacks only work on networks that do not use management frame protection (802.11w). WPA3 mandates 802.11w, so deauth attacks are ineffective against WPA3 networks. WPA2 can optionally use 802.11w, but it is rarely enabled.

Mistake

WPA3 is completely secure against offline dictionary attacks.

Correct

WPA3's SAE protocol is resistant to offline dictionary attacks because each guess requires a computationally expensive operation. However, downgrade attacks can force clients to use WPA2, and side-channel attacks (Dragonblood) can leak information about the password.

Mistake

Bluesnarfing and Bluejacking are the same thing.

Correct

Bluejacking is sending unsolicited messages (OBEX push) and does not access data. Bluesnarfing is unauthorized access to data (contacts, messages) via Bluetooth. Bluesnarfing typically requires pairing or exploiting a vulnerability, while bluejacking only requires the device to be discoverable.

Mistake

Evil twin attacks require the attacker to have the same SSID as the legitimate AP.

Correct

An evil twin must use the same SSID, but it can use a different BSSID (MAC). Clients often connect based on signal strength, so the evil twin should have a stronger signal. The attacker may also deauth clients from the real AP to force them to reconnect to the evil twin.

Mistake

RFID cloning works on all RFID tags.

Correct

Cloning works on unencrypted tags like MIFARE Classic, but newer tags like MIFARE DESFire use encryption and mutual authentication, making cloning infeasible without the secret keys.


Frequently Asked Questions

What is the difference between a deauthentication attack and a disassociation attack?

Both are management frame attacks, but deauthentication terminates the authentication state, while disassociation terminates the association state. In practice, both cause the client to disconnect, but deauthentication is more commonly used because it forces a full re-authentication, generating a four-way handshake. Disassociation may not trigger a new handshake if the client remains authenticated. The exam may use either term, but deauthentication is the standard attack for capturing handshakes.

Can you crack WPA2 if you only capture the beacon frames?

No. The four-way handshake contains the necessary data to verify the PSK. Beacon frames only contain the SSID, supported rates, and other capabilities. You must capture the EAPOL messages (Message 1-4) exchanged during the handshake. The handshake is captured when a client connects or reconnects to the AP.

What is the Dragonblood vulnerability in WPA3?

Dragonblood refers to a set of vulnerabilities (CVE-2019-9494) in the SAE implementation of WPA3. It allows a side-channel attack where an attacker can perform a timing analysis to recover the password. The attack is computationally expensive but demonstrates that WPA3 is not immune to offline attacks. The exam may test that WPA3 is resistant to traditional dictionary attacks but not to side-channel attacks.

How do you perform an evil twin attack with a captive portal?

Set up a rogue AP using hostapd-wpe or airbase-ng with the same SSID. Then, configure a DHCP server and DNS server to redirect all web traffic to a fake login page. Tools like 'Ettercap' or 'Bettercap' can be used to spoof DNS. When a victim connects and opens a browser, they see a captive portal requesting credentials. The attacker captures the entered credentials. This is a common social engineering attack.

What is the difference between BlueBorne and bluesnarfing?

BlueBorne is a set of vulnerabilities that allow remote code execution and data exfiltration without requiring pairing. It exploits weaknesses in the Bluetooth stack. Bluesnarfing is the unauthorized access to data (contacts, messages) from a Bluetooth device, typically after pairing or exploiting a specific vulnerability. BlueBorne is more dangerous because it does not require user interaction.

Can RFID tags be cloned if they use encryption?

Some encrypted tags can still be cloned if the encryption is weak or the keys are known. For example, MIFARE Classic uses a proprietary Crypto-1 cipher that has been broken; tools like mfoc can recover keys and clone the tag. However, modern tags like MIFARE DESFire use AES encryption and mutual authentication, making cloning infeasible without the secret keys.

What command captures a WPA2 handshake using airodump-ng?

Use `airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon`. The `-c` specifies the channel, `--bssid` filters for the AP's MAC, and `-w` sets the output file prefix. The handshake is captured when a client connects. If no client is connecting, use `aireplay-ng -0 5 -a <AP_MAC> -c <Client_MAC> wlan0mon` to force a deauthentication.
