SY0-701 | Chapter 84 of 212 | Objective 2.3

Wireless Network Attacks (Evil Twin, WPS)

This chapter covers two critical wireless network attacks—Evil Twin and WPS (Wi-Fi Protected Setup) attacks—that frequently appear on the SY0-701 exam under Objective 2.3 (Given a scenario, analyze potential indicators associated with vulnerability exploits). These attacks exploit trust in wireless network names and weak PIN-based authentication. Understanding their mechanisms, detection indicators, and countermeasures is essential for both the exam and real-world network defense. We will dissect how each attack works mechanically, how attackers execute them, and what security professionals can do to prevent or detect them.

25 min read | Intermediate | Updated May 31, 2026

The Fake Bank Teller Scam

Imagine you walk into a bank to deposit cash. A person at a desk near the entrance, wearing a name tag and holding a deposit slip, greets you and says, 'I can help you here to save time.' You hand them your cash and slip. They smile, say 'thank you,' and you leave. But that person isn't a real teller—they're a fraudster who set up a fake station right inside the bank lobby. They have a fake sign, a fake deposit box, and they look official. You never checked if they were behind the actual teller counter. In a few minutes, they pack up and disappear with your money. This is exactly how an Evil Twin attack works: the attacker sets up a rogue access point that mimics a legitimate Wi-Fi network. The SSID (network name) is identical, the signal is strong, and the user's device automatically connects because it remembers the network. The user then sends sensitive data—passwords, credit card numbers—through the attacker's access point, believing it's the real network. The attacker captures everything. The bank lobby is the physical space; the Wi-Fi environment is the radio space. The fake teller's desk is the rogue AP. The user's trust in the familiar bank branch is like the device's trust in a saved SSID. Both attacks exploit the victim's assumption that a familiar-looking entity is authentic.

How It Actually Works

What is an Evil Twin Attack?

An Evil Twin attack is a type of wireless network attack where an attacker sets up a rogue access point (AP) that impersonates a legitimate Wi-Fi network. The rogue AP broadcasts the same Service Set Identifier (SSID) as a trusted network, such as a corporate guest network or a public hotspot. The goal is to trick users into connecting to the rogue AP instead of the legitimate one. Once connected, the attacker can intercept, modify, or redirect all network traffic, enabling credential harvesting, man-in-the-middle (MITM) attacks, or malware delivery.

How Evil Twin Attacks Work Mechanically

The attack proceeds in four phases:

1. Reconnaissance: The attacker identifies a target network by scanning for SSIDs using tools like Kismet or airodump-ng. They note the SSID, BSSID, channel, and security type (open, WPA2-PSK, or WPA2-Enterprise), because the security type decides which of the tricks below will work.

2. Rogue AP Deployment: The attacker configures a wireless device (e.g., a laptop with a Wi-Fi adapter in AP ("master") mode, or a Raspberry Pi with a Wi-Fi dongle) to broadcast the same SSID. The rogue AP is placed or amplified so that its signal is stronger than the legitimate AP at the victims' location. Tools like airbase-ng or hostapd can create a rogue AP. The attacker may also send forged deauthentication frames at the legitimate AP's clients so they drop off and roam; the deauth does not disable the real AP, it only pushes clients into a reconnection where the stronger rogue signal wins.

3. Client Connection: When a user's device sees the rogue AP (often with a stronger signal), it may join automatically if the SSID is in its preferred network list, or the user selects it by hand. What happens next depends on the security type. On an open network the association completes immediately. On a WPA2-PSK network a rogue AP that does not hold the passphrase cannot finish the 4-way handshake: the client's message 2 carries a MIC keyed by the PSK that the rogue cannot verify, and the rogue cannot produce a valid message 3. The attacker therefore either captures that half-handshake and cracks the PSK offline, or runs an open clone of the SSID with a captive portal that asks the user to "re-enter the Wi-Fi password", checking the entry against the captured handshake. On a WPA2-Enterprise network the rogue AP points at an attacker-controlled RADIUS server that presents its own certificate; if the supplicant is not configured to validate the server certificate, PEAP/MSCHAPv2 users hand over a challenge/response pair that can be cracked offline.

4. Traffic Interception: Once the client is associated with the rogue AP, all traffic passes through the attacker's device, which is also the client's gateway and DNS server. The attacker can perform MITM attacks using tools like ettercap or Bettercap, capturing HTTP requests, injecting content, or redirecting to phishing sites. Even when traffic is HTTPS the attacker can attempt SSL stripping (downgrading HTTPS to HTTP; HSTS and the HSTS preload list defeat this for sites that use them) or present a forged certificate, which produces a browser warning unless the user clicks through it.

Key Components and Variants

SSID Spoofing: The core of the attack. The rogue AP uses the exact same SSID as the target.

Signal Strength Manipulation: Attackers often place their rogue AP close to victims or use high-gain antennas to ensure their signal is stronger than the legitimate AP.

Deauthentication Attack: An attack that sends forged deauthentication frames to disconnect clients from the legitimate AP so that they reconnect, ideally to the rogue AP. Tools like aireplay-ng can send deauth packets. The frames are accepted because classic 802.11 management frames are neither authenticated nor encrypted; Protected Management Frames (802.11w, mandatory in WPA3) make the AP and client reject forged deauth and disassociation frames.

Captive Portal Phishing: For open networks, the attacker can present a fake login page that mimics the legitimate network's portal, capturing credentials.

Karma Attack: A variant where the rogue AP responds to any probe request from a client for any SSID, effectively pretending to be any network the client is looking for. Tools like mana-toolkit or hostapd-mana perform Karma attacks.

Indicators of an Evil Twin Attack

Duplicate SSIDs: Multiple APs broadcasting the same SSID in the same area. By itself this is normal in any network larger than one AP (every AP in an ESS shares the SSID), so the real indicator is a BSSID that is not on the list of APs you operate. Use tools like Wireshark or inSSIDer to enumerate BSSIDs per SSID and compare against that list.

Unusual Signal Strength: An AP with the same SSID but significantly stronger signal than expected.

Unexpected Gateway or DNS: The rogue AP may have a different MAC address (BSSID) and may use a different gateway IP or DNS server. On a client, check the default gateway and DNS settings.

Certificate Warnings: For enterprise networks, users may see certificate errors if the rogue AP presents a fake RADIUS certificate.

Slow Performance or Intermittent Connectivity: The attacker may be intercepting or throttling traffic.
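The indicators above are what a wireless IDS checks over the air. As an added example that is not part of the original chapter, the Python below decodes raw 802.11 management frames (constructed inline for the example, not captured traffic) and raises the three findings a WIPS would: a BSSID outside the authorised list beaconing a known SSID (with a separate flag when the clone is open, the captive-portal pattern), one BSSID advertising many SSIDs (Karma/MANA behaviour), and a deauthentication flood, the precursor described under Key Components. The authorised-BSSID map, the MAC addresses and the thresholds are assumptions for the example; a real deployment would read frames from a monitor-mode interface or a pcap.

```python
"""Minimal WIPS-style analyser over raw 802.11 management frames (all frames are constructed inline)."""
import struct
from collections import Counter, defaultdict

# (type, subtype) pairs from the frame-control byte: management = type 0; deauth is subtype 12 (0x0C)
BEACON, PROBE_RESP, DEAUTH = (0, 8), (0, 5), (0, 12)
BCAST = b"\xff" * 6


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_beacon(bssid, ssid, privacy=True):
    """Constructed beacon: 24-byte header, 12 bytes of fixed fields, then an SSID IE (tag 0)."""
    hdr = b"\x80\x00\x00\x00" + BCAST + mac_bytes(bssid) * 2 + b"\x00\x00"
    cap = 0x0001 | (0x0010 if privacy else 0)          # ESS bit; Privacy bit set for WPA/WPA2/WPA3
    fixed = struct.pack("<QHH", 0, 100, cap)             # timestamp, beacon interval (TU), capabilities
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()


def build_deauth(bssid, client, reason=7):
    """Constructed deauthentication frame (type 0, subtype 12) apparently sent by the AP to one client."""
    hdr = b"\xc0\x00\x00\x00" + mac_bytes(client) + mac_bytes(bssid) * 2 + b"\x00\x00"
    return hdr + struct.pack("<H", reason)


def parse_frame(frame):
    """Decode frame control and the three addresses; for beacons/probe responses also pull the SSID IE."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]
    kind = ((fc >> 2) & 0x3, (fc >> 4) & 0xF)          # type in bits 2-3, subtype in bits 4-7
    info = {"kind": kind, "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    if kind in (BEACON, PROBE_RESP):
        body = frame[24:]
        info["privacy"] = bool(struct.unpack_from("<H", body, 10)[0] & 0x0010)
        i, ssid = 12, None                               # information elements start after the 12 fixed bytes
        while i + 2 <= len(body):
            tag, ln = body[i], body[i + 1]
            if tag == 0:
                ssid = body[i + 2:i + 2 + ln].decode("utf-8", "replace")
            i += 2 + ln
        info["ssid"] = ssid
    elif kind == DEAUTH:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def analyze(frames, authorized, deauth_threshold=20, karma_min_ssids=3):
    """authorized maps SSID -> set of BSSIDs the organisation operates. Returns sorted finding strings."""
    bssid_ssids = defaultdict(set)
    deauths = Counter()
    findings = set()
    for frame in frames:
        p = parse_frame(frame)
        if p["kind"] in (BEACON, PROBE_RESP) and p["ssid"]:
            bssid_ssids[p["bssid"]].add(p["ssid"])
            if p["ssid"] in authorized and p["bssid"] not in authorized[p["ssid"]]:
                findings.add(f"EVIL_TWIN bssid={p['bssid']} ssid={p['ssid']!r}")
                if not p["privacy"]:                     # open clone of our SSID: captive-portal phishing setup
                    findings.add(f"OPEN_CLONE bssid={p['bssid']} ssid={p['ssid']!r}")
        elif p["kind"] == DEAUTH:
            deauths[p["bssid"]] += 1                     # spoofed frames carry the victim AP's BSSID
    for bssid, ssids in bssid_ssids.items():
        if len(ssids) >= karma_min_ssids:                # one radio answering for many networks
            findings.add(f"KARMA bssid={bssid} ssids={len(ssids)}")
    for bssid, n in deauths.items():
        if n >= deauth_threshold:
            findings.add(f"DEAUTH_FLOOD bssid={bssid} frames={n}")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed scenario: two real corporate APs, one open clone, a deauth burst and a Karma-style radio.
    authorized = {"CompanyWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}
    capture = [build_beacon("00:11:22:33:44:55", "CompanyWiFi"),
               build_beacon("00:11:22:33:44:56", "CompanyWiFi"),
               build_beacon("de:ad:be:ef:00:01", "CompanyWiFi", privacy=False)]
    capture += [build_deauth("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01")] * 25
    capture += [build_beacon("de:ad:be:ef:00:02", s) for s in ("HomeNet", "xfinitywifi", "attwifi")]
    for line in analyze(capture, authorized):
        print(line)
```

The second authorised BSSID produces no finding even though it duplicates the SSID, which is the point of keying the check on BSSIDs rather than names. In production the authorised map comes from the controller's AP inventory, and the deauth threshold should be tuned to the number of clients, since a busy AP legitimately sends a few deauths an hour.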

Countermeasures

Use WPA3: WPA3-Personal replaces the PSK 4-way handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange in which both sides prove knowledge of the password and a captured exchange cannot be cracked offline, so a rogue AP without the password gains nothing from deauth-and-capture. It also mandates Protected Management Frames. An open clone of the SSID still works against a user who accepts it, and in WPA2/WPA3 transition mode a rogue can simply offer the WPA2 side, so configure managed clients with WPA3-only profiles where the infrastructure allows it.

802.1X with server-certificate validation, ideally EAP-TLS: For enterprise networks, the protection comes from the supplicant refusing any RADIUS server whose certificate does not chain to the expected CA and match the expected server name. That check applies to PEAP and EAP-TTLS as well as EAP-TLS; profiles that leave validation to the user ("Do you trust this certificate?") are the ones an Evil Twin defeats. EAP-TLS goes one step further by authenticating the client with a certificate, so there is no password for a fake RADIUS server to capture.

Disable Automatic Connection: Educate users to not auto-connect to open Wi-Fi and to manually verify network names.

Wireless Intrusion Prevention System (WIPS): Deploy WIPS that can detect and block rogue APs by monitoring for duplicate SSIDs, unexpected MAC addresses, or deauth floods.

VPN: Require VPN for all traffic over wireless, so even if the attacker intercepts traffic, it remains encrypted.

Physical Security: Ensure access points are physically secure to prevent tampering.

What is WPS and Why is it Vulnerable?

Wi-Fi Protected Setup (WPS) is a network security standard designed to simplify the process of connecting devices to a Wi-Fi network. It was introduced in 2007 by the Wi-Fi Alliance. WPS allows users to connect to a WPA/WPA2-secured network without entering the long passphrase, using either a PIN (usually 8 digits) printed on the router, a push-button (PBC), or near-field communication (NFC). The PIN method is the most common and most vulnerable.

How WPS PIN Attack Works Mechanically

The WPS PIN is an 8-digit number. The last digit is a checksum, so only 7 digits (10^7 = 10,000,000 combinations) are effectively unknown. However, the protocol splits the PIN into two halves: the first half (first 4 digits) is validated separately from the second half (last 3 digits, plus checksum). This design flaw reduces the maximum number of attempts to 10^4 + 10^3 = 11,000 (10,000 for the first half, 1,000 for the second).

Attack tools like Reaver exploit this. Acting as an external Registrar, the attacker runs the WPS registration protocol against the AP and supplies its guess for the first half in message M4. If that half is correct the AP answers with M5; if not it answers with a NACK, so the attacker learns half-correctness without ever seeing the PIN. Once the first half is known the attacker supplies second-half guesses in M6 and waits for M7. The specification calls for the AP to lock WPS after a few failed attempts (typically 3), but many routers never implemented the lockout, lift it after 60 seconds, or key it on the client MAC so that changing the MAC address resets it. Pixie Dust (implemented in PixieWPS) is a different, offline attack: on some chipsets the AP's secret nonces E-S1 and E-S2 are predictable (all zeros, or produced by a weak PRNG that can be reconstructed from the public E-Nonce), so after capturing a single M1-M3 exchange the attacker can brute-force both PIN halves locally against E-Hash1 and E-Hash2 in seconds, with no further frames to the AP and no lockout to trigger.

Once the PIN is recovered, the attacker obtains the WPA/WPA2 PSK directly from the AP. When the attacker plays the Registrar, the AP hands over its current network settings, including the PSK, in message M7 as soon as both halves are verified (Reaver prints it). If the attacker instead joins as an Enrollee using the PIN, the AP's internal registrar delivers the same credential in M8. The whole process takes anywhere from seconds (Pixie Dust) to several hours (online brute force with Reaver).
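To make the two attacks concrete, here is an added example that is not from the chapter: a Python model of the WPS registration messages M3 to M7. The PSK1/PSK2 and E-Hash1/E-Hash2 derivations follow the WPS specification (HMAC-SHA256 keyed with AuthKey), but PKE, PKR and AuthKey are constructed fixed bytes standing in for the real Diffie-Hellman values, the AP's credential is a placeholder string, and the PIN 12345670 is the well-known default used only because it is checksum-valid. `online_bruteforce` uses the M5/NACK and M7/NACK responses as an oracle the way Reaver does; `pixie_dust` recovers the same PIN offline from one M3 when the AP's nonces are predictable.

```python
"""WPS PIN checksum, the split-half online oracle (M4/M6 -> M5/M7 or NACK) and the Pixie Dust offline variant."""
import hmac
import hashlib


def wps_checksum(first7: str) -> int:
    """Check digit over the first seven digits: weights 3,1,3,1,3,1,3, then (10 - sum mod 10) mod 10."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def kdf(authkey: bytes, data: bytes) -> bytes:
    return hmac.new(authkey, data, hashlib.sha256).digest()


def psk_half(authkey: bytes, half: str) -> bytes:
    """PSK1/PSK2 = first 128 bits of HMAC-SHA256(AuthKey, ASCII digits of that PIN half)."""
    return kdf(authkey, half.encode())[:16]


class Enrollee:
    """AP side of WPS registration after M1/M2. E-S1/E-S2 are supposed to be fresh 128-bit random nonces."""

    def __init__(self, pin, authkey, pke, pkr, e_s1, e_s2):
        self.authkey, self.pke, self.pkr, self.e_s1, self.e_s2 = authkey, pke, pkr, e_s1, e_s2
        self.psk1, self.psk2 = psk_half(authkey, pin[:4]), psk_half(authkey, pin[4:])
        self.credential = b"constructed placeholder for the M7 ConfigData / network key"

    def m3(self):
        """E-Hash1/E-Hash2 commit the AP to each PIN half without revealing it."""
        return (kdf(self.authkey, self.e_s1 + self.psk1 + self.pke + self.pkr),
                kdf(self.authkey, self.e_s2 + self.psk2 + self.pke + self.pkr))

    def m4(self, r_hash1, r_s1):
        """Registrar proves the first half. True -> M5 (AP reveals E-S1); False -> NACK. This is the leak."""
        return hmac.compare_digest(kdf(self.authkey, r_s1 + self.psk1 + self.pke + self.pkr), r_hash1)

    def m6(self, r_hash2, r_s2):
        """Registrar proves the second half. Returns the credential (M7) or None (NACK)."""
        ok = hmac.compare_digest(kdf(self.authkey, r_s2 + self.psk2 + self.pke + self.pkr), r_hash2)
        return self.credential if ok else None


def online_bruteforce(ap, authkey, pke, pkr):
    """Reaver-style: at most 10,000 M4 round trips for the first half, then at most 1,000 M6 round trips."""
    r_s1 = r_s2 = b"\x00" * 16      # the registrar's own nonces; any value works since the registrar reveals them
    attempts, first = 0, None
    for i in range(10_000):
        half = f"{i:04d}"
        attempts += 1
        if ap.m4(kdf(authkey, r_s1 + psk_half(authkey, half) + pke + pkr), r_s1):
            first = half
            break
    if first is None:
        return None, attempts
    for i in range(1_000):
        half = f"{i:03d}"
        half += str(wps_checksum(first + half))        # only checksum-valid PINs need to be tried
        attempts += 1
        if ap.m6(kdf(authkey, r_s2 + psk_half(authkey, half) + pke + pkr), r_s2) is not None:
            return first + half, attempts
    return None, attempts


def pixie_dust(e_hash1, e_hash2, authkey, pke, pkr, e_s1_guess, e_s2_guess):
    """Offline: with E-S1/E-S2 predictable (all-zero on some Ralink/MediaTek firmware) one captured M1..M3
    exchange suffices; no further frames reach the AP and no lockout can trigger."""
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if kdf(authkey, e_s1_guess + psk_half(authkey, half) + pke + pkr) == e_hash1:
            first = half
            break
    if first is None:
        return None
    for i in range(1_000):
        half = f"{i:03d}"
        half += str(wps_checksum(first + half))
        if kdf(authkey, e_s2_guess + psk_half(authkey, half) + pke + pkr) == e_hash2:
            return first + half
    return None


if __name__ == "__main__":
    PKE, PKR, AUTHKEY = b"\x11" * 192, b"\x22" * 192, b"\x33" * 32   # constructed stand-ins for the DH values
    good_ap = Enrollee("12345670", AUTHKEY, PKE, PKR, bytes(range(16)), bytes(range(16, 32)))
    weak_ap = Enrollee("12345670", AUTHKEY, PKE, PKR, bytes(16), bytes(16))   # zero nonces: Pixie Dust target
    print("online oracle:", online_bruteforce(good_ap, AUTHKEY, PKE, PKR))
    print("pixie dust vs weak AP:", pixie_dust(*weak_ap.m3(), AUTHKEY, PKE, PKR, bytes(16), bytes(16)))
    print("pixie dust vs good AP:", pixie_dust(*good_ap.m3(), AUTHKEY, PKE, PKR, bytes(16), bytes(16)))
```

The attempt counter is the number a lockout policy has to defend against: for the default PIN it reaches the answer after 1,803 round trips, and the worst case is 11,000, not 10,000,000. Against the weak AP, Pixie Dust needs zero round trips after the initial capture, which is why a lockout is no defence against it and disabling WPS is the only real fix.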

Key Components and Variants

WPS PIN: 8-digit numeric code. The last digit is a checksum derived from the first 7 digits using a simple algorithm. The protocol validates the first 4 digits and then the last 3 (plus checksum) separately.

WPS Push Button (PBC): A physical or virtual button that, when pressed, enables a 2-minute window for devices to connect without a PIN. Not vulnerable to PIN attacks but susceptible to physical access attacks.

WPS NFC: Uses near-field communication to exchange credentials. Less common.

Reaver: The most famous WPS brute force tool. It sends PIN attempts and listens for M5/M7 messages to determine correctness.

PixieWPS: Implements the Pixie Dust attack (Dominique Bongard, 2014), an offline attack that exploits weak or predictable E-S1/E-S2 nonces in some chipsets' WPS implementations, letting the PIN be recovered from a single captured M1-M3 exchange in seconds. This is distinct from default-PIN generators, which predict a vendor's factory PIN from the BSSID; that is a separate weakness in how some vendors chose PINs, not in the protocol exchange.

Indicators of a WPS Attack

High Number of WPS Failures: Router logs may show many failed WPS PIN attempts. Check router logs for entries like "WPS PIN authentication failed."

Router Lockout: Some routers temporarily disable WPS after a few failed attempts. This can cause connectivity issues.

Unexpected WPS LED Activity: On routers with a WPS LED, rapid blinking may indicate active WPS negotiation.

Network Anomalies: After a successful WPS attack, an attacker may connect to the network, leading to unusual traffic patterns or unknown MAC addresses.

Countermeasures

Disable WPS: The most effective countermeasure. On most routers, WPS can be disabled through the web interface. This prevents PIN attacks entirely.

Update Router Firmware: Some routers have patched the Pixie vulnerability. Always keep firmware up to date.

Use WPA3: WPS was specified for WPA/WPA2 only; a WPA3-only network cannot be joined through WPS, and Wi-Fi Easy Connect (DPP) is its replacement for easy onboarding. Check that the WPA2 side of a transition-mode network does not still expose WPS.

Enable WPS Lockout: If WPS must be used, ensure the router has a lockout feature that disables WPS after a few failed attempts for a long period (e.g., 5 minutes or more).

Monitor for Brute Force: Use intrusion detection systems (IDS) to detect multiple WPS failures from the same MAC address.
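As an added illustration that is not part of the chapter, here is what the weak configuration and the hardened one look like in hostapd.conf, the configuration file of the hostapd access-point daemon mentioned elsewhere on this page. The option names are hostapd's own; the SSID, passphrase and PIN are placeholders, and each half is a separate file (one hostapd instance reads one file), shown back to back for comparison.

```ini
# ---- WEAK (hostapd.conf as shipped on many consumer routers): WPA2-PSK, static WPS PIN, no PMF ----
interface=wlan0
driver=nl80211
ssid=CompanyWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder passphrase: strength is irrelevant while WPS is on, M7 hands it to whoever knows the PIN
wpa_passphrase=ChangeMe-LongRandomPassphrase
# hostapd's internal WPS registrar requires the built-in EAP server
eap_server=1
# wps_state=2 means WPS is configured and enabled; ap_pin is the static PIN Reaver/Pixie Dust go after
wps_state=2
ap_pin=12345670
# ieee80211w=0: management frames unprotected, so forged deauth frames are honoured
ieee80211w=0

# ---- HARDENED: WPA3-SAE, Protected Management Frames required, WPS off ----
interface=wlan0
driver=nl80211
ssid=CompanyWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=ChangeMe-LongRandomPassphrase
# sae_pwe=2: accept both hunting-and-pecking and hash-to-element (H2E) password elements
sae_pwe=2
# ieee80211w=2: PMF required, so deauth/disassoc must carry a valid MIC (WPA3 mandates this)
ieee80211w=2
# wps_state=0: WPS disabled; no PIN oracle and nothing for Pixie Dust to capture
wps_state=0
```

If WPA3-only is not yet possible, `wpa_key_mgmt=WPA-PSK SAE` with `ieee80211w=1` gives a transition-mode AP; remember that the WPA2 side is then still the Evil Twin target, and keep `wps_state=0` in either case.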

Real Command/Tool Examples

Evil Twin with airbase-ng and airodump-ng:

# Create a monitor interface
airmon-ng start wlan0
# Capture traffic to find target SSID
airodump-ng wlan0mon
# Set up rogue AP with same SSID (e.g., "CompanyWiFi")
airbase-ng -e "CompanyWiFi" -c 6 wlan0mon

Deauthentication attack to force clients to reconnect:

# Deauth all clients on the legitimate AP (BSSID: 00:11:22:33:44:55)
aireplay-ng -0 5 -a 00:11:22:33:44:55 wlan0mon

WPS PIN brute force with Reaver:

# Start Reaver against a target AP (BSSID: 00:11:22:33:44:55) on interface wlan0mon
reaver -i wlan0mon -b 00:11:22:33:44:55 -vv

PixieWPS attack (offline; the six values come from one captured M1-M3 exchange, e.g. from Reaver's verbose output):

# Use PixieWPS to attempt fast PIN recovery from captured values
pixiewps -e <PKE> -r <PKR> -s <E-Hash1> -z <E-Hash2> -a <AuthKey> -n <E-Nonce>
# Reaver can capture the values and run the Pixie Dust computation itself
reaver -i wlan0mon -b 00:11:22:33:44:55 -c 6 -K -vv
# Or use OneShot, which drives wpa_supplicant on a managed-mode interface (no monitor mode)
oneshot -i wlan0 -b 00:11:22:33:44:55 -K

Walk-Through

1. Evil Twin: Reconnaissance

The attacker scans for available Wi-Fi networks using a tool like Kismet or airodump-ng. They note the target SSID, BSSID (MAC address of the legitimate AP), channel, encryption type, and signal strength. They also observe the number of connected clients. This information helps the attacker mimic the network accurately. For example, if the target uses WPA2-Enterprise with PEAP, the attacker will need to set up a fake RADIUS server. The attacker may also capture a beacon frame from the legitimate AP to extract parameters like supported rates and capabilities, ensuring the rogue AP appears identical.

2. Evil Twin: Rogue AP Deployment

The attacker configures a wireless interface (e.g., wlan0) to act as an access point using tools like hostapd or airbase-ng. They set the SSID to match the target, choose the same channel (or a less congested one), and optionally set the same MAC address (MAC spoofing) to avoid detection by simple BSSID checks. The rogue AP is placed physically close to the target area or uses a high-gain antenna to ensure its signal is stronger than the legitimate AP. The attacker may also launch a deauthentication attack against the legitimate AP's clients to disconnect them, increasing the chance they reconnect to the rogue AP.

3. Evil Twin: Client Connection

When a client device disconnects from the legitimate AP (due to deauth or weak signal), it scans for available networks. The rogue AP's strong signal and identical SSID make it appear as the best candidate, and many devices reconnect to saved networks without user intervention. For open networks, the association is instant. For WPA2-PSK, the rogue AP cannot complete the 4-way handshake without the passphrase, so the attacker either captures the client's half of the handshake for offline cracking or presents an open clone with a captive portal that asks the user to re-enter the password. For WPA2-Enterprise, the attacker presents a fake RADIUS server that accepts any credentials and records what the supplicant sends, which for PEAP/MSCHAPv2 is a crackable challenge/response. Once a client finishes associating, the attacker has a connected victim.

4. Evil Twin: Traffic Interception

Once the client is connected, all network traffic passes through the rogue AP. Because the rogue AP runs its own DHCP server (dnsmasq is typical), it hands the client the attacker's machine as default gateway and DNS server, so no ARP or DHCP spoofing is needed; those tricks matter only when a rogue AP is bridged into the real LAN and the victim's traffic would otherwise bypass the attacker. Tools like Bettercap or mitmproxy can capture HTTP requests, inject JavaScript, or perform SSL stripping, and the attacker's DNS can point the user to phishing sites. Logs on the attacker's machine show the intercepted data. The user may notice nothing unusual, though HTTPS certificate warnings appear whenever the attacker's forged certificate is not trusted.

5. WPS Attack: Identify Target

The attacker scans for nearby Wi-Fi networks using a tool like Wash (part of the Reaver suite) to identify routers with WPS enabled. Wash listens passively for beacon and probe-response frames and parses the WPS information element. It outputs the BSSID, SSID, channel, WPS version, and whether WPS is currently locked. The attacker selects a target with WPS enabled and not locked. Some tools like OneShot can also perform this scan. The attacker notes the BSSID and channel for the next step.

6. WPS Attack: Brute Force PIN

The attacker runs Reaver against the target BSSID. For each first-half candidate, Reaver runs the registration exchange up to M4: the AP sends M1 (its Diffie-Hellman public key PKE and nonce), Reaver replies with M2 (PKR), the AP sends M3 (E-Hash1 and E-Hash2, commitments to the two PIN halves), and Reaver sends M4 containing R-Hash1/R-Hash2 for its guess. If the first half is correct the AP answers with M5; otherwise it NACKs and Reaver restarts with the next candidate. After the first half is found, Reaver sends second-half guesses in M6 and waits for M7. The online process typically takes 4-10 hours, longer if the AP rate-limits or locks. With the -K option Reaver (or PixieWPS fed the values from one M1-M3 capture) attempts the offline Pixie Dust computation instead, which succeeds in seconds on vulnerable chipsets. The attacker monitors the tool's output for the PIN and PSK.

7. WPS Attack: Obtain PSK

Once the second half is verified, the AP sends M7, which carries its current wireless settings including the WPA/WPA2 PSK; Reaver prints the PIN and the PSK at that point. Alternatively, the attacker can later join as an ordinary WPS Enrollee using the recovered PIN, in which case the AP's internal registrar delivers the same credential in M8. The attacker now has the Wi-Fi password and can connect to the legitimate network, bypassing the need for further authentication. The attacker can then perform internal network reconnaissance, launch attacks on other devices, or exfiltrate data.

What This Looks Like on the Job

Scenario 1: Evil Twin at a Coffee Shop

A security analyst at a large corporation notices that several employees who worked from a coffee shop reported the same symptoms: slow internet, frequent disconnects, and a certificate error when opening the company's webmail. The analyst reviews the managed laptops' Wi-Fi connection history and sees they joined a network named 'CoffeeShopWiFi', the venue's legitimate SSID, but the BSSID they associated with differs from the coffee shop's known AP. A colleague on site runs a wireless scanner like inSSIDer and sees two APs with the same SSID on different channels, one at -45 dBm (the rogue, near the seating area) and one at -75 dBm (the legitimate AP). The affected laptops also received a default gateway and DNS server outside the range the venue's AP hands out. The correct response starts from the certificate error: it means a TLS interception was attempted, so every password typed into that webmail page is treated as compromised, with forced resets and session revocation for those users, followed by notifying the venue and enforcing an always-on VPN on the laptops. The corporate WIPS cannot see or block an AP in a coffee shop, so the control has to live on the endpoint, not the office network. A common mistake is to assume the issue is a misconfigured venue AP and not investigate further, leaving the rogue AP active and the captured credentials unrotated.

Scenario 2: WPS Attack on a Home Router

A penetration tester is hired to assess the security of a small business's wireless network. The tester uses Wash to scan for WPS-enabled routers and finds one with WPS enabled and no lockout. Using Reaver, the tester begins a brute force attack. After about 6 hours, the PIN is recovered, and the WPA2 PSK is extracted. The tester then connects to the network and performs a vulnerability scan of internal devices, discovering an unpatched file server. The correct response for the business is to disable WPS immediately, change the Wi-Fi password, and ensure all router firmware is updated. A common mistake is to assume that because the WPA2 password is strong, the network is secure—ignoring the WPS vulnerability entirely. The tester's report should highlight that WPS is the weakest link.

Scenario 3: Evil Twin in a Corporate Environment

A SOC analyst detects an alert from the WIPS: a rogue AP with the same SSID as the corporate guest network has appeared on a different channel. The analyst uses the WIPS console to locate the rogue AP's physical position (via triangulation) and sends a technician to investigate. The technician finds a small device plugged into an Ethernet port in a conference room: a Raspberry Pi running hostapd and dnsmasq. The device is confiscated, and its logs show it captured several guest users' credentials via a fake captive portal. The correct response is to revoke the captured credentials, notify affected users, review physical security for unauthorized device access, and close the wired side as well, for example with 802.1X or MAC-based NAC on conference-room ports so an unknown device gets no upstream connectivity. A common mistake is to simply block the rogue AP's MAC address without investigating how it was physically connected, leaving the attacker able to deploy another device.

How SY0-701 Actually Tests This

What SY0-701 Tests on This Objective

For Objective 2.3, the exam expects you to analyze potential indicators of vulnerability exploits, specifically for wireless attacks. Key sub-objectives include:

Recognizing the indicators of an Evil Twin attack (duplicate SSIDs, unexpected MAC addresses, certificate warnings).

Understanding the WPS PIN vulnerability and why it is dangerous (the PIN split design flaw).

Knowing countermeasures: disable WPS, use WPA3, implement WIPS, use 802.1X with EAP-TLS.

Differentiating between Evil Twin and other wireless attacks like Rogue AP (a broader category) or Karma attack.

Common Wrong Answers and Why Candidates Choose Them

1.

"Evil Twin is the same as a Rogue AP." While an Evil Twin is a type of rogue AP, not all rogue APs are Evil Twins. A rogue AP is any unauthorized AP; an Evil Twin specifically impersonates a legitimate network's SSID. Candidates often confuse the terms.

2.

"Disabling SSID broadcast prevents Evil Twin attacks." Disabling SSID broadcast (hiding the network) does not prevent Evil Twin attacks because the SSID still appears in probe requests, probe responses, and association frames, so an attacker recovers it with a packet sniffer. Worse, clients that have a hidden network saved must actively probe for it by name wherever they go, which advertises the SSID to anyone listening and is exactly the behaviour a Karma-style rogue AP feeds on. This is a common trap.

3.

"WPS attack requires physical access to the router." The WPS PIN attack is performed wirelessly; the attacker only needs to be within range. The PIN is often printed on the router, but the attack does not require physical access. Candidates may think they need the sticker.

4.

"Using a strong WPA2 password makes WPS safe." WPS bypasses the WPA2 password entirely. Even if the password is 63 random characters, a successful WPS attack reveals the PSK. The password strength is irrelevant.

Specific Terms and Values

WPS PIN: 8 digits, last digit is checksum, split into two halves (first 4, then 3+checksum).

Reaver: The common brute force tool.

PixieWPS: Exploits a vulnerability in some routers to compute PIN in seconds.

Deauthentication Attack: Uses deauth frames (type 0x00, subtype 0x0C) to disconnect clients.

Karma Attack: Responds to any probe request, pretending to be any SSID.

WPA3: Uses SAE (Simultaneous Authentication of Equals) for mutual authentication, mitigating Evil Twin.

802.1X with EAP-TLS: Certificate-based authentication prevents rogue APs from impersonating the network.

Common Trick Questions

A question describes a scenario where a user sees two networks with the same name but different signal strengths. The question asks for the most likely attack. Answer: Evil Twin. Wrong answer: Rogue AP (too broad) or Karma (different mechanism).

A question describes a router with WPS enabled and a long, complex WPA2 password. The question asks for the easiest way to gain access. Answer: Perform a WPS PIN attack. Wrong answer: Brute force the WPA2 password (too time-consuming).

A question asks for the best defense against Evil Twin in an enterprise. Answer: Use 802.1X with EAP-TLS and a WIPS. Wrong answer: Disable SSID broadcast (ineffective).

Decision Rule for Eliminating Wrong Answers

When faced with a scenario question about wireless attacks, ask:

1. Is the attack exploiting trust in an SSID? -> Evil Twin or Karma. If the attacker responds to any probe, it's Karma; if it mimics a specific SSID, it's Evil Twin.

2. Is the attack exploiting a weak authentication protocol? -> WPS attack. Look for keywords like "PIN," "8-digit," "router button."

3. Is the attack using deauthentication frames? -> Often a precursor to Evil Twin, but the question may focus on the deauth itself.

4. Is the attack capturing credentials via a fake captive portal? -> Could be Evil Twin or a Rogue AP with a portal.

5. What is the best countermeasure? -> For WPS: disable it. For Evil Twin: use certificate-based authentication and WIPS.

Key Takeaways

Evil Twin attacks exploit trust in an SSID; the attacker sets up a rogue AP with the same SSID as a legitimate network.

WPS PIN attack exploits a design flaw where the 8-digit PIN is validated in two halves, reducing combinations to 11,000.

Reaver is the classic WPS brute force tool; PixieWPS can recover PINs in seconds on vulnerable routers.

Deauthentication attacks (using aireplay-ng) are often used to force clients to reconnect to an Evil Twin.

The best defense against Evil Twin is using WPA3 or 802.1X with EAP-TLS, plus a Wireless Intrusion Prevention System (WIPS).

The best defense against WPS attacks is to disable WPS entirely on all routers and access points.

Karma attacks differ from Evil Twin: Karma responds to any probe request, while Evil Twin targets a specific SSID.

Indicators of Evil Twin include duplicate SSIDs, unexpected BSSID, and certificate warnings on enterprise networks.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Evil Twin Attack

Impersonates a specific legitimate SSID

Uses the same network name to trick users

Often involves deauthentication to force reconnection

Designed for credential theft or MITM

Detection: duplicate SSIDs, unexpected BSSID

Rogue AP (General)

Any unauthorized access point on the network

May have a different SSID (e.g., 'Free WiFi')

May not impersonate any existing network

Could be for unauthorized access or policy violation

Detection: MAC address not in authorized list, physical location

Watch Out for These

Mistake

Evil Twin attacks only work on open (unencrypted) Wi-Fi networks.

Correct

Evil Twin attacks can target WPA2-PSK and WPA2-Enterprise networks as well. For WPA2-PSK, a rogue AP that lacks the passphrase cannot complete the 4-way handshake, so the attacker either deauthenticates clients, captures the handshake they send on reconnecting, and cracks the PSK offline, or sets up an open clone of the SSID with a captive portal that captures the password directly. For WPA2-Enterprise, the attacker presents a fake RADIUS server to capture credentials from supplicants that do not validate the server certificate.

Mistake

WPS is secure because the PIN is printed on the router and only accessible physically.

Correct

The WPS PIN attack is performed wirelessly. The attacker does not need to see the sticker; they can brute force the PIN over the air from anywhere in radio range. The PIN itself is never sent in the clear: what the protocol leaks is whether each half of a guess was correct (M5 or NACK, then M7 or NACK), and tools like Reaver turn that yes/no answer into a recovery in at most 11,000 attempts.

Mistake

If WPS is disabled, the router is immune to all wireless attacks.

Correct

Disabling WPS eliminates that specific vector, but the router may still be vulnerable to other attacks like Evil Twin, deauthentication, or KRACK (Key Reinstallation Attack) for WPA2. Defense in depth is required.

Mistake

A Karma attack is the same as an Evil Twin attack.

Correct

In a Karma attack, the rogue AP responds to any probe request from a client, pretending to be whatever network the client is looking for. In an Evil Twin attack, the rogue AP impersonates a specific known network. Karma is more opportunistic; Evil Twin is targeted.

Mistake

Using a VPN completely protects against Evil Twin attacks.

Correct

A VPN encrypts traffic between the client and the VPN server, and a correctly configured VPN authenticates that server, so the attacker cannot read or tamper with tunnelled traffic. What it does not cover is everything outside the tunnel: traffic the device sends before the tunnel comes up (or after it silently drops), anything the user types into a fake captive portal, DNS lookups that leak around the tunnel, and the deauthentication attack itself, which is denial of service at the radio layer. A VPN is a strong defense, strongest when it is always-on with a kill switch, but not absolute.

Frequently Asked Questions

How can I detect an Evil Twin attack on my network?

Use a wireless scanner like inSSIDer or Wireshark to look for multiple APs with the same SSID. Check for differences in BSSID (MAC address), channel, and signal strength. A rogue AP often has a stronger signal. On clients, check the default gateway and DNS settings; if they differ from expected, it may be an Evil Twin. Enterprise networks should use a WIPS that can automatically detect and block rogue APs by analyzing beacon frames and client associations.

Can WPS be hacked without physical access?

Yes, WPS PIN attacks are performed wirelessly. The attacker only needs to be within range of the router. Tools like Reaver send PIN attempts over the air. The PIN is not required to be seen physically; the attacker can brute force it. Some routers have a lockout feature, but many do not, or the attacker can spoof their MAC address to bypass lockout.

What is the difference between WPA2 and WPA3 regarding Evil Twin attacks?

WPA2-Personal's 4-way handshake does prove that both sides hold the same PMK, so a rogue AP without the passphrase cannot complete it. Its weakness is that a captured handshake can be brute-forced offline, so the Evil Twin playbook against WPA2-PSK is deauth-and-capture, or luring the user onto an open clone with a captive portal. WPA3-Personal uses Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange in which both sides prove knowledge of the password without revealing it, every exchange yields a fresh key (forward secrecy), and a captured exchange gives the attacker nothing to crack offline, so deauth-and-capture no longer pays. An open clone of the SSID still works against a user who accepts it, and in WPA2/WPA3 transition mode a rogue can offer the WPA2 side, so pair SAE with WPA3-only profiles on managed devices. For enterprise networks, 802.1X with EAP-TLS provides mutual authentication via certificates on both WPA2 and WPA3.

Is disabling SSID broadcast an effective defense against Evil Twin?

No. Disabling SSID broadcast (hiding the network) is not effective. The SSID is still transmitted in probe requests, probe responses, and association requests, and an attacker can discover it in minutes with a tool like airodump-ng. Hiding it actually helps the attacker: clients that have a hidden network saved must probe for it by name wherever they are, which advertises the SSID to every listener and lets a Karma-style rogue AP answer with it. Authentication of the network (server-certificate validation, WPA3) is what stops an Evil Twin, not obscurity.

What should I do if I suspect a WPS attack on my router?

Immediately disable WPS in the router's settings. Then change the Wi-Fi password (PSK) to ensure any attacker who obtained it is locked out. Check router logs for multiple failed WPS attempts. Update the router firmware to patch any known WPS vulnerabilities. If the router is old and vulnerable, consider replacing it with one that supports WPA3 or at least has a proper WPS lockout mechanism.

Can an Evil Twin attack happen on a WPA2-Enterprise network?

Yes. The attacker sets up a rogue AP with the same SSID and a fake RADIUS server that presents its own (often self-signed) certificate. Whether the user is protected depends entirely on the supplicant configuration: if the Wi-Fi profile validates the server certificate against a pinned CA and expected server name, the connection fails and no credentials are sent; if it is left to prompt the user or not validate at all, many users click through the warning and PEAP/MSCHAPv2 hands over a challenge/response the attacker cracks offline. To defend, push a managed Wi-Fi profile that enforces server-certificate validation (this applies to PEAP and EAP-TTLS, not only EAP-TLS), move to EAP-TLS so there is no password to capture, and deploy a WIPS to detect rogue APs.

What is the PixieWPS attack and why is it so fast?

PixieWPS implements the Pixie Dust attack (Dominique Bongard, 2014). During WPS the AP commits to each PIN half with E-Hash1 and E-Hash2, which are HMACs over a secret nonce (E-S1, E-S2), the key derived from that half, and the two Diffie-Hellman public keys. Those nonces are supposed to be 128-bit random values; on many Ralink/MediaTek chipsets they are all zeros, and on some Realtek and Broadcom chipsets they come from weak pseudo-random generators whose state can be recovered from the public E-Nonce or a tiny seed space. With the nonces known, the attacker brute-forces the 10,000 + 1,000 half-candidates against the captured hashes entirely offline, which takes seconds and never trips the AP's lockout. Not all routers are vulnerable; it depends on the chipset and firmware.
