802.11 PROTOCOL INTELLIGENCE

WLAN Threats - Attack Reference

802.11 protocol design decisions from 1997 created attack surfaces that took decades to close. Understanding these threats at the protocol level - not just as tool names - is the difference between configuring against them and understanding why the configuration works.

CWSP Domain IEEE 802.11 / MITRE ATT&CK Wi-Fi

Every 802.11 attack exploits a design decision made in 1997. Most work because management frames were never required to be authenticated until 802.11w in 2009. Knowing which protocol gap each attack targets is how you configure against it rather than just naming it.

// quick wireshark filters - attack detection
wlan.fc.type_subtype == 0x0c
    Deauth frames. Burst from spoofed BSSID = deauth flood attack.
eapol && eapol.keydes.type == 2
    EAPOL-Key frames - PMKID in M1. Capture even one to run hashcat mode 22000.
wlan.bssid != aa:bb:cc:00:00:00 && wlan.ssid == "TargetSSID"
    Same SSID, different BSSID = possible evil twin. Substitute the real BSSID. (Older Wireshark releases name this field wlan_mgt.ssid.)
wlan.fc.type_subtype == 0x0b && wlan.fixed.auth.alg == 3
    SAE commit frames. High rate without confirm = Dragonblood commit flood.
wlan.fc.type_subtype == 0x08
    Beacons. Sequential different BSSIDs at rapid rate = beacon flood (MDK4).
wlan.fc.retry == 1 && eapol
    Retransmitted EAPOL frames. M3 retry = potential KRACK nonce-reuse attempt.
Full filter reference → /wireshark-filters
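Added example (not code from the page): the deauth-flood, evil-twin and SAE-commit-flood signatures behind the filters above, implemented over constructed frame records whose fields mirror the Wireshark field names. The AP inventory, BSSIDs and thresholds are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Managed SSID -> BSSIDs of our own APs (constructed inventory, not from the page).
KNOWN_BSSIDS = {"CorpWiFi": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}}

# Constructed frame records, not captured traffic. Field names mirror the
# Wireshark fields in the filters above: sub = wlan.fc.type_subtype,
# alg/seq = wlan.fixed.auth.alg / authentication transaction sequence number.
FRAMES = (
    [{"t": 0.1 * i, "sub": 0x08, "bssid": "aa:bb:cc:dd:ee:01", "ssid": "CorpWiFi"} for i in range(10)]  # real AP beacons
    + [{"t": 0.1 * i + 0.05, "sub": 0x08, "bssid": "02:de:ad:be:ef:01", "ssid": "CorpWiFi"} for i in range(10)]  # unknown BSSID, same SSID
    + [{"t": 0.5 + 0.002 * i, "sub": 0x0c, "bssid": "aa:bb:cc:dd:ee:01"} for i in range(40)]  # deauth burst spoofing the real BSSID
    + [{"t": 0.6 + 0.01 * i, "sub": 0x0b, "alg": 3, "seq": 1, "sa": "de:ad:be:ef:00:01"} for i in range(30)]  # SAE commits, no confirms
)

def evil_twin_candidates(frames, known=KNOWN_BSSIDS):
    """Beacons advertising a managed SSID from a BSSID that is not in the inventory
    (the wlan.bssid != <known> && wlan.ssid == "<managed>" filter)."""
    return {(f["ssid"], f["bssid"]) for f in frames
            if f["sub"] == 0x08 and f.get("ssid") in known and f["bssid"] not in known[f["ssid"]]}

def deauth_flood(frames, window=1.0, threshold=20):
    """BSSIDs sending more than `threshold` deauth frames (subtype 0x0c) in any `window` seconds."""
    times = defaultdict(list)
    for f in frames:
        if f["sub"] == 0x0c:
            times[f["bssid"]].append(f["t"])
    hits = set()
    for bssid, ts in times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):  # sliding window over sorted timestamps
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                hits.add(bssid)
                break
    return hits

def sae_commit_flood(frames, max_unconfirmed=10):
    """STAs whose SAE commits (alg 3, seq 1) outnumber their confirms (seq 2) by more than the limit."""
    commits, confirms = Counter(), Counter()
    for f in frames:
        if f["sub"] == 0x0b and f.get("alg") == 3:
            (commits if f["seq"] == 1 else confirms)[f["sa"]] += 1
    return {sa for sa, n in commits.items() if n - confirms[sa] > max_unconfirmed}

if __name__ == "__main__":
    print("evil twin candidates:", evil_twin_candidates(FRAMES))
    print("deauth flood from:", deauth_flood(FRAMES))
    print("SAE commit flood from:", sae_commit_flood(FRAMES))
```

A second BSSID with the same SSID is normal inside a multi-AP ESS, which is why the evil-twin check compares against an inventory rather than flagging every duplicate SSID.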
2 Critical - Full traffic decryption or credential capture
5 High - Significant impact; requires active mitigation
2 Medium - DoS or partial impact; important in dense environments

Evil Twin / Rogue AP

Severity: Critical | Year: 2003+
Vector: Attacker broadcasts cloned SSID with stronger signal or forced deauth to lure clients
Impact: Full MITM - captures credentials, injects content, decrypts HTTP sessions
HOW IT WORKS

Hostapd + dnsmasq creates a rogue AP matching target SSID. MDK4 deauths clients from legitimate AP. Clients auto-associate to evil twin. HTTP intercepted via SSLstrip. HTTPS requires separate cert downgrade or HSTS bypass.

MITIGATIONS
WPA3-SAE - no offline crack of captured traffic
802.1X EAP-TLS with server cert validation prevents MITM
WIPS wired-side correlation detects SSID on unexpected port
HSTS preloading + DoT/DoH bypasses SSLstrip
PCAP SIGNATURE

Client associates to AP with same SSID but different BSSID MAC OUI. Beacon interval or capability mismatch vs legitimate AP. Wireshark: two Beacon streams from different BSSIDs with identical SSID.

wlan.bssid != aa:bb:cc:dd:ee:ff && wlan.ssid == "TargetSSID"

Deauth / Disassoc Flood

Severity: High (fixed by 802.11w) | Year: Pre-2009
Vector: Inject spoofed Deauth or Disassoc frames with victim BSSID and STA MACs
Impact: DoS - continuous client disconnections and reconnection storms
HOW IT WORKS

aireplay-ng --deauth or MDK3/MDK4 broadcast deauth. Attacker spoofs AP BSSID (src) and FF:FF:FF:FF:FF:FF or specific STA (dst). Without PMF, AP and STA accept unsigned management frames. Clients immediately disconnect and retry.

MITIGATIONS
PMF (802.11w) encrypts unicast Deauth/Disassoc under PTK
WPA3 mandates PMF (MFPR=1) - cannot connect without PMF
Broadcast deauth protected by IGTK + BIP (AES-128-CMAC)
Rate-limiting deauth on AP to detect flood
PCAP SIGNATURE

High rate of Deauth frames (FC subtype 12) from AP BSSID to broadcast or specific STA. Reason Code 3 = leaving BSS. MDK4 signature: sequential Deauth bursts at precise intervals.

wlan.fc.type_subtype == 12

PMKID Attack

Severity: High | CVE: unclear (Steube, 2018) | Year: 2018
Vector: Capture EAPOL M1 frame containing PMKID; run hashcat offline dictionary attack
Impact: PSK passphrase recovery without capturing 4-Way Handshake - no client needed
HOW IT WORKS

PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || Client MAC). PMK = PBKDF2-SHA1(passphrase, SSID, 4096). Attacker sends EAPOL M1 without completing auth. hcxdumptool captures PMKID from a single frame. hashcat mode 22000 attacks at billions of hashes/sec on GPU.

MITIGATIONS
WPA3-SAE removes the passphrase-derived PMKID - the SAE PMK is session-unique, so a captured PMKID gives nothing to crack offline
Enforce long random passphrases (20+ chars)
Private SSID names (not dictionary words) slow PBKDF2 precompute
Transition Mode (WPA2+WPA3) still exposes PMKID for WPA2 clients
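Added example (not code from the page): the PMK and PMKID derivation written out from the formulas in HOW IT WORKS, checked against the IEEE 802.11 PSK test vector, plus a check of the SSID-as-salt point behind the passphrase and SSID mitigations. The MAC addresses in the usage block are constructed.

```python
import hashlib
import hmac

# Added example, not the page's own code: WPA2-PSK PMK and PMKID derivation
# written out from the formulas in the section above.

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-SHA1(passphrase, SSID, 4096 iterations), 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, bssid: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || BSSID || STA MAC): the first 16 bytes
    of the HMAC-SHA1 tag. Every input except the PMK is visible in the M1 frame."""
    aa = bytes.fromhex(bssid.replace(":", ""))
    spa = bytes.fromhex(sta_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def spec_test_vector_ok() -> bool:
    """IEEE 802.11 PSK test vector: passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa2_pmk("password", "IEEE").hex() == expected

def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID is the PBKDF2 salt: the same passphrase on two SSIDs yields two
    different PMKs, so a precomputed table only ever covers one SSID."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)

if __name__ == "__main__":
    # Constructed MAC addresses for illustration.
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK   :", pmk.hex())
    print("PMKID :", pmkid(pmk, "aa:bb:cc:dd:ee:ff", "02:11:22:33:44:55").hex())
    print("spec test vector matches:", spec_test_vector_ok())
```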
PCAP SIGNATURE

EAPOL-Key M1 (Key Info: ACK=1, Pairwise=1) from AP to client, then no M2 response (attacker disconnects). PMKID is in EAPOL Key Data of M1.

eapol && eapol.keydes.type == 2

KRACK (Key Reinstallation)

Severity: Critical | CVE-2017-13077 through CVE-2017-13086 | Year: 2017
Vector: Replay 4-Way Handshake M3 to force nonce reset and key reinstallation on client
Impact: CCMP/GCMP nonce reuse → keystream reuse → full traffic decryption and injection
HOW IT WORKS

Attacker sits between STA and AP (channel-based MitM). Replays M3 - client reinstalls already-used PTK, resetting Packet Number (PN) to 0. CCMP: nonce reuse recovers keystream via XOR. TKIP: worse - authentication key also recoverable. GCMP: nonce reuse leaks authentication key entirely.

MITIGATIONS
Patch client OS and AP firmware (2017-2018 patches fix nonce reuse)
WPA3-SAE: per-session PMK limits blast radius even if nonce reused
PMF required with WPA3 - prevents M3 relay in some scenarios
HTTPS/TLS over Wi-Fi limits impact even if decrypted
PCAP SIGNATURE

Duplicate EAPOL M3 frames (same content, same sequence) from AP. Client PN reset to 0 visible in subsequent encrypted data frames (PN counter goes backward).

eapol && wlan.fc.retry == 1

Dragonblood (WPA3-SAE)

Severity: High | CVE-2019-9494 / CVE-2019-9496 | Year: 2019
Vector: SAE Hunting-and-Pecking timing side-channel; SAE commit flooding DoS
Impact: Partial password recovery via timing oracle; AP CPU exhaustion via commit flood
HOW IT WORKS

H&P loop iterations vary based on password bits → timing differences reveal password bits. Cache side-channel via flush+reload on shared system. DoS: attacker sends SAE commit frames without completing exchange → exhausts AP state table (before anti-clogging tokens).

MITIGATIONS
WPA3-Rev1: SSWU (Simplified SWU) constant-time curve point generation replaces H&P
Anti-clogging token (ACT): AP issues token before accepting commit - rate-limits state creation
Update AP firmware to post-Dragonblood patches (mid-2019+)
PCAP SIGNATURE

High rate of SAE commit frames (Auth Algorithm=3, Seq=1) without corresponding confirms. Anti-clogging token response changes the Auth frame body structure.

wlan.fc.type_subtype == 11 && wlan.fixed.auth.alg == 3

KARMA Attack

Severity: High | Year: 2004
Vector: Rogue AP responds to any directed Probe Request with a matching SSID
Impact: Mass auto-connection of devices to rogue AP using remembered SSID list
HOW IT WORKS

Devices probe for remembered SSIDs using directed Probe Requests. Karma-enabled AP (hostapd-wpe) responds to all probes with matching SSID. Devices auto-associate. Combined with PEAP credential harvesting (hostapd-wpe captures inner MSCHAPv2 credentials).

MITIGATIONS
iOS/Android: randomized probe requests + null SSID probing (partial mitigation)
802.1X with EAP-TLS server cert validation blocks credential harvest
Disable auto-join on open and public SSIDs
WPA3-only SSIDs + OWE (Opportunistic Wireless Encryption) for open networks
PCAP SIGNATURE

Rogue AP responds to directed probes for multiple different SSIDs - a legitimate AP only responds to its configured SSIDs. Probe response BSSID does not match any known infrastructure AP.

wlan.fc.type_subtype == 5

Beacon Flood

Severity: Medium | Year: Pre-2010
Vector: Inject thousands of Beacon frames with random SSIDs to fill client scan lists
Impact: DoS - client scan tables overloaded; legitimate APs displaced from scan results
HOW IT WORKS

MDK3/MDK4 --beacon-flood or mdk4 b mode generates Beacon frames at high rate with randomised BSSIDs and SSIDs. Fills client Preferred Network Lists. Some clients crash or exhibit high CPU due to scan list overflow. Can be used as cover for evil twin deployment.

MITIGATIONS
802.11w PMF does not protect Beacon frames (not a management frame class covered)
WIPS signature detection: beacon frames with sequential fake BSSIDs, non-standard IEs
Rate-limiting scan responses on managed clients
PCAP SIGNATURE

Beacon bursts from many unique BSSIDs in rapid succession. OUI range may be sequential or random (locally administered bit set in MAC = random). Very short intervals between beacons from the same BSSID.

wlan.fc.type_subtype == 8

Rogue DHCP + DNS Spoofing

Severity: High | Year: Classic
Vector: After association, serve malicious DHCP offer with attacker-controlled DNS + gateway IP
Impact: Full DNS MITM - all hostname resolutions redirected to attacker-controlled IPs
HOW IT WORKS

Race condition: attacker DHCP server responds faster than legitimate DHCP. Options 3 (gateway) and 6 (DNS) point to attacker. dnsmasq on rogue AP handles DNS queries and returns forged A records. SSLstrip or custom forged pages served at resolved IPs.

MITIGATIONS
DHCP snooping on managed switches drops unauthorized DHCP offers
DNS-over-HTTPS (DoH) / DNS-over-TLS (DoT) bypasses DHCP DNS injection
802.1X identity enforcement prevents unauthorized device association
DNSSEC validation (rarely enforced by default on clients)
PCAP SIGNATURE

Multiple DHCP Offer frames from different source MACs for the same DHCPDISCOVER. Client selects first offer received. Compare DHCP option 6 (DNS) against known infrastructure IP ranges.

bootp.option.dhcp == 2
(Wireshark 3.0 and later renamed the bootp fields: use dhcp.option.dhcp == 2.)

EAPOL Silence Attack

Severity: Medium | Year: Ongoing
Vector: Capture EAPOL M2 from client; block M3 from AP; force full re-auth cycle
Impact: Repeated auth failures, connectivity disruption, exposure of additional handshake material
HOW IT WORKS

Selective jamming of EAPOL M3 from AP forces client to time out and retry, producing additional M1/M2 pairs containing different SNonces. Multiple SNonce captures enable cryptanalysis. Also used to force downgrade from WPA3 to WPA2 on transition-mode networks.

MITIGATIONS
PMF (802.11w) does not directly address EAPOL jamming
WPA3-SAE prevents SNonce-based attacks (each SAE produces unique PMK)
Detect repeated EAPOL sequences from same STA in short window - WIPS signature
PCAP SIGNATURE

Multiple EAPOL M1→M2 pairs from same STA+BSSID without M3→M4 completion. High retry rate on EAPOL frames. Look for pattern: M1, M2, M1(retry), M2(retry) repeating.

eapol && eapol.keydes.key_info.key_ack == 1
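Added example (not code from the page) covering both EAPOL signatures above: the KRACK pattern (a repeated M3 followed by the client's packet number going backwards) and the EAPOL silence pattern (M1/M2 pairs repeating with no M3). The frame log, station names and thresholds are constructed.

```python
from collections import defaultdict

# Constructed frame log, not a real capture (added example, not from the page).
# Each entry is (time, sta, bssid, kind, value): kind "eapol" carries the
# 4-Way Handshake message number 1..4; kind "data" carries the CCMP packet
# number (PN) of an encrypted data frame sent by the STA.
LOG = [
    # sta1: normal handshake, then data frames with increasing PN
    (0.00, "sta1", "ap1", "eapol", 1), (0.01, "sta1", "ap1", "eapol", 2),
    (0.02, "sta1", "ap1", "eapol", 3), (0.03, "sta1", "ap1", "eapol", 4),
    (0.10, "sta1", "ap1", "data", 1), (0.11, "sta1", "ap1", "data", 2),
    # sta1: a second M3 arrives and the PN restarts: key reinstallation signature
    (0.20, "sta1", "ap1", "eapol", 3), (0.21, "sta1", "ap1", "eapol", 4),
    (0.22, "sta1", "ap1", "data", 1),
    # sta2: M1/M2 repeating with no M3/M4 ever completing (EAPOL silence signature)
    (1.00, "sta2", "ap1", "eapol", 1), (1.01, "sta2", "ap1", "eapol", 2),
    (1.50, "sta2", "ap1", "eapol", 1), (1.51, "sta2", "ap1", "eapol", 2),
    (2.00, "sta2", "ap1", "eapol", 1), (2.01, "sta2", "ap1", "eapol", 2),
]

def pn_reset_after_repeated_m3(log):
    """(sta, bssid) pairs whose data-frame PN goes backwards after a second M3.
    A lone M3 retransmission is normal (lost M4); a PN that goes backwards is not."""
    hits, m3_count, last_pn = set(), defaultdict(int), defaultdict(int)
    for _, sta, ap, kind, val in sorted(log):
        key = (sta, ap)
        if kind == "eapol" and val == 3:
            m3_count[key] += 1
        elif kind == "data":
            if m3_count[key] > 1 and val <= last_pn[key]:
                hits.add(key)
            last_pn[key] = val
    return hits

def incomplete_handshakes(log, window=5.0, min_attempts=3):
    """(sta, bssid) pairs with at least `min_attempts` M2s inside `window` seconds
    and no M3 at all: the M1, M2, M1, M2 ... pattern described above."""
    m2_times, has_m3 = defaultdict(list), defaultdict(bool)
    for t, sta, ap, kind, val in sorted(log):
        if kind == "eapol" and val == 2:
            m2_times[(sta, ap)].append(t)
        elif kind == "eapol" and val == 3:
            has_m3[(sta, ap)] = True
    return {key for key, ts in m2_times.items() if not has_m3[key] and any(
        ts[i + min_attempts - 1] - ts[i] <= window for i in range(len(ts) - min_attempts + 1))}

if __name__ == "__main__":
    print("KRACK-style PN reset:", pn_reset_after_repeated_m3(LOG))
    print("EAPOL silence pattern:", incomplete_handshakes(LOG))
```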

Root Cause Analysis - Protocol Design Gaps

Gap: Unsigned management frames (pre-802.11w)
Enables: Deauth flood, Disassoc flood, Beacon flood, Evil Twin deauth step
Fix: 802.11w PMF encrypts unicast Deauth/Disassoc under PTK. WPA3 mandates PMF.

Gap: No mutual authentication in WPA2-PSK
Enables: Evil Twin, KARMA, PMKID attack
Fix: 802.1X EAP-TLS with server cert validation provides mutual auth. WPA3-SAE eliminates offline crack.

Gap: Deterministic PMK derivation from passphrase
Enables: PMKID attack, offline dictionary attacks on captured handshakes
Fix: WPA3-SAE: PMK derived from live Dragonfly exchange - no offline attack possible.

Gap: EAPOL M3 retransmission without nonce protection
Enables: KRACK key reinstallation
Fix: Patched in OS/firmware: enforce key installation only once, treat retransmitted M3 as error.

Gap: Probe request broadcasts reveal remembered SSIDs
Enables: KARMA attack, location tracking
Fix: Randomized probe requests (iOS since 2014, Android 10+). Null-SSID passive scanning.