WiFi & Bluetooth Hacking
Wireless attack platforms for WiFi evil twin attacks, deauth, BLE tracking, and Bluetooth exploitation.
WiFi Attack Landscape
WiFi security has evolved from the easily-cracked WEP to WPA2 and now WPA3. Each generation has introduced new vulnerabilities, and the tools to exploit them have become increasingly sophisticated — and increasingly accessible.
WiFi Security Evolution
Protocol Year Encryption Status ────────────────────────────────────────────────── WEP 1997 RC4 Broken in minutes WPA 2003 TKIP/RC4 Deprecated, vulnerable WPA2 2004 AES-CCMP KRACK attack (2017) WPA3 2018 SAE/GCMP Dragonblood (2019) 802.11w 2009 PMF Management frame protection
WiFi Attack Tools
Aircrack-ng Suite
The foundational WiFi auditing framework. A complete suite of tools for assessing WiFi network security — from packet capture to WEP/WPA cracking.
- airmon-ng: Put wireless adapter into monitor mode
- airodump-ng: Capture 802.11 frames — discover networks and clients
- aireplay-ng: Generate traffic — deauth attacks, fragmentation attacks, injection
- aircrack-ng: Crack WEP keys (PTW attack) and WPA/WPA2 handshakes (dictionary/brute-force)
- airbase-ng: Create rogue access points and evil twin attacks
WiFi Pineapple ($100-600)
Hak5's dedicated penetration testing platform. A purpose-built rogue access point with a web-based management interface for WiFi attacks.
- Evil Twin: Clone legitimate APs and lure clients to connect
- Credential harvesting: Intercept usernames, passwords, and session cookies
- Recon: Map nearby networks, clients, and probe requests
- Packages: Extensible via community modules (Nmap, Metasploit integration)
- Models: Tetra (dual radio), Mark VII (latest), Nano (portable)
Common WiFi Attacks
- Deauthentication: Send forged deauth frames to disconnect clients from the network (802.11 management frame injection)
- Evil Twin: Create a fake AP with the same SSID as a legitimate network — clients connect to the attacker
- Handshake capture: Capture the 4-way WPA handshake and crack it offline with dictionary or brute-force attacks
- PMKID attack: Capture PMKID from AP without client association — crack WPA2 without waiting for a client to connect
- WEP cracking: Collect enough IVs (initialization vectors) and crack the key statistically (PTW attack)
- Client isolation bypass: Exploit weaknesses in AP configuration to communicate between isolated clients
- KRACK: Exploit WPA2 key reinstallation vulnerability to decrypt traffic
Bluetooth & BLE Hacking
Ubertooth One ($120)
Great Scott Gadgets' open-source 2.4 GHz tool for Bluetooth research. Sniffs Bluetooth Classic and BLE packets, analyzes frequency hopping, and provides raw 2.4 GHz spectrum access.
- Bluetooth Classic: Sniff BR/EDR connections, analyze pairing
- BLE: Capture advertising packets, track devices, analyze GATT profiles
- Spectrum analysis: View 2.4 GHz activity across all channels
- Software: Ubertooth tools, Wireshark BLE plugin, Bettercap
BLE Attack Tools
- nRF Connect (Mobile): Scan, connect, and interact with BLE devices
- Bettercap: WiFi and BLE sniffing, MITM, and tracking
- GATTacker: Clone and impersonate BLE GATT servers
- Sweyntooth: BLE vulnerabilities in popular devices (keyboard injection, spoofing)
- BIAS: Bluetooth Impersonation AttackS — spoof legitimate devices
WiFi Security Best Practices
- Use WPA3: SAE handshake is resistant to offline dictionary attacks
- Strong passwords: WPA2 is only as strong as the passphrase — use 12+ random characters
- Disable WPS: WiFi Protected Setup is vulnerable to brute-force PIN attacks
- Management frame protection: Enable 802.11w to prevent deauth attacks
- Network segmentation: Guest networks should be isolated from internal resources
- Monitor for rogue APs: Use wireless IDS to detect evil twin attacks