WiFi & Bluetooth Hacking

Wireless attack platforms for WiFi evil twin attacks, deauth, BLE tracking, and Bluetooth exploitation.

Period2001 - Present

WiFi Attack Landscape

WiFi security has evolved from the easily-cracked WEP to WPA2 and now WPA3. Each generation has introduced new vulnerabilities, and the tools to exploit them have become increasingly sophisticated — and increasingly accessible.

WiFi Security Evolution

Protocol  Year  Encryption    Status
──────────────────────────────────────────────────
WEP       1997  RC4           Broken in minutes
WPA       2003  TKIP/RC4     Deprecated, vulnerable
WPA2      2004  AES-CCMP      KRACK attack (2017)
WPA3      2018  SAE/GCMP      Dragonblood (2019)
802.11w   2009  PMF           Management frame protection

WiFi Attack Tools

Aircrack-ng Suite

The foundational WiFi auditing framework. A complete suite of tools for assessing WiFi network security — from packet capture to WEP/WPA cracking.

  • airmon-ng: Put wireless adapter into monitor mode
  • airodump-ng: Capture 802.11 frames — discover networks and clients
  • aireplay-ng: Generate traffic — deauth attacks, fragmentation attacks, injection
  • aircrack-ng: Crack WEP keys (PTW attack) and WPA/WPA2 handshakes (dictionary/brute-force)
  • airbase-ng: Create rogue access points and evil twin attacks

WiFi Pineapple ($100-600)

Hak5's dedicated penetration testing platform. A purpose-built rogue access point with a web-based management interface for WiFi attacks.

  • Evil Twin: Clone legitimate APs and lure clients to connect
  • Credential harvesting: Intercept usernames, passwords, and session cookies
  • Recon: Map nearby networks, clients, and probe requests
  • Packages: Extensible via community modules (Nmap, Metasploit integration)
  • Models: Tetra (dual radio), Mark VII (latest), Nano (portable)

Common WiFi Attacks

  • Deauthentication: Send forged deauth frames to disconnect clients from the network (802.11 management frame injection)
  • Evil Twin: Create a fake AP with the same SSID as a legitimate network — clients connect to the attacker
  • Handshake capture: Capture the 4-way WPA handshake and crack it offline with dictionary or brute-force attacks
  • PMKID attack: Capture PMKID from AP without client association — crack WPA2 without waiting for a client to connect
  • WEP cracking: Collect enough IVs (initialization vectors) and crack the key statistically (PTW attack)
  • Client isolation bypass: Exploit weaknesses in AP configuration to communicate between isolated clients
  • KRACK: Exploit WPA2 key reinstallation vulnerability to decrypt traffic

Bluetooth & BLE Hacking

Ubertooth One ($120)

Great Scott Gadgets' open-source 2.4 GHz tool for Bluetooth research. Sniffs Bluetooth Classic and BLE packets, analyzes frequency hopping, and provides raw 2.4 GHz spectrum access.

  • Bluetooth Classic: Sniff BR/EDR connections, analyze pairing
  • BLE: Capture advertising packets, track devices, analyze GATT profiles
  • Spectrum analysis: View 2.4 GHz activity across all channels
  • Software: Ubertooth tools, Wireshark BLE plugin, Bettercap

BLE Attack Tools

  • nRF Connect (Mobile): Scan, connect, and interact with BLE devices
  • Bettercap: WiFi and BLE sniffing, MITM, and tracking
  • GATTacker: Clone and impersonate BLE GATT servers
  • Sweyntooth: BLE vulnerabilities in popular devices (keyboard injection, spoofing)
  • BIAS: Bluetooth Impersonation AttackS — spoof legitimate devices

WiFi Security Best Practices

  • Use WPA3: SAE handshake is resistant to offline dictionary attacks
  • Strong passwords: WPA2 is only as strong as the passphrase — use 12+ random characters
  • Disable WPS: WiFi Protected Setup is vulnerable to brute-force PIN attacks
  • Management frame protection: Enable 802.11w to prevent deauth attacks
  • Network segmentation: Guest networks should be isolated from internal resources
  • Monitor for rogue APs: Use wireless IDS to detect evil twin attacks

Timeline

2001AirSnort — first practical WiFi WEP cracking tool released
2004Aircrack-ng suite becomes the standard WiFi auditing framework
2007WiFi Pineapple launched — dedicated rogue access point for penetration testing
2008Ubertooth One — open-source 2.4 GHz Bluetooth sniffer and research tool
2011Fern Wifi Cracker — automated wireless attack tool for Linux
2017Krack attack demonstrates WPA2 protocol vulnerability (Key Reinstallation Attack)
2018ESP8266/ESP32 become popular for WiFi deauth and attack tools
2019Dragonblood vulnerabilities discovered in WPA3
2020WiFi Pineapple Mark VII released — modern penetration testing platform
2024WiFi 7 (802.11be) introduces new attack surfaces and security considerations