Man in the middle attacks on wireless networks.

How Wireless Networks Work

Wireless networks (Wi-Fi) operate on a shared radio medium governed by the 802.11 protocol suite. Unlike wired networks where each host has a dedicated physical connection to a switch port, wireless clients share the same airspace — every station within range can hear every transmission on a given channel.

Association and Authentication

A client joins a wireless network through a multi-step process:

1. Probing: The client broadcasts probe request frames asking for known SSIDs. The access point (AP) replies with probe response frames.
2. Authentication: A lightweight 802.11 authentication exchange (distinct from WPA/WPA2 authentication — this is a legacy handshake that is essentially a no-op for open networks and a formality for encrypted networks).
3. Association: The client sends an association request; the AP responds with an association response. The client is now a station on the BSS (Basic Service Set).
4. Key exchange: For WPA/WPA2 networks, the 4-way handshake negotiates encryption keys using the pre-shared key (PSK). For WPA3, Simultaneous Authentication of Equals (SAE) replaces the PSK-based handshake.

The Trust Problem

802.11 management frames — probes, beacons, authentication, and association — are unauthenticated and unencrypted by default. Any device can transmit a beacon claiming to be any SSID. Any device can respond to any probe request. Any device can send deauthentication frames to any station, using only the MAC address of the AP as the spoofed source.

This is the root vulnerability that makes wireless MITM attacks possible — and it exists at Layer 2, below the IP/ARP layers that wired MITM attacks must contend with.

Shared Medium, Shared Pain

On a wireless network, the AP broadcasts all frames to all associated stations. Each client's Wi-Fi card is supposed to discard frames not addressed to its MAC. However:

• An attacker can place a wireless card in monitor mode, which disables MAC filtering and passes all observed frames to the CPU. This reveals Layer 1–2 information (MAC addresses, signal strength, probe requests) but not Layer 3+ payloads — those remain encrypted under the WPA session keys.
• An attacker who knows the network passphrase and captures the 4-way handshake can derive the session keys and decrypt all traffic for that session.
• An attacker already associated with the same AP as the target can use a monitor-mode virtual interface (monitor vif) to capture frames addressed to other stations, though this is lossy and unreliable compared to a true MITM position.

Because the medium is shared, wireless MITM attacks operate primarily at Layer 2 (802.11 frames) rather than Layer 3 (ARP), though ARP spoofing remains useful post-association for controlling traffic flow through the attacker's relay.

Classic Approaches (2000s)

These techniques flourished when WEP was common, WPA2-PSK was emerging, client OSes broadcasted probe requests aggressively, and 802.11w (Protected Management Frames) did not exist.

Evil Twin

The original wireless MITM attack. The attacker creates a rogue access point broadcasting the same SSID as a legitimate network. If the attacker's signal is stronger, or if the legitimate AP is temporarily unavailable, clients may associate with the rogue AP instead.

The classic Evil Twin requires the attacker to know the target SSID in advance. It is a targeted attack — one SSID, one impersonation. The attacker provides DHCP, DNS, and gateway services to the victim, gaining full control of the network layer.

Legitimate AP        Rogue AP (Evil Twin)
     |                     |
     |     (deauth)        |
     X <------------------ |  ← Attacker deauths client from legitimate AP
     |                     |
                           | ← Client reconnects to rogue AP
                           |
                     [Attacker relays traffic to internet]

Classic Tools

• airbase-ng (part of aircrack-ng): Creates a rogue AP from a single wireless interface. airbase-ng -e "LegitWiFi" -c 6 wlan0mon
• aireplay-ng: Sends deauthentication frames to kick clients off the legitimate AP.

Deauthentication Attack

A deauthentication attack is not a MITM attack on its own — it is the enabling technique for wireless MITM. The attacker spoofs 802.11 deauthentication frames with the MAC address of the legitimate AP, targeting a specific client or all clients on the network. The client disconnects and begins scanning for a network to rejoin. If a rogue AP with the same SSID is available (and has a stronger signal), the client associates with the attacker.

Because deauthentication frames are management frames, they are unauthenticated (prior to 802.11w). The attacker only needs the AP's MAC address, which is visible to any monitor-mode interface.

Classic tool: aireplay-ng -0 0 -a [AP_MAC] -c [CLIENT_MAC] wlan0mon sends continuous deauths.

KARMA

KARMA, developed by Dino dai Zovi and Shane Macaulay (~2004–2005), weaponizes the client's own probe requests. Instead of impersonating a single known SSID (Evil Twin), KARMA listens for probe requests from nearby devices — which broadcast the names of every network they've ever connected to — and responds to all of them, instantly impersonating whatever network each device is looking for.

This is a mass-capture attack. At a busy airport or conference, dozens of devices can be ensnared simultaneously with zero prior knowledge of their preferred networks.

KARMA Mechanism

1. Attacker places a wireless card in monitor mode and passively captures all probe requests.
2. For each probe request received, the attacker's rogue AP immediately transmits a matching beacon frame.
3. The client, recognizing a "known" network, automatically associates.
4. The attacker provides DHCP/DNS/gateway services.

Classic tool: hostapd-karma, a modified version of the standard hostapd daemon.

ARP Spoofing on Wireless

Once an attacker has joined the same wireless network as the target (whether legitimately or via Evil Twin/KARMA), ARP spoofing works identically to wired ARP spoofing. The shared wireless medium makes it theoretically possible to capture frames addressed to other stations using monitor mode, but this is lossy and unreliable — ARP spoofing ensures the attacker controls the traffic flow rather than passively sampling it.

See MITM/Wired and MITM/ARP Poisoning for the full ARP spoofing playbook. Tools: arpspoof, Ettercap, Bettercap.

Modern Approaches (2010s–Present)

Modern wireless MITM is defined by purpose-built hardware platforms, sophisticated probe-response frameworks that defeat passive-scanning countermeasures, and attacks targeting the WPA3 transition.

WiFi Pineapple

The Wifi Pineapple is a dedicated hardware platform by Hak5 that transformed wireless MITM from a multi-tool command-line exercise into a point-and-click operation. Originally released in 2008, it has evolved through seven major hardware revisions (Mark I through Mark VII).

The Pineapple integrates KARMA, deauthentication, SSL stripping, captive-portal phishing, and credential harvesting into a single pocket-sized device with a web-based interface. It is the most recognizable wireless penetration testing tool in existence.

PineAP Suite

Starting with the Mark V (2014), the Pineapple's attack framework evolved into PineAP, a modular suite that subsumes and extends KARMA:

• Log Probes — Continuously sniffs and logs all probe requests from nearby clients.
• PineAP Daemon — Responds to probe requests as classic KARMA did, with refined targeting controls.
• Dogma — Aggressively broadcasts beacons for all previously-seen SSIDs (loud mode).
• Beacon Response — Responds individually to probes with matching beacons.
• Capture — Harvests WPA handshake frames for offline cracking.

The Pineapple's combination of KARMA, SSLStrip, and a captive-portal engine makes it a complete rogue-AP platform. For full details, see the Wifi Pineapple page.

MANA (Modified Advanced Next-generation Attack)

MANA, presented at DEF CON 22 (2014) by Dominic White and Ian de Villiers, extends KARMA to defeat modern OS countermeasures that reduced directed probe request verbosity (iOS, Android, Windows all moved toward passive scanning):

• Loud Mode: The rogue AP actively broadcasts beacons for every SSID it has ever seen in any probe request — no client probing needed.
• Stealth Mode: Selectively responds only to SSIDs previously captured, reducing noise and evading WIDS.
• EAP Credential Harvesting: Via the Wireless Pwnage Edition (WPE), captures credentials from devices configured for WPA2-Enterprise networks.
• Snoopy: Device fingerprinting and tracking.

Implementation: hostapd-mana

Bettercap (WiFi Module)

Bettercap's WiFi module brings modern, modular MITM to wireless. Capabilities include:

• Rogue AP creation with WPA/WPA2 support
• Deauthentication attacks
• PMKID capture for WPA3-incompatible cracking
• Clientless monitoring (passive traffic analysis without joining the network)
• Integrated HTTP/HTTPS proxy for traffic manipulation post-association

Example: sudo bettercap -eval "set wifi.interface wlan0; wifi.recon on; wifi.deauth *"

PMKID Attack

Discovered in 2018 by Jens "atom" Steube (hashcat developer), the PMKID attack exploits a feature of WPA/WPA2 Roaming. When a client attempts to connect, many APs include a PMKID (Pairwise Master Key Identifier) in the EAPOL frame from the first message of the 4-way handshake — before the handshake completes. The PMKID is derived from the PMK (which is derived from the passphrase), the AP MAC, the client MAC, and a salt.

An attacker can request the PMKID from an AP without any clients present, capture it, and attempt to crack it offline. This is faster than capturing a full 4-way handshake because:

• No client needs to be connected or deauthenticated.
• Only a single frame from the AP is required.

Tool: hcxdumptool + hashcat (hash mode 22000).

WPA3 Transition Mode Attacks

WPA3 mandates SAE (Simultaneous Authentication of Equals), which is resistant to offline dictionary attacks. However, WPA3 networks commonly operate in Transition Mode, where both WPA2-PSK and WPA3-SAE are accepted on the same SSID to support legacy clients.

An attacker can:

1. Set up a rogue AP broadcasting the target SSID with WPA2-only support (no WPA3).
2. Deauthenticate clients from the legitimate AP.
3. Clients reconnect to the rogue AP using WPA2.
4. Capture the WPA2 4-way handshake and crack the passphrase offline.

This is a downgrade attack that bypasses WPA3's protections entirely when transition mode is enabled. Tools: airbase-ng, hostapd-wpe, WiFi Pineapple.

Rogue AP with Captive Portal

A modern evolution of the Evil Twin that adds a captive portal — a fake login page that mimics the legitimate network's splash screen, a social media login, or a corporate SSO page. When the victim connects, they are presented with the portal and prompted for credentials.

Tools: wifiphisher (automated phishing scenarios), Fluxion (captive portal + deauth, uses social engineering to obtain the Wi-Fi password itself).

Multi-Channel MITM

Modern wireless attackers with dual-radio setups (like the WiFi Pineapple Mark VII or a laptop with two wireless adapters) can operate on two channels simultaneously:

• Radio 1: Connects to the legitimate AP as a client (upstream internet).
• Radio 2: Hosts the rogue AP for victims (downstream).

This eliminates the need for a separate upstream connection (Ethernet, cellular) and makes the attack fully self-contained.

Defenses

Client-Side

• Disable auto-connect for open networks: The single most effective OS-level defense against KARMA and Evil Twin. On iOS, Android, Windows, and macOS, toggle "Auto-Join" or "Connect Automatically" off for untrusted networks.
• Audit your Preferred Network List (PNL): Remove SSIDs for public or one-time networks you no longer use. Every SSID in your PNL is a potential target for KARMA.
• Use a VPN: An always-on VPN encrypts all traffic before it reaches the attacker's gateway. Even if the device connects to a rogue AP, the attacker sees only encrypted tunnel traffic.
• Prefer WPA3: WPA3's SAE handshake resists offline dictionary attacks and makes rogue AP impersonation harder (the rogue AP must know the password to complete the handshake).
• Enable MAC address randomization: Default on modern iOS and Android; reduces tracking across probe requests.
• Disable Wi-Fi when not in use: Stops probe request broadcasting.

Enterprise

• 802.1X / WPA2-Enterprise / WPA3-Enterprise: Requires RADIUS authentication with server certificates. A rogue AP cannot present a valid certificate and the client will refuse to connect.
• 802.11w (Protected Management Frames): Authenticates deauthentication and disassociation frames, neutralizing deauth-based attacks. Required for WPA3 certification; optional for WPA2. Supported on most modern APs and clients.
• Wireless Intrusion Detection Systems (WIDS): Monitors for rogue AP signatures — a single device responding to probes for multiple SSIDs, unexpected deauthentication floods, or association events on unknown BSSIDs. Platforms: Cisco CleanAir, Aruba RFProtect, Aircrack-ng + custom rules.
• MDM Wi-Fi profiles: Restrict managed devices to pre-configured, verified networks only. Disable auto-join for all other SSIDs.
• Disable WPA3 Transition Mode: If all clients support WPA3, disable transition mode to eliminate the downgrade attack vector.

Network Monitoring

• Kismet: Wireless network detector and sniffer that can identify rogue APs by fingerprinting beacon patterns and probe response behavior.
• ARPWatch: Detects ARP table changes that indicate ARP spoofing post-association.

Nutshell: Classic vs. Modern

Related Pages

• MITM/Wired — Man in the middle on wired networks, with the same classic/modern structure
• Karma — Deep dive on the KARMA attack mechanism and tools
• Wireless Pineapple — The Hak5 hardware platform for wireless penetration testing
• MITM/Evil Twin — Walkthrough of a classic Evil Twin attack with Ettercap
• MITM/ARP Poisoning — ARP spoofing fundamentals (applicable post-association on wireless)
• SSLStrip — Downgrading HTTPS to HTTP during MITM
• Bettercap — Modern MITM framework with WiFi module
• Kali/Wireless Reboot — Practical wireless attack workflows on Kali

Links

• Hak5 WiFi Pineapple documentation: https://documentation.hak5.org/
• hostapd-mana (SensePost): https://github.com/sensepost/hostapd-mana
• wifiphisher project: https://wifiphisher.org/
• PMKID attack (hashcat forums): https://hashcat.net/forum/thread-7717.html
• 802.11w / Protected Management Frames: IEEE 802.11w-2009

Flags

monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker. MITM Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired Layer 1 and 2 MITM Attacks: MITM/Layer 1 and 2 Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin  · MITM/Evil Twin Layer 3 and 4 MITM Attacks: MITM/Layer 3 and 4 Traffic Sniffing: MITM/Sniffing ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS Layer 5 MITM Attacks: Session Hijacking: MITM/Session Hijacking Toolz: Ettercap  · Bettercap  · MITMf  · EvilFOCA Wireshark  · Aircrack Dsniff  · Arpspoof  · Dnsspoof SSLSniff  · SSLStrip  · Frankencert Driftnet  · Karma MITM Labs: {{MITMLabs}} Category:MITM  · Category:Attacks  · Category:Kali Attack Layers Template:MITMLabs  · Template:MITMFlag Flags  · Template:MITMFlag  · e

Wireless all things wireless. Wireless  · Category:Wireless Software: Scapy Flags  · Template:WirelessFlag  · e