Nine Ghost Protocol nodes down. One name left on the list: Ghost-Writer, the Syndicate's disgraced propagandist, holed up on a private island off the coast — the last human link to the Grand Master's real identity. His only connection to the outside world is GhostNet_5G, a single WPA2-Personal router with one client: his own laptop.
There is no server to breach here, no code to inject. Just a radio signal and a password. His phone and laptop trust any router broadcasting the name GhostNet_5G — they never check whether it's the same physical router twice. Whichever access point shouts that name the loudest wins the reconnection.
RAVEN has been running OSINT on Ghost-Writer's socials for a week. Quarterly password rotations, same format every time. We do not need to touch his router. We need to become it.
THE EVIL TWIN COFFEE SHOP
CHILD-LEVEL EXPLANATION
Imagine a phone that connects to networks based only on their name. Now imagine two networks with the same name. One is real. One is fake but stronger.
The phone cannot tell the difference and connects to the fake one.
If your phone connects to whichever signal is loudest, not whichever router is genuinely his — what would you need to fake to become "the real one"?
INTERCEPTED — WATCHDOG COMMS
12:44 UTC
GHOST-WRITER
"Island network is air-gapped. WPA2-Personal with a strong passphrase. No guest network. I rotate the password every quarter. Nobody is getting into this network."
RAVEN
Shadow — Ghost-Writer rotates his password quarterly. His last rotation was 3 months ago. OSINT from his public social media shows the pattern: daughter name plus year. Amara2019, Amara2020, Amara2021. Current quarter, current year. He has never changed the format. Build the wordlist. Set up the evil twin. His laptop will reconnect automatically — he will not notice a thing.
MISSION OBJECTIVES
01
TARGET: Ghost-Writer's island network GhostNet_5G — WPA2-Personal (one shared PSK), one client, passphrase pattern leaked via OSINT
02
EXPLOIT: Deauth his laptop, capture the 4-way handshake on reconnect, then crack the PSK offline against your wordlist — never touching the real router
03
SWEEP: Build the attack chain — classify which aircrack-ng parameters help or hurt handshake capture and cracking
04
WIN: Capture the field flag, then lock it down — the one authentication upgrade that makes handshake capture useless, not just harder
⚠ ETHICAL NOTICE: Evil Twin attacks and WPA2-Personal handshake cracking are covered by wireless security, CEH, OSCP, and professional network security training. All interactions are fully simulated. Real wireless testing requires explicit written authorisation.
🔧 UNDER THE HOOD▼
THE ATTACK — STEP BY STEP
Evil Twin + WPA2 handshake capture — clone a trusted SSID, force a reconnect, then crack the shared key offline:
# 1. Survey the target network in monitor mode:
airmon-ng start wlan0
airodump-ng wlan0mon
# BSSID CH ENC ESSID
# AA:BB:CC:11:22:33 36 WPA2 GhostNet_5G
# 2. Lock onto the channel and start writing a capture file:
airodump-ng -c 36 --bssid AA:BB:CC:11:22:33 -w ghostnet wlan0mon
# 3. Deauth the client so it is forced to reconnect (targeted, not broadcast):
aireplay-ng -0 5 -a AA:BB:CC:11:22:33 -c <CLIENT_MAC> wlan0mon
# 4. Capture confirms the 4-way handshake on reconnect:
[ CH 36 ] WPA handshake: AA:BB:CC:11:22:33
# 5. Crack the PSK offline — no further contact with the real router:
aircrack-ng -w wordlist.txt ghostnet-01.cap
The 4-way handshake contains a value derived from the Pairwise Master Key, which is itself derived from the shared passphrase (PSK). Because every client uses the same PSK, one captured handshake is enough to test unlimited password guesses completely offline, with no rate limiting and no trace on the real network.
COMMON VARIATIONS
1. Captive portal evil twin — instead of cloning WPA2, broadcast an open "free WiFi" AP with a fake login page (hostapd + a phishing captive portal) that harvests credentials directly, no handshake cracking needed.
# hostapd.conf (open rogue AP):
ssid=GhostNet_5G
channel=36
# dnsmasq redirects all DNS to the captive portal IP
2. KARMA / MANA attacks — respond to every probe request a phone broadcasts ("is HomeWiFi here? is Starbucks here?") by claiming to BE that network, so devices auto-connect to whichever SSID they already trust, no cloning of one specific target required.
3. WPA2-Enterprise downgrade — if a client isn't configured to validate the RADIUS server's certificate, a rogue AP can impersonate the enterprise network and harvest the client's real credentials directly, bypassing PSK-cracking entirely.
HOW TO DEFEND
WPA3-SAE (Simultaneous Authentication of Equals) replaces WPA2's PSK-derived handshake with a zero-knowledge proof exchange — it does not expose a value that can be tested offline against a wordlist, so a captured exchange alone is not enough to crack the password:
# Force WPA3-only on a router (disables the vulnerable WPA2 fallback):
# hostapd.conf:
wpa=2
wpa_key_mgmt=SAE
ieee80211w=2 # Management Frame Protection — blocks the deauth frames
# this whole attack depends on
# Enterprise networks: per-user certificates instead of a shared PSK
# so no single captured handshake compromises every user:
wpa_key_mgmt=WPA-EAP
ieee8021x=1
Management Frame Protection (802.11w) specifically closes the door this operation walked through — deauth frames are unauthenticated in classic WPA2, which is why they can be forged at all. With 802.11w enabled, the access point and client sign management frames, so a forged deauth is rejected before it can force a reconnect.
⚡ CYBER RANGE — ACTIVE ENVIRONMENT
LIVE
TARGET
ghostnet-ap.nexus-global.int
IP ADDRESS
10.47.1.19
OS / SERVER
Kali Linux · hostapd 2.10 · dnsmasq 2.89
KEY SERVICES
Rogue SSID "NEXUS_CORPORATE" · Open auth · Captive portal
ATTACK SCOPE
Deauth + captive-portal credential capture in scope
ATTACKER NODE
shadow@sigma9 · 10.99.0.1
📋 ROOM TASKS
01
✓
Understand how evil twin APs intercept credentials via deauth
02
▶
Execute the deauth attack and capture portal credentials
03
○
Classify which wireless configurations resist evil twin attacks
04
○
Identify the WPA3-Enterprise + certificate-pinning fix
05
○
Submit the capture-the-flag token
🚩
CAPTURE THE FLAG
Complete the exploit lab. The flag appears below once Phase 2 is done. Copy and submit it here for +50 XP.
PHASE 01
CRACK THE HANDSHAKE
EXPLOIT
SIGMA-9 CAPTURE LOG — HOW WE FOUND IT
02:47 UTC
> surveyed the island RF with the adapter in monitor mode — airodump-ng sweep
> GhostNet_5G on channel 36, WPA2-PSK (CCMP), one client: his laptop
> FOUND: a personal pre-shared key — crackable offline once we own the handshake
MENDAX: "WPA2-Personal hands everyone the same key. Capture the four-way handshake once and we can guess at it forever, offline, on our own hardware. We never touch his router again."
MENDAX — THE PLAN
LIVE
MENDAX
We're going to lock airodump onto his channel and start writing capture files. Then we knock his laptop off with a couple of deauth frames — when it reconnects, it hands us the 4-way handshake. That's all we need.
$ airodump-ng -c 36 --bssid AA:BB:CC:11:22:33 -w ghostnet wlan0mon
$ aireplay-ng -0 5 -a AA:BB:CC:11:22:33 -c CLIENT_MAC wlan0mon
# deauth forces the laptop to re-handshake — we catch it mid-air
[ CH 36 ] Waiting for WPA handshake: AA:BB:CC:11:22:33
MENDAX
Once the handshake lands in that .cap file, the attack goes fully offline. We throw our wordlist at it and let the GPU grind — Ghost-Writer's network will never know we were there.
$ aircrack-ng -w ghostwriter.txt ghostnet-01.cap
# testing each OSINT candidate offline — no connection to his router neededTesting key 1/50...
MENDAX
Your move, Shadow. When Ghost-Writer arrives at the island, his laptop is going to reconnect automatically. We just need to be ready. First — tell me why WPA2-Personal hands us this opportunity in the first place.
RAVEN
ENCRYPTED
MENDAX has the tools staged. The deauth frames are ready. The capture file is open. When Ghost-Writer's laptop reconnects to GhostNet_5G, we'll catch the 4-way handshake mid-air — without ever touching his router.
It will work because GhostNet_5G runs WPA2-Personal: one shared password for everyone, and OSINT has already narrowed his passphrase to daughter-name-plus-year. Capture the handshake once and we can test it forever, on our own hardware, with the network none the wiser.
Before MENDAX hits send — what is the fundamental weakness of WPA2-Personal that makes this possible?
TAP AN ANSWER — EXPLANATION APPEARS IMMEDIATELY
RAVEN — HINT (−20 XP)
Think about what the 4-way handshake actually proves, and what it doesn't hide. It proves both sides know the password, without ever transmitting the password itself. But it does that using a value derived FROM the password — and that derived value can be recomputed offline for any password guess. The handshake was never designed to survive being captured by someone who isn't part of the network.
✓
WPA2-PERSONAL WEAKNESS UNDERSTOOD
WPA2-Personal gives every device on the network the same pre-shared key. That single shared secret is what makes offline cracking possible: capture one handshake from any client, and you can test unlimited password guesses on your own hardware, at your own pace, with zero further contact with the router.
Simple version: It's not that the lock is weak — the maths behind WPA2 is solid. It's that everyone in the building was handed a copy of the same key. Steal one copy, and you can try it against the door as many times as you want, in private, with nobody watching.
The router cannot rate-limit or lock out an offline attack — because the attack never touches the router again after the handshake is captured.
Real world: A 2019 study of 70 million WiFi networks found 19% used passwords that appear in public wordlists — 29% for residential networks specifically. Most home WiFi passwords are set once, never rotated, and often built from publicly guessable personal details.
📶
THE WPA2 4-WAY HANDSHAKE
When a device connects to a WPA2 network, it performs a 4-way handshake with the router. This exchange mathematically proves both sides know the password — without either side transmitting the password itself. The handshake uses a nonce (random number) from each side combined with the password to generate session keys.
The vulnerability: the handshake can be captured passively from the air. Once captured, an attacker can test password guesses offline — each guess takes microseconds to verify against the captured handshake.
WPA2-Enterprise uses individual per-user certificates instead of a shared password — making offline cracking impossible because there is no shared secret to guess. WPA3 uses Simultaneous Authentication of Equals (SAE), which is resistant to offline dictionary attacks even if the handshake is captured. Home networks rarely use either.
PHASE 02
NETWORK PROBE — ANALYSE GHOSTNET_5G
INTERACTIVE
Handshake captured from the boat. Before we send the deauth and force Ghost-Writer's device to reconnect, we need to understand exactly which of his network's properties guarantee we'll win.
RAVEN
ENCRYPTED
RAVEN has scanned GhostNet_5G from the boat offshore. Before setting up the evil twin, we need to understand four key characteristics of Ghost-Writer's network.
For each characteristic, answer whether it helps our attack or hurts it — and why. All four must be analysed before we deploy the rogue access point.
MISSION OBJECTIVEFour characteristics of Ghost-Writer's GhostNet_5G network listed below. For each one, expand and decide: does it help us capture and crack the handshake, or does it make the attack harder? Correctly classify all 4 to deploy the evil twin.
CHARACTERISTICS ANALYSED
0 of 4 analysed
RAVEN — HINT (−20 XP)
For each network characteristic: does it help us capture the handshake or crack the password? Think about what the Evil Twin Attack requires at each step.
✓
ALL SCENARIOS ANALYSED — BLIND SPOTS MAPPED
All four characteristics confirmed: SSID known and clonable, WPA2-Personal with guessable shared password, OSINT wordlist narrowed to under 100 candidates, device auto-reconnects to strongest SSID match. Ghost-Writer has created the perfect target profile. One deauth. One reconnect. One handshake captured. Done in under 30 seconds.
Simple version: We know what to call our fake coffee shop (SSID). His laptop connects automatically (auto-reconnect). There is no doorman to check ID (no router authentication). And we already know his password from his Facebook posts (OSINT wordlist).
Real-world scale: A 2019 study of 70 million WiFi networks found that 19% used passwords that appeared in publicly available wordlists. In residential networks the figure was 29%. Most home WiFi passwords are set once and never changed — often based on memorable personal details that are publicly visible on social media.
☢
OFFLINE PSK CRACKING — FULL MECHANICS
The WPA2 4-way handshake is a mathematical exchange that proves both sides know the password without either side transmitting it. It works using nonces — random numbers — combined with the password through a key derivation function (PBKDF2-SHA1, 4096 rounds).
The output is session keys. But the handshake packets themselves — captured from the air — contain enough to verify whether a password guess is correct. The attacker runs guesses through the same derivation function and checks if the output matches. No connection to the router needed. No rate limiting. Pure offline computation.
The 4096-round PBKDF2 was designed to be slow — making each guess take time. On CPU: ~10,000 guesses/second. On a consumer GPU (RTX 4090): ~500,000 guesses/second. Against a targeted 50-word OSINT list: done in 0.0001 seconds regardless of hardware. The math is strong. The password was the problem.
PHASE 03
CLASSIFY THE ATTACK PARAMETERS
CLASSIFY
GhostNet_5G vulnerability profile complete. Now we configure the full Evil Twin chain — ten parameters that determine whether the attack succeeds or stalls on the water.
RAVEN
ENCRYPTED
RAVEN is configuring the Evil Twin attack chain. Each tool setting or condition either helps us capture and crack the handshake (HELPS ATTACK) or hurts our chances (HURTS ATTACK).
Tap a parameter, then classify it. All 10 must be correctly classified before we deploy.
📋WORKED EXAMPLE — HOW TO READ AN ATTACK PARAMETER
Before you classify, study this example. Each parameter either makes the Evil Twin attack easier to execute (HELPS ATTACK) or makes it fail outright (HURTS ATTACK).
EXAMPLE PARAMETER
"Target uses WPA2-Personal — one shared password for all devices"
ASK YOURSELF:
Does this let us capture a handshake and crack it offline? Yes — the shared PSK is what makes offline testing possible.
▲ HELPS ATTACK
Because: a shared password means one captured handshake can be tested offline against every wordlist guess. No rate limiting. No lockout. Pure math on our own hardware.
Now classify the remaining 10 parameters using the same method ›
TAP A PRACTICE — THEN CLASSIFY IT
Select an attack parameter above
▲ HELPS ATTACK
▼ HURTS ATTACK
RAVEN — HINT (−20 XP)
HELPS: anything that makes it easier to capture the handshake or crack the password — known SSID, auto-reconnect, deauth, OSINT wordlist, GPU cracking speed. HURTS: anything that makes handshake capture or cracking impossible — WPA2-Enterprise (no shared password), WPA3 SAE (offline cracking resistant), random 25-char password (wordlist useless).
✓
ALL PRACTICES CORRECTLY CLASSIFIED
All 10 parameters classified. Ghost-Writer network is a perfect target: SSID clonable, WPA2-Personal with shared password, device auto-reconnects, OSINT wordlist already built. Evil twin deployed, deauth sent, handshake captured in 18 seconds.
Simple version: We have the fake shop name (SSID). His device trusts us automatically (auto-reconnect). We forced him to walk in (deauth). We caught the secret handshake (4-way capture). Now we guess his key offline at half a million guesses per second.
Real aircrack-ng command: aircrack-ng -a2 -b AA:BB:CC:DD:EE:FF -w amara_wordlist.txt ghostnet_capture.cap — Tests every entry in the wordlist against the captured handshake. Match found = password recovered.
📶
CRACKING SPEED — WHY GPU MATTERS
WPA2 handshake cracking requires computing PBKDF2-SHA1 with 4096 iterations per password guess — deliberately slow to resist cracking. A CPU manages roughly 5,000-10,000 guesses per second. A consumer GPU (RTX 4090) manages 500,000-1,000,000 per second.
Against a targeted OSINT wordlist of 50 candidates: even a CPU cracks it in milliseconds. Against a full dictionary of 15 million words: CPU takes 30 minutes, GPU takes 15 seconds. Against a truly random 25-character password: no hardware on earth cracks it in any reasonable timeframe.
hashcat rule-based attacks extend wordlists by applying transformations — capitalise first letter, add digits, substitute letters for symbols (a=@, e=3). A base wordlist of 1,000 OSINT candidates becomes 50,000 variations with basic rules. Ghost-Writer password Amara2019 would be found in the first 10 guesses from our targeted list.
PHASE 04
THE ONLY FIX THAT SURVIVES OSINT
DEFENSE
Handshake captured. Wordlist running. Ghost-Writer still watching the sea. Before we close, one question: which single control would have made the handshake useless to us regardless of what OSINT found?
RAVEN — FINAL DEBRIEF
LAST PHASE
Handshake captured. aircrack-ng testing wordlist now. Ghost-Writer is watching the sea from his window — unaware.
RAVEN: "Shadow — Ghost-Writer believed a memorable password was enough. He rotated quarterly. He never told anyone the format. But he posted it on Facebook in 2019 without knowing. Which single change would have made this attack fail completely — regardless of how good our OSINT was?"
MISSION OBJECTIVESelect the one defensive change that makes the Evil Twin attack chain fail at its root — not just slower or harder, but structurally impossible. The correct answer closes Operation Evil Echo.
WHICH FIX SURVIVES THE EVIL TWIN ATTACK?
RAVEN — HINT (−20 XP)
Think about the root cause: the handshake can be captured and tested offline forever. The fix must make offline testing impossible — not just slow. Which option prevents offline dictionary attacks at the protocol level, regardless of what password is chosen?
► INTEL — OP-19 // OPERATION EVIL ECHO
TARGET: NEXUS Wi-Fi Infrastructure
Classification: TOP SECRET // Campaign 3 Ghost Protocol
MENDAX — CHANNEL BRIEFING
PRE-OP
MENDAX
The NEXUS corporate SSID uses WPA2-Personal with a passphrase that was never rotated from the default. A rogue AP with a stronger signal causes devices to deauthenticate and reconnect to us.
📓
OWASP CLASSIFICATION
INTEL
Network attack: Rogue AP combined with WPA2 4-way handshake capture allows offline dictionary/brute-force attack on the passphrase. PMKID attack doesn't require deauth.
⚖
GLOSSARY TERMS: WPA2, Rogue AP, Evil Twin, Deauthentication Attack, PMKID, 4-Way Handshake, WPA3, EAP, 802.1X. All terms auto-logged to your Field Manual as you encounter them.
ACADEMY — EVIL TWIN AND WPA2 ATTACKS
CLONE THE ROUTER. CATCH THE HANDSHAKE.
BEGINNERWhat Is the Evil Twin Attack?›
The Evil Twin Attack creates a fake WiFi access point that impersonates a legitimate one. The attacker clones the target SSID, forces devices off the real router using deauthentication frames, and captures the WPA2 4-way handshake when devices automatically reconnect. The captured handshake is cracked offline.
WPA2-Personal vulnerability: all devices share one password. The handshake can be tested against wordlists at 500,000+ guesses per second on consumer hardware. A password based on a name and year falls in under a second against a targeted list.
The encryption (AES-CCMP) is not broken — the password is the weakness.
Real world — DEF CON Wall of Sheep: Every year, DEF CON's "Wall of Sheep" project passively captures WPA2 handshakes and credentials from conference attendees' devices connecting to look-alike or unencrypted networks, then displays partially-redacted results on a public screen. Year after year, a meaningful share of captured passphrases crack in seconds against standard wordlists — a live demonstration that the human habit of reusing predictable passwords, not the WPA2 protocol itself, is the weak link.
Step 2 — Target capture:
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon — lock onto target and write all packets to capture file.
Step 3 — Deauthenticate:
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon — send 10 deauth frames to the target device. It disconnects and reconnects.
Step 4 — Handshake confirmed:
airodump-ng shows WPA handshake: AA:BB:CC:DD:EE:FF in top-right when the 4-way handshake is captured to the .cap file.
Step 5 — Crack offline:
aircrack-ng -a2 -b AA:BB:CC:DD:EE:FF -w wordlist.txt capture.cap — tests each wordlist entry against the handshake. Match = password found.
EXPERTDefences — WPA3, Passwords, Enterprise›
WPA3-SAE — the correct fix:
Simultaneous Authentication of Equals replaces the WPA2 pre-shared key handshake. Each authentication uses a unique ephemeral key — capturing the handshake gives the attacker nothing they can test offline. Brute-force requires live interaction with the AP.
Strong random passwords on WPA2:
A truly random 20-character WPA2 password (upper, lower, digits, symbols) takes thousands of years to crack at 1M guesses/second. The password must be truly random — not a word, name, or predictable pattern. Use a password manager to generate and store it.
WPA2-Enterprise:
Per-user certificates replace the shared password entirely. No shared secret = nothing to guess offline. Requires a RADIUS authentication server — practical for businesses, impractical for homes.
Disable WPS:
WiFi Protected Setup PIN mode has a separate vulnerability (Reaver attack) — the 8-digit PIN can be cracked in hours. Disable WPS entirely on any router running WPA2.
Notable incidents:
2019 — DEF CON WiFi Village evil twin demo, 23 devices auto-connected
2022 — Multiple enterprise breaches via rogue AP in parking lots
2023 — WPA2 handshakes published in bulk from wardriving datasets
2022 Uber breach (WiFi component): An attacker positioned near Uber offices used an evil twin AP to capture employee WiFi credentials. Combined with MFA fatigue attacks, this contributed to the breach of Uber internal systems. The attacker was 18 years old and used publicly available tools. WPA2-Personal on corporate WiFi was identified as a contributing factor in the post-incident report.
REAL-WORLD TOOLS — WIFI SECURITY TESTING
WHAT PROFESSIONALS USE
📶
Aircrack-ng Suite
FREE / OPEN SOURCE
The standard WiFi security auditing suite. airmon-ng enables monitor mode. airodump-ng captures packets. aireplay-ng sends deauth frames. aircrack-ng cracks WPA2 handshakes against wordlists. Pre-installed on Kali Linux.
GPU-accelerated password cracker. Converts WPA2 .cap files to hashcat format and cracks at 500,000-1,000,000 guesses per second on consumer GPU. Supports rule-based attacks to expand wordlists with common variations.
Wireless access point daemon modified for penetration testing. Creates evil twin access points that impersonate legitimate networks. Used to capture WPA2 handshakes and conduct credential harvesting attacks on enterprise networks.
Swiss army knife for network attacks. Combines WiFi probing, evil twin creation, HTTPS downgrade, and credential capture in one framework. Modern replacement for ettercap with a web-based interface and active development.