Printable one-page quick reference guides for WiFi security fundamentals, attack detection, and defense strategies.
MalwareZero Research Team
Updated April 2026
Cheatsheet 1: "Am I Safe on Public WiFi?" Decision Tree
┌──────────────────────────────────────────────────────────────────────┐
│ AM I SAFE ON PUBLIC WiFi? — DECISION TREE │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ START: Are you on public WiFi? ─────────────────────────────────┐ │
│ (coffee shop / hotel / airport / coworking space) │ │
│ │ │ │
│ ┌───────────────┴───────────────┐ │ │
│ │ │ │ │
│ YES NO │ │
│ │ │ │ │
│ ▼ ▼ │ │
│ ┌─────────────────────┐ ┌──────────────────────────────┐ │ │
│ │ Do you have a VPN │ │ You're on a private network. │ │ │
│ │ running? │ │ Risk depends on: │ │ │
│ │ │ │ • Who else is on it │ │ │
│ │ ┌──────┐ ┌─────────┐ │ │ • Your encryption strength │ │ │
│ │ │ YES │ │ NO │ │ │ • Router security posture │ │ │
│ │ └──┬───┘ └────┬────┘ │ │ → Generally LOW risk if │ │ │
│ │ │ │ │ │ WPA2/WPA3 + strong pwd │ │ │
│ │ │ │ │ └──────────────────────────────┘ │ │
│ │ │ │ │ │ │
│ │ ▼ ▼ │ │ │
│ │ ┌──────────────┐ │ │ │
│ │ │ LOW-MODERATE │ │ │ │
│ │ │ RISK │ │ │ │
│ │ │ │ │ │ │
│ │ │ VPN encrypts │ │ │
│ │ │ traffic to │ │ │
│ │ │ VPN server. │ │ │
│ │ │ Timing/volume│ │ │
│ │ │ still visible│ │ │
│ │ └──────────────┘ │ │ │
│ │ │ │ │ │
│ │ ▼ │ │ │
│ │ ┌──────────────┐ │ │ │
│ │ │ What are you │ │ │ │
│ │ │ doing? │ │ │ │
│ │ └──────┬───────┘ │ │ │
│ │ │ │ │ │
│ │ ┌─────┼─────┐ │ │ │
│ │ │ │ │ │ │ │
│ │ ▼ ▼ ▼ │ │ │
│ │ Brows- Email Bank- │ │ │
│ │ ing /Work ing │ │ │
│ │ │ │ │ │ │ │
│ │ ▼ ▼ ▼ │ │ │
│ │ LOW MED HIGH │ │ │
│ │ Risk Risk Risk │ │ │
│ │────── │ │ │ │ │
│ │ │ │ │ │ │
│ │ │ └─────────┼─────────────────────────────────────┐ │ │
│ │ │ │ Use mobile hotspot OR VPN + wait │ │ │
│ │ │ │ until on trusted network. Never │ │ │
│ │ │ │ do high-risk activities on public │ │ │
│ │ │ │ WiFi without VPN. │ │ │
│ │ │ └─────────────────────────────────────┘ │ │
│ │ │ │ │
│ │ └───────────────────────────────────────────────────┐ │
│ │ HIGH RISK — Avoid it on public WiFi. If unavoidable: │ │
│ │ VPN up, HTTPS only, never click past a cert warning. │ │
│ └──────────────┬────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────┐ │
│ │ What network │ │
│ │ type? │ │
│ └──────┬───────┘ │
│ │ │
│ ┌──────┼────────┬────────────┐ │
│ ▼ ▼ ▼ ▼ │
│ OPEN HOTEL CORPORATE MOBILE │
│ (any) WPA2 WPA2-EAP HOTSPOT │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ HIGH MED LOW-MED LOWEST │
│ RISK RISK RISK RISK │
│ │ w/VPN w/VPN w/VPN VPN optional │
│ │ │ │ │ │
│ └──────┴──────────┴──────────┘ │
│ │ │
│ ▼ │
│ ╔═══════════════════════════════╗ │
│ ║ GENERAL RULE OF THUMB: ║ │
│ ║ ║ │
│ ║ Public WiFi + VPN + HTTPS = OK ║ │
│ ║ Public WiFi + HTTPS only = Risky ║ │
│ ║ Open WiFi + plain HTTP + no VPN ║ │
│ ║ = VERY RISKY ║ │
│ ╚═══════════════════════════════╝ │
└──────────────────────────────────────────────────────────────────────┘
Cheatsheet 2: VPN Setup Quick Reference
┌──────────────────────────────────────────────────────────────────────┐
│ VPN SETUP QUICK REFERENCE — MAJOR PROVIDERS │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ WIREGUARD (Recommended — fastest, most modern) │
│ ───────────────────────────────────────── │
│ # Generate keypair (on the client; umask keeps the private key 0600) │
│ umask 077; wg genkey | tee privatekey.txt | wg pubkey > publickey.txt │
│ │
│ # Example WireGuard config (client side) │
│ [Interface] │
│ PrivateKey = <your-private-key> │
│ Address = 10.0.0.2/32 │
│ DNS = 1.1.1.1 │
│ │
│ [Peer] │
│ PublicKey = <server-public-key> │
│ Endpoint = vpn.example.com:51820 │
│ AllowedIPs = 0.0.0.0/0, ::/0 # route ALL traffic through VPN │
│ PersistentKeepalive = 25 │
│ │
│ # Start WireGuard │
│ sudo wg-quick up wg0 │
│ sudo wg-quick down wg0 # to disconnect │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ NORDVPN (NordLynx = WireGuard-based, plus OpenVPN) │
│ ───────────────────────────────────────── │
│ # Install: the vendor's documented installer script adds the repo │
│ # and signing key for you (Debian/Ubuntu, RHEL/Fedora and others) │
│ sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh) │
│ nordvpn login │
│ │
│ # Connect (CLI) │
│ nordvpn connect # fastest server │
│ nordvpn connect Denmark # specific country │
│ nordvpn connect --group P2P # a server group (list: nordvpn groups)│
│ nordvpn disconnect │
│ nordvpn set autoconnect on # connect whenever the client starts │
│ nordvpn set killswitch on # drop all traffic if the tunnel drops │
│ nordvpn set threatprotectionlite on # block ads/trackers │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ MULLVAD (Privacy-focused, WireGuard + OpenVPN) │
│ ───────────────────────────────────────── │
│ # Account is a random number, no email; CLI basics │
│ mullvad account login <account-number> │
│ mullvad account get │
│ mullvad connect │
│ mullvad status │
│ mullvad disconnect │
│ │
│ # Hardening / restrictive networks │
│ mullvad lockdown-mode set on # block ALL traffic unless the tunnel is up │
│ mullvad relay set tunnel-protocol wireguard │
│ mullvad obfuscation set mode udp2tcp # WireGuard over TCP where UDP is blocked│
│ mullvad lan set allow # only if you need LAN access (printer etc.) │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ PROTONVPN (WireGuard + Stealth protocol for censored networks) │
│ ───────────────────────────────────────── │
│ # Install: packages and the Linux app at https://protonvpn.com/linux-download │
│ │
│ # protonvpn-cli (v3) commands │
│ protonvpn-cli login <username> # first-time setup │
│ protonvpn-cli connect --fastest # fastest server │
│ protonvpn-cli connect --p2p # P2P-optimised server │
│ protonvpn-cli connect US-FREE#1 # a specific server by name │
│ protonvpn-cli ks --on # kill switch: BLOCK traffic if VPN drops │
│ protonvpn-cli disconnect │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ KEY CHECKS BEFORE USING ANY VPN │
│ ───────────────────────────────────────── │
│ □ NO-LOG policy backed by an independent audit, not just a marketing page │
│ □ Where is the company based? (data retention laws, legal compulsion) │
│ □ WireGuard support? (fastest, smallest codebase, modern crypto) │
│ □ Kill switch / lockdown mode? (blocks traffic if the tunnel drops) │
│ □ DNS leak: queries must go through the tunnel — https://dnsleaktest.com │
│ □ WebRTC leak (browser reveals your real IP) — https://browserleaks.com/webrtc │
│ □ IPv6 handled? A tunnel that only routes IPv4 leaks every IPv6 connection │
│ □ Port forwarding option? (only some P2P / self-hosting use cases need it) │
│ │
│ TEST FOR LEAKS after setup: │
│ 1. Connect to the VPN │
│ 2. Visit https://ipleak.net — should show the VPN exit IP only (v4 AND v6) │
│ 3. Visit https://dnsleaktest.com — should show the VPN's resolvers only │
│ 4. Kill-switch test: simulate a tunnel drop without a clean disconnect │
│ (e.g. block the VPN endpoint's UDP port in your host firewall, or for │
│ WireGuard: sudo ip link set wg0 down, which leaves wg-quick's PostUp │
│ rules in place). All traffic should stop; if pages still load over │
│ your real IP, the kill switch does not work. Reconnect afterwards. │
│ │
└──────────────────────────────────────────────────────────────────────┘
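A quick lint for the leak conditions in the checklist above, applied to a wg-quick config of the shape shown in the WireGuard section. This is an added example, not code from the original cheatsheet or from the WireGuard project: the two configs inside it are constructed, the key strings are the placeholder keys from the WireGuard documentation (not secrets to reuse), and the PostUp/PreDown kill-switch rules are the ones given in wg-quick(8).

```python
"""Lint a wg-quick client config for the leak conditions in the checklist above.

Added example, not part of the original cheatsheet. It parses the [Interface]/
[Peer] format shown in the WireGuard section and flags split-tunnel AllowedIPs,
a missing DNS= line, a placeholder PrivateKey, and a missing kill switch
(the PostUp/PreDown iptables rules are the ones documented in wg-quick(8))."""
import ipaddress
import re

PLACEHOLDER = re.compile(r"^<.*>$")          # e.g. "<your-private-key>"
DEFAULT_V4 = ipaddress.ip_network("0.0.0.0/0")
DEFAULT_V6 = ipaddress.ip_network("::/0")


def parse_wg_config(text):
    """Return [(section_name, {key: [value, ...]}), ...]; '#' starts a comment."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1].setdefault(key, []).append(value)
    return sections


def is_full_tunnel(allowed_ips):
    """True only if both the IPv4 and the IPv6 default routes point at the peer."""
    nets = {ipaddress.ip_network(c.strip(), strict=False)
            for value in allowed_ips for c in value.split(",") if c.strip()}
    return DEFAULT_V4 in nets and DEFAULT_V6 in nets


def lint_wg_config(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    sections = parse_wg_config(text)
    iface = next((kv for name, kv in sections if name == "Interface"), None)
    peers = [kv for name, kv in sections if name == "Peer"]
    if iface is None or not peers:
        return ["missing [Interface] or [Peer] section"]
    findings = []
    key = iface.get("PrivateKey", [""])[0]
    if not key or PLACEHOLDER.match(key):
        findings.append("PrivateKey missing or still a placeholder")
    if "DNS" not in iface:
        findings.append("no DNS= line: resolver queries go to the local network (DNS leak)")
    if not any(is_full_tunnel(p.get("AllowedIPs", [])) for p in peers):
        findings.append("AllowedIPs is not 0.0.0.0/0, ::/0: split tunnel, other traffic bypasses the VPN")
    if not any("iptables" in v or "nft" in v for v in iface.get("PostUp", [])):
        findings.append("no PostUp firewall rule: no kill switch if the tunnel drops")
    return findings


# Constructed configs. WEAK is what a copy-pasted provider config often looks
# like before anyone reads it; HARDENED fixes each finding.
WEAK = """
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/24      # only the VPN subnet is routed: everything else leaks
"""

# Both base64 keys below are the placeholder keys from the WireGuard docs, not secrets.
HARDENED = """
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
Address = 10.0.0.2/32
DNS = 1.1.1.1
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_wg_config(cfg) or ["ok"])
```

The kill-switch rule works because wg-quick marks packets that belong to the tunnel with a firewall mark; anything leaving on another interface without that mark (and not destined for the local machine) is rejected, so a dropped tunnel fails closed instead of silently falling back to the coffee-shop gateway.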
Cheatsheet 3: Detecting Rogue Access Points with Wireshark
┌──────────────────────────────────────────────────────────────────────┐
│ DETECTING ROGUE ACCESS POINTS — WIRESHARK FILTERS │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ SETUP: Put your wireless card in Monitor Mode first │
│ ───────────────────────────────────────── │
│ # Using airmon-ng (Kali/Linux). Run "check kill" BEFORE "start", or │
│ # NetworkManager/wpa_supplicant will keep resetting the interface. │
│ sudo airmon-ng check kill # stop interfering processes │
│ sudo airmon-ng start wlan0 # creates the monitor interface (wlan0mon) │
│ sudo iw dev wlan0mon set channel 6 # pick the target channel (or hop) │
│ # Now open Wireshark and select wlan0mon — you see one channel at a time │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ BEACON FRAME ANALYSIS — Find all visible APs │
│ ───────────────────────────────────────── │
│ Filter: wlan.fc.type_subtype == 0x08 │
│ (Shows all beacon frames — APs announcing their presence) │
│ │
│ Columns to add (right-click the field → Apply as Column): │
│ • SSID → wlan.ssid │
│ • BSSID → wlan.bssid │
│ • Channel → wlan_radio.channel │
│ • Signal → wlan_radio.signal_dbm │
│ • Privacy bit → wlan.fixed.capabilities.privacy (0 = open network) │
│ • Pairwise cipher → wlan.rsn.pcs.type (CCMP vs TKIP) │
│ • Auth/AKM → wlan.rsn.akms.type (PSK, 802.1X or SAE) │
│ │
│ DETECT: Same SSID on multiple BSSIDs (Evil Twin signature) │
│ ───────────────────────────────────────── │
│ wlan.ssid == "Free WiFi" and wlan.bssid != XX:XX:XX:XX:XX:XX │
│ │
│ Look for: │
│ • Two BSSIDs with identical SSIDs but different MAC addresses │
│ • Same SSID, different channels (legit AP may have 2.4+5GHz) │
│ • Same SSID, different encryption types (one open, one WPA2) │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ DEAUTHENTICATION ATTACK DETECTION │
│ ───────────────────────────────────────── │
│ Filter: wlan.fc.type == 0x0 and wlan.fc.type_subtype == 0x0c │
│ (Shows all deauthentication frames) │
│ │
│ Count deauths per BSSID: │
│ Menu → Statistics → I/O Graph → Filter: wlan.fc.type_subtype == 0x0c │
│ Look for: sudden spikes in deauth packets — classic jamming/ │
│ disconnection attack. A real AP sends a handful; an attack sends │
│ hundreds per second, usually to the broadcast address. │
│ │
│ Direction is in the addresses, not the subtype: │
│ Deauth "from" the AP: wlan.fc.type_subtype == 0x0c and wlan.sa == <bssid> │
│ Deauth "from" a client: wlan.fc.type_subtype == 0x0c and wlan.da == <bssid> │
│ Disassociation (different frame): wlan.fc.type_subtype == 0x0a │
│ Reason code: wlan.fixed.reason_code — aireplay-ng sends 7 ("class 3 │
│ frame from non-associated station"); a flood with one fixed reason │
│ code and a broadcast destination is almost never legitimate. │
│ Networks with Protected Management Frames (802.11w, mandatory in │
│ WPA3) ignore spoofed deauths; on anything else they always work. │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ PROBE REQUEST ANALYSIS — Find clients searching for networks │
│ ───────────────────────────────────────── │
│ Filter: wlan.fc.type_subtype == 0x04 │
│ (Shows probe requests — clients asking "is anyone there?") │
│ │
│ Useful for: │
│ • Mapping which clients are nearby (MAC addresses visible) │
│ • Detecting clients looking for known networks (your corporate SSID)│
│ • Spotting clients that still probe for saved SSIDs by name (older │
│ OSes broadcast every saved network; modern ones randomize the MAC │
│ and probe less, but the behaviour is still common on IoT devices) │
│ │
│ Find clients probing for your corporate SSID: │
│ wlan.ssid == "YourCorporateSSID" and wlan.fc.type_subtype == 0x04 │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ COMMON ATTACK SIGNATURES IN WIRESHARK │
│ ───────────────────────────────────────── │
│ │
│ Attack │ Filter │ Red Flag │
│ ───────────────────┼───────────────────────────────┼───────────── │
│ Evil Twin │ wlan.ssid == "X" (beacons) │ 2+ BSSIDs for 1 SSID,│
│ │ │ security differs │
│ KARMA / Mana │ wlan.fc.type_subtype == 0x05 │ One BSSID answers │
│ │ (probe responses) │ probes for MANY SSIDs│
│ Beacon flood (mdk4)│ wlan.fc.type_subtype == 0x08 │ Dozens of new BSSIDs│
│ │ │ appear at once │
│ Deauth flood │ wlan.fc.type_subtype == 0x0c │ Spike; broadcast DA │
│ Disassoc flood │ wlan.fc.type_subtype == 0x0a │ Spike │
│ WEP ARP replay │ wlan.wep.iv (WEP data frames)│ Same IV replayed at │
│ (aireplay-ng -3) │ │ high rate to the AP │
│ KRACK │ eapol │ EAPOL message 3 sent │
│ │ │ to one client again │
│ │ │ and again │
│ Hidden SSID │ wlan.fc.type_subtype == 0x08 │ Empty SSID in beacon;│
│ │ and wlan.ssid == "" │ real name in probes │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ WIRESHARK TIPS FOR WiFi ANALYSIS │
│ ───────────────────────────────────────── │
│ 1. Enable "IEEE 802.11" columns: BSSID, RSSI, Channel │
│ 2. Sort by channel to find APs on your channel (co-channel interfr) │
│ 3. Use "Wireless Toolbar" (View → Wireless Toolbar) to see chan-hop│
│ 4. Right-click packet → "Apply as Filter" → "Selected" to drill down│
│ 5. Use "Follow → IEEE 802.11" to reassemble encrypted traffic │
│ 6. Export objects (File → Export Objects) to extract files from │
│ captured traffic if decryption keys are known │
│ │
│ DECRYPT WPA2 TRAFFIC IN WIRESHARK: │
│ Edit → Preferences → Protocols → IEEE 802.11 → │
│ Check "Enable decryption" → Add wpa-pwd entry: │
│ Format: "SSID:PSK" or just ":PSK" for all SSIDs │
│ │
└──────────────────────────────────────────────────────────────────────┘
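The filters above can also be applied outside Wireshark to raw captures. The following added example (not part of the cheatsheet) decodes 802.11 management frames directly with struct, noting the Wireshark field each value corresponds to, and then runs three of the checks: list beacons with SSID/BSSID/channel and the RSN security profile, flag one SSID on several BSSIDs where the security profile differs (the evil-twin signature, as opposed to a dual-band AP), and count deauth bursts per BSSID per second. The capture is constructed inline with assumed MAC addresses; real input would be frames read from a pcap with the radiotap header stripped.

```python
"""Decode raw 802.11 management frames and run the checks from the filters
above: beacon inventory, one SSID on several BSSIDs with differing security,
and deauth bursts. Added example, not part of the original cheatsheet; the
capture is constructed inline (no radiotap header, timestamps in seconds)."""
import struct
from collections import Counter, defaultdict

BEACON, PROBE_RESP, DISASSOC, DEAUTH = 0x08, 0x05, 0x0A, 0x0C
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM = {1: "802.1X", 2: "PSK", 8: "SAE"}
# RSN IE for WPA2-Personal: version 1, group CCMP, pairwise CCMP, AKM PSK, caps 0
RSN_WPA2_PSK = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_rsn(ie):
    """Pairwise cipher and AKM (wlan.rsn.pcs.type / wlan.rsn.akms.type)."""
    n_pcs = struct.unpack_from("<H", ie, 6)[0]
    akm_off = 8 + 4 * n_pcs
    n_akm = struct.unpack_from("<H", ie, akm_off)[0]
    pcs, akm = ie[8:8 + 4 * n_pcs], ie[akm_off + 2:akm_off + 2 + 4 * n_akm]
    return {"cipher": CIPHER.get(pcs[3]) if pcs else None, "akm": AKM.get(akm[3]) if akm else None}


def parse_ies(data):
    out = {"ssid": None, "channel": None, "cipher": None, "akm": None}
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if tag == 0:                          # SSID element      -> wlan.ssid
            out["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:        # DS Parameter Set  -> channel
            out["channel"] = value[0]
        elif tag == 48:                       # RSN element
            out.update(parse_rsn(value))
        i += 2 + length
    return out


def parse_mgmt_frame(frame):
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:                  # wlan.fc.type != 0: not management
        return None
    rec = {"subtype": (fc >> 4) & 0xF,        # == wlan.fc.type_subtype for mgmt
           "da": mac(frame[4:10]), "sa": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    body = frame[24:]
    if rec["subtype"] in (BEACON, PROBE_RESP):
        cap = struct.unpack_from("<H", body, 10)[0]      # after timestamp + interval
        rec["privacy"] = bool(cap & 0x0010)              # wlan.fixed.capabilities.privacy
        rec.update(parse_ies(body[12:]))
    elif rec["subtype"] in (DEAUTH, DISASSOC):
        rec["reason"] = struct.unpack_from("<H", body, 0)[0]   # wlan.fixed.reason_code
    return rec


def evil_twin_candidates(records):
    """SSIDs seen from >1 BSSID; '(mismatched)' = security profile differs between them."""
    by_ssid = defaultdict(dict)
    for r in records:
        if r and r["subtype"] == BEACON and r["ssid"]:
            by_ssid[r["ssid"]][r["bssid"]] = (r["privacy"], r["akm"], r["cipher"])
    twins = {s: aps for s, aps in by_ssid.items() if len(aps) > 1}
    mismatched = sorted(s for s, aps in twins.items() if len(set(aps.values())) > 1)
    return twins, mismatched


def deauth_bursts(timed_records, window=1.0, threshold=10):
    """{(bssid, window_index): count} where deauth/disassoc count >= threshold."""
    buckets = Counter()
    for ts, r in timed_records:
        if r and r["subtype"] in (DEAUTH, DISASSOC):
            buckets[(r["bssid"], int(ts // window))] += 1
    return {k: n for k, n in buckets.items() if n >= threshold}


def beacon(bssid, ssid, channel, rsn=None):
    """Beacon: FC 0x0080, broadcast DA, SA = BSSID, capability ESS (+ Privacy if RSN)."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0011 if rsn else 0x0001)
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return header + fixed + ies + (bytes([48, len(rsn)]) + rsn if rsn else b"")


def deauth(bssid, client, reason=7):
    """Deauth spoofed from the AP to one client; reason 7 is what aireplay-ng -0 sends."""
    return b"\xc0\x00\x00\x00" + client + bssid + bssid + b"\x00\x00" + struct.pack("<H", reason)


def build_sample_capture():
    """Constructed: dual-band legit AP, open twin on the same SSID, an unrelated AP, 40 deauths."""
    legit24, legit5 = bytes.fromhex("aabbccdd0001"), bytes.fromhex("aabbccdd0002")
    twin, client = bytes.fromhex("021337000001"), bytes.fromhex("0c1dafbeef42")
    frames = [(0.0, beacon(legit24, "CoffeeShop", 6, RSN_WPA2_PSK)),
              (0.1, beacon(legit5, "CoffeeShop", 36, RSN_WPA2_PSK)),
              (0.2, beacon(twin, "CoffeeShop", 6)),
              (0.3, beacon(bytes.fromhex("aabbccdd0009"), "Hotel-Guest", 11, RSN_WPA2_PSK))]
    return frames + [(0.5 + i * 0.01, deauth(legit24, client)) for i in range(40)]


def analyze(capture):
    timed = [(ts, parse_mgmt_frame(f)) for ts, f in capture]
    twins, mismatched = evil_twin_candidates([r for _, r in timed])
    return {"twins": twins, "mismatched": mismatched, "deauth_bursts": deauth_bursts(timed)}


if __name__ == "__main__":
    print(analyze(build_sample_capture()))
```

On the sample, "CoffeeShop" shows up on three BSSIDs: the two legitimate radios share the WPA2-PSK/CCMP profile, the third is open, so only the profile mismatch is flagged, and the forty spoofed deauths in under a second land in one bucket against the legitimate 2.4 GHz BSSID.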
Cheatsheet 4: Router Security Checklist
┌──────────────────────────────────────────────────────────────────────┐
│ ROUTER SECURITY HARDENING CHECKLIST │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ CREDENTIALS │
│ ───────────────────────────────────────── │
│ □ Change default admin username (if possible — many routers won't) │
│ □ Set a strong, unique admin password (different from WiFi pwd) │
│ □ Don't let the browser save the admin password — keep it in a │
│ password manager instead │
│ □ Set up a separate admin account if available (not the default) │
│ □ Enable HTTPS for admin panel access (HTTP is plaintext) │
│ □ Disable "remote management" (router admin from internet) UNLESS │
│ you specifically need it and can secure it with IP allowlist │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ WiFi ENCRYPTION │
│ ───────────────────────────────────────── │
│ □ Set encryption to WPA3-Personal (or WPA2-AES if WPA3 unavailable) │
│ □ NEVER use WEP — it is broken and crackable in minutes │
│ □ NEVER use Open (no encryption) for any network you control │
│ □ Use a strong PSK: 16+ characters, random, stored in password mgr │
│ □ For business networks: use WPA3-Enterprise with RADIUS auth │
│ □ If WPA2 only: ensure it's AES (TKIP is deprecated and weak) │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ WiFi NETWORK SETTINGS │
│ ───────────────────────────────────────── │
│ □ Disable WPS (WiFi Protected Setup) — known vulnerabilities │
│ (Pixie Dust attack, brute force of WPS PIN) │
│ □ Change the default SSID — don't broadcast your router model/name │
│ (e.g., "NETGEAR-5G" tells attacker exactly what firmware to check)│
│ □ Don't bother hiding the SSID: clients then probe for it by name │
│ wherever they go, which leaks it and makes evil twins easier │
│ □ Enable AP isolation / client isolation on guest and IoT SSIDs │
│ (prevents devices on the same SSID from talking to each other) │
│ □ Enable Protected Management Frames (802.11w / PMF) if offered — │
│ spoofed deauth/disassoc frames then fail; WPA3 requires it anyway │
│ □ Airtime Fairness is a performance setting (slow clients stop │
│ dragging the cell down), not a security control │
│ □ Set a proper channel (use WiFi Analyzer app to find least crowded)│
│ │
├──────────────────────────────────────────────────────────────────────┤
│ FIRMWARE AND UPDATES │
│ ───────────────────────────────────────── │
│ □ Check for firmware updates quarterly — do it now if you haven't │
│ in the last 6 months │
│ □ Enable automatic firmware updates if your router supports them │
│ □ If router is no longer receiving firmware updates from manufacturer │
│ → replace it. An unpatched router is a liability. │
│ □ If your router supports it, consider OpenWrt or DD-WRT: │
│ open-source firmware with active security patches │
│ (only if your router model is well-supported) │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ NETWORK SERVICES ON THE ROUTER │
│ ───────────────────────────────────────── │
│ □ Disable UPnP (Universal Plug and Play) — major attack surface │
│ for malware that wants to punch holes in your firewall │
│ □ Disable Telnet (should never be on — uses plaintext) │
│ □ Ensure SSH is only v2 (disable v1) and using key-based auth │
│ □ Disable FTP, Samba, or any file sharing unless you specifically │
│ need it and understand the security implications │
│ □ Check what services are exposed to the WAN (internet) side │
│ — run a port scan from outside your network to check │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ FIREWALL AND ADVANCED SETTINGS │
│ ───────────────────────────────────────── │
│ □ Ensure the router's built-in firewall is enabled (almost always │
│ is by default, but double-check) │
│ □ Disable SIP ALG (the router's SIP Application Layer Gateway) if you│
│ don't use VoIP — it rewrites packets, breaks calls, and its parser │
│ is attack surface you don't need │
│ □ Enable DoS protection / SPI firewall if available │
│ □ Set reasonable session limits (max concurrent connections, │
│ connection timeout values) │
│ □ If your router supports VLANs (many prosumer models and OpenWrt do):│
│ segment IoT devices onto a separate VLAN/SSID from your main network│
│ │
├──────────────────────────────────────────────────────────────────────┤
│ LOGGING AND MONITORING │
│ ───────────────────────────────────────── │
│ □ Enable router logging and review logs monthly │
│ □ Set up log forwarding to a syslog server if you have one │
│ □ Enable WIDS (Wireless Intrusion Detection) if available │
│ □ Set up alerts for: unknown devices connecting, multiple failed │
│ auth attempts, changes to router settings │
│ □ Regularly audit connected devices — do you recognize everything? │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ INTERNET CONNECTION │
│ ───────────────────────────────────────── │
│ □ If using PPPoE (common in Europe, some ISPs): treat the ISP login │
│ as a secret — it can be read out of an exported config backup and │
│ is sent in the clear when PAP is used; never reuse that password │
│ □ Check if your router's WAN port is properly firewalled │
│ □ If you have a static IP, ensure the router's firewall blocks │
│ inbound traffic on all unused ports │
│ □ Consider using your router in bridge mode + a separate firewall │
│ appliance if security requirements are high │
│ │
└──────────────────────────────────────────────────────────────────────┘
Cheatsheet 5: What to Do If You Think You've Been Compromised
┌──────────────────────────────────────────────────────────────────────┐
│ WiFi COMPROMISE RESPONSE — STEP BY STEP │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ STEP 1: CONTAIN — Stop the bleeding │
│ ───────────────────────────────────────── │
│ ☐ Disconnect from the compromised WiFi network NOW │
│ ☐ If on a wired connection too, unplug from the network │
│ ☐ Turn OFF WiFi on all devices — use mobile data as temporary │
│ connectivity while you assess │
│ ☐ Do NOT power off devices if you can avoid it — volatile memory │
│ (RAM) may contain forensic evidence │
│ │
│ STEP 2: ASSESS — What might be affected? │
│ ───────────────────────────────────────── │
│ ☐ Did you access any sensitive accounts while on the network? │
│ (banking, work VPN, email, corporate systems) │
│ ☐ Did you enter passwords or credit card information? │
│ ☐ What devices were connected to the compromised network? │
│ (laptop, phone, smart home devices, TV, etc.) │
│ ☐ Did you use the same passwords on multiple services? │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ STEP 3: CREDENTIAL RESET — Assume passwords are compromised │
│ ───────────────────────────────────────── │
│ PRIORITY ORDER for password resets: │
│ │
│ 1. Email account (primary — attackers use this to reset everything) │
│ 2. Banking and financial accounts │
│ 3. Work/corporate VPN and SSO systems │
│ 4. Cloud services (AWS, Azure, Google Cloud) — check for new keys │
│ 5. Social media accounts │
│ 6. Shopping accounts with saved payment info │
│ 7. All other accounts using the same or similar passwords │
│ │
│ ⚠ Use a DIFFERENT device for resets (e.g., your phone on mobile │
│ data) — if your laptop is compromised, reset links sent to it │
│ may be intercepted │
│ │
│ Use a password manager to generate unique, random passwords │
│ Recommended: Bitwarden, 1Password, KeePassXC │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ STEP 4: ENABLE ADDITIONAL SECURITY │
│ ───────────────────────────────────────── │
│ ☐ Enable two-factor authentication (2FA) on all critical accounts │
│ — use an authenticator app or, better, a FIDO2 hardware key │
│ (phishing-resistant); NOT SMS (SIM swap attacks bypass SMS 2FA) │
│ ☐ Review active sessions — force-logout of all unknown sessions │
│ ☐ Revoke any API keys or OAuth tokens that were active during │
│ the incident │
│ ☐ Check email forwarding rules — attackers often set up forwarding │
│ to harvest your communications │
│ ☐ Check email filter rules for auto-delete rules │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ STEP 5: DEVICE INVESTIGATION │
│ ───────────────────────────────────────── │
│ On your laptop/computer: │
│ ☐ Check installed programs — anything unfamiliar? │
│ ☐ Check Task Manager / Activity Monitor — unfamiliar processes? │
│ ☐ Check startup items — anything suspicious added? │
│ ☐ Run a malware scan with a reputable scanner (not just the OS's │
│ default AV) │
│ ☐ Check browser extensions — malicious extensions are common │
│ ☐ Check hosts file (C:\Windows\System32\drivers\etc\hosts on Windows│
│ or /etc/hosts on macOS/Linux) for suspicious entries │
│ │
│ On your router: │
│ ☐ Factory reset the router — this removes most compromises. Then │
│ reflash current firmware from the vendor's site: some router │
│ malware (VPNFilter's first stage, for example) survives reboots, │
│ so never rely on a reboot alone │
│ ☐ After reset: change admin password, update firmware, review │
│ all settings │
│ ☐ Set a completely new WiFi password — don't reuse the old one │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ STEP 6: REPORT AND DOCUMENT │
│ ───────────────────────────────────────── │
│ ☐ Document everything: when you discovered, what you did, │
│ what data might be at risk, what actions you've taken │
│ ☐ File a report with FBI IC3 (ic3.gov) if financial loss occurred │
│ ☐ Report to your bank if financial data may be compromised │
│ ☐ If work-related: notify your IT security team immediately │
│ ☐ If personal data breach: check your jurisdiction's notification │
│ requirements (GDPR: 72 hours; US state laws vary) │
│ ☐ Consider filing a police report for identity theft if credentials │
│ were used fraudulently │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ STEP 7: PREVENT FUTURE INCIDENTS │
│ ───────────────────────────────────────── │
│ ☐ Always use a VPN on public WiFi going forward │
│ ☐ Never access sensitive accounts on open/public WiFi without VPN │
│ ☐ Use a password manager — unique passwords for every service │
│ ☐ Enable 2FA everywhere it's available │
│ ☐ Keep devices and software updated │
│ ☐ Consider using a mobile hotspot for sensitive work travel │
│ ☐ Regularly audit connected devices on your home network │
│ │
│ EMERGENCY CONTACTS: │
│ ───────────────────────────────────────── │
│ FBI IC3 (US): ic3.gov │ Online complaint │
│ CISA (US Critical): cisa.gov/report │ 1-888-282-0870 │
│ Action Fraud (UK): actionfraud.police.uk │ 0300 123 2040 │
│ NCSC (UK): ncsc.gov.uk │ Incident form online │
│ Your Bank: number on the back of your card │ 24/7 fraud line │
│ │
└──────────────────────────────────────────────────────────────────────┘
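For the hosts-file check in Step 5, here is an added example (not from the cheatsheet) that parses the file and flags what a MITM or local malware typically leaves behind: real hostnames pinned to another machine (DNS is bypassed for them), update or AV domains blackholed, and duplicate definitions. The sample hosts file is constructed, the addresses in it are private and documentation ranges, and the watch list is an assumed set of domains you care about most (your bank, your identity provider).

```python
"""Audit a hosts file for entries that pin real hostnames to another machine.

Added example, not from the cheatsheet. Browsers and every other resolver
consult this file before DNS, so one extra line silently redirects a bank or
login domain without any certificate warning until the TLS handshake. The
sample below is constructed; addresses are private/documentation ranges."""
import ipaddress
import sys
from pathlib import Path

LOCAL_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Names every stock hosts file maps to loopback; not interesting on their own.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
               "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes",
               "ip6-allrouters", "ip6-allhosts"}


def parse_hosts(text):
    """Yield (line_no, address_or_None, [names], raw) for each non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            yield line_no, ipaddress.ip_address(fields[0]), fields[1:], raw
        except ValueError:
            yield line_no, None, fields, raw


def audit_hosts(text, watch=()):
    """Return [(line_no, severity, message)] in file order.

    watch: domains you care about (bank, identity provider); hits there are HIGH."""
    findings, first_seen = [], {}
    for line_no, addr, names, raw in parse_hosts(text):
        if addr is None:
            findings.append((line_no, "MEDIUM", f"unparseable entry: {raw.strip()!r}"))
            continue
        for name in names:
            lname = name.lower().rstrip(".")
            if lname in STOCK_NAMES:
                continue
            watched = any(lname == w or lname.endswith("." + w) for w in watch)
            if addr not in LOCAL_ADDRS:
                where = "LAN host" if any(addr in n for n in LAN_NETS) else "outside host"
                findings.append((line_no, "HIGH" if watched else "MEDIUM",
                                 f"{lname} pinned to {where} {addr}; DNS is bypassed"))
            else:
                findings.append((line_no, "HIGH" if watched else "LOW",
                                 f"{lname} blackholed to {addr} (dev alias, or update/AV servers blocked?)"))
            if first_seen.setdefault(lname, addr) != addr:
                findings.append((line_no, "LOW", f"{lname} defined twice; first definition wins"))
    return findings


SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.0.1       devbox.local                 # harmless developer alias
192.168.1.50    www.examplebank.com          # bank pinned to a LAN box: MITM
0.0.0.0         update.microsoft.com         # updates silently blocked
203.0.113.9     login.microsoftonline.com    # identity provider sent elsewhere
"""

if __name__ == "__main__":
    # "--system" audits the real file; default runs on the constructed sample.
    path = r"C:\Windows\System32\drivers\etc\hosts" if sys.platform == "win32" else "/etc/hosts"
    text = Path(path).read_text(errors="replace") if "--system" in sys.argv else SAMPLE_HOSTS
    for line_no, sev, msg in audit_hosts(text, watch=("examplebank.com", "microsoftonline.com")):
        print(f"{sev:6} line {line_no}: {msg}")
```

Anything the script rates HIGH or MEDIUM deserves a look at file mtime and at who can write the file; a hosts entry is the cheapest persistence a MITM can leave on a laptop because it survives leaving the hostile network.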
Cheatsheet 6: WiFi Attack Taxonomy
┌──────────────────────────────────────────────────────────────────────┐
│ WiFi ATTACK TAXONOMY — QUICK REFERENCE │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ PASSIVE ATTACKS (No client interaction required — harder to detect) │
│ ───────────────────────────────────────────────────────────────── │
│ ┌────────────────────┬──────────────────────────────────────────┐ │
│ │ Attack │ Description │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ WiFi Eavesdropping │ Capturing and analyzing WiFi traffic │ │
│ │ │ with a monitor-mode card. Trivial on │ │
│ │ │ OPEN and WEP networks. On WPA2-PSK, │ │
│ │ │ anyone who knows the shared password │ │
│ │ │ and captured your handshake can decrypt │ │
│ │ │ your session (password-on-the-wall cafés).│ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Traffic Analysis │ Identifying who communicates with whom │ │
│ │ │ based on packet timing, size, frequency. │ │
│ │ │ Works even with encryption. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Evil Twin Recon │ Identifying target networks, clients, │ │
│ │ │ and their probe requests. Passive recon │ │
│ │ │ to build attack plan. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Fingerprinting │ Identifying device types, OS, apps │ │
│ │ │ based on 802.11 frame characteristics. │ │
│ │ │ Uses VHT (Very High Throughput) info, │ │
│ │ │ HT capabilities, and client fingerprints. │ │
│ └────────────────────┴──────────────────────────────────────────┘ │
│ │
│ ACTIVE ATTACKS (Requires some interaction — easier to detect) │
│ ┌────────────────────┬──────────────────────────────────────────┐ │
│ │ Attack │ Description │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Deauthentication │ Sending forged deauth frames to disconnect│ │
│ │ (Deauth) Attack │ clients from legitimate AP. Used for: │ │
│ │ │ • Forcing reconnection to capture handshake│ │
│ │ │ • Jamming/disruption of service │ │
│ │ │ • Capturing client probe requests │ │
│ │ │ Tool: aireplay-ng -0 0 -a [BSSID] │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Disassociation │ Same idea, different management frame: │ │
│ │ │ ends the association but not the auth. │ │
│ │ │ Both are unauthenticated unless 802.11w │ │
│ │ │ (PMF) is on — mandatory in WPA3. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ WEP Cracking │ Exploiting RC4 keystream weaknesses │ │
│ │ │ (FMS/PTW) to recover the key from IVs. │ │
│ │ │ Tools: aircrack-ng, wifite │ │
│ │ │ Time: minutes when ARP replay is used │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ WPA2 Password │ Capturing the 4-way handshake (or a PMKID)│ │
│ │ Cracking │ + offline dictionary attack on the PSK. │ │
│ │ │ Precomputed tables are per-SSID because │ │
│ │ │ the SSID is the PBKDF2 salt. │ │
│ │ │ Tools: hashcat -m 22000 (GPU), john │ │
│ │ │ Mitigation: long, random passphrase │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ KRACK Attack │ Key Reinstallation Attack. Exploits │ │
│ │ │ nonce reuse in WPA2 protocol. All WPA2 │ │
│ │ │ devices were affected at disclosure. │ │
│ │ │ Patch status varies by device. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Evil Twin / │ Setting up a fake AP with same SSID as │ │
│ │ Rogue AP │ legitimate network to intercept traffic.│ │
│ │ │ Often combined with KARMA (responding to │ │
│ │ │ any probe request with the requested SSID)│ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Honeypot AP │ Open network with no password to attract │ │
│ │ │ victims. Once connected, traffic is │ │
│ │ │ intercepted. Common in public spaces. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ WPA3 Attacks │ Dragonblood: timing/eavesdropping attacks │ │
│ │ (Dragonblood) │ against WPA3's SAE handshake. Results │ │
│ │ │ in password brute-force against handshake.│ │
│ │ │ Affects early WPA3 implementations. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ WPS PIN Attack │ Brute-forcing or using Pixie Dust attack │ │
│ │ (Pixie Dust) │ to recover WPS PIN, then deriving WPA │ │
│ │ │ password. Affected many routers. │ │
│ │ │ Tool: reaver, bully, wifite │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ EAP credential │ Evil twin + rogue RADIUS (hostapd-wpe, │ │
│ │ harvesting │ eaphammer) accepts any client; clients │ │
│ │ (Enterprise) │ that skip server-cert validation hand │ │
│ │ │ over MSCHAPv2 challenge/responses for │ │
│ │ │ offline cracking. Fix: validate the │ │
│ │ │ RADIUS cert, or use EAP-TLS. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Cellular IMSI │ IMSI catchers (e.g. StingRay) pose as a │ │
│ │ catchers │ base station, often forcing a 2G downgrade,│ │
│ │ (not WiFi, but │ to track devices and intercept traffic. │ │
│ │ related) │ │ │
│ └────────────────────┴──────────────────────────────────────────┘ │
│ │
│ ENCRYPTION BYPASS / REDUCTION ATTACKS │
│ ┌────────────────────┬──────────────────────────────────────────┐ │
│ │ Attack │ Description │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ SSL Strip / │ Rewriting HTTPS links to HTTP from a MITM │ │
│ │ HTTPS Downgrade │ position on the WiFi. Largely defeated by │ │
│ │ │ HSTS/preload lists and HTTPS-by-default │ │
│ │ │ browsers; still works on sites without. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ DNS Spoofing │ Manipulating DNS responses to redirect │ │
│ │ │ users to attacker-controlled sites. │ │
│ ├────────────────────┼──────────────────────────────────────────┤ │
│ │ Captive Portal │ Spoofing the MAC/IP of an already-authed │ │
│ │ Bypass │ client, or tunnelling over DNS/ICMP, to │ │
│ │ │ get online without paying or accepting │ │
│ │ │ terms. A portal is not a security control │ │
│ │ │ for the other users on that network. │ │
│ └────────────────────┴──────────────────────────────────────────┘ │
│ │
│ DEFENSE SUMMARY: │
│ • WPA3 (where available) — SAE stops offline PSK cracking; PMF │
│ (802.11w) stops spoofed deauth/disassoc. Enable PMF on WPA2 too. │
│ • Strong random WiFi password (16+ chars) — thwarts cracking │
│ • VPN on public WiFi — encrypts traffic between you and the VPN │
│ server (not end-to-end); HTTPS/TLS still protects the rest │
│ • Disable WPS — eliminates Pixie Dust / PIN brute-force surface │
│ • Keep router AND client firmware updated — patches KRACK, Dragonblood│
│ • 802.1X / WPA-Enterprise (RADIUS) with server-cert validation │
│ │
└──────────────────────────────────────────────────────────────────────┘
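To put numbers behind the "use a strong, random PSK" item in the router checklist and the WPA2 password-cracking row above, the following added example (not code from the cheatsheet) derives the PMK exactly as WPA2-Personal does, shows what a captured handshake gives an attacker, and runs the offline dictionary attack against it. The handshake capture is constructed (deterministic fake MACs and nonces, an approximated EAPOL message 2 layout with the MIC field zeroed), the passphrase-to-PMK step is checked against the IEEE 802.11 Annex test vector, and the guess rate used for the time estimate is an order-of-magnitude assumption rather than a benchmark.

```python
"""Why the passphrase is the whole game for WPA2-Personal, and what a sniffer
actually hands to a cracker. Added example (not from the cheatsheet); the
handshake capture is constructed and the guess rate is an assumption."""
import hashlib
import hmac
import random


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID as salt is why precomputed tables only help against common SSIDs."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    return b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]


def derive_kck(pmk, aa, spa, anonce, snonce):
    """First 16 bytes of the PTK: the Key Confirmation Key that MICs the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, eapol_with_zeroed_mic):
    """MIC for AKM PSK + CCMP (key descriptor version 2): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def make_handshake_capture(passphrase, ssid):
    """Constructed stand-in for what a sniffer gets from messages 1 and 2 of the
    4-way handshake: both MACs, both nonces, and one MIC'd EAPOL frame."""
    rnd = random.Random(1337)                      # deterministic, NOT real key material

    def rb(n):
        return bytes(rnd.randrange(256) for _ in range(n))

    aa, spa, anonce, snonce = rb(6), rb(6), rb(32), rb(32)
    # EAPOL-Key message 2, layout approximated: version/type/len, descriptor,
    # key info 0x010a, key len, replay counter, SNonce, then IV/RSC/ID/MIC/data zeroed
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a\x00\x10" + b"\x00" * 8 + snonce + b"\x00" * 72
    kck = derive_kck(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack_handshake(cap, wordlist):
    """Offline attack: one PBKDF2 (4096 HMACs) per candidate, then a PRF and a MIC check."""
    for candidate in wordlist:
        try:
            pmk = wpa2_pmk(candidate, cap["ssid"])
        except ValueError:                         # too short/long to be a WPA2 passphrase
            continue
        kck = derive_kck(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"]):
            return candidate
    return None


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to search the whole space (the average case is half of it)."""
    return alphabet_size ** length / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    # IEEE 802.11 Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa2_pmk("password", "IEEE").hex())
    cap = make_handshake_capture("password", "IEEE")
    print("cracked:", crack_handshake(cap, ["letmein1", "password", "CoffeeShop2024"]))
    rate = 1e6   # assumption: order of magnitude for one modern GPU on PBKDF2-SHA1 x4096
    print(f"8 lowercase letters : {years_to_exhaust(8, 26, rate):.3f} years")
    print(f"16 random alnum     : {years_to_exhaust(16, 62, rate):.3g} years")
```

The cost model is the point: every candidate costs the same 4096 HMAC-SHA1 rounds whatever the hardware, so a dictionary word falls in seconds while a 16-character random string is out of reach, and because the SSID is the salt, a table built for a default name like "NETGEAR" is useless against a renamed network, which is one of the better reasons to change the default SSID.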
Cheatsheet 7: Secure Video Conferencing on Public Networks
┌──────────────────────────────────────────────────────────────────────┐
│ SECURE VIDEO CONFERENCING ON PUBLIC / UNTRUSTED NETWORKS │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ BEFORE THE MEETING — PREP │
│ ───────────────────────────────────────── │
│ □ Patch your video conferencing app to latest version │
│ □ Test your VPN connection before the meeting │
│ □ Close all non-essential applications to reduce attack surface │
│ □ Enable OS firewall if not already on │
│ □ Prefer hardware mute (camera shutter, mic switch) over in-app mute:│
│ the app's "muted" state is software, and a compromised client can │
│ override it without changing the indicator │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ NETWORK CONNECTION OPTIONS (Ranked by Security) │
│ ───────────────────────────────────────── │
│ │
│ SECURE ──────────────────────────────────────────────────────── │
│ 1. Mobile hotspot (4G/LTE or 5G) + VPN │
│ → Most secure option. Cellular traffic is harder to intercept. │
│ → Use VPN on top for additional protection. │
│ │
│ 2. Trusted WiFi (home WPA3 network) + VPN │
│ → Your home router, you control the security settings. │
│ → Add VPN for work-related meetings. │
│ │
│ 3. Public WiFi + VPN (corporate VPN preferred) │
│ → VPN encrypts your traffic, hiding it from WiFi eavesdroppers │
│ → Corporate VPN with certificate auth is best for work calls │
│ → If no corp VPN, use a reputable personal VPN (WireGuard) │
│ │
│ LESS SECURE ────────────────────────────────────────────────── │
│ 4. Public WiFi, no VPN, relying on the platform's own encryption │
│ → Signalling is TLS and media is SRTP/DTLS, so eavesdroppers on │
│ the WiFi get metadata (which service, when, how long), not content │
│ → Acceptable for non-sensitive discussions only │
│ │
│ UNSAFE ──────────────────────────────────────────────────────── │
│ 5. Public WiFi with a legacy or self-hosted tool that sends media │
│ unencrypted (plain RTP) — anyone on the network can replay the │
│ call. Don't do this. │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ VIDEO CONFERENCING PLATFORM SECURITY SETTINGS │
│ ───────────────────────────────────────── │
│ │
│ ZOOM │
│ • Require a meeting passcode │
│ • Enable "Waiting Room" — don't auto-admit participants │
│ • Disable "Join before host" │
│ • Use co-hosts instead of handing over host controls │
│ • Disable in-meeting file transfer if not needed │
│ • Restrict screen sharing to "Host Only" unless others must present │
│ • AES-256 GCM transport encryption is the default; for sensitive │
│ calls enable "Allow use of end-to-end encryption" in account │
│ settings and select E2EE per meeting (cloud recording, dial-in and │
│ some other features are unavailable in E2EE meetings) │
│ │
│ MICROSOFT TEAMS │
│ • Enable end-to-end encryption via Teams admin center → Enhanced │
│ encryption policies, then switch it on per call/meeting │
│ • Teams has no meeting passcode: the lobby is the control. Set │
│ "Who can bypass the lobby" to people in your org, and keep │
│ anonymous join off unless you need external guests │
│ • Disable "Anonymous users can start a meeting" │
│ • Use Teams DLP policies / sensitivity labels if handling sensitive │
│ data │
│ │
│ GOOGLE MEET │
│ • Turn on "Host management" so only hosts can share, mute, or end │
│ • Turn "Quick access" off so external participants must knock │
│ • Require 2-step verification for your organization │
│ • Use client-side encryption (Workspace editions that support it) │
│ for calls that must be unreadable by the provider │
│ • Turn off meeting chat if not needed │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ DURING THE MEETING │
│ ───────────────────────────────────────── │
│ □ Keep VPN running throughout the call │
│ □ Don't share your screen unless actively presenting │
│ □ Before sharing: close email, browser tabs with sensitive data │
│ □ Don't read sensitive documents aloud — even if screen is off, │
│ a compromised device could have microphone access │
│ □ Be aware of what's visible in your camera frame │
│ □ After the meeting: verify you've actually left the meeting │
│ (don't stay connected while doing sensitive work) │
│ │
├──────────────────────────────────────────────────────────────────────┤
│ COMMON MISTAKES THAT COMPROMISE CALL SECURITY │
│ ───────────────────────────────────────── │
│ ☠ Sharing meeting links publicly (Twitter, LinkedIn) │
│ → Anyone with the link can join. Use password-protected links. │
│ │
│ ☠ Sharing screen with browser bookmarks visible │
│ → Your bookmarks reveal your browsing history and accounts. │
│ │
│ ☠ Joining from a public WiFi network without VPN │
│ → Unencrypted traffic can be captured by anyone on the network. │
│ │
│ ☠ Having meeting recordings stored in unencrypted cloud storage │
│ → Ensure your meeting recordings go to encrypted storage. │
│ │
│ ☠ Accepting file transfers from unknown meeting participants │
│ → Malware can be delivered via in-meeting file transfer. │
│ │
│ ☠ Reusing your Personal Meeting ID for recurring meetings │
│ → Anyone who was ever sent it can join any future meeting. Use a │
│ generated per-meeting ID plus passcode and waiting room. │
│ │
└──────────────────────────────────────────────────────────────────────┘