Resources

WiFi Security Cheatsheets

Printable one-page quick reference guides for WiFi security fundamentals, attack detection, and defense strategies.

WiFi security cheatsheets are your rapid-reference companions for assessing threats, hardening networks, and responding to incidents — without wading through lengthy guides. Each cheatsheet below is designed for practical use: print one before a security audit, keep one on hand during penetration testing, or bookmark it for on-the-go threat assessment. Commands are compatible with Kali Linux and most Debian-based distributions. No fluff — just the information you need, when you need it.

Cheatsheet 1: "Am I Safe on Public WiFi?" Decision Tree

┌──────────────────────────────────────────────────────────────────────┐
│              AM I SAFE ON PUBLIC WiFi? — DECISION TREE               │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│ START: Are you on public WiFi?                                       │
│        (coffee shop / hotel / airport / coworking space)             │
│                │                                                     │
│         ┌──────┴──────┐                                              │
│        YES           NO → Private network. Risk depends              │
│         │                 on who else is on it, the encryption       │
│         │                 in use and the router's posture.           │
│         │                 Generally LOW with WPA2/WPA3 + strong PSK. │
│         ▼                                                            │
│   Is a full-tunnel VPN up and leak-tested?                           │
│         │                                                            │
│         ├─ YES → LOW-MODERATE. The local network sees only encrypted │
│         │        traffic to one VPN endpoint. Volume and timing      │
│         │        are still visible; DNS is hidden only if it goes    │
│         │        through the tunnel (see Cheatsheet 2 leak test).    │
│         │                                                            │
│         └─ NO  → risk depends on what you are doing:                 │
│            │                                                         │
│            ├─ Browsing (HTTPS)      → LOW-MOD. Never click through a │
│                                       certificate warning.           │
│            ├─ Email / work accounts → MEDIUM. Connect the VPN first. │
│            └─ Banking / payments    → HIGH. Use a mobile hotspot, or │
│                                       wait for a trusted network.    │
│                                                                      │
│   Network type (no VPN)          Risk     Why                        │
│   OPEN (no encryption)           HIGH     readable by anyone nearby  │
│   HOTEL / CAFE WPA2-PSK (shared) MEDIUM   shared PSK: guests can     │
│                                           decrypt your traffic       │
│   CORPORATE WPA2/WPA3-Enterprise LOW-MED  per-user keys; check the   │
│                                           RADIUS server cert         │
│   MOBILE HOTSPOT (your own)      LOWEST   VPN optional               │
│                                                                      │
│   RULE OF THUMB:                                                     │
│   Public WiFi + VPN + HTTPS   = acceptable                           │
│   Public WiFi + HTTPS, no VPN = risky (DNS and metadata exposed)     │
│   Open WiFi, no VPN           = very risky (everything readable)     │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘

Setting up a VPN correctly is one of the most effective steps you can take to protect your traffic on a network you do not control. It is not a substitute for TLS: the VPN operator sees everything the hotspot would otherwise have seen, so the provider checks below matter as much as the commands. This cheatsheet covers WireGuard and three major commercial VPN providers, with command-line examples and critical pre-use checks.

Cheatsheet 2: VPN Setup Quick Reference

┌──────────────────────────────────────────────────────────────────────┐
│            VPN SETUP QUICK REFERENCE — MAJOR PROVIDERS                │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  WIREGUARD (Recommended — fastest, most modern)                      │
│  ─────────────────────────────────────────                           │
│  # Generate keypair on the client; umask keeps the private key 0600  │
│  (umask 077 && wg genkey | tee privatekey | wg pubkey > publickey)   │
│                                                                      │
│  # Example WireGuard config (client side)                            │
│  [Interface]                                                         │
│  PrivateKey = <your-private-key>                                   │
│  Address = 10.0.0.2/32                                               │
│  DNS = 1.1.1.1                                                       │
│                                                                      │
│  [Peer]                                                              │
│  PublicKey = <server-public-key>                                    │
│  Endpoint = vpn.example.com:51820                                    │
│  AllowedIPs = 0.0.0.0/0, ::/0   # route ALL traffic through VPN     │
│  PersistentKeepalive = 25                                           │
│                                                                      │
│  # Save as /etc/wireguard/wg0.conf (mode 0600), then:                │
│  sudo wg-quick up wg0                                                │
│  sudo wg-quick down wg0   # to disconnect                            │
│  sudo wg show wg0         # recent handshake = tunnel is alive       │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  NORDVPN (WireGuard + OpenVPN support)                               │
│  ─────────────────────────────────────────                           │
│  # Install: NordVPN publishes an installer script. Download it,      │
│  # read it, then run it (avoid blind curl | sh):                     │
│  curl -sSfO https://downloads.nordcdn.com/apps/linux/install.sh      │
│  less install.sh && sh install.sh                                    │
│                                                                      │
│  # Connect (CLI)                                                     │
│  nordvpn login                                 # browser-based login │
│  nordvpn connect                               # fastest server      │
│  nordvpn connect Denmark                       # specific country    │
│  nordvpn groups                                # list server groups  │
│  nordvpn connect --group P2P                   # P2P-optimized server│
│  nordvpn disconnect                                                  │
│  nordvpn set killswitch on                     # fail closed on drop │
│  nordvpn set autoconnect on                    # connect at startup  │
│  nordvpn set threatprotectionlite on           # block ads/trackers  │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  MULLVAD (Privacy-focused, WireGuard + OpenVPN)                     │
│  ─────────────────────────────────────────                           │
│  # Log in with the account number (no email needed), then connect    │
│  mullvad account login <account-number>        # 16-digit number     │
│  mullvad account get                           # confirm login       │
│  mullvad relay set location se                 # choose a country    │
│  mullvad connect                                                     │
│  mullvad status                                                      │
│  mullvad disconnect                                                  │
│                                                                      │
│  mullvad lockdown-mode set on                  # always-on killswitch│
│  mullvad lan set allow                         # only if you need LAN│
│  mullvad obfuscation set mode udp2tcp          # WG over TCP for     │
│                                                # nets that block UDP │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  PROTONVPN (WireGuard + Stealth protocol for censors)                │
│  ─────────────────────────────────────────                           │
│  # Download the client from https://protonvpn.com/linux-download     │
│  # Commands below are for the protonvpn-cli (v3) package:            │
│  protonvpn-cli login <username>                # first-time setup    │
│  protonvpn-cli c --fastest                     # fastest server      │
│  protonvpn-cli c --cc US                       # by country code     │
│  protonvpn-cli c --p2p                         # P2P-optimized server│
│  protonvpn-cli ks --on                         # kill switch         │
│  protonvpn-cli d                               # disconnect          │
│  protonvpn-cli s                               # status              │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  KEY CHECKS BEFORE USING ANY VPN                                     │
│  ─────────────────────────────────────────                           │
│  □ No-log policy backed by an independent audit, not just a claim    │
│  □ Jurisdiction: where is the company based and what can it be       │
│    compelled to log or hand over?                                    │
│  □ WireGuard support (fast, small codebase to audit)                 │
│  □ Kill switch that fails closed (nothing leaves if the tunnel drops)│
│  □ No DNS leak: https://dnsleaktest.com shows only VPN resolvers     │
│  □ No WebRTC leak: https://browserleaks.com/webrtc shows no local IP │
│  □ Port forwarding, if a P2P use case needs it                       │
│                                                                      │
│  TEST FOR LEAKS after setup:                                         │
│  1. Connect to the VPN                                               │
│  2. https://ipleak.net should show only the VPN server's IP (v4+v6)  │
│  3. https://dnsleaktest.com should list only VPN-side resolvers      │
│  4. Kill switch: simulate a DROP, not a clean disconnect (block      │
│     UDP to the endpoint with a firewall rule) and reload ipleak.net. │
│     If the page loads and shows your real IP, the kill switch failed.│
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
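The mistakes that turn a "working" WireGuard tunnel into a leaky one (AllowedIPs that only cover the VPN subnet, no DNS line, IPv6 left out, a placeholder key that was never replaced) are all visible in the config file before you bring it up. The linter below is an added example, not code from the cheatsheet or the WireGuard project: it parses the wg-quick format directly (configparser chokes on repeated [Peer] sections), checks that AllowedIPs collapse to the whole IPv4 and IPv6 space, and reports what would leak. Both configs embedded in it are constructed for the example and the 44-character keys are dummy values.

```python
"""Lint a WireGuard client config before `wg-quick up`.

Added example, not code from the cheatsheet or the WireGuard project.
Usage: python3 wg_lint.py /etc/wireguard/wg0.conf   (no argument: self-demo)
Both configs at the bottom are constructed; the 44-char keys are dummies.
"""
import ipaddress
import sys


def parse_wg_conf(text):
    """Parse wg-quick's INI-like format (configparser breaks on repeated [Peer])."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # keys/values never contain '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1].strip().lower()}
            sections.append(current)
            continue
        if current is None:
            raise ValueError("value before any [section]: " + line)
        key, _, value = line.partition("=")         # first '=' only: keys end in '='
        current.setdefault(key.strip().lower(), []).extend(
            v.strip() for v in value.split(",") if v.strip())
    return sections


def full_tunnel_covers(cidrs, version):
    """True if the CIDRs of this IP version cover everything (0/0, or 0/1 + 128/1)."""
    nets = [n for n in (ipaddress.ip_network(c, strict=False) for c in cidrs)
            if n.version == version]
    if not nets:
        return False
    collapsed = list(ipaddress.collapse_addresses(nets))
    return len(collapsed) == 1 and collapsed[0].prefixlen == 0


def lint_wg_conf(text):
    """Return findings as strings; an empty list means 'full tunnel, nothing obvious'."""
    findings = []
    sections = parse_wg_conf(text)
    iface = next((s for s in sections if s["name"] == "interface"), {})
    peers = [s for s in sections if s["name"] == "peer"]

    key = iface.get("privatekey", [""])[0]
    if not key or key.startswith("<"):
        findings.append("ERROR: PrivateKey missing or still a placeholder")
    if not peers:
        findings.append("ERROR: no [Peer] section")
    for peer in peers:
        for required in ("publickey", "endpoint", "allowedips"):
            if not peer.get(required):
                findings.append(f"ERROR: [Peer] without {required}")

    allowed = [c for p in peers for c in p.get("allowedips", [])]
    if not full_tunnel_covers(allowed, 4):
        findings.append("WARN: split tunnel: IPv4 destinations outside AllowedIPs "
                        "leave through the local network")
    if not full_tunnel_covers(allowed, 6):
        findings.append("WARN: IPv6 is not routed through the tunnel; add ::/0 "
                        "or disable IPv6 on the uplink")
    if not iface.get("dns"):
        findings.append("WARN: no DNS= line; the hotspot's DHCP resolver sees "
                        "every query (DNS leak)")
    return findings


# Constructed: the cheatsheet's full-tunnel config with dummy keys.
FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=   # dummy, not a real key
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# Constructed: connects fine, leaks DNS, IPv6 and everything off 10.0.0.0/24.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/32

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/24
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SPLIT_TUNNEL_CONF
    print("\n".join(lint_wg_conf(text)) or "OK: full tunnel with DNS set")
```

Run it on the real file as root (the config is, correctly, not world-readable) and treat every WARN as a leak you must either accept knowingly or fix; a clean result still needs the live ipleak.net and kill-switch tests above, because routing and DNS on the host can override what the file says.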

Detecting rogue access points requires understanding what normal WiFi traffic looks like so you can spot the anomalies. This cheatsheet gives you the Wireshark display filters and column configurations to identify Evil Twin attacks, KARMA probes, and deauth floods in real time.

Cheatsheet 3: Detecting Rogue Access Points with Wireshark

┌──────────────────────────────────────────────────────────────────────┐
│         DETECTING ROGUE ACCESS POINTS — WIRESHARK FILTERS             │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  SETUP: Put your wireless card in Monitor Mode first                 │
│  ─────────────────────────────────────────                           │
│  # Using airmon-ng (Kali/Linux)                                      │
│  sudo airmon-ng check kill          # stop interfering services first│
│  sudo airmon-ng start wlan0         # creates wlan0mon (monitor mode)│
│  # Now open Wireshark and capture on wlan0mon (old drivers: mon0)    │
│  # Lock a channel: sudo iw dev wlan0mon set channel 6                │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  BEACON FRAME ANALYSIS — Find all visible APs                        │
│  ─────────────────────────────────────────                           │
│  Filter: wlan.fc.type_subtype == 0x08                               │
│  (Shows all beacon frames — APs announcing their presence)          │
│                                                                      │
│  Columns to add (right-click a field → Apply as Column):             │
│  • SSID        → wlan.ssid                                           │
│  • BSSID       → wlan.bssid                                          │
│  • Channel     → wlan_radio.channel                                  │
│  • Signal      → wlan_radio.signal_dbm                               │
│  • Privacy bit → wlan.fixed.capabilities.privacy  (0 = open)         │
│  • Cipher      → wlan.rsn.pcs.type   (4 = CCMP/AES, 2 = TKIP)        │
│  • Auth (AKM)  → wlan.rsn.akms.type  (2 = PSK, 1 = 802.1X, 8 = SAE)  │
│                                                                      │
│  DETECT: Same SSID on multiple BSSIDs (Evil Twin signature)          │
│  ─────────────────────────────────────────                           │
│  wlan.fc.type_subtype == 0x08 && wlan.ssid == "Free WiFi"            │
│    && wlan.bssid != aa:bb:cc:dd:ee:ff     # your known-good BSSID    │
│                                                                      │
│  Look for:                                                           │
│  • Same SSID from two or more BSSIDs (different MAC addresses)       │
│  • Same SSID, different channels (a legit AP may run 2.4 + 5 GHz     │
│    radios; those share a vendor OUI and the same security settings)  │
│  • Same SSID, different security (one open, one WPA2/WPA3): the      │
│    strongest signal; a rogue drops encryption so it can read traffic │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  DEAUTHENTICATION ATTACK DETECTION                                   │
│  ─────────────────────────────────────────                           │
│  Filter: wlan.fc.type_subtype == 0x0c                                │
│  (Shows all deauthentication frames; 0x0a is disassociation)         │
│                                                                      │
│  Count deauths over time:                                            │
│  Statistics → I/O Graph → add a graph with display filter            │
│  wlan.fc.type_subtype == 0x0c, interval 1 s. Dozens per second       │
│  against one BSSID is a deauth attack, not a roaming event           │
│                                                                      │
│  Direction is in the addresses, not the subtype:                     │
│  AP → client: wlan.fc.type_subtype == 0x0c && wlan.sa == wlan.bssid  │
│  client → AP: wlan.fc.type_subtype == 0x0c && wlan.da == wlan.bssid  │
│  Red flags: wlan.da == ff:ff:ff:ff:ff:ff (broadcast deauth) and      │
│  wlan.fixed.reason_code == 7 (what aireplay-ng -0 sends)             │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  PROBE REQUEST ANALYSIS — Find clients searching for networks        │
│  ─────────────────────────────────────────                           │
│  Filter: wlan.fc.type_subtype == 0x04                               │
│  (Shows probe requests — clients asking "is anyone there?")         │
│                                                                      │
│  Useful for:                                                         │
│  • Mapping which clients are nearby (MAC addresses visible, unless   │
│    the client randomizes its MAC while unassociated)                 │
│  • Detecting clients looking for known networks (your corporate SSID)│
│  • Directed probes leak a device's saved-network list (KARMA bait)   │
│                                                                      │
│  Find clients probing for your corporate SSID:                       │
│  wlan.fc.type_subtype == 0x04 && wlan.ssid == "YourCorporateSSID"    │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  COMMON ATTACK SIGNATURES IN WIRESHARK                              │
│  ─────────────────────────────────────────                           │
│                                                                      │
│  Attack             │ Filter / where to look         │ Red flag      │
│  ───────────────────┼────────────────────────────────┼───────────────│
│  Evil twin          │ 0x08, same SSID, >1 BSSID      │ mixed security│
│  KARMA / mana       │ 0x05 probe resp, one BSSID     │ answers all   │
│  Beacon flood       │ 0x08, 100s of new BSSIDs       │ random SSIDs  │
│  Deauth flood       │ 0x0c, rate per BSSID/s         │ bcast, bursts │
│  Disassoc flood     │ 0x0a, rate per BSSID/s         │ same as above │
│  WEP ARP replay     │ wlan.wep.iv, same-size data    │ 1000s frames/s│
│  WEP chopchop/frag  │ protected, short frames        │ many fragments│
│  KRACK              │ eapol, msg 3 of 4 resent       │ replay ctr dup│
│  Hidden SSID        │ 0x08 && wlan.ssid == ""        │ empty SSID    │
│                                                                      │
│  (0x0N = wlan.fc.type_subtype; eapol = 4-way handshake frames)       │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  WIRESHARK TIPS FOR WiFi ANALYSIS                                    │
│  ─────────────────────────────────────────                           │
│  1. Add 802.11 columns: BSSID, RSSI (wlan_radio.signal_dbm), Channel │
│  2. Sort by channel to find APs on yours (co-channel interference)   │
│  3. View → Wireless Toolbar to set or hop channels inside Wireshark  │
│  4. Right-click a field → Apply as Filter → Selected to drill down   │
│  5. Encrypted 802.11 payloads cannot be "followed": decrypt first    │
│     (below); then Follow → TCP Stream works as on a wired capture    │
│  6. File → Export Objects extracts files from decrypted traffic      │
│                                                                      │
│  DECRYPT WPA2-PSK TRAFFIC IN WIRESHARK:                              │
│  Edit → Preferences → Protocols → IEEE 802.11 →                      │
│  check "Enable decryption" → Decryption keys → add a wpa-pwd entry   │
│     Format: password:SSID  (password FIRST, e.g. secret123:CafeWiFi) │
│  Decryption only covers clients whose 4-way handshake (EAPOL) is in  │
│  the capture; reconnect a client to capture one during an audit.     │
│  WPA3-SAE and Enterprise sessions cannot be derived from a password; │
│  supply the PMK as a wpa-psk entry (64 hex chars) if you have it.    │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
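Eyeballing the beacon list works for a handful of APs; in a busy building you want the grouping done for you. The script below is an added example, not part of the cheatsheet or of the Wireshark project: it reads the fields that `tshark -T fields` prints for beacon and deauth frames, groups beacons by SSID to grade same-SSID/different-BSSID cases (mixed security is HIGH, a foreign OUI is MEDIUM, the same OUI and security is most likely one dual-band AP), and counts deauths per BSSID per second to catch floods. The sample frames it ships with are constructed by hand with made-up MAC addresses in exactly the layout tshark would emit.

```python
"""Flag evil-twin and deauth-flood signatures in tshark field output.

Added example (not from the cheatsheet or Wireshark). Produce the input with:
  tshark -r capture.pcapng \
    -Y 'wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x0c' \
    -T fields -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.bssid \
       -e wlan.ssid -e wlan_radio.channel -e wlan.rsn.akms.type > frames.tsv
  python3 wifi_triage.py frames.tsv
SAMPLE below is constructed by hand in that layout (MACs are made up).
"""
from collections import Counter, defaultdict
import sys

AKM_NAMES = {"1": "802.1X", "2": "WPA-PSK", "8": "WPA3-SAE"}


def akm_name(value):
    """RSN AKM suite type from the beacon; empty means no RSN IE (open or WEP)."""
    if value == "":
        return "open/WEP"
    return AKM_NAMES.get(value, "akm-" + value)


def parse_fields(text):
    """Parse tab-separated `tshark -T fields` lines into dicts."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subtype, bssid, ssid, channel, akm = line.split("\t")
        frames.append({"ts": float(ts), "subtype": int(subtype, 16),
                       "bssid": bssid.lower(), "ssid": ssid,
                       "channel": channel, "akm": akm_name(akm)})
    return frames


def find_evil_twins(frames):
    """SSIDs advertised by more than one BSSID, graded by how suspicious that is.

    HIGH   the BSSIDs disagree on security (open vs PSK): classic evil twin
    MEDIUM different vendor OUIs: could be a mesh/extender, worth checking
    LOW    same OUI and security: most likely one AP's 2.4 and 5 GHz radios
    """
    seen = defaultdict(dict)  # ssid -> {bssid: (channel, akm)}
    for f in frames:
        if f["subtype"] == 0x08 and f["ssid"]:
            seen[f["ssid"]].setdefault(f["bssid"], (f["channel"], f["akm"]))
    findings = {}
    for ssid, bssids in seen.items():
        if len(bssids) < 2:
            continue
        akms = {akm for _, akm in bssids.values()}
        ouis = {b[:8] for b in bssids}
        severity = "HIGH" if len(akms) > 1 else "MEDIUM" if len(ouis) > 1 else "LOW"
        findings[ssid] = {"severity": severity, "bssids": bssids}
    return findings


def deauth_bursts(frames, window=1.0, threshold=20):
    """(bssid, window_start, count) for every window with >= threshold deauths."""
    buckets = Counter()
    for f in frames:
        if f["subtype"] == 0x0C:
            buckets[(f["bssid"], int(f["ts"] // window))] += 1
    return sorted((b, w * window, n) for (b, w), n in buckets.items() if n >= threshold)


# Constructed sample: two legit radios of "HotelGuest", a legit "CafeWiFi" AP,
# an open rogue "CafeWiFi" on another channel, then a one-second deauth burst
# spoofing the legit CafeWiFi BSSID (what `aireplay-ng -0` produces).
SAMPLE_LINES = [
    "1700000000.00\t0x0008\taa:bb:cc:00:00:01\tCafeWiFi\t6\t2",
    "1700000000.10\t0x0008\taa:bb:cc:00:00:01\tCafeWiFi\t6\t2",
    "1700000000.20\t0x0008\tde:ad:be:ef:00:01\tCafeWiFi\t11\t",
    "1700000000.30\t0x0008\taa:bb:cc:00:00:02\tHotelGuest\t36\t2",
    "1700000000.40\t0x0008\taa:bb:cc:00:00:03\tHotelGuest\t1\t2",
]
SAMPLE_LINES += [f"{1700000001 + i * 0.04:.2f}\t0x000c\taa:bb:cc:00:00:01\t\t6\t"
                 for i in range(25)]
SAMPLE = "\n".join(SAMPLE_LINES)


def report(text):
    """Human-readable findings, one line each."""
    frames = parse_fields(text)
    lines = []
    for ssid, info in find_evil_twins(frames).items():
        lines.append(f"[{info['severity']}] {ssid!r} seen from {len(info['bssids'])} BSSIDs:")
        for bssid, (ch, akm) in sorted(info["bssids"].items()):
            lines.append(f"    {bssid}  ch {ch:>3}  {akm}")
    for bssid, start, n in deauth_bursts(frames):
        lines.append(f"[HIGH] {n} deauths spoofing {bssid} within 1 s at t={start:.0f}")
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(text)) or "nothing suspicious")
```

The threshold of 20 deauths per second is a starting point: a real AP sends a handful of unicast deauths per hour, while aireplay-ng sends bursts of 64 at a time, so anything in between deserves a look at the reason codes and destination addresses from the filter section above.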

Your router is the gateway to everything on your network — and most ship with laughably weak security defaults. This checklist covers every hardening step from credentials and encryption to firmware updates and VLAN segmentation, in order of priority.

Cheatsheet 4: Router Security Checklist

┌──────────────────────────────────────────────────────────────────────┐
│              ROUTER SECURITY HARDENING CHECKLIST                      │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  CREDENTIALS                                                         │
│  ─────────────────────────────────────────                           │
│  □ Change default admin username (if possible — many routers won't)  │
│  □ Set a strong, unique admin password (different from WiFi pwd)     │
│  □ Don't let the browser save the admin password; log out when done  │
│  □ Set up a separate admin account if available (not the default)     │
│  □ Enable HTTPS for admin panel access (HTTP is plaintext)          │
│  □ Disable "remote management" (router admin from internet) UNLESS   │
│    you specifically need it and can secure it with IP allowlist      │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  WiFi ENCRYPTION                                                     │
│  ─────────────────────────────────────────                           │
│  □ Set encryption to WPA3-Personal (or WPA2-AES if WPA3 unavailable) │
│  □ NEVER use WEP — it is broken and crackable in minutes             │
│  □ NEVER use Open (no encryption) for any network you control        │
│  □ Use a strong PSK: 16+ characters, random, stored in password mgr  │
│  □ For business networks: use WPA3-Enterprise with RADIUS auth       │
│  □ If WPA2 only: ensure it's AES (TKIP is deprecated and weak)       │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  WiFi NETWORK SETTINGS                                               │
│  ─────────────────────────────────────────                           │
│  □ Disable WPS (WiFi Protected Setup) — known vulnerabilities        │
│    (Pixie Dust attack, brute force of WPS PIN)                        │
│  □ Change the default SSID — don't broadcast your router model/name  │
│    (e.g., "NETGEAR-5G" tells attacker exactly what firmware to check)│
│  □ Hiding the SSID is obscurity, not a control: the name still leaks │
│    in probe/association frames, and your clients will probe for it   │
│    everywhere they go. Leave broadcast on.                           │
│  □ Enable AP isolation / client isolation if available               │
│    (stops devices on the same SSID from talking to each other)       │
│  □ Airtime Fairness is a performance setting (stops slow clients     │
│    hogging airtime); it is not a security control                    │
│  □ Set a proper channel (use WiFi Analyzer app to find least crowded)│
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  FIRMWARE AND UPDATES                                                │
│  ─────────────────────────────────────────                           │
│  □ Check for firmware updates quarterly — do it now if you haven't  │
│    in the last 6 months                                              │
│  □ Enable automatic firmware updates if your router supports them     │
│  □ If router is no longer receiving firmware updates from manufacturer │
│    → replace it. An unpatched router is a liability.                 │
│  □ If your router supports it, consider OpenWrt or DD-WRT:            │
│    open-source firmware with active security patches                  │
│    (only if your router model is well-supported)                     │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  NETWORK SERVICES ON THE ROUTER                                     │
│  ─────────────────────────────────────────                           │
│  □ Disable UPnP (Universal Plug and Play) — major attack surface      │
│    for malware that wants to punch holes in your firewall            │
│  □ Disable Telnet (should never be on — uses plaintext)              │
│  □ Ensure SSH is only v2 (disable v1) and using key-based auth       │
│  □ Disable FTP, Samba, or any file sharing unless you specifically   │
│    need it and understand the security implications                  │
│  □ Check what services are exposed to the WAN (internet) side        │
│    — run a port scan from outside your network to check              │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  FIREWALL AND ADVANCED SETTINGS                                       │
│  ─────────────────────────────────────────                           │
│  □ Ensure the router's built-in firewall is enabled (almost always  │
│    is by default, but double-check)                                   │
│  □ Disable SIP ALG (Application Layer Gateway for VoIP) unless you   │
│    use VoIP; it rewrites SIP payloads, breaks calls, and adds surface│
│  □ Enable DoS protection / SPI firewall if available                 │
│  □ Set reasonable session limits (max concurrent connections,        │
│    connection timeout values)                                        │
│  □ If your router supports VLANs (most mid-range and above do):      │
│    segment IoT devices onto a separate VLAN from your main network   │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  LOGGING AND MONITORING                                              │
│  ─────────────────────────────────────────                           │
│  □ Enable router logging and review logs monthly                     │
│  □ Set up log forwarding to a syslog server if you have one          │
│  □ Enable WIDS (Wireless Intrusion Detection) if available           │
│  □ Set up alerts for: unknown devices connecting, multiple failed     │
│    auth attempts, changes to router settings                         │
│  □ Regularly audit connected devices — do you recognize everything?  │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  INTERNET CONNECTION                                                 │
│  ─────────────────────────────────────────                           │
│  □ If using PPPoE: treat the ISP credentials like any other secret;  │
│    they are often stored in plaintext config backups and on labels   │
│  □ Check if your router's WAN port is properly firewalled             │
│  □ If you have a static IP, ensure the router's firewall blocks      │
│    inbound traffic on all unused ports                               │
│  □ Consider using your router in bridge mode + a separate firewall  │
│    appliance if security requirements are high                       │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘

If you suspect a WiFi compromise, every second counts. This cheatsheet walks you through the containment, assessment, credential reset, and reporting steps in the order that maximizes protection while preserving forensic evidence on your devices.

Cheatsheet 5: What to Do If You Think You've Been Compromised

┌──────────────────────────────────────────────────────────────────────┐
│           WiFi COMPROMISE RESPONSE — STEP BY STEP                    │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  STEP 1: CONTAIN — Stop the bleeding                                 │
│  ─────────────────────────────────────────                           │
│  ☐ Disconnect from the compromised WiFi network NOW                  │
│  ☐ If on a wired connection too, unplug from the network             │
│  ☐ Turn OFF WiFi on all devices — use mobile data as temporary       │
│    connectivity while you assess                                    │
│  ☐ Do NOT power off devices if you can avoid it — volatile memory   │
│    (RAM) may contain forensic evidence                               │
│                                                                      │
│  STEP 2: ASSESS — What might be affected?                            │
│  ─────────────────────────────────────────                           │
│  ☐ Did you access any sensitive accounts while on the network?       │
│    (banking, work VPN, email, corporate systems)                    │
│  ☐ Did you enter passwords or credit card information?               │
│  ☐ What devices were connected to the compromised network?           │
│    (laptop, phone, smart home devices, TV, etc.)                      │
│  ☐ Did you use the same passwords on multiple services?               │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  STEP 3: CREDENTIAL RESET — Assume passwords are compromised          │
│  ─────────────────────────────────────────                           │
│  PRIORITY ORDER for password resets:                                 │
│                                                                      │
│  1. Email account (primary — attackers use this to reset everything) │
│  2. Banking and financial accounts                                   │
│  3. Work/corporate VPN and SSO systems                              │
│  4. Cloud services (AWS, Azure, Google Cloud) — check for new keys   │
│  5. Social media accounts                                            │
│  6. Shopping accounts with saved payment info                        │
│  7. All other accounts using the same or similar passwords           │
│                                                                      │
│  ⚠ Use a DIFFERENT device for resets (e.g., your phone on mobile    │
│    data) — if your laptop is compromised, reset links sent to it    │
│    may be intercepted                                                │
│                                                                      │
│  Use a password manager to generate unique, random passwords        │
│  Recommended: Bitwarden, 1Password, KeePassXC                        │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  STEP 4: ENABLE ADDITIONAL SECURITY                                   │
│  ─────────────────────────────────────────                           │
│  ☐ Enable two-factor authentication (2FA) on all critical accounts  │
│    — use an authenticator app (Google Auth, Authy), NOT SMS           │
│    (SIM swap attacks can bypass SMS 2FA)                             │
│  ☐ Review active sessions — force-logout of all unknown sessions     │
│  ☐ Revoke any API keys or OAuth tokens that were active during       │
│    the incident                                                      │
│  ☐ Check email forwarding rules — attackers often set up forwarding   │
│    to harvest your communications                                    │
│  ☐ Check email filter rules for auto-delete rules                    │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  STEP 5: DEVICE INVESTIGATION                                        │
│  ─────────────────────────────────────────                           │
│  On your laptop/computer:                                            │
│  ☐ Check installed programs — anything unfamiliar?                   │
│  ☐ Check Task Manager / Activity Monitor — unfamiliar processes?     │
│  ☐ Check startup items — anything suspicious added?                  │
│  ☐ Run a malware scan with a reputable scanner (not just default AV) │
│  ☐ Check browser extensions — malicious extensions are common        │
│  ☐ Check hosts file (C:\Windows\System32\drivers\etc\hosts on Windows│
│    or /etc/hosts on macOS/Linux) for suspicious entries              │
│                                                                      │
│  On your router:                                                     │
│  ☐ Factory reset the router — this removes most compromises           │
│    (some advanced malware like VPNFilter persists across resets)    │
│  ☐ After reset: change admin password, update firmware, review      │
│    all settings                                                      │
│  ☐ Set a completely new WiFi password — don't reuse the old one      │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  STEP 6: REPORT AND DOCUMENT                                         │
│  ─────────────────────────────────────────                           │
│  ☐ Document everything: when you discovered, what you did,           │
│    what data might be at risk, what actions you've taken             │
│  ☐ File a report with FBI IC3 (ic3.gov) if financial loss occurred   │
│  ☐ Report to your bank if financial data may be compromised          │
│  ☐ If work-related: notify your IT security team immediately        │
│  ☐ If personal data breach: check your jurisdiction's notification   │
│    requirements (GDPR: 72 hours; US state laws vary)                 │
│  ☐ Consider filing a police report for identity theft if credentials │
│    were used fraudulently                                             │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  STEP 7: PREVENT FUTURE INCIDENTS                                    │
│  ─────────────────────────────────────────                           │
│  ☐ Always use a VPN on public WiFi going forward                     │
│  ☐ Never access sensitive accounts on open/public WiFi without VPN  │
│  ☐ Use a password manager — unique passwords for every service       │
│  ☐ Enable 2FA everywhere it's available                              │
│  ☐ Keep devices and software updated                                 │
│  ☐ Consider using a mobile hotspot for sensitive work travel       │
│  ☐ Regularly audit connected devices on your home network           │
│                                                                      │
│  EMERGENCY CONTACTS:                                                 │
│  ─────────────────────────────────────────                           │
│  FBI IC3 (US):       ic3.gov                │ Online complaint       │
│  CISA (US Critical): cisa.gov/report        │ 1-888-282-0870         │
│  Action Fraud (UK):  actionfraud.police.uk  │ 0300 123 2040          │
│  NCSC (UK):          ncsc.gov.uk            │ Incident form online   │
│  Your Bank:          Card back / website    │ 24/7 fraud line        │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
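As an added example (not part of the cheatsheet), a small Python auditor for the Step 5 hosts-file check: it flags watch-listed login domains pinned in the file and any hostname pinned to a public address. The watchlist, the sample file and the .example domains are constructed for the demo.

```python
"""Audit a hosts file for entries that hijack name resolution.

Added example for Step 5 of the checklist above (not code from the
cheatsheet). The classic abuse of the hosts file is pinning a login domain
(bank, mail, SSO) to an attacker-controlled address so the browser never
consults DNS. This flags (a) any watch-listed domain pinned at all and
(b) any hostname pinned to a public address, since legitimate local
overrides point at loopback or LAN ranges. The watchlist, the sample file
and the .example domains are constructed for the demo.
"""
import ipaddress
import sys
from typing import List, Tuple

# Constructed watchlist: domains a user would never expect in hosts.
WATCHLIST = {"bank.example", "mail.example", "sso.example.com"}

# Loopback, link-local and RFC 1918 / ULA ranges count as "local".
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

Finding = Tuple[int, str, str, str]   # (line_no, address, hostname, reason)


def _is_local(addr) -> bool:
    return (addr.is_loopback or addr.is_link_local or addr.is_unspecified
            or any(addr in net for net in _LOCAL_NETS))


def _on_watchlist(host: str) -> bool:
    return host in WATCHLIST or any(host.endswith("." + w) for w in WATCHLIST)


def audit_hosts(text: str) -> List[Finding]:
    """Return one finding per suspicious (address, hostname) pair."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # strip comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((no, parts[0], "", "unparseable address"))
            continue
        for host in parts[1:]:
            h = host.lower().rstrip(".")
            if _on_watchlist(h):
                findings.append((no, str(addr), h, "watch-listed domain pinned in hosts"))
            elif not _is_local(addr):
                findings.append((no, str(addr), h, "pinned to public address"))
    return findings


# Constructed sample (not a real file); TEST-NET addresses stand in for
# attacker infrastructure.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost ip6-localhost
192.168.1.10   nas.lan
203.0.113.7    www.bank.example        # login domain pinned: pharming
198.51.100.9   updates.vendor.example  # public IP pinned: review
"""

if __name__ == "__main__":
    # Usage: python audit_hosts.py [/etc/hosts]; defaults to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for no, addr, host, reason in audit_hosts(data):
        print(f"line {no}: {addr} {host} -> {reason}")
```

On a real system, run it against /etc/hosts (or the Windows path given in Step 5) and review every finding by hand; a LAN override for a NAS or printer is normal, a public address or a login domain is not.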

WiFi attacks span a wide range from passive eavesdropping to active protocol exploitation. This taxonomy cheatsheet organizes the major attack classes by their operational profile (passive vs. active) and the encryption schemes they target, with tool references and mitigation notes.

Cheatsheet 6: WiFi Attack Taxonomy Quick Reference

┌──────────────────────────────────────────────────────────────────────┐
│                  WiFi ATTACK TAXONOMY — QUICK REFERENCE                │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  PASSIVE ATTACKS (No client interaction required — harder to detect)  │
│  ─────────────────────────────────────────────────────────────────   │
│  ┌────────────────────┬──────────────────────────────────────────┐  │
│  │ Attack             │ Description                               │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ WiFi Eavesdropping │ Capturing and analyzing WiFi traffic       │  │
│  │                    │ with a monitor-mode card. Possible on    │  │
│  │                    │ OPEN and WEP networks without any          │  │
│  │                    │ interaction. WPA2 requires key.           │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Traffic Analysis   │ Identifying who communicates with whom   │  │
│  │                    │ based on packet timing, size, frequency.  │  │
│  │                    │ Works even with encryption.               │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Evil Twin Recon    │ Identifying target networks, clients,     │  │
│  │                    │ and their probe requests. Passive recon    │  │
│  │                    │ to build attack plan.                     │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Fingerprinting     │ Identifying device types, OS, apps       │  │
│  │                    │ based on 802.11 frame characteristics.   │  │
│  │                    │ Uses VHT (Very High Throughput) info,     │  │
│  │                    │ HT capabilities, and client fingerprints. │  │
│  └────────────────────┴──────────────────────────────────────────┘  │
│                                                                      │
│  ACTIVE ATTACKS (Require some interaction — easier to detect)        │
│  ┌────────────────────┬──────────────────────────────────────────┐  │
│  │ Attack             │ Description                               │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Deauthentication   │ Sending forged deauth frames to disconnect│  │
│  │ (Deauth) Attack    │ clients from legitimate AP. Used for:     │  │
│  │                    │ • Forcing reconnection to capture handshake│  │
│  │                    │ • Jamming/disruption of service            │  │
│  │                    │ • Capturing client probe requests         │  │
│  │                    │ Tool: aireplay-ng -0 0 -a [BSSID]         │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Disassociation     │ Similar to deauth but at MAC layer.      │  │
│  │                    │ Can be more stealthy in some cases.      │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ WEP Cracking       │ Exploiting RC4 weak keys in WEP to       │  │
│  │                    │ recover the encryption key.               │  │
│  │                    │ Tools: aircrack-ng, wifite               │  │
│  │                    │ Time: 2-15 minutes depending on traffic  │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ WPA2 Password      │ Capturing 4-way handshake + offline       │  │
│  │ Cracking           │ dictionary/rainbow table attack on PSK.  │  │
│  │                    │ Tools: hashcat (GPU), john the ripper     │  │
│  │                    │ Mitigation: strong, random passphrase     │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ KRACK Attack       │ Key Reinstallation Attack. Exploits     │  │
│  │                    │ nonce reuse in WPA2 protocol. All WPA2    │  │
│  │                    │ devices were affected at disclosure.      │  │
│  │                    │ Patch status varies by device.           │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Evil Twin /        │ Setting up a fake AP with same SSID as   │  │
│  │ Rogue AP           │ legitimate network to intercept traffic.│  │
│  │                    │ Often combined with KARMA (responding to  │  │
│  │                    │ any probe request with the requested SSID)│  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Honeypot AP        │ Open network with no password to attract │  │
│  │                    │ victims. Once connected, traffic is      │  │
│  │                    │ intercepted. Common in public spaces.      │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ WPA3 Attacks       │ Dragonblood: timing/eavesdropping attacks │  │
│  │ (Dragonblood)      │ against WPA3's SAE handshake. Results    │  │
│  │                    │ in password brute-force against handshake.│  │
│  │                    │ Affects early WPA3 implementations.      │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ WPS PIN Attack     │ Brute-forcing or using Pixie Dust attack │  │
│  │ (Pixie Dust)       │ to recover WPS PIN, then deriving WPA    │  │
│  │                    │ password. Affected many routers.         │  │
│  │                    │ Tool: reaver, bully, wifite              │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ EAP Thrashing      │ Sending many EAP-Failure messages to     │  │
│  │                    │ force clients to reconnect, capturing    │  │
│  │                    │ handshakes for offline cracking.         │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ LTE Hijacking      │ Using IMSI Catchers (StingRay/DragonFly) │  │
│  │ (Not WiFi but      │ to intercept cellular connections,        │  │
│  │ related)           │ track devices, and capture communications. │  │
│  └────────────────────┴──────────────────────────────────────────┘  │
│                                                                      │
│  ENCRYPTION BYPASS / REDUCTION ATTACKS                               │
│  ┌────────────────────┬──────────────────────────────────────────┐  │
│  │ Attack             │ Description                               │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ SSL Strip /        │ Downgrading HTTPS to HTTP in transit,    │  │
│  │ HTTPS Downgrade    │ allowing content interception. Works     │  │
│  │                    │ on public WiFi where attacker is MITM.   │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ DNS Spoofing       │ Manipulating DNS responses to redirect   │  │
│  │                    │ users to attacker-controlled sites.      │  │
│  ├────────────────────┼──────────────────────────────────────────┤  │
│  │ Captive Portal     │ Bypassing or spoofing captive portal    │  │
│  │ Bypass             │ to gain network access without paying    │  │
│  │                    │ or accepting terms.                      │  │
│  └────────────────────┴──────────────────────────────────────────┘  │
│                                                                      │
│  DEFENSE SUMMARY:                                                    │
│  • WPA3 (where available) — resists most attacks                   │
│  • Strong random WiFi password (16+ chars) — thwarts cracking        │
│  • VPN on public WiFi — encrypts traffic end-to-end                 │
│  • Disable WPS — eliminates Pixie Dust attack surface               │
│  • Keep router firmware updated — patches KRACK, Dragonblood        │
│  • 802.1X / WPA-Enterprise (RADIUS) for business networks            │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘
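As an added example (not from the cheatsheet), a Python detector for the deauthentication / disassociation floods listed in the active-attack table, run over constructed frame metadata. Protected Management Frames (802.11w) is the protocol-level fix for forged deauth frames; rate-based detection like this is the fallback where APs or clients cannot enable it. The Frame and Alert types and the sample capture are assumptions for the demo.

```python
"""Deauth / disassociation flood detector over 802.11 frame metadata.

Added example for the attack taxonomy above (not code from the cheatsheet).
It takes already-decoded frame records (timestamp, management subtype,
BSSID, destination), which any monitor-mode capture tool can export, so the
constructed sample below runs offline. A handful of deauth frames is normal
(APs evict idle clients); the signal of the attack in the table is a burst
from one BSSID in a short window, typically to the broadcast address.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C  # 802.11 management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ts: float      # capture timestamp, seconds
    subtype: int   # management frame subtype
    bssid: str     # BSSID the frame claims to come from
    dst: str       # receiver address


@dataclass
class Alert:
    bssid: str
    start: float
    end: float
    count: int        # deauth/disassoc frames in the burst
    broadcast: bool   # any frame aimed at all clients at once


def detect_floods(frames: List[Frame], window: float = 2.0,
                  threshold: int = 10) -> List[Alert]:
    """One Alert per burst in which a BSSID sends >= threshold deauth or
    disassoc frames within any sliding `window` seconds."""
    recent: Dict[str, Deque[Frame]] = defaultdict(deque)
    active: Dict[str, Alert] = {}
    alerts: List[Alert] = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[f.bssid]
        q.append(f)
        while f.ts - q[0].ts > window:      # drop frames outside the window
            q.popleft()
        if len(q) < threshold:
            active.pop(f.bssid, None)       # burst (if any) is over
            continue
        a = active.get(f.bssid)
        if a is None:                        # threshold crossed: open a burst
            a = Alert(f.bssid, q[0].ts, f.ts, len(q),
                      any(x.dst == BROADCAST for x in q))
            active[f.bssid] = a
            alerts.append(a)
        else:                                # burst continues
            a.end, a.count = f.ts, a.count + 1
            a.broadcast = a.broadcast or f.dst == BROADCAST
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: one AP, two benign evictions, and a forged
    broadcast deauth flood carrying the AP's own BSSID (as a deauth attack
    does, since the frames are spoofed rather than sent by the AP)."""
    ap = "aa:bb:cc:dd:ee:01"
    frames = [Frame(float(t), BEACON, ap, BROADCAST) for t in range(0, 60, 10)]
    frames += [Frame(5.0, DEAUTH, ap, "11:22:33:44:55:66"),
               Frame(45.0, DEAUTH, ap, "11:22:33:44:55:77")]
    frames += [Frame(10.0 + 0.05 * i, DEAUTH, ap, BROADCAST) for i in range(25)]
    return frames


if __name__ == "__main__":
    for a in detect_floods(sample_frames()):
        print(f"{a.bssid}: {a.count} deauth/disassoc frames in "
              f"{a.end - a.start:.2f}s (broadcast={a.broadcast})")
```

Tune `window` and `threshold` to the site: a busy enterprise AP legitimately sends more deauths than a home router, so baseline first and alert on the deviation.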

Video conferencing on untrusted networks introduces multiple attack surfaces — network interception, meeting hijacking, and metadata exposure among them. This cheatsheet ranks connection options by security level and covers platform-specific settings for Zoom, Teams, and Google Meet.

Cheatsheet 7: Secure Video Conferencing on Public Networks

┌──────────────────────────────────────────────────────────────────────┐
│         SECURE VIDEO CONFERENCING ON PUBLIC / UNTRUSTED NETWORKS      │
├──────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  BEFORE THE MEETING — PREP                                          │
│  ─────────────────────────────────────────                           │
│  □ Patch your video conferencing app to latest version               │
│  □ Test your VPN connection before the meeting                       │
│  □ Close all non-essential applications to reduce attack surface     │
│  □ Enable OS firewall if not already on                             │
│  □ Check that your camera and microphone are actually muted          │
│    (some apps show "muted" but the hardware indicator is not)        │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  NETWORK CONNECTION OPTIONS (Ranked by Security)                     │
│  ─────────────────────────────────────────                           │
│                                                                      │
│  SECURE ────────────────────────────────────────────────────────     │
│  1. Mobile hotspot (4G/LTE or 5G) + VPN                             │
│     → Most secure option. Cellular traffic is harder to intercept.  │
│     → Use VPN on top for additional protection.                      │
│                                                                      │
│  2. Trusted WiFi (home WPA3 network) + VPN                          │
│     → Your home router, you control the security settings.            │
│     → Add VPN for work-related meetings.                              │
│                                                                      │
│  3. Public WiFi + VPN (corporate VPN preferred)                     │
│     → VPN encrypts your traffic, hiding it from WiFi eavesdroppers  │
│     → Corporate VPN with certificate auth is best for work calls     │
│     → If no corp VPN, use a reputable personal VPN (WireGuard)       │
│                                                                      │
│  LESS SECURE ──────────────────────────────────────────────────      │
│  4. Public WiFi + HTTPS-only meeting                                │
│     → Your video/audio is encrypted in transit by the conferencing  │
│       platform's TLS. Metadata (who you're calling, when) is visible.  │
│     → Only acceptable for non-sensitive discussions.                  │
│                                                                      │
│  UNSAFE ────────────────────────────────────────────────────────     │
│  5. Public WiFi with no VPN, no HTTPS                               │
│     → Your video/audio can be intercepted. Don't do this.            │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  VIDEO CONFERENCING PLATFORM SECURITY SETTINGS                       │
│  ─────────────────────────────────────────                           │
│                                                                      │
│  ZOOM                                                               │
│  • Enable "Require password for meetings"                           │
│  • Enable "Waiting Room" — don't auto-admit participants            │
│  • Disable "Join before host"                                        │
│  • Enable "Co-host" instead of sharing host controls                 │
│  • Disable "File transfer" if not needed                            │
│  • Use Zoom's "Enhanced Encryption" (AES-256 GCM) — enabled by       │
│    default for paid accounts but verify in account settings          │
│  • Enable "Prevent participant screen sharing without permission"    │
│  • Check "Always encrypt meeting content" setting (Zoom 5.0+)       │
│                                                                      │
│  MICROSOFT TEAMS                                                     │
│  • Enable end-to-end encryption for sensitive calls                 │
│    (Teams Admin Center → Meetings → E2EE)                           │
│  • Require meeting passwords for external meetings                  │
│  • Enable "Lobby" — let authenticated users skip lobby             │
│  • Disable "Anonymous users can join" unless needed                 │
│  • Enable "Prevent anonymous join" for internal meetings            │
│  • Use Teams' built-in DLP policies if handling sensitive data     │
│                                                                      │
│  GOOGLE MEET                                                         │
│  • Use "Host-only meetings" option for sensitive calls              │
│  • Enable "Require 2-step verification" for your organization      │
│  • Use "Videotron" access control for external participants         │
│  • Enable "End-to-end encryption" option where available (web only)  │
│  • Turn off "Allow meeting chat" if not needed                      │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  DURING THE MEETING                                                  │
│  ─────────────────────────────────────────                           │
│  □ Keep VPN running throughout the call                             │
│  □ Don't share your screen unless actively presenting              │
│  □ Before sharing: close email, browser tabs with sensitive data    │
│  □ Don't read sensitive documents aloud — even if screen is off,     │
│    a compromised device could have microphone access               │
│  □ Be aware of what's visible in your camera frame                 │
│  □ After the meeting: verify you've actually left the meeting        │
│    (don't stay connected while doing sensitive work)               │
│                                                                      │
├──────────────────────────────────────────────────────────────────────┤
│  COMMON MISTAKES THAT COMPROMISE CALL SECURITY                      │
│  ─────────────────────────────────────────                           │
│  ☠ Sharing meeting links publicly (Twitter, LinkedIn)              │
│    → Anyone with the link can join. Use password-protected links.   │
│                                                                      │
│  ☠ Sharing screen with browser bookmarks visible                   │
│    → Your bookmarks reveal your browsing history and accounts.     │
│                                                                      │
│  ☠ Joining from a public WiFi network without VPN                  │
│    → Unencrypted traffic can be captured by anyone on the network. │
│                                                                      │
│  ☠ Having meeting recordings stored in unencrypted cloud storage  │
│    → Ensure your meeting recordings go to encrypted storage.        │
│                                                                      │
│  ☠ Accepting file transfers from unknown meeting participants      │
│    → Malware can be delivered via in-meeting file transfer.       │
│                                                                      │
│  ☠ Using the same meeting ID for recurring meetings                │
│    → Predictable meeting IDs can be zoom-bombed. Use random IDs.    │
│                                                                      │
└──────────────────────────────────────────────────────────────────────┘

Best Practices for Using These Cheatsheets

  • Print and laminate the Router Security Checklist and Compromise Response cheatsheets — these are your two highest-stakes references when things go wrong.
  • Run commands in a controlled environment first. Every tool in these cheatsheets has legitimate security uses, but also has significant potential for misuse. Only test on networks you own or have explicit written authorization to assess.
  • Verify your VPN is working before connecting to sensitive accounts on any public network — don't assume the VPN icon turning green means traffic is actually protected.
  • Review your router settings quarterly. Firmware updates, new vulnerabilities, and configuration drift all erode security over time. Use the Router Security Checklist as your quarterly audit template.
  • Keep these cheatsheets accessible offline. If you're responding to an incident, you may not have reliable internet access to look up information. Download the PDFs or save these pages before you need them.

For deeper dives into any of these topics, explore the full attack and defense articles throughout MalwareZero.org.
