Detecting WiFi Brute Force Attacks

TL;DR

Yes, brute force and dictionary attacks on WiFi can be detected, but it requires monitoring your network for unusual activity like repeated failed login attempts, disconnections, and changes in connected clients. Tools like Wireshark, intrusion detection systems (IDS), and your router’s logs are key.

Detecting WiFi Brute Force Attacks

1. Understand the Attacks:
• Brute Force Attack: Tries every possible password combination. Slow, but effective against weak passwords.
• Dictionary Attack: Uses a list of common passwords (a ‘dictionary’). Faster than brute force.
2. Monitor Router Logs: This is your first line of defence.
   • Most routers keep logs of connection attempts, including failed ones.
   • Look for patterns of repeated failures from the same IP address or MAC address.
   • Accessing these logs varies by router manufacturer (check your router’s manual). Often found under ‘Security’, ‘Administration’, or ‘Logs’.
3. Use Wireshark to Capture Network Traffic: This is a more advanced technique.
   • Download and install Wireshark.
   • Start capturing traffic on your WiFi network interface.
   • Filter for 802.11 authentication packets (e.g., using the filter wlan.auth).
   • Look for a high volume of deauthentication or association/reassociation attempts, which can indicate an attack.

     wlan.auth

4. Intrusion Detection Systems (IDS): These systems automatically detect malicious activity.
   • Popular options include Snort and Suricata. They require some technical setup.
   • They can be configured to alert you when they detect suspicious patterns, like a large number of failed authentication attempts within a short period.
5. Check for Disconnections:
   • Frequent disconnections from your WiFi network can be a sign that someone is trying to crack the password.
   • This is especially true if it happens to multiple devices at once.
6. Monitor Connected Clients:
   • Regularly check the list of connected clients on your router.
   • Look for unfamiliar MAC addresses or IP addresses.

     arp -a

     (This command shows a list of devices currently connected to your network, but doesn’t always show all WiFi clients.)

7. WPA3: If possible, upgrade to WPA3 encryption. It offers stronger security features and makes brute force attacks much harder.
8. Strong Passwords: Use a long, complex password with a mix of uppercase and lowercase letters, numbers, and symbols.