While some wireless access points (WAPs) themselves can have vulnerabilities, the vast majority of scans will be against the WAP's security configuration. Most WAP security mechanisms have proven at some point to be vulnerable. The following table summarizes common WAP vulnerabilities.
WAP Security Type
A weak implementation of the RC4 encryption algorithm, coupled with the absence of digital signatures and packet sequencing, makes it possible to crack a WEP key in 10 minutes or less. A 128-bit key takes only slightly longer.
Rotating keys and sequence numbers make cracking much more difficult, but the protocol is still susceptible to dictionary attacks if a weak passkey has been chosen.
A key reinstallation attack (KRACK) manipulates the WPA2 4-way handshake, tricking a device into changing its encryption key to all zeros.
Brute forcing can crack a WPS pin in minutes. Usually also requires detection evasion techniques such as constantly changing the attacker's MAC address, or specifying a blank PIN.
Note: Most of the security tests that apply to WAPs also apply to wireless routers.