How to check if a Wi-Fi network is safe to connect to?

Can you tell if the network you're attached to, assuming you're just an average user, has a been compromised?

No

What can an attacker do if they're on the same network as you?

Regardless if you're connected to an open access point, an access point with WEP enabled (hopefully not) or an access point with WPA/WPA2 you can be attacked. Many public places have WiFi with WPA2 enabled and they just freely give out the password. You're still at risk.

An attacker doesn't need to compromise a router to attack you on a public network. It's very easy to arp spoof the entire network and pretend to be the router. Then all your traffic will pass through them. It'd be seamless to your experience

Once the arp spoof and ipv#_forwarding is configured it's trivial to sniff your traffic, inject malicious javascript into http traffic, etc etc etc.

The attacker doesn't even need to arp spoof you to attack your machine though. Just being on the same network as the attacker gives them the ability to scan your machine for open ports, vulnerable services running, start probing your machine.

Using tools such as nmap to first scan the network for potential targets and then port scanning each target, an attacker can quickly find you and identify any possible holes in your machine. Nmap even has some nifty passive scanning features where it won't even expose the attacker on the network because it just listens to who's transmitting instead of actively probing.

How can you mitigate risk?

Always use TLS and if you can, connect to a VPN whenever you're on a public wifi. Make sure that you don't have any unnecessary services running on your machine that are open to the network. Honestly, you probably shouldn't have any ports open. Any openings are potential access points. Also make sure your machine is fully patched and running all available firewall services.

Mind you this is all just mitigation. If you're connecting to public wifi points you have some accepted risk.

Some reference material for you:

If you want to dig in a little deeper into what can be done, how and with what tools, please look at these links below. To do what I've described above has a very low barrier of entry.

What is NMAP

What is Man in the Middle Attacks?

What is arp spoofing?

What are beef hooks?

What is MiTM Framwork?

What is SSLStrip?

Bonus:

How do you see what ports are open and listening on Windows?

  1. Open a command prompt
  2. Run netstat -ano | FIND /N "LISTEN"

The output will show you all the ports that are open and listening internally and externally. The one's marked with 127.0.0.1 you can ignore because those are only visible internally to your machine.

Anything marked as 0.0.0.0:Port will be visible to attackers on the network. Also anything marked with private addresses such as

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

will be visible.

The command and results are almost the same on Linux

netstat -ano | grep LISTEN

How to identify what services are running on your listening ports

From an elevated command prompt run netstat -a -b and look for ports marked as listening. You'll see the name of the service in brackets.

Final Note

I use this attack pattern all the time to test devices on my home network for weaknesses. My favorite is testing my phone apps for random things they're sending over the internet. Anyone with a live boot of kali or parrot os can have this attack up and running in about 5 minutes. Last year I even wrote a tool that does most of this for you and injects javascript miners into public networks. You can find my article about it here