Wireless Networking
802.11 standards, WiFi 6/6E/7, WPA3 security, wireless attacks, and site survey fundamentals
Chapter 8: Wireless Networking
The WiFi Pineapple in the Coffee Shop
In 2019, a security researcher demonstrated a disturbing attack at a major conference. He set up a device called a "WiFi Pineapple" in a coffee shop. The device advertised SSIDs for every network that nearby devices had ever connected to ("HomeWiFi," "CompanyNet," "AirportFree") based on the probe requests those devices broadcast.
Within an hour, dozens of laptops and phones had automatically connected to his rogue access point, thinking they'd found a familiar network. He could see all their unencrypted traffic, inject content into HTTP pages, and capture credentials. All without any interaction from the victims.
This attack exploits a fundamental behavior: devices remember WiFi networks and automatically reconnect when they see them. Combined with WiFi's broadcast nature (anyone within range can receive signals), wireless networks present unique security challenges that don't exist in wired environments.
Understanding wireless networking (the protocols, security mechanisms, and inherent vulnerabilities) is essential for modern network security. This chapter covers 802.11 standards (including WiFi 6 and 7), security protocols (WEP through WPA3), and the attacks that exploit them.
The Freedom and Risk of Wireless
Wireless networking transformed connectivity. No cables mean instant access anywhere within range: homes, offices, coffee shops, airports. The convenience is undeniable, but this freedom comes with fundamental security challenges that don't exist in wired networks.
Consider the differences:
Radio is broadcast: Anyone within range can receive your transmissions. Unlike wired networks where physical access is required, wireless signals extend beyond walls. Your neighbor, a person in a parked car outside, or someone in the apartment below might be within range of your WiFi network.
The medium is shared: Multiple devices compete for the same radio spectrum, creating both performance and security implications. Unlike a switch that isolates traffic between ports, all wireless devices hear all transmissions.
Trust is implicit: Devices automatically connect to networks they recognize, and users trust networks by name alone. Your laptop doesn't verify that "CoffeeShop_WiFi" is actually run by the coffee shop; it just connects if it remembers that network.
These characteristics make wireless networking fundamentally different from wired networking. Throughout this chapter, we'll build up from the basic technology (how WiFi works) to the security mechanisms (how we try to protect it) to the attacks (how attackers exploit it). Let's start with the underlying standards.
802.11: The WiFi Standards
Before we can discuss WiFi security, we need to understand how WiFi works. The IEEE 802.11 family of standards defines everything about wireless LANs: the radio frequencies used, how devices share the airwaves, and how fast data can travel.
The 802.11 Family
IEEE 802.11 is the family of standards defining wireless local area networks (WLANs). Different generations offer varying speeds, frequencies, and capabilities.
| Standard | Marketing Name | Frequency | Max Speed | Year | Key Features |
|---|---|---|---|---|---|
| 802.11b | - | 2.4 GHz | 11 Mbps | 1999 | First widely adopted |
| 802.11a | - | 5 GHz | 54 Mbps | 1999 | Less interference |
| 802.11g | - | 2.4 GHz | 54 Mbps | 2003 | Compatible with b |
| 802.11n | WiFi 4 | 2.4/5 GHz | 600 Mbps | 2009 | MIMO introduced |
| 802.11ac | WiFi 5 | 5 GHz | 6.9 Gbps | 2014 | MU-MIMO, 160 MHz |
| 802.11ax | WiFi 6/6E | 2.4/5/6 GHz | 9.6 Gbps | 2019 | OFDMA, BSS coloring |
| 802.11be | WiFi 7 | 2.4/5/6 GHz | 46 Gbps | 2024 | MLO, 320 MHz |
Frequency Bands
WiFi Frequency Bands:

2.4 GHz Band (2.400 - 2.4835 GHz):
  Channels 1 through 13, each overlapping its neighbors
  Only 3 non-overlapping: 1, 6, 11 (US)
  Pros: Better range, wall penetration
  Cons: Crowded (microwaves, Bluetooth, many devices), only 3 channels

5 GHz Band (5.150 - 5.895 GHz):

| Sub-band | UNII-1 | UNII-2A | UNII-2C | UNII-3 | UNII-4 |
|---|---|---|---|---|---|
| Channels | 36-48 | 52-64 | 100-144 | 149-165 | 169-177 |
| Notes | Indoor | DFS | DFS | No DFS | No DFS |

  Pros: Many non-overlapping channels, less interference
  Cons: Shorter range, blocked by walls more

6 GHz Band (5.925 - 7.125 GHz) - WiFi 6E/7:
  59 new 20 MHz channels
  29 new 40 MHz channels
  14 new 80 MHz channels
  7 new 160 MHz channels
  Pros: Clean spectrum (no legacy devices), wide channels
  Cons: Shortest range, newest devices only

DFS (Dynamic Frequency Selection): Some 5 GHz channels are shared with radar. Devices must detect radar and vacate, which can cause brief disconnections.
WiFi 6 (802.11ax) Key Features
WiFi 6 was designed for high-density environments (stadiums, offices, smart homes):
OFDMA (Orthogonal Frequency Division Multiple Access):
- Divides channels into smaller resource units
- Multiple devices served simultaneously
- Reduces latency for small packets
BSS Coloring:
- Tags frames to reduce interference from overlapping networks
- Devices can ignore frames from other BSSs
Target Wake Time (TWT):
- Schedules when devices wake to communicate
- Dramatically improves IoT battery life
1024-QAM:
- More bits per transmission (higher efficiency)
- Requires stronger signal for benefit
WiFi 5 vs WiFi 6 Medium Access
WiFi 5 vs WiFi 6 Medium Access:

WiFi 5 (OFDM - One device at a time):
  Time -->
  [ Device A  ][ Device B  ][ Device C  ][ Device A  ] ...
  [ (full BW) ][ (full BW) ][ (full BW) ][ (full BW) ]
  Each device waits for its turn and uses the entire bandwidth

WiFi 6 (OFDMA - Multiple devices simultaneously):
  Time -->
  [ Device A (part BW) ]
  [ Device B (part BW) ]   Simultaneous!
  [ Device C (part BW) ]
  [ Device D (part BW) ]
  AP subdivides bandwidth, serves multiple devices per transmission
WiFi 7 (802.11be) Preview
WiFi 7 brings major improvements:
Multi-Link Operation (MLO):
- Device connects to AP on multiple bands simultaneously
- Aggregates bandwidth and improves reliability
- Seamless failover if one link degrades
320 MHz Channels:
- Twice the width of WiFi 6's maximum
- Only in 6 GHz band
4K-QAM:
- Even more bits per transmission
Improved latency:
- Better for real-time applications (VR/AR, cloud gaming)
Now that we understand the different WiFi generations and what they offer, let's look at the components that make up a wireless network and how they communicate.
Wireless Network Components
Understanding the components and terminology of wireless networks is essential before we can discuss security. These terms appear constantly in security discussions, attack descriptions, and configuration guides.
Key Terms
Access Point (AP): The central device that bridges wireless clients to the wired network. In infrastructure mode, all communication goes through the AP.
Station (STA): Any wireless client device (laptop, phone, IoT device).
SSID (Service Set Identifier): The network name you see when scanning for WiFi networks.
BSSID (Basic Service Set Identifier): The MAC address of the AP, uniquely identifying a specific access point.
ESSID (Extended Service Set Identifier): Multiple APs sharing the same SSID (for roaming).
Wireless Network Architecture
Wireless Network Architecture:

Infrastructure Mode (Most Common):

  Wireless Clients (STAs)
  [Client]    [Client]    [Client]
      |           |           |
      +-----------+-----------+       WiFi (802.11)
                  |
              [   AP   ]   BSSID: AA:BB:CC:DD:EE:FF
                           SSID: "CorporateWiFi"
                  |        Ethernet
              [ Switch ]   Wired Network

Enterprise (Multiple APs, Same ESSID):

  [ AP 1 ]      [ AP 2 ]      [ AP 3 ]
  SSID: Corp    SSID: Corp    SSID: Corp
      |             |             |
      +-------------+-------------+
                    |
          [ WLC (Controller) ]   Centralized management

  Client roams between APs without reconnecting
Management Frames
802.11 uses management frames for network operations:
| Frame Type | Purpose |
|---|---|
| Beacon | AP advertises network (SSID, capabilities) |
| Probe Request | Client requests network info |
| Probe Response | AP responds to probe |
| Authentication | Auth process frames |
| Deauthentication | Disconnect notification |
| Association Request | Client requests to join |
| Association Response | AP accepts/rejects |
| Disassociation | Leave notification |
| Action | Various management actions |
Security Note: Until 802.11w (Management Frame Protection), these frames were unencrypted and unsigned. Attackers could forge deauthentication frames to kick users offline, the basis for deauth attacks. WPA3 mandates MFP.
WiFi Security Protocols
Now we arrive at the heart of wireless security: how do we protect data traveling through the air where anyone can receive it? This is where WiFi security protocols come in, and it's a story of repeated failures and gradual improvement.
Understanding this evolution isn't just historical curiosity. You'll encounter all these protocols in the wild: WEP on legacy devices, WPA on older equipment, WPA2 on most current networks, and WPA3 on newer devices. Knowing their weaknesses helps you assess the security posture of any wireless network.
WEP: Wired Equivalent Privacy (Broken)
WEP was the original 802.11 security protocol. It is completely broken.
Why WEP Fails
Why WEP Fails:

WEP Design (Flawed):
  [ 24-bit IV (plaintext) | Key ] --> RC4 --> XOR with plaintext

Problems:
1. IV is only 24 bits -> Reuses after ~5000 packets
2. IV transmitted in cleartext -> Attacker can see it
3. RC4 with reused IV+Key -> Keystream recovery possible
4. Weak keys exist -> Some IVs leak key bytes directly
5. CRC-32 checksum -> Can be manipulated (no real integrity)

Attack:
- Collect ~40,000 packets (few minutes of traffic)
- Statistical analysis recovers key
- Tools: aircrack-ng can crack WEP in minutes

DO NOT USE WEP UNDER ANY CIRCUMSTANCES.
Treat WEP networks as completely unencrypted.
WPA: WiFi Protected Access (Deprecated)
WPA was a stopgap while WPA2 was developed. It improved on WEP with TKIP (Temporal Key Integrity Protocol).
Improvements over WEP:
- Per-packet key mixing
- Message integrity check (Michael)
- Larger IV (48-bit)
- Better key management
Still vulnerable: TKIP has weaknesses; WPA should be avoided if possible. Some attacks can inject packets and recover keystream.
WPA2: The Standard
WPA2 uses AES-CCMP encryption, which is cryptographically sound.
Two modes:
- WPA2-Personal (PSK): Shared passphrase, suitable for homes/small offices
- WPA2-Enterprise: 802.1X authentication with RADIUS server, suitable for organizations
The WPA2 4-Way Handshake
After association, WPA2 uses a 4-way handshake to derive session keys:
WPA2 4-Way Handshake:

Pre-shared Key (PSK) + SSID -> PBKDF2 -> PMK (Pairwise Master Key)
Both sides have this

  Client                                          Access Point
    |                                                  |
    |  1. ANonce (AP's random number)                  |
    |<-------------------------------------------------|
    |                                                  |
    |  Client now has PMK + ANonce + SNonce            |
    |  Can derive PTK (Pairwise Transient Key)         |
    |                                                  |
    |  2. SNonce + MIC (Message Integrity Code)        |
    |------------------------------------------------->|
    |                                                  |
    |  AP derives same PTK, verifies MIC               |
    |                                                  |
    |  3. GTK (Group Temporal Key) + MIC               |
    |<-------------------------------------------------|
    |                                                  |
    |  4. ACK + MIC                                    |
    |------------------------------------------------->|
    |                                                  |
    |  ========== Encrypted communication ==========   |

Key Hierarchy:
  PSK -> PMK -> PTK (unicast) + GTK (broadcast/multicast)
WPA2 Vulnerabilities
Dictionary Attacks on PSK: The PMK is derived from the passphrase and SSID. Attackers who capture the 4-way handshake can attempt offline dictionary/brute-force attacks.
WPA2 PSK Attack:

1. Capture 4-way handshake (wait or force reconnection via deauth)
2. Offline attack (no interaction with AP needed):
   For each password candidate:
     - Derive PMK = PBKDF2(passphrase, SSID, 4096, 256)
     - Derive PTK using captured ANonce + SNonce + MACs
     - Calculate MIC
     - Compare to captured MIC
3. If MIC matches -> Password found!

Attack speed: ~100,000-1,000,000 attempts/second (depends on hardware)
GPU acceleration: 100x faster

Protection: Use strong, random passphrases (12+ characters, mixed)
"correcthorsebatterystaple" >> "P@ssw0rd!"
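The PSK key hierarchy from the handshake and attack diagrams above, worked in Python as an added example (not code from the chapter): PBKDF2 turns passphrase and SSID into the PMK, the 802.11i PRF-512 expands PMK, both MACs and both nonces into the PTK, and the same PMK also yields the PMKID discussed in the PMKID attack section later in this chapter. The MAC addresses and nonces are constructed; the PMK check value is the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i for WPA/WPA2-Personal
PMK_LEN = 32               # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    The SSID is the salt, so a precomputed table only helps against one network
    name, and each offline guess costs 4096 HMAC iterations. That cost, not any
    secrecy of the handshake, is all that protects a weak passphrase.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, mac_a: bytes, mac_b: bytes, nonce_a: bytes, nonce_b: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).

    Sorting the inputs is why client and AP reach the same PTK after messages 1
    and 2, whichever side calls this. KCK keys the handshake MICs, KEK wraps the
    GTK in message 3, and TK is the CCMP data key.
    """
    data = min(mac_a, mac_b) + max(mac_a, mac_b) + min(nonce_a, nonce_b) + max(nonce_a, nonce_b)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AP_MAC || STA_MAC), truncated to 128 bits."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def demo() -> dict:
    """Both sides derive the PTK independently. MACs (from the chapter's diagram) and nonces are constructed."""
    ap, sta = mac_bytes("AA:BB:CC:DD:EE:FF"), mac_bytes("02:00:00:00:00:01")
    anonce, snonce = os.urandom(32), os.urandom(32)      # stand in for the handshake nonces
    pmk = derive_pmk("correcthorsebatterystaple", "CorporateWiFi")
    client_ptk = derive_ptk(pmk, sta, ap, snonce, anonce)  # client's view of the inputs
    ap_ptk = derive_ptk(pmk, ap, sta, anonce, snonce)      # AP's view: same result
    return {"pmk": pmk.hex(), "same_ptk": client_ptk == ap_ptk,
            "pmkid": derive_pmkid(pmk, ap, sta).hex()}


if __name__ == "__main__":
    print(demo())
```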
KRACK (Key Reinstallation Attack): Discovered in 2017, KRACK exploits vulnerabilities in the handshake to force nonce reuse. Allows traffic decryption and injection on vulnerable clients. Patches are available; ensure systems are updated.
WPA3: The New Standard
WPA3 (2018) addresses WPA2 weaknesses:
WPA3-Personal:
SAE (Simultaneous Authentication of Equals): Replaces PSK-based authentication with a secure key exchange.
WPA3-SAE (Dragonfly) vs WPA2-PSK:

WPA2-PSK:
  Password -> PMK derived once
  Captured handshake enables offline attack
  Weak password = fast crack

WPA3-SAE:
  Password used in zero-knowledge proof
  Each connection: fresh keys via Dragonfly exchange
  Captured handshake does NOT enable offline attack!
  Even weak passwords much harder to crack

Forward Secrecy:
  WPA2: If password later compromised, past captured traffic can be decrypted
  WPA3: Each session uses ephemeral keys, past sessions remain protected
WPA3-Enterprise:
- 192-bit security suite option
- Protected management frames mandatory
- Suite B cryptography
Security Protocol Comparison
| Feature | WEP | WPA | WPA2 | WPA3 |
|---|---|---|---|---|
| Encryption | RC4 (broken) | TKIP/RC4 | AES-CCMP | AES-CCMP/GCMP-256 |
| Key Exchange | Static | TKIP | 4-Way PSK | SAE |
| Offline Attack | Minutes | Possible | Dictionary | Resistant |
| Forward Secrecy | No | No | No | Yes |
| MFP | No | No | Optional | Mandatory |
| Status | Broken | Deprecated | Current | Recommended |
Now that we understand the security protocols, let's examine how attackers exploit wireless networks. Even with strong encryption, the broadcast nature of wireless creates unique attack opportunities that don't exist in wired environments.
Wireless Security Threats
Wireless attacks fall into several categories: passive attacks (eavesdropping), active attacks (injecting or modifying traffic), and attacks against the authentication mechanism itself. Understanding these threats helps you both defend networks and recognize when you might be under attack.
Eavesdropping
Anyone within range can capture wireless traffic. Without encryption (or with broken encryption like WEP), all data is exposed.
Mitigation: Use WPA2/WPA3; use VPN on untrusted networks; ensure HTTPS for sensitive sites.
Rogue Access Points / Evil Twin
Attackers set up fake APs mimicking legitimate networks:
Evil Twin Attack:

  Legitimate Network:               Attacker's Fake AP:
  SSID: "CoffeeShop_WiFi"           SSID: "CoffeeShop_WiFi"
  Security: WPA2                    Security: Open (or captures PSK)
  Signal: -70 dBm                   Signal: -50 dBm (stronger!)

                  [ Victim Device ]
                         |
                         |  Connects to stronger signal (attacker's AP)
                         v
  [ Legitimate AP ]            [ Evil Twin (Attacker) ]
                                          |
                                          |  All traffic visible
                                          |  Can inject content
                                          |  Capture credentials
                                          v
                                     [ Internet ]

Captive portal variant: Fake AP shows a login page that captures credentials.
Mitigation: Verify network authenticity; use VPN; check certificate warnings; don't auto-connect to known SSIDs.
Deauthentication Attacks
Attacker sends forged deauthentication frames, disconnecting clients:
Deauth Attack:

Normal frame:
  Source: AP MAC
  Destination: Client MAC
  Type: Deauthentication
  Reason: "Leaving network"

Attacker forges this frame:
1. Spoofs source as AP's MAC
2. Sends to specific client or broadcast (FF:FF:FF:FF:FF:FF)
3. Clients disconnect

Uses:
- DoS (keep users offline)
- Force reconnection to capture handshake
- Redirect users to evil twin
- Create window for other attacks

Tools: aireplay-ng, mdk4, WiFi Pineapple

Mitigation: 802.11w (MFP) - Management Frame Protection; WPA3 mandates MFP
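As an added example (not the chapter's code), a small wireless-IDS check of the kind the "monitor for rogue APs using wireless IDS" advice later in this chapter implies: it scans management-frame records for a burst of deauthentication or disassociation frames claiming an AP's BSSID, something a legitimate AP almost never emits in quick succession. The frame records, the 2-second window and the threshold of 5 frames are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

BEACON, DISASSOC, DEAUTH = 8, 10, 12   # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    ts: float                    # capture time in seconds
    subtype: int
    src: str                     # transmitter address; a forged deauth claims the AP's BSSID
    dst: str
    reason: int = 0              # 802.11 reason code carried by deauth/disassoc
    mfp_verified: bool = False   # True if the receiver validated the frame under 802.11w


def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """Alert once per BSSID that sends >= threshold unprotected deauth/disassoc frames within window_s.

    Only frames that could not be validated by 802.11w count: with MFP a forged
    deauth fails its MIC and is dropped, which is why the chapter recommends it.
    """
    per_src = defaultdict(list)
    for f in sorted(frames, key=lambda f: f.ts):
        if f.subtype in (DEAUTH, DISASSOC) and not f.mfp_verified:
            per_src[f.src].append(f)
    alerts = []
    for bssid, events in per_src.items():
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window_s:   # slide the window forward
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold:
                alerts.append({"bssid": bssid, "count": len(burst),
                               "first_ts": burst[0].ts, "last_ts": burst[-1].ts,
                               "broadcast": any(f.dst == BROADCAST for f in burst),
                               "reasons": sorted({f.reason for f in burst})})
                break
    return alerts


# Constructed sample: normal beacons, one ordinary disconnect, then a burst of
# broadcast deauths spoofing the same BSSID.
AP = "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [
    MgmtFrame(0.0, BEACON, AP, BROADCAST),
    MgmtFrame(0.5, DEAUTH, AP, "02:00:00:00:00:01", reason=3),   # reason 3: STA is leaving (normal)
    MgmtFrame(1.0, BEACON, AP, BROADCAST),
] + [MgmtFrame(10.0 + i * 0.1, DEAUTH, AP, BROADCAST, reason=7) for i in range(10)]


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```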
PMKID Attack
Discovered in 2018, this attack doesn't require a client:
PMKID Attack:
Traditional attack: Capture 4-way handshake (need active client)
PMKID attack: Request association, get PMKID from first message
PMKID = HMAC-SHA1(PMK, "PMK Name" || AP_MAC || Client_MAC)
1. Attacker sends association request to AP
2. AP responds with PMKID in first message
3. No full handshake needed!
4. Offline attack against PMKID
Advantage: No client needed, no deauth needed
Mitigation: Strong passwords (attack is still offline dictionary)
WPS Vulnerabilities
WiFi Protected Setup (WPS) was designed to simplify connection using a PIN. However, the PIN is vulnerable to brute force:
WPS PIN Attack:
WPS PIN: 8 digits (e.g., 12345678)
Last digit: Checksum
Naive assumption: 10^8 = 100 million combinations
Reality:
- PIN validated in two halves!
- First half: 10,000 combinations
- Second half: 1,000 combinations (7th digit, checksum is 8th)
- Total: 11,000 combinations maximum
Brute force time: Few hours
Tool: reaver, bully
Mitigation: Disable WPS or use push-button only with timeout
Security Note: Wireless attacks including handshake capture, evil twins, and deauth attacks are covered in detail in Part II, Chapter 8.
Wireless Site Surveys
Understanding attacks is one thing; properly deploying and assessing wireless networks is another. Before installing a WiFi network, or auditing an existing one, professionals conduct site surveys. These surveys reveal both coverage issues and security concerns.
Why Site Surveys Matter
Proper wireless deployment requires understanding the RF environment:
- Where to place APs for coverage
- Which channels to use to avoid interference
- How much power to use
- Where security risks exist
Site Survey Types
Passive Survey:
- Listen only (don't transmit)
- Discover existing networks
- Measure signal strength
- Identify interference sources
Active Survey:
- Associate with your network
- Measure actual throughput
- Test roaming behavior
- Verify coverage requirements
Survey Tools
# Linux - View available networks
nmcli device wifi list
iwlist wlan0 scan
iw dev wlan0 scan
# macOS
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
# Windows
netsh wlan show networks mode=bssid
# Professional tools:
# - Ekahau (enterprise)
# - NetSpot (prosumer)
# - WiFi Analyzer (mobile)
# - Acrylic WiFi (Windows)
Heat Maps
WiFi Coverage Heat Map Example:

  Office Floor: AP1 on the left and AP2 on the right; the shading in the
  original figure shows signal strength falling off with distance from each AP.

  Legend:
    Strong           (-30 to -50 dBm)
    Good             (-50 to -67 dBm)
    Acceptable       (-67 to -70 dBm)
    Weak/No coverage (< -70 dBm)
Best Practices
For Network Administrators
- Use WPA3 where possible, WPA2-Enterprise minimum for corporate
- Strong passphrases: 12+ random characters, avoid dictionary words
- Disable WEP and WPA completely
- Enable 802.11w (MFP) to protect management frames
- Disable WPS or use push-button only with timeout
- Network segmentation: Separate guest/IoT networks via VLANs
- Monitor for rogue APs using wireless IDS (WIDS)
- Update firmware regularly
- Use non-default SSIDs (don't advertise equipment type)
- Consider hiding SSID for sensitive networks (limited benefit)
For Users
- Verify network identity before connecting (ask staff, check signage)
- Use VPN on public/untrusted networks
- Forget networks you no longer use
- Disable auto-connect to unknown/open networks
- Check for HTTPS on sensitive sites
- Keep devices updated (patches for KRACK, etc.)
- Disable WiFi when not needed (reduces attack surface)
Practical Commands
# Linux - Put interface in monitor mode
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Or using airmon-ng
sudo airmon-ng start wlan0
# Capture with tcpdump
sudo tcpdump -i wlan0mon -w capture.pcap
# View captured handshakes
aircrack-ng capture.pcap
# Deauth attack (authorized testing only!)
aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon
# Capture PMKID
hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1
# Test WPS
wash -i wlan0mon # Find WPS-enabled APs
reaver -i wlan0mon -b <AP_MAC> -vv # Brute force (authorized only)
**LEGAL WARNING**
Capturing traffic from networks you don't own or attacking networks without authorization is illegal in most jurisdictions. Only perform these activities on networks you own or have explicit written permission to test.
Key Takeaways
- 802.11 standards have evolved from WiFi 4 through WiFi 7, with each generation adding speed, efficiency, and density improvements
- WiFi 6 (802.11ax) introduced OFDMA and BSS coloring for high-density environments; WiFi 6E added 6 GHz spectrum
- WEP is completely broken: never use it. WPA is deprecated. Use WPA2 or WPA3.
- WPA3's SAE eliminates offline dictionary attacks and provides forward secrecy
- Management frames can be spoofed without 802.11w protection, enabling deauth attacks
- Evil twin and deauth attacks exploit WiFi's broadcast nature and trust model
- Site surveys are essential for proper deployment and security assessment
Self-Assessment
- Comprehension: Why can WPA2-PSK handshakes be attacked offline, but WPA3-SAE cannot?
- Application: A coffee shop wants to offer free WiFi. What security measures should they implement, and what should they tell customers?
- What if: If all devices suddenly supported only WPA3 tomorrow, which current attacks would no longer work?
Review Questions
- What are the key differences between 2.4 GHz, 5 GHz, and 6 GHz bands?
- What makes WEP fundamentally broken?
- How does the WPA2 4-way handshake enable offline password attacks?
- What improvement does WPA3's SAE provide over WPA2-PSK?
- How do deauthentication attacks work, and how can they be prevented?
- What is a WiFi evil twin attack, and how can users protect themselves?
Key Standards
- IEEE 802.11 - Wireless LAN standards family
- IEEE 802.11i - Security (WPA2)
- IEEE 802.11w - Protected Management Frames
- IEEE 802.11ax - WiFi 6
- IEEE 802.11be - WiFi 7
- WiFi Alliance WPA3 - Latest security specification