Chapter 47 Β· Flashcards

Wireless Attacks Flashcards

Click any card to reveal its definition.

0 / 10 flipped
Wireless Deauthentication Attack
Tap to reveal
A denial-of-service attack that forces wireless clients to disconnect by sending forged 802.11 deauthentication management frames. The attacker does not need the network password β€” only the MAC addresses of the AP and the target device plus wireless range proximity. Clients receive the fake frame (which appears to come from the legitimate AP) and comply by disconnecting. Continuous frames prevent reconnection. Broadcast variant kicks all clients simultaneously. Fixed by 802.11w Protected Management Frames in 802.11ac and newer hardware.
802.11 Management Frames
Tap to reveal
Control messages that coordinate 802.11 wireless network operations β€” entirely invisible to users. Functions: discovering APs (beacons, probes), connecting to the network (authentication, association frames), managing QoS, disconnecting (deauthentication, disassociation frames). In early 802.11 implementations, all management frames were sent in plaintext with no encryption or authentication β€” enabling any nearby device to forge them. Modern 802.11w-capable networks encrypt and authenticate critical management frames to prevent forgery.
The Core Deauth Vulnerability
Tap to reveal
Early 802.11 management frames β€” including deauthentication frames β€” were transmitted in plaintext with no authentication mechanism. Any device could send a deauthentication frame spoofing any source MAC address. Since receiving devices had no way to verify the frame's authenticity, they would comply with any deauth frame they received, believing it to be legitimate. This was not a software bug β€” it was a design omission in the original 802.11 specification. Fixed by 802.11w, which was incorporated into the 802.11ac standard as a mandatory requirement.
Protected Management Frames (802.11w)
Tap to reveal
IEEE 802.11w amendment that adds cryptographic authentication to critical management frames using Message Integrity Codes (MIC) based on session keys. Protects: deauthentication frames, disassociation frames, and channel switch announcements. Unprotected (by design): beacons, probe requests/responses, authentication frames, and initial association frames β€” these must be exchanged before session keys exist. 802.11w is mandatory in 802.11ac and newer. A forged deauth frame without the correct MIC is rejected. First adopted July 2014.
airodump-ng / aireplay-ng
Tap to reveal
Tools from the Aircrack-ng suite used in wireless deauthentication attacks. airodump-ng: passive reconnaissance β€” captures management frames and lists all APs (BSSID, SSID, channel) and associated clients (MAC addresses) in range. Requires monitor mode. aireplay-ng: active injection β€” sends forged frames into the network. With -0 flag, injects deauthentication frames targeting a specific client or broadcast. Combining the two: airodump-ng identifies targets; aireplay-ng conducts the attack. Both tools are free, open-source, and available for Linux β€” no Wi-Fi password required.
RF Jamming
Tap to reveal
A physical-layer denial-of-service attack that disrupts wireless communication by transmitting interfering radio signals on the target frequency. Raises the noise floor and reduces the signal-to-noise ratio (SNR) until legitimate devices cannot decode the AP's signal. Unlike deauthentication attacks, RF jamming exploits the physical medium β€” not a protocol flaw. 802.11w does not protect against jamming. Affects all devices on the target frequency regardless of encryption or security settings. Requires physical proximity. Intentional RF jamming is illegal in most jurisdictions. Detected with spectrum analyzers; source located via fox hunting.
Constant Jamming
Tap to reveal
RF jamming technique that continuously transmits interference β€” random data, noise, or legitimate-looking frames β€” without interruption. Most effective (no gaps for devices to communicate) and simplest to implement. Also the most detectable: spectrum analysis shows persistent elevated noise on the affected channel at all times, making localization via fox hunting easier. High energy consumption by the attacker. Interference pattern appears as a consistent rise in noise floor that does not correlate with legitimate network traffic patterns.
Random Jamming
Tap to reveal
RF jamming technique that transmits interference at unpredictable, irregular intervals. The random timing makes it harder to diagnose than constant jamming β€” network monitoring shows intermittent drops that resemble ordinary RF congestion, hardware issues, or flaky equipment. Without sustained monitoring, the jamming signature may not be captured. More energy-efficient than constant jamming and harder to locate via fox hunting since the signal is not continuously present. Users experience it as an unstable, unreliable network rather than a complete outage.
Reactive Jamming
Tap to reveal
The most sophisticated RF jamming technique: the jammer is completely silent until it detects a wireless device transmitting, then immediately floods the channel with interference. During idle periods, the spectrum looks clean β€” no jamming signal present. The moment any device attempts to communicate, the jammer responds, making transmission impossible. Highly efficient (minimal transmit time), hardest to detect (nothing to find when idle), and hardest to locate via fox hunting. Network appears intermittent: silent periods work fine; any communication attempt immediately fails. The gap between "network looks fine" and "network stops working when used" is the reactive signature.
Fox Hunting (Wireless)
Tap to reveal
The process of physically locating a jamming or interference signal source using directional antennas and signal attenuators. Process: (1) use a directional antenna to determine approximate signal bearing; (2) move toward the signal; (3) as proximity increases and signal becomes overwhelming, add an attenuator to reduce signal strength enough for directional discrimination to remain precise; (4) triangulate from multiple positions. Both attacks and fox hunting require proximity β€” the attacker is physically nearby, which is what makes them locatable. Named after amateur radio hidden transmitter competitions.