Chapter 47 Β· Concepts

Wireless Attack Concepts

Attack mechanisms, 802.11 frame types, RF jamming categories, and the defense stack in structured reference format.

Deauthentication Attack vs. RF Jamming β€” Side-by-Side

PropertyDeauthentication AttackRF Jamming
Attack LayerProtocol / Data Link (802.11 management frames)Physical (radio frequency signal)
MechanismForged deauthentication frames force client disconnectionInterference raises noise floor; SNR drops below usable threshold
Attacker RequiresTarget MAC address, monitor-mode wireless adapter, proximityTransmitter capable of target frequency, proximity
Password Required?NoNo
Affected ScopeSpecific device or all devices (broadcast)All devices on affected frequency/channel
Mitigated by 802.11w?Yes β€” protected frames prevent forgeryNo β€” physical layer; protocol fixes irrelevant
Detection MethodPacket capture shows burst of deauth frames from spoofed sourceSpectrum analyzer shows elevated noise floor
Proximity Required?Yes β€” within wireless rangeYes β€” radio signals weaken with distance

Deauthentication Attack β€” Step-by-Step

1. Reconnaissance with airodump-ng β€” attacker runs airodump-ng in monitor mode; tool passively captures all management frames and lists every AP (BSSID, SSID, channel) and every associated client (MAC address) in range
2. Identify targets β€” attacker notes the AP's BSSID and the target device's MAC address (e.g., iPhone ending in 2E:FD)
3. Inject deauth frames with aireplay-ng β€” attacker runs aireplay-ng with -0 flag, specifying the AP BSSID and client MAC; tool begins sending continuous forged deauthentication frames to the target client
4. Client disconnects β€” the target device receives a deauth frame that appears to come from the AP (spoofed MAC); client disconnects, believing the AP initiated it
5. Reconnection blocked β€” client attempts to reconnect; another deauth frame arrives before the reassociation completes; client is disconnected again; loop continues indefinitely
6. Broadcast variant β€” if attacker uses the broadcast MAC address instead of a specific client, all devices on the network are simultaneously disconnected

802.11 Management Frame Types

Frame TypePurpose802.11w Protected?
BeaconAP broadcasts its presence, SSID, capabilities, and supported ratesNo β€” must be readable before association
Probe RequestClient scans for available APsNo β€” sent before association
Probe ResponseAP responds to client probe with its parametersNo β€” sent before association
AuthenticationInitial open authentication exchange before associationNo β€” required before encryption is established
Association Request/ResponseClient requests to join the network; AP responds with connection parametersNo β€” part of initial connection setup
DeauthenticationTerminates an authenticated relationship between client and APYes β€” encrypted and MIC-protected
DisassociationEnds the associated state while preserving authenticationYes β€” encrypted and MIC-protected
Channel Switch AnnouncementAP notifies clients it is moving to a different channelYes β€” encrypted and MIC-protected

Why Some Frames Cannot Be Protected by 802.11w

802.11w uses cryptographic keys established during the connection process to protect management frames. This creates a logical constraint: frames that must be transmitted before the connection is established cannot be protected by 802.11w, because the encryption keys don't exist yet at that point.

Beacon, probe, authentication, and association frames all happen during the initial discovery and connection phase β€” before the encryption handshake. These frames must remain in plaintext for the 802.11 protocol to function. Once a secure connection is established (keys exchanged), subsequent management frames β€” deauthentication, disassociation, channel switches β€” can be protected by 802.11w.

Exam tip: "Some management frames are still in the clear even on 802.11ac networks" is true and expected. This is not a misconfiguration β€” it is a protocol design requirement.

RF Jamming Types

TypeBehaviorDetectabilityEfficiency
Constant JammingContinuous transmission of noise, random data, or legitimate-looking framesEasy β€” persistent elevated noise on spectrum analyzerHigh disruption; high attacker energy use
Random JammingInterference at unpredictable intervalsHarder β€” requires prolonged monitoring to establish patternModerate disruption; moderate energy use
Reactive JammingSilent until detecting transmission; then immediately jamsHardest β€” no signal present in idle periodsMaximum efficiency; disruption targeted exactly when communication is attempted

Unintentional vs. Intentional Interference

SourceTypeAffected FrequencyResponse
Microwave ovensUnintentional2.4 GHzMove AP or switch to 5 GHz band
Fluorescent lighting (with failing ballasts)UnintentionalVariableReplace lighting; conduct RF site survey
Cordless phones (older DECT)Unintentional2.4 GHzReplace with 5.8 GHz or DECT 6.0 devices
Intentional jammer deviceMaliciousAttacker's choiceFox hunt to locate source; law enforcement involvement
Adjacent APs (channel overlap)Unintentional2.4 GHz (channels 1/6/11)Channel planning; use 5 GHz band

Fox Hunting β€” Locating a Jamming Source

1. Confirm the signal exists β€” use a wireless spectrum analyzer to verify elevated noise on a specific channel or frequency; confirm it is not consistent with known natural interference sources
2. Attach a directional antenna β€” connects to the spectrum analyzer or a wireless adapter; directional antennas are sensitive in a narrow forward arc and insensitive to the sides and rear
3. Rotate to find the bearing β€” stand in a fixed position and slowly rotate; note the compass heading where the signal is strongest; this gives an approximate direction to the source
4. Move toward the signal β€” walk in the direction indicated; repeat bearing checks as you move; signal strengthens as you approach
5. Apply attenuator when signal is strong β€” as you get very close, the signal becomes too strong for precise directional detection; an inline attenuator reduces the signal to a workable level, restoring the ability to detect directional differences
6. Triangulate and confirm β€” take bearings from at least two different positions; the intersection identifies the source location; visually confirm

Defense Stack

ControlAttack AddressedHow
802.11w (Protected Management Frames)Deauthentication attackEncrypts and authenticates critical management frames; forged deauth frames are rejected
Modern APs (802.11ac/ax)Deauthentication attack802.11w is mandatory in 802.11ac and newer; upgrading APs automatically brings 802.11w
Wireless IDS (WIDS)BothMonitors for anomalous management frame patterns (burst deauths) or elevated noise floor indicative of jamming
Spectrum Analysis ToolsRF jammingIdentifies interference sources, affected channels, and signal patterns for investigation
Fallback Wired ConnectivityRF jammingProvides continuity when wireless is disrupted; critical systems should not rely solely on wireless
Physical Perimeter AwarenessBothBoth attacks require proximity; access control, physical security, and awareness of who is in wireless range limit the attack surface
Fox Hunting CapabilityRF jammingDirectional antenna + attenuator enables locating and eliminating the source of interference