Chapter 47 Β· Concepts
Wireless Attack Concepts
Attack mechanisms, 802.11 frame types, RF jamming categories, and the defense stack in structured reference format.
Deauthentication Attack vs. RF Jamming β Side-by-Side
| Property | Deauthentication Attack | RF Jamming |
| Attack Layer | Protocol / Data Link (802.11 management frames) | Physical (radio frequency signal) |
| Mechanism | Forged deauthentication frames force client disconnection | Interference raises noise floor; SNR drops below usable threshold |
| Attacker Requires | Target MAC address, monitor-mode wireless adapter, proximity | Transmitter capable of target frequency, proximity |
| Password Required? | No | No |
| Affected Scope | Specific device or all devices (broadcast) | All devices on affected frequency/channel |
| Mitigated by 802.11w? | Yes β protected frames prevent forgery | No β physical layer; protocol fixes irrelevant |
| Detection Method | Packet capture shows burst of deauth frames from spoofed source | Spectrum analyzer shows elevated noise floor |
| Proximity Required? | Yes β within wireless range | Yes β radio signals weaken with distance |
Deauthentication Attack β Step-by-Step
1. Reconnaissance with airodump-ng β attacker runs airodump-ng in monitor mode; tool passively captures all management frames and lists every AP (BSSID, SSID, channel) and every associated client (MAC address) in range
2. Identify targets β attacker notes the AP's BSSID and the target device's MAC address (e.g., iPhone ending in 2E:FD)
3. Inject deauth frames with aireplay-ng β attacker runs aireplay-ng with -0 flag, specifying the AP BSSID and client MAC; tool begins sending continuous forged deauthentication frames to the target client
4. Client disconnects β the target device receives a deauth frame that appears to come from the AP (spoofed MAC); client disconnects, believing the AP initiated it
5. Reconnection blocked β client attempts to reconnect; another deauth frame arrives before the reassociation completes; client is disconnected again; loop continues indefinitely
6. Broadcast variant β if attacker uses the broadcast MAC address instead of a specific client, all devices on the network are simultaneously disconnected
802.11 Management Frame Types
| Frame Type | Purpose | 802.11w Protected? |
| Beacon | AP broadcasts its presence, SSID, capabilities, and supported rates | No β must be readable before association |
| Probe Request | Client scans for available APs | No β sent before association |
| Probe Response | AP responds to client probe with its parameters | No β sent before association |
| Authentication | Initial open authentication exchange before association | No β required before encryption is established |
| Association Request/Response | Client requests to join the network; AP responds with connection parameters | No β part of initial connection setup |
| Deauthentication | Terminates an authenticated relationship between client and AP | Yes β encrypted and MIC-protected |
| Disassociation | Ends the associated state while preserving authentication | Yes β encrypted and MIC-protected |
| Channel Switch Announcement | AP notifies clients it is moving to a different channel | Yes β encrypted and MIC-protected |
Why Some Frames Cannot Be Protected by 802.11w
802.11w uses cryptographic keys established during the connection process to protect management frames. This creates a logical constraint: frames that must be transmitted before the connection is established cannot be protected by 802.11w, because the encryption keys don't exist yet at that point.
Beacon, probe, authentication, and association frames all happen during the initial discovery and connection phase β before the encryption handshake. These frames must remain in plaintext for the 802.11 protocol to function. Once a secure connection is established (keys exchanged), subsequent management frames β deauthentication, disassociation, channel switches β can be protected by 802.11w.
Exam tip: "Some management frames are still in the clear even on 802.11ac networks" is true and expected. This is not a misconfiguration β it is a protocol design requirement.
RF Jamming Types
| Type | Behavior | Detectability | Efficiency |
| Constant Jamming | Continuous transmission of noise, random data, or legitimate-looking frames | Easy β persistent elevated noise on spectrum analyzer | High disruption; high attacker energy use |
| Random Jamming | Interference at unpredictable intervals | Harder β requires prolonged monitoring to establish pattern | Moderate disruption; moderate energy use |
| Reactive Jamming | Silent until detecting transmission; then immediately jams | Hardest β no signal present in idle periods | Maximum efficiency; disruption targeted exactly when communication is attempted |
Unintentional vs. Intentional Interference
| Source | Type | Affected Frequency | Response |
| Microwave ovens | Unintentional | 2.4 GHz | Move AP or switch to 5 GHz band |
| Fluorescent lighting (with failing ballasts) | Unintentional | Variable | Replace lighting; conduct RF site survey |
| Cordless phones (older DECT) | Unintentional | 2.4 GHz | Replace with 5.8 GHz or DECT 6.0 devices |
| Intentional jammer device | Malicious | Attacker's choice | Fox hunt to locate source; law enforcement involvement |
| Adjacent APs (channel overlap) | Unintentional | 2.4 GHz (channels 1/6/11) | Channel planning; use 5 GHz band |
Fox Hunting β Locating a Jamming Source
1. Confirm the signal exists β use a wireless spectrum analyzer to verify elevated noise on a specific channel or frequency; confirm it is not consistent with known natural interference sources
2. Attach a directional antenna β connects to the spectrum analyzer or a wireless adapter; directional antennas are sensitive in a narrow forward arc and insensitive to the sides and rear
3. Rotate to find the bearing β stand in a fixed position and slowly rotate; note the compass heading where the signal is strongest; this gives an approximate direction to the source
4. Move toward the signal β walk in the direction indicated; repeat bearing checks as you move; signal strengthens as you approach
5. Apply attenuator when signal is strong β as you get very close, the signal becomes too strong for precise directional detection; an inline attenuator reduces the signal to a workable level, restoring the ability to detect directional differences
6. Triangulate and confirm β take bearings from at least two different positions; the intersection identifies the source location; visually confirm
Defense Stack
| Control | Attack Addressed | How |
| 802.11w (Protected Management Frames) | Deauthentication attack | Encrypts and authenticates critical management frames; forged deauth frames are rejected |
| Modern APs (802.11ac/ax) | Deauthentication attack | 802.11w is mandatory in 802.11ac and newer; upgrading APs automatically brings 802.11w |
| Wireless IDS (WIDS) | Both | Monitors for anomalous management frame patterns (burst deauths) or elevated noise floor indicative of jamming |
| Spectrum Analysis Tools | RF jamming | Identifies interference sources, affected channels, and signal patterns for investigation |
| Fallback Wired Connectivity | RF jamming | Provides continuity when wireless is disrupted; critical systems should not rely solely on wireless |
| Physical Perimeter Awareness | Both | Both attacks require proximity; access control, physical security, and awareness of who is in wireless range limit the attack surface |
| Fox Hunting Capability | RF jamming | Directional antenna + attenuator enables locating and eliminating the source of interference |