Example 1 Β· Deauthentication Attack Walkthrough
A complete walkthrough of a wireless deauthentication attack as demonstrated in the course material β using the Aircrack-ng toolset on a Linux system with a monitor-mode wireless adapter.
Lab setup:
- Attacker: Linux system with wireless adapter in monitor mode (interface: wlan0mon)
- Target access point: SSID "pmn", BSSID visible in airodump output
- Target device: User's iPhone, MAC address ending in 2E:FD
Phase 1 β Reconnaissance:
The attacker runs: airodump-ng wlan0mon
The tool outputs a live table of all detected access points within range, including their BSSIDs, SSIDs, channels, signal strengths, and encryption types. Below the AP list, it shows all associated client devices and which AP each is connected to. The attacker identifies the target AP and notes the iPhone's MAC address (ending in 2E:FD) in the client list.
Phase 2 β Deauthentication:
The attacker runs: aireplay-ng -0 0 -a [AP BSSID] -c [iPhone MAC] wlan0mon
The -0 flag indicates deauthentication attack mode. The 0 following it means "send continuously" (a specific number would send that many frames then stop). -a specifies the AP's BSSID. -c specifies the target client's MAC.
What happens:
The tool immediately begins sending forged deauthentication frames. The iPhone receives a frame that appears to be from the legitimate AP (the spoofed BSSID) instructing it to disconnect. The iPhone disconnects. It attempts to reconnect. Another deauthentication frame arrives before reconnection completes. The iPhone is disconnected again. The Wi-Fi icon on the iPhone's screen shows the network repeatedly appearing and disappearing.
As long as aireplay-ng runs, the device cannot maintain a wireless connection.
Broadcast variant: Replace -c [iPhone MAC] with no -c flag, and the deauth frames are sent to the broadcast address β all associated clients are simultaneously disconnected.
What the attacker does NOT need: The WPA2/WPA3 passphrase. Any authenticated session on the network. Admin access to anything. Just physical proximity and a wireless adapter in monitor mode.
Example 2 Β· The 802.11w Protection Difference
Illustrating why 802.11w prevents deauthentication attacks and why some frames must remain unprotected.
Without 802.11w (older networks):
A deauthentication frame arrives at the client. The frame contains: the AP's BSSID as the source address, the client's MAC as the destination, and the deauthentication reason code. The client has no way to verify this frame came from the legitimate AP β any device could have sent it with any source address. The client complies and disconnects.
With 802.11w (802.11ac and newer):
A deauthentication frame arrives at the client. In addition to the standard fields, the frame includes a Message Integrity Code (MIC) β a cryptographic value derived from a shared key established during the secure connection setup. The client verifies the MIC. If the attacker forged this frame, they do not know the session key, so the MIC they could attach would be wrong. The client rejects the frame. The connection is maintained.
Why beacons and probes can't be protected:
Beacon frames are broadcast by the AP before any client has connected. The cryptographic keys used by 802.11w are per-session keys established during the secure association process. Before a client connects, no shared key exists for the AP to use when signing its beacon frames β and clients that haven't connected yet don't have a key to verify them with. Protecting these frames would require a different key management infrastructure and would break the discovery process for new clients. This is the inherent protocol trade-off 802.11w makes.
Practical implication: Even on a fully 802.11ac network with 802.11w enabled, a packet capture will still show some unencrypted management frames (beacons, probes). This is expected behavior β not a security misconfiguration.
Example 3 Β· Natural vs. Malicious Interference
Distinguishing unintentional RF interference from a deliberate jamming attack.
Scenario A β Microwave oven interference (unintentional):
A small office reports that Wi-Fi in the break room becomes unreliable during lunch hours. Spectrum analysis shows elevated noise on 2.4 GHz channel 6 that appears between 12:00 PM and 1:00 PM daily, correlated with heavy kitchen use. The noise disappears when no one is in the break room.
Classification: Unintentional interference from microwave ovens. Microwave ovens operating at 2.4 GHz leak RF energy that overlaps with 2.4 GHz Wi-Fi channels. The pattern (time-of-day correlation, location correlation) identifies the source without any attacker hypothesis. Fix: move AP away from kitchen area, switch break room coverage to a 5 GHz AP, or channel plan to use channels 1 or 11 rather than 6.
Scenario B β Deliberate reactive jamming (malicious):
A financial trading firm notices that Wi-Fi on its trading floor becomes unusable exactly when trading volume is highest (market open, 9:30 AM). During off-hours, the network is fine. Spectrum analysis during trading hours shows elevated noise that appears and disappears rapidly, correlated with traffic volume. No microwave ovens, no other obvious interference sources near the trading floor.
Classification: Likely reactive jamming. The correlation with active network traffic (jammer fires when it detects communication) and the absence of obvious unintentional sources points to a deliberate attacker. The goal might be to disrupt competitor trading operations or cause missed trades. Investigation: fox hunt during peak hours to locate the transmitter source; involve law enforcement if confirmed intentional.
Exam Scenario 1 Β· Identifying the Attack Type
Scenario: An IT administrator receives reports that every device on the company's guest Wi-Fi network is repeatedly disconnecting every 30β60 seconds throughout the morning. The administrator confirms the access point is functioning normally β connected devices appear in the AP dashboard briefly, then drop, then reconnect, in a continuous loop. The wired network is unaffected. A packet capture of the wireless traffic shows bursts of type 0x0C frames arriving at a rate far higher than any normal AP operation would generate.
Question: What attack is occurring, and what does the 0x0C frame type indicate?
Answer: This is a wireless deauthentication attack. 0x0C is the 802.11 management frame subtype for deauthentication. The burst pattern β high-frequency deauth frames from a source not on the authorized device list β is the signature of aireplay-ng or similar tool running continuously to keep all clients disconnected. The wired network being unaffected confirms this is a wireless-layer attack, not a network-level or internet connectivity issue.
Response: Enable 802.11w on the AP if supported; upgrade AP to 802.11ac/ax hardware if not. Conduct a physical sweep of the area within wireless range for the attacker's device. The attack requires proximity β the attacker is nearby.
Exam Scenario 2 Β· Deauth vs. Jamming Classification
Scenario: Security researchers are evaluating two wireless incidents at different companies. Incident A: A company's 802.11ax network experiences repeated client disconnections; the problem stops immediately when the AP is upgraded and 802.11w is enforced. Incident B: A company's 5 GHz Wi-Fi network experiences complete loss of signal in one building; spectrum analysis shows the 5 GHz band is saturated with continuous noise across all channels; no client disconnections or management frames are visible because no traffic can get through at all.
Question: Classify each incident and explain why the solution for A doesn't work for B.
Answer: Incident A is a deauthentication attack β a protocol-layer attack exploiting unprotected management frames. 802.11w fixes it because it adds cryptographic verification to deauth frames, so forged frames are rejected. Incident B is RF jamming β a physical-layer attack saturating the radio medium with noise. 802.11w is completely irrelevant to Incident B because jamming doesn't exploit a protocol flaw; it destroys the signal itself. There are no frames to verify if the radio channel is full of noise. The fix for B requires physical investigation (fox hunt), spectrum analysis, and location/removal of the jammer.
Exam Scenario 3 Β· Fox Hunting Tool Selection
Scenario: A network engineer confirms via spectrum analysis that a jamming signal is present in the 2.4 GHz band. She begins walking the building with a directional antenna to locate the source. As she approaches one area, the signal becomes extremely strong β so strong that her spectrum analyzer shows maximum signal level from all directions, making it impossible to determine which way to proceed.
Question: What tool should the engineer add to her kit and why?
Answer: A signal attenuator. When very close to a strong signal source, the signal strength exceeds the directional antenna's ability to discriminate direction β everything looks equally loud from all angles. An attenuator placed inline reduces the effective signal strength by a known number of decibels, bringing the apparent signal level back into the range where the antenna's directional sensitivity can again indicate bearing. The engineer can then continue to narrow down the exact location of the source rather than being overwhelmed by signal saturation.