CEH (XVII): Hacking Wireless Networks

The index of this series of articles can be found here.

A wireless network allows devices to stay connected to the network but roam untethered to any wires. Access points amplify Wi-Fi signals, so a device can be far from a router but still be connected to the network. Previously it was thought that wired networks were faster and more secure than wireless networks. But continual enhancements to wireless network technology such as the Wi-Fi 6 networking standard have eroded speed and security differences between wired and wireless networks.

Usually, wireless communications rely on radio communications. Different frequency ranges are used for different types of wireless technologies depending upon the requirements.

Wireless Terminology


GSM (Global System for Mobile communications) is an open, digital cellular technology used for transmitting mobile voice and data services. GSM supports voice calls and data transfer speeds of up to 9.6 kbps, together with the transmission of SMS (Short Message Service).

GSM operates in the 900MHz and 1.8GHz bands in Europe and the 1.9GHz and 850MHz bands in the US. GSM services are also transmitted via 850MHz spectrum in Australia, Canada and many Latin American countries. The use of harmonised spectrum across most of the globe, combined with GSM’s international roaming capability, allows travellers to access the same mobile services at home and abroad. GSM enables individuals to be reached via the same mobile number in up to 219 countries.

Terrestrial GSM networks now cover more than 90% of the world’s population. GSM satellite roaming has also extended service access to areas where terrestrial coverage is not available.

Access Point

A wireless access point (WAP), or more generally just access point (AP), is a networking hardware device that allows other Wi-Fi devices to connect to a wired network. The AP usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself. An AP is differentiated from a hotspot which is a physical location where Wi-Fi access is available.


A Wi-Fi network’s SSID is the technical term for its network name. SSID stands for “Service Set Identifier”. Under the IEEE 802.11 wireless networking standard, a “service set” refers to a collection of wireless networking devices with the same parameters. So, the SSID is the identifier (name) that tells you which service set (or network) to join.


The BSSID is the MAC address of the wireless access point (WAP) generated by combining the 24-bit Organization Unique Identifier (the manufacturer’s identity) and the manufacturer’s assigned 24-bit identifier for the radio chipset in the WAP.

ISM Band

Industrial, Scientific and Medical band, as a part of the radio spectrum that can be used for any purpose without a license in most countries. 902-928 MHz, 2.4 GHz and 5.7-5.8 GHz bands are used for machines that emitted radio frequencies, industrial heaters and microwave ovens, but not for radio communications.

Orthogonal Frequency Division Multiplexing (OFDM)

Orthogonal Frequency Division Multiplexing is a digital transmission technique that uses a large number of carriers spaced apart at slightly different frequencies. First promoted in the early 1990s for wireless LANs, OFDM is used in many wireless applications including Wi-Fi, WiMAX, LTE, ultra-wideband (UMB), as well as digital radio and TV broadcasting in Europe and Japan. It is also used in land-based ADSL (see OFDMA).

Frequency-hopping Spread Spectrum (FHSS)

Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals by rapidly changing the carrier frequency among many distinct frequencies occupying a large spectral band. The changes are controlled by a code known to both transmitter and receiver. FHSS is used to avoid interference, to prevent eavesdropping, and to enable code-division multiple access (CDMA) communications.

Types of Networks

Types of wireless networks deployed in a geographical area can be categorised as:

  • Wireless personal area network (WPAN)
  • Wireless local area network (WLAN)
  • Wireless metropolitan area network (WMAN)
  • Wireless wide area network (WWAN)

However, a wireless network can be defined in different types depending upon the deployment scenarios. The following are some of the wireless network types that are used in different scenarios:

  • Extension to a wired network
  • Multiple access points
  • 3G/4G hotspot

Wireless Standards

802.11a5 GHzOFDM54 Mbps
802.11b2.4 GHzDSSs11 Mbps
802.11g2.4 GHzOFDM, DSSS54 Mbps
802.11n5 GHzOFDM54 Mbps
802.16 (WIMAX)10 – 66 GHzOFDM70 – 1000 Mbps
Bluetooth2.4 GHz1 – 3 Mbps


Wi-Fi is a family of wireless networking technologies, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access. Wi‑Fi is a trademark of the non-profit Wi-Fi Alliance, which restricts the use of the term Wi-Fi Certified to products that successfully complete interoperability certification testing.

They transmit at frequencies of 2.4 GHz or 5 GHz. This frequency is considerably higher than the frequencies used for cell phones, walkie-talkies and televisions. The higher frequency allows the signal to carry more data.

They use 802.11 networking standards, which come in several flavours:

  • 802.11a transmits at 5 GHz and can move up to 54 megabits of data per second. It also uses orthogonal frequency-division multiplexing (OFDM), a more efficient coding technique that splits that radio signal into several sub-signals before they reach a receiver. This greatly reduces interference.
  • 802.11b is the slowest and least expensive standard. For a while, its cost made it popular, but now it is becoming less common as faster standards become less expensive. 802.11b transmits in the 2.4 GHz frequency band of the radio spectrum. It can handle up to 11 megabits of data per second, and it uses complementary code keying (CCK) modulation to improve speeds.
  • 802.11g transmits at 2.4 GHz like 802.11b, but it is a lot faster – it can handle up to 54 megabits of data per second. 802.11g is faster because it uses the same OFDM coding as 802.11a.
  • 802.11n is the most widely available of the standards and is backwards compatible with a, b and g. It significantly improved speed and range over its predecessors. For instance, although 802.11g theoretically moves 54 megabits of data per second, it only achieves real-world speeds of about 24 megabits of data per second because of network congestion. 802.11n, however, reportedly can achieve speeds as high as 140 megabits per second. 802.11n can transmit up to four streams of data, each at a maximum of 150 megabits per second, but most routers only allow for two or three streams.
  • 802.11ac is the newest standard as of early 2013. It has yet to be widely adopted and is still in draft form at the Institute of Electrical and Electronics Engineers (IEEE), but devices that support it are already on the market. 802.11ac is backwards compatible with 802.11n (and therefore the others, too), with n on the 2.4 GHz band and ac on the 5 GHz band. It is less prone to interference and far faster than its predecessors, pushing a maximum of 450 megabits per second on a single stream, although real-world speeds may be lower. Like 802.11n, it allows for transmission on multiple spatial streams – up to eight, optionally. It is sometimes called 5G WiFi because of its frequency band, sometimes Gigabit WiFi because of its potential to exceed a gigabit per second on multiple streams and sometimes Very High Throughput (VHT) for the same reason.

Wi-Fi Authentication Modes

There are different authentication methods for WiFi-based networks:

Open Authentication to the Access Point

Open authentication allows any device to authenticate and then attempt to communicate with the access point. Using open authentication, any wireless device can authenticate with the access point, but the device can communicate only if it is Wired Equivalent Privacy (WEP) keys match the access point’s WEP keys. Devices that are not using WEP do not attempt to authenticate with an access point that is using WEP. Open authentication does not rely on a RADIUS server on your network.

Shared Key Authentication to the Access Point

During shared key authentication, the access point sends an unencrypted challenge text string to any device that is attempting to communicate with the access point. The device that is requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point allows the requesting device to authenticate.

Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Because of this vulnerability to attack, shared key authentication can be less secure than open authentication. Like open authentication, shared key authentication does not rely on a RADIUS server on your network.

EAP Authentication to the Network

This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which uses the key for all unicast data signals that the server sends to or receives from the client. The access point also encrypts its broadcast WEP key (which is entered in the access point’s WEP key slot 1) with the client’s unicast key and sends it to the client.

MAC Address Authentication to the Network

The access point relays the wireless client device’s MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. Because intruders can create counterfeit MAC addresses, MAC-based authentication is less secure than EAP authentication. However, MAC-based authentication provides an alternate authentication method for client devices that do not have EAP capability. See the “Assigning Authentication Types to an SSID” section for instructions on enabling MAC-based authentication.

Combining MAC-Based, EAP, and Open Authentication

You can set up the access point to authenticate client devices that use a combination of MAC-based and EAP authentication. When you enable this feature, client devices that use 802.11 open authentications to associate to the access point first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network. If MAC authentication fails, EAP authentication takes place.

Using WPA Key Management

Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.

WPA key management supports two mutually exclusive management types: WPA and WPA-Pre-shared key (WPA-PSK). Using WPA key management, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that pre-shared key is used as the PMK

Wi-Fi Chalking

Wi-Fi Chalking includes several methods to detect open wireless networks, there are some of them:

  • WarWalking: Walking around to detect open networks.
  • WarChalking: Using symbols and signs to advertise open wireless networks.
  • WarFlying: Detection of open wireless using drones.
  • WarDriving: Driving around to detect open wireless networks.

Types of Wireless Antennas

  • Directional Antenna: Directional antennas, as the name implies, focus the wireless signal in a specific direction resulting in a limited coverage area. An analogy for the radiation pattern would be how a vehicle headlight illuminates the road. Types of Directional antennas include Yagi, Parabolic grid, patch and panel antennas.
  • Omni-Directional: Omni-directional antennas provide a 360º doughnut-shaped radiation pattern to provide the widest possible signal coverage in indoor and outdoor wireless applications. An analogy for the radiation pattern would be how an un-shaded incandescent light bulb illuminates a room. Types of Omni-directional antennas include “rubber duck” antennas often found on access points and routers, Omni antennas found outdoors, and antenna arrays used on cellular towers.
  • Parabolic Antenna: A parabolic antenna is an antenna that uses a parabolic reflector, a curved surface with the cross-sectional shape of a parabola, to direct the radio waves. The most common form is shaped like a dish and is popularly called a dish antenna or parabolic dish.
  • Yagi Antenna: A Yagi–Uda antenna, commonly known as a Yagi antenna, is a directional antenna consisting of multiple parallel elements in a line, usually half-wave dipoles made of metal rods.
  • Dipole Antenna: A dipole antenna or doublet is the simplest and most widely used class of antenna. The dipole is any one of a class of antennas producing a radiation pattern approximating that of an elementary electric dipole with a radiating structure supporting a line current so energized that the current has only one node at each end.

Wireless Encryption


Wired Equivalent Privacy (WEP), introduced as part of the original 802.11 standards ratified in 1997, it is probably the most used Wi-Fi Security protocol out there. It is pretty recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits). In 2004, both WEP-40 and WEP-104 were declared deprecated. There were 128-bit (most common) and 256-bit WEP variants, but with ever-increasing computing power enable attackers to exploit numerous security flaws. All in all, this protocol is “dead“.

Breaking this encryption can be performed by following the next steps:

  • Monitor the access point channel.
  • Test injection capability of the access point.
  • Use a tool for fake authentication.
  • Sniff the packets in the network.
  • Use an encryption tool to inject packets.
  • Use a cracking tool to extract the encryption key from the initialisation vector (IV).


Wi-Fi Protected Access (WPA), became available in 2003, and it was the Wi-Fi Alliance’s direct response and replacement to the increasingly apparent vulnerabilities of the WEP encryption standard. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-bit and 128-bit keys used in the WEP system.

WPA included message integrity checks (to determine if an attacker had captured/altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet key system that was radically more secure than the fixed key system used by WEP. The TKIP encryption standard was later superseded by Advanced Encryption Standard (AES).

TKIP uses the same underlying mechanism as WEP and consequently is vulnerable to a number of similar attacks (e.g. Chop-Chop, MIC Key Recovery attack).

Usually, people do not attack WPA protocol directly, but a supplementary system that was rolled out with WPA – Wi-Fi Protected Setup (WPS).


WPA2 replaced WPA. Certification began in September 2004 and from March 13, 2006, it was mandatory for all new devices to bear the Wi-Fi trademark. The most important upgrade is the mandatory use of AES algorithms (instead of the previous RC4) and the introduction of CCMP (AES CCMP, Counter Cipher Mode with Block Chaining Message Authentication Code Protocol, 128 Bit) as a replacement for TKIP (which is still present in WPA2, as a fallback system and WPA interoperability).

Wireless Threats

  • Access control attack: Attackers obtaining access to a non-authorised network.
  • Integrity and confidentiality attacks: Attacker intercept confidential information going through the network.
  • Availability attacks: Attackers prevent legitimate users to access a network.
  • Authentication attacks: Attacker try to impersonate legitimate users of the network.
  • Rogue access point attacks: By starting a rogue access point with the same SSID that an existent and legitimate one in the same location, attackers try to gain access to the network and the existent traffic.
  • Client mis-association: Placing a rogue access point outside areas where the legitimate ones are to take advantage of the auto-connect setting in user devices and capture the traffic generated.
  • Misconfigured access point attacks: Attackers gain access to existing access points by taking advantage of existing misconfigurations on the device.
  • Unauthorised association: By taking advantage of a user’s troyanised computer attackers can be allowed to connect to private networks.
  • Ad-hoc connection attacks: Ad-hoc connections tend to be insecure because they do not provide strong authentication and encryption making it possible for attackers to take advantage of them.
  • Jamming signal attacks: By simply emitting an interference signal, a jamming attacker can effectively block the communication on a wireless channel, disrupt the normal operation, cause performance issues, and even damage the control system.

Wireless Attack Methodology

  • Wi-Fi discovery: Collect information by active footprinting.
  • GPS mapping: Creation of a list of existing access points and their locations.
  • Wireless traffic analysis: Capturing packets to reveal any information about the access point and the network.
  • Launch wireless attacks: Using a tool like Aircrack-ng to run one or multiple of the possible attacks against a wireless network.

Bluetooth Hacking

Bluetooth is a wireless technology which is found in pretty much every phone you can get your hands on. But it is also in many other devices and gadgets around the home and the office, such as laptops, speakers, headphones and more. Bluetooth is used to connect devices that are in close proximity, cutting down on cables and giving you flexibility and freedom. Bluetooth is designed to allow devices to communicate wirelessly with each other over relatively short distances. It typically works over a range of fewer than 100 meters. The range has been intentionally limited in order to keep its power drain to a minimum. Bluetooth operates at 2.4 GHz frequency.

Bluetooth has a discovery feature that enables devices to be discoverable by other Bluetooth devices.

Bluetooth Attacks

  • BlueSmacking: Basically, a DoS attack against a Bluetooth device overflowing it with random packets, for example, echo packets.
  • BlueBugging: In this type of attacks, attackers exploit devices to gain access and compromise their security.
  • BlueJacking: It is the act of sending unsolicited messages to Bluetooth enabled devices.
  • BluePrinting: It is a method or technique to extract information and details about a remote device. Information such as firmware, manufacturers information, model, etc.
  • BlueSnarfing: Exploiting security vulnerabilities, attackers steal the information on Bluetooth devices.

Bluetooth Countermeasures

  • Keep checking the paired devices list.
  • Keep devices in non-discoverable mode.
  • Use a strong ping pattern.
  • Use encryption.
  • Install host-based security.
  • Do not accept an unknown or suspectable request.
  • When idle, keep your Bluetooth disabled.

Wireless Security Tools

Wireless Intrusion Prevention Systems

A wireless intrusion prevention system (WIPS) operates at the Layer 2 (data link layer) level of the Open Systems Interconnection model. WIPS can detect the presence of rogue or misconfigured devices and can prevent them from operating on wireless enterprise networks by scanning the network’s RFs for denial of service and other forms of attack.

WIDS monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of the participating wireless devices.

Wi-Fi Security Auditing Tool

There are several tools that can use defenders to audit, troubleshoot, detect, prevent intrusions, mitigate threats, detect rogue, protect against day-zero threats, investigate incidents (forensics) and create compliance reports helping to protect wireless networks. Tools like:

  • AirMagnet Wi-Fi Analyser
  • Motorola’s AirDefens Service Platform (ADSP)
  • Cisco Adaptive Wireless IPS
  • Aruba RFProtect

In addition, SANS has a whitepaper with the tittle Wireless Network Audits using Open Source tools.


Multiple techniques and practices can be tacking to prevent attacks on wireless networks, some of them already discussed previously such as using monitoring and auditing tools, configuring strict access control policies, following best practices and techniques and, using appropriate encryption like WPA2 and strong authentication. Some of these basic techniques are:

  • Access point scanning
  • Change default parameters
  • Disable remote login for wireless devices
  • Wireless IPS deployment
  • Configuring WPA2 with AES for data protection
  • Choose strong passwords
  • RF scanning
  • MAC filtering
  • Disable SSID broadcast
  • Update software and patches
  • Blocking rogue access points
  • Per-packet authentication
  • Strong authentication
  • Enable firewall protection
  • Network management software
CEH (XVII): Hacking Wireless Networks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.