Intro


Wi-Fi is the name of a popular wireless networking technology that uses radio waves to provide wireless high-speed internet and network connections. A common misconception is that the term Wi-Fi is short for "wireless fidelity", but this is not the case. Wi-Fi is simply a phrase trademarked by the Wi-Fi Alliance that refers to IEEE 802.11x.





Modes of WiFi

In the 802.11x protocol, each device can be in one of 6 modes.

Master mode

This is the mode you'll usually find an access point in. In this mode, the device cannot connect to an access point. It can only serve as a connection point for other devices.

Managed mode

This is the most common mode, as it is the mode used by almost every client device (laptops, smartphones, fridges, ...). Only in this mode can the device connect to an access point running in master mode. The connection between a device in master mode and a device in managed mode is by far the most common one.

Others

There are some other, less common modes as well. Most of these can appear in day-to-day use, but some are hardly ever seen.

Repeater mode

In this mode, the device will "extend" a network by taking all the packets it receives and broadcasting them again.

Ad-Hoc mode

A peer-to-peer connection. Devices are directly connected to each other. This is obviously not suitable for day-to-day use, but it is convenient for some use cases, such as ad-hoc gaming.

Mesh mode

Ad-hoc on steroids. In this mode, the devices are all connected to each other in a mesh. If one of the devices fails, the other clients are able to re-route traffic via other devices.

Monitor mode

In this mode you cannot connect to other devices, but the device can 'monitor' all the frames that are sent over the air.


What modes does my adapter support?

Bash
iw list | grep -A 8 modes:

This command lists all the modes your NIC supports.





Management frames


802.11x defines three types of frames: management frames, control frames and data frames.

Beacon frames

An access point constantly broadcasts beacon frames to advertise itself.

example.pcap


The file above is a capture made in monitor mode. This means that it captures all of the packets sent over the air during the time of capture, of all devices in range.

When we open it, it contains a large number of frames, but for now we are only interested in the 'Beacon frames'. For this we apply the following filter:


Wireshark Beacon Frame filter
wlan.fc.type_subtype == 0x08


This results in a big list of beacon frames, looking somewhat like this:



If we look at the details of a frame, we can see what data it transmits.


It tells us the SSID (network name), the supported data rates, the MAC address of the access point, the channel, the security settings, and so on.

When a client device receives this broadcast, it will check if the SSID included in this broadcast is a known network. If so, the device will automatically connect.
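To make the beacon fields above concrete, here is an added example (not part of the original page) that decodes a constructed beacon frame the way Wireshark does: it checks the frame control type/subtype (the same 0x08 numbering as the wlan.fc.type_subtype filter), then walks the tagged parameters to pull out the SSID, rates, channel and security. The frame bytes are made up, and the RSN element is cut down to its version field.

```python
import struct

# Constructed sample beacon (type 0, subtype 8) as it would appear in a
# monitor-mode capture, without the radiotap header. All values are made up.
SAMPLE_BEACON = (
    bytes.fromhex("8000")                     # frame control: type 0, subtype 8 = beacon
    + bytes.fromhex("0000")                   # duration
    + bytes.fromhex("ffffffffffff")           # addr1: broadcast destination
    + bytes.fromhex("0211aabbccdd")           # addr2: source (the access point)
    + bytes.fromhex("0211aabbccdd")           # addr3: BSSID
    + bytes.fromhex("1000")                   # sequence control
    + bytes(8)                                # timestamp
    + struct.pack("<H", 100)                  # beacon interval in TU
    + struct.pack("<H", 0x0411)               # capability info: ESS + privacy bit
    + bytes([0, 7]) + b"HomeNet"              # tag 0: SSID
    + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # tag 1: rates 1, 2, 5.5, 11 Mbps (basic)
    + bytes([3, 1, 6])                        # tag 3: DS parameter set = channel 6
    + bytes([48, 2, 0x01, 0x00])              # tag 48: RSN element, version 1 only
)


def parse_beacon(frame):
    """Return the fields a beacon advertises, or raise if it is not a beacon."""
    fc = frame[0]
    # Same numbering as Wireshark's wlan.fc.type_subtype: (type << 4) | subtype
    type_subtype = ((fc >> 2) & 0x3) << 4 | ((fc >> 4) & 0xF)
    if type_subtype != 0x08:
        raise ValueError(f"not a beacon: type_subtype=0x{type_subtype:02x}")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    interval, cap = struct.unpack_from("<HH", frame, 32)
    info = {"bssid": bssid, "interval_tu": interval, "ssid": None,
            "channel": None, "rates_mbps": [], "security": "open"}
    if cap & 0x0010:                          # privacy bit set, no RSN seen yet
        info["security"] = "WEP/WPA (no RSN)"
    pos = 36                                  # tagged parameters start here
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
        if tag == 0:                          # SSID; empty means hidden network
            info["ssid"] = value.decode("utf-8", "replace") or "<hidden>"
        elif tag == 1:                        # rates in 500 kbps units, bit 7 = basic
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in value]
        elif tag == 3 and length == 1:        # DS parameter set carries the channel
            info["channel"] = value[0]
        elif tag == 48:                       # RSN element: WPA2-style security
            info["security"] = "WPA2 (RSN)"
    return info
```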

Probe requests and responses

Similar to beacon frames, a client device may send out probe requests. In this case, the client will ask if a network is around. In this frame, an SSID is included. If an access point using said SSID receives this frame, it will respond with a probe response. This probe response includes the access point capabilities.


Now try to analyse a probe request and a probe response.


Wireshark Probe Frame filter
wlan.fc.type_subtype == 0x04 or wlan.fc.type_subtype == 0x05

Exploiting probe request/response

Probe requests can easily be exploited. The system relies on an access point responding when it receives a probe request with its SSID. However, theoretically anyone can respond to these. There are devices such as the WiFi Pineapple that have the functionality of being a "yes-sayer", meaning they respond to any probe request they receive, claiming to be the requested network when in fact they are not. Because of this, they can get any device to connect to them and perform man-in-the-middle attacks.
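A "yes-sayer" leaves a visible trace in a monitor-mode capture: one BSSID sending probe responses for many unrelated SSIDs. This added example (not part of the original page) runs that check over constructed records in the shape of a tab-separated tshark field export of wlan.fc.type_subtype, wlan.bssid and wlan.ssid; the exact field formatting and the addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample records (type_subtype, bssid, ssid), tab separated.
# Probe requests (0x04) carry the broadcast BSSID; probe responses (0x05)
# carry the responding access point's BSSID. Addresses and names are made up.
SAMPLE_RECORDS = """\
0x04\tff:ff:ff:ff:ff:ff\tHomeNet
0x05\t02:11:aa:bb:cc:dd\tHomeNet
0x05\t02:ff:00:00:00:01\tHomeNet
0x04\tff:ff:ff:ff:ff:ff\tCoffeeShop
0x05\t02:ff:00:00:00:01\tCoffeeShop
0x04\tff:ff:ff:ff:ff:ff\tAirportFree
0x05\t02:ff:00:00:00:01\tAirportFree
0x04\tff:ff:ff:ff:ff:ff\tOffice-Guest
0x05\t02:ff:00:00:00:01\tOffice-Guest
0x04\tff:ff:ff:ff:ff:ff\tHomeNet
0x05\t02:11:aa:bb:cc:dd\tHomeNet
"""

PROBE_REQUEST, PROBE_RESPONSE = 0x04, 0x05


def probe_summary(records):
    """Map each responding BSSID to the set of SSIDs it answered for."""
    answered = defaultdict(set)
    for line in records.splitlines():
        if not line.strip():
            continue
        type_subtype, bssid, ssid = line.split("\t")
        if int(type_subtype, 16) == PROBE_RESPONSE and ssid:
            answered[bssid].add(ssid)
    return answered


def find_yes_sayers(records, threshold=3):
    """Flag BSSIDs that answer under more than `threshold` distinct SSIDs.

    A real access point normally answers only for the network it serves; an
    AP hosting several networks usually uses a separate BSSID for each, so a
    single BSSID claiming many SSIDs is the signature described above.
    """
    return {bssid: sorted(ssids)
            for bssid, ssids in probe_summary(records).items()
            if len(ssids) > threshold}
```

The threshold is a tuning knob: lower it in a quiet environment, raise it where many wildcard probe requests are in the air.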


Channels


WiFi runs on radio signals. It usually runs in two frequency bands: the 2.4GHz band and the 5GHz band. For the sake of simplicity, we'll focus on the 2.4GHz band.


The 2.4GHz band is divided into 11 channels. A channel is a part of the spectrum, each having a width of 22 MHz. Because of this, all of these channels overlap, which causes interference on the network. That is why, conventionally, only 3 channels are used: channel number 1, number 6 and number 11. You'll notice on the picture below that these 3 channels do not overlap, because they are spread out.
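The overlap argument can be checked numerically. This added example (not part of the original page) uses the 2.4GHz channel centre frequencies (2407 + 5 × channel MHz for channels 1 to 13, 2484 MHz for channel 14) and the 22 MHz channel width to test which channels overlap, and then picks a non-overlapping set greedily from the lowest channel up, which yields the conventional 1, 6 and 11.

```python
CHANNEL_WIDTH_MHZ = 22


def center_mhz(channel):
    """Centre frequency of a 2.4GHz channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484          # Japan-only channel sits 12 MHz above channel 13
    raise ValueError(f"no 2.4GHz channel {channel}")


def edges_mhz(channel):
    """(lower, upper) edge of the 22 MHz wide channel."""
    c = center_mhz(channel)
    return c - CHANNEL_WIDTH_MHZ / 2, c + CHANNEL_WIDTH_MHZ / 2


def overlaps(a, b):
    """Two channels overlap when their centres are closer than one width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels):
    """Greedy pick, lowest channel first, of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def overlap_table(channels):
    """For each channel, the other channels in the list it interferes with."""
    return {ch: [o for o in channels if o != ch and overlaps(ch, o)]
            for ch in channels}
```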



5GHz channels

In 5GHz we also have channels, but there are a lot more channels without overlap (23). The reason we're not ditching 2.4GHz altogether is that 5GHz isn't great when it comes to range, especially through walls. This is why you see more and more 5GHz setups at the enterprise level, where there is an access point in each room, but not quite as many in a home setup, where there is usually only one access point in the basement.

Channel availability

In the US, only channels 1-11 are regulated. All others are not allowed. In the rest of the world, people can use channels 1-13. Only channel 14 is reserved for Japan.

Interference

The 2.4 GHz band is not only used for WiFi. It's also used by microwaves, walkie-talkies, Bluetooth... This is why it is never a good idea to put an access point on top of a microwave.