The Physical Layer: Radio at 2.4GHz and 5GHz

WiFi operates on two primary frequency bands: 2.4 GHz and 5 GHz. Some newer hardware also supports 6 GHz (WiFi 6E and WiFi 7).

The 2.4 GHz band spans 2.4–2.4835 GHz and is broken into 13 overlapping channels (in most countries), each 20 MHz wide. Only 3 channels don't overlap: 1, 6, and 11. This band penetrates walls and objects better but is crowded with interference from microwaves, Bluetooth devices, cordless phones, and neighboring WiFi networks.

The 5 GHz band offers many more non-overlapping channels (typically 25+ in the US) and provides faster data rates with less interference. However, it has shorter range and is absorbed more readily by walls and floors.

SSID, BSSID, and Access Points

Every WiFi network has an SSID (Service Set Identifier) — the network name you see when you scan for networks on your phone or laptop. SSIDs can be up to 32 characters and are transmitted in plain text in management frames, which is why attackers can sniff them without joining the network.

The BSSID (Basic Service Set Identifier) is the MAC address of the specific access point radio broadcasting the network. If you have three access points all broadcasting "Office_Network," each has a different BSSID but the same SSID. Client devices use the BSSID to tell these APs apart and choose which one to associate with, typically the one with the strongest signal.

How Devices Connect to a Network

When your device joins a WiFi network, it goes through a multi-step handshake with the access point:

  1. Scanning: Your device actively sends probe requests on each channel asking for specific SSIDs, or passively listens for beacon frames broadcast by APs.
  2. Authentication: Your device sends an authentication request to the AP. In open networks, this is just an empty exchange. In secured networks, this initiates the key exchange.
  3. Association: Your device sends an association request specifying supported data rates and security capabilities. The AP responds with an association ID.
  4. Key Exchange (WPA/WPA2/WPA3): If using a secured network, the 4-way handshake occurs — a cryptographic exchange that establishes the session key used to encrypt all subsequent traffic.

WiFi Frames: The Structure of Wireless Communication

Everything sent over WiFi is packaged into 802.11 frames. There are three main types:

  • Management Frames: Control network membership — beacon frames, probe requests/responses, authentication frames, association requests/responses. These are sent unencrypted even on secured networks.
  • Control Frames: Facilitate frame delivery — ACK frames, RTS/CTS (Request to Send / Clear to Send) used for channel contention.
  • Data Frames: Carry actual user data. When you browse the web over WiFi, your HTTP traffic travels inside data frames, encrypted using the session key established in the 4-way handshake.

Each frame contains:

  • A Frame Control field specifying the frame type and subtype
  • Duration/Connection ID
  • Address fields (up to 4 MAC addresses: destination, source, BSSID, receiver)
  • A Sequence Control field for deduplication
  • A Frame Body containing the payload
  • A Frame Check Sequence (FCS) — a CRC-32 checksum for error detection
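The header layout above, the plaintext SSID in beacon frames, and the BSSID sitting in the third address field can all be checked with a small decoder. This is an added example, not code from the original page: it parses a constructed beacon frame (the `build_beacon` helper and its MAC address are made up for the demo), pulls out the Frame Control type/subtype, addresses, sequence number and SSID, and verifies the trailing FCS as a CRC-32 over everything before it.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 11: "authentication", 12: "deauthentication"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_80211(frame):
    """Decode the MAC header (and the SSID of a beacon) and check the trailing FCS."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    fc, _duration = struct.unpack("<HH", body[:4])           # Frame Control, Duration/ID
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    seq_ctl = struct.unpack("<H", body[22:24])[0]             # Sequence Control
    info = {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, subtype) if ftype == 0 else subtype,
        "addr1": mac_str(body[4:10]),     # receiver (broadcast for a beacon)
        "addr2": mac_str(body[10:16]),    # transmitter
        "addr3": mac_str(body[16:22]),    # BSSID for beacons
        "fragment": seq_ctl & 0xF, "sequence": seq_ctl >> 4,
        "protected": bool(flags & 0x40),  # Protected Frame bit; never set on management frames
        "fcs_ok": zlib.crc32(body) == fcs,  # FCS is CRC-32 over the whole frame before it
    }
    offset = 30 if (flags & 0x3) == 0x3 else 24  # 4th address only when ToDS and FromDS are both set
    if ftype == 0 and subtype == 8:  # beacon: 12 bytes of fixed fields, then tagged IEs; SSID is tag 0
        ies = body[offset + 12:]
        while len(ies) >= 2:
            tag, length = ies[0], ies[1]
            if tag == 0:
                info["ssid"] = ies[2:2 + length].decode("utf-8", "replace")
                break
            ies = ies[2 + length:]
    return info

def build_beacon(bssid, ssid, seq):
    """Constructed sample beacon (not a capture): broadcast receiver, BSSID as transmitter and addr3."""
    fc = (0 << 2) | (8 << 4)                                   # type 0 (management), subtype 8 (beacon)
    hdr = struct.pack("<HH", fc, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)                # timestamp, beacon interval, capability
    body = hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()
    return body + struct.pack("<I", zlib.crc32(body))
```

Feeding a real capture into `parse_80211` needs the radiotap header stripped first and the FCS actually present in the capture.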

802.11 Standards: From a to ax (and beyond)

The 802.11 family has evolved significantly:

  • 802.11a (1999): First mainstream OFDM-based standard. 5 GHz, up to 54 Mbps.
  • 802.11b (1999): 2.4 GHz, up to 11 Mbps. Cheaper to implement, became dominant.
  • 802.11g (2003): 2.4 GHz, up to 54 Mbps. Backward-compatible with 802.11b. Merged the best of a and b.
  • 802.11n (WiFi 4, 2009): Introduced MIMO (Multiple Input, Multiple Output) and channel bonding. 2.4/5 GHz, up to 600 Mbps.
  • 802.11ac (WiFi 5, 2013): 5 GHz only, MU-MIMO (multi-user MIMO), wider channels (80 MHz, 160 MHz), up to 6.9 Gbps.
  • 802.11ax (WiFi 6, 2019): OFDMA (orthogonal frequency-division multiple access) for better efficiency in dense environments. 2.4/5/6 GHz, up to 9.6 Gbps. Better battery life for IoT via TWT (Target Wake Time).
  • 802.11be (WiFi 7, ongoing): Extremely High Throughput (EHT). 320 MHz channels, Multi-Link Operation (MLO) — simultaneous use of multiple bands.

Encryption and Security

WiFi security has evolved through several generations:

  • WEP (Wired Equivalent Privacy): Introduced with 802.11b. Uses RC4 stream cipher with a 24-bit IV. Fundamentally broken — can be cracked in minutes. Do not use.
  • WPA (WiFi Protected Access): Interim fix for WEP. Uses TKIP (Temporal Key Integrity Protocol) with RC4. Also has weaknesses but significantly better than WEP.
  • WPA2 (WiFi Protected Access II): The standard from 2004. Uses AES-CCMP (AES Counter Mode CBC-MAC Protocol). Still considered secure unless a weak password is used (enabling brute-force or dictionary attacks via the 4-way handshake).
  • WPA3 (2018): Mandatory PMF (Protected Management Frames), SAE (Simultaneous Authentication of Equals) for password-based networks — resistant to offline dictionary attacks. Still vulnerable to implementation-specific issues and some known attacks like Dragonblood.

The 4-Way Handshake

The 4-way handshake is the critical cryptographic exchange that establishes a session key between a client and an AP. It's designed so that even an attacker who captures all four messages cannot derive the session key. Here's how it works:

  1. AP to Client: AP sends a random number (ANonce).
  2. Client to AP: Client generates its own random number (SNonce), derives the session key (PTK), and sends SNonce along with a MIC (Message Integrity Code) of the first two messages.
  3. AP to Client: AP derives the same PTK, verifies the MIC, and sends a confirmation (Key Replay Counter).
  4. Client to AP: Client installs the encryption keys and sends a final confirmation.
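The first two messages of the handshake, as an added example that is not part of the original page: both sides derive the PTK from the shared PMK, the two MAC addresses and the two nonces using the 802.11i PRF, and the AP accepts message 2 only if the client's MIC (HMAC-SHA1 under the KCK, truncated to 16 bytes, as WPA2-CCMP uses) verifies. The PMK, nonces and EAPOL-Key body here are constructed stand-ins; in a PSK network the PMK is derived from the passphrase and SSID.

```python
import hmac
import hashlib

def prf(pmk, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(pmk, label || 0x00 || data || i) for i = 0, 1, ... until nbytes."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA, SPA) || min/max(ANonce, SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)      # CCMP: KCK || KEK || TK, 16 bytes each
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP Key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), first 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def run_handshake(pmk_ap, pmk_client, aa, spa):
    """Messages 1 and 2; returns True when the AP verifies the client's MIC."""
    anonce = bytes(range(32))                 # constructed; real nonces are random
    snonce = bytes(range(32, 64))
    # Message 1 (AP -> client): ANonce. The client now holds everything needed for its PTK.
    client_ptk = derive_ptk(pmk_client, aa, spa, anonce, snonce)
    # Message 2 (client -> AP): SNonce plus a MIC computed under the client's KCK.
    # Constructed stand-in for the EAPOL-Key body: descriptor bytes, SNonce, zeroed MIC field.
    msg2_body = b"\x02\x03" + snonce + b"\x00" * 16
    mic = eapol_mic(client_ptk["kck"], msg2_body)
    # AP side: derive the PTK from its own PMK and the same two nonces, then check the MIC.
    # Without the PMK, an observer holding both nonces cannot reproduce the KCK or the MIC.
    ap_ptk = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ap_ptk["kck"], msg2_body), mic)
```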

Attackers capture the handshake to perform offline dictionary attacks on the password. Tools like aircrack-ng and hashcat can crack weak passwords from captured handshakes.

Why This Matters for Security

Understanding WiFi at this level is a prerequisite to understanding the attacks. When you run aireplay-ng to deauth a client, you're sending forged management frames. When you capture a 4-way handshake with Wireshark, you're intercepting the cryptographic handshake. When you perform an Evil Twin attack, you're impersonating an AP by transmitting beacon frames and responding to association requests with your own BSSID.

Every attack is an exploitation of some aspect of how WiFi was designed to work. The protocol was built on the assumption that the physical medium (radio waves) was difficult to intercept — an assumption that stopped being true the moment software-defined radios became affordable.