WiFi 802.11 Protocol Vulnerability.

Introduction:

It’s been a while since I wrote my last post. I was thinking about what I could do to move further towards vulnerability research, and I decided to take something from the communications field, since I started my path in networking, and combine it with something interesting.

But really, if you think about it deeply, it all started with a conversation with a nice person on LinkedIn who gave me advice on how to enter the field. He said that I should take a 1-day vulnerability (one that has no patch, or has a patch but no real PoC that proves the vulnerability) instead of looking for a 0-day, since that is a little more complex, and then, based on the 1-day, build a PoC that properly exploits the weakness.

I tried to think about what should be done when I wanted to focus on the wireless world, so I said “let’s start with WiFi”. The WiFi standard is 802.11, in all sorts of older and more advanced versions.

I looked for weaknesses in it. You would understand that this is a networking protocol that has an RFC from the IEEE standards organization, and I didn’t find anything interesting, only weaknesses related to devices and drivers that implemented 802.11, something that is actually vulnerable because of the way it was built. But that is a weakness per manufacturer/product, you understand?

I wanted something in-depth about the protocol itself.

Anyone who knows me knows that the posts I write are built as I go along, meaning that right now, while writing these first words, I am still not sure about the 802.11 protocol, but by the end of the post, you too will understand.

Bottom line: right now, I’m going to focus on the structure of the protocol and how it actually works, look at the frames that are sent over the network with Wireshark and investigate them in depth, and then we’ll jump to the attacks that exist at the WiFi level and try to understand why they work and do the magic they were supposed to do.

And finally, if there is a weakness related to it, we will analyze it and build a POC that exploits it.

As always, I am writing the post in a way that is suitable for beginners, those who know at least how to connect their mobile device to a local WiFi network without understanding how it works behind the scenes. Together we will dig deeper, and by the end of the post we will be WiFi ninjas, experts in everything related to it.

Hold on tight, beginners!

Concepts - short primer on 802.11 architecture

To see why attacks work, we need a small mental model of 802.11 and its attack surface.

PHY (Physical layer)

802.11 covers many PHYs (802.11a, b, g, n, ac, ax). This is radio stuff: modulation, channels, power and timing. PHY affects range, speed, and low-level tricks like jamming or spectrum scans.

MAC (Medium Access Control)

This is how devices find each other, join, and send frames. There are three useful frame types to know:

Management frames - these say “hello”, “who are you”, “goodbye”. Older versions of the standard did not check who sent them, which made simple attacks possible.

Control frames - tiny helpers like ACKs.

Data frames - the real data, which can be encrypted.

Security primitives in 802.11 family

WEP - very old and broken. Don’t use it.

WPA / WPA2 - added handshakes and better encryption. Most home Wi-Fi uses this.

WPA3 - newer, fixes some old problems and makes password cracking harder.

PMF (802.11w) - protects the management frames. Good to turn on.

Quick key note: the password you type is not the same as the short-lived keys used during a connection. Many attacks target the temporary keys, not the typed password.

Why the protocol gives attackers chances

Most attacks use things the standard allows or things vendors did in different ways:

  • Management frames were not protected for a long time, so attackers could fake them.
  • Handshakes are a bit fiddly. If a device handles retries badly, attackers can abuse that.
  • Phones and laptops try to be helpful: they auto-connect or remember networks. That leaks info and helps fake AP tricks.
  • Supporting old modes or fallbacks makes life easier for attackers.
  • Small bugs in how frames are reassembled or parsed can let attackers inject data.

Attacks - what they target (high level)

Below are common attack classes (protocol‑level) and the reason they succeed:

Deauthentication / Disassociation - exploits lack of protection for management frames (until PMF). Result: forced disconnects, phishing windows, forced reconnection to rogue APs.
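To make the frame-type primer and the deauthentication class concrete from the defender’s side, here is an added example (not from the original post) that decodes the 802.11 Frame Control field and counts unprotected deauth/disassoc frames per BSSID over a constructed capture; the addresses and frame bytes are made up.

```python
"""Decode 802.11 MAC headers and flag bursts of unprotected deauth/disassoc
frames. Added example, not from the post; every frame here is constructed."""
import struct
from collections import Counter

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
REASONS = {1: "unspecified", 2: "previous auth no longer valid",
           3: "STA leaving", 7: "class 3 frame from non-associated STA"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Frame Control byte 0: bits 2-3 = type, bits 4-7 = subtype; byte 1 bit 6 = Protected.
    An unprotected deauth/disassoc body starts with a little-endian reason code."""
    if len(raw) < 24:
        raise ValueError("truncated MAC header")
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    frame = {"type": TYPE_NAMES.get(ftype, "reserved"),
             "subtype": MGMT_SUBTYPES.get(subtype, subtype) if ftype == 0 else subtype,
             "protected": bool(fc1 & 0x40),
             "addr1": mac(raw[4:10]), "addr2": mac(raw[10:16]), "bssid": mac(raw[16:22])}
    # A PMF-protected body is encrypted, so the reason code is only read when it is plaintext.
    if frame["subtype"] in ("deauth", "disassoc") and not frame["protected"] and len(raw) >= 26:
        code = struct.unpack_from("<H", raw, 24)[0]
        frame["reason"] = REASONS.get(code, f"code {code}")
    return frame

def flag_deauth_bursts(frames, threshold=5):
    """Count unprotected deauth/disassoc per BSSID. With PMF (802.11w) a real AP's unicast
    deauths carry the Protected bit, so a burst without it is suspicious (add a time window in production)."""
    hits = Counter(f["bssid"] for f in frames if f["type"] == "mgmt"
                   and f["subtype"] in ("deauth", "disassoc") and not f["protected"])
    return {bssid: n for bssid, n in hits.items() if n >= threshold}

# Constructed sample capture with made-up locally administered addresses.
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
def hdr(fc0, fc1, a1, a2, a3):
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

SAMPLE = [hdr(0x80, 0x00, BCAST, AP, AP),                    # beacon
          hdr(0x88, 0x42, AP, STA, AP)]                       # encrypted QoS data
SAMPLE += [hdr(0xC0, 0x00, STA, AP, AP) + b"\x07\x00"] * 6    # 6 unprotected deauths, reason 7
SAMPLE += [hdr(0xC0, 0x40, STA, AP, AP) + b"\x00" * 8]        # PMF-protected deauth, not counted

def run():
    frames = [parse_frame(f) for f in SAMPLE]
    return frames, flag_deauth_bursts(frames)
```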

Evil Twin / Rogue AP - protocol has no global mechanism to authenticate APs to clients; this allows a malicious AP to impersonate a legitimate SSID. Effective when clients auto‑connect or users are not checking certificates.

Handshake capture + offline cracking (4‑way / PMKID) - capturing handshake material permits offline brute‑forcing of weak PSKs. Works because PSKs of low entropy are brute‑forceable offline.

Key reinstallation (KRACK class) - manipulating retransmissions/reinstallations of session keys can cause nonce reuse, which breaks the security guarantees of stream/block modes and enables decryption or injection.
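The quick key note above (typed password versus short-lived keys), the handshake-capture class and the KRACK class all rest on the 802.11 key hierarchy. As an added example, not from the original post, this derives the PMK with PBKDF2 and a per-session PTK with the standard’s PRF; the MAC addresses and nonces are constructed, while the passphrase/SSID pair is the input of the IEEE 802.11 Annex test vector.

```python
"""Show how the typed Wi-Fi password (PSK) becomes the fixed PMK and then a
per-session PTK, following the IEEE 802.11 key hierarchy. Added example,
not from the post; MAC addresses and nonces below are constructed."""
import hashlib
import hmac

def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The same passphrase + SSID always gives the same PMK, which is why captured
    handshake material lets a low-entropy PSK be tested offline."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK (48 bytes for CCMP) = KCK(16) || KEK(16) || TK(16). The handshake nonces
    make it unique per session; reinstalling an already-used PTK and resetting its
    packet counters is the nonce reuse behind the KRACK class."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# Constructed locally administered addresses for the AP and the client.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")

def demo():
    pmk = derive_pmk("password", "IEEE")   # IEEE 802.11 Annex test-vector inputs
    anonce1, anonce2 = bytes([0x11]) * 32, bytes([0x22]) * 32   # constructed nonces
    snonce = bytes([0x33]) * 32
    ptk1 = derive_ptk(pmk, AP_MAC, STA_MAC, anonce1, snonce)
    ptk2 = derive_ptk(pmk, AP_MAC, STA_MAC, anonce2, snonce)
    return pmk, ptk1, ptk2

if __name__ == "__main__":
    pmk, ptk1, ptk2 = demo()
    print("PMK :", pmk.hex())
    print("TK 1:", ptk1["TK"].hex())
    print("TK 2:", ptk2["TK"].hex(), "(new ANonce, new session key)")
```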

WPS / PIN attacks - WPS provides an external protocol that can be weaker than WPA; broken flows (or poorly implemented ones) can yield credentials quickly.

Fragmentation / aggregation weaknesses (FragAttacks and related) - protocol assumptions about reassembly and processing order combined with implementation bugs can let attackers inject or modify payloads.

Tools people use and what they do

A short list of widely referenced tools and platforms used by researchers to observe and reason about Wi‑Fi, plus a non‑exhaustive note about Raspberry Pi as a platform.

Kismet - listens quietly and maps what Wi-Fi is around you.

Airgeddon - a toolkit that ties tools together for auditing workflows.

Aircrack-ng family - used for captures and offline testing in labs.

Bettercap - shows what an attacker could do after they have link access.

Hostapd / CoovaChilli - let you emulate APs and captive portals for lab tests.

Raspberry Pi - cheap tiny computer to run experiments. The Pi is the brain; pick a proper radio for the air side.

At the end of the day, everyone has a small set of scripts and sniffers they love. The trick is knowing how to read the data. Tools are neutral. Learn them to defend, not to cause trouble.

This post is licensed under CC BY 4.0 by the author.