7.1 Wireless Concepts and Standards
Key Takeaways
- IEEE 802.11 amendments evolved from 802.11a/b/g to 802.11n (Wi-Fi 4), 802.11ac (Wi-Fi 5), and 802.11ax (Wi-Fi 6/6E), increasing speed and spectral efficiency
- The 2.4 GHz band offers longer range but more interference and only three non-overlapping channels (1, 6, 11), while 5 GHz offers more channels and less interference at shorter range
- An SSID is the human-readable network name; the BSSID is the access point radio's 48-bit MAC address that uniquely identifies a basic service set
- Wi-Fi authentication modes range from Open (no auth) to PSK (shared passphrase) to Enterprise/802.1X (per-user credentials via a RADIUS server)
- A wireless frame is one of three types: management (beacons, probes, auth, deauth), control (RTS/CTS, ACK), or data — management frames are the basis of many attacks
Why Wireless Concepts Matter for the CEH Exam
Wireless Network Hacking is roughly 5% of the CEH v13 blueprint, but its vocabulary bleeds into the sniffing, network, and IoT modules, so the payoff is larger than the weighting suggests. Most wireless questions are won or lost on precise definitions: confusing an SSID with a BSSID, or mixing up an authentication mode with an encryption cipher. This section builds the terminology that the attack (7.3) and defense (7.4) sections depend on. Treat everything here as defensive, authorized knowledge — CEH teaches how attacks work so you can detect and stop them on networks you are permitted to test.
The IEEE 802.11 Standard Family
IEEE 802.11 is the family of standards governing wireless local area networks (WLANs). Each amendment improves throughput, range, or spectral efficiency, and the Wi-Fi Alliance markets them with simpler generation names. Wireless uses the same OSI layer 1 (physical/radio) and layer 2 (MAC) concepts as Ethernet, but the shared, unbounded RF medium is what makes it attackable from a parking lot.
| Amendment | Wi-Fi name | Band(s) | Typical max PHY rate | Key feature |
|---|---|---|---|---|
| 802.11b | (legacy) | 2.4 GHz | 11 Mbps | Long range, heavy interference |
| 802.11a | (legacy) | 5 GHz | 54 Mbps | Less interference, shorter range |
| 802.11g | (legacy) | 2.4 GHz | 54 Mbps | Backward compatible with b |
| 802.11n | Wi-Fi 4 | 2.4/5 GHz | 600 Mbps | Introduced MIMO |
| 802.11ac | Wi-Fi 5 | 5 GHz | ~3.5 Gbps | Wider channels, MU-MIMO |
| 802.11ax | Wi-Fi 6/6E | 2.4/5/6 GHz | ~9.6 Gbps | OFDMA; 6E adds the 6 GHz band |
Frequency Bands and Channels
The 2.4 GHz band penetrates walls well and reaches farther, but it is crowded (Bluetooth, microwaves, cordless phones) and offers only three non-overlapping 20 MHz channels in most regions: 1, 6, and 11. The 5 GHz band provides far more non-overlapping channels and less interference at the cost of range. Wi-Fi 6E opens the 6 GHz band — clean spectrum reserved for newer hardware. For an attacker, the band and channel matter because a capture or deauthentication tool must be tuned to the exact channel the target AP uses.
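As an added worked example (not from the original text), the following Python derives the non-overlapping channel plan from the center-frequency spacing instead of asserting it, and generalises to 5 GHz channel numbers, where 20 MHz channels are numbered four apart and so never overlap. The 22 MHz default is the 802.11b DSSS channel width from which the 1/6/11 plan originates.

```python
# Added example, not the page's code: derive non-overlapping Wi-Fi channels from center spacing.
def center_mhz(channel: int) -> int:
    """Center frequency: 2.4 GHz channels 1-13 start at 2412 MHz in 5 MHz steps,
    channel 14 sits at 2484 MHz, and 5 GHz channels are 5000 + 5 * n MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unknown Wi-Fi channel number: {channel}")

def overlaps(a: int, b: int, width_mhz: int) -> bool:
    """Two channels of the same width overlap when their centers are closer than that width."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz

def non_overlapping_set(channels, width_mhz: int = 22):
    """Greedy plan: keep each channel (in order) that clears every channel already kept.
    22 MHz is the 802.11b DSSS channel width that the classic 1/6/11 plan comes from."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, kept, width_mhz) for kept in chosen):
            chosen.append(ch)
    return chosen
```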
SSID, BSSID, and ESSID
Three identifiers anchor every wireless question:
- SSID (Service Set Identifier): the human-readable network name, such as CorpWiFi. It is not a security control — a "hidden" SSID is still recoverable from client probe requests and association frames.
- BSSID (Basic Service Set Identifier): the 48-bit MAC address of the access point (AP) radio. It uniquely identifies one basic service set (BSS).
- ESSID / ESS: an extended service set is multiple APs sharing one SSID to enable roaming across a building. Several distinct BSSIDs can advertise the same SSID.
This distinction is load-bearing: evil-twin and rogue-AP attacks copy the SSID (and often spoof a BSSID) to impersonate a trusted network, so a defender must compare observed SSID/BSSID pairs against an authorized inventory.
The Three 802.11 Frame Types
Every 802.11 transmission is one of three frame types. Knowing which type an attack abuses is a frequent exam discriminator.
| Frame type | Examples | Why it matters to attackers/defenders |
|---|---|---|
| Management | Beacon, Probe Request/Response, Authentication, Association, Deauthentication/Disassociation | Unprotected by default (pre-802.11w) — basis of deauth DoS, evil twins, SSID discovery |
| Control | RTS, CTS, ACK | Coordinate medium access; abused in some DoS/jamming scenarios |
| Data | Encrypted user payload | The traffic WEP/WPA2/WPA3 actually protects |
Beacon frames are broadcast by the AP ~10 times per second and announce the SSID, supported rates, and capabilities. Probe requests are sent by clients looking for known networks — they leak the names of every saved network a device is searching for, which an evil twin can exploit.
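The frame-type distinction above and the SSID/BSSID inventory comparison from the previous section can both be exercised in code. The following Python is an added example, not code from the original text: it decodes the frame control field of raw 802.11 frames, pulls the SSID out of beacons, and flags beacons whose SSID/BSSID pair is not in an authorized inventory as well as deauthentication/disassociation frames. All MAC addresses, the inventory and the sample frames are constructed for the example, and frames are assumed to carry no radiotap header.

```python
# Added example, not the page's code: 802.11 frame classifier plus SSID/BSSID inventory check.
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}

def parse_ssid(ies: bytes):
    """Walk the tagged parameters (ID, length, value); tag 0 carries the SSID."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None

def parse_frame(raw: bytes) -> dict:
    """Frame control byte 0: bits 2-3 give the type, bits 4-7 the subtype."""
    fc = raw[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype}
    if ftype == 0:  # management header: addr1 = DA, addr2 = SA, addr3 = BSSID
        info["name"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        info["da"], info["bssid"] = raw[4:10].hex(":"), raw[16:22].hex(":")
        if subtype == 8:  # beacon body: 8B timestamp + 2B interval + 2B capability, then IEs
            info["ssid"] = parse_ssid(raw[36:])
    return info

def build_beacon(bssid: bytes, ssid: str) -> bytes:
    hdr = bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\0\0"  # FC, duration, addrs, seq
    body = b"\0" * 8 + b"\x64\x00\x11\x04"  # timestamp, beacon interval 100 TU, capability info
    return hdr + body + bytes([0, len(ssid)]) + ssid.encode()

def build_deauth(client: bytes, bssid: bytes) -> bytes:
    hdr = bytes([0xC0, 0, 0, 0]) + client + bssid + bssid + b"\0\0"
    return hdr + b"\x07\x00"  # reason code 7: class 3 frame from non-associated station

def audit(frames, authorized):
    """Flag beacons whose (SSID, BSSID) pair is outside the inventory, and any deauth/disassoc."""
    findings = []
    for f in map(parse_frame, frames):
        if f.get("name") == "beacon" and (f["ssid"], f["bssid"]) not in authorized:
            findings.append(("unknown-ap", f["ssid"], f["bssid"]))
        elif f.get("name") in ("deauthentication", "disassociation"):
            findings.append((f["name"], f["da"], f["bssid"]))
    return findings

AUTHORIZED = {("CorpWiFi", "00:11:22:33:44:55")}  # constructed inventory of approved SSID/BSSID pairs
SAMPLE = [build_beacon(bytes.fromhex("001122334455"), "CorpWiFi"),  # constructed: legitimate AP
          build_beacon(bytes.fromhex("deadbeef0001"), "CorpWiFi"),  # constructed: same SSID, foreign BSSID
          build_deauth(bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"))]  # constructed
```

Running `audit(SAMPLE, AUTHORIZED)` reports the second beacon as an unknown AP advertising the trusted SSID and the deauthentication frame aimed at the client; real frames from a monitor-mode capture (radiotap stripped) can be passed in place of `SAMPLE`.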
Wireless Authentication Modes
Authentication mode controls who may join. It is independent of the encryption cipher, which protects data in transit (covered in 7.2).
| Mode | How identity is proven | Key management | Typical use |
|---|---|---|---|
| Open | None | No encryption (or OWE) | Public hotspots, captive portals |
| Pre-Shared Key (PSK) | One shared passphrase for all | Passphrase derives the keys | Home, small office (WPA2/WPA3-Personal) |
| Enterprise / 802.1X | Per-user credentials or certificate | Per-session keys after EAP auth | Corporate WPA2/WPA3-Enterprise |
IEEE 802.1X is a port-based network access control framework. The client (supplicant) authenticates through the AP (authenticator) to a back-end RADIUS server using an EAP method such as EAP-TLS. Because every user holds unique credentials, a compromised account is revoked centrally without re-keying the whole network — the key advantage over PSK.
Exam Tip
When a question contrasts "WPA2-Personal" with "WPA2-Enterprise," the differentiator is the authentication mode (PSK vs 802.1X/RADIUS), not the cipher — both use AES-CCMP.
Wireless Components and Topologies
A few more terms appear in scenario questions:
- Access Point (AP): the bridge between the wireless and wired LAN; it sends beacons and relays client traffic.
- Station (STA): any wireless client — laptop, phone, IoT device.
- Wireless NIC / adapter: the client radio; an attacker's adapter must support monitor mode and packet injection to capture and inject frames (not all consumer chipsets do).
- Wireless controller (WLC): centrally manages many APs in enterprise deployments.
- Hotspot / captive portal: an open network that intercepts the first HTTP request to force a login or terms page; common at hotels and airports and a frequent evil-twin lure.
Topologies also matter: infrastructure mode routes all traffic through an AP, while ad-hoc (IBSS) lets stations talk peer-to-peer with no AP. Wi-Fi Direct is a modern peer-to-peer variant. Most enterprise networks use infrastructure mode, so a station-to-station data flow with no AP is a red flag for ad-hoc or a misbehaving device. Understanding these components clarifies where each attack in 7.3 inserts itself — an evil twin impersonates the AP, a deauth flood targets the station-to-AP management channel, and a monitor-mode adapter is the attacker's listening post.
A CEH candidate sees three access points in different parts of a building all advertising the network name "CampusNet" but each reporting a different MAC address. Which statement is correct?
Which 802.11 frame type includes deauthentication frames that, in pre-WPA3 networks, an attacker can forge to knock clients offline?
Which statement best describes the practical difference between WPA2-Personal and WPA2-Enterprise?