Knowledge Base - WiFi
Deauthentication Frames Explained
Deauthentication frames, or “deauth” frames for short, are an infamous part of the WiFi protocol (802.11) and play a role in many types of attacks on wireless infrastructure. They have the important and legitimate use case of actively disconnecting stations from networks, but they can also be easily abused because they are almost always unencrypted and easily spoofed or crafted.
Deauthentication Attacks Explained
A WiFi deauthentication attack, or "deauth" attack for short, can be destructive by itself or be part of a larger malicious campaign. Luckily, there are ways to detect such attacks, even if this is not always easy.
Monitoring Probe Request SSIDs
Probe requests are frames sent by WiFi devices to discover nearby networks. When a device isn't connected to WiFi, it periodically sends these requests, containing its MAC address and sometimes a preferred network's name (SSID). Nearby access points respond, helping the device identify and connect to networks. In certain situations, monitoring probe requests can help prevent privacy issues and data leaks.
Monitoring SSIDs (Networks) in Range
Monitoring SSIDs (wireless network names) in range provides situational awareness, allowing you to manually verify that no potentially malicious networks are nearby—especially those that similar-sounding or restricted SSID monitoring might miss. It also enables you to detect new, unexpected networks, such as a printer automatically starting its own network for device adoption, or unauthorized mobile hotspots which could introduce vulnerabilities without your knowledge.
What are random MAC addresses?
Modern WiFi devices randomize their MAC address when probing for available networks. This method drastically enhances privacy but brings some challenges to WiFi security operations. Learn more about how to account for randomized MAC addresses in your traffic analysis techniques.