Mastering Kali Linux Wireless Pentesting

By : Brian Sak, Jilumudi Raghu Ram
Overview of this book

Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It gives access to a large collection of security-related tools for professional security testing - some of the major ones being Nmap, Aircrack-ng, Wireshark, and Metasploit. This book will take you on a journey where you will learn to master advanced tools and techniques to conduct wireless penetration testing with Kali Linux. You will begin by gaining an understanding of setting up and optimizing your penetration testing environment for wireless assessments. Then, the book will take you through a typical assessment from reconnaissance, information gathering, and scanning the network through exploitation and data extraction from your target. You will get to know various ways to compromise the wireless network using browser exploits, vulnerabilities in firmware, web-based attacks, client-side exploits, and many other hacking methods. You will also discover how to crack wireless networks with speed, perform man-in-the-middle and DOS attacks, and use Raspberry Pi and Android to expand your assessment methodology. By the end of this book, you will have mastered using Kali Linux for wireless security assessments and become a more effective penetration tester and consultant.

Wireless standards


The Wi-Fi Alliance (www.wi-fi.org) is an organization that supports and certifies wireless technologies to ensure interoperability between vendors, and it has been instrumental in bringing Wi-Fi to homes and businesses around the world. Early implementations of wireless technologies for network communications were hampered by interoperability issues and conflicting implementations because the IEEE did not have the testing equipment to ensure compliance with its standards. This led to the creation of the Wireless Ethernet Compatibility Alliance, or WECA, which promoted a new higher-speed standard for wireless communication that ultimately became 802.11b. WECA was rebranded in 2002 as the Wi-Fi Alliance, which continues to validate and certify wireless technologies to this day in order to ensure interoperability and promote standards in the industry.

Today, wireless networking technologies used to implement WLANs (Wireless Local Area Networks) are organized under the IEEE 802.11 specifications. They are an alphabet soup of protocols that define the frequencies, transmission rates, bandwidth, and modulation of the wireless communications. The following is a list of the protocols we will be focusing on in this book and those that are the most relevant to wireless security professionals:

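| Protocol | Frequency | Bandwidth | Maximum data rate | Modulation |
|----------|-----------|-----------|-------------------|------------|
| 802.11b | 2.4 GHz | 22 MHz | 11 Mbps | DSSS |
| 802.11a | 5 GHz | 20 MHz | 54 Mbps | OFDM |
| 802.11g | 2.4 GHz | 20 MHz | 54 Mbps | OFDM |
| 802.11n | 2.4 or 5 GHz | 20 or 40 MHz | 150 Mbps | OFDM |
| 802.11ac | 5 GHz | 20, 40, 80, or 160 MHz | 866.7 Mbps | OFDM |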

In the preceding table, DSSS indicates Direct-Sequence Spread Spectrum, and OFDM is Orthogonal Frequency-Division Multiplexing. These technologies refer to how the radio allocates the bandwidth to transmit the data over the air. Again, a big thanks to wireless engineers for incorporating this complexity into a standard so that we don't necessarily need to know exactly how this works in order to send and receive packets wirelessly.

As we get into wirelessly capturing packets from the air, the concept of channels will come into play. The term channel refers to a specific frequency within either the 2.4 GHz or 5 GHz frequency spectrum that the wireless radios on the access point and the client have either negotiated or been told to use for the communication of the data between them. This is similar to the channel on your television set—think analog here—where the station transmits at a specific frequency and the television is configured to receive that specific frequency by you tuning it to a specific channel. If both sides are configured to talk on the same channel, then the communication between the two devices can proceed. A side note: there is an entirely tangential discussion we could launch into here about the channel selection, co-channel interference, and channel design, but for the purposes of this discussion, we will focus on the channels available in each range and the frequency on which they run. This is explained in detail in the next section.

The 2.4 GHz spectrum

The 2.4 GHz spectrum is commonly used for wireless deployments due to its range and support for many common Wi-Fi protocols, such as 802.11b, g, and n. You will typically find it used either exclusively in your target network or as a co-resident with the 5 GHz spectrum in dual-mode access points. The following table lists the channels and associated frequencies that you will encounter when you conduct your wireless penetration test. We will be using these channel numbers in the subsequent chapters as we set up our captures and define channels for our virtual access points.

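| Channel | Frequency (MHz) |
|---------|-----------------|
| 1 | 2412 |
| 2 | 2417 |
| 3 | 2422 |
| 4 | 2427 |
| 5 | 2432 |
| 6 | 2437 |
| 7 | 2442 |
| 8 | 2447 |
| 9 | 2452 |
| 10 | 2457 |
| 11 | 2462 |
| 12 | 2467 |
| 13 | 2472 |
| 14 | 2484 |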

In North America, only channels 1-11 are used, while in most of the world, channels 1-13 are used. Channel 14 is only used in Japan under the 802.11b protocol. These same channels apply whether your wireless interface is using 802.11b, 802.11g, or 802.11n. In the next chapter, when we look at wireless scanning, you will be able to see which channel the access point and client are communicating on using the airmon-ng application. You will then select one of these channels specifically when you want to capture the traffic being sent between the wireless devices.

The 5 GHz spectrum

The 5 GHz spectrum is massive and varies widely in its implementation depending on which part of the world it is operating in. Fundamentally, it ranges between Channel 36 at 5180 MHz and Channel 165 at 5825 MHz; however, some parts of the world use frequencies ranging down to 4915 MHz, and channels range from 7 to 196. The most common channels and frequencies are represented in the following table. However, you should reference the standards that are in use in your geography before conducting a wireless security assessment as the range might be expanded in your area.

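| Channel | Frequency (MHz) |
|---------|-----------------|
| 36 | 5180 |
| 40 | 5200 |
| 44 | 5220 |
| 48 | 5240 |
| 52 | 5260 |
| 56 | 5280 |
| 60 | 5300 |
| 64 | 5320 |
| 100 | 5500 |
| 104 | 5520 |
| 108 | 5540 |
| 112 | 5560 |
| 116 | 5580 |
| 132 | 5660 |
| 136 | 5680 |
| 140 | 5700 |
| 149 | 5745 |
| 153 | 5765 |
| 157 | 5785 |
| 161 | 5805 |
| 165 | 5825 |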

The same principles come into play when you are capturing the traffic from the 802.11a or 802.11n networks running at 5 GHz, as they do at 2.4 GHz. The tools provided by Kali will let you specify the frequency your wireless adapter is listening on by the associated channel number. You will identify the channel that the client and access point are communicating over and then set up your capture accordingly.
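The channel tables in this section follow simple arithmetic, which the added example below (not code from the book) uses to convert between channel numbers and frequencies and to flag 2.4 GHz channels outside the regional sets described in the text. It generalizes beyond the listed rows; the function names, the region keys, the sample frequencies, and the 4.9 GHz numbering rule (4000 + 5 × channel, consistent with the 4915 MHz figure mentioned above) are assumptions of this example.

```python
# Added example, not from the book. Formulas reproduce the channel tables above.
REGION_24GHZ = {
    "north_america": range(1, 12),  # channels 1-11
    "most_of_world": range(1, 14),  # channels 1-13
    "japan_802.11b": range(1, 15),  # channel 14 is Japan/802.11b only
}

def channel_to_mhz(channel, band):
    """Centre frequency (MHz) of a channel; band is '2.4' or '5'."""
    if band == "2.4" and channel == 14:
        return 2484                   # the one irregular step in the table
    if band == "2.4" and 1 <= channel <= 13:
        return 2407 + 5 * channel     # 5 MHz spacing: ch 1 = 2412
    if band == "5" and 182 <= channel <= 196:
        return 4000 + 5 * channel     # 4.9 GHz numbering: ch 183 = 4915
    if band == "5" and 7 <= channel <= 181:
        return 5000 + 5 * channel     # ch 36 = 5180, ch 165 = 5825
    raise ValueError(f"no channel {channel} in the {band} GHz band")

def mhz_to_channel(mhz):
    """Inverse mapping: (band, channel) for a frequency a capture reports."""
    if mhz == 2484:
        return ("2.4", 14)
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return ("2.4", (mhz - 2407) // 5)
    if 4910 <= mhz <= 4980 and mhz % 5 == 0:
        return ("5", (mhz - 4000) // 5)
    if 5035 <= mhz <= 5905 and mhz % 5 == 0:
        return ("5", (mhz - 5000) // 5)
    raise ValueError(f"{mhz} MHz is not a Wi-Fi channel centre")

def triage(observed_mhz, region):
    """Map observed frequencies to channels and flag 2.4 GHz channels that
    fall outside the region's set. 5 GHz rules vary by country, so those
    rows get None rather than a verdict."""
    rows = []
    for mhz in observed_mhz:
        band, ch = mhz_to_channel(mhz)
        ok = ch in REGION_24GHZ[region] if band == "2.4" else None
        rows.append((mhz, band, ch, ok))
    return rows

# Constructed sample: frequencies as they might appear in capture metadata.
SAMPLE_MHZ = [2437, 2462, 2472, 2484, 5180, 5745]

if __name__ == "__main__":
    for row in triage(SAMPLE_MHZ, "north_america"):
        print(row)
```

The band argument matters because channel numbers are not unique across bands: channel 7 is 2442 MHz at 2.4 GHz, but a different frequency in the extended 5 GHz numbering.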