Taken from Webopedia, Wikipedia, the IEEE 802.11 standard, Data Over Wireless Networks by Gil Held (McGraw-Hill 2001), Nortel VoIP Technologies book (Nortel Press 2008), and Pearson's CCNA Wireless 200-355 Complete Video Course. Frames formats and sequence need to be updated to reflect additional security for 802.11a, 802.11g, WPA, WPA2, etc...
WiFi Specifications

  • Direct Sequence Spread Spectrum - signal spread through the use of sequence, uses more bandwidth with lower power density.
  • CSMA/CA (carrier sense multiple access/collision avoidance
  • ack packet from AP indicates packet received and checksummed correctly. if no ack, resend entire packet
  • Active Scanning - Send probe packet, wait for probe response packet from AP.
  • Passive Scanning - Listen for beacon frame from AP.
  • Authentication
  • Association - Info about station, capabilities of BSS are exchanged.
  • Roaming - moving from one cell to another without losing cnonection.
  • ISM band 2.4-2.4835GHz.  UNII band 5-6GHz.
  • Power limited to 100mW  ETSI limits DSSS power density to 20 dbW/MHz and FHSS power density to -10dbW/100kHz.
  • Speeds of each standard downshift as you get farther away from transmitting source (e.g. AP).

802.11 1997. Original std. 2.4-2.6 GHz FCC unregulated range. FHSS and DSSS and IR. Barker11. BPSK/QPSK. Up to 2 Mbps.
802.11b 1999. 2.4-2.6 GHz FCC unregulated range. FHSS and DSSS. Barker11. BPSK/QPSK/CCK. Rated at 1, 2, 5.5, and 11Mbps. Wifi Alliance certs DSSS as "wifi".  (achieved throughput is 4.3-6Mbps).  Range ~38meters depending on environment.  Uses CCK (Complementary Code Keying) as opposed to Barker Chipping Codes. Taken from Webopedia. "Not interoperable with 802.11a. Requires fewer access points than 802.11a for coverage of large areas. Offers high-speed access to data at up to 300 feet from base station. 14 channels (5MHz) available in the 2.4GHz band (only 11 of which can be used in the U.S. due to FCC regulations) with only three non-overlapping channels."  US typically uses channel 1, 6, and 11.  Consider using different channels when you have neighboring APs.  Channel is 22MHz wide with 1MHz carrier.  Each channel is 5MHz away from next channel and 22 MHz wide, which is way there are overlapping channels.  Uses DSSS.
802.11a 1999 5GHz (4.915 - 5.825) range. OFDM. BPSK/QPSK/16-QAM/64-QAM. Chan avail varies country to country. Theoretical Max bandwidth of 6,9,12,18,24,36,48,and 54Mbps.  (achieved throughput 32Mbps). Range max - Taken from Webopedia. "Eight available channels. Less potential for RF interference than 802.11b and 802.11g. Better than 802.11b at supporting multimedia voice, video and large-image applications in densely populated user environments. Relatively shorter range than 802.11b. Not interoperable with 802.11b."  Allows for 12 non-overlapping channels (not all bands available in all countries).  Can be colocated with more APs than 802.11a/g.  Uses OFDM (Orthogonal Freq Div Multiplexing) to transmit sub-signals simultaneously on diff frequencies.  
802.11g 2003. 2.4 GHz FCC unregulated range. OFDM. BPSK/QPSK/16-QAM/64-QAM. Backwards compatable with 802.11b. Theoretical max speed of 6,9,12,18,24,36,48,54Mbps. Cells are smaller than 802.11b because power is lower for OFDM.  (achieved throughput 32Mbps). OFDM.
  • To coexist b and g rts/cts (with duration) sent in b before g data frame. could also send (less clean) 'CTS to self' only. This protection good for b, not g clients drops percieved throughtput from ~23Mbps to ~8Mbps
  • In beacons: non-ERP (802.11b), in the cell yes/no, use protection yes/no
Taken from Webopedia. "Improved security enhancements over 802.11. Compatible with 802.11b. 14 channels available in the 2.4GHz band (only 11 of which can be used in the U.S. due to FCC regulations) with only three non-overlapping channels."  US typically uses channel 1, 6, and 11.  Consider using different channels when you have neighboring APs.  If used with 802.11b will slow down and use CCK modulation.  Otherwise uses Barker code.  Uses OFDM.
802.11n 2009. Focus on features not band
  • Channel Aggregation
    • 128 subcarriers (vs. 64) for 40MHz channel aggregate, 14 zero subcarriers (vs. 12) for calibration on sides and center. 6 pilot subcarriers (vs. 4) for synch and tracking. Result 108 data subcarrriers (vs. 48).
    • Cisco doesn't do channel aggregation in 2.4. not enough channels
    • only aggregate channels that aren't going to conflict with your neighbors (e.g. 46 and 40 not 40 and 44)
  • block acknowledgements
  • short guard intervals - reduce from 800ns to 400ns - affected by echos
  • mimo - send and recieve several useful signals (instead of unused echoes). Input to antenna. Output from antenna. siso - single in single out. simo - single in multi out, miso, mimo, etc. radio chain multiple radios and antennas. spatial stream. sending symbols from 1 source across multiple streams - recombine at receiving end - spacial multiplexing.
    • Transmit Beamforming (Cisco calls ClientLink - based on signal back from client) - form beams so receiving station receives all parts of mimo transmissions at same time.
    • OR Maximal Ration Combining - receiving side synch signals for stronger signal
    • up to 4 streams, in practice max is 3, most handheld devices have 1 or 2 SS, save battery
  • Spatial streams Data rate (20MHz channel, 800ns GI) Data rate (20MHz channel, 400ns GI) Data rate (40MHz channel, 800ns GI) Data rate (40MHz channel, 400ns GI)
  • now protection header bit is modulated at slow speed, rest of fram higher speed
Taken from Webopedia. An extension to 802.11 specification developed by the IEEE for wireless LAN (WLAN) technology. 802.11n builds upon previous 802.11 standards by adding multiple-input multiple-output (MIMO). The additional transmitter and receiver antennas allow for increased data throughput through spatial multiplexing and increased range by exploiting the spatial diversity (up to 4 streams) through coding schemes like Alamouti coding. The speed is 100 Mbit/s (even 250 Mbit/s in PHY level), and so up to 4-5 times faster than 802.11g. 802.11n also offers a better operating distance than current networks.
802.11ac Only on 5GHz. Up to 80 MHz or 160 MHz channels. Up to 8 spatial streams/radio circuits (hard). up to 256-QAM. Better manage the cell.
  • MU-MIMO - use unused antenna/radios to communicate with another client. downstream only
    • 160 MHz-wide channel, 8 antenna AP with MU-MIMO support - Example best case depending on stations
      • One 4-SS, 160MHz client, 3.47Gbps data rate, AT THE SAME TIME AS
      • One 2-SS, 160MHz client, 1.73Gbps data rate, AT THE SAME TIME AS
      • Two 1-SS, 160MHz client, 867 MBps data rate.
  • 256-QAM - need high quality signal and snr. only works very close. a lot of points. bbecause so many points, slow down modulation a little.
  • Protection header bit modulated at slow speed, same as 802.11n, also protects against channel width RTS on all 4 sub channels, client only responds where it can
  • Wave 1 - 80 MHz, 3 ss, no MU-MIMO, 256-QAM Optional
  • Wave 2 - 160 MHz, 4 ss, yes MU-MIMO, 256-QAM included
Taken from wikipedia. Expected multi-station throughput of at least 1 gbit/sec. Single link throughput of at least 500 mbits/sec. Wider RF bandwitdth up to 160 MHz, more MIMO spacial streams (upt o 80, downlink multi-user MIMO (up to 4 clients), hi density modulation (up to 256-QAM).
  • 80 MHz channel bandwidth, 160 MHz channel optional
  • Up to 8 spatial streams
  • 256-QAM
  • Beamforming
  • Coexistence between 802.11ac and 802.11a/n
  • 4 new fields in PPDU header identifying fram as VHT
802.11adWiGig, 60 GHz millimeter wave spectrum, 7gbit/sec. 802.11aj rebands 802.11ad for use in 45GHz unlicenseced spectrum available in some regions of world (esp China)
802.11afWhite-Fi, Super WiFi, operates in TV white space between VHF and UHF between 54 and 797mhz. uses cognitive radio tech to transmit on unused tv channels, limiting interference for regular analog/digital tv signals, wireless microphones. OFDM, based on 802.11ac. Increased range, adn can get through brick/concrete better. 5 - 8 MHz wide freq channells. up to 4 channels may be bonded. MIMO possible with up to 4 streams with either space-time block code or multi-user operation. 26.7 Mbit/s or 35.6 mbit/s. 4 spacial streams and 4 bonded channls = max data rate of 426.7 bit/s for 6 an d 7 MHz, and 568.9 Mbit/s for 8 Mhz channels
802.11ahsub 1GHz license exemt bands. improved transmission range compared to conventianal 802.11. purposes inclde large scale sensor networks, extended range hotspot, outdoor wifi for cel traffic offloading
802.11axsuccessor to 802.11ac. increase efficiency of WLAN networks. Adds 6GHz range to the 2.4GHz and 5GHz ranges already in use. Marketing type have designated that this is part of what makes WiFi 6E. Uses orthogonal frequency-division multiple access (OFDMA), which is equivalent to cellular technology applied into Wi-Fi. Better power-control methods to avoid interference with neighboring networks, higher order 1024-QAM, up-link direction added with the down-link of MIMO and MU-MIMO to further increase throughput, as well as dependability improvements of power consumption and security protocols such as Target Wake Time and WPA3

802.11e QoS standards over wireless LANs. Geered towards real-time apps like IP telpehony. 4 potential classes - voice, video, best-effort, background. Allows client to mark priority. enhances from PCF and DCF with HCCA and EDCA to define traffic categories. TCMA protocol variation on csma/ca using shorter arbitration interframe space for hi prio packets. ECDA/Transmit Op (TXOP) bounded time interval given whicha station can send as many frames as possible. TXOP time interval of 0 means single MAC svc data unit or MAC mgmt proto data unit. ECDA also has access categories (ACs). Contention window set according to AC of packet.
taken from wikipedia
- 802.1P 802.11e
Priority Priority Code Point (PCP) Acronym Traffic Type Access Category (AC) Designation
Lowest 1 BK Background AC_BK Background
0 BE Best Effort AC_BE Best Effort
2 EE Excellent Effort AC_BE Best Effort
3 CA Critical Applications AC_VI Video
4 VI Video AC_VI Video
5 VO Voice AC_VO Voice
6 IC Internetwork Control AC_VO Voice
Highest 7 NC Network Control AC_VO Voice
HCCA - multi beacon frams CP and CP. CFP is Controlled Access Phase (CAP. initiated whenever AP wants to send or receive frame contention free. Traffic Clas and Traffic Streams defined. HC can giv prio to one station over another depeending on queue information of station. Prio can also be given using TXOP.
802.11k limit scanning needs. ap can return channels for neighboring APs
802.11p wireless for car to car comms
802.11r Roaming speedup. Standard designed to speed handoffs between access points or cells in a wireless LAN. Makes sure QoS and Security are in place before transition to new AP
  • Prenegotiate QoS and Credentials on new wap before leaving old one
802.11s Standard submitted to IETF to allow for wireless mesh of WiFi networks. A wireless mesh uses a radio to interconnect the access points and route wireless packets over the best available route. Mesh benefits include potentially higher performance and more reliable nets.
802.11u hotspot 2.0 - describe how station can discover svcs - free wifi or, private, internet, can you connect me to my cell isp secure svr? automate authentication with EAP-SIM/WPA2
802.11v BSS Transition Mgmt (better than 802.11k). AAP returns list of neighbors where to roam to.
802.11w Secures mgmt frames by signing them. eliminates de-auth hacking
802.11ai faster initial link setup
802.11aq enable pre-association discovery of services. extends mechanisms in 802.11u to discover services running on a device or provided by a network

WEP Obsolete security scheme.
  • RC4 stream cipher for confidentiality
  • CRC-32 checksum for integrity.
  • 64-bit WEP uses a 40-bit key, and 24-bit initialization vector (IV). 24-bit IV is too short.
  • 128-bit WEP with 104-bit key size was put in place after US Gov export restrictions lifted. Key size turned out not to be the issue with this standard. Weak keys and related-key attacks.
  • WiFi Protected Access, (based on 802.11i draft(v4 2002)
  • RC4 stream cipher, 128-bit key, stronger (48-bit) IV.
  • 'Michael' Message Auth Code/Message Integrity Code (MIC) - as opposed to CRC for integrity.
  • TKIP - dynamically changes keys as system is used. Insures that every data packet is sent with its own unique encryption key. Can detect whether or not pkt has been damaged or altered using message-integrity check (MIC or Mikey).  Makes sure packets arrive in sequence (using sequence id (incr by one for each pkt).  When key changes, seq goes to zero).  Combined with larger IV (initialization vector), defeats key recovery attacks on WEP.
  • 802.1X or (less-secure) pre-shared key
  • Put in place because WPA2 work was taking longer then anticipated.
802.11i (published 2004)
Updated security standard. Interoperable implementations called WPA2 by Wi-Fi Alliance. Superceeds WEP and WPA which have demonstrated security weaknesses.
  • AES block cipher (block size of 128 bits, key size of 128, 192 or 256 bits)
  • CCMP Message Authentication Code
  • 802.1X
  • TKIP not recommended, but allowed. Wifi alliance says don't use.
  • PSK or 802.1x/EAP
802.1xPort-based access ctrl to the network at L2.  Users are not allows to join network until they are authenticated.  Uses one of the EAPs to authenticat.
WISPr(Wireless Internet Service Provider roaming) - allows users to roam between wireless internet service providers.
Extensible Authentication Protocol
  • LEAP - Lightweight Extensible Authentication Protocol - Cisco Special - Crackable, though Cisco claims secure if sufficiently complex passwords are used.
  • EAP-TLS - IETF open standard. Uses TLS (Transport Layer Security) with PKI to a Radius auth svr. Client-side certs needed, so can be hard to deploy.   Mostly widely supported standard.  Only weakness is that username passed from client in the clear before certs are exchanged.
    Supplicant                      Authenticator                Auth Svr
               ------EAP Start----->
               <--Identity Request--
               --Identity Response->             --------------->
               <-Server Certificate-             <---------------
               --Client Certificate->            --------------->
    	   -----Session keys---->            <---------------
    	   <----Session keys-----            <---------------
    (gen PMK)							(gen PMK)
  • EAP-MD5 - IETF open standard - MD5 hash function vulnerable to dictionary attacks. EAP does not support dynamic WEP.  Client has no way to auth svr.  Challeng string sent to client in the clear.
  • EAP-POTP - Protected One-Time Password (RFC4793) - developed by RSA Laboratories, uses one-time password (OTP) tokens to generate auth keys. Provides 2-factor user auth - user needs phys access to token and knowledge of PIN to perform authentication
  • EAP-PSK - Preshared key (RFC4764) - provides protected comm channel, when mutual auth is successful. Lightweight and extensible EAP metho does not require any public-key crtyto. 4 msg exchange
  • EAP-PWD - shared pw used for auth (RFC5931) - low entropy pw may be used and drawn from some set of possible pws like a dictionary. Underlying key exchange resistant to active / passive / dictionary attacks. Android 4.0+, freeradious, radioator servers, hostapd wpasupplicant
  • EAP-TTLS/MSCHAPv2 - Funk Software/Certicom - IETF draft open standard. Good security. PKI certs only on auth svr.
  • EAP-IKEv2 - based on Internet Key Exchange protocol v2 (RFC5106) - provides mutual auth, and session key establishemnt between peer and server. Auth techniques can be asymmetric key pairs, passwords, symmetric keys. Possible to use different credtials/techniques in each directionn.
  • EAP-FAST - replacment for LEAP, while maintaining lightweight implementation. Uses Protected Access Credential (PAC) to establish TLS tunnel in which client credentials are verified. PAC can be intercepted and compromise user credential - mitigated by manual PAC provisioning or by using server certs for provisioning phase. PAC file issued per-user
    • Phase Zero - Done in advance. Server give locked box with key inside it to client, give key outside box also. PAC contains svr id, locked key/pw, and clear key/pw
    • Phase One - Client comes back, gives locked box with pw inside it
    • Phase Two - Exchange ID Req and Resp. Client sends credentials to server. Server returns session keys.
    Supplicant                      Authenticator                Auth Svr
               ------EAP Start----->
               <--Identity Request--
               --Fake ID response-->		 
    <------Auth-ID------- <--------------- -----PAC Opaque-----> --------------->
    <--Identity Request-- ---------------> --Identity Response--> ---------------> -----Credentials-----> ---------------> <----Session keys----- <--------------- (gen PMK) (gen PMK)
  • PEAPv0/EAP-MSCHAPv2 - Cisco/Microsoft/RSA - open standard. Good Security. Similar to EAP-TTLS. Only requires server side PKI cert. Usually what people most commonly refer to as PEAP. 2nd most commonly supported form of EAP. Internet Draft.
    Supplicant                      Authenticator                Auth Svr
               ------EAP Start----->
               <--Identity Request--
               --Fake ID response-->		 
    <-Server Certificate- <--------------- -Pre-Master Certificate-> --------------->
    <--Identity Request-- ---------------> --Identity Response--> ---------------> -----Credentials-----> ---------------> <----Session keys----- <--------------- (gen PMK) (gen PMK)
  • PEAPv1/EAP-GTC - Cisco - Alternative to PEAPv0/EAP-MSCHAPv2. Uses inner auth protocol other then (Microsoft's) MSCHAPv2. Microsoft doesn't suppoort PEAPv1.
  • EAP-FASTv1 - GTC
  • EAP-SIM - auth/session key distribution using GSM SIMs.
  • EAP-AKA - auth/session key distribution using UMTS SIMs.
  • EAP-AKA-PRIME - ???auth/session key distribution using UMTS SIMs.
  • EAP-GTC - Generic Token Card (RFC2284 and RFC3748 - meant as alternative to PEAPv0/EAP-MSCHAPv2. Carries text challenge from auth server, reply generated by security token
  • EAP-EKE - Encrypted key exchange (RFC6124) - provide secure mutual auth using short passwords and no public key cert. 3-route exchange, based on DiffieHellman veriant.
IPSecUse IPSec over WLAN.  Especially ESP.

Hacking Tools

Hacking tools can listen on the air an dgain access ot the following info:
  • MAC addr of AP
  • SSID
  • Manufacturer
  • Channel is was heard on
  • WEP enabled (yes/no)
  • Signal strenth and signal strength-to-noise ratio


Types of WLAN attacks

  • Active Attacks
  • DoS
  • DDoS
  • Impersonation - use a spoofed MAC addr
  • Jamming - generate a signal strong enough so WLAN clients and APs can no longer hear each other.
  • Man-in-the-middle - Generate a stronger AP signaland users are forced to roam
  • Modification and insertion - modify packet and get CRC correct
  • Passive attacks - eavesdrop.  What isn't encrypted...?
  • Stealing bandwidth - use for access.

Wireless Protection

  • Do not connect WLAN dirctly to wired lan.  FW or security switch.
  • Use (at least) 128-bit WEB.  Basic form of auth between client and AP.  Even better WPA2.  Nortel suggests VPN (IPSec).
  • Implement MAC filters.  
  • Turn of AP's SSID broadcasting beacons and probe responses.  
  • Turn on 802.1x and EAP (preferable EAP-TTLS or some other strong EAP).
  • Set up AP to notify net admin of rogue APs.
Additional definitions Took the following list from Wikipedia - 8/29/2005.
The following standards and task groups exist within the working group:

IEEE 802.11 - The original 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and IR standard
IEEE 802.11a - 54 Mbit/s, 5 GHz standard (1999, shipping products in 2001)
IEEE 802.11b - Enhancements to 802.11 to support 5.5 and 11 Mbit/s (1999)
IEEE 802.11d - International (country-to-country) roaming extensions
IEEE 802.11e - Enhancements: QoS, including packet bursting
IEEE 802.11F - Inter-Access Point Protocol (IAPP)
IEEE 802.11g - 54 Mbit/s, 2.4 GHz standard (backwards compatible with b) (2003)
IEEE 802.11h - 5 GHz spectrum, Dynamic Channel/Frequency Selection (DCS/DFS) and Transmit Power Control (TPC) for European compatibility
IEEE 802.11i (ratified 24 June 2004) - Enhanced security
IEEE 802.11j - Extensions for Japan
IEEE 802.11k - Radio resource measurement enhancements
IEEE 802.11n - Higher throughput improvements
IEEE 802.11p - WAVE - Wireless Access for the Vehicular Environment (such as ambulances and passenger cars)
IEEE 802.11r - Fast roaming
IEEE 802.11s - Wireless mesh networking
IEEE 802.11T - Wireless Performance Prediction (WPP) - test methods and metrics
IEEE 802.11u - Interworking with non-802 networks (e.g., cellular)
IEEE 802.11v - Wireless network management
IEEE 802.11w - Protected Management Frames

Frame format
PMD HeaderPLCP Header
Frame Control Duration/ID Addr 1 Addr 2 Addr 3 Seq Ctrl Addr 4 (QoS) Frame Body FCS
2 2 6 6 6 2 6 2 0-2312 4
Type/Subtypes (taken from IEEE Std 802.11, 1999 Edition R2003)
Type value
b3 b2
Type description Subtype value
b7 b6 b5 b4
Subtype description
00 Mgmt 0000 Association Request
00 Mgmt 0001 Association Response
00 Mgmt 0010 Re-association Request
00 Mgmt 0011 Re-association Response
00 Mgmt 0100 Probe Request
00 Mgmt 0101 Probe Response
00 Mgmt 0110-0111 Rsvd
00 Mgmt 1000 Beacon
00 Mgmt 1001 Announcment Traffic indication msg (ATIM)
00 Mgmt 1010 Disassociation
00 Mgmt 1011 Autdentication
00 Mgmt 1100 Deautdentication
00 Mgmt 1101-1111 Rsvd
01 Ctrl 0000-1001 Rsvd
01 Ctrl 1010 Power Save (PS)-Poll
01 Ctrl 1011 RTS - optional collision reduction scheme. send RTS as 1st step in 2way handshake before sending data frames
01 Ctrl 1100 CTS - response to RTS
01 Ctrl 1101 Ack
01 Ctrl 1110 Contention-Free (CF)-End
01 Ctrl 1111 CF-End + CF-Ack
10 Data 0000 Data
10 Data 0001 Data + CF-Ack
10 Data 0010 Data + CF-Poll
10 Data 0011 Data + CF-Ack + CF-Poll
10 Data 0100 Null function (no data)
10 Data 0101 CF-Ack (no data)
10 Data 0110 CF-Poll (no data)
10 Data 0111 CF-Ack + CF-Poll (no data)
10 Data 1000-1111 Rsvd
11 Rsvd 0000-1111 Rsvd