RFSAM-WIFI-LL-01 · REVIEWED · high

Verify management-frame protection and identity exposure

Determine, from a passive monitor-mode capture, whether the network protects its 802.11 management frames (802.11w / PMF) and how much device identity the beacons, probe requests and association frames leak in the clear — establishing exposure to deauthentication DoS, handshake-forcing and evil-twin targeting.

802.11 b/g/n · 802.11 ac/ax · LL · Link / Protocol · MEDIUM
802.11 management frames (beacons, probe request/response, association and deauthentication) are sent in the clear, and unless Management Frame Protection (802.11w / PMF) is enforced they are unauthenticated. That exposure lets forged deauth frames evict clients at will and lets probe requests leak the networks a client remembers. This LL control reads the exposure from a capture; the active deauth and evil-twin techniques it scopes are executed under the Wi-Fi Attack layer (RFSAM-WIFI-AT-*).

Mechanism

802.11 separates management, control and data frames. Beacons, probe request/response, and association/authentication frames are sent in the clear, and — critically — by default they carry no cryptographic authentication, so a receiver cannot tell a genuine frame from a forged one. The 802.11w-2009 amendment (“Protected Management Frames”, PMF) was published specifically to close this: it adds integrity, origin authentication and replay protection to a subset of management frames, principally deauthentication, disassociation and robust action frames [ieee80211w2009]. By design the amendment cannot protect beacons or probe request/response frames, since those are exchanged before any security association exists [ieee80211w2009]. So even with PMF fully enforced, the discovery frames still leak; PMF only stops the forged-deauth class.

Where PMF is absent or not enforced, the canonical consequence is the deauthentication/disassociation denial-of-service: an attacker spoofs the AP or client MAC and transmits a single forged deauth frame to evict a station, repeatedly to deny service, or tactically to force a client to reconnect and emit a fresh 4-way handshake. Bellardo and Savage documented this management-frame DoS class in 2003 and noted that, unlike the confidentiality flaws of the era, these availability attacks need no key and target the protocol’s own management plane [bellardo2003dos]. The forced-reconnect variant is the lever that feeds the handshake-capture path assessed under RFSAM-WIFI-CR-01.

The second exposure is identity. A client doing active scanning broadcasts directed probe requests naming SSIDs it has joined before — its Preferred Network List. Cunche, Kaafar and Boreli showed in 2012 that these lists fingerprint a device and even let social links between owners be inferred from overlapping network histories [cunche2012linking]. MAC-address randomization was meant to blunt this, but Vanhoef et al. demonstrated in 2016 that probe-request information elements, scrambler seeds and sequence numbers fingerprint and track devices despite randomized MACs, correctly following a sizable fraction of devices for tens of minutes [vanhoef2016randomization]. More recently, McDougall et al. found users frequently type sensitive strings — including passwords and email addresses — into SSID fields, which then leak verbatim in probe requests [mcdougall2022probing]. Together these make management-frame capture both a tracking surface and the reconnaissance that seeds evil-twin (AP-impersonation) targeting, executed under the Wi-Fi Attack layer.

Procedure

All capture below is passive and non-transmitting. Steps 1–4 observe only. The active deauth check in step 5 transmits and must be run only on equipment you own or are explicitly authorised to test, ideally in an RF-shielded enclosure; classic deauth is a real denial of service against bystanders. The active execution properly belongs to the Wi-Fi Attack layer — here it is a one-shot confirmation of the exposure read in step 4.

  1. Put the adapter into monitor mode and park it on the target’s channel (RFSAM-RES-11):

    sudo airmon-ng start wlan0
    sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF wlan0mon

    The live table lists the BSSID, channel, encryption and any associated client (STATION) MACs.

  2. Capture management frames to a PCAP for offline decode:

    sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wifi-ll wlan0mon

    This writes wifi-ll-01.cap containing beacons, probes and any handshake.

  3. Read whether the BSS advertises Protected Management Frames in its RSN Information Element. In Wireshark/tshark, the MFP Required / MFP Capable bits live in the RSN Capabilities field of the beacon:

    tshark -r wifi-ll-01.cap -Y "wlan.fc.type_subtype == 0x08" \
      -T fields -e wlan.ssid \
      -e wlan.rsn.capabilities.mfpr -e wlan.rsn.capabilities.mfpc

    mfpr=1 (MFP Required) means PMF is enforced: every client that associates must negotiate it, so the forged-deauth DoS is blocked for associated stations. mfpc=1, mfpr=0 means capable but optional: the BSS accepts both protected and unprotected associations, so a given client is covered only if its own association request also sets mfpc (check the RSN IE in frames with wlan.fc.type_subtype == 0x00 in the same capture). Both bits 0, or no RSN IE at all (Open/WEP, or a WPA1-only BSS that carries only the vendor WPA IE and cannot use PMF), means management frames are unprotected.

  4. Inventory the identity leakage — broadcast SSIDs and the probe-request history of nearby clients (their PNLs):

    tshark -r wifi-ll-01.cap -Y "wlan.fc.type_subtype == 0x04 && wlan.ssid != \"\"" \
      -T fields -e wlan.sa -e wlan.ssid | sort -u

    Each line is a client MAC and an SSID it is actively seeking — the data the tracking and evil-twin work in [cunche2012linking] and [vanhoef2016randomization] consumes. Note any SSID strings that look like credentials [mcdougall2022probing].

  5. (Authorised scope only) If step 3 showed PMF absent, confirm deauth susceptibility against your own test client with a single, bounded burst, then stop:

    sudo aireplay-ng --deauth 1 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

    --deauth 1 sends one round rather than an endless flood (aireplay-ng still emits a burst of 64 frames in each direction per round, which is why the test must stay bounded). The test client dropping its association confirms the exposure; airodump-ng on the same channel should then show the client re-associating and, once it does, an EAPOL handshake, the input to RFSAM-WIFI-CR-01. Against a PMF-enforced BSS, or a client that negotiated PMF under the optional mode, the unprotected forged frames are discarded and the client stays connected.
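As an added example (not code from this page or from the tooling it names), the read-outs of steps 3 and 4 and the protection check behind the step-5 expectation, implemented as a small decoder over raw 802.11 management frames. It reads the MFPR/MFPC bits from a beacon's RSN IE, builds the per-client PNL from directed probe requests, and tells a PMF-protected deauth (Protected Frame flag for unicast CCMP, or an MMIE, element 76, for broadcast BIP) from the unprotected kind a forged frame has to be. Every frame is constructed inline from the frame layout; the MAC addresses, SSIDs and lab-* names are assumptions. It also covers the cases tshark's mfpr/mfpc columns leave blank: a WPA1-only BSS (vendor WPA IE) or an Open/WEP BSS has no RSN IE and therefore no PMF.

```python
"""Decode raw 802.11 management frames (no radiotap header) to read PMF status from
beacons, PNL leakage from probe requests and PMF protection on deauth frames.
Every frame below is constructed inline; nothing comes from a real capture."""

MFPR, MFPC = 0x0040, 0x0080            # RSN Capabilities bits 6 (required) and 7 (capable)
BEACON, PROBE_REQ, DEAUTH = 8, 4, 12   # management-frame subtypes (0x08, 0x04, 0x0c)
OUI_WPA1 = b"\x00\x50\xf2\x01"         # vendor IE payload marking a WPA1 (pre-RSN) BSS

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ie(eid, data): return bytes([eid, len(data)]) + data

def mgmt_header(subtype, addr1, addr2, addr3, protected=False):
    # Frame Control byte 0: type 0 (management) in bits 2-3, subtype in bits 4-7;
    # byte 1 carries the flags, Protected Frame being bit 6 (0x40).
    fc = bytes([subtype << 4, 0x40 if protected else 0])
    return fc + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"

def rsn_ie(caps):
    suite = lambda t: b"\x00\x0f\xac" + bytes([t])    # 00-0F-AC:<type> suite selector
    return ie(48, b"\x01\x00" + suite(4)               # version 1, group cipher CCMP
              + b"\x01\x00" + suite(4)                 # one pairwise cipher: CCMP
              + b"\x01\x00" + suite(2)                 # one AKM: PSK
              + caps.to_bytes(2, "little"))            # RSN Capabilities

def parse_ies(buf):
    ies, i = [], 0
    while i + 2 <= len(buf):
        eid, ln = buf[i], buf[i + 1]
        ies.append((eid, buf[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies

def parse_mgmt(frame):
    assert (frame[0] >> 2) & 3 == 0, "not a management frame"
    return {"subtype": frame[0] >> 4, "protected": bool(frame[1] & 0x40),
            "sa": frame[10:16].hex(":"), "bssid": frame[16:22].hex(":"),
            "body": frame[24:]}

def rsn_capabilities(rsn):
    # Skip version(2) + group suite(4), then the pairwise and AKM suite lists;
    # the capabilities field is optional and an absent field reads as all-zero.
    i = 6
    n = int.from_bytes(rsn[i:i + 2], "little"); i += 2 + 4 * n
    n = int.from_bytes(rsn[i:i + 2], "little"); i += 2 + 4 * n
    return int.from_bytes(rsn[i:i + 2], "little") if i + 2 <= len(rsn) else 0

def pmf_status(beacon):
    """(ssid, verdict) for a beacon: 'required', 'optional', 'none', 'wpa1' or 'no-rsn'."""
    f = parse_mgmt(beacon)
    assert f["subtype"] == BEACON
    ies = parse_ies(f["body"][12:])      # skip timestamp(8), interval(2), capability(2)
    ssid = next((d.decode("utf-8", "replace") for e, d in ies if e == 0), "")
    rsn = next((d for e, d in ies if e == 48), None)
    if rsn is None:                      # WPA1 (vendor IE) and Open/WEP cannot carry PMF
        wpa1 = any(e == 221 and d[:4] == OUI_WPA1 for e, d in ies)
        return ssid, "wpa1" if wpa1 else "no-rsn"
    caps = rsn_capabilities(rsn)
    if caps & MFPR: return ssid, "required"   # enforced for every association
    if caps & MFPC: return ssid, "optional"   # each client's own association decides
    return ssid, "none"

def pnl_inventory(frames):
    """Client MAC -> sorted SSIDs named in its directed probe requests (wildcard skipped)."""
    pnl = {}
    for fr in frames:
        f = parse_mgmt(fr)
        if f["subtype"] != PROBE_REQ: continue
        for e, d in parse_ies(f["body"]):
            if e == 0 and d:
                pnl.setdefault(f["sa"], set()).add(d.decode("utf-8", "replace"))
    return {k: sorted(v) for k, v in pnl.items()}

def deauth_is_protected(frame):
    """Under PMF a unicast deauth is CCMP-encrypted (Protected flag set) and a broadcast
    deauth carries an MMIE (element 76, BIP). Anything else is what a forged frame looks like."""
    f = parse_mgmt(frame)
    assert f["subtype"] == DEAUTH
    return f["protected"] or any(e == 76 for e, _ in parse_ies(f["body"][2:]))  # reason(2) + IEs

# Constructed sample frames: addresses, SSIDs and names are assumptions for the demo.
AP, STA, BCAST = "02:00:00:00:aa:01", "02:00:00:00:bb:01", "ff:ff:ff:ff:ff:ff"
BEACON_FIXED = bytes(8) + (100).to_bytes(2, "little") + (0x0411).to_bytes(2, "little")
def beacon(ssid, *ies):
    return mgmt_header(BEACON, BCAST, AP, AP) + BEACON_FIXED + ie(0, ssid.encode()) + b"".join(ies)
def probe_req(sa, ssid):
    return mgmt_header(PROBE_REQ, BCAST, sa, BCAST) + ie(0, ssid.encode())
def deauth(da, protected=False, mmie=False):
    body = (7).to_bytes(2, "little")           # reason 7: class 3 frame from non-associated STA
    if mmie: body += ie(76, bytes(16))         # KeyID(2) + IPN(6) + MIC(8), zeroed for the demo
    return mgmt_header(DEAUTH, da, AP, AP, protected) + body

SAMPLES = {"none": beacon("lab-none", rsn_ie(0)),
           "optional": beacon("lab-opt", rsn_ie(MFPC)),
           "required": beacon("lab-req", rsn_ie(MFPC | MFPR)),
           "wpa1": beacon("lab-wpa1", ie(221, OUI_WPA1 + b"\x01\x00")),
           "open": beacon("lab-open")}
PROBES = [probe_req(STA, "HomeNet"), probe_req(STA, "CoffeeShop"),
          probe_req("02:00:00:00:bb:02", "HomeNet"), probe_req(STA, "")]

if __name__ == "__main__":
    for name, b in SAMPLES.items(): print(name, pmf_status(b))
    print(pnl_inventory(PROBES))
    for fr in (deauth(STA), deauth(STA, protected=True), deauth(BCAST, mmie=True)):
        print("deauth protected:", deauth_is_protected(fr))
```

To run it over a real capture, strip the radiotap header (its little-endian length sits at bytes 2-3 of each packet) and feed the remaining bytes of each management frame to the same functions; the verdicts map one-to-one onto the mfpr/mfpc and probe-request columns of steps 3 and 4.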

Field case

Steps 3–4 are demonstrated below against a documented public sample so the read-out can be reproduced exactly; the step-5 active confirmation is left as an illustrative lab walk-through, where every unmeasured datum is marked [FILL: …] and must not be cited as a real finding.

Worked against the public Wireshark sample capture wpa-Induction.pcap (Wireshark SampleCaptures wiki, “Wifi / Wireless LAN captures / 802.11”) [wireshark-wpa-induction] — a passive 802.11 trace, not a live engagement of our own:

  • Step 3 on its WPA2-PSK beacon for SSID Coherer (BSSID 00:0c:41:82:b2:55, AKM = PSK) returns RSN Capabilities 0x0000 (mfpr=0, mfpc=0), PMF neither required nor capable — so management frames are unprotected and an associated client stays deauth-susceptible [wireshark-wpa-induction].
  • Step 4 over the same capture inventoried 2 distinct client MACs emitting directed probe requests (00:0d:93:82:36:3a probing Coherer, 00:0f:66:16:94:73 probing linksys) and 2 distinct probed SSIDs, of which none observed resembled credentials or email addresses [wireshark-wpa-induction].

For the active confirmation, an illustrative lab walk-through against a consumer AP on channel 6 with an ALFA AWUS036ACH — substitute the values you capture:

  • Step 4 over a [FILL: N]-minute capture in a [FILL: location type, e.g. office lobby] would inventory the live PNLs of nearby clients.
  • Step 5, on the operator's own test laptop, a single aireplay-ng --deauth 1 round would drop the client, and airodump-ng would capture the renewed EAPOL handshake within [FILL: seconds].

An Electronic Cats Minino (ESP32-C6) reproduces steps 1–4 standalone on 2.4 GHz, writing the capture to microSD and logging the survey geographically over its onboard GPS for the wardriving variant — useful where a laptop is impractical, with the caveat that it sees only 2.4 GHz management/handshake frames, not 5/6 GHz traffic. A WiFi Pineapple consumes the same step-4 PNL inventory to seed an evil-twin clone, but that is an Attack-layer action outside this control’s scope and must be separately authorised.

Remediation

Developer (client/STA firmware and OS): Implement MAC-address randomization and minimize probe-request fingerprintability — randomize sequence numbers and avoid distinctive information-element ordering, since randomized MACs alone do not prevent tracking [vanhoef2016randomization]. Prefer passive scanning (listen for beacons) over directed active probing so the Preferred Network List is not broadcast [cunche2012linking]; never echo user-entered SSID strings that could carry secrets [mcdougall2022probing].

Integrator (AP / network design): Enable 802.11w with MFP Required (mfpr=1; in hostapd this is ieee80211w=2, not the optional ieee80211w=1), not merely capable, on every BSS — this authenticates deauth/disassoc frames and defeats the forged-deauth DoS and handshake-forcing class [ieee80211w2009] [bellardo2003dos]. PMF is mandatory under WPA3 and on 6 GHz; enforce it on WPA2 too, and retire WPA1-only BSSs (vendor WPA IE, no RSN IE), which cannot carry PMF at all. Note that PMF does not protect beacons or probe frames, so identity leakage must be addressed at the client [ieee80211w2009].

Operator (deployment/policy): Audit beacons for mfpr enforcement across the estate; treat any PMF-optional BSS as deauth-exposed. On managed clients, disable auto-join for sensitive SSIDs and clear stale saved networks to shrink the leaked PNL. Avoid hidden SSIDs as a security measure — they force clients to actively probe the hidden name, worsening the leakage this control measures rather than reducing it.

KNOWN ATTACKS

Deauthentication / disassociation DoS

Because deauth/disassoc frames are unauthenticated without 802.11w, a single forged frame spoofing the AP or client MAC drops the targeted station.

Impact: Forged deauth/disassoc frames evict one or all clients on demand — a denial of service, and the lever that forces a fresh 4-way handshake for offline cracking under RFSAM-WIFI-CR-01.
Preconditions: Management Frame Protection (802.11w / PMF) absent or not enforced on the BSS.
References: [bellardo2003dos]
Probe-request identity / PNL leakage

Probe requests broadcast remembered SSIDs in the clear, fingerprinting and tracking the device and its owner.

Impact: Directed probe requests disclose the SSIDs a device has joined before (its Preferred Network List), enabling device tracking, social-link inference and evil-twin targeting; users sometimes type credentials into SSID fields that then leak verbatim.
Preconditions: Client performs active scanning with directed (non-broadcast) probe requests; passive capture within range.
References: [cunche2012linking], [mcdougall2022probing]
MAC-randomization bypass via probe fingerprinting

Information-element fingerprints, scrambler seeds and sequence numbers in probe requests let devices be tracked even when the MAC address is randomized.

Impact: Tracks and re-identifies a device across sessions despite randomized MAC addresses, undermining the identity protection clients rely on.
Preconditions: Client uses MAC randomization but emits fingerprintable probe-request information elements / sequence numbers.
References: [vanhoef2016randomization]

REFERENCES

  1. [ieee80211w2009]
    IEEE 802.11w-2009 — Amendment 4: Protected Management Frames — IEEE Standards Association, 2009 (standard)
  2. [bellardo2003dos]
    802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions — J. Bellardo, S. Savage, 12th USENIX Security Symposium, 2003 (paper)
  3. [cunche2012linking]
    I know who you will meet this evening! Linking wireless devices using Wi-Fi probe requests — M. Cunche, M. A. Kaafar, R. Boreli, IEEE WoWMoM 2012 (paper)
  4. [vanhoef2016randomization]
    Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms — M. Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, F. Piessens, ACM AsiaCCS 2016 (paper)
  5. [mcdougall2022probing]
    Probing for Passwords — Privacy Implications of SSIDs in Probe Requests — J. Ansohn McDougall, C. Burkert, D. Demmler, M. Schwarz, V. Hubbe, H. Federrath, ACNS 2022 (arXiv:2206.03745) (paper)
  6. [wireshark-wpa-induction]
    wpa-Induction.pcap — Wireshark SampleCaptures wiki (Wifi / Wireless LAN captures / 802.11) — Wireshark project (tool)

RELATED RESOURCES

RFSAM-RES-11 · Wi-Fi monitor-mode capture and survey
RFSAM-RES-12 · Wi-Fi handshake / PMKID capture and cracking