OBJECTIVE 04 — WIRELESS HACKING METHODOLOGY


CEH WIRELESS HACKING — CORE DEFINITION

Item              Memorize
Wireless Hacking  Identifying and exploiting vulnerabilities in wireless networks to gain unauthorized access

CEH WIRELESS ATTACK METHODOLOGY (EXAM SEQUENCE)

Phase #  Phase Name
1        Reconnaissance
2        Scanning
3        Gaining Access
4        Maintaining Access
5        Covering Tracks

MEMORY HOOK:
Recon → Scan → Access → Persist → Hide


PHASE 1 — WIRELESS RECONNAISSANCE


PURPOSE

Purpose
Identify wireless networks
Identify SSID, BSSID
Identify channels
Identify encryption

INFORMATION GATHERED

Parameter
SSID
BSSID
Channel
Signal strength
Encryption type

TOOLS USED (PASSIVE MODE)

Tool         Purpose
airodump-ng  Capture wireless packets
Kismet       Passive wireless sniffer
NetStumbler  Detect WLANs
inSSIDer     WLAN discovery

MEMORY HOOK:
Recon = listen only


PHASE 2 — WIRELESS SCANNING


PURPOSE

Purpose
Identify active targets
Identify connected clients
Identify security mechanisms

ACTIVE SCANNING TOOLS

Tool       Purpose
airmon-ng  Enable monitor mode
iwconfig   Configure wireless interface
wash       Detect WPS-enabled APs

COMMAND RECOGNITION (EXAM)

Command                Purpose
airmon-ng start wlan0  Enable monitor mode
iwconfig               Display wireless interface info

MEMORY HOOK:
Monitor mode = hacking mode


PHASE 3 — GAINING ACCESS


COMMON ACCESS METHODS

Method
WEP cracking
WPA/WPA2 handshake cracking
Evil Twin
WPS PIN attack

WEP ATTACK METHOD (LOGIC)

Step
Capture packets
Collect IVs
Crack key

WPA/WPA2 ATTACK METHOD

Step
Capture handshake
Deauth client
Crack PSK offline

TOOLS USED

Tool         Purpose
aireplay-ng  Deauth and packet injection
aircrack-ng  Crack WEP/WPA keys
reaver       WPS brute force
bully        WPS attack

COMMAND RECOGNITION (EXAM)

Command                  Purpose
aireplay-ng --deauth     Deauthentication attack
aircrack-ng capture.cap  Crack captured handshake

MEMORY HOOK:
Handshake first, crack later


PHASE 4 — MAINTAINING ACCESS


METHODS

Method
Backdoor AP
MAC spoofing
Persistent connection

TOOLS

Tool        Purpose
macchanger  Change MAC address
hostapd     Create fake AP

MEMORY HOOK:
Persistence = stay connected


PHASE 5 — COVERING TRACKS


TECHNIQUES

Technique
MAC address spoofing
Clearing logs
Disabling AP logs

MEMORY HOOK:
No logs, no proof


CEH WIRELESS TOOLS — MASTER TABLE (VERY HIGH YIELD)

Tool         Function
Aircrack-ng  Crack WEP/WPA
Airodump-ng  Capture packets
Aireplay-ng  Packet injection
Airmon-ng    Monitor mode
Kismet       Passive sniffing
Reaver       WPS brute force
Bully        WPS attack
Wash         WPS detection
NetStumbler  WLAN discovery
inSSIDer     WLAN analysis

TOOL → ATTACK MAPPING (MEMORY TABLE)

Tool         Attack
airodump-ng  Recon
aireplay-ng  Deauth
aircrack-ng  Key cracking
reaver       WPS brute force
Kismet       Passive sniffing

EXAM TRAPS (VERY IMPORTANT)

Trap                              Correct Answer
Monitor mode needed for sniffing  YES
Hidden SSID secure                NO
WPA2 immune to attacks            NO
Deauth breaks encryption          NO

OBJECTIVE 04 — MEMORY BLOCK

Recon listens.
Monitor mode captures.
Deauth forces handshake.
Aircrack cracks keys.
Reaver attacks WPS.