2.4 GHz BAND
14 channels (1–14). Only channels 1, 6, 11 are non-overlapping in most regions. Channel 14 only allowed in Japan. 22 MHz bandwidth per channel.
◆ Non-overlapping channels: 1, 6, 11 (or 1, 5, 9, 13 in some EU configs with 4-channel spacing). Overlapping channels cause co-channel interference — APs may retry indefinitely, degrading throughput for all users.
[2.4 GHz channel table not captured: columns Ch, Centre Freq, Range (20MHz), Non-Overlap, Legal (UK/EU), Notes; rows were colour-coded Non-overlapping / Overlapping]
5 GHz BAND
More channels, less congestion. Shorter range. DFS (Dynamic Frequency Selection) required on many channels to avoid radar interference. Channels spaced 5 MHz apart.
⚠ DFS channels (52–144) require radar detection. AP must vacate channel within 10 seconds of radar detection. During CAC (Channel Availability Check, 60s) no data is transmitted — check if CAC is complete before testing.
[5 GHz channel table not captured: columns Ch, Centre Freq, DFS?, UNII Band, Legal UK, 40MHz Pairs, Notes; rows were colour-coded Non-DFS (always available) / DFS required]
6 GHz BAND (Wi-Fi 6E / 7)
Wi-Fi 6E (802.11ax). 59 non-overlapping 20MHz channels. No DFS. No legacy devices. WPA3 mandatory. AFC (Automated Frequency Coordination) required for standard power in UK/EU.
◆ UK Ofcom: Indoor low-power (LPI) permitted without AFC. Standard power requires AFC approval. 6 GHz band is essentially clean — far less congestion than 2.4/5 GHz in current deployments.
[6 GHz channel table not captured: columns Ch, Centre Freq, UK Legal, Channel Width Options, Notes]
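The channel rules from the three band sections above (2.4 GHz grid with channel 14 as the Japan-only outlier, 5 GHz grid with DFS on 52–144, 6 GHz grid with channel 2 off-grid) as a small classifier that can be run over `iw dev wlan0 scan` output to inventory which band, channel and DFS status each AP is on. This is an added example, not code from the page; the BSSIDs and SSIDs in SAMPLE_SCAN are constructed.

```python
import re
# Channel rules from the band sections above (added example, not the page's own code).
# Each grid: (band, base MHz, lowest freq, highest freq); channel = (freq - base) / 5.
GRIDS = (("2.4", 2407, 2412, 2472), ("5", 5000, 5180, 5885), ("6", 5950, 5955, 7115))
NON_OVERLAPPING_24 = {1, 6, 11}
DFS_CHANNELS = range(52, 145)  # 5 GHz channels 52-144 need radar detection (DFS)

def freq_to_channel(freq_mhz):
    """Map a centre frequency (MHz) to (band, channel); None if off every grid."""
    if freq_mhz == 2484:
        return ("2.4", 14)  # channel 14 sits 12 MHz above the grid, Japan only
    if freq_mhz == 5935:
        return ("6", 2)     # the only 6 GHz channel off the 5950 MHz grid
    for band, base, lo, hi in GRIDS:
        if lo <= freq_mhz <= hi and (freq_mhz - base) % 5 == 0:
            return (band, (freq_mhz - base) // 5)
    return None

def classify(freq_mhz):
    """Band, channel, and whether the AP is on a DFS or a non-overlapping channel."""
    mapped = freq_to_channel(freq_mhz)
    if mapped is None:
        return {"band": "unknown", "channel": None, "dfs": False, "non_overlapping": False}
    band, ch = mapped
    return {"band": band, "channel": ch,
            "dfs": band == "5" and ch in DFS_CHANNELS,
            "non_overlapping": band != "2.4" or ch in NON_OVERLAPPING_24}

def parse_iw_scan(text):
    """Collect BSSID, freq and SSID per BSS block of `iw dev <if> scan` output."""
    aps, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line):
            cur = {"bssid": m.group(1), "freq": None, "ssid": ""}
            aps.append(cur)
        elif cur and (m := re.match(r"\s*freq: (\d+)", line)):
            cur["freq"] = int(m.group(1))
        elif cur and (m := re.match(r"\s*SSID: (.*)", line)):
            cur["ssid"] = m.group(1)
    return [dict(ap, **classify(ap["freq"])) for ap in aps if ap["freq"]]

# Constructed sample in the shape `iw dev wlan0 scan` prints (not a real capture).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tSSID: HomeNet
BSS 00:11:22:33:44:66(on wlan0)
\tfreq: 5500
\tSSID: CorpWLAN
"""
```

Feed the real scan text to parse_iw_scan to get one dict per AP; an AP reporting dfs=True is the "on a DFS channel" case the recon notes below treat as a sign of a managed deployment.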
RECON NOTES
◆ Key insight: finding an AP on a DFS channel is significant — it suggests the AP is authorised and managed (DFS compliance = likely enterprise). APs on 1/6/11 only = SOHO/consumer.
| Observation | Implication | Action |
|---|---|---|
| AP on ch 1/6/11 only, WPA2-PSK | SOHO router | PMKID capture, EAPOL handshake |
| AP on 5GHz DFS ch, WPA2-Enterprise | Managed enterprise | EAP recon, evil twin with MSCHAPv2 capture |
| SSID on 2.4 + 5GHz (band steering) | Dual-band AP | Deauth on 5GHz to force clients to 2.4GHz for capture |
| Hidden SSID | Obscurity ≠ security | Probe request sniffing reveals SSID on client assoc |
| WPS enabled | Pixie Dust / brute force | reaver/bully — WPS PIN attack |
| OWE (Enhanced Open) | Open with per-session encryption | Downgrade to Open if AP supports both |
| WPA3-SAE | Dragonfly handshake | Downgrade to WPA2 if transition mode, or CVE timing attacks |
| PMKID in beacon | PMKID caching enabled | Capture with hcxdumptool --enable_status=3, no client needed |
| 802.1X / RADIUS | Enterprise auth | hostapd-wpe evil twin → MSCHAPv2 → hashcat -m 5500 |
| Ch 13 (EU only) | EU-region device | Some US adapters can't scan ch 12-13 — use EU driver settings |
| iw/iwconfig Commands | Purpose |
|---|---|
| iw dev wlan0 scan \| grep -E 'SSID\|freq\|signal' | Quick AP scan |
| iw reg get | Check regulatory domain |
| iw reg set GB | Set UK regulatory domain (enable ch 12/13) |
| airmon-ng start wlan0 | Enable monitor mode |
| airodump-ng wlan0mon --band abg | Scan all bands |
| hcxdumptool -i wlan0mon -o cap.pcapng --enable_status=3 | PMKID + EAPOL capture |
| hcxpcapngtool cap.pcapng -o hashes.hc22000 | Convert to hashcat format |