CEH Wireless Security Topics: What the Exam Actually Covers

The Certified Ethical Hacker (CEH) certification, administered by EC-Council, dedicates a specific module to wireless network security, testing candidates on both conceptual knowledge and practical attack methodologies [4]. Understanding the scope and depth of these wireless topics is essential for efficient exam preparation and for applying offensive security skills in real-world assessments.

Wi-Fi Fundamentals and Encryption Weaknesses

The CEH wireless module begins with a strong emphasis on 802.11 protocol architecture, including frame types, management frames, and the role of each in network operations. Candidates are expected to understand the differences between WEP, WPA, WPA2, and WPA3 from an attacker’s perspective. This includes knowing why WEP is trivially crackable due to weak initialization vectors and small key space, how WPA’s Temporal Key Integrity Protocol (TKIP) addressed some but not all of those flaws, and the residual vulnerabilities in WPA2-Personal when weak passphrases are used. The exam expects familiarity with offline dictionary and brute-force attacks against captured four-way handshakes, not just theoretical weaknesses.

Access Point Attacks and Rogue Infrastructure

Beyond cracking encryption, the CEH curriculum covers infrastructure-level wireless attacks. Candidates must understand rogue access point (AP) deployment, evil twin attacks, and AP spoofing in detail. This includes the tools and techniques used to impersonate legitimate SSIDs, intercept client connections, and perform man-in-the-middle attacks through manipulated DHCP or DNS responses. The exam also tests knowledge of access point misconfigurations such as default credentials, broadcast SSID exposure, and the risks of open authentication combined with captive portals. Jamming and deauthentication attacks using tools like aireplay-ng to force client disconnections are also within scope [5].

Bluetooth and Non-Wi-Fi Wireless Vectors

The wireless security domain on the CEH is not limited to Wi-Fi. Bluetooth protocols receive dedicated coverage, including attacks targeting discovery mode, Bluejacking (unsolicited message sending), Bluesnarfing (unauthorized data access), and Bluebugging (remote device control). Candidates should understand the protocol stack differences between Classic Bluetooth and Bluetooth Low Energy (BLE) and the attack surfaces unique to each. The curriculum also touches on other wireless technologies such as RFID, NFC, and infrared, though at a lower depth compared to Wi-Fi and Bluetooth. Knowing which tools apply to each protocol category is important for the exam’s scenario-based questions.

Structured Breakdown of CEH Wireless Topics

The following table organizes the primary wireless security domains covered on the CEH exam, along with the associated attack types and representative tools candidates should be familiar with:

DomainKey Attack TypesRepresentative Tools
Wi-Fi EncryptionWEP cracking, WPA/WPA2 handshake capture and offline crackingAircrack-ng, Hashcat, Cowpatty
AP InfrastructureRogue AP, evil twin, deauthentication, MAC spoofingHostapd, aireplay-ng, mdk3
BluetoothBluejacking, Bluesnarfing, BluebuggingBluediving, BTScanner, Ubertooth
RFID / NFCCloning, eavesdropping, relay attacksProxmark3, NFCGate

Practical Lab Recommendations

The CEH training program emphasizes hands-on skill development through a curated lab plan [5]. For wireless topics, building a home lab with a supported wireless adapter capable of monitor mode and packet injection is the single most effective preparation step. Candidates should practice capturing handshakes on their own networks, running dictionary attacks, and configuring evil twin scenarios in isolated environments. While the exam tests conceptual understanding, the ability to recognize tool output and identify correct attack sequences significantly improves performance on practical questions.

FAQ

Does the CEH exam include hands-on wireless hacking labs?

The current CEH format includes scenario-based questions that reference tool output and attack workflows, but it does not require live hacking in the exam interface itself. Practical skills are tested indirectly through question design [4].

How deep does the CEH go into WPA3 security?

WPA3 is covered at a conceptual level. Candidates should understand SAE (Simultaneous Authentication of Equals) and why it mitigates offline dictionary attacks, but detailed WPA3 exploitation is not a primary focus given that practical attacks are still limited in most environments.

Is Bluetooth a significant portion of the wireless module?

Bluetooth receives less weight than Wi-Fi but is consistently tested. Expect questions on Bluejacking versus Bluesnarfing distinctions and basic protocol behavior. Do not skip this section.

Sources

[4] CCI Training Center – Ethical Hacking Certifications by Career Path

[5] EC-Council – Best Cybersecurity Courses: Beginners, Advanced & Specializations

[1] CERT.br – Cartilha de Segurança para Internet

Scroll to Top