How to Locate Wireless Devices

Using Wave Behavior to Locate Wireless Access Points and Devices

Manual Penetration Testing

A discussion:

Wave behaviors

The following article is a discussion that explores Wave Behaviors to Locate Wireless Access Points and Devices


Radio Frequencies(RF) are a range of Electro-Magnetic Frequencies(EMF) that Cellular, WiFi, Bluetooth, and other telecommunication technologies are built upon. Radio waves have numerous ways of interacting with an environment. These forms of interaction are referred to as “Wave Behaviors.” The commonly known forms of wave behavior include absorption, reflection, refraction, and diffraction. 

  • Absorption: The incoming waves strike a substance that stops or attenuates the signal. Typically, the energy of the wave is dissipated in the form of heat after causing atoms to vibrate. Water is well known for absorbing radio waves.
  • Reflection: Incoming waves bounce off a material or substance. Mirrors are common examples of reflection.
  • Refraction: Waves pass through a medium but exit from a different angle than they entered. A common example of refraction is a pencil in a glass of water. The pencil enters the water at one angle but, the refracting light causes the angle of the pencil to appear warped.
  • Diffraction: An incoming wave can warp or bend around the edge of objects. An easy-to-understand example of this is a boulder in the ocean. When a strong wave hits a boulder, some water shoots up and over the boulder, while some curve around the sides. Radio waves respond similarly to certain structures, typically stone or concrete buildings and roads.

Identifying Wireless Access Points

When performing a wireless penetration test, it is often important to physically locate and identify scoped wireless access points (APs) and potential Rouge APs. Finding these access points can often be difficult in larger testing sites and requires a degree of skill to do so. Accounting for wave behavior can often make or break attempts to locate APs.  Received Signal Strength Indicator(RSSI) is the primary indicator of proximity to wireless devices. In airodump-ng it is displayed under the label PWR. RSSI is measured in dBm(decibel-milliwatts). Measurements are represented as negative numbers, the stronger the RSSI, the closer to 0. In practice, anything higher (closer to zero) than -30 means you are likely close enough to touch the device. Below is an airodump-ng capture taken from antenna inches from a cellphone’s wireless hotspot.

Strong RSSI

Figure 1: Strong RSSI -Close Proximity to Target

Next is an example of weak RSSI, meaning your antenna is far from the target. In practice, anything lower than -70 indicates that you are either far from the target or have obstructions attenuating the signal.

Figure 2: Weak RSSI - Further from Target

Figure 2: Weak RSSI – Further from Target

RSSI is a good indicator of proximity, particularly in open environments with few obstructions. Unfortunately, due to the complexity and diverse use of materials in modern buildings, it is not always as simple as following strong RSSI and avoiding weak RSSI. For the duration of this article, we will discuss how to use the physics of the various wave behaviors to locate and identify APs.

How to use the physics of the various wave behaviors to locate and identify Access Points

Absorption is one of the easiest to implement and most directly applicable wave behaviors that can be manipulated to find and locate an AP. Water is a potent material for absorbing radio waves. Fortunately, humans are about 70% water, meaning your body can be a crucial element in your wireless penetration toolkit. By placing your body or sometimes even just a hand in front of your antenna and observing the loss of signal strength, you can estimate the target’s general direction. The greater the loss in RSSI, the more likely it is in the direction your hand or body was blocking. This technique is helpful in quickly narrowing down the potential direction of a device without having to walk through every part of a building physically. Often times it is used to determine which direction of a hallway to walk down. Concrete walls are also fairly absorbent and can significantly attenuate signals. Knowing this, if you experience a sharp decline in signal strength after rounding a corner where a concrete or cinder-block wall replaces drywall, then it is likely that the target AP is on the opposite side of that wall.

Understanding reflection can also help in locating access points. Many materials can be reflective. Mirrors and most metals are reflective, some polishes or finishes can make otherwise permeable or absorptive surfaces reflective of RF. Reflection can oftentimes be deceptive and lead a penetration tester into spending time investigating a location that turns out to be a false positive. Concave reflective surfaces create something called a focal point. When situated at or near a focal point, the signal strength will be stronger than the signal closer to or further from the concave reflective surface. This can lead a penetration tester to believe they are standing near the target, even if they are a fair distance away.

Fortunately, it is uncommon (though not extremely rare) to encounter a concave reflective surface large enough to create a focal point capable of deceiving a penetration tester.

A more common example would be a reflective wall (typically metal) or mirror. A reflective wall, depending on the angle, can bounce the signal of an AP from one hallway down a different hall. If approaching from the latter hallway, the penetration tester would experience stronger RSSI as they approached the wall. A penetration tester could reasonably presume that the AP must be on the opposite side of the wall that they are picking up a strong signal from. A tester with a solid understanding of reflection as a wave behavior would note the material of the wall, posit that reflection was in play, look for possible directions the signal could be coming from, and find the AP more expediently.

Despite being very common, refraction is not as evidently applicable to a penetration tester as absorption or reflection. Refraction becomes significantly more impactful in long-distance site-to-site connections. Rain, fog, humidity, pressure, temperature, and other factors can induce refractive behavior, the effect of which is exacerbated by distance. Keeping this in mind can be helpful for a penetration tester conducting a wireless assessment of a large outdoor footprint, but in most cases, it does not apply. Regarding smaller, mostly indoor environments, it can be useful to note that all sorts of materials, including, drywall, wood, plastic, and windows, elicit refractive wave behavior. A pentester should keep in mind that receiving a strong signal in front of a window does not inherently mean that the AP or target device is directly in front of them, on the other side of that window. Refraction could be taking place and altering the angle of the signal. Additionally if the rest of the building is made with stone or cinder-block, diffraction could be pushing signal through the windows.

Diffraction plays a huge factor in the interactions between RF and the local environment, especially in urban or mountainous locations. Thick stone, brick, and cinder-block are common materials that cause diffraction. Within a building, diffraction can “push” signal through hallways, and out doorways or windows. This can create some interesting scenarios depending on the layout of a building and the placement of APs. For example, in a stone hallway aligned in the North-South direction, a penetration tester could get a stronger signal from the north end of the hall despite the AP being on the south end of the building on the other side of the wall. In a diffraction-heavy environment like the one just described, the presence of thick metal doors could also create a scenario where the “flow” of RF can drastically change whether doors are open or closed.

Dead Zones

It is also important to remember that diffraction can create something called a dead zone. A dead zone is an area with little to no signal on the outer side of a diffractive object. For example, picture an AP behind a stone wall with a window about two feet above head height running the length of the wall. Diffraction from the wall will cause the signal exiting the window to follow several different angles. Most of the RF waves will push straight out of the window with a decreasing gradient of signal strength when approaching the external face of the wall until there is little to no signal. This creates both a dead zone next to the wall and a “sweet spot” several meters away from the wall. A tester may become deterred by the lack of signal near the wall and follow the increasing signal to the “sweet spot” leading them in the opposite direction of the AP. Understanding this principle can be crucial to finding an AP in a timely manner.

2.4GHz vs 5GHz

One final note a penetration tester should keep in mind is that diffraction is heavily influenced by the wavelength of the signal, 2.4GHz WIFI diffracts more easily and retains power significantly better than the 5GHz band. This means that 5GHz signal can be “trusted” to a greater degree in environments where diffraction is abundant. For this reason, it is recommended to listen on both frequency bands. Use the 2.4GHz band to get a broad approximate location and the 5GHz band to do the more precise locating. Bluetooth can also be used for ultra-precise identification but is rarely required as the 5GHz band is typically more than accurate enough to get the job done.

hacking wireless networks


The difficulty of physically locating an AP is largely dependent on the environment. Some environments induce a plethora of wave behaviors that can complicate the process. Having a strong understanding of the fundamentals of wave behavior can be integral to the timely and expedient location of a target. Knowledge of wave behavior can allow a penetration tester to use techniques that exploit wave behavior in their favor. Additionally, understanding the fundamentals of radio waves can assist them in avoiding the deceptive nature and effects of wave behaviors. This can help a tester spend less time running around a site hunting for devices, allowing them to successfully locate Rouge APs, and assess the security of the placement of scoped APs and whether they are at risk of easy physical access to a malicious actor.

Learn more about Redbot Security Wireless Penetration Testing Services

About the Author

Conner Buell, Sr. Security Engineer

Conner brings 6+ years of military cyber operations experience and served as a Cyber Operations Specialist with the work roles of Special Activities Team (SAT) Technician, Expeditionary Cyber Operator (ECO), Information Operations Operator, and Pilot Operator. Conner emulates malicious actors and provides the customer with the knowledge necessary to prevent a security incident before it happens – Simulating Real World Attacks – Before they Become Real…

Redbot Security

Redbot Security is a boutique penetration testing firm with a Sr. Level Team of industry experts. Since Redbot Security is a smaller more specialized penetration testing group, the company is able to focus on building client relationships and delivering a premier customer experience through continuously engaged Senior Engineers.

Learn More about Penetration Testing Services

Penetration Testing Quote
Related Posts
Load More Posts
Who is Redbot Security’s lead engineer?2022-07-26T17:37:56+00:00

Redbot Security’s principal security engineer is Andrew Bindner who is also Redbot Security’s CSO.  Andrew  was formerly a manager at Rapid7 and Coalfire Sr. Penetration Tester with 20+ years of hands-on security experience leading teams or working individually on highly technical engagements for a wide variety of commercial and government industries in IT and security.

Who is Redbot Security?2022-07-27T18:47:42+00:00

Redbot Security is a U.S. based Boutique Penetration Testing company that specializes in Network and Application Testing.  The company employs a small group of highly talented and experienced Sr. Level Engineers.

What is Redbot Security’s Manual Controlled Penetration Testing?2022-08-22T15:06:13+00:00

MCPT® or Manual Controlled Penetration Testing [manual penetration testing] is a controlled assessment of networks and applications that is able to safely identify and validate real world vulnerabilities that are potentially exploitable.  Manual Penetration Testing removes false positives and provides proof of concept reporting along with a exploit storyboard for easier remediation.

What Framework does Redbot Security follow?2022-07-26T17:52:04+00:00


What are the stages in a penetration test?2023-01-22T17:27:15+00:00

The Six Stages of Penetration Testing

  • Discovery. The first phase of penetration testing is OSINT and Discovery.
  • Testing. Testing phase is performed by qualified engineers that utilize both automated and manual exploitation testing techniques and tools
  • Assessment. Determine Risk to organization
  • Knowledge Sharing.  Provide clear results with Remediation planning
  • Remediation.  Organization remediates findings that pose a risk.
  • Retesting. Retesting of remediated vulnerabilities and final report delivery

Learn more about penetration testing services

Redbot Security is a boutique penetration testing house with a team of highly skilled U.S. Based Senior Level Engineers that specialize in providing ‘Penetration Testing Services’ for a wide range of industries.  The Company delivers True Manual Penetration Testing.

To learn more about Penetration Testing Services you can visit our in-depth articles that discuss a wide range of penetration testing services, or visit our Frequently Asked Questions page to quickly find the penetration testing information you are seeking.

If you have specific questions related to a penetration testing project, please reach out to us!

What are Penetration Testing Services?2023-01-22T17:02:57+00:00

Definition: Penetration Testing Services will  simulate a hacking attack and is usually performed by qualified penetration testing companies.  The simulated attack will test the security of networks, applications and devices. Many qualified Penetration testing engineers utilize the same tools and techniques that a malicious actor will use in the real world.  Once the Penetration Test is complete the business is able to access and remediate vulnerabilities that were found within their systems.

Is Redbot Security hiring?2022-07-26T17:38:58+00:00

Yes, Redbot Security is always on the lookout for top talent and pays the industry’s top pay.  You can learn more about opportunities on Redbot Security’s career page.

How long has Redbot Security been in business?2022-07-26T17:44:23+00:00

The company started as a VAR, partnering with Palo Alto, Fortinet and HPE in 2016 and transitioned to Pen-testing Company early 2019.

How do we schedule our service with Redbot Security?2022-07-26T17:28:19+00:00

Service scheduling is easy.  The first step is to contact us via our contact form and let us know what type of project you have.  Once we determine scope we provide a quick cost estimate.  When the estimate is approved we issue a contract and begin scheduling of your project.  We are rapid in our response, delivery of estimate and scheduling.

Does Redbot Security Test Critical Infrastructure?2022-07-26T17:37:42+00:00

Yes.  Redbot Security provides Industrial testing of ICS/SCADA networks that operate water, electric, manufacturing, transportation and more.

Does Redbot Security share a sample report?2022-07-26T17:40:19+00:00

Yes, Redbot Security will share a sample report with potential clients that sign a Mutual NDA and have a valid project.

Does Redbot Security Provide Social Engineering?2023-01-22T17:52:21+00:00

Yes, Redbot Security provides both physical and electronic Social Engineering and will utilize real word tactics to simulate an attack on a company. Want to know more about social engineering?  View Social Hacking article here.

Learn more about penetration testing services

Redbot Security is a boutique penetration testing house with a team of highly skilled U.S. Based Senior Level Engineers that specialize in providing ‘Penetration Testing Services’ for a wide range of industries.  The Company delivers True Manual Penetration Testing.

To learn more about Penetration Testing Services you can visit our in-depth articles that discuss a wide range of penetration testing services, or visit our Frequently Asked Questions page to quickly find the penetration testing information you are seeking.

If you have specific questions related to a penetration testing project, please reach out to us!

Does Redbot Security Provide Retesting?2022-07-26T17:28:10+00:00

Yes,  After your initial penetration test is performed, we deliver your 1st report that has proof of exploits and remediation steps to take to fix issues.  Once your company remediates findings, Redbot Security will perform a retest to validate that your issues have been resolved.  We then deliver a final report and client letter of attestation (if needed).  All of our retesting is built-in to our pricing model.

Does Redbot Security provide MDR?2023-01-23T16:54:31+00:00

No, Redbot Security does not provide Managed Threat Detection and Response, however the company provides Dark Web Monitoring and focuses on Penetration Testing only.

Does Redbot Security have verifiable certifications?2022-07-26T17:50:19+00:00

Yes, the combined team list only certifications that are verifiable.  The current team certifications are as follows:

Amazon Web Services Cloud Practitioner, CompTIA A+ CISSP, Certified Cloudera Administrator for Hadoop (CCAH), Certified Ethical Hacker (CEH), Cisco Certified Network Associate (CCNA), GIAC, CompTIA Linux+, Marine Corp Red Team Operator, Metasploit Professional, Certified Specialist, Nexpose, Certified Administrator (NCA,) Microsoft Certified Professional (MCP), CompTIA Network+, CompTIA IT, Operations Specialist (CIOS), CompTIA Secure Infrastructure Specialist (CSIS), Offensive Security Certified Professional (OSCP), GIAC Certified Penetration Tester (GPEN), Metasploit Professional, Certified Specialist Rapid7, Advanced Vulnerability Manager Rapid7, Network Assault Certified Rapid7, Application Assault Certified, GIAC Exploit Researcher, Advanced Penetration Tester (GXPN), GIAC Mobile Device Security Analyst (GMOB), GIAC Advanced Smartphone Forensics (GASF), GIAC Reverse Engineering Malware (GREM), GIAC Network Forensics Analyst (GNFA), GIAC Certified Intrusion Analyst (GCFA), GIAC Certified Forensic Examiner (GCFE), GIAC Security Essentials (GSEC), Portswigger Burpsuite Certified Practitioner, Cisco Certified Network Associate (CCNA), Cisco Certified Network Associate-wireless, Certified Ethical Hacker (CEH), CompTIA Network+US Navy, Joint Cyber Analyst Course (JCAC)

Does Redbot Security have to be onsite to test?2022-07-26T17:37:50+00:00

No. Redbot Security can test from a remote perspective, however many times with critical system testing Redbot Security will recommend onsite testing.

Does Redbot Security have a corporate office?2022-07-26T17:38:01+00:00

Yes. Redbot Security is located in the heart of Downtown Denver at the Dominion Towers.  Redbot Security’s Corporate office address is 600 17th Street, Denver, Colorado, USA.

Does Redbot Security employ U.S. Based Engineers?2023-01-24T16:02:13+00:00

Yes, due to security concerns, Redbot Security’s Engineering Team is 100% U.S. based, background checked and certified Full-time Sr. Level employees. Redbot Security does not use independent contractors, freelancers or sub contractors.

More Articles You Might Find Useful


Leave A Comment