The following article is a discussion that explores Wave Behaviors to Locate Wireless Penetration Testing Points and Devices
Radio Frequencies(RF) are a range of Electro-Magnetic Frequencies(EMF) that Cellular, WiFi, Bluetooth, and other telecommunication technologies are built upon. Radio waves have numerous ways of interacting with an environment. These forms of interaction are referred to as “Wave Behaviors.” The commonly known forms of wave behavior include absorption, reflection, refraction, and diffraction.
When performing a wireless penetration test, it is often important to physically locate and identify scoped wireless access points (APs) and potential Rouge APs. Finding these access points can often be difficult in larger testing sites and requires a degree of skill to do so. Accounting for wave behavior can often make or break attempts to locate APs. Received Signal Strength Indicator(RSSI) is the primary indicator of proximity to wireless devices. In airodump-ng it is displayed under the label PWR. RSSI is measured in dBm(decibel-milliwatts). Measurements are represented as negative numbers, the stronger the RSSI, the closer to 0. In practice, anything higher (closer to zero) than -30 means you are likely close enough to touch the device. Below is an airodump-ng capture taken from antenna inches from a cellphone’s wireless hotspot.
Figure 1: Strong RSSI -Close Proximity to Target
Next is an example of weak RSSI, meaning your antenna is far from the target. In practice, anything lower than -70 indicates that you are either far from the target or have obstructions attenuating the signal.
Figure 2: Weak RSSI – Further from Target
Absorption is one of the easiest to implement and most directly applicable wave behaviors that can be manipulated to find and locate an AP. Water is a potent material for absorbing radio waves. Fortunately, humans are about 70% water, meaning your body can be a crucial element in your wireless penetration toolkit. By placing your body or sometimes even just a hand in front of your antenna and observing the loss of signal strength, you can estimate the target’s general direction. The greater the loss in RSSI, the more likely it is in the direction your hand or body was blocking. This technique is helpful in quickly narrowing down the potential direction of a device without having to walk through every part of a building physically. Often times it is used to determine which direction of a hallway to walk down. Concrete walls are also fairly absorbent and can significantly attenuate signals. Knowing this, if you experience a sharp decline in signal strength after rounding a corner where a concrete or cinder-block wall replaces drywall, then it is likely that the target AP is on the opposite side of that wall.
Understanding reflection can also help in locating access points. Many materials can be reflective. Mirrors and most metals are reflective, some polishes or finishes can make otherwise permeable or absorptive surfaces reflective of RF. Reflection can oftentimes be deceptive and lead a penetration tester into spending time investigating a location that turns out to be a false positive. Concave reflective surfaces create something called a focal point. When situated at or near a focal point, the signal strength will be stronger than the signal closer to or further from the concave reflective surface. This can lead a penetration tester to believe they are standing near the target, even if they are a fair distance away.
Fortunately, it is uncommon (though not extremely rare) to encounter a concave reflective surface large enough to create a focal point capable of deceiving a penetration tester.
A more common example would be a reflective wall (typically metal) or mirror. A reflective wall, depending on the angle, can bounce the signal of an AP from one hallway down a different hall. If approaching from the latter hallway, the penetration tester would experience stronger RSSI as they approached the wall. A penetration tester could reasonably presume that the AP must be on the opposite side of the wall that they are picking up a strong signal from. A tester with a solid understanding of reflection as a wave behavior would note the material of the wall, posit that reflection was in play, look for possible directions the signal could be coming from, and find the AP more expediently.
Despite being very common, refraction is not as evidently applicable to a penetration tester as absorption or reflection. Refraction becomes significantly more impactful in long-distance site-to-site connections. Rain, fog, humidity, pressure, temperature, and other factors can induce refractive behavior, the effect of which is exacerbated by distance. Keeping this in mind can be helpful for a penetration tester conducting a wireless assessment of a large outdoor footprint, but in most cases, it does not apply. Regarding smaller, mostly indoor environments, it can be useful to note that all sorts of materials, including, drywall, wood, plastic, and windows, elicit refractive wave behavior. A pentester should keep in mind that receiving a strong signal in front of a window does not inherently mean that the AP or target device is directly in front of them, on the other side of that window. Refraction could be taking place and altering the angle of the signal. Additionally if the rest of the building is made with stone or cinder-block, diffraction could be pushing signal through the windows.
Diffraction plays a huge factor in the interactions between RF and the local environment, especially in urban or mountainous locations. Thick stone, brick, and cinder-block are common materials that cause diffraction. Within a building, diffraction can “push” signal through hallways, and out doorways or windows. This can create some interesting scenarios depending on the layout of a building and the placement of APs. For example, in a stone hallway aligned in the North-South direction, a penetration tester could get a stronger signal from the north end of the hall despite the AP being on the south end of the building on the other side of the wall. In a diffraction-heavy environment like the one just described, the presence of thick metal doors could also create a scenario where the “flow” of RF can drastically change whether doors are open or closed.
It is also important to remember that diffraction can create something called a dead zone. A dead zone is an area with little to no signal on the outer side of a diffractive object. For example, picture an AP behind a stone wall with a window about two feet above head height running the length of the wall. Diffraction from the wall will cause the signal exiting the window to follow several different angles. Most of the RF waves will push straight out of the window with a decreasing gradient of signal strength when approaching the external face of the wall until there is little to no signal. This creates both a dead zone next to the wall and a “sweet spot” several meters away from the wall. A tester may become deterred by the lack of signal near the wall and follow the increasing signal to the “sweet spot” leading them in the opposite direction of the AP. Understanding this principle can be crucial to finding an AP in a timely manner.
One final note a penetration tester should keep in mind is that diffraction is heavily influenced by the wavelength of the signal, 2.4GHz WIFI diffracts more easily and retains power significantly better than the 5GHz band. This means that 5GHz signal can be “trusted” to a greater degree in environments where diffraction is abundant. For this reason, it is recommended to listen on both frequency bands. Use the 2.4GHz band to get a broad approximate location and the 5GHz band to do the more precise locating. Bluetooth can also be used for ultra-precise identification but is rarely required as the 5GHz band is typically more than accurate enough to get the job done.
The difficulty of physically locating an AP is largely dependent on the environment. Some environments induce a plethora of wave behaviors that can complicate the process. Having a strong understanding of the fundamentals of wave behavior can be integral to the timely and expedient location of a target. Knowledge of wave behavior can allow a penetration tester to use techniques that exploit wave behavior in their favor. Additionally, understanding the fundamentals of radio waves can assist them in avoiding the deceptive nature and effects of wave behaviors. This can help a tester spend less time running around a site hunting for devices, allowing them to successfully locate Rouge APs, and assess the security of the placement of scoped APs and whether they are at risk of easy physical access to a malicious actor.
Conner brings 6+ years of military cyber operations experience and served as a Cyber Operations Specialist with the work roles of Special Activities Team (SAT) Technician, Expeditionary Cyber Operator (ECO), Information Operations Operator, and Pilot Operator. Conner emulates malicious actors and provides the customer with the knowledge necessary to prevent a security incident before it happens – Simulating Real World Attacks – Before they Become Real…
Blattenberger , Kirt. “Understanding Electromagnetic Wave Physics.” RF Cafe, 4 Mar. 2020, https://www.rfcafe.com/references/electrical/electromagnetic-wave-behavior.htm.
Stone, W. (1997), Electromagnetic Signal Attenuation in Construction Materials, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.6055 (Accessed January 5, 2023)
Science Mission Directorate. “Wave Behaviors” NASA Science. 2010. National Aeronautics and Space Administration. 09 Jan. 2023 http://science.nasa.gov/ems/03_behaviors
Book a discovery call or request a rapid quote for services, tailored to your priorities and budget.
From manual testing of IT Networks and Web / Mobile Applications to advanced Red Team operations, Cloud Security, and OT-network assessments, Redbot Security delivers laser-focused, senior-level expertise, without breaking the bank.
America’s critical infrastructure faces rising cyber threats while legacy OT systems and shrinking federal support leave operators exposed. This article explores how Redbot Security uses Purdue and NIST methodologies to deliver safe, manual, and holistic OT network testing that protects ICS environments from real-world disruption.
SOC 2 compliance is now essential for building trust with clients. This step-by-step guide explains the process and how consulting services accelerate success.
Dynamic Application Security Testing (DAST) goes beyond tools. Discover how Redbot Security combines automated scanning with expert penetration testing for proven results.
Zero Trust requires strict verification of people as well as technology. Allowing foreign or crowdsourced hackers into your environment opens the door to sanctions violations, insider threats, and export-control breaches. Learn why U.S. companies should restrict penetration testing to vetted U.S.-based experts.
U.S. critical infrastructure is facing unprecedented cyber risk. This article explores ICS/SCADA security, the Purdue Model, and safe OT penetration testing practices. Discover why layered testing is essential and how Redbot Security helps organizations strengthen defenses against ransomware, remote access threats, and operational disruption.
Prompt injection attacks are a rising AI security risk in 2025. Learn how attackers manipulate LLMs to exfiltrate data, bypass safeguards, and cause real damage, and how Redbot Security uses penetration testing, OWASP frameworks, and risk assessments to defend against this evolving threat..
Redbot Security explains how RAG (Retrieval-Augmented Generation) Testing protects AI systems from prompt injection, data poisoning, and hallucinations
APIs power today’s digital economy but are prime targets for attackers. Redbot Security delivers advanced API penetration testing and compliance-ready reports for PCI DSS, HIPAA, and ISO 27001.
Political shutdowns are dismantling U.S. cyber defenses at the very moment attackers are escalating. Redbot Security warns why proactive penetration testing is critical in 2025.
Red team testing, also called a red team test, simulates real-world cyberattacks to measure detection and response. Discover the process, benefits, common scenarios, and how to choose the right red team testing provider for your organization’s cybersecurity resilience.
APIs power today’s digital economy but are prime targets for attackers. Redbot Security delivers advanced API penetration testing and compliance-ready reports for PCI DSS, HIPAA, and ISO 27001.
Ransomware-as-a-Service is exploding in 2025, giving even low-level hackers nation-state-level power. Discover how Redbot Security’s penetration testing and red team engagements help organizations stay ahead of this growing cyber threat.
Redbot Social