WiFi Reconnaissance

Reconnaissance
🌱 Beginner
T1040 T1592

Reconnaissance involves discovering available networks (ESSIDs), their security configurations, and connected clients.

What to Record During Recon

For each target AP note: BSSID, channel, encryption type (ENC), signal strength (PWR), and the number of associated clients. A strong signal (PWR > -60) and active clients make an ideal handshake target. Save airodump-ng output with -w (and --output-format csv if you want to parse it) so you can re-analyse it offline.
wifi-recon.sh (bash):
# Scan for networks with airodump-ng
sudo airodump-ng wlan0mon

# Target specific channel and BSSID
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Output columns explained:
# BSSID - Access point MAC address
# PWR - Signal strength in dBm (closer to 0 = stronger / nearer)
# Beacons - Beacon frames received
# #Data - Data frames captured
# CH - Channel
# ENC - Encryption (WPA2, WEP, OPN)
# ESSID - Network name

# Scan for hidden networks
sudo airodump-ng wlan0mon
# Hidden networks show <length: X> instead of ESSID

# Reveal hidden ESSID (wait for client probe or deauth)
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF wlan0mon

# Save results in different formats
sudo airodump-ng -w output --output-format pcap,csv,kismet wlan0mon

# Kismet (advanced scanner)
sudo kismet -c wlan0mon
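The offline re-analysis mentioned above, as an added example that is not part of this page or of the aircrack-ng project: a small Python parser for the CSV that airodump-ng writes with -w <prefix> --output-format csv. It rebuilds the recon table (BSSID, channel, ENC, PWR, client count), flags open/WEP networks and hidden ESSIDs, and tallies which names unassociated clients are probing for, which is also how a wireless survey spots devices still looking for a retired or look-alike SSID. The sample CSV is constructed (made-up MACs), the two-section layout (AP table, blank line, "Station MAC" table, fields separated by ", ") follows the airodump-ng CSV format, and treating an empty ESSID with a non-zero ID-length as a hidden network is an assumption.

```python
import csv
from collections import Counter

# Constructed sample in the two-section layout airodump-ng writes for
# "-w <prefix> --output-format csv" (not a real capture; MACs are made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -48,  120,   35,   0.  0.  0.  0,   9, HomeNet01,
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP, WEP, , -72,   80,  410,   0.  0.  0.  0,   6, OldCam,
AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN, , , -55,  200,    0,   0.  0.  0.  0,   9, FreeGuest,
AA:BB:CC:DD:EE:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -81,   30,    0,   0.  0.  0.  0,   8, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,   300, AA:BB:CC:DD:EE:01, HomeNet01
11:22:33:44:55:02, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -60,   120, AA:BB:CC:DD:EE:01,
11:22:33:44:55:03, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -70,    10, (not associated), HomeNet01,CoffeeShop
11:22:33:44:55:04, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -58,    40, AA:BB:CC:DD:EE:03,
"""

WEAK_PRIVACY = {"OPN", "WEP"}   # no or broken encryption: worth flagging in any survey
STRONG_SIGNAL_DBM = -60         # the page's "PWR > -60" threshold


def parse_airodump_csv(text):
    """Split an airodump-ng CSV into (access_points, stations), each a list of dicts."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    ap_hdr = next(i for i, ln in enumerate(lines) if ln.startswith("BSSID"))
    st_hdr = next((i for i, ln in enumerate(lines) if ln.startswith("Station MAC")), len(lines))

    aps = []
    for row in csv.reader(lines[ap_hdr + 1:st_hdr], skipinitialspace=True):
        if len(row) < 14:
            continue  # blank separator line or truncated row
        aps.append({
            "bssid": row[0],
            "channel": int(row[3]),
            "privacy": row[5].strip(),      # the ENC column of the live display
            "power": int(row[8]),           # PWR in dBm
            "id_length": int(row[12]),
            "essid": row[13].strip(),
        })

    stations = []
    for row in csv.reader(lines[st_hdr + 1:], skipinitialspace=True):
        if len(row) < 6:
            continue
        stations.append({
            "mac": row[0],
            "power": int(row[3]),
            "bssid": row[5].strip(),        # "(not associated)" for roaming clients
            # airodump-ng joins probed ESSIDs with commas, so they spill into the
            # remaining columns; collect them back into one list.
            "probes": [p.strip() for p in row[6:] if p.strip()],
        })
    return aps, stations


def build_inventory(text):
    """Per-AP summary: the recon columns plus client count and the flags worth recording."""
    aps, stations = parse_airodump_csv(text)
    clients = Counter(s["bssid"] for s in stations if s["bssid"] != "(not associated)")
    inventory = []
    for ap in aps:
        # Assumption: an empty ESSID with a non-zero ID-length is a hidden network,
        # which the live display shows as <length: X>.
        hidden = ap["essid"] == "" and ap["id_length"] > 0
        inventory.append({
            **ap,
            "label": f"<length: {ap['id_length']}>" if hidden else ap["essid"],
            "hidden": hidden,
            "clients": clients.get(ap["bssid"], 0),
            "weak_encryption": ap["privacy"] in WEAK_PRIVACY,
            "strong_signal": ap["power"] > STRONG_SIGNAL_DBM,
        })
    return inventory


def probed_essids(stations):
    """Count which network names clients are probing for (reveals hidden or
    retired SSIDs that devices still search for)."""
    return Counter(p for s in stations for p in s["probes"])


def format_inventory(inventory):
    """Render the inventory as fixed-width text lines, header first."""
    lines = [f"{'BSSID':<18}{'CH':>3} {'ENC':<5}{'PWR':>5} {'CLIENTS':>7}  ESSID  FLAGS"]
    for ap in inventory:
        flags = [name for name, on in (("weak-enc", ap["weak_encryption"]),
                                       ("hidden", ap["hidden"]),
                                       ("strong", ap["strong_signal"])) if on]
        lines.append(f"{ap['bssid']:<18}{ap['channel']:>3} {ap['privacy']:<5}"
                     f"{ap['power']:>5} {ap['clients']:>7}  {ap['label']}  {','.join(flags)}")
    return lines


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_CSV)
    print("\n".join(format_inventory(inv)))
    _, stations = parse_airodump_csv(SAMPLE_CSV)
    print("\nProbed ESSIDs:", dict(probed_essids(stations)))
```

To use it on a real capture, read the `<prefix>-01.csv` file that airodump-ng wrote and pass its contents to build_inventory. One caveat: airodump-ng does not quote fields, so an ESSID that itself contains a comma will be split across columns by any CSV parser, including this one.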

🎯 Practice Labs

Practice wireless recon techniques in isolated environments.

🏠 WiFi Hacking 101 (TryHackMe, easy)
Tags: airodump-ng, BSSID/ESSID enumeration, client discovery
🔧 Wireless Recon Lab (Custom Lab, easy)
Tags: kismet scanning, hidden SSID reveal, passive monitoring