WiFi Reconnaissance

Reconnaissance

Reconnaissance is the passive phase: with the adapter in monitor mode you listen for beacons and client traffic to discover nearby access points (BSSID and ESSID), their channel and security configuration (encryption, cipher, authentication), and the clients associated with each of them, without transmitting anything yourself.

wifi-recon.sh
bash
# Put the adapter into monitor mode first; airodump-ng needs a monitor
# interface (airmon-ng normally creates wlan0mon from wlan0)
sudo airmon-ng check kill   # stop NetworkManager/wpa_supplicant so they don't grab the card
sudo airmon-ng start wlan0

# Scan for networks with airodump-ng (hops across all channels by default)
sudo airodump-ng wlan0mon

# Lock onto one channel and BSSID and write the frames to capture-01.cap
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Output columns explained:
# BSSID   - Access point MAC address
# PWR     - Signal level in dBm; values are negative, so -40 is stronger (closer)
#           than -80, and -1 means the driver does not report signal strength
# Beacons - Beacon frames received from the AP
# #Data   - Data frames captured (handshakes and WEP IVs come from these)
# CH      - Channel
# ENC     - Encryption: WPA2, WPA, WEP, or OPN (no encryption); the CIPHER and
#           AUTH columns next to it give the cipher (CCMP/TKIP) and key
#           management (PSK/MGT)
# ESSID   - Network name

# Hidden networks: the ESSID column shows <length: X> instead of a name,
# where X is the length of the suppressed ESSID
sudo airodump-ng wlan0mon

# Reveal a hidden ESSID: the AP leaves it out of beacons, but a client sends it
# in probe requests and association frames. Lock onto the AP's channel and
# wait for a client to connect, or deauth an already-connected client so it
# reconnects while you are listening; airodump-ng fills in the name when it sees it
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF wlan0mon

# Save results in several formats at once
# (writes output-01.cap, output-01.csv and output-01.kismet.csv)
sudo airodump-ng -w output --output-format pcap,csv,kismet wlan0mon

# Kismet (passive scanner with its own web UI; -c names the capture source)
sudo kismet -c wlan0mon
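The CSV that `-w ... --output-format csv` writes is the easiest thing to post-process once a scan has run for a while. The script below is an added example, not code from the original page or from the aircrack-ng project: it parses that CSV into access points and stations and pulls out the items a recon pass is looking for (hidden ESSIDs and the clients that can reveal them, open and WEP networks, clients probing for networks they remember). `SAMPLE_CSV` is constructed to mimic airodump-ng's CSV layout (an AP table, a blank line, then a station table); every MAC address and network name in it is made up, and the assumption that a hidden network appears as an empty ESSID field with a non-zero ID-length is ours.

```python
"""Parse airodump-ng CSV output (e.g. capture-01.csv) and summarise it.

Added example, not part of the original page or of aircrack-ng. The sample
below is constructed to mimic the airodump-ng CSV layout; all values are fake.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample (not real capture data), laid out like airodump-ng's CSV.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -47,      120,        0,   0.  0.  0.  0,   8, HomeNet1,
11:22:33:44:55:66, 2024-01-01 10:00:02, 2024-01-01 10:05:00, 11,  54, OPN,  ,  , -71,       30,        0,   0.  0.  0.  0,   9, CafeGuest,
22:33:44:55:66:77, 2024-01-01 10:00:05, 2024-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -63,       80,        0,   0.  0.  0.  0,   6, ,
33:44:55:66:77:88, 2024-01-01 10:00:07, 2024-01-01 10:05:00,  6,  11, WEP,  WEP,  , -80,       12,      540,   0.  0.  0.  0,   7, OldLink,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,       25, AA:BB:CC:DD:EE:FF, HomeNet1
DE:AD:BE:EF:00:02, 2024-01-01 10:01:30, 2024-01-01 10:05:00, -60,        5, (not associated), CorpWiFi,Airport-Free
DE:AD:BE:EF:00:03, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -58,       40, 22:33:44:55:66:77,
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str        # the ENC column: WPA2, WPA, WEP, OPN
    cipher: str
    auth: str
    power: int          # dBm; -1 means the driver reports no signal level
    essid_len: int
    essid: str
    clients: list = field(default_factory=list)

    @property
    def hidden(self) -> bool:
        # On screen airodump-ng shows "<length: N>"; we assume the CSV carries
        # a blank ESSID with ID-length still set to N for such networks.
        return self.essid == "" and self.essid_len > 0


@dataclass
class Station:
    mac: str
    power: int
    bssid: str          # "(not associated)" when the client is only probing
    probed: list        # ESSIDs the client asked for in probe requests


def _rows(section: str):
    """Yield stripped CSV rows, skipping blank lines and header lines."""
    for row in csv.reader(io.StringIO(section)):
        row = [f.strip() for f in row]
        if row and row[0] not in ("", "BSSID", "Station MAC"):
            yield row


def parse_airodump_csv(text: str):
    """Return ({bssid: AccessPoint}, [Station]); clients are linked to APs."""
    ap_part, _, sta_part = text.partition("\n\n")   # blank line splits the tables
    aps = {}
    for r in _rows(ap_part):
        if len(r) < 14:
            continue
        aps[r[0]] = AccessPoint(bssid=r[0], channel=int(r[3]), privacy=r[5],
                                cipher=r[6], auth=r[7], power=int(r[8]),
                                essid_len=int(r[12]), essid=r[13])
    stations = []
    for r in _rows(sta_part):
        if len(r) < 6:
            continue
        # "Probed ESSIDs" is itself comma-separated, so it spans r[6:].
        sta = Station(mac=r[0], power=int(r[3]), bssid=r[5],
                      probed=[p for p in r[6:] if p])
        stations.append(sta)
        if sta.bssid in aps:
            aps[sta.bssid].clients.append(sta.mac)
    return aps, stations


def recon_summary(text: str) -> dict:
    """The checks a first airodump-ng pass is usually run for."""
    aps, stations = parse_airodump_csv(text)
    return {
        # Strongest signal first; -1 (no signal data) sinks to the bottom.
        "by_signal": [ap.bssid for ap in sorted(
            aps.values(), reverse=True,
            key=lambda a: a.power if a.power != -1 else -999)],
        "open": [ap.bssid for ap in aps.values() if ap.privacy == "OPN"],
        "wep": [ap.bssid for ap in aps.values() if ap.privacy == "WEP"],
        # A hidden AP's name shows up when one of its clients (re)associates,
        # so the clients listed here are the ones worth waiting on.
        "hidden": {ap.bssid: {"length": ap.essid_len, "clients": ap.clients}
                   for ap in aps.values() if ap.hidden},
        # Unassociated clients leak the networks they remember via probes.
        "unassociated_probes": {s.mac: s.probed for s in stations
                                if s.bssid == "(not associated)" and s.probed},
    }


if __name__ == "__main__":
    for key, value in recon_summary(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Point it at a real file with `recon_summary(open("capture-01.csv").read())`; the only format-specific assumptions are the blank line between the two tables and the column positions shown in the sample header rows.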