Recon

airodump-ng wlan0

The interface must already be in monitor mode (airmon-ng is the usual way to put it there). airodump-ng then hops across channels and lists every access point and station whose frames it captures.

From the image below we can get the following information:

  • The wireless network with the ESSID "Corporate" has the BSSID (the MAC address of the access point) 68:7F:77:C2:C2:9A.

  • The Corporate network uses WPA2 with a pre-shared key (WPA2-PSK).

  • The Corporate network is running on channel 1.

  • One device is connected to the Corporate network. The MAC address of this device is 02:00:00:00:07:00.

  • PWR is the signal level reported by the card, in dBm: the higher the value (the closer to 0), the closer the access point or client is to the capturing interface, not to each other. It is the first thing to check when deciding which network can realistically be attacked from where you sit.

A PWR of -1 on every row means the driver doesn't support signal level reporting. A PWR of -1 on only some stations means their own transmissions are out of range of the card and they were seen only through the frames the access point sent to them.

Hidden SSID

The image below shows an example of a hidden SSID: airodump-ng displays the ESSID as <length: 0> (or <length: N> when the beacon advertises an N-byte SSID filled with zeros). Hiding the SSID is not a security control: the name still travels in the clear in probe responses and association requests, so it is revealed as soon as a client connects or reconnects.

Monitoring on 2.4 GHz and 5 GHz

It is important to monitor both the 2.4 GHz and 5 GHz bands. By default airodump-ng hops over the 2.4 GHz channels only, so a capture started without the --band abg option (on a card that supports 5 GHz) misses every access point and connected device on 5 GHz, including 5 GHz BSSIDs of the very network being assessed.

The two images below show that some BSSIDs of the EvilCorp network are missing when only 2.4 GHz is monitored.

Tips and tricks to identify connected clients

Connected clients are sometimes absent from the monitoring screen. This happens when no frames were exchanged between the access point and the device while the capture was on its channel: an idle client sends nothing, and a channel-hopping capture only spends a fraction of its time on each channel. Lock airodump-ng to the target's channel and BSSID first, then send a few deauthentication frames to that BSSID (for example with aireplay-ng): the clients reconnect, and the association traffic makes them visible. Deauthentication is disruptive and easy for a wireless IDS to spot, so keep it to the networks in scope.

Probing clients

The image below shows two probing clients. Probe requests are sent by a device looking for networks it already knows, and they can carry the SSIDs of those networks in the clear. The set of networks a device has previously joined is its Preferred Network List (PNL). Because a device keeps probing for them wherever it is, an attacker can use the probed SSIDs to identify or track a user from the places the device has connected to before. Modern phones limit this exposure by randomizing the MAC address used for probing and by sending mostly broadcast probes without an SSID, so the probed list is often empty for recent devices.
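As an added example (not part of the original page), the Python below parses the CSV that airodump-ng writes when started with -w <prefix> (it appears as <prefix>-01.csv) and answers the questions raised in the sections above: which networks hide their SSID, which BSSIDs a 2.4 GHz-only capture would miss, which clients are associated with which BSSID, which unassociated clients are probing and for which SSIDs, and which rows carry a PWR of -1. The column layout is airodump-ng's own; the sample capture embedded in the script is constructed (the Corporate AP and its client use this page's values, every other BSSID, MAC and SSID is invented), and the class and function names are this example's, not aircrack-ng's.

```python
"""Summarise an airodump-ng CSV (written by -w <prefix> as <prefix>-01.csv): APs,
hidden SSIDs, 5 GHz BSSIDs, associated clients and the probe lists of unassociated clients.
Column order is airodump-ng's; the helper names are this example's own."""
import sys
from dataclasses import dataclass, field

NOT_ASSOCIATED = "(not associated)"

# Constructed sample in airodump-ng's CSV layout. The Corporate AP and its client
# carry this page's values; the other BSSIDs, MACs and probed names are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
68:7F:77:C2:C2:9A, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   9, Corporate, 
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -71,       30,        0,   0.  0.  0.  0,   0, , 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 130, WPA2, CCMP, PSK,  -1,       12,        0,   0.  0.  0.  0,   8, EvilCorp, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:07:00, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -50,       20, 68:7F:77:C2:C2:9A, Corporate
02:00:00:00:08:00, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -62,        5, (not associated), Home-WiFi,CoffeeShop Guest
02:00:00:00:09:00, 2024-01-01 10:02:00, 2024-01-01 10:04:00,  -1,        3, (not associated), 
"""

@dataclass
class AccessPoint:
    bssid: str
    channel: int     # 1-14 is 2.4 GHz; airodump-ng hops only there without --band abg
    privacy: str
    auth: str
    power: int       # signal level at the capturing card; -1 = not reported
    id_length: int   # SSID length from the beacon (what <length: N> shows)
    essid: str       # blank for a hidden SSID
    clients: list = field(default_factory=list)

    @property
    def hidden(self) -> bool:
        return self.essid == ""

    @property
    def band(self) -> str:
        return "2.4GHz" if self.channel <= 14 else "5GHz"

@dataclass
class Station:
    mac: str
    power: int
    bssid: str    # NOT_ASSOCIATED for a client that is only probing
    probes: list  # SSIDs from its probe requests: the observable part of its PNL

def parse_airodump_csv(text: str):
    """Return ({bssid: AccessPoint}, [Station]) from airodump-ng CSV text."""
    aps, stations, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
        elif line.startswith("Station MAC,"):
            section = "sta"
        elif section == "ap":
            f = line.split(",")
            if len(f) < 15:
                continue
            # ESSID spans every field between ID-length and the trailing Key
            # column, so a name containing commas is reassembled intact.
            ap = AccessPoint(bssid=f[0].strip(), channel=int(f[3]),
                             privacy=f[5].strip(), auth=f[7].strip(),
                             power=int(f[8]), id_length=int(f[12]),
                             essid=",".join(f[13:-1]).strip())
            aps[ap.bssid] = ap
        elif section == "sta":
            f = line.split(",", 6)  # probed ESSIDs are comma-joined: keep the tail whole
            if len(f) < 6:
                continue
            st = Station(mac=f[0].strip(), power=int(f[3]), bssid=f[5].strip(),
                         probes=[p.strip() for p in (f[6] if len(f) > 6 else "").split(",") if p.strip()])
            stations.append(st)
            if st.bssid in aps:
                aps[st.bssid].clients.append(st.mac)
    return aps, stations

def recon_summary(aps, stations):
    """The questions this page asks, answered from the capture."""
    return {
        "hidden": [ap.bssid for ap in aps.values() if ap.hidden],
        "5ghz": [ap.bssid for ap in aps.values() if ap.band == "5GHz"],
        "clients": {b: ap.clients for b, ap in aps.items() if ap.clients},
        "probing": {s.mac: s.probes for s in stations if s.bssid == NOT_ASSOCIATED and s.probes},
        # PWR -1: driver gave no level or, for a station, only the AP side was in range
        "no_signal": [ap.bssid for ap in aps.values() if ap.power == -1]
                     + [s.mac for s in stations if s.power == -1],
    }

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV)
    for ap in aps.values():
        print(ap.bssid, ap.channel, ap.band, ap.privacy, ap.auth, ap.power, ap.essid or f"<length: {ap.id_length}>", ap.clients)
    print(recon_summary(aps, stations))
```

Run it with no arguments to parse the embedded sample, or pass the path of a real <prefix>-01.csv. One caveat: airodump-ng does not quote fields, so a probed SSID that itself contains a comma cannot be told apart from two SSIDs; the AP table is safe because the ESSID sits between two fixed columns.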
