Reconnaissance
Wi-Fi reconnaissance is the process of identifying and exploiting wireless networks. Using reconnaissance we can identify unauthorized access points (rogue APs) or malicious devices on a network.
Passive Reconnaissance
By observing beacon frames and probe requests, an attacker can map out access points, clients, and SSIDs (network names). Tools like Wireshark and Kismet can be used for this purpose.
Active Reconnaissance
Using probing we can reach the access point and gather information such as signal strength, device manufacturer, etc.
Deauthentication Attacks - Forcing devices off the network to observe their behaviour
DEMO
A dual-band, monitor-mode-capable Wi-Fi interface is present on the user machine. Let's use Airodump-ng and Horst to analyze the live Wi-Fi traffic.
Let's start by typing airmon-ng to check whether airmon is present on the machine.
Again we are trying to enable monitor mode and listen on channel 13 by setting it up on the interface. We sent 30 packets to the access point, and from this we can see that none of them came back to the client. So it shows that we cannot transmit on channel 13.
That is fine, but why can't we transmit on channel 13? Let's explore it further.
From the screenshot we can see that channel 13 is flagged (no IR), which means no initiating radiation: we are not allowed to talk first on that channel.
2467 MHz [12] (20.0 dBm) (no IR)
2472 MHz [13] (20.0 dBm) (no IR)
2484 MHz [14] (20.0 dBm) (no IR)
Using this command: root@root:~# iw reg get
we can see that channels 12, 13 and 14 are passive-scan only. Hence we can't inject on those channels.
(2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
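To check this without reading the output by eye, here is an added example (not part of the original demo) that parses `iw list` and `iw reg get` text and reports which channels the regulatory domain lets the card transmit on first. The sample outputs are constructed: the three "(no IR)" lines and the PASSIVE-SCAN rule are the ones shown above, the rest are added for contrast, and the rule-matching model is a simplification rather than the kernel's exact logic.

```python
import re

# Constructed `iw list` sample: the three "(no IR)" lines are those shown above, channel 11 is added for contrast.
IW_LIST_SAMPLE = """\
            * 2462 MHz [11] (20.0 dBm)
            * 2467 MHz [12] (20.0 dBm) (no IR)
            * 2472 MHz [13] (20.0 dBm) (no IR)
            * 2484 MHz [14] (20.0 dBm) (no IR)
"""
# Constructed `iw reg get` sample in world-regdom style; the second rule is the PASSIVE-SCAN line shown above.
IW_REG_SAMPLE = """\
country 00: DFS-UNSET
    (2402 - 2472 @ 40), (N/A, 20), (N/A)
    (2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    (2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM, PASSIVE-SCAN
"""
FREQ_RE = re.compile(r"\*\s+(\d+) MHz \[(\d+)\](.*)")
RULE_RE = re.compile(r"\((\d+) - (\d+) @ \d+\)")
NO_TX_FLAGS = {"PASSIVE-SCAN", "NO-IR"}  # older iw prints PASSIVE-SCAN, newer prints NO-IR

def no_ir_channels(iw_list_output):
    """Map channel -> centre MHz for every channel `iw list` marks "(no IR)" or "(disabled)"."""
    blocked = {}
    for line in iw_list_output.splitlines():
        m = FREQ_RE.search(line)
        if m and ("no IR" in m.group(3) or "disabled" in m.group(3)):
            blocked[int(m.group(2))] = int(m.group(1))
    return blocked

def reg_rules(iw_reg_output):
    """Parse `iw reg get` rules into (start_mhz, end_mhz, flags) tuples."""
    rules = []
    for line in iw_reg_output.splitlines():
        m = RULE_RE.search(line)
        if m:  # flags are the comma-separated tokens after the last ')' on the rule line
            flags = {t.strip() for t in line.rsplit(")", 1)[1].split(",") if t.strip()}
            rules.append((int(m.group(1)), int(m.group(2)), flags))
    return rules

def channel_centre_mhz(channel):
    """2.4 GHz channel number -> centre frequency; channel 14 (2484 MHz) is the exception."""
    return 2484 if channel == 14 else 2407 + 5 * channel

def can_initiate_on(channel, iw_reg_output, width_mhz=20):
    """True if a rule without a passive-scan flag fully contains the channel's bandwidth.
    Simplified model of the kernel's rule matching (an assumption, not its exact logic)."""
    lo = channel_centre_mhz(channel) - width_mhz // 2
    hi = channel_centre_mhz(channel) + width_mhz // 2
    return any(s <= lo and hi <= e and not f & NO_TX_FLAGS
               for s, e, f in reg_rules(iw_reg_output))
```

On a live machine, pass the captured text of `iw list` and `iw reg get` in place of the two samples; channels that `no_ir_channels` reports and `can_initiate_on` rejects are the ones where only passive listening is permitted.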