Chapter 5. Wireless Reconnaissance

The first order of business for any network reconnaissance is to find the target network. We tend to forget about this step on traditional wired networks because finding the target is almost always a simple matter of routing to its IP address. In the case of wireless reconnaissance, this step cannot be overlooked; in fact, finding your target’s wireless network and all its associated client nodes is what most wireless reconnaissance is all about. After you find the network, most sleuthing about follows the ordinary network scanning methods, as discussed in Chapter 2.

The basic goal of wireless reconnaissance is to locate the target network and gather as much information about its configuration and associated clients as possible. This information includes whatever is needed to connect to the target network, such as network identifiers, authentication credentials, encryption keys, and addressing information.

In the time before the Internet, when networks communicated over point-to-point modem connections, attackers faced a similar problem in locating a target network. The solution was to dial every number in a given area code until the right modem answered. This technique eventually came to be called wardialing.

With wireless networks, we have a similar search problem, but this time, instead of searching through telephone numbers, we are physically searching for the network street by street. Loading up the car with laptops and driving ...
