| name | offensive-wifi-recon |
| description | Wi-Fi reconnaissance methodology — adapter selection, monitor mode and packet injection setup, regulatory domain handling, multi-band airspace mapping, hidden SSID discovery, BSSID/ESSID/channel/PMF/encryption fingerprinting, client probe analysis, vendor OUI lookup, war-driving with Kismet/airodump-ng/Wigle, and structured airspace data capture for downstream attacks. Use at the start of any wireless engagement to build the target map before active attacks; covers 2.4 GHz, 5 GHz, and 6 GHz (Wi-Fi 6E) bands and adapter compatibility for each. |
Wi-Fi Reconnaissance
The first phase of any wireless engagement. Build a complete picture of the airspace before you deauth, evil-twin, or capture handshakes — every later attack depends on knowing the right BSSID, channel, encryption, and client population.
Quick Workflow
- Pick the right adapter for the target's band(s) and PHY
- Verify monitor mode + injection actually work
- Set the regulatory domain (legal channels and TX power)
- Sweep all bands passively
- Drill down on each in-scope BSSID for client population and PMF status
- Record everything in a structured target list before any active attack
Adapter Selection
| Chipset | Strengths | Notes |
|---|
| Atheros AR9271 (Alfa AWUS036NHA) | Solid 2.4 GHz monitor + injection | 802.11n only |
| Realtek RTL8812AU (AWUS036ACH) | Dual-band, injection | Driver: aircrack-ng/rtl8812au |
| MediaTek MT7612U (AWUS036ACM) | Stable dual-band | In-tree driver on modern kernels |
| MediaTek MT7921AU | Wi-Fi 6 monitor (limited) | Patched drivers required |
| AWUS036AXML / AXM | Wi-Fi 6E (6 GHz) | Bleeding edge — verify per release |
lsusb | grep -iE "(atheros|realtek|mediatek|alfa)"
iw dev
iw list | grep -A 8 "Supported interface modes"
iw list | grep -E "Frequencies:" -A 30
Monitor Mode Setup
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up
sudo aireplay-ng --test wlan0mon
The injection test should report 30/30 ack rates against nearby APs. Lower scores indicate driver, antenna, or position issues.
Regulatory Domain
iw reg get
sudo iw reg set US
Setting the right regdomain unlocks legitimate channels (US: 1–11 on 2.4, 36–165 on 5; JP adds 12–13 + 184+ DFS) and TX power. Operate within the regdomain you're authorized to use.
Passive Multi-Band Sweep
sudo airodump-ng wlan0mon --band abg
sudo airodump-ng wlan0mon --band a
sudo airodump-ng wlan0mon --band ax
sudo airodump-ng wlan0mon -c 1,6,11,36,40,44,48
Capture to file for later analysis:
sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv
Targeted Capture
Once you've identified an in-scope BSSID:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0mon
Pin to the channel — channel-hopping during a focused capture loses frames.
Hidden SSIDs
Hidden APs broadcast beacons with empty ESSID. The name leaks during client probes (active scan) or association requests:
sudo aireplay-ng --deauth 1 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
(Only deauth with explicit authorization — see offensive-deauth-disassoc.)
Kismet for War-Driving
sudo kismet -c wlan0mon
Kismet handles GPS integration, plots APs to a map, fingerprints by IE order, identifies probable IoT vendors from OUI prefixes, and tags known-vulnerable models.
For long-running captures, drop --no-ncurses and run headless under tmux.
Wigle Submission
If the engagement permits:
kismetdb_dump_devices --in capture.kismet --out devices.csv
(Wigle aggregates wireless network observations geographically — useful for mapping but check ROE.)
Vendor / OUI Identification
echo "AA:BB:CC" | wireshark-tools/manuf-lookup
Vendor identification informs:
- Likely default credentials (router brand → known defaults)
- Known firmware bugs (CVE per chipset)
- Whether WPS is likely vulnerable (Pixie Dust per chipset)
- Whether KRACK / FragAttacks patches are likely applied (vendor patch cadence)
Data to Record per Target
| Field | Why |
|---|
| BSSID | Required for every active attack |
| ESSID | Match against PNL probes; client probe correlation |
| Channel + width | Pin radio for capture |
| Band | Adapter selection |
| Encryption | WPA2-PSK / WPA2-Enterprise / WPA3-SAE / Open / WEP |
| PMF (Protected Management Frames) | Whether deauth works |
| RSSI | Position planning |
| Beacon interval / TIM | Anomaly detection vs. evil-twin defenders |
| Vendor (OUI) | Likely default creds, known bugs |
| Client list (MACs + RSSI) | Targets for deauth/relay |
| WPS enabled? | Pixie Dust candidate |
Detection Considerations
A defender's WIDS sees:
- New device entering the airspace (probe requests reveal even before association)
- Channel hopping patterns of monitor-mode interfaces
- Non-standard probe behavior (KARMA-style universal responses, see
offensive-evil-twin)
Pure passive recon (no probes from your radio) is invisible to most WIDS deployments. Stay passive until you're committed to the active phase.
Engagement Cheatsheet
sudo airmon-ng check kill && sudo airmon-ng start wlan0
sudo iw reg set US
sudo aireplay-ng --test wlan0mon
sudo airodump-ng wlan0mon --band abg --write recon --output-format pcap,csv
sudo kismet -c wlan0mon --no-ncurses --daemonize
sudo airodump-ng -c <ch> --bssid <BSSID> -w <name> wlan0mon
Key References
