Overview

Reconnaissance is the first step in any wireless engagement. Monitor mode allows passive capture of all 802.11 frames to identify access points, clients, channels, encryption types, and probe requests, without transmitting any packets.

Full Scan (All Bands)

Scan 2.4 GHz, 5 GHz, and 6 GHz bands with manufacturer info and WPS detection:
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon -w ~/wifi/scan --manufacturer --wps --band abg

Focus on Target AP

Lock to BSSID and channel to filter out noise from other networks:
sudo airodump-ng wlan0mon --band abg --manufacturer --bssid <BSSID> -c <CHANNEL> -w ~/wifi/target

Focus on a Single Channel

Once a target is identified, lock to its channel to reduce noise:
sudo airodump-ng wlan0mon -w ~/wifi/scan-ch6 --manufacturer --wps -c 6

Identify Client Probes

Clients broadcast probe requests for networks they have previously connected to. These appear in the lower section of the airodump-ng output, under the Probes column. This information is useful for:
  • Identifying target users
  • Discovering hidden SSIDs a client is looking for
  • Setting up a rogue AP with a matching SSID
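
To triage that probe data offline, here is an added example parser (not part of this page or of the aircrack-ng project) for the CSV file that the -w prefix produces. The capture rows are constructed, and the column layout is assumed to match current airodump-ng releases; the parser reports which probed ESSIDs no captured AP advertises, the names an audit flags because any AP announcing one of them would be joined automatically.

```python
import csv

# Constructed sample in the layout airodump-ng -w writes to <prefix>-01.csv:
# an AP table, a blank line, then a station table whose trailing columns hold
# a variable number of probed ESSIDs. The second AP is hidden (empty ESSID).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40, 120, 0, 0.  0.  0.  0,   8, CorpWifi, 
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -61,  80, 0, 0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -50, 30, 00:11:22:33:44:55,CorpWifi,HomeNet
CC:DD:EE:FF:00:11, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -70, 12, (not associated),HomeNet,CoffeeShop
"""


def parse_airodump_csv(text):
    """Return (aps, stations): aps carry bssid/channel/privacy/essid,
    stations carry mac/bssid/probes. Section is chosen by the header row."""
    aps, stations, section = [], [], None
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if not any(cell.strip() for cell in row):
            continue                      # blank separator line
        if row[0] in ("BSSID", "Station MAC"):
            section = row[0]
            continue
        if section == "BSSID" and len(row) >= 15:
            # The ESSID may itself contain commas: it spans field 13 up to Key.
            aps.append({"bssid": row[0], "channel": int(row[3]),
                        "privacy": row[5].strip(),
                        "essid": ",".join(row[13:-1]).strip()})
        elif section == "Station MAC" and len(row) >= 6:
            stations.append({"mac": row[0], "bssid": row[5].strip(),
                             "probes": [p.strip() for p in row[6:] if p.strip()]})
    return aps, stations


def probed_but_absent(aps, stations):
    """Map each probed ESSID that no captured AP advertises to the set of
    client MACs probing for it (remembered networks that are not present)."""
    advertised = {ap["essid"] for ap in aps if ap["essid"]}
    out = {}
    for st in stations:
        for name in st["probes"]:
            if name not in advertised:
                out.setdefault(name, set()).add(st["mac"])
    return out
```

Run it against the real file with `parse_airodump_csv(open("scan-01.csv").read())`; hidden networks show up as APs with an empty essid.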

Discover Hidden SSID

If an AP is broadcasting with a hidden SSID and no client is connected, probe responses won’t reveal the name. Use mdk4 to brute-force the SSID by sending probe requests.

Build a prefixed wordlist:
awk '{print "wifi-" $1}' ~/rockyou-top100000.txt > ~/wifi-wordlist.txt

Set the interface to the correct channel and launch the probe attack:
iwconfig wlan0mon channel 11
mdk4 wlan0mon p -t <BSSID> -f ~/wifi-wordlist.txt

The AP will respond to the correct SSID, revealing it in airodump-ng.