The first order of business for any network reconnaissance is to find the target network. We tend to forget about this step on traditional wired networks because finding the target is almost always a simple matter of routing to its IP address. In the case of wireless reconnaissance, this step cannot be overlooked; in fact, finding your target's wireless network and all its associated client nodes is what most wireless reconnaissance is all about. After you find the network, most sleuthing about follows the ordinary network scanning methods, as discussed in Chapter 2.
The basic goal of wireless reconnaissance is to locate the target network and gather as much information about its configuration and associated clients as possible. This information includes what is needed to connect to the target network such as network identifiers, authentication credentials, encryption keys, and addressing information.
In the time before the Internet when networks would communicate over point-to-point modem connections, attackers had similar problems trying to locate a target network. The solution that was developed was to dial every number in a given area code until they found the right modem. This technique was eventually called wardialing.
With wireless networks, we have a similar search problem, but this time, instead of searching through telephone numbers, we are physically searching for the network street by street. Loading up the car with laptops and driving around has proven to be the most practical and entertaining way to find what we are looking for. This activity has come to be known as wardriving.
Wardriving is easily among the most entertaining parts of a network assessment, and it can provide a fun excuse to get out of the office every once in a while.
The first step to any wireless reconnaissance excursion is acquiring the right gear. A wardriving kit can be made with as little as a laptop and a supported wireless card, but some extra gear can really improve the experience. A well-equipped wardriver often has at least one of the following:
Laptop
Supported wireless card
Power inverter for powering devices on long drives
External magnetic mounted antenna for better reception
GPS receiver capable of interfacing with your laptop
GPRS/EVDO or similar method to connect to the Internet from a car
Not all wireless cards are supported by every application. Some tools require lower-level control over the hardware, so you need to check that your card is supported by each application you plan to use. I will try to give you an up-to-date list of supported wireless adapters for each tool, but as this changes from time to time, you should always check with the software vendor for the most current information. As with most things, it is OK to start out with a bare-bones setup and build up to the ultimate kit as your needs grow.
In most cases, support for a wireless card is determined by the ability of the hardware and its driver to enter a special processing mode called monitor mode (also known as rfmon). In this mode, the driver passes raw 802.11 frames to applications instead of only the traffic addressed to the card's own association. As a general rule, you want to make sure your operating system supports monitor mode with the wireless card you intend to use before you head out.
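Checking monitor-mode support before a trip is a matter of asking the operating system what interface modes the radio's driver exposes. The script below is an added example, not code from the original text: on Linux the `iw list` command prints a "Supported interface modes" section for each radio, and the function parses that section for a `monitor` entry. The two `iw` listings embedded here are constructed, trimmed samples (not captures from any real adapter), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: decide whether a Linux wireless adapter can enter monitor (rfmon)
# mode by parsing the "Supported interface modes" section of `iw list` output.

# Constructed, trimmed sample of `iw list` output for a radio that does support
# monitor mode (not captured from a real adapter).
SAMPLE_IW_LIST='Wiphy phy0
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * monitor
        Band 1:
                Frequencies:
                        * 2412 MHz [1] (20.0 dBm)'

# Constructed sample for a radio whose driver exposes no monitor mode.
SAMPLE_IW_LIST_NO_MONITOR='Wiphy phy1
        Supported interface modes:
                 * managed
                 * AP
        Band 1:
                Frequencies:
                        * 2412 MHz [1] (20.0 dBm)'

# supports_monitor_mode: read `iw list`-style text on stdin; exit 0 if "monitor"
# appears in the Supported interface modes list, 1 otherwise. The list ends at the
# first line that is not a "* mode" bullet, so the per-band frequency bullets
# further down are not mistaken for interface modes.
supports_monitor_mode() {
    awk '
        /Supported interface modes:/ { in_modes = 1; next }
        in_modes && /^[ \t]*\* /    { sub(/^[ \t]*\* /, ""); if ($0 == "monitor") found = 1; next }
        in_modes                    { in_modes = 0 }
        END                         { exit (found ? 0 : 1) }
    '
}

# monitor_mode_verdict: human-readable wrapper around supports_monitor_mode.
monitor_mode_verdict() {
    if supports_monitor_mode; then
        echo "monitor mode: supported"
    else
        echo "monitor mode: not supported"
    fi
}

# Stand-alone use: query the live system when `iw` is installed, otherwise fall
# back to the constructed sample so the script still runs offline.
if command -v iw >/dev/null 2>&1; then
    iw list 2>/dev/null | monitor_mode_verdict
else
    printf '%s\n' "$SAMPLE_IW_LIST" | monitor_mode_verdict
fi
```

Run it as `sh check-monitor.sh` on the laptop you intend to take along; a "not supported" verdict on a live system means the kernel driver for that card will not hand raw 802.11 frames to the tools discussed in this chapter, and you should look for a different adapter or driver before relying on it.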