The various 802.11 concepts are discussed a lot throughout this chapter. 802.11 is often referred to as wireless Ethernet; in reality, aside from using the same address format, 802.11 is very different. Unlike Ethernet, it is a fairly complicated protocol at the link layer, and a complete description of all its details and idiosyncrasies is beyond the scope of this book. This section discusses the most important parts of the protocol, which should be enough for you to get started using the tools covered here.
802.11 networks can be one of two basic types: infrastructure or ad hoc. These two modes define how the wireless network is organized and influence what information can be gathered from it. Both types of networks are of interest, but for different reasons.
When most people talk about a wireless network, they are usually referring to infrastructure type networks. In this configuration, the network is composed of one or more access points, which coordinate wireless traffic between nodes and usually connect the nodes to a wired network as a router or a bridge. Access points perform a number of functions in an infrastructure mode network, such as transmitting a beacon frame at a regular interval (typically about every 100 ms) to advertise the network to clients (more on this later). They are also responsible for relaying traffic from one wireless client to another. Depending on the configuration, the access point may also act as a central coordinator that determines which clients have access to the channel. When a wireless client connects to an infrastructure mode network, it is said to be associated with that network's access point.
Each access point forms a network called a basic service set or BSS. This network is identified by a globally unique six-octet network ID called a BSSID, which is almost always the MAC address of the access point. Each BSS is part of a (possibly) larger extended service set or ESS. Every ESS is identified by an identifier of up to 32 octets (known as an ESSID or simply an SSID) that is almost always a human-readable string. A network can have many access points on the same ESSID, but each has its own BSSID.
To gain access to this type of network, you need to know the SSID of the target network and the BSSID of the access point you want to associate with; the BSSID is normally learned from the access point's beacons or probe responses. This type of network is ideal for reconnaissance because it is designed so that clients can very easily find the network. As access point technology matures, there are new ways for legitimate users to locate these networks while hiding essential information such as the SSID from potential attackers, with the aim of preventing them from connecting. The most common of these, suppressing the SSID in beacons (often called SSID cloaking), only removes the name from the beacon: the SSID is still sent in the clear in probe requests, probe responses and association requests, so a passive listener recovers it as soon as a legitimate client connects. The tools in this section are designed to find this information.
The second configuration type for wireless networks is ad hoc mode. In this operating mode, there is no access point providing central coordination; the nodes connect to each other in a peer-to-peer fashion. This sort of network is called an independent basic service set or IBSS. Because there is no access point, the BSSID of an IBSS is a randomly generated, locally administered MAC address chosen by the station that starts the network rather than a hardware address. Ad hoc networks also have an SSID associated with them that must be known before a client can connect. There are a number of security implications specific to ad hoc networks (a client that joins one is directly reachable by every peer, with no access point in between), so a wireless security audit should give just as much attention to ad hoc as to infrastructure networks.
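The frame fields behind the concepts above (beacons, the BSSID in address 3, the SSID element, and the ESS/IBSS capability bits that distinguish infrastructure from ad hoc networks, plus the hidden-SSID caveat) can be seen in a small parser. The following is an added example written for this chapter, not code from the book or from any of the tools it covers; the frames it parses are constructed inline with made-up MAC addresses and SSIDs, and it uses only the Python standard library.

```python
"""Minimal parser for 802.11 beacon and probe-response frames (stdlib only).

All frames below are constructed in this file; nothing is captured from a
real network, and the addresses and SSIDs are made up for the example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Frame Control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype.
# Management type is 0; beacon subtype is 8 (0x80), probe response is 5 (0x50).
MGMT_SUBTYPES = {0x80: "beacon", 0x50: "probe response"}
IE_SSID = 0                 # element ID of the SSID information element
SSID_MAX_LEN = 32           # an SSID is 0..32 octets
CAP_ESS = 0x0001            # capability bit: infrastructure BSS (has an AP)
CAP_IBSS = 0x0002           # capability bit: independent BSS (ad hoc)
CAP_PRIVACY = 0x0010        # capability bit: WEP/WPA/WPA2 in use
HDR_LEN = 24                # management-frame MAC header
FIXED_LEN = 8 + 2 + 2       # timestamp, beacon interval, capability info


@dataclass
class NetworkInfo:
    kind: str                 # "beacon" or "probe response"
    bssid: str
    ssid: Optional[str]       # None when hidden (absent, empty or all NULs)
    mode: str                 # "infrastructure", "ad hoc" or "unknown"
    privacy: bool
    beacon_interval_tu: int   # time units of 1024 microseconds


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> NetworkInfo:
    if len(frame) < HDR_LEN + FIXED_LEN:
        raise ValueError("frame too short for a beacon/probe response")
    kind = MGMT_SUBTYPES.get(frame[0] & 0xFC)   # ignore the version bits
    if kind is None:
        raise ValueError(f"unsupported frame control byte {frame[0]:#04x}")
    bssid = mac_str(frame[16:22])               # address 3 carries the BSSID
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, HDR_LEN)

    # Walk the tagged information elements: 1-byte ID, 1-byte length, value.
    ies = {}
    offset = HDR_LEN + FIXED_LEN
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, value)              # keep the first occurrence
        offset += 2 + length

    raw_ssid = ies.get(IE_SSID)
    if raw_ssid is not None and len(raw_ssid) > SSID_MAX_LEN:
        raise ValueError("SSID element longer than 32 octets")
    # Cloaked APs either omit the element, send a zero-length SSID, or fill it
    # with NUL bytes; treat all three as hidden rather than as a real name.
    if not raw_ssid or raw_ssid.count(0) == len(raw_ssid):
        ssid = None
    else:
        ssid = raw_ssid.decode("utf-8", errors="replace")

    if cap & CAP_IBSS:
        mode = "ad hoc"
    elif cap & CAP_ESS:
        mode = "infrastructure"
    else:
        mode = "unknown"
    return NetworkInfo(kind, bssid, ssid, mode, bool(cap & CAP_PRIVACY), interval)


def build_frame(subtype_byte: int, bssid: bytes, ssid: Optional[bytes],
                cap: int, interval: int = 100) -> bytes:
    """Construct a sample frame: header, fixed fields, SSID IE, rates IE."""
    hdr = (bytes([subtype_byte, 0x00]) + b"\x00\x00"      # frame control, duration
           + b"\xff" * 6 + bssid + bssid + b"\x00\x00")   # DA, SA, BSSID, seq ctrl
    body = struct.pack("<QHH", 0, interval, cap)
    if ssid is not None:
        body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])          # supported rates IE
    return hdr + body


def resolve_ssids(frames):
    """Merge frames per BSSID. A name hidden in beacons is filled in by any
    probe response for the same BSSID, which carries the SSID in the clear."""
    seen = {}
    for f in frames:
        info = parse_mgmt_frame(f)
        cur = seen.get(info.bssid)
        if cur is None or (cur.ssid is None and info.ssid is not None):
            seen[info.bssid] = info
    return seen


# Constructed sample frames (made-up addresses, not captured traffic).
AP_MAC = bytes.fromhex("001122334455")
IBSS_MAC = bytes.fromhex("02abcdef0123")     # locally administered, as IBSS IDs are
INFRA_BEACON = build_frame(0x80, AP_MAC, b"CorpWiFi", CAP_ESS | CAP_PRIVACY)
HIDDEN_BEACON = build_frame(0x80, AP_MAC, b"", CAP_ESS | CAP_PRIVACY)
PROBE_RESP = build_frame(0x50, AP_MAC, b"CorpWiFi", CAP_ESS | CAP_PRIVACY)
ADHOC_BEACON = build_frame(0x80, IBSS_MAC, b"peer-net", CAP_IBSS)

if __name__ == "__main__":
    for bssid, info in resolve_ssids([HIDDEN_BEACON, PROBE_RESP, ADHOC_BEACON]).items():
        print(bssid, info.mode, info.ssid, "privacy" if info.privacy else "open")
```

Running the script prints one line per BSSID: the cloaked access point shows up with its real name once the probe response has been merged in, and the IBSS is identified by its locally administered BSSID and the IBSS capability bit rather than by an access point's hardware address. Real captures would come from a monitor-mode interface (for example via a pcap library) rather than from `build_frame`, and would also carry a radiotap header ahead of the 802.11 header, which this parser does not strip.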