802.11 networks have three types of frames: data, management, and control. Data frames carry the actual data on the network, and are similar to Ethernet frames. Management frames are used to maintain network configuration and connectivity; they control "plugging in" to the network. Control frames help manage access to the physical medium itself and try to prevent access points and wireless clients from jamming each other's traffic. It is not important that you understand the full details of how all these mechanisms work, but a working understanding of some basic management frames will help you better understand what each application is doing to gather information about a network. The following list describes the most important management frames for collecting information on a network.
The beacon frame is probably the most important frame type for wireless reconnaissance. That is because the purpose of the beacon frame is to advertise the existence and basic configuration of a network. Each beacon contains the network's BSSID as well as the SSID. The beacon also contains some information about basic authentication and encryption for the network.
Sometimes the SSID in beacons is obscured in an effort to make network reconnaissance more difficult. This technique is often referred to as cloaking or masking the SSID; it is supported by most major access points, but is usually disabled by default.
Beacons are sent out at regular intervals, and in addition to advertising a network, they also serve as a way for associated clients to determine their link quality. For this reason, all networks must send out a constant stream of beacon frames, or every client on the network will assume they have lost link and will be disconnected. This comes in handy later.
The probe request frame is almost identical to the beacon frame, but it is sent from wireless clients trying to connect to a network. These contain information about the network they are trying to connect to; later, you will see that they can even give information about networks that are nowhere near the location of the wireless client.
The probe response frame is sent to a client in response to a probe request frame. It contains network capability information and various network configuration values that are useful for data mining.
The authentication request frame is sent by all clients trying to connect to a network. For infrastructure clients, this must be performed before they can proceed to associate with the access point.
There are two forms of authentication supported by this stage of the connection process: open (i.e., no authentication) and shared key. Originally, this type of frame was the primary mechanism used for authentication, but after fatal flaws were discovered in shared key authentication, most networks switched to using mechanisms that operate after the association phase of the connection process. For this reason, you will find most networks today using open authentication at this phase, with a stronger authentication method in use after association.
The authentication response frame is sent in response to an authentication request from a client, and it contains either status information or shared key authentication challenge information.
The association request frame is sent by a client to an access point to create an association between the client and the network. This contains a lot of the same data that the probe request contains, and it must always have the SSID for the network. This can be useful when gathering information about a network that is configured to obscure the SSID information in beacon broadcasts.
The association response frame is sent to a client in response to an association request frame. It contains some minor network information and a status indicating whether the association was created successfully.
The deauthentication and disassociation frames are sent to notify a network node that a given authentication or association has been made invalid and must be reestablished.
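As an added example (not code from the original text), the following Python decodes the management frames described above the way a wireless monitoring tool would: it reads the subtype from the frame control field, the BSSID from Address 3, the privacy bit from the beacon/probe response capability field, and the SSID element from beacons, probe requests and association requests, so that an association request fills in an SSID that a cloaked beacon left empty. The three sample frames are constructed inline, not captured from a real network.

```python
import struct

# Management subtypes named in the text, keyed by the frame-control subtype field
SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
# Bytes of fixed fields that precede the tagged parameters, per subtype
FIXED_LEN = {"beacon": 12, "probe-resp": 12, "assoc-req": 4, "probe-req": 0}

def parse_mgmt(frame):
    """Return (subtype, bssid, ssid, privacy) for a management frame, else None."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:  # frame type 0 = management; data/control are skipped
        return None
    subtype = SUBTYPES.get((fc >> 4) & 0xF, "other")
    bssid = frame[16:22].hex(":")  # Address 3 carries the BSSID in management frames
    body = frame[24:]
    privacy, ssid, off = None, None, FIXED_LEN.get(subtype)
    if subtype in ("beacon", "probe-resp"):  # timestamp(8) + interval(2) + capability(2)
        privacy = bool(struct.unpack_from("<H", body, 10)[0] & 0x0010)  # privacy bit
    while off is not None and off + 2 <= len(body):  # walk (ID, length, value) elements
        tag, ln = body[off], body[off + 1]
        if tag == 0:  # element ID 0 is the SSID; a cloaked network sends it empty
            ssid = body[off + 2:off + 2 + ln].decode("utf-8", "replace")
            break
        off += 2 + ln
    return subtype, bssid, ssid, privacy

def recon(frames):
    """Map each BSSID to its SSID/privacy flag and collect SSIDs that stations probe for."""
    networks, probed = {}, set()
    for parsed in filter(None, map(parse_mgmt, frames)):
        subtype, bssid, ssid, privacy = parsed
        if subtype == "probe-req" and ssid:
            probed.add(ssid)
        elif subtype in ("beacon", "probe-resp", "assoc-req") and ssid is not None:
            entry = networks.setdefault(bssid, {"ssid": "", "privacy": None})
            entry["ssid"] = ssid or entry["ssid"]  # assoc request fills in a cloaked SSID
            if privacy is not None:  # only beacons/probe responses set it here
                entry["privacy"] = privacy
    return networks, probed

def _hdr(subtype, da, sa, bssid):  # constructed 24-byte MAC header, type = management
    return struct.pack("<HH", subtype << 4, 0) + da + sa + bssid + b"\x00\x00"

AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff"), b"\xff" * 6
SAMPLES = [  # constructed frames: cloaked beacon, probe request, association request
    _hdr(8, BCAST, AP, AP) + b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + b"\x00\x00",
    _hdr(4, BCAST, STA, BCAST) + b"\x00\x07HomeNet",
    _hdr(0, AP, STA, AP) + struct.pack("<HH", 0x0411, 10) + b"\x00\x06CorpAP",
]
```

Running `recon(SAMPLES)` reports the AP's SSID as CorpAP with the privacy bit set even though its beacon hid the name, and records HomeNet as a network the station is looking for although no such AP is present.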