Finding security configurations on the client
In previous chapters, we have seen how to create Honeypots for open access points, WEP-protected and WPA, but, when we are in the field and see Probe Requests from the client, how do we know which network the probed SSID belong to?
Though this seems tricky at first, the solution to this problem is simple. We need to create access points advertising the same SSID but with different security configurations simultaneously. When a roaming client searches for a network, it will automatically connect to one of these access points based on the network configuration stored on it.
So, let the games begin!