Once you have identified a hotspot, you may want to attack locally connected clients. Specific client attacks will be discussed later in this chapter. The following tool, NetStumbler, can be used to pick out a popular hotspot for attacking clients.
This utility can be used to discover wireless networks, but it is also useful for finding the clients connected to the hotspot. For many years, this utility was the tool of choice for war drivers. The last release was in 2004, but it is still a very functional tool. It performs active scanning only, but has good support for GPS. Figure 9-3 shows a screenshot of how it can be used to discover networks and clients. Popular hotspots are recommended for the client attacks discussed later in this chapter.
NetStumbler also allows you to view signal strength, which can be very useful for finding the right hotspot or client to attack. Figure 9-4 shows the low end of the signal strength for a client you should try to attack. I don't recommend attacking a client with very low signal strength; many of the enumeration and exploit techniques may fail or experience false positives and negatives.
There are many other tools that have the same functionality, ranging from open-source tools to bundled applications designed to help Wi-Fi administrators. Please experiment with all these tools. Some access points have proprietary features that can be used to gather information on hotspot weaknesses. Research your target and you may discover some vendor "features" that can be used to your advantage.