Normally, when a wireless client such as a laptop is turned on, it will probe for networks it has previously connected to. These networks are stored in a list called the Preferred Network List (PNL) on Windows-based systems. Also, along with this list, the wireless client will display any networks available in its range.
A hacker may do one or more of the following things:
Silently monitor the probes and bring up a fake access point with the same ESSID the client is searching for. This will cause the client to connect to the hacker machine, thinking it is the legitimate network.
Create fake access points with the same ESSID as neighboring ones to persuade the user to connect to him. Such attacks are very easy to conduct in coffee shops and airports where a user might be looking to connect to a Wi-Fi connection.
Use recorded information to learn about the victim's movements and habits, as we show in detail in a later chapter.