The idea of this article came from a colleague of mine. He wrote a first version of the script described below. I found it very useful and asked his permission to re-use it and to write this blog article. Thanks to him! In the meantime, during my research, I also found that a friend, Didier Stevens, published on his blog the same kind of script, but for an AirPcap adapter. Mine uses any adapter that can be switched to “monitor” mode.
Almost all devices have Wi-Fi interfaces (laptops, tablets, mobile phones, consoles, etc.) and their operating systems have features to easily manage the wireless networks you connect them to. When you connect for the first time to a new network, most users save the information for later use (or the system stores it for you without notification). This small database is used later by the operating system to discover which known networks are available and to automatically connect to them.
This database may contain a lot of interesting data. Some of it may reveal private information like your employer, your ISP, where you go to party, to eat, where you go on holidays or which security conference you attended. Why? Simply because networks are often configured with explicit names. Have a look at the screenshots below, taken from a laptop running Ubuntu:
By default, when a new wireless network is configured, the “auto-connect” flag is enabled. This is the case on Ubuntu, MacOS and Windows 7. What does this mean? Each time you boot your computer or you reconfigure your wireless card, the device sends “Probe Request” management frames over the air. This can be compared to a message like “Hey! Network xxx, are you there?“. Even if your network uses encryption, all those probes are sent in clear! In Wi-Fi technologies, there are several methods available to detect the available networks or SSIDs:
- Probe Requests,
- Probe Responses,
- Association Requests,
- Reassociation Requests
“Probe Requests” are very interesting to capture in order to detect the SSIDs already configured and used by people. To achieve this, we just need a BackTrack 5 system, a Wi-Fi network card that supports monitor mode and some tools. To collect “Probe Requests“, just use the following commands:
# iwconfig wlan0 mode monitor
# iwconfig wlan0 channel <i>
# tshark -i wlan0 subtype probereq
It’s easy but not very convenient! If you keep tshark running for a few hours, you could miss data. The purpose of the script is to automate this process and keep some statistics about the detected probe requests (client MAC addresses and SSIDs). It’s also important to scan all the available channels (1-14) to grab as many SSIDs as possible. This is called “channel hopping” and to achieve this, the script starts a child process which changes the Wi-Fi channel every 5 seconds within an infinite loop. The script syntax is the following:
Usage: ./hoover.pl --interface=wlan0 [--help] [--verbose] [--iwconfig-path=/sbin/iwconfig] [--ipconfig-path=/sbin/ifconfig] [--dumpfile=result.txt]
Where:
  --interface     : Specify the wireless interface to use
  --help          : This help
  --verbose       : Verbose output to STDOUT
  --ifconfig-path : Path to your ifconfig binary
  --iwconfig-path : Path to your iwconfig binary
  --tshark-path   : Path to your tshark binary
  --dumpfile      : Save found SSID's/MAC addresses in a flat file (SIGUSR1)
It will dump all detected SSIDs to the console in a completely passive way. No packets are sent over the air from the scanning host! When you kill the script or wake it up via a SIGUSR1 signal, it will dump all detected SSIDs, MAC addresses, packet counts and the last time each was seen. The example below shows the result of one day of scanning in my neighborhood. 40 SSIDs detected in my area is not bad (I’m living in the countryside).
!! Dumping detected networks:
!! MAC Address          SSID                                Count Last Seen
!! -------------------- ------------------------------ ---------- -------------------
!! 7E-62-89-9E-C4-E4    Billi-Wifi                             43 2012/01/10 22:15:36
!! 07-46-6E-4F-61-4E    Réseau de ******                     2732 2012/01/11 16:28:09
!! 6F-B6-11-2E-AF-74    LA HAGOULLE                             1 2012/01/11 16:17:08
!! 8F-9F-B1-5B-73-C8    Go-Away-Lamerz                         85 2012/01/11 16:28:09
!! 00-ED-E1-3A-A9-1C    wifi94                                  6 2012/01/10 18:25:27
!! E1-28-7F-6A-C6-44    3cles                                   1 2012/01/11 16:17:08
!! 4E-CD-8A-BD-1C-EB    NOW-X-54                               10 2012/01/10 20:08:02
!! 0B-8C-A1-1C-BB-51    CRAPS                                5598 2012/01/11 16:28:09
!! 91-4A-F0-42-A6-63    bbox2-****                              1 2012/01/11 10:48:49
!! 0B-A7-51-ED-E1-FA    SpeedTouchD4288C                        2 2012/01/11 16:17:08
!! C09-C2-23-89-2D-E9   ISFS                                    4 2012/01/10 18:12:25
!! CE-7C-B6-58-39-D3    HAYEZ                                   1 2012/01/11 10:48:49
!! 44-45-60-E6-61-1B    Guest                                   1 2012/01/11 16:17:08
!! 0B-A7-51-ED-E1-FA    bbox2-****                              8 2012/01/11 16:15:11
!! 09-C2-23-89-2D-E9    biblio                                  1 2012/01/11 10:48:49
!! CE-7C-B6-58-39-D3    free-hotspot.com                        2 2012/01/11 16:17:08
!! 37-F3-65-28-35-0C    123EURO                                 1 2012/01/11 16:17:08
!! E4-8F-02-9B-E8-3C    FREE_DELIRIUM                           1 2012/01/11 10:48:49
!! 6E-2C-81-CE-13-E3    bbox2-****                              4 2012/01/10 18:25:27
!! E9-4A-D6-4F-72-0C    chateau_magique                         1 2012/01/11 16:19:07
!! A4-B4-B3-FC-B0-75    WiFi_FD                                 1 2012/01/11 16:17:08
!! E3-9E-A3-9F-A1-F7    TP-LINK_******                        519 2012/01/11 16:10:51
!! DA-6C-E2-D8-D8-A7    bbox2-****                              6 2012/01/10 18:25:27
!! 03-94-41-21-6C-C2    bbox2-****                              3 2012/01/10 18:25:27
!! 27-E3-1F-61-5A-69    linksys-n                               1 2012/01/11 10:48:49
!! 81-8A-48-1B-DF-20    Philips WiFi                            1 2012/01/11 10:48:49
!! 55-C3-BE-F9-63-60    SpeedTouch******                        1 2012/01/11 16:17:08
!! F0-3D-CC-D3-16-A4    blanmont                               27 2012/01/11 16:28:09
!! 7A-19-39-BC-3B-A6    chouchou                                1 2012/01/11 10:48:49
!! 7E-62-89-9E-C4-E4    belgacom                                1 2012/01/11 10:48:49
!! 07-46-6E-4F-61-4E    Réseau UAH                              4 2012/01/10 18:25:27
!! 6F-B6-11-2E-AF-74    dlink                                   5 2012/01/11 10:48:49
!! 8F-9F-B1-5B-73-C8    sagem-****                              1 2012/01/11 16:17:08
!! 00-ED-E1-3A-A9-1C    bbox2-****                              1 2012/01/11 10:48:49
!! E1-28-7F-6A-C6-44    bbox2-****                              2 2012/01/11 10:48:49
!! 4E-CD-8A-BD-1C-EB    QuickWiFi                               1 2012/01/11 16:17:08
!! 91-4A-F0-42-A6-63    bbox2-****                              1 2012/01/11 16:17:08
!! 81-8A-48-1B-DF-20    linksys                                14 2012/01/11 16:19:07
!! 27-E3-1F-61-5A-69    WiFi_6E                                 1 2012/01/11 16:17:08
!! 82-94-05-84-30-ED    Sitecom                                 1 2012/01/11 16:17:08
!! Total unique SSID: 40
Note: the MAC addresses have been randomized using the MAC Address Generator.
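The bookkeeping the script does (count per client MAC and SSID, last time seen, dump on demand) as an added Python example; this is not the hoover.pl script itself. It reads constructed lines in the shape of tshark's "-T fields -e frame.time_epoch -e wlan.sa -e wlan.ssid" output (those field names are an assumption about current Wireshark; the MACs and SSIDs are made up), skips wildcard probes that carry no SSID, and adds a devices_probing_for() check a defender can use to see which of their own devices leak a given network name, such as the corporate SSID, when they are outside the office.

```python
from datetime import datetime, timezone

# Constructed sample input (not a real capture): three tab-separated fields per line,
# epoch time, source MAC, requested SSID. The fifth line is a wildcard probe with an
# empty SSID, which leaks no network name and must not be counted.
SAMPLE = (
    "1326233736.10\t02:00:00:aa:bb:01\tCorpNet-Internal\n"
    "1326233741.52\t02:00:00:aa:bb:01\tCorpNet-Internal\n"
    "1326233745.00\t02:00:00:aa:bb:02\tHotel Lobby Guest\n"
    "1326233750.33\t02:00:00:aa:bb:01\tHomeBox-1234\n"
    "1326233755.80\t02:00:00:aa:bb:02\t\n"
    "1326233760.01\t02:00:00:aa:bb:02\tCorpNet-Internal\n"
)

def parse_probes(text):
    """Yield (epoch, mac, ssid) per probe request; skip wildcard (empty SSID) probes."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ssid = line.split("\t")
        if not ssid:  # broadcast probe: nothing named, nothing to record
            continue
        yield float(ts), mac.upper().replace(":", "-"), ssid

def aggregate(text):
    """Per (mac, ssid): how many probes were seen and when the last one arrived."""
    stats = {}
    for ts, mac, ssid in parse_probes(text):
        entry = stats.setdefault((mac, ssid), {"count": 0, "last_seen": 0.0})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], ts)
    return stats

def unique_ssids(stats):
    return sorted({ssid for _, ssid in stats})

def devices_probing_for(stats, ssid):
    """Defender's check: which client MACs are asking for a given (e.g. corporate) SSID."""
    return sorted(mac for mac, s in stats if s == ssid)

def render(stats):
    """Render the same table the script dumps on SIGUSR1 (timestamps in UTC)."""
    rows = ["%-20s %-30s %10s %s" % ("MAC Address", "SSID", "Count", "Last Seen")]
    for (mac, ssid), e in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        seen = datetime.fromtimestamp(e["last_seen"], timezone.utc).strftime("%Y/%m/%d %H:%M:%S")
        rows.append("%-20s %-30s %10d %s" % (mac, ssid, e["count"], seen))
    rows.append("Total unique SSID: %d" % len(unique_ssids(stats)))
    return "\n".join(rows)
```

Call render(aggregate(SAMPLE)) to get the table; feeding it the output of a live tshark field capture instead of SAMPLE gives the same statistics the script keeps.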
That’s all for the technical part. Now that you have a list of MAC addresses and SSIDs, what can you do with them? How can this script be useful from an attacker's perspective?
First, use this as a “presence detection” mechanism. You can track the presence of people in a specific area. Being at home, I could detect when my neighbor is back home and uses his laptop. The same applies to companies: from outside, you could detect the presence of employees in the office. The more powerful your antenna, the farther away you will be able to detect activity. Then, the detected SSIDs could help you learn a lot about your potential victim. The goal is to “put a face” on the MAC address. You can learn the type of device/ISP they use. You can learn about their habits (and later use them for social engineering): hotel SSIDs, restaurant SSIDs, etc. Some people define SSIDs with personal data: pet names, street addresses, nicknames. Always interesting stuff… If you know that your victim booked a room in a specific hotel, it’s a step forward to asking him to click on a rogue document coming from this hotel. But that’s another story!
The script is available here.