5

Recently I bought a Raspberry Pi and some wifi adapters with monitoring mode. I installed airodump-ng to detect wifi devices in the vicinity and this seemed to be working well. Over the course of a few days I was able to collect 150 distinct MAC addresses, not only from within my own home but also from the neighbours (assuming this from their WLAN SSIDs).

I had a visitor for a couple of hours whose wifi on his smartphone was on but not connected to my own wifi network, and he didn't show up on airodump-ng. I tested by disconnecting my wifi connection on my phone and I still showed on airodump; this is obviously also the case with my neighbours who have their wifi on but are not connected to my network. Now my question is: why do my neighbours show up and my visitor does not show up? What kind of devices will airodump see and which ones will it not detect?

  • AFAIS, `airodump-ng` only listens to probes from "associated" clients. If the client is associated with any nearby AP, then its probe will be heard. Maybe I am wrong but that's what I observed. – haccks Apr 22 '16 at 12:09

2 Answers

4

My guess is that your visitor owns a Windows Phone.

A Windows Phone does not announce what SSID networks it is looking for, but instead, it will wait for an access point to announce its presence before connecting to it. This can be the reason why you never saw your visitor's phone - it had no need to waste power or privacy on looking for a network it knew was not there. [Where've you been?]

The cost of this feature is that it is not possible to connect to a hidden network (no SSID) unless you configure it to actively send wifi probe requests. Remember, a hidden access point does not broadcast the SSID, and the phone does not know it should connect to it. [Non-broadcast Wireless Networks with Microsoft Windows]

Apple phones, on the other hand, have solved this privacy problem by randomizing the source MAC address for Probe Requests. You can no longer passively identify an iPhone by its MAC address alone - but you should be able to use the list of broadcast SSIDs to create an identity. See for more details: [iOS 8 MAC address randomization]

I suspect the motivation for Apple was different for adding this privacy feature. Being able to identify customers through wifi probes would be in competition with the iBeacon - but that's my conspiracy theory.

I am still waiting for Android to make a similar move. It should not be that easy to uniquely identify a phone, its current whereabouts and past whereabouts with consumer grade electronics. Remember Wifi Enabled Smart Bins

Dog eat cat world
  • I had two visitors: one with an Apple iPhone and one with an Android phone (I forgot which make it was). I am able to detect other iPhones and other Android phones in the house, just not those of my visitors – Héctor van den Boorn Jan 30 '16 at 11:46
  • You might notice that the iPhone will rotate the MAC address when it is probing, but will use its real MAC address when associated with an AP. As for your guest, do you know if he had wifi turned on? I am using an app called Tasker, which turns off Wifi when it cannot detect base stations near my house. – Dog eat cat world Jan 30 '16 at 15:54
  • The wifi was turned on for both devices (although both devices were not connected to wifi) and the phones were being used (they were browsing the web). Could it be that airodump-ng accesses the wifi router and only shows mac addresses that are usually in the neighbourhood of said router? The first time I connected my raspberry pi to the wifi network, I saw multiple addresses via airodump that were not connected to my home network – Héctor van den Boorn Jan 30 '16 at 19:46
  • Maybe your sniffer is not able to receive 802.11n. Otherwise, I cannot explain it. – Dog eat cat world Jan 30 '16 at 23:20
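
Added example (not part of the original answer or comments): the randomization described above is visible in the address itself, because a randomized MAC is locally administered, meaning bit 0x02 of the first octet is set. The sketch reads the station section of an airodump-ng CSV export and separates such addresses from vendor-assigned ones, which shows why a count of distinct MACs can overstate the number of devices. The sample rows are constructed, and the column layout is an assumption about the CSV export.

```python
import csv

# Constructed sample; MACs, timestamps and SSIDs are made up for this example.
SAMPLE = """Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2016-01-30 10:00:01, 2016-01-30 10:05:00, -48, 120, AA:BB:CC:00:00:01,
DA:A1:19:00:00:01, 2016-01-30 10:01:10, 2016-01-30 10:01:12, -70, 3, (not associated) ,
5E:0C:4B:00:00:02, 2016-01-30 10:03:40, 2016-01-30 10:03:41, -71, 2, (not associated) ,
3C:15:C2:00:00:03, 2016-01-30 10:02:00, 2016-01-30 10:04:00, -60, 9, (not associated) ,HomeNet,CoffeeShop
"""

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (not a vendor-assigned address)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_stations(text):
    """Parse the station rows that follow the 'Station MAC' header line."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("Station MAC"))
    stations = []
    for row in csv.reader(lines[start + 1:], skipinitialspace=True):
        if len(row) < 6:          # blank or truncated line
            continue
        mac = row[0].strip().upper()
        stations.append({
            "mac": mac,
            "associated": row[5].strip() != "(not associated)",
            "locally_administered": is_locally_administered(mac),
            # Probed SSIDs are comma-separated, so they spill into extra columns.
            "probes": [p.strip() for p in row[6:] if p.strip()],
        })
    return stations

def summarize(stations):
    """Count rows whose MAC is a stable identifier versus likely rotating ones."""
    local = sum(s["locally_administered"] for s in stations)
    return {"rows": len(stations),
            "locally_administered": local,
            "globally_unique": len(stations) - local}

if __name__ == "__main__":
    for s in parse_stations(SAMPLE):
        kind = "local/random" if s["locally_administered"] else "vendor-assigned"
        print(s["mac"], kind, "associated" if s["associated"] else "probing", s["probes"])
    print(summarize(parse_stations(SAMPLE)))
```
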
0

My guess is that it may depend on the different power of the wireless adapters installed on the devices involved.

I suggest that the adapter installed on their smartphones is less powerful and less capable of being detected than the internal adapter of your neighbour's pc.

On the other hand, the wireless adapter installed on your pc is probably less powerful than your modem (the antenna of a modem is usually more powerful than the integrated one of a wireless adapter for pc).

So I suggest the following scenario ->

  • your modem detects your visitor's smartphones since they connect to your wifi (if they do), but:
  • your pc can't detect them and therefore you don't see their 3g/4g connection while running airodump-ng.
  • your neighbour is using a modem and so the signal of his wifi is powerful enough to be detected by your adapter;
  • your neighbour is connected with his pc whose signal may be more powerful than the signal of the wifi modules of the smartphones.

I suggest repeating the trial while keeping the smartphones closer to your pc.

While running the aircrack-ng suite I also noticed that by using different wireless adapters (both internal and external) I was able to detect different SSIDs.

franz1