2

A similar question was answered here for sniffing MAC addresses from clients connected to 802.11 wireless access points. My question is, is it possible to sniff MAC addresses from clients which are currently not connected to an access point? For example, does an active WiFi on a smartphone or PC broadcast its MAC address when it is searching for access points, or is it only in receiving mode?

Captain Normal
  • There are many articles online and in the news citing privacy concerns about this functionality; how you can be tracked based on your wireless MAC address. This is why many systems now randomize their MAC address while scanning. – multithr3at3d Dec 11 '17 at 20:29
  • @korockinout13 - You'd ideally want to keep the randomised MAC for then connecting to the AP. Otherwise the tracker can just imitate the AP and wait for the connection request to get the real MAC. – Hector Dec 12 '17 at 09:09

2 Answers

5

802.11 devices send probe requests to identify if a given network is nearby. Probe requests still contain standard MAC headers, which would contain destination and sender address fields. The destination address would be set to the broadcast address ("ff:ff:ff:ff:ff:ff"), but yes, in normal client operation you would expect the client to fill their own address into the sender address field.

Hector
  • Now that I know what it's called, searching the internet for "802.11 probe request" provides plenty of further information. – Captain Normal Dec 12 '17 at 12:14
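
The header layout described in this answer, as an added example that is not part of the original answer or comments: a parser for the probe request MAC header that also checks the sender's locally administered bit, a heuristic for the MAC randomization mentioned in the comments on the question. It assumes bare frames (no radiotap header, no FCS); all function names and sample frames are constructed for illustration.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_probe_request(frame: bytes) -> dict:
    """Parse a bare 802.11 probe request (assumed: no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    # Frame control, duration, addr1 (destination), addr2 (sender), addr3 (BSSID), sequence
    fc, _dur, da, sa, bssid, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (version, ftype, subtype) != (0, 0, 4):
        raise ValueError("not a probe request (management type 0, subtype 4)")
    # Walk the tagged elements after the header; element ID 0 carries the SSID.
    ssid, pos = None, 24
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            break  # truncated element: stop instead of trusting the length byte
        if eid == 0:
            ssid = body.decode("utf-8", errors="replace")
            break
        pos += 2 + elen
    return {
        "destination": fmt_mac(da),
        "sender": fmt_mac(sa),
        "bssid": fmt_mac(bssid),
        "to_broadcast": fmt_mac(da) == BROADCAST,
        # Heuristic: randomized addresses set the locally administered bit (0x02).
        "sender_locally_administered": bool(sa[0] & 0x02),
        "ssid": ssid,  # "" means wildcard SSID
    }

def build_sample(sender_hex: str, ssid: bytes = b"") -> bytes:
    """Constructed test frame: probe request to broadcast with one SSID element."""
    header = bytes.fromhex("40000000") + b"\xff" * 6 + bytes.fromhex(sender_hex)
    return header + b"\xff" * 6 + b"\x00\x00" + bytes([0, len(ssid)]) + ssid

SAMPLE_RANDOMIZED = build_sample("daa119000001")            # constructed
SAMPLE_GLOBAL = build_sample("001122334455", b"HomeNet")    # constructed

if __name__ == "__main__":
    for frame in (SAMPLE_RANDOMIZED, SAMPLE_GLOBAL):
        print(parse_probe_request(frame))
```

A set locally administered bit suggests, but does not prove, that the sender address is randomized rather than the device's burned-in address.
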
0

Yes! As said by @hector, before connecting to the AP, Wi-Fi devices send probe requests looking for APs that they "know" or to declare themselves to the APs around.

You will need a tool to sniff wireless packets (like airodump-ng), a card with "monitor mode" and the rest is easy. You can find good tutorials for that using your favorite search engine.

Because of the OSI-model, the physical layer is usually not encrypted so you can get the MAC address and even more information. This makes MAC address filtering not really efficient as a means of access restriction.

Tobi Nary
BR.Hamza