
I just watched an interesting talk from Glenn Wilkinson titled "The Machines that Betrayed their Masters".

He said that your phone is constantly broadcasting all the SSIDs it has ever connected to. How would an attacker be able to capture these Wi-Fi requests?

HopelessN00b
that guy
  • What research have you done? What have you tried? Are you familiar with Wireshark? Trying to gauge the appropriate level of the response for your personal situation... – D.W. Jun 30 '14 at 21:43
  • I am highly skeptical of the claim that any device is "constantly broadcasting all the SSIDs it has ever connected to". – Michael Jul 01 '14 at 18:40
  • It is not constantly broadcasting the SSIDs it has connected to. If it is connected to a network, it does not. However, if an iPhone is _not_ connected to a network, it will attempt to [probe for networks it knows](http://arstechnica.com/apple/2012/03/anatomy-of-an-iphone-leak/). – Alan Shutko Jul 01 '14 at 20:12
  • Related: http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html and http://www.troyhunt.com/search/label/WiFi%20Pineapple – Harry Johnston Jul 02 '14 at 00:04
  • This actually goes beyond simply broadcasting. Newer models of Android phones also keep WiFi constantly on and scanning, even though you may think it is disabled, since there's no active WiFi indicator shown. This is why Chainfire came up with [Pry-Fi](https://play.google.com/store/apps/details?id=eu.chainfire.pryfi), which also uses MAC randomization to prevent MAC collection, as "Dog eat..." mentions below. – not2qubit Jul 02 '14 at 12:26
  • I asked a similar question a while ago on the Android site. I heard about a hacker using this to set up a fake network with the same name that users would connect to, after which he could track what they did on the web. https://android.stackexchange.com/questions/66244/wifi-scanning-for-known-networks-that-dont-broadcast-their-ssid – SPRBRN Jul 02 '14 at 12:33

6 Answers


Fairly easy, to be honest: all you need to do is listen for probe requests. There is a nice blog explaining how to go about setting up a computer with BT5 to listen for them here.

With a network card that supports "monitor mode", you are able to pick up so-called "probe requests". Once the network card is set up to be in monitor mode you can use something like aircrack, Wireshark or hoover to capture the probe requests.

For example, when using Ubuntu and Wireshark, set the network card to monitor mode:

```bash
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
```

Now start Wireshark and set the display filter to `wlan.fc.type_subtype eq 4`.

That's it, now you can see all the SSIDs being probed for around you.

Léo Lam
BadSkillz
  • Just out of curiosity, could you use Google's network mapping project to get a history of every place someone has ever connected to the internet? Because that sounds kinda creepy, but also pretty cool... – KnightOfNi Jun 30 '14 at 14:20
  • In theory, yes. If the SSID and MAC are collected by Google, one could find the location of this AP. – BadSkillz Jun 30 '14 at 14:41
  • +1. This is the point where technology becomes scary to me. Being a computer science major, I know exactly how far this stuff can go. This is ridiculous! There are lots of cool and interesting uses for this type of data (Google's network mapping project), but just imagine if I were the creepy stalker type. One could map out behavioral patterns and use it to harm others. I understand why phones probe for previous networks, but this is kind of sick if you think about the possibilities for social engineering... – Chris Cirefice Jul 01 '14 at 17:08
  • Not only can you collect information; you can also create a malicious access point that mimics an access point the victim will automatically connect to, then immediately have access to any non-encrypted network traffic their apps use as well as an open channel for remote attacks on the device. – R.. GitHub STOP HELPING ICE Jul 01 '14 at 19:41
  • @ChrisCirefice The tech giants (GAFAM) are the creepy stalker types and they are using social engineering to dominate the world and make huge profits. It's sick, I agree. – Jake Mar 13 '22 at 02:41

For example, using the great aircrack-ng, specifically the airodump-ng utility from it. The information you are looking for will show up under "Probes" in the lower section.


This should work for most Linuxes:

```bash
sudo apt-get install aircrack-ng

sudo airmon-ng start <card>

sudo airodump-ng mon0
```

This outputs a list of what all devices are trying to connect to. Some devices only probe for networks that are available; however, as you suspected, smartphones probe for all networks that they know about, no matter whether they are available or not.

Quora Feans

After putting your wireless network card in monitor mode as mentioned in the other answers, you can do something like the following to print out MAC addresses and SSIDs. This code depends on the scapy library/tool.

```python
#!/usr/bin/env python3

from scapy.all import Dot11, Dot11Elt, conf, sniff

conf.iface = "mon0"  # the monitor-mode interface created by airmon-ng


def handle_pkt(pkt):
    # management frame (type 0) of subtype 4 is a probe request
    if Dot11 in pkt and pkt[Dot11].type == 0 and pkt[Dot11].subtype == 4:
        hwaddr = pkt[Dot11].addr2  # transmitter address: the probing client
        elt = pkt.getlayer(Dot11Elt)
        while elt is not None and elt.ID != 0:  # walk the elements to the SSID (ID 0)
            elt = elt.payload.getlayer(Dot11Elt)
        ssid = elt.info.decode(errors="replace") if elt is not None else ""
        print(hwaddr, repr(ssid))


sniff(prn=handle_pkt)
```

Happy hacking

An alternative to airmon-ng is to use iwconfig to set the card to monitor mode (if it supports it). The downside of this method is that you cannot associate with an access point while sniffing raw wireless packets.

```bash
ifconfig wlan0 down
iwconfig wlan0 mode Monitor
iwconfig wlan0 channel 1
ifconfig wlan0 up
```
Dog eat cat world
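The frames the answers above capture can also be decoded without scapy. The following is an added example, not code from any of the answers: pure Python that parses the 802.11 management header and the tagged SSID element of constructed sample frames, separates wildcard probes (empty SSID, which leak no network name) from directed probes for configured networks, and rejects truncated frames. All MAC addresses and network names in it are constructed.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24     # frame control, duration, addr1-3, sequence control
PROBE_REQ_FC0 = 0x40  # version 0, type 0 (management), subtype 4 (probe request)


def parse_probe_request(frame: bytes):
    """Return (transmitter MAC, SSID) for a probe request, else None.
    Empty SSID = wildcard probe (leaks nothing); non-empty = directed probe for a
    configured network. Truncated frames and overrunning elements are rejected."""
    if len(frame) < MGMT_HDR_LEN or frame[0] != PROBE_REQ_FC0:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):                       # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None                                # element overruns the frame
        if eid == 0:                                   # element ID 0 is the SSID
            return src, body.decode("utf-8", errors="replace")
        pos += 2 + elen
    return None                                        # no SSID element at all


def leaked_ssids(frames):
    """Map each transmitter MAC to the network names it probed for (no wildcards)."""
    leaks = defaultdict(set)
    for parsed in map(parse_probe_request, frames):
        if parsed and parsed[1]:
            leaks[parsed[0]].add(parsed[1])
    return dict(leaks)


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request for testing (not a captured frame)."""
    src, bcast = bytes.fromhex(src_mac.replace(":", "")), b"\xff" * 6
    header = bytes([PROBE_REQ_FC0, 0, 0, 0]) + bcast + src + bcast + b"\x00\x00"
    ssid_b = ssid.encode()
    return header + bytes([0, len(ssid_b)]) + ssid_b + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])


# Constructed sample: two clients, a wildcard probe, a beacon (ignored), a truncated frame.
SAMPLE_FRAMES = [
    build_probe_request("02:00:00:00:00:01", "HomeNet"),
    build_probe_request("02:00:00:00:00:01", "CoffeeShop-Guest"),
    build_probe_request("02:00:00:00:00:01", ""),
    build_probe_request("02:00:00:00:00:02", "HomeNet"),
    b"\x80\x00" + b"\x00" * 22,
    build_probe_request("02:00:00:00:00:03", "Trunc")[:-8],
]
```

Run `leaked_ssids()` over the raw 802.11 frames of a capture (with the radiotap header stripped) to audit how many network names your own devices give away.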

My approach to this was to use an OpenWRT device (a TP-Link 3600; it could be done with DD-WRT or other similar projects) and to use only tcpdump and monitor mode (not airodump). Using tcpdump lets you see all traffic (to profile area activity as well as watching for beacons/probes). The advantage of using a dedicated device is that they are inexpensive, use little electricity, and have two radios that work independently. I used a flash drive mounted on /media/drive1 to hold the files. The commands below will watch channel 11 on the b/g/n bands and channel 149 on the a/n bands; obviously this can be changed to suit local needs. With this running at startup you can move the device to the desired area, plug it in, wait, and then unplug it and review the files from the flash drive on your PC. The possible wireless security audit scenarios with this platform are many.

Also, as a point of clarification to your original thesis that "phones broadcast the SSIDs of all networks they have ever connected to": this is a bit oversimplified. Devices will send probes for any network currently in their Wi-Fi configuration, which for most users is all the networks they have signed on to in the past, but you can easily remove unused entries from this list to reduce the information leaked by your device. An option like "only associate to broadcast SSIDs, do not probe" would be desirable, but alas this is really a low priority when it comes to security, compared to other issues on most mobile devices.

```sh
# one monitor interface per radio, each pinned to its channel
/usr/sbin/iw phy phy0 interface add mon0 type monitor
/sbin/ifconfig mon0 up
/usr/sbin/iw mon0 set channel 11
/usr/sbin/iw phy phy1 interface add mon1 type monitor
/sbin/ifconfig mon1 up
/usr/sbin/iw mon1 set channel 149

# one capture directory per run, named by start time
capdir="/media/drive1/$(date +%Y%m%d-%H%M)"
mkdir -p "$capdir"
echo "starting with $capdir" >> /tmp/capstartup

# -C 50 rotates the capture file every 50 MB; output is redirected with
# POSIX syntax because OpenWRT's default shell is BusyBox ash, not bash
/usr/sbin/tcpdump -i mon0 -C 50 -w "$capdir/mon0.pcap" > /tmp/error.myprog0 2>&1 &
/usr/sbin/tcpdump -i mon1 -C 50 -w "$capdir/mon1.pcap" > /tmp/error.myprog1 2>&1 &
```
Jeff Meden
  • Do you have any idea why one would get a busy error when trying to set the channel of `mon0`: `command failed: Device or resource busy (-16)`? I get a busy response whether I use `iw` or `iwconfig` to try to set the channel. – JellicleCat Jul 23 '15 at 16:04

Not only is your device sending probe requests to the networks it has been connected to (unless it is already connected), but in some cases it seems that when you are spoofing the MAC address of another device in your surroundings (and that one is being shut down), it may even replicate sending probe requests to APs it was never connected to and that are out of reach at the same time. At least this was my puzzling observation: How can spoofing a certain MAC address enable sending probe requests that I was never connected to?

peter b