
My goal is to see the SSIDs requested by mobile devices in my home. For example, my Windows phone knows about SSIDs called "coffee_shop", "planet_fitness" and "library". I have my phone set to "connect automatically" to those known networks.
I understand from this article that I should be able to capture the SSIDs my phone knows about by sniffing wireless traffic on another device.

On another computer, I have a wireless adapter put into monitor mode by airmon-ng (channel 6, but all channels seemed about equal in the traffic captured).

Reading the packets with tshark with the command tshark -i wlan0mon subtype probereq I can see many probe requests that include the SSIDs of (hidden or not) wireless access points in my home that other devices are connecting to. I can see other probe requests coming from my Windows phone (based on the MAC address being the same), but the SSID for those probes just says "broadcast".

A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.

Can I conclude from this that my phone only sends "broadcast" probe requests and connects automatically to known access points when they identify themselves (rather than my phone sending the specific info "coffee_shop")? If so, can I then conclude that my phone does not reveal access points it knows about unless one responds to a broadcast probe request?

If all mobile devices behaved like my phone, then how would an attacker pull off the type of attack used by Wifi Pineapple, which works by answering "yes" to probe requests from wireless devices sending specific SSIDs?

mcgyver5
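To make the "broadcast" versus directed distinction concrete, here is an added Python example (not from the question or any answer) that builds a few constructed 802.11 probe request frames and parses their SSID element the way the tshark output above shows it: a zero-length SSID element is the wildcard probe, anything else is a network name the device has just disclosed. The MAC addresses and SSIDs are made-up sample values; radiotap headers are omitted.

```python
import struct
from collections import defaultdict

PROBE_REQ = 0x40     # frame control byte 0: type = management (0), subtype = 4
MGMT_HDR_LEN = 24    # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq-ctrl(2)
TAG_SSID = 0         # tagged parameter id of the SSID element

def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request frame for test data.
    An empty ssid produces the wildcard element tshark labels 'Broadcast'."""
    bcast = b"\xff" * 6
    hdr = struct.pack("<BBH6s6s6sH", PROBE_REQ, 0x00, 0, bcast, src_mac, bcast, 0)
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1/2/5.5/11 Mbit
    return hdr + ssid_ie + rates_ie

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < MGMT_HDR_LEN or frame[0] != PROBE_REQ:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):                       # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == TAG_SSID:
            name = value.decode("utf-8", "replace") if length else "<broadcast>"
            return src, name
        pos += 2 + length
    return src, "<broadcast>"   # a missing SSID element is also a wildcard probe

def revealed_ssids(frames):
    """Per source MAC, the network names a device disclosed in directed probes.
    Devices absent from the result only ever sent wildcard probes."""
    out = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] != "<broadcast>":
            out[parsed[0]].add(parsed[1])
    return dict(out)

# Constructed sample capture: locally administered MACs, invented SSIDs.
PHONE = bytes.fromhex("02aabbccddee")
LAPTOP = bytes.fromhex("021122334455")
SAMPLE_FRAMES = [
    build_probe_request(PHONE, b""),              # phone-style: wildcard only
    build_probe_request(LAPTOP, b"coffee_shop"),  # directed probe leaks a known SSID
    build_probe_request(LAPTOP, b"library"),
    build_probe_request(LAPTOP, b""),
]
```

Running revealed_ssids over frames captured from wlan0mon gives a per-device audit of which networks each device in the house is naming in the clear.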

2 Answers


This is what the WiFi Pineapple abuses.

When you walk around with your digital device with WiFi enabled and connect automatically set to on, every time your device detects a wireless signal it will send out probe requests to see if the SSIDs match.

With a regular Access Point nothing happens, meaning the AP just discards the probe, but with the WiFi Pineapple or a similar device, it will say "yes, I am this network, connect to me", and emails and applications that auto-update will do so.

If this malicious AP then runs Wireshark, or another packet sniffer, and a version of SSLstrip (or something similar), it will sniff credentials. On the Pineapple this feature is called Karma. If a connection is established you get the MAC address of the device.

This problem has become quite well known these days, and methods to hinder this simple MITM attack are put in place by forcing the client's browser to use HSTS layers. This means that if the client sends a request to the server over HTTP, the server will respond that it only accepts HTTPS and will force the client to use it. You can find more info on the Pineapple at Pineapple Uni.

Not all sites use HSTS yet, so the Karma function will still work on some websites, but either way, the Pineapple, or a similar device, will sniff the SSID.

Deer Hunter
Evan
  • Very informative description of what Pineapple and HSTS do. (Will have to check Pineapple out.) But would the particular way the OP's phone is sending out /not sending out previously-connected ssids still be vulnerable to this? – mostlyinformed Nov 03 '15 at 20:49
  • Vulnerable in the sense that it will reveal SSIDs, yes. All probe requests are sent in the clear over the air. You can monitor the signals with a WiFi adapter set to monitor mode. This will grab SSIDs and MAC addresses. You can then perform _channel hopping_ to cover all channels. No packets are sent from your _sniffing_ device. – Evan Nov 04 '15 at 00:39

I could imagine that a malicious Access Point, when presented with the "broadcast SSID" request, could go through a list of somewhat generic SSIDs like the ones you mentioned and advertise these.

Here is a statistic of SSIDs in use.

By luck, one or more of them matches one on the phone's list, the phone tries to initiate a connection, and voilà, the Access Point has learned that this specific phone has that one on its list.

nulldev