
Track devices via passive WiFi listening

Over the past year I have come across many stories about passive WiFi tracking. Almost all of them focus on the security and privacy implications, but few explain how it actually works. I built a whole project around this, Casual Encounters, and I can share how the system works, how to avoid being tracked, and how to build one (for research purposes, of course). Do not try this at home.

Probe requests


When a WiFi client wants to connect to a known network, it has two options. The first is used by laptops and other devices that are not smartphones: the client listens for beacon frames. Routers send these frames to announce their presence; the client recognises a network it already knows and connects to it. The second option, usually used by smartphones, is to periodically broadcast probe requests, which contain the client's unique MAC address and sometimes the name (SSID) of a network it knows. The advantage of the second approach is that it is faster. Besides that, it is much easier to abuse for tracking.

Listening Mode (Monitor Mode)


WiFi devices can operate in six modes. To listen to traffic, the device must be switched to monitor mode. In that mode it does not transmit anything itself, so the presence of such a device is very difficult to detect.

Protection


In theory it is very easy to protect yourself. If you turn off WiFi on your phone whenever you do not need it (that is, whenever you are away from places with trusted networks), the phone stops sending probe requests and cannot be tracked this way. In practice, turning WiFi off every time would be pretty tedious.
For Android there are several applications that make this easier. For example, AVG PrivacyFix lets you configure a list of trusted networks, and WiFi is enabled only when one of them is in range. There are other applications of this kind.

On iOS your choice is limited. If your device is not jailbroken, Apple's sandbox will not let applications toggle WiFi. iOS 7 added somewhat more convenient access to the WiFi switch, but you still have to do it manually.

We build a tracker


You can, of course, just use a laptop, even a MacBook: install Wireshark and set up a filter for probe requests. But that is not very interesting, and if you want to build a whole network of trackers, laptops become expensive.

For such home-made purposes a Raspberry Pi with a wireless adapter, or (my preference) a TP-LINK MR-3020 router with custom firmware, is enough. Both options are small and can be powered from a 5-volt battery.

Setting up the Pi is simpler, because it already has a working file system, but I prefer the MR-3020 router: it is inexpensive and self-contained. So I will describe the router configuration; if you want to use a Pi instead:

- you can skip ahead to the listening mode settings
- the two devices run different Linux distributions, so some configuration files may live in different places and the package managers differ
- more powerful radios such as the AWUS036H may require an externally powered USB hub

Configure the router


You will need:

- TP-LINK MR-3020 router ($34.99 on Amazon). Analogues such as the TP-LINK TL-WR703N should also work
- USB flash drive (2-4 GB)
- Ethernet cable

The first part of the instructions is taken from the PirateBox project, since the initial configuration of the device is identical.

1. Download a copy of OpenWrt for the MR3020 (a modification from Matthias Strubel includes all the necessary kernel modules).
More information: forum.daviddarts.com/read.php?2,3974,4009#msg-4009
Discussion firmware: forum.openwrt.org/viewtopic.php?pid=207769#p207769
Firmware for WR703N: downloads.openwrt.org/attitude_adjustment/12.09-beta2/ar71xx/generic

2. Set the slide switch next to the LAN/WAN port to WISP

3. Turn off WiFi on the laptop

4. Connect the router via ethernet to the computer and open in the browser 192.168.0.254 (MR3020) or 192.168.1.1 (WR703N)

5. Enter the login and password (admin / admin)

6. Go to System Tools > Firmware Upgrade and select the OpenWrt firmware.

The WR703N's stock firmware interface is in Chinese. To flash it via the web interface, select the last menu on the left, then the third submenu item.

7. After the upgrade, the system will restart.

8. Log in via telnet:

telnet 192.168.1.1 


9. Use the passwd command to set a root password. This also enables SSH access.

 passwd 


10. Edit the network settings with vi. Suppose your main gateway has the address 192.168.2.1. The OpenWrt address must be different, but on the same subnet.

  vi /etc/config/network 


Change the file to this state:

  config interface 'loopback'
      option ifname 'lo'
      option proto 'static'
      option ipaddr '127.0.0.1'
      option netmask '255.0.0.0'

  config interface 'lan'
      option ifname 'eth0'
      option type 'bridge'
      option proto 'static'
      option ipaddr '192.168.2.111'
      option netmask '255.255.255.0'
      option gateway '192.168.2.1'
      list dns '192.168.2.1'
      list dns '8.8.8.8'


11. Disconnect the router from the network.

12. Turn WiFi on the laptop back on

13. Connect the MR3020 (or WR703N) to the gateway router via Ethernet and power on the configured router. Wait a minute. From a computer on the same LAN, log into the router over SSH:

  ssh root@192.168.2.111 


14. Ping Google to check the settings:

  ping google.com 


15. Add USB support to OpenWrt (if you did not use the already configured firmware from step 1):

  opkg update
  opkg install kmod-usb-uhci
  insmod usbcore   ## may return: file exists
  insmod uhci
  opkg install kmod-usb-ohci   ## may return: up to date.
  insmod usb-ohci


USB setup

Format the flash drive into two partitions: the main Ext4 partition and a swap partition of 256 to 512 MB.
Log into the router over ssh.
Install the packages needed for Ext4 support:

  root@OpenWrt:~# opkg update
  root@OpenWrt:~# opkg install block-mount kmod-fs-ext4


Insert the flash drive into the router and check that it is detected:

  root@OpenWrt:~# ls /dev | grep sda
  sda
  sda1
  sda2


File system setup

Now we will make sda1 the root of the file system
(as described at wiki.openwrt.org/doc/howto/extroot#openwrt).

 root@OpenWrt:~# mkdir /mnt/sda1
 root@OpenWrt:~# mount /dev/sda1 /mnt/sda1


Check that it mounted correctly (the output should be /dev/sda1 on /mnt/sda1 type ext4):

 root@OpenWrt:~# mount | grep sda1 


Copy the files from the router to the flash drive, so that all settings are still there after we reboot with the USB drive as the root overlay:

 root@OpenWrt:~# tar -C /overlay -cvf - . | tar -C /mnt/sda1 -xf - 


Add an automatic mount of /dev/sda1 to /etc/config/fstab:

 root@OpenWrt:~# vi /etc/config/fstab 


Use the following settings:

 config global automount
     option from_fstab 1
     option anon_mount 1

 config global autoswap
     option from_fstab 1
     option anon_swap 0

 config mount
     option target /overlay
     option device /dev/sda1
     option fstype ext4
     option options rw,sync
     option enabled 1
     option enabled_fsck 0

 config swap
     option device /dev/sda2
     option enabled 0


Reboot the router:

 root@OpenWrt:~# reboot 


When all the lights come on again, log in over ssh and check that the flash drive is mounted correctly:

 root@OpenWrt:~# mount | grep sda1
 /dev/sda1 on /overlay type ext4 (rw,sync,relatime,user_xattr,barrier=1,data=ordered)


If you cannot log in via ssh, the file copy went wrong. Remove the flash drive and power-cycle the router. Once it is back up you can log in via ssh again. Then reinsert the flash drive and repeat the previous steps.

Customize swap


The router has very little RAM, and long-running processes can exhaust it. To check memory usage, enter

 root@OpenWrt:~# free 


To work around memory problems, you can use the swap partition. First, initialise it:

 root@OpenWrt:~# mkswap /dev/sda2 


Now enable it as swap:

 root@OpenWrt:~# swapon /dev/sda2 


Run free again to check that it is active:

 root@OpenWrt:~# free
              total         used         free       shared      buffers
 Mem:         29212        19160        10052            0         1972
 -/+ buffers:              17188        12024
 Swap:       475644            0       475644


To make this happen automatically, it is best to write a separate init script. Along the way you will learn how such scripts are made.

Script to connect Swap at startup


Let's start by creating a script:

 root@OpenWrt:~# vi /etc/init.d/swapon 


Enter the following into the file:

 #!/bin/ash /etc/rc.common
 START=109
 STOP=151

 start() {
     echo "start swap"
     swapon /dev/sda2
 }

 stop() {
     echo "stop"
 }


Make it executable:

 root@OpenWrt:~# chmod +x /etc/init.d/swapon 


Now create a symlink to it in /etc/rc.d:

 root@OpenWrt:~# ln -s /etc/init.d/swapon /etc/rc.d/S109swapon 


The S109 prefix tells the system the script's start priority. All files in /etc/rc.d begin with S##, and S109 places this one at the very end, after everything else has been launched.

Reboot, log in via ssh and check that the swap is active:

 root@OpenWrt:~# free
              total         used         free       shared      buffers
 Mem:         29212        19276         9936            0         2152
 -/+ buffers:              17124        12088
 Swap:       475644            0       475644


Customize listening mode


Almost everything is ready. We need to edit the wireless settings:

 root@OpenWrt:~# vi /etc/config/wireless 


Comment out the line that disables WiFi:

 #option disabled 1 


Use the following settings:

 config wifi-iface
     option device radio0
     option network lan
     option mode monitor
     option hidden 1


Restart the WiFi interface:

 root@OpenWrt:~# wifi down; wifi up 


Error messages like the ones below do not affect WiFi operation:

 ifconfig: SIOCSIFHWADDR: Invalid argument
 command failed: Device or resource busy (-16)


Check that WiFi is up and in monitor mode:

 root@OpenWrt:~# iwconfig
 lo        no wireless extensions.

 wlan0     IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=15 dBm
           RTS thr:off   Fragment thr:off
           Power Management:on

 eth0      no wireless extensions.

 br-lan    no wireless extensions.


Package installation


Now we will install all the packages required for the scanner:

 root@OpenWrt:~# opkg update
 root@OpenWrt:~# opkg upgrade tar wget
 root@OpenWrt:~# opkg install python tcpdump unzip
 root@OpenWrt:~# wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
 root@OpenWrt:~# tar -xvf scapy-latest.tar.gz
 root@OpenWrt:~# cd scapy*
 root@OpenWrt:~# python setup.py install
 root@OpenWrt:~# cd ..; rm -rf scapy*


Scan script check


Fetch the scripts (the commands below download them as a zip; you can also clone them with git):

 root@OpenWrt:~# mkdir /overlay/scripts; cd /overlay/scripts
 root@OpenWrt:/overlay/scripts# wget http://bitbucket.org/edkeeble/wifi-scan/get/e2a08627f05d.zip --no-check-certificate -O wifiscan.zip
 root@OpenWrt:/overlay/scripts# unzip wifiscan.zip
 root@OpenWrt:/overlay/scripts# mv edkeeble-wifi-scan-e2a08627f05d wifi-scan


As responsible hackers, we will not intercept everyone's requests. We will set up a whitelist that contains only our own phones.

 root@OpenWrt:/overlay/scripts# cd wifi-scan
 root@OpenWrt:/overlay/scripts/wifi-scan# vi wifiscan.py
 WHITELIST = ['00:00:00:00:00:00',]  # MAC addresses of your own phones


Check the script:

 root@OpenWrt:/overlay/scripts/wifi-scan# python wifiscan.py wlan0 


Take out your phone and disconnect it from the current network, but leave WiFi on. In the terminal you should start seeing the probe requests it sends. You may notice that not all requests carry an SSID: requests without an SSID are broadcast (wildcard) probes addressed to every access point in range.

Ctrl-C stops the script.
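To make concrete what the scanner actually sees, here is an added, self-contained parser for the probe-request frames described in the "Probe requests" section, with the same whitelist filtering the page applies in wifiscan.py. It is example code written for this page, not the wifi-scan project's script, and it does not use scapy or touch a radio: the frames are constructed in `build_probe_request` and `sample_frames` as test input (raw 802.11 management frames without a radiotap header or FCS). All function and class names are this example's own. Beyond the page, it also reports the locally-administered bit of the source MAC, which tells you whether the address is a burned-in identifier that could be tracked across sightings.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# 802.11 frame-control values for a Probe Request: management type, subtype 4
MGMT_TYPE = 0
PROBE_REQ_SUBTYPE = 4
SSID_ELEMENT_ID = 0


@dataclass
class ProbeRequest:
    source_mac: str             # addr2 of the frame: the client's MAC address
    ssid: str                   # '' for a broadcast (wildcard) probe
    locally_administered: bool  # U/L bit set: not a burned-in, stable identifier


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Parse one raw 802.11 frame (no radiotap header, FCS stripped).

    Returns a ProbeRequest, or None if the frame is not a probe request
    or is too short to hold the 24-byte management header.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x03
    subtype = (fc >> 4) & 0x0F
    if ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    src = frame[10:16]          # addr2 = transmitter / source address
    ssid = ""
    body = frame[24:]
    i = 0
    # Walk the tagged parameters (information elements): id, length, value
    while i + 2 <= len(body):
        elem_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break               # truncated element: stop rather than mis-parse
        if elem_id == SSID_ELEMENT_ID:
            ssid = value.decode("utf-8", errors="replace")
            break
        i += 2 + length
    return ProbeRequest(mac_to_str(src), ssid, bool(src[0] & 0x02))


def whitelisted_probes(frames: List[bytes], whitelist: Set[str]) -> List[ProbeRequest]:
    """Keep only probe requests whose source MAC is on the whitelist."""
    results = []
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe is not None and probe.source_mac in whitelist:
            results.append(probe)
    return results


# --- constructed sample input for offline testing (not captured traffic) ---

def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Assemble a minimal probe request frame as test input."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    broadcast = b"\xff" * 6
    frame_control = bytes([(PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])
    # frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control
    header = frame_control + b"\x00\x00" + broadcast + src + broadcast + b"\x10\x00"
    ssid_bytes = ssid.encode("utf-8")
    ssid_elem = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    rates_elem = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # Supported Rates element
    return header + ssid_elem + rates_elem


def sample_frames() -> List[bytes]:
    beacon = bytes([0x80, 0x00]) + b"\x00" * 22 + b"\x00\x00"   # a beacon, not a probe
    return [
        build_probe_request("00:11:22:33:44:55", "HomeNet"),   # directed probe
        build_probe_request("00:11:22:33:44:55", ""),          # broadcast probe
        build_probe_request("02:aa:bb:cc:dd:ee", "CafeWifi"),  # locally administered MAC
        build_probe_request("00:99:88:77:66:55", "OtherNet"),  # not on the whitelist
        beacon,
    ]


if __name__ == "__main__":
    whitelist = {"00:11:22:33:44:55", "02:aa:bb:cc:dd:ee"}
    for probe in whitelisted_probes(sample_frames(), whitelist):
        label = probe.ssid or "<broadcast>"
        print(f"{probe.source_mac}  ssid={label}  locally_administered={probe.locally_administered}")
```

Running it prints three lines: the two probes from the first whitelisted phone (one naming HomeNet, one broadcast) and the CafeWifi probe, whose source address has the locally-administered bit set. The OtherNet probe is dropped by the whitelist and the beacon is ignored by the type/subtype check, which is exactly the filtering a capture on wlan0 in monitor mode has to do before anything is logged.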

Results


Well, that's it. You now have a router that tracks smartphones passing by. Of course, the script is not very useful in this form. It could, for example, be extended to collect more data, log it, track the movement of smartphones between several of your devices, and so on.

Source: https://habr.com/ru/post/252831/
