
How to Track Wi-Fi Devices and Connect to Them Using Probequest « Null Byte :: WonderHowTo



Wi-Fi devices continually emit "probe frames", the packets they use to find nearby Wi-Fi networks to connect to. Beyond the privacy risk, probe frames can also be used to track nearby devices or to take over their data connections. We'll explain how you can see the nearby devices sending probe frames with Probequest, and what can be done with that information.

To find available networks, Wi-Fi devices rely on one of two things: beacon frames or probe frames.

How Beacon Frames Work

Wi-Fi access points (APs) send out packets called beacon frames that contain information about the access point advertising them. Using this information, nearby devices can detect that the access point exists and decide whether they have previously connected to that network. When a device detects a network it knows, it tries to connect to it.

By opening a beacon frame in Wireshark, we can see that it contains information about the device that transmitted the packet: the name of the Wi-Fi network the beacon advertises, the channel the AP operates on, and the speeds the network supports. This is how your phone or laptop can present a list of nearby networks seemingly out of thin air: your device receives those packets and gives you the option to connect if you want to.

In Wireshark, a beacon frame looks like this:

How probe frames work

The second way a Wi-Fi connection can come about is that your device tries to find a nearby network to connect to by sending out a kind of packet called a probe frame.

Probe frames work roughly in the opposite direction from beacon frames. The client device sends packets searching for Wi-Fi networks it has connected to before. This lets you reconnect quickly and seamlessly to networks such as your home or work network when you lose the connection or temporarily leave the area.

In Wireshark, we can look at a probe frame to get information about the device sending the packet, along with the name and channel number of the access point it is requesting. You can see some probe frames captured on a subway below:

Devices such as laptops and smartphones send probe frames on all channels even when Wi-Fi is turned off. This is because Wi-Fi-assisted geolocation is enabled by default and is not affected by disabling the Wi-Fi connection option. As a result, turning off your phone's Wi-Fi does not stop the device from sending probe frames.

What Probe Frames Can Show

This practice has attracted the attention of security researchers like Mathy Vanhoef, who demonstrated that probe frames can be used to track users with a high degree of accuracy, and that even attempts to prevent this (such as randomizing the MAC address used in probe frames sent by client devices) are not very effective at stopping tracking. Mathy's work has shown many ways to read into the information contained in a probe frame, including several ways to reveal the real MAC address of a nearby device.

MAC address randomization is often not applied uniformly, or is not truly random enough, to be effective. This includes devices sending their real MAC address in response to a beacon frame they detect, including ESSIDs like "Google Starbucks". This means that most people who walk past a coffee shop with free Wi-Fi while in range are quickly identified.

Apart from poor MAC address randomization, the information elements in probe frames often contain enough data to create a fingerprint for tracking a device. This is because many devices do not follow the Wi-Fi standard exactly and arrange their elements slightly differently. The elements may be in a different order or may include some vendor-specific information.

Since the data in the information elements of a probe frame, as well as the incrementing sequence number of the packets being sent, can be used to zero in on specific devices, probe frames offer the most convenient option for tracking targets both at a distance and up close. Using tools such as Wigle Wi-Fi, we can also search for a physical address a target device has been at recently, by typing an ESSID we see in probe frames into the search to see whether a matching access point exists in our area.
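To make concrete how the element layout of a probe frame fingerprints a device regardless of MAC randomization, here is an added Python example; it is not code from the article, from Mathy Vanhoef's work, or from Probequest. It builds three constructed probe request frames in memory, parses their tagged parameters, and clusters them by a fingerprint that deliberately ignores the source MAC and the SSID. The MAC addresses, sequence numbers and rate lists are made-up sample values, and the vendor OUI 00:50:f2 appears only as sample data; the function and class names are this example's own.

```python
"""Parse a raw 802.11 probe request and derive an information-element fingerprint.

Added example (not code from the Null Byte article or from Probequest). The frames
below are constructed in-code for demonstration; nothing is captured from the air.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MGMT_HEADER = "<HH6s6s6sH"                  # frame control, duration, addr1, addr2, addr3, seq control
HEADER_LEN = struct.calcsize(MGMT_HEADER)   # 24 bytes
PROBE_REQ_FC = 0x0040                       # type 0 (management), subtype 4 (probe request)
BROADCAST = b"\xff" * 6
EID_SSID, EID_RATES, EID_VENDOR = 0, 1, 221


@dataclass(frozen=True)
class ProbeRequest:
    src_mac: str
    seq: int                      # 12-bit sequence number from the sequence-control field
    ssid: str                     # "" means a wildcard (undirected) probe
    ie_order: Tuple[int, ...]     # element IDs in the order the device placed them
    rates: bytes                  # raw Supported Rates element, vendor-specific in practice
    vendor_ouis: Tuple[str, ...]  # OUIs from vendor-specific elements (ID 221)
    locally_administered: bool    # bit 1 of the first octet set: randomized/locally assigned MAC


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac: bytes, seq: int, ies: List[Tuple[int, bytes]]) -> bytes:
    """Build a minimal probe request (constructed test input, not a real capture)."""
    header = struct.pack(MGMT_HEADER, PROBE_REQ_FC, 0, BROADCAST, src_mac, BROADCAST, seq << 4)
    body = b"".join(struct.pack("BB", eid, len(val)) + val for eid, val in ies)
    return header + body


def parse_probe_request(frame: bytes) -> ProbeRequest:
    """Walk the tagged parameters of a probe request and collect what a tracker would use."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    fc, _dur, _da, sa, _bssid, seqctl = struct.unpack_from(MGMT_HEADER, frame, 0)
    if fc & 0x00FC != PROBE_REQ_FC:          # compare type/subtype bits only, ignore flags
        raise ValueError("not a probe request")
    ssid, order, ouis, rates = "", [], [], b""
    offset = HEADER_LEN
    while offset + 2 <= len(frame):
        eid, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")   # malformed frame: refuse it
        offset += 2 + length
        order.append(eid)
        if eid == EID_SSID:
            ssid = value.decode("utf-8", errors="replace")
        elif eid == EID_RATES:
            rates = value
        elif eid == EID_VENDOR and length >= 3:
            ouis.append(_mac_str(value[:3]))
    return ProbeRequest(_mac_str(sa), seqctl >> 4, ssid, tuple(order), rates, tuple(ouis),
                        bool(sa[0] & 0x02))


def fingerprint(req: ProbeRequest) -> str:
    """Fingerprint from element layout, rates and vendor OUIs only. It ignores the MAC and
    the SSID, so it survives MAC randomization, which is exactly the privacy problem."""
    material = ",".join(map(str, req.ie_order)) + "|" + req.rates.hex() + "|" + ",".join(req.vendor_ouis)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def group_by_fingerprint(reqs: List[ProbeRequest]) -> Dict[str, List[str]]:
    """Cluster source MACs that share a fingerprint (likely the same physical device)."""
    groups: Dict[str, List[str]] = {}
    for r in reqs:
        groups.setdefault(fingerprint(r), []).append(r.src_mac)
    return groups


def demo_frames() -> List[bytes]:
    """Three constructed frames: two from 'device A' using different randomized MACs and
    consecutive sequence numbers, one from 'device B' with a global MAC and another layout."""
    rates_a = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])

    def layout_a(ssid: bytes) -> List[Tuple[int, bytes]]:
        return [(EID_SSID, ssid), (EID_RATES, rates_a), (3, b"\x06"),
                (45, bytes(26)), (EID_VENDOR, b"\x00\x50\xf2\x08\x00")]

    layout_b = [(EID_SSID, b"TLLP_GUEST"), (EID_RATES, bytes([0x02, 0x04, 0x0B, 0x16])),
                (50, bytes([0x0C, 0x12])), (3, b"\x01")]
    return [
        build_probe_request(bytes.fromhex("da0102030405"), 12, layout_a(b"Google Starbucks")),
        build_probe_request(bytes.fromhex("be0a0b0c0d0e"), 13, layout_a(b"")),   # wildcard probe
        build_probe_request(bytes.fromhex("001122334455"), 900, layout_b),
    ]


def analyze(frames: List[bytes]) -> List[ProbeRequest]:
    return [parse_probe_request(f) for f in frames]


if __name__ == "__main__":
    reqs = analyze(demo_frames())
    for r in reqs:
        print(f"{r.src_mac} seq={r.seq:4d} random={r.locally_administered} "
              f"ssid={r.ssid!r} fp={fingerprint(r)}")
    print(group_by_fingerprint(reqs))
```

The two frames from device A carry different, locally administered (randomized) MACs and one of them probes with an empty SSID, yet they land in the same fingerprint group; device B, whose elements are laid out differently, lands in its own. The parser refuses a truncated element rather than guessing, which is the behaviour you want in any monitor-side tooling fed with arbitrary over-the-air frames.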

Tracking Wi-Fi Devices via Probe Frames

With probe frames and the ability to identify or track users, we can learn a lot. Not only can we detect intruders in areas they should not be, we can also monitor human activity and track when people come and go. We can see which networks users have connected to. With multiple Wi-Fi sensors, we can track their movement in real time. Large retailers use this practice to monitor store traffic, learning which parts of the retail space customers spend most of their time in.

Because a device sending probe frames is essentially transmitting an identifiable ping periodically, it can be tracked with a directional antenna with high precision. Because Wi-Fi is line of sight, a directional antenna can observe activity within a one-mile radius to determine who is home and what equipment is present without being near the area.

Combined with a system such as a license plate or facial recognition scanner, probe frames can allow a hacker to link your phone to your face or your vehicle by setting up a camera and a directional antenna.

The ability to track a target through their smartphone or laptop allows hackers to design attacks that act intelligently, responding to the presence of a target's devices by performing a malicious action, such as disrupting the person's device whenever it is near certain networks. In addition, an attacker can use the information contained in probe frames to build an attack to take over the data connection of a target's device.

Taking Over Data Connections with Observed ESSIDs

Listening to probe frames allows an attacker to attempt to take over the data connection of the target device by exploiting the information contained in the probe frame. While many devices no longer include the ESSID of the network they are looking for in their probe frames, a significant percentage either still do, or still do under some circumstances.

What You'll Need for This Guide

To use Probequest, you need a network adapter that can be put into monitor mode. This allows you to hear broadcasts on other channels and the networks that nearby devices want to connect to. If your laptop's card is not compatible, you can check our list of compatible network adapters.

Probequest is installed with pip, so Python must also be installed. If you are running Kali Linux, make sure you update and upgrade your system before you start by typing the following in a terminal window:

  apt update
  apt upgrade

Step 1: Installing Probequest

Installing Probequest is very simple. In a new terminal window, enter the following to install Probequest. If you receive an error message saying you do not have pip3, you can install it by typing apt install python3-pip in the terminal window, and then run the following command again.

  sudo pip3 install --upgrade probequest

Collecting probequest
  Downloading https://files.pythonhosted.org/packages/93/6f/aaaf91f35eb7082c03e17a543df0646ae71620b6a579d40aef19b6d09aea/probquest-0.6.1.tar.gz
Collecting argparse>=1.4.0 (from probequest)
  Downloading https://files.pythonhosted.org/packages/f2/94/3af39d34be01a24a6e65433d19e107099374224905f1e0cc6bbe1fd22a2f/argparse-1.4.0-py2.py3-none-any.whl
Collecting netaddr>=0.7.19 (from probequest)
  Downloading https://files.pythonhosted.org/packages/ba/97/ce14451a9fd7bdb5a397abf99b24a1a6bb7a1a440b019bebd2e9a0dbec74/netaddr-0.7.19-py2.py3-none-any.whl (1.6MB)
    100% |████████████████████████████████| 1.6MB 718kB/s
Collecting scapy>=2.4.0 (from probequest)
  Downloading https://files.pythonhosted.org/packages/68/01/b9943984447e7ea6f8948e90c1729b78161c2bb3eef908430638ec3f7296/scapy-2.4.0.tar.gz (3.1MB)
    100% |████████████████████████████████| 3.1MB 468kB/s
Requirement already up-to-date: urwid>=2.0.1 in /usr/lib/python3/dist-packages (from probequest)
Building wheels for collected packages: probequest, scapy
  Running setup.py bdist_wheel for probequest ... done
  Stored in directory: /root/.cache/pip/wheels/0e/8a/6e/39dc49dd1f36136060c4b65edd8e6b33350498ca742f113073
  Running setup.py bdist_wheel for scapy ... done
  Stored in directory: /root/.cache/pip/wheels/cf/03/88/296bf69fee1f9ec7a87e122da52253b65f3067f6ea8719b473
Successfully built probequest scapy
Installing collected packages: argparse, netaddr, scapy, probequest
Successfully installed argparse-1.4.0 netaddr-0.7.19 probequest-0.6.1 scapy-2.4.0

You can also install the program from GitHub with the following commands.

  git clone https://github.com/SkypLabs/probequest.git
  cd probequest
  sudo pip3 install --upgrade .

Step 2: Put the adapter into monitor mode

Next, we need to locate our wireless adapter and put it into monitor mode. To do this, open a terminal window and run ifconfig to get the names of the connected network adapters. In Kali Linux, yours should be something like "wlan0".

  ifconfig 

Once the adapter name is known, we can use Airmon-ng: enter airmon-ng start wlan0 to put the adapter into monitor mode. This also changes the name of the adapter. Run ifconfig again to check the new name. It should be something like "wlan0mon" in Kali.

  airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  508 NetworkManager
  607 wpa_supplicant
 8250 dhclient

PHY	Interface	Driver		Chipset

phy0	wlan0		ath9k		Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
Step 3: Observe Nearby Devices

Once Probequest is installed and our card is in monitor mode, we can enter probequest in a terminal window to see the primary options.

  usage: probequest [-h] [--debug] -i INTERFACE [--ignore-case] [--mode {RAW,TUI}] [-o OUTPUT] [--version] [-e ESSID [ESSID ...] | -r REGEX] [--exclude EXCLUDE [EXCLUDE ...] | -s STATION [STATION ...]]

The most basic command that we can pass to Probequest to see probe frames is as follows:

  probequest -i wlan0mon 

This simple command starts Probequest listening on the current channel. As you'll see in the output, each MAC address is also checked against a vendor (OUI) list to determine the manufacturer of the nearby devices sending probes.

  [*] Start sniffing probe requests...
Mon, 23 Jul 2018 04:06:38 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:06:38 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:06:39 PDT - xxxxxxxxxxxxxxxxx (Apple, Inc.) -> Employees of CrossCamp.us 

Based on this information, the identity of the systems operating nearby should become clear. Expect to see the brands of nearby printers, cell phones, IoT devices like Sonos speakers and Nest Cams, and other devices.

  [*] Start sniffing probe requests...
Mon, 23 Jul 2018 04:06:38 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:06:38 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:06:39 PDT - xxxxxxxxxxxxxxxxx (Apple, Inc.) -> Employees of CrossCamp.us
Mon, 23 Jul 2018 04:06:44 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:06:44 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:06:49 PDT - xxxxxxxxxxxxxxxxx (Nest Labs Inc.) -> CrossCamp.us employees
Mon, 23 Jul 2018 04:06:49 PDT - xxxxxxxxxxxxxxxxx (Nest Labs Inc.) -> CrossCamp.us employees
Mon, 23 Jul 2018 04:06:49 PDT - xxxxxxxxxxxxxxxxx (Nest Labs Inc.) -> CrossCamp.us employees
Mon, 23 Jul 2018 04:06:49 PDT - xxxxxxxxxxxxxxxxx (Nest Labs Inc.) -> CrossCamp.us employees
Mon, 23 Jul 2018 04:06:50 PDT - xxxxxxxxxxxxxxxxx (AzureWave Technology Inc.) -> WILDKATT
Mon, 23 Jul 2018 04:06:50 PDT - xxxxxxxxxxxxxxxxx (AzureWave Technology Inc.) -> WILDKATT
Mon, 23 Jul 2018 04:06:50 PDT - xxxxxxxxxxxxxxxxx (AzureWave Technology Inc.) -> WIFIBBA825
Mon, 23 Jul 2018 04:06:50 PDT - xxxxxxxxxxxxxxxxx (AzureWave Technology Inc.) -> WIFIBBA825
Mon, 23 Jul 2018 04:06:50 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:06:50 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:06:56 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:06:56 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:06:59 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:06:59 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:07:02 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:07:02 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:07:15 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:07:15 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:07:18 PDT - xxxxxxxxxxxxxxxxx (Apple, Inc.) -> Employees of CrossCamp.us
Mon, 23 Jul 2018 04:07:19 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:07:19 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg 

If we want to be more specific, we can also use Probequest's -e, -s and --exclude flags to include only, or exclude, devices that probe for a specific network or come from a specific station.
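To turn raw output like the listing above into something a network owner can audit (which devices on site are leaking saved-network names, whether their MACs are randomized, and which stations are new since a baseline), here is an added Python example; it is not code from the article or from Probequest. It parses lines in the raw-mode layout shown above; the MAC addresses, vendor strings and ESSIDs in SAMPLE_LOG are constructed and do not reflect real OUI assignments, the regex assumes Probequest prints exactly the "date - mac (vendor) -> essid" layout seen above, and the function names are this example's own.

```python
"""Parse Probequest raw output lines into a per-station exposure report.

Added example (not code from the Null Byte article or from Probequest). The log lines
below are constructed to match the format shown in the article; the MAC addresses and
vendor strings are made up and do not reflect real OUI assignments.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Probequest's raw mode prints: "<date> - <mac> (<vendor>) -> <essid>"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) - (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \((?P<vendor>[^)]*)\) -> (?P<essid>.*)$",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
Mon, 23 Jul 2018 04:06:38 PDT - 00:09:b0:aa:bb:01 (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:06:39 PDT - da:a1:19:11:22:33 (Unknown) -> CoffeeShopFree
Mon, 23 Jul 2018 04:06:44 PDT - 3c:d9:2b:aa:bb:02 (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:06:50 PDT - 3c:d9:2b:aa:bb:02 (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:07:18 PDT - 3c:d9:2b:aa:bb:02 (Hewlett Packard) -> Google Starbucks
this line is noise and must be skipped
Mon, 23 Jul 2018 04:07:19 PDT - da:a1:19:11:22:33 (Unknown) -> CoffeeShopFree
"""


@dataclass
class Probe:
    ts: datetime
    mac: str
    vendor: str
    essid: str


@dataclass
class Station:
    mac: str
    vendor: str
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    essids: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[Probe]:
    """Return a Probe for a well-formed line, None for anything else (never raise on noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Drop the zone abbreviation ("PDT"): strptime's %Z only accepts a few fixed names.
    ts_text = m["ts"].rsplit(" ", 1)[0]
    try:
        ts = datetime.strptime(ts_text, "%a, %d %b %Y %H:%M:%S")   # assumes an English locale
    except ValueError:
        return None
    return Probe(ts, m["mac"].lower(), m["vendor"], m["essid"].strip())


def is_randomized(mac: str) -> bool:
    """Locally-administered bit (bit 1 of the first octet) set: randomized or software-assigned MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def summarize(lines) -> Dict[str, Station]:
    """Aggregate probes per source MAC: how often, when, and which network names it asked for."""
    stations: Dict[str, Station] = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        st = stations.get(p.mac)
        if st is None:
            st = stations[p.mac] = Station(p.mac, p.vendor, p.ts, p.ts)
        st.count += 1
        st.first_seen = min(st.first_seen, p.ts)
        st.last_seen = max(st.last_seen, p.ts)
        if p.essid:
            st.essids.add(p.essid)
    return stations


def exposure_report(stations: Dict[str, Station]) -> List[dict]:
    """Rate how much each station gives away: a global (non-randomized) MAC plus named
    networks is the worst case, since both the hardware identity and the saved-network list leak."""
    report = []
    for st in stations.values():
        named = bool(st.essids)
        if named and not is_randomized(st.mac):
            risk = "high"
        elif named:
            risk = "medium"      # MAC randomized, but the SSID list can still fingerprint it
        else:
            risk = "low"         # wildcard probes only
        report.append({"mac": st.mac, "vendor": st.vendor, "randomized": is_randomized(st.mac),
                       "essids": sorted(st.essids), "probes": st.count, "risk": risk})
    return sorted(report, key=lambda r: r["mac"])


def new_stations(stations: Dict[str, Station], already_seen: Set[str]) -> List[str]:
    """MACs present in this capture but absent from a baseline, for periodic re-checks of an -o file."""
    return sorted(set(stations) - already_seen)


if __name__ == "__main__":
    stations = summarize(SAMPLE_LOG.splitlines())
    for row in exposure_report(stations):
        print(row)
    print("new since baseline:", new_stations(stations, {"00:09:b0:aa:bb:01"}))
```

Feed it the file written with -o (or pipe Probequest's stdout into it) and run it on a schedule: stations rated "high" are the ones whose real hardware address and saved-network names are both on the air, which is the list to hand to whoever manages those devices, and new_stations() gives the delta against the previous run.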

Step 4: Casting a Wider Net

Devices operating on a channel other than the one we are scanning may be missed by Probequest on its own. This is not desirable, so we can use another program to make our WLAN card hop channels frequently, increasing our chances of finding new devices nearby.

While Probequest is running, open a new terminal window. To start channel hopping with your network card, enter the following Airodump-ng command:

  airodump-ng wlan0mon 

This opens Airodump-ng and hops the card between channels. You can minimize this window and then watch new devices appear in the Probequest window. As soon as I did this in our test setup, new IoT devices appeared.

  Mon, 23 Jul 2018 04:16:36 PDT - xxxxxxxxxxxxxxxxx (Sonos, Inc.) -> Sonos_dAQ4JQp4duS2hT8gqvKEQehK9c
Mon, 23 Jul 2018 04:16:38 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:16:38 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:16:43 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:16:50 PDT - xxxxxxxxxxxxxxxxx (AzureWave Technology Inc.) -> WILDKATT
Mon, 23 Jul 2018 04:16:50 PDT - xxxxxxxxxxxxxxxxx (AzureWave Technology Inc.) -> WILDKATT
Mon, 23 Jul 2018 04:16:54 PDT - xxxxxxxxxxxxxxxxx (Hon Hai Precision Ind. Co., Ltd.) -> unconfigured
Mon, 23 Jul 2018 04:17:02 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:17:02 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:17:02 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:17:02 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:17:08 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:17:08 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:17:08 PDT - xxxxxxxxxxxxxxxxx (Sonos, Inc.) -> Sonos_dAQ4JQp4duS2hT8gqvKEQehK9c
Mon, 23 Jul 2018 04:17:13 PDT - xxxxxxxxxxxxxxxxx (Apple, Inc.) -> Employees of CrossCamp.us
Mon, 23 Jul 2018 04:17:13 PDT - xxxxxxxxxxxxxxxxx (Apple, Inc.) -> Employees of CrossCamp.us
Mon, 23 Jul 2018 04:17:14 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:17:14 PDT - xxxxxxxxxxxxxxxxx (Onkyo Corporation) -> ATT5qEg4lg
Mon, 23 Jul 2018 04:17:15 PDT - xxxxxxxxxxxxxxxxx (Sonos, Inc.) -> Sonos_dAQ4JQp4duS2hT8gqvKEQehK9c
Mon, 23 Jul 2018 04:17:16 PDT - xxxxxxxxxxxxxxxxx (Nest Labs Inc.) -> CrossCamp.us employees
Mon, 23 Jul 2018 04:17:20 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST
Mon, 23 Jul 2018 04:17:20 PDT - xxxxxxxxxxxxxxxxx (Hewlett Packard) -> TLLP_GUEST 

With this wider net, a hacker can use this output to trigger an action when a particular device is present. For example, you can use the output flag -o to save only the probe frames from one device to an output file, then check the file for new entries every few seconds. If one is found, you can trigger whatever you have programmed, knowing the target device is nearby.

Step 5: Attempting to Take Over

After you've found nearby devices, you can look for ones that are probing for an ESSID you recognize. You will recognize these ESSIDs because they belong to popular cafes, hotels and other places with public Wi-Fi. If you identify an ESSID that you think is public, you may be able to use it to deploy a MitM attack. Since a device does not automatically connect to a password-protected network unless the network has the same password, this will only work for open networks or networks with an already known password.

If you choose to, there are many tools available to create fake APs, including Airgeddon. Although we won't cover creating a rogue AP in Airgeddon in this guide, you can read our guide to creating a fake AP with Airgeddon below.

The only significant change from our previous Airgeddon guide is that instead of cloning a network that is actually nearby, you copy the ESSID from the probe frame and create an open Wi-Fi network with the same name the target device is calling for. If your target connects, you can continue scanning the device for more information.

This may include the device's network name, which on iOS devices is often the user's name. You can also run all the usual malicious MitM stuff, such as phishing sites, and sniff the packets coming from the device to learn more about the software and apps it runs. While this attack only works against a percentage of devices, it can be strengthened by broadcasting the ESSIDs of public free networks.

Probe Frames Can Be Tracked Even When Your Wi-Fi Is Off

My research on probe frames has shown that they can be used to identify and track devices, even when Wi-Fi is turned off and from over 800 feet away. For users, this means that smartphones and laptops betray your presence and even allow a hacker to write software that responds specifically to your presence.

This is the case because of the way Wi-Fi devices handle network discovery. It can lead to even greater security risks if these probe frames contain information such as the names of password-less networks the device trusts. That allows an attacker to take over the data connection of the target device without any warning to the user.

If you want to protect yourself from this kind of snooping, you also need to disable A-GPS or Wi-Fi-assisted GPS, which also uses probe frames to achieve better positioning. With A-GPS turned off and your Wi-Fi turned off, you should be more secure against these threats.

You can also go through your list of saved networks and delete any that do not have a password, because by broadcasting the names of these networks, your device can be lured into connecting automatically. In general, the convenience is not worth the risk.

As a final note, a "hidden" Wi-Fi network will cause your device to always send probe frames looking for its name, so be forewarned. This "ingenious" security measure makes all of your Wi-Fi-enabled devices incredibly easy to track and identify, despite your device's attempts to randomize its MAC address. Randomizing MAC addresses does not really help if everything you own always calls for the same hidden network.

I hope you enjoyed this tutorial on understanding and using probe frames to track Wi-Fi-enabled devices! If you have any questions about this tutorial or about probe frames, feel free to leave a comment or reach me on Twitter @KodyKinzie.

Cover image and screenshots by Kody / Null Byte



