Tracking devices by passively listening to WiFi

Original author: Edward
  • Translation
Over the past year I have come across many stories about passive WiFi tracking. Almost all of them focus on security and privacy, but few explain how it actually works. I built a whole project, Casual Encounters, around it, so I can share how the system works, how to avoid being tracked, and how to build one (for research purposes, of course). Do not try this at home.

Probe Requests

When a WiFi client wants to join a known network, it has two ways to find it. The first, passive scanning, is what laptops and other non-phone devices mostly do: the client listens for beacon frames, which access points broadcast periodically to announce their presence, recognises a network it already knows and connects to it. The second, active scanning, is what smartphones mostly do: the client periodically transmits probe requests that carry its unique MAC address and sometimes the name (SSID) of a network it knows. Active scanning is faster, which is why phones prefer it, and it is also much easier to turn against its user: the MAC address goes out in the clear and does not change, so every sensor that hears a probe sees the same identifier, and the SSIDs reveal which networks the device has joined before. (Later phone operating systems randomise the MAC address used in probe requests, which weakens this identifier; the phones this article was written for sent their real hardware address.)
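To make the mechanism concrete, here is an added example (my code, not code from the original article or from its wifi-scan script) that builds probe requests the way a client transmits them and parses them back out of raw 802.11 management frames using only the Python standard library. It assumes frames without a radiotap header or trailing FCS; the MAC addresses and SSIDs are constructed sample data. Wireshark's display filter `wlan.fc.type_subtype == 0x04` selects the same frames.

```python
"""Build and decode 802.11 probe requests (stdlib only; added example)."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
IE_SSID = 0             # information element id for the SSID
IE_SUPPORTED_RATES = 1  # information element id for supported rates
# Frame Control byte: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
# Management (type 0) / probe request (subtype 4) gives 0x40.
FC_PROBE_REQUEST = 0x40


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_from_str(text):
    return bytes(int(part, 16) for part in text.split(":"))


def build_probe_request(src_mac, ssid=b"", seq=0):
    """Assemble a probe request as a client would transmit it (constructed test input).

    An empty ssid yields the wildcard ("broadcast") probe that asks every AP in range
    to answer; a non-empty ssid leaks the name of a network the client knows.
    """
    header = struct.pack(
        "<BBH6s6s6sH",
        FC_PROBE_REQUEST, 0,    # frame control, flags
        0,                      # duration
        BROADCAST,              # addr1: destination (all APs)
        mac_from_str(src_mac),  # addr2: transmitter, the identifier trackers key on
        BROADCAST,              # addr3: BSSID, unknown while scanning
        seq << 4,               # sequence control: 12-bit seq number, 4-bit fragment
    )
    body = bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s
    return header + body


def parse_ies(body):
    """Walk the tagged parameters (id, length, value) that follow the fixed header."""
    ies = {}
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:   # truncated element: stop rather than misparse
            break
        ies[eid] = value
        i += 2 + length
    return ies


def parse_probe_request(frame):
    """Return the transmitter MAC, SSID and sequence number of a probe request,
    or None if the frame is too short or is some other frame type."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        return None
    src = frame[10:16]
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    ies = parse_ies(frame[24:])
    ssid_raw = ies.get(IE_SSID, b"")
    return {
        "src": mac_to_str(src),
        "ssid": ssid_raw.decode("utf-8", "replace"),
        "broadcast": len(ssid_raw) == 0,   # no name: addressed to every AP in range
        "seq": seq,
    }


if __name__ == "__main__":
    # Constructed sample traffic: one directed probe and one wildcard probe.
    for frame in (build_probe_request("aa:bb:cc:dd:ee:01", b"HomeNet", seq=7),
                  build_probe_request("aa:bb:cc:dd:ee:02")):
        print(parse_probe_request(frame))
```

The parser keys on the transmitter address (addr2), which is the field a tracker uses, and distinguishes a directed probe (SSID present) from the wildcard probe (zero-length SSID element) that the scan script at the end of this article also prints. A beacon or any other frame type is rejected by the type/subtype check before any body parsing happens.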

Listening Mode (Monitor Mode)

WiFi adapters can operate in six modes. To capture other devices' traffic the adapter must be switched into monitor mode, in which it receives every frame on the channel without associating to anything. In this mode it transmits nothing, so a listening sensor is very hard to detect from the air.


In theory it is very easy to defend against this kind of listening. If you switch off WiFi on the phone whenever you do not need it (that is, whenever you are away from places with trusted networks), the phone stops sending probe requests and cannot be tracked this way. In practice, toggling WiFi by hand every time is tedious.

There are several Android applications that automate this. For example, AVG PrivacyFix lets you configure a list of trusted networks and turns WiFi on only when one of them is in range. There are other applications of the same kind.

On iOS the choice is limited. Without a jailbreak, Apple's sandbox does not let an application touch the WiFi switch. iOS 7 only added quicker access to the WiFi toggle, but you still have to flip it manually.

Build a tracker

You can, of course, simply use a laptop, even a MacBook: install Wireshark, put the adapter in monitor mode and filter for probe requests. But that is not very interesting, and if you want to build a whole network of trackers, laptops get expensive.

For such a modest task a Raspberry Pi with a wireless adapter is enough, or (my preference) a TP-LINK MR-3020 router with custom firmware. Both are small and can run from a 5 V USB battery pack.

Setting up the Pi is very simple because it already has a working file system, but I prefer the MR-3020: it is cheap and self-contained. So I will describe the router setup; if you want to use a Pi:

- you can skip everything up to 'Set the listening mode'
- the two devices run different Linux distributions, so some configuration files live in different places and the package managers differ
- more powerful radios such as the AWUS036H may need an externally powered USB hub

Router setup

You will need:

- TP-LINK MR-3020 router ($34.99 on Amazon). Similar models such as the TP-LINK TL-WR703N should work too
- USB flash drive (2-4 GB)
- Ethernet cable

The first part of these instructions is taken from the PirateBox project, since the initial device configuration is identical.

1. Download a copy of OpenWrt for the MR3020 (Matthias Strubel's build includes all the necessary kernel modules).
Additional information:
Firmware discussion:
Firmware for the WR703N: attitude_adjustment/12.09-beta2/ar71xx/generic

2. Set the mode switch next to the LAN/WAN port to WISP

3. Disconnect the laptop’s WiFi

4. Connect the router to the computer via Ethernet and open its web interface in your browser: (MR3020) or (WR703N)

5. Log in with the default credentials (admin / admin)

6. Go to System Tools > Firmware Upgrade and select the OpenWrt firmware file. The WR703N ships with a Chinese-language web interface: to flash it from there, choose the last menu on the left, then the third item in its submenu. More details .

7. After the upgrade, the system will restart

8. Log in over telnet


9. Set a root password with the passwd command. Once a password is set, OpenWrt enables SSH access.


10. Use vi to edit the network settings. Suppose your main gateway has the address . The OpenWrt address must differ from it but lie on the same subnet.

    vi /etc/config/network

Change the file to this state:

    config interface 'loopback'
            option ifname 'lo'
            option proto 'static'
            option ipaddr ''
            option netmask ''
    config interface 'lan'
            option ifname 'eth0'
            option type 'bridge'
            option proto 'static'
            option ipaddr ''
            option netmask ''
            option gateway ''
            list dns ''
            list dns ''

11. Disconnect the router from the network

12. Turn on WiFi on the laptop

13. Connect the MR3020 (or WR703N) to your gateway router via Ethernet and power it on. Wait a minute, then from a computer on the LAN try to log into it:

    ssh root@

14. Ping google to check settings


15. Add USB support to OpenWrt (if you have not used the already configured firmware from step 1):

    opkg update
    opkg install kmod-usb-uhci
    insmod usbcore ## may return: file exists
    insmod uhci
    opkg install kmod-usb-ohci ## may return: up to date.
    insmod usb-ohci

USB setup

Partition the flash drive in two: a main Ext4 partition and a swap partition of 256 to 512 MB.
Log in via ssh to the router.
Install packages to support Ext4:

    root@OpenWrt:~# opkg update
    root@OpenWrt:~# opkg install block-mount kmod-fs-ext4 

Insert the flash drive into the router and check that it has been detected:

    root@OpenWrt:~# ls /dev | grep sda

Configuring the file system

Now we make sda1 the overlay that backs the root file system (extroot)
(as described here )

root@OpenWrt:~# mkdir /mnt/sda1
root@OpenWrt:~# mount /dev/sda1 /mnt/sda1

Check that it is mounted (the output should show /dev/sda1 on /mnt/sda1 type ext4):

root@OpenWrt:~# mount | grep sda1

Copy the router's current overlay to the flash drive, so that all existing settings are present on the USB stick when it becomes the root overlay after the reboot:

root@OpenWrt:~# tar -C /overlay -cvf - . | tar -C /mnt/sda1 -xf -

Add an automatic mount of /dev/sda1 to /etc/config/fstab:

root@OpenWrt:~# vi /etc/config/fstab

Use the following settings:

config global automount
    option from_fstab 1
    option anon_mount 1
config global autoswap
    option from_fstab 1
    option anon_swap 0
config mount
    option target   /overlay
    option device   /dev/sda1
    option fstype   ext4
    option options  rw,sync
    option enabled  1
    option enabled_fsck 0
config swap
    option device   /dev/sda2
    option enabled  0

Reboot the router

root@OpenWrt:~# reboot

When all the lights come on again, go to ssh and check that the flash drive is correctly picked up.

root@OpenWrt:~# mount | grep sda1
/dev/sda1 on /overlay type ext4 (rw,sync,relatime,user_xattr,barrier=1,data=ordered)

If you cannot get in over ssh, the copy went wrong. Remove the flash drive and power-cycle the router; once it is up you can log in again over ssh. Then reinsert the flash drive and repeat the steps above.

Customize swap

The router has very little RAM (about 32 MB), and a long-running process can exhaust it. To check memory use, enter

root@OpenWrt:~# free

To solve memory problems, you can use the swap partition. First, check that it works:

root@OpenWrt:~# mkswap /dev/sda2

Now connect it to the swap:

root@OpenWrt:~# swapon /dev/sda2

Run free again to verify that it is connected.

root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         29212        19160        10052            0         1972
-/+ buffers:              17188        12024
Swap:       475644            0       475644    

For this to happen automatically, it is best to make a separate script. By the way, at the same time you will learn how to make such scripts.

Script to connect Swap at startup

Let's start by creating a script:

root@OpenWrt:~# vi /etc/init.d/swapon

Enter the following into the file:

#!/bin/ash /etc/rc.common
START=109   # start order, matching the S109 symlink created below
start() {
    echo "start swap"
    swapon /dev/sda2
}
stop() {
    echo "stop swap"
    swapoff /dev/sda2
}

Make it executable:

root@OpenWrt:~# chmod +x /etc/init.d/swapon

Now create a symlink to it in /etc/rc.d:

root@OpenWrt:~# ln -s /etc/init.d/swapon /etc/rc.d/S109swapon

The number after S sets the start order: every file in /etc/rc.d is named S## and they run in ascending order, so S109 starts after all of OpenWrt's own services, by which time the USB stack is up and /dev/sda2 exists.

Reboot, go through ssh and check the swap connection:

root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         29212        19276         9936            0         2152
-/+ buffers:              17124        12088
Swap:       475644            0       475644

Set the listening mode

Almost everything is ready. We need to edit the wireless settings:

root@OpenWrt:~# vi /etc/config/wireless

Comment out the line that disables the radio:

#option disabled 1

Use the following settings:

config wifi-iface
    option device   radio0
    option network  lan
    option mode     monitor
    option hidden 1

Restart wifi interface:

root@OpenWrt:~# wifi down; wifi up

Error messages such as those presented below should not affect the operation of wifi:

ifconfig: SIOCSIFHWADDR: Invalid argument
command failed: Device or resource busy (-16)

Verify that wifi is working and in monitor mode:

root@OpenWrt:~# iwconfig
lo        no wireless extensions.
wlan0     IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=15 dBm
          RTS thr:off   Fragment thr:off
          Power Management:on
eth0      no wireless extensions.
br-lan    no wireless extensions.

Package Installation

Now we will install all the packages necessary for the scanner:

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg upgrade tar wget
root@OpenWrt:~# opkg install python tcpdump unzip
root@OpenWrt:~# wget
root@OpenWrt:~# tar -xvf scapy-latest.tar.gz
root@OpenWrt:~# cd scapy*
root@OpenWrt:~# python install
root@OpenWrt:~# cd ..; rm -rf scapy*

Scan script check

Copy the scripts with git (or they can be downloaded as zip)

root@OpenWrt:~# mkdir /overlay/scripts; cd /overlay/scripts
root@OpenWrt:/overlay/scripts# wget --no-check-certificate -O
root@OpenWrt:/overlay/scripts# unzip
root@OpenWrt:/overlay/scripts# mv edkeeble-wifi-scan-e2a08627f05d wifi-scan  

As responsible hackers, we will not intercept all requests. We will make a whitelist where we include only our phones.

root@OpenWrt:/overlay/scripts# cd wifi-scan
root@OpenWrt:/overlay/scripts/wifi-scan# vi
WHITELIST = ['00:00:00:00:00:00',] # replace with your phone's MAC address

Check the script:

root@OpenWrt:/overlay/scripts/wifi-scan# python wlan0

Take out your phone and disconnect it from its current network, but leave WiFi on. In the terminal you should start to see the requests it sends. You will notice that not all requests carry an SSID: requests without one are broadcast probes, addressed to every access point in range.

Ctrl-C will stop the script


That's it. You now have a router that notices smartphones passing by. In this form the script is not particularly useful, of course; you could extend it to collect more data, write it to a log, track the movement of phones between several of your devices, and so on.
