
Tracking devices by passively listening to WiFi
(Translation)
Over the past year I have come across many stories about passive WiFi tracking. Almost everyone focuses on security and privacy, but few explain how it actually works. I did a whole project, Casual Encounters, on this, so I can share how the system works, how to avoid being tracked, and how to build one (for research purposes, of course). Do not try this at home.
Probe Requests
When a WiFi client wants to connect to a known network, it has two ways to find it. The first, used by laptops and other devices that are not smartphones, is passive scanning: the client listens for beacon frames, which access points broadcast to announce their presence, recognizes a network it already knows, and connects to it. The second, commonly used by smartphones, is active scanning: the client periodically broadcasts probe requests, which carry its MAC address as the source and, in directed probes, the SSID of a network it knows. Active scanning is faster, and it is also far easier to exploit for our purposes, because the phone announces its MAC address (and sometimes its saved networks) to anyone within radio range.
Listening Mode (Monitor Mode)
WiFi adapters can operate in several modes (managed, master, ad-hoc, monitor, and others). To listen to all traffic on a channel, the adapter is switched to monitor mode. In monitor mode it captures every frame it hears without associating with any network and transmits nothing of its own, so the presence of such a sniffer is very hard to detect over the air.
Protection
In theory, defending against this kind of eavesdropping is easy. If you turn off WiFi on the phone whenever you do not need it (that is, whenever you are away from places with trusted networks), the phone stops sending probe requests and cannot be tracked this way. In practice, toggling WiFi by hand every time is tedious.
There are several Android applications that automate this. For example, AVG PrivacyFix lets you configure a list of trusted networks, and WiFi is switched on only when one of them is in range. Other applications on the same theme exist.
On iOS the choice is limited. Without a jailbreak, Apple's sandbox does not give applications access to the WiFi switch. iOS 7 only added quicker access to the WiFi toggle in Control Center, but you still have to flip it manually.
One later development is worth knowing: newer releases of both systems randomize the MAC address used in probe requests while the phone is not associated, which blunts any tracker that identifies a phone by its hardware MAC, including the whitelist used below.
Build a tracker
You can, of course, just use a laptop, even a MacBook: install Wireshark and set a capture filter for probe requests. But that is not very interesting, and if you want to build a whole network of trackers, laptops get expensive.
For such unobtrusive purposes a Raspberry Pi with a wireless adapter, or (my preference) a TP-LINK MR-3020 router with custom firmware, is enough. Both are small and can be powered from a 5-volt battery.
Setting up the Pi is simple, because it already has a working file system, but I prefer the MR-3020: it is cheap and self-contained. So I will describe the router configuration; if you want to use the Pi:
- you can skip straight to the section "Set the listening mode"
- the two devices run different Linux distributions, so some configuration files may live in different places and the package managers differ
- more powerful radios such as the AWUS036H may need an externally powered USB hub
Router setup
You will need:
- a TP-LINK MR-3020 router ($34.99 on Amazon); similar models such as the TP-LINK TL-WR703N should also work
- a USB flash drive (2-4 GB)
- an Ethernet cable
The first part of these instructions is taken from the PirateBox project, since the initial device configuration is identical.
1. Download a copy of OpenWrt for the MR3020 (the build by Matthias Strubel includes all the necessary kernel modules).
Additional information: forum.daviddarts.com/read.php?2,3974,4009#msg-4009
Firmware discussion: forum.openwrt.org/viewtopic.php?pid=207769#p207769
Firmware for the WR703N: downloads.openwrt.org/attitude_adjustment/12.09-beta2/ar71xx/generic
2. Set the switch next to the LAN/WAN port to WISP
3. Turn off the laptop's WiFi
4. Connect the router to the computer via Ethernet and open 192.168.0.254 (MR3020) or 192.168.1.1 (WR703N) in the browser
5. Log in (admin / admin)
6. Go to System Tools > Firmware Upgrade and select the OpenWrt firmware. The WR703N's stock web interface is in Chinese: to flash it from there, choose the last menu on the left, then the third item in the submenu.
7. After the upgrade the router reboots
8. Connect to it via telnet:
telnet 192.168.1.1
9. Set a root password with the passwd command. On OpenWrt this enables SSH access (and disables the password-less telnet login):
passwd
10. Edit the network settings with vi. Suppose your primary gateway is 192.168.2.1. The OpenWrt address must differ from it but be on the same subnet:
vi /etc/config/network
Change the file to this state:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.2.111'
option netmask '255.255.255.0'
option gateway '192.168.2.1'
list dns '192.168.2.1'
list dns '8.8.8.8'
11. Disconnect the router from the computer
12. Turn the laptop's WiFi back on
13. Connect the MR3020 (or WR703N) to your gateway router via Ethernet and power it on. Wait a minute, then from a computer on the same LAN try to log in to it:
ssh root@192.168.2.111
14. Ping Google to check the settings:
ping google.com
15. Add USB support to OpenWrt (skip this if you used the pre-built firmware from step 1):
opkg update
opkg install kmod-usb-uhci
insmod usbcore ## may return: file exists
insmod uhci
opkg install kmod-usb-ohci ## may return: up to date.
insmod usb-ohci
USB setup
Format the flash drive into two partitions: the main one as ext4, and a swap partition of 256-512 MB.
Log in to the router via ssh and install the ext4 support packages:
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install block-mount kmod-fs-ext4
Insert the flash drive into the router and check that it was detected:
root@OpenWrt:~# ls /dev | grep sda
sda
sda1
sda2
Configuring the file system
Now we make sda1 the root (overlay) file system, as described at wiki.openwrt.org/doc/howto/extroot#openwrt:
root@OpenWrt:~# mkdir /mnt/sda1
root@OpenWrt:~# mount /dev/sda1 /mnt/sda1
Check that it is mounted (the output should show /dev/sda1 on /mnt/sda1 type ext4):
root@OpenWrt:~# mount | grep sda1
Copy the router's current overlay to the flash drive, so that all the settings are in place when we reboot with USB as the root file system:
root@OpenWrt:~# tar -C /overlay -cvf - . | tar -C /mnt/sda1 -xf -
Add automatic mounting of /dev/sda1 to /etc/config/fstab:
root@OpenWrt:~# vi /etc/config/fstab
Use the following settings:
config global automount
option from_fstab 1
option anon_mount 1
config global autoswap
option from_fstab 1
option anon_swap 0
config mount
option target /overlay
option device /dev/sda1
option fstype ext4
option options rw,sync
option enabled 1
option enabled_fsck 0
config swap
option device /dev/sda2
option enabled 0
Reboot the router
root@OpenWrt:~# reboot
When all the lights are back on, log in via ssh and check that the flash drive was picked up correctly:
root@OpenWrt:~# mount | grep sda1
/dev/sda1 on /overlay type ext4 (rw,sync,relatime,user_xattr,barrier=1,data=ordered)
If you cannot get in via ssh, the file copy went wrong. Remove the flash drive and power-cycle the router. Once it has booted you can log in via ssh again; then reinsert the flash drive and repeat the previous steps.
Setting up swap
The router has little memory, and long-running processes can exhaust it. To check memory usage, enter:
root@OpenWrt:~# free
To relieve memory pressure, use the swap partition. First, initialize it as swap space:
root@OpenWrt:~# mkswap /dev/sda2
Now enable it:
root@OpenWrt:~# swapon /dev/sda2
Run free again to verify that it is in use:
root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         29212        19160        10052            0         1972
-/+ buffers:              17188        12024
Swap:       475644            0       475644
To enable swap automatically at boot, it is best to write an init script; along the way you will see how such scripts are made.
Script to enable swap at startup
Start by creating the script:
root@OpenWrt:~# vi /etc/init.d/swapon
Put the following into the file:
#!/bin/ash /etc/rc.common
# OpenWrt init script: rc.common turns start()/stop() into
# "/etc/init.d/swapon start|stop" and uses START/STOP for the rc.d ordering
START=109
STOP=151
start() {
echo "start swap"
swapon /dev/sda2   # the swap partition created above
}
stop(){
echo "stop"
}
Make it executable:
root@OpenWrt:~# chmod +x /etc/init.d/swapon
Now create a symlink to it in /etc/rc.d:
root@OpenWrt:~# ln -s /etc/init.d/swapon /etc/rc.d/S109swapon
S109 sets the script's start order: every file in /etc/rc.d begins with S##, and 109 places it at the very end, after everything else has started. (Running /etc/init.d/swapon enable creates the same symlink from the START= value.)
Reboot, log in via ssh, and check that swap is enabled:
root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         29212        19276         9936            0         2152
-/+ buffers:              17124        12088
Swap:       475644            0       475644
Set the listening mode
Almost everything is ready. Now we edit the wireless settings:
root@OpenWrt:~# vi /etc/config/wireless
Comment out the line that disables WiFi:
#option disabled 1
Use the following settings:
config wifi-iface
option device radio0
option network lan
option mode monitor
option hidden 1
Restart the WiFi interface:
root@OpenWrt:~# wifi down; wifi up
Error messages like the ones below do not affect WiFi operation:
ifconfig: SIOCSIFHWADDR: Invalid argument
command failed: Device or resource busy (-16)
Verify that WiFi is up and in monitor mode:
root@OpenWrt:~# iwconfig
lo no wireless extensions.
wlan0 IEEE 802.11bgn Mode:Monitor Frequency:2.412 GHz Tx-Power=15 dBm
RTS thr:off Fragment thr:off
Power Management:on
eth0 no wireless extensions.
br-lan no wireless extensions.
Package installation
Now install all the packages the scanner needs:
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg upgrade tar wget
root@OpenWrt:~# opkg install python tcpdump unzip
root@OpenWrt:~# wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
root@OpenWrt:~# tar -xvf scapy-latest.tar.gz
root@OpenWrt:~# cd scapy*
root@OpenWrt:~# python setup.py install
root@OpenWrt:~# cd ..; rm -rf scapy*
Checking the scan script
Fetch the scripts (here as a zip archive; they can also be cloned with git):
root@OpenWrt:~# mkdir /overlay/scripts; cd /overlay/scripts
root@OpenWrt:/overlay/scripts# wget http://bitbucket.org/edkeeble/wifi-scan/get/e2a08627f05d.zip --no-check-certificate -O wifiscan.zip
root@OpenWrt:/overlay/scripts# unzip wifiscan.zip
root@OpenWrt:/overlay/scripts# mv edkeeble-wifi-scan-e2a08627f05d wifi-scan
As responsible hackers we will not capture everyone's requests: we make a whitelist containing only our own phones.
root@OpenWrt:/overlay/scripts# cd wifi-scan
root@OpenWrt:/overlay/scripts/wifi-scan# vi wifiscan.py
WHITELIST = ['00:00:00:00:00:00',] # replace with your phone's MAC address
Run the script:
root@OpenWrt:/overlay/scripts/wifi-scan# python wifiscan.py wlan0
Take out your phone, disconnect from the current network, but leave WiFi on. In the terminal you should start to see the probe requests it sends. You may notice that not all requests carry an SSID: requests without an SSID are broadcast (wildcard) probes, addressed to every access point within range.
Ctrl-C stops the script.
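Here is what the scanner does, written out as a plain-Python parser so it can be read and run offline. This is an added example, not the wifi-scan script from the repository above and not scapy: it assumes the layout a monitor-mode interface delivers (a radiotap header followed by the raw 802.11 management frame), extracts the client MAC, the probed SSID and the RSSI, applies the same kind of MAC whitelist, and flags source addresses with the locally-administered bit set, which is what a phone that randomizes its probe MAC produces. The sample frames and MAC addresses are constructed for the demonstration.

```python
"""802.11 probe-request parser with a MAC whitelist, in plain Python.
Added example: not the post's wifi-scan script and not scapy. It consumes
radiotap-framed 802.11 frames (what a monitor-mode interface delivers) and
extracts what the scapy script prints: client MAC, probed SSID, RSSI."""
import struct
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Radiotap 'present' bits this parser can step over: bit -> (size, alignment)
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2), 5: (1, 1), 6: (1, 1)}
RT_DBM_ANTSIGNAL = 5


@dataclass
class ProbeRequest:
    src: str             # Addr2: the probing client's MAC
    ssid: str            # "" for a wildcard (broadcast) probe
    rssi: Optional[int]  # dBm from radiotap, None if the header lacks it
    randomized: bool     # locally-administered bit set: probably a random MAC


def parse_radiotap(frame: bytes):
    """Return (header_length, rssi). Walking stops at the first unknown field."""
    version, _pad, length, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version")
    off, word = 8, present
    while word & (1 << 31):            # extended 'present' words precede fields
        word = struct.unpack_from("<I", frame, off)[0]
        off += 4
    rssi = None
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break                      # unknown size: cannot align past it
        size, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align
        if bit == RT_DBM_ANTSIGNAL:
            rssi = struct.unpack_from("<b", frame, off)[0]
        off += size
    return length, rssi


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Parse one radiotap+802.11 frame; None unless it is a probe request."""
    rt_len, rssi = parse_radiotap(frame)
    dot11 = frame[rt_len:]
    if len(dot11) < 24:
        return None
    fc0 = dot11[0]
    if ((fc0 >> 2) & 0x3) != 0 or (fc0 >> 4) != 4:  # type 0 (mgmt), subtype 4
        return None
    src = dot11[10:16]                 # FC, dur, addr1, addr2, addr3, seqctl
    ssid, off = "", 24
    while off + 2 <= len(dot11):       # tagged parameters: id, len, value
        tag, tlen = dot11[off], dot11[off + 1]
        if tag == 0:                   # SSID element; empty = wildcard probe
            ssid = dot11[off + 2:off + 2 + tlen].decode("utf-8", "replace")
            break
        off += 2 + tlen
    mac = ":".join(f"{b:02x}" for b in src)
    return ProbeRequest(mac, ssid, rssi, bool(src[0] & 0x02))


def scan(frames, whitelist) -> List[ProbeRequest]:
    """Keep only probe requests from the MACs we are allowed to watch."""
    allowed = {m.lower() for m in whitelist}
    hits = []
    for frame in frames:
        pr = parse_probe_request(frame)
        if pr and pr.src in allowed:
            hits.append(pr)
    return hits


def build_probe_request(src: str, ssid: str, rssi: int) -> bytes:
    """Constructed frame for testing (not captured traffic): radiotap with
    flags, rate, channel and dBm signal, then a broadcast probe request."""
    radiotap = (struct.pack("<BBHI", 0, 0, 15, 0x2E) + bytes([0x00, 0x02])
                + struct.pack("<HHb", 2412, 0x0480, rssi))
    bcast = bytes.fromhex(BROADCAST.replace(":", ""))
    sa = bytes.fromhex(src.replace(":", ""))
    hdr = b"\x40\x00\x00\x00" + bcast + sa + bcast + b"\x10\x00"
    body = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return radiotap + hdr + body


SAMPLE_FRAMES = [  # constructed sample input
    build_probe_request("00:11:22:33:44:55", "HomeNet", -47),     # our phone
    build_probe_request("00:11:22:33:44:55", "", -51),            # wildcard probe
    build_probe_request("6c:77:88:99:aa:bb", "CoffeeShop", -70),  # not whitelisted
    build_probe_request("da:a1:19:00:00:01", "", -60),            # random MAC
]

if __name__ == "__main__":
    for pr in scan(SAMPLE_FRAMES, ["00:11:22:33:44:55"]):
        print(pr)
```

On the router, the tcpdump installed above shows the same frames with `tcpdump -i wlan0 -e -s 256 type mgt subtype probe-req`, and with `-w` it writes them to a file that any pcap reader can feed frame by frame into parse_probe_request. The randomized flag is the check a practitioner wants before trusting the whitelist: a phone that sets the locally-administered bit is changing its probe MAC, so it will never match a hardware address on the list.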
Summary
That's it. You now have a router that watches the smartphones passing by it. Of course, the script is not very useful in this form; you can extend it to collect more data, write it to a log, track how phones move between several of your sniffers, and so on.
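The summary suggests logging sightings and tracking a phone's movement between several sniffers. As an added example (not code from the post or from the wifi-scan repository), here is how that correlation can be done over the combined logs of several routers: consecutive sightings of one MAC at one sensor are collapsed into a visit, and the ordered visits give the path. The log line format, sensor names and MAC addresses are invented for the demonstration, and the 300-second quiet period that ends a visit is an assumption.

```python
"""Correlate probe-request sightings from several sniffers into movement paths.
Added example, not from the original post. It assumes each router appends one
line per whitelisted probe to a shared log in this invented format:
    <ISO time> sensor=<name> mac=<client MAC> rssi=<dBm> ssid=<name or ->
and reconstructs where each phone was seen, for how long, and in what order."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LINE = re.compile(r"^(\S+) sensor=(\S+) mac=([0-9a-f:]{17}) rssi=(-?\d+) ssid=(\S+)$")

Visit = Tuple[str, datetime, datetime]  # (sensor, first_seen, last_seen)


def parse_log(lines) -> List[Tuple[datetime, str, str, int]]:
    """Return (time, sensor, mac, rssi) records sorted by time; skip bad lines."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # malformed or truncated line
        ts, sensor, mac, rssi, _ssid = m.groups()
        out.append((datetime.fromisoformat(ts), sensor, mac.lower(), int(rssi)))
    return sorted(out)


def movement_paths(records, max_gap_s: int = 300) -> Dict[str, List[Visit]]:
    """Collapse consecutive sightings of a MAC at one sensor into a visit.
    A new visit starts when the sensor changes or when the device has been
    silent for longer than max_gap_s (an assumed threshold)."""
    paths: Dict[str, List[Visit]] = defaultdict(list)
    for ts, sensor, mac, _rssi in records:
        visits = paths[mac]
        if visits:
            last_sensor, first, last = visits[-1]
            if last_sensor == sensor and (ts - last).total_seconds() <= max_gap_s:
                visits[-1] = (sensor, first, ts)   # extend the current visit
                continue
        visits.append((sensor, ts, ts))
    return dict(paths)


def transitions(path: List[Visit]) -> List[Tuple[str, str, int]]:
    """Hops between sensors as (from, to, seconds from last to first sighting)."""
    hops = []
    for (a, _a0, a1), (b, b0, _b1) in zip(path, path[1:]):
        hops.append((a, b, int((b0 - a1).total_seconds())))
    return hops


SAMPLE_LOG = """\
2013-07-01T12:00:05 sensor=entrance mac=00:11:22:33:44:55 rssi=-47 ssid=HomeNet
2013-07-01T12:00:35 sensor=entrance mac=00:11:22:33:44:55 rssi=-52 ssid=-
2013-07-01T12:01:10 sensor=entrance mac=aa:bb:cc:dd:ee:ff rssi=-70 ssid=-
2013-07-01T12:03:40 sensor=cafe mac=00:11:22:33:44:55 rssi=-60 ssid=-
2013-07-01T12:05:00 sensor=cafe mac=00:11:22:33:44:55 rssi=-58 ssid=HomeNet
garbage line that the parser must skip
2013-07-01T12:20:00 sensor=exit mac=00:11:22:33:44:55 rssi=-49 ssid=-
2013-07-01T12:40:00 sensor=entrance mac=aa:bb:cc:dd:ee:ff rssi=-65 ssid=-
""".splitlines()   # constructed sample input, not real captures

if __name__ == "__main__":
    for mac, path in movement_paths(parse_log(SAMPLE_LOG)).items():
        print(mac, " -> ".join(v[0] for v in path), transitions(path))
```

Because the timestamps come from several routers, their clocks must agree (NTP on each OpenWrt box) or the hop times and even the visit order become meaningless; the gap threshold also needs tuning, since phones send probes in bursts with long silences between them.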