Wifi Beacons
This was an adventure.
Some back story first. When any Wi-Fi-capable device you own wants to connect to a network it remembers, even when that access point isn't around, the default behaviour tends to be to probe for it. That's basically a small radio in your phone, car, watch, light bulb, whatever, saying publicly "YO! IS MY WIFI OUT THERE? WHAT ABOUT THIS OTHER ONE!!?!? NOT THAT ONE EITHER, OKAY NEVER MIND!". When doing wireless network pentesting, it's pretty common to use tools like Kismet or airodump and include these beacons, partly to flag which devices relate to the network you're targeting / have permission to access, and partly to see whether in-scope devices are connecting so you can redirect their traffic to a fake network as part of the test. But I came up with an idea a while back: I had a scan going at my house and kept seeing an ESSID (access point name) like "ROPD-CAR4" (fake, but something like that), suggesting the same cop was driving around my house. But how could you actually map that? Originally I considered laying it out in blocks, the way the anime Death Note denotes the times of day to find a schedule. This, apparently, is really awkward to do with mapping software in Python, because everything wants stats maps or direct x/y coordinates.
I decided to settle on using a heatmap as the method for this, just because that way I could at least flag this by timestamp.
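To make concrete what these "beacons" (802.11 probe requests) actually carry, here is an added example, not code from the post or its GitHub project, that decodes a raw probe request frame into the source MAC and the network names it is asking for. The frames are constructed in the code and labelled as such, the SSID reuses the post's made-up "ROPD-CAR4", and the layout assumed is a plain 802.11 management frame with no radiotap header. From an auditing standpoint this is the same decode you would run over a capture of your own devices to see which remembered networks they shout about.

```python
from dataclasses import dataclass, field

BROADCAST = bytes.fromhex("ffffffffffff")

# Constructed frames for the example (not captured traffic). Layout: frame control (2),
# duration (2), addr1/DA (6), addr2/SA (6), addr3/BSSID (6), sequence control (2), then
# information elements encoded as tag / length / value.
DIRECTED_PROBE = (
    b"\x40\x00" + b"\x00\x00" + BROADCAST + bytes.fromhex("001122334455") + BROADCAST + b"\x10\x00"
    + bytes([0, 9]) + b"ROPD-CAR4"                 # SSID element naming a remembered network
    + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])        # supported rates element
)
WILDCARD_PROBE = (
    b"\x40\x00" + b"\x00\x00" + BROADCAST + bytes.fromhex("02aabbccddee") + BROADCAST + b"\x20\x00"
    + bytes([0, 0])                                # zero-length SSID: "anyone out there?"
    + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
)
# A beacon (management subtype 8) with only a header, to show non-probe frames are skipped.
BEACON_FRAME = b"\x80\x00" + b"\x00\x00" + BROADCAST + bytes.fromhex("aabbccddeeff") * 2 + b"\x30\x00"


@dataclass
class ProbeRequest:
    source_mac: str
    ssids: list = field(default_factory=list)  # empty for a wildcard probe


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame):
    """Decode one 802.11 frame (no radiotap header). Returns a ProbeRequest, or None when the
    frame is not a management frame (type 0) of subtype 4 (probe request)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    frame_type, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if frame_type != 0 or subtype != 4:
        return None
    req = ProbeRequest(source_mac=mac_str(frame[10:16]))  # addr2 is the transmitter
    pos = 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop instead of trusting the declared length
        if tag == 0 and length:
            req.ssids.append(value.decode("utf-8", errors="replace"))
        pos += 2 + length
    return req


def leaked_ssids(frames):
    """Per source MAC, the set of network names its probes reveal (empty set = wildcard only)."""
    result = {}
    for frame in frames:
        req = parse_probe_request(frame)
        if req is None:
            continue
        result.setdefault(req.source_mac, set()).update(req.ssids)
    return result


if __name__ == "__main__":
    for mac, names in leaked_ssids([DIRECTED_PROBE, WILDCARD_PROBE, BEACON_FRAME]).items():
        print(mac, "->", sorted(names) or "(wildcard only)")
```

The directed probe is the one that leaks: a device asking for "ROPD-CAR4" by name tells everyone in range which network it has saved, whereas a wildcard probe only reveals that some radio is present. The parser also stops on a truncated element rather than reading past the end of the frame, which matters when feeding it arbitrary pcap data.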
Scripting
Coding this idea was kind of a pain in the backside, due to the excessive need to google to hammer through each part. I had an original script up and running after a couple of days, which, while it gave a usable output, was not really readable and still had some bugs. So, since we live in an age of AI doing our thinking for us, I tried to see if the AI could rewrite this for me in a way that worked for the goal. Long story short, it didn't really understand the goal, so it kind of just did some timestamps which overwrote themselves every single time, and not much else.
So, as the classic meme about "vibe coding" tends to represent, I spent substantially longer trying to debug that than I would have just rewriting something that made sense to me. Testing whether it could fix itself ran me into a LOOONG series of problems I've never had with matplotlib and numpy, and even then I had to google and mix and match until I got something useful again. It was helpful for migrating from the TinyDB logic (which didn't hold up well when trying to save multiple things) to the SQLite database version. The regex it gave was also not working, so I had to tweak, modify and guess, and eventually replace it.
Effectively, my take on vibe coding is that you're using an AI instead of Google. Don't let it do the coding for you, because you'll spend even more of your time trying to find out what's not working, and of course it's better at common tasks than weird tasks. So if you're making it build something there are statistically millions of, it's more likely to work than something there's less of. Censorship and weirdness also play a part in AI training these days, and hallucinations (things that are statistically likely to be correct based on similarities to reality, but aren't the real thing, or can otherwise be manipulated by a third-party actor) are common in programming due to the massive, constant fluctuation of libraries and features. But if you're looking for a technique to use, or trying to understand troubleshooting data that's too massive for you to look through directly, sometimes it's useful.
At least it's working
So I got this set up and running over on my GitHub (here), and it does a sort of heatmap analysis for things that fall into the same 15-minute bracket (let's be real, it's just normalized to it). In this image, here's an example where something connected once at 8am on Wednesday, then many times between 5 and 6am Thursday. This is of course not relevant to the original idea behind this (not some cop's car), but based on MAC address and timestamp tracking, this script can either run its own capture or pull from a pcap, then build a database and map these things. The use cases for this could be weird, because in essence you're monitoring devices shouting publicly, but the ability to track times of day allows targeting, as a pentesting technique, for when devices (legally and in scope) are in range. Comparing these graphs will give a pentester the ability to identify the best devices to target the clients of an access point with a fake access point or a deauth attack.

This example showcases not only the ability to track by time of day, which can be mapped over several weeks or months, enabling schedule identification without someone manually documenting all of this, but also roughly how many times it was seen during a timeframe, which draws on both deviation analysis and similarity analysis. Meaning: if a pentest was geared towards targeting a known computer in the office, and a Raspberry Pi tracked it for a few weeks, and the Wi-Fi itself couldn't be directly compromised (secure password, usage and what not), but the known computer was seen coming online at 6am every morning, you could begin a deauth attack against the client for the real access point and create a fake access point for them to connect to, with a captive portal saying the network needs their credentials to reset. Because it's first thing in the morning, when it comes online, it will have a higher success rate than any other time of day, because that's when they're starting up and expecting weirdness. But now you have their credentials and can stop the deauth, let them reconnect, then connect to the network once they're back offline at the end of the night, mimicking that MAC address and now using the user's password.
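The part of the pipeline the post describes but does not show is the normalisation step: sightings keyed by MAC address and timestamp go into a database, get bucketed into 15-minute brackets, and come out as a weekday-by-time-of-day count grid that the heatmap is drawn from. The following is an added example written for this post, not the script from the author's GitHub, using SQLite and the standard library only. The observations are constructed sample rows that mirror the post's picture (one sighting Wednesday at 08:00, several Thursday between 05:00 and 06:00); the table layout, the 7 x 96 grid and the helper names are my assumptions. Because the post admits the real script is not well protected against injection, the inserts and queries here are parameterised rather than string-formatted, and each tracked address is also flagged when its locally-administered bit is set, since a device rotating randomised MACs is exactly the mitigation the post recommends and will not accumulate a pattern in this grid.

```python
import sqlite3
from datetime import datetime

SLOT_MINUTES = 15
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES            # 96 brackets per day
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample observations (not a real capture). Each row is
# (ISO timestamp, source MAC of the probing device, SSID it asked for; "" = wildcard).
SAMPLE_OBSERVATIONS = [
    ("2024-05-08T08:02:11", "00:11:22:33:44:55", "ROPD-CAR4"),   # Wednesday, 08:00 bracket
    ("2024-05-09T05:04:40", "00:11:22:33:44:55", "ROPD-CAR4"),   # Thursday, 05:00 bracket
    ("2024-05-09T05:09:02", "00:11:22:33:44:55", "ROPD-CAR4"),   # same bracket again
    ("2024-05-09T05:31:57", "00:11:22:33:44:55", "ROPD-CAR4"),   # 05:30 bracket
    ("2024-05-09T05:58:13", "00:11:22:33:44:55", "ROPD-CAR4"),   # 05:45 bracket
    ("2024-05-09T05:59:59", "02:aa:bb:cc:dd:ee", ""),            # different, randomised-looking MAC
]


def open_db(path=":memory:"):
    """Create the observations table (in memory by default so the example runs anywhere)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS observations (ts TEXT NOT NULL, mac TEXT NOT NULL, ssid TEXT NOT NULL)"
    )
    return conn


def store(conn, observations):
    """Insert rows with a parameterised statement; capture data is never formatted into SQL text."""
    conn.executemany("INSERT INTO observations (ts, mac, ssid) VALUES (?, ?, ?)", observations)
    conn.commit()


def load_samples():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = open_db()
    store(conn, SAMPLE_OBSERVATIONS)
    return conn


def slot_of(ts):
    """Map a datetime to (weekday index, 15-minute bracket index); Monday is 0."""
    return ts.weekday(), (ts.hour * 60 + ts.minute) // SLOT_MINUTES


def heatmap(conn, mac):
    """Return a 7 x 96 grid of sighting counts for one MAC: the data behind the heatmap."""
    grid = [[0] * SLOTS_PER_DAY for _ in WEEKDAYS]
    for (ts_text,) in conn.execute("SELECT ts FROM observations WHERE mac = ?", (mac,)):
        day, slot = slot_of(datetime.fromisoformat(ts_text))
        grid[day][slot] += 1
    return grid


def slot_label(slot):
    minutes = slot * SLOT_MINUTES
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def active_slots(grid):
    """Flatten the grid to (weekday, bracket start, count) for every non-empty cell."""
    return [
        (WEEKDAYS[day], slot_label(slot), count)
        for day, row in enumerate(grid)
        for slot, count in enumerate(row)
        if count
    ]


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set: the address is software-assigned
    (randomised) rather than burned-in, so it will not identify one device across sessions."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def tracked_devices(conn):
    """Per MAC: number of sightings and whether the address looks randomised."""
    rows = conn.execute("SELECT mac, COUNT(*) FROM observations GROUP BY mac").fetchall()
    return {mac: {"sightings": n, "randomised": is_locally_administered(mac)} for mac, n in rows}


if __name__ == "__main__":
    db = load_samples()
    for mac, info in tracked_devices(db).items():
        print(mac, info)
        for day, start, count in active_slots(heatmap(db, mac)):
            print(f"  {day} {start}  x{count}")
```

The grid is what you would hand to matplotlib's imshow (or any other plotting library) to get the picture the post shows; keeping the binning separate from the drawing is what made the author's matplotlib and numpy trouble avoidable here. The randomised flag is the defender's view of the same data: an address with the U/L bit set is unlikely to reappear tomorrow, so a long-running grid for it stays sparse, which is the point of enabling MAC randomisation on your own devices.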
Implications, disclaimers, and privacy considerations
This could be used for potentially criminal behavior in some places, depending on how it interacts with privacy laws, or in support of other criminal behavior. Much like lockpicks aren't B&E tools unless they're used in connection with a crime, there are legal and illegal uses for most any tool. This tool makes what people have been doing for 30 years by hand on paper a little quicker.
The ability to showcase this use /should be/ considered a personal security risk for devices that have Wi-Fi turned on while not actually in an area where they can connect. When possible, using randomly generated MAC addresses is also beneficial for the same reason. This doesn't introduce new stalking risks, as these techniques are already widely known (I was asked about this, so I'm putting the disclaimer in; there have been talks on this topic since 2005).
This script is not well protected against injection attacks, nor against radio reflection analysis, so if someone is using this illegally, a simple HackRF or Flipper can track it down. Some corporate networks already capture this sort of data directly from their wireless access points, saving it in their own database where it can be searched with Elasticsearch to build the same style of heatmap, so an unscrupulous sysadmin could be doing this already without people knowing about it.
Please do not use this illegally, cops won't have trouble catching you.
Thanks for reading
If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.