Sunday, March 20, 2011

Where Have You Been?

Probe Request frames are useful for gathering information about Stations. For example, analyzing Probe Request traffic could be used for the following:
  • Finding potential targets for Karma attacks.
  • Finding Stations that have connected to other wireless networks (Hotspots, Open Networks, etc.).
  • Finding Stations running Windows XP, by searching for Probe Requests that have the SSID IE set to random binary data[1].
  • Finding possible relations between Stations: through the vendor or the SSID we could find Stations belonging to a certain network.
  • Finding rogue WAPs.
  • Social Engineering attacks against the owners of client Stations.

If your wireless network has client Stations that are vulnerable to client attacks, then the network is vulnerable.

I scripted a mini tool to sniff Probe Request frames and generate an HTML report with the information.

Script requirements:
The script saves information in a sqlite3 database in the report directory defined by the user. When the user stops the script by pressing Ctrl+C, the HTML report is generated in the report directory.

            ./ wlan0 2010-06-29

The output of the tool is something like this:

Where Have You Been?
Press Ctrl+C to stop.
[2010-07-06 03:55:37] - 00:40:F4:XX:XX:XX - paXXXXXXXXXX
[2010-07-06 03:55:37] - 00:23:4D:XX:XX:XX - LaXXXXXXXXXX
[2010-07-06 03:55:37] - 00:24:2B:XX:XX:XX - AXXXXXXXXXX
[2010-07-06 03:55:37] - 00:24:2B:XX:XX:XX - linXXXXXXXXXX
Ctrl+C caught.

The script is available here.
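The SSID extraction described above, as an added example that is not the script from this post: it parses raw 802.11 Probe Request frames (no radiotap header) with the Python standard library, separates wildcard, directed and binary SSIDs, and reports which stations disclose network names outside an allow-list of your own SSIDs. The frames, MAC addresses, SSIDs, the `_frame` helper and the `own_ssids` allow-list are constructed for illustration.

```python
from collections import defaultdict

def parse_probe_request(frame: bytes):
    """Return (station MAC, raw SSID bytes), or None if not a well-formed Probe Request."""
    if len(frame) < 24 or frame[0] != 0x40:  # 0x40 = management type, subtype 4
        return None
    station = ":".join(f"{b:02X}" for b in frame[10:16])  # addr2 = transmitter
    pos = 24  # information elements follow the 24-byte MAC header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            return None  # truncated information element
        if tag == 0:  # SSID IE, at most 32 bytes
            return (station, value) if length <= 32 else None
        pos += 2 + length
    return None

def classify_ssid(ssid: bytes) -> str:
    if not ssid:
        return "wildcard"  # broadcast probe, discloses no network name
    try:
        text = ssid.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "directed" if text.isprintable() else "binary"

def audit(frames, own_ssids):
    """Return ({station: foreign SSIDs disclosed}, stations sending binary SSIDs)."""
    leaks, binary = defaultdict(set), set()
    for parsed in map(parse_probe_request, frames):
        if parsed is None:
            continue
        station, ssid = parsed
        kind = classify_ssid(ssid)
        if kind == "binary":
            binary.add(station)
        elif kind == "directed" and ssid.decode() not in own_ssids:
            leaks[station].add(ssid.decode())
    return dict(leaks), binary

def _frame(src: bytes, ssid: bytes, fc: int = 0x40) -> bytes:  # constructed sample frame
    hdr = bytes([fc, 0, 0, 0]) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return hdr + bytes([0, len(ssid)]) + ssid + b"\x01\x04\x02\x04\x0b\x16"

A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
SAMPLE = [_frame(A, b"CorpWiFi"), _frame(A, b"CoffeeShop-Free"), _frame(A, b""),
          _frame(B, bytes(range(1, 33))), _frame(B, b"x", fc=0x80)]  # last one: beacon
print(audit(SAMPLE, own_ssids={"CorpWiFi"}))
```

Stations that appear in the first result are the ones whose preferred-network entries are worth cleaning up; wildcard probes and probes for your own SSIDs are ignored.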


  1. Is it possible to get the RSSI of a packet using these tools?

    1. The tool doesn't do it, but the code is pretty simple so it can be modified to show the RSSI.