Monitor Open Wireless Traffic

Summary

It can be valuable to listen to broadcast wireless traffic at the physical office location, even before knowing anything about the organization's network itself. This outside, passive information gathering can reveal a surprising amount of data: not only which devices are connecting to which networks, but also what type of devices they are (based on the vendor portion of their unique MAC addresses) and which other networks those devices have historically connected to. These probes can reveal personal, organizational, locational, and device information that, taken in context, can be dangerous or lead to other vulnerabilities.

Considerations

    • Despite this exercise covering only broadcast data, check the local laws which might cover this process before conducting it.
    • Consider how it looks to third parties as you are scanning a network, especially from outside an office.
    • Confirm that all devices you are accessing/scanning belong to the organization.
    • Delete all devices from your scan that do not belong to the organization.
    • Study outputs for any obviously embarrassing personal information (especially network beacon records) before sharing.

Walkthrough

    Step 1: Monitor Mode

    You should disconnect from any wifi network you may be connected to, to capture the widest amount of data.

    Switch your wireless adapter to monitor mode:

    $ airmon-ng start <interface>

    You may need to stop your network manager system to prevent it from interfering. Run

    $ airmon-ng check

    to list anything that is causing problems, and

    $ airmon-ng check kill

    to try to stop them automatically. Running stop network-manager && stop avahi-daemon may keep them from restarting automatically.

    Step 2: Listen for wifi probes.

    Run airodump-ng on the monitor mode interface (usually mon0). This captures wifi beacons and client probe requests, so you can begin analyzing who is on what network and see historical networks.

    $ airodump-ng -w filename mon0

    This scans all networks and channels, collecting broadcast network information. Note that, despite its broadcast nature, this is privacy invasive and can be considered illegal: http://www.slate.com/blogs/future_tense/2013/09/16/google_street_view_wi_fi_snooping_case_good_news_and_bad_news.html . You can restrict this to a specific channel or base station ID (BSSID) with -c and --bssid:

    $ airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w filename mon0

    Step 3: de-auth (optional)

    Send de-authentication packets to force clients to reconnect and send out additional probes. Take note that by its very nature, de-authentication causes annoying interruptions to wifi traffic. This breaks connections, drops Skype calls, and can make the wireless network temporarily unusable. Make sure to check with staff before going through this (to make sure no one is doing a live webcast or on an important VoIP call, and so that they expect some network instability).

    $ aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0

     15:54:48  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1
     15:54:49  Sending 64 directed DeAuth. STMAC: [AA:BB:CC:DD:EE:FF] [ 5| 3 ACKs]

    This command de-authenticates one targeted client with a single deauth attempt ("-0 1"; the output above shows the frames sent in that one round). "-0 10" would try 10 times (potentially disconnecting the user multiple times!). With permission, you can also target all clients on a network by leaving out the "-c ..." flag.

    There are scripts, like wifijammer, which use this same approach to jam all wifi connections in range of the attacking computer, so check against the documentation at http://www.aircrack-ng.org and act responsibly to protect yourself and the organization.

    Step 4: MAC Address Research

    The first three octets of each MAC address (the OUI) designate the vendor, which can reveal useful information in matching MAC addresses to devices. The full MAC address is a unique identifier, so never post or search using the full address. Note that increasingly, devices use MAC address randomization, but where it is implemented it is often implemented poorly and fails against even minimally determined adversaries, as per this 2017 research study.

    To compare found MAC addresses to the vendor database offline, you can download the full vendor database from IEEE or use the Wireshark list.

    Step 5: Ongoing Monitoring

    The longer you leave this running (particularly when staff are first entering the office or returning after lunch/meetings), the better a sense you will get of what devices are connected to the network.

    Watch what probes the various devices are sending out (especially when they are deauthenticated, as above). You will see each computer on the network, identified by its MAC address, broadcast information about previous networks to which it has connected.

    BSSID              STATION            PWR   Rate    Lost    Frames Probe

    00:11:22:33:44:55   0F:3E:DF:DA:2D:E2   -67 0   0   234567  SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
    00:11:22:33:44:55   F8:7E:FC:03:CC:43   -80 -24 0   234567  amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
    00:11:22:33:44:55   F8:19:F3:DF:75:19   -58 -54 0   234567  SampleOrg
    00:11:22:33:44:55   38:08:95:EB:7E:0B   -75 -12 0   234567  HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot
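    The following script is an added example (not part of this activity or of the aircrack-ng project) that turns the MAC research step and the ongoing-monitoring review into a repeatable check on a capture. It assumes the filename-01.csv file that "airodump-ng -w filename" writes has the layout shown in the embedded constructed sample (an access-point table, a blank line, then a station table whose last column holds the probed ESSIDs), and it uses a constructed three-column vendor table in the layout of the Wireshark manuf file with placeholder vendor names. For each station it drops devices that are neither associated to one of the organization's BSSIDs nor probing for one of its SSIDs (per the Considerations), masks the address down to its vendor prefix so the full identifier never reaches a report, flags locally administered (randomized) addresses for which a vendor lookup is meaningless, and lists the probes naming other networks so they can be reviewed for embarrassing personal information before sharing.

```python
"""Review the station table of an airodump-ng CSV capture (added example)."""

# Constructed excerpt in the three-column layout of Wireshark's `manuf` file
# (OUI prefix, short name, long name). The vendor names are placeholders, not
# real attributions; use the full IEEE or Wireshark list for real work.
VENDOR_TABLE = """\
# prefix<TAB>short<TAB>long   (constructed placeholders)
F8:7E:FC\tVendorA\tExample Vendor A Ltd
F8:19:F3\tVendorB\tExample Vendor B Inc
38:08:95\tVendorC\tExample Vendor C GmbH
"""

# Constructed capture in the layout this example assumes for the
# `filename-01.csv` file written by `airodump-ng -w filename`: an access-point
# table, a blank line, then a station table whose last column is the
# comma-separated list of probed ESSIDs. Addresses and probe lists reuse the
# sample table above, plus one unassociated station that is not the org's.
CAPTURE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2017-01-01 15:50:00, 2017-01-01 15:55:00,  1,  54, WPA2, CCMP, PSK, -60, 120, 0, 0.0.0.0, 9, SampleOrg, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
0F:3E:DF:DA:2D:E2, 2017-01-01 15:50:00, 2017-01-01 15:54:48, -67, 234567, 00:11:22:33:44:55, SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
F8:7E:FC:03:CC:43, 2017-01-01 15:50:10, 2017-01-01 15:54:50, -80, 234567, 00:11:22:33:44:55, amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
F8:19:F3:DF:75:19, 2017-01-01 15:51:00, 2017-01-01 15:54:51, -58, 234567, 00:11:22:33:44:55, SampleOrg
38:08:95:EB:7E:0B, 2017-01-01 15:51:30, 2017-01-01 15:54:52, -75, 234567, 00:11:22:33:44:55, HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot
AA:BB:CC:00:00:01, 2017-01-01 15:52:00, 2017-01-01 15:54:53, -90, 12, (not associated), CoffeeShopGuest
"""


def load_vendor_table(text):
    """Map 'XX:XX:XX' OUI prefixes to vendor names; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        prefix, _short, long_name = line.split("\t", 2)
        table[prefix.upper()] = long_name.strip()
    return table


def oui(mac):
    """The first three octets: the vendor (OUI) part of the address."""
    return mac.upper()[:8]


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a randomized or admin-assigned
    address, so a vendor lookup on it is meaningless."""
    return bool(int(mac[:2], 16) & 0x02)


def mask_mac(mac):
    """Keep only the vendor prefix; the full address is a unique identifier
    and should not appear in anything that is posted or shared."""
    return oui(mac) + ":xx:xx:xx"


def parse_stations(text):
    """Return (mac, bssid, probes) tuples from the station table of the CSV."""
    rows = []
    in_stations = False
    for line in text.splitlines():
        if line.startswith("Station MAC"):
            in_stations = True
            continue
        if not in_stations or not line.strip():
            continue
        # Probed ESSIDs are the 7th field and may themselves contain commas,
        # so split only the first six separators.
        fields = line.split(",", 6)
        if len(fields) < 6:
            continue
        mac, bssid = fields[0].strip(), fields[5].strip()
        probes = []
        if len(fields) == 7:
            probes = [p.strip() for p in fields[6].split(",") if p.strip()]
        rows.append((mac, bssid, probes))
    return rows


def review(capture, vendors, org_ssids, org_bssids):
    """Keep stations that plausibly belong to the organization (associated to
    one of its BSSIDs or probing for one of its SSIDs), mask their MACs, and
    list probes that name other networks for manual review before sharing."""
    report = []
    for mac, bssid, probes in parse_stations(capture):
        if bssid not in org_bssids and not (set(probes) & set(org_ssids)):
            continue  # not the organization's device: drop it from the results
        randomized = is_locally_administered(mac)
        report.append({
            "mac": mask_mac(mac),
            "vendor": ("n/a (locally administered)" if randomized
                       else vendors.get(oui(mac), "unknown")),
            "randomized": randomized,
            "non_org_probes": [p for p in probes if p not in org_ssids],
        })
    return report


if __name__ == "__main__":
    vendors = load_vendor_table(VENDOR_TABLE)
    for row in review(CAPTURE_CSV, vendors, {"SampleOrg"}, {"00:11:22:33:44:55"}):
        print(row)
```

    Run it against a real filename-01.csv by reading the file into CAPTURE_CSV and loading the downloaded IEEE or Wireshark list into VENDOR_TABLE; the non_org_probes column is what to read through for hotel, airport, home and personal-name networks before anything leaves the audit team.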
    

Recommendation

    For most devices, deleting networks from the “saved” network list will stop them from being probed. Obviously, this can be an annoyance for networks you regularly connect to, so renaming these networks to non-revealing names would help, as would creating non-name-associated “guest” networks for colleagues connecting to your home network.

    On iPhones and iPads, it is not possible to selectively remove historical networks unless you are currently in range of that network. It is however possible to remove all history: go to Settings > General > Reset > Reset Network Settings. When you take this step, it is worth going through this reset multiple times – approximately once per year of device ownership, as the first reset appears to only remove recently-connected networks, and older networks will be broadcast.

    Organizations may want to choose innocent or generic network names, and/or not broadcast network names. It is worth noting that devices seeking out hidden networks will "beacon" for the actual network name, so this has extremely limited security use and must be combined with other protective measures. See this Acrylic blog post for further details.

    It is worth noting that wifi access points are also tracked to assist in location services, and as such the location of a wireless network can be learned from its name or the MAC address of the access point. WiGLE is a community-managed database for such information, but both Google and Microsoft, and likely many others, also track this locational information, so the opt-out information below is only minimally useful.

    Removal options: See wikipedia for public listings. Some opt-out options exist below: