schloss / insecurity-demos

A packaged, graphical user interface for demonstrating various digital security threats and mitigations in a training room context.

Demo: "Where else have they been?" #7

Closed: poser closed this issue 10 years ago

poser commented 11 years ago

Uses monitor mode to sniff wireless network traffic and correlates each associated device with a set of wireless network names (ESSIDs) to which that device has previously connected. This is possible because, in the interest of reducing the time required to obtain a working Internet connection, devices are often quite aggressive about broadcasting WLAN probes that contain the ESSIDs of the networks they have used in the past. With this information, combined with the output of the who's in the room demo described above, it would be relatively easy for an attacker to correlate human beings with IP addresses.

Demo script:

sudo airmon-ng start wlanX
sudo tshark -n -l -i mon0 -T fields -e wlan.sa -e wlan_mgt.ssid subtype probereq -E separator=, -R "wlan.fc.type_subtype eq 4"
<sort and populate table>

Shutdown:

<kill tshark>
sudo airmon-ng stop mon0
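
The "sort and populate table" step of the demo script above, as an added example that is not part of the original issue or the project's code: it groups tshark's `wlan.sa,ssid` field lines by source address, which also shows how much a single device discloses. The sample lines, addresses and network names are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of tshark output in the "wlan.sa,ssid" field format.
# MAC addresses have the locally administered bit set; SSIDs are invented.
SAMPLE_LINES = [
    "02:00:00:aa:bb:01,HomeNet",
    "02:00:00:aa:bb:01,",                 # wildcard probe: empty SSID
    "02:00:00:aa:bb:02,Cafe, Free WiFi",  # SSID that itself contains a comma
    "02:00:00:aa:bb:01,Airport_Guest",
    "02:00:00:AA:BB:01,HomeNet",          # duplicate, different letter case
    "not a field line",                   # malformed: no separator
    "02:00:00:aa:bb:02,Cafe, Free WiFi",
]


def parse_line(line):
    """Return (mac, ssid), or None if the line carries no usable pair."""
    line = line.rstrip("\r\n")
    # Split on the first comma only: a MAC never contains one, an SSID may.
    mac, sep, ssid = line.partition(",")
    mac = mac.strip().lower()
    if not sep or len(mac) != 17 or mac.count(":") != 5:
        return None
    if not ssid:  # a wildcard probe request names no network
        return None
    return mac, ssid


def build_table(lines):
    """Map each source MAC to the sorted list of ESSIDs it probed for."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(ssids) for mac, ssids in sorted(seen.items())}


def format_table(table):
    """Render display rows, the device disclosing the most networks first."""
    rows = sorted(table.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{mac}  {len(ssids):>2}  {' | '.join(ssids)}" for mac, ssids in rows]


if __name__ == "__main__":
    # Live use: feed tshark's output lines to build_table() instead.
    for row in format_table(build_table(SAMPLE_LINES)):
        print(row)
```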

double-green-vole commented 11 years ago

Where does the initial channel parameter come from? Is it even necessary?

double-green-vole commented 11 years ago

It is unnecessary for the WLAN probes demo, and probably unnecessary for the mDNS demo on an unencrypted WLAN. On an encrypted WLAN, however, in which we have to decrypt each WiFi network individually, it may be necessary (or at least helpful), as it stops the adapter from channel-hopping. So, to clarify, for this particular demo it was a typo.

poser commented 10 years ago

Moving content to wiki and deleting