Time for action – collecting data

Follow the given instructions to get started:

  1. First of all, we need a device that's looking for multiple networks. Generally, a normal smartphone such as an Android device or iPhone will do the trick. Desktops don't generally make good targets as they tend to remain in one location. Newer iPhones and Android devices may have probe requests disabled or obfuscated, so do check before you give up.
  2. Once you have your device, make sure the Wi-Fi is turned on.
  3. Then set up your monitoring interface as we have done many times before:
    [Screenshot: setting up the monitoring interface]
  4. The next thing to be done is to look for probe requests with tshark via the following command:
    tshark -n -i mon0 subtype probe-req

    [Screenshot: running the tshark command]
  5. Your output at this point is a little rough, as the default output from tshark is not designed to be readable, just to have as much information in it as possible. It should look like the following:
    [Screenshot: default tshark output]
  6. You can clearly see the MAC address and SSID of the probe request; however, this output can be improved. We can use the following command to make it more readable:
    tshark -n -i mon0 subtype probe-req -T fields -E separator=/t -e wlan.sa -e wlan_mgt.ssid

    [Screenshot: running the tshark fields command]
  7. The output here is much more readable:
    [Screenshot: tab-separated MAC and SSID output]
  8. So, now we have the output in a readable format, what next? What we do is create a Python script that will run the command and record the output for later analysis. Before running the code, you will need to ensure that you have your monitoring interface ready and that a file called results.txt is created in the directory you are in. The Python script is as follows:
    import subprocess
    import datetime

    # Open results.txt in append mode so earlier captures are never overwritten
    results = open("results.txt", "a")

    while 1:
        # -c 100 makes tshark exit after 100 frames so each batch can be written out;
        # the loop then starts the next capture
        blah = subprocess.check_output("tshark -n -i mon0 subtype probe-req -T fields -E separator=/t -e wlan.sa -e wlan_mgt.ssid -c 100", shell=True).decode("utf-8", "replace")
        splitblah = blah.split("\n")
        for value in splitblah[:-1]:   # the last element is the empty text after the final newline
            splitvalue = value.split("\t")
            MAC = str(splitvalue[0])
            SSID = str(splitvalue[1])
            time = str(datetime.datetime.now())
            results.write(MAC + " " + SSID + " " + time + "\n")
        results.flush()   # push each batch to disk so it survives a Ctrl+C

    Let's get briefed on the Python script:

    • import subprocess and import datetime: These allow us to refer to the subprocess and datetime libraries. The subprocess library allows us to run the tshark capture from the Linux command line, and datetime allows us to get accurate time and date readings.
    • results = open("results.txt", "a"): This opens the file with append rights and assigns it to results. Append rights only allow the script to add to the contents of the file, which stops the file from being overwritten every time the loop runs.
    • while 1: This line means run until stopped.
    • blah = subprocess.check_output("tshark -n -i mon0 subtype probe-req -T fields -E separator=/t -e wlan.sa -e wlan_mgt.ssid -c 100", shell=True): This opens a shell to perform our previously tested tshark command. The only difference this time is -c 100, which stops tshark after 100 captured frames. This lets the results be returned to us without having to stop the program; since the loop runs forever, the capture starts again after the results are written. The output from the shell is assigned to the variable blah.
    • splitblah = blah.split("\n"): This takes the variable blah and splits it into lines.
    • for value in splitblah[:-1]: This repeats the following actions for each line of the output, skipping the last element, which is the empty string left after the final newline.
    • splitvalue = value.split("\t"): This breaks each line into smaller chunks using the tab character as the delimiter.
    • The following three lines take each chunk of text and assign it to a variable:
      MAC = str(splitvalue[0])
      SSID = str(splitvalue[1])
      time = str(datetime.datetime.now())
    • results.write(MAC + " " + SSID + " " + time + "\n"): This takes all the values, writes them to the file separated by spaces, and ends with a newline so that each record sits on its own line.

The output will be neat lines of text written to the file.

What just happened?

We took the input from probe requests and output them to a file using Python.

You may ask yourself what the purpose of this is, as the same result can be achieved by simply running the original tshark command and appending >> results.txt to redirect its output to a file. You would be correct; however, what we have created is a framework for integration with other tools, visualization platforms, databases, and services.

For example, using the WiGLE database that maps SSIDs to locations, you can add a few lines of code to take the SSID variable and query the WiGLE database.

Alternatively, you could set up a MySQL database, output the results there, and run SQL queries against them.
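To show how the collector's parsing step can be made robust and how its data can be handed to the tools mentioned here, the following added example (not the book's code) parses the tab-separated tshark field output from step 6, skips malformed lines, counts wildcard probes, and groups the SSIDs each device asked for. The sample tshark output and the function names are constructed for illustration.

```python
import datetime

# Constructed sample of what "tshark -T fields -E separator=/t -e wlan.sa
# -e wlan_mgt.ssid" prints: one probe request per line, source MAC and SSID
# separated by a tab. An empty SSID is a wildcard probe (asks for any network).
SAMPLE_TSHARK_OUTPUT = (
    "02:11:22:33:44:55\tHomeNet\n"
    "02:11:22:33:44:55\tCoffee Shop Guest\n"
    "02:11:22:33:44:55\t\n"
    "02:AA:BB:CC:DD:EE\tHomeNet\n"
    "garbage line without a tab\n"
    "02:11:22:33:44:55\tHomeNet\n"
)


def parse_probe_batch(text):
    """Yield (mac, ssid) pairs from one batch of tshark field output."""
    for line in text.splitlines():
        parts = line.split("\t")
        # Skip lines without exactly two fields instead of raising IndexError
        if len(parts) != 2 or not parts[0]:
            continue
        yield parts[0].lower(), parts[1]   # normalise the MAC to lowercase


def format_records(text, stamp):
    """Return one tab-separated record per probe: mac, ssid, timestamp."""
    # Tabs, not spaces: an SSID may itself contain spaces, which would make a
    # space-separated record ambiguous when a database or script reads it back.
    return [mac + "\t" + ssid + "\t" + stamp for mac, ssid in parse_probe_batch(text)]


def summarize(text):
    """Group probes by device: SSIDs each MAC asked for, wildcard and total counts."""
    devices = {}
    for mac, ssid in parse_probe_batch(text):
        d = devices.setdefault(mac, {"ssids": set(), "wildcard": 0, "probes": 0})
        d["probes"] += 1
        if ssid:
            d["ssids"].add(ssid)
        else:
            d["wildcard"] += 1
    return {m: {"ssids": sorted(d["ssids"]), "wildcard": d["wildcard"],
                "probes": d["probes"]} for m, d in devices.items()}


if __name__ == "__main__":
    stamp = datetime.datetime.now().isoformat()
    print("\n".join(format_records(SAMPLE_TSHARK_OUTPUT, stamp)))
    print(summarize(SAMPLE_TSHARK_OUTPUT))
```

In the collector, the text passed to these functions is the decoded output of subprocess.check_output, and the per-device summary is what a WiGLE lookup or a database insert would consume.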

This section has provided you with the first steps to create your own probe-monitoring tools. Through experimentation and using this simple code as the first step, a multitude of useful tools can be created.

Have a go hero – extension ideas

Research which tools are available that allow visualization or data analytics and are easily integrated with Python. Tools such as Maltego have free versions that can be used to plot information.

Set yourself up a MySQL database to record the data and reconfigure the preceding Python script to output the results to the database. Then, build another script (or do it in the same one) to retrieve the data and output it to Maltego.

Reconfigure the script to query WiGLE, and collect geolocation data for probe requests. Output this data through Maltego.

Make an attempt to set up a web-based frontend with Flask, Django, or PHP to display your results. Investigate existing solutions for presenting the data and attempt to emulate or improve them through a discussion with their creators.
