Tuesday 14 March 2017

The scary truth about what your device leaks about you – Part 1


Ever wondered how your phone or other devices know to connect to your Wi-Fi when you arrive home? Well, your phone shouts out "Is 'Home Wi-Fi' there?" using a special frame called a Probe Request. When an access point (such as your home hub) hears this Probe Request frame, it sends out a Probe Response, and then authentication and connection can proceed. Sounds simple and convenient, right?

Well, the problem is your phone is regularly shouting this out, no matter where you are, and it's not just your home Wi-Fi: it's every Wi-Fi you have connected to with your device and not removed from your list of Saved Networks. On your laptop there should be a list of saved networks somewhere in your Wi-Fi settings. If you are on an iPhone you cannot see this list directly; however, if you have Keychain enabled you can view your networks under AirPort. On Android, you can check under Settings -> Wi-Fi -> Configure Wi-Fi -> Saved networks.

If you check this list, does it include the Wi-Fi names (SSIDs) of your home, your work, your favourite restaurant and the places you have been on holiday? Do you think that with this kind of information someone could start to draw a rough picture of you as a person?

Well, bad news: your device will most likely be shouting out probe request frames containing these SSIDs regularly, wherever you are. Maybe you're thinking it's not too bad; what can someone do by just knowing the names of some SSIDs, they all look similar?
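To make concrete what a probe request actually carries, here is a small decoder for the frame type described above. This is an added example, not code from the original post or from the hoover tool; the frames it parses are constructed by hand and the client MAC address in them is made up. It shows the two fields that matter for the leak: Address 2 (the transmitting client) and the SSID element, and it distinguishes a directed probe (which names a saved network) from a wildcard probe with an empty SSID, which reveals only the device's MAC.

```python
"""Decode the SSID that an 802.11 Probe Request leaks.

Added example: not part of the original post or of hoover. The frames below are
constructed by hand; the MAC address 02:11:22:33:44:55 is made up.
"""
from dataclasses import dataclass, field
from typing import Optional

MGMT_TYPE = 0
PROBE_REQUEST_SUBTYPE = 4     # wlan.fc.type_subtype == 4 in Wireshark terms
TAG_SSID = 0
HEADER_LEN = 24               # frame control, duration, 3 addresses, sequence control


@dataclass
class ProbeRequest:
    source_mac: str
    ssid: Optional[str]       # None for a wildcard (broadcast) probe
    tags: dict = field(default_factory=dict)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Return a ProbeRequest if `frame` is a management frame of subtype 4, else None."""
    if len(frame) < HEADER_LEN:
        return None
    fc0 = frame[0]                      # frame control byte 0: version | type | subtype
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != PROBE_REQUEST_SUBTYPE:
        return None
    source = mac_str(frame[10:16])      # Address 2 is the transmitter, i.e. the client
    tags = {}
    ssid = None
    pos = HEADER_LEN
    while pos + 2 <= len(frame):        # tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) != length:
            break                       # truncated element: stop rather than mis-parse
        tags[tag] = value
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace") if length else None
        pos += 2 + length
    return ProbeRequest(source, ssid, tags)


def build_probe_request(source_mac: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request (used only to make the sample input)."""
    header = (
        b"\x40\x00"        # frame control: type 0 (management), subtype 4 (probe request)
        + b"\x00\x00"      # duration
        + b"\xff" * 6      # addr1: destination, broadcast
        + source_mac       # addr2: source, the probing client
        + b"\xff" * 6      # addr3: BSSID, broadcast
        + b"\x10\x00"      # sequence control
    )
    body = bytes([TAG_SSID, len(ssid)]) + ssid
    body += b"\x01\x04\x02\x04\x0b\x16"   # supported rates element: 1, 2, 5.5, 11 Mbps
    return header + body


# Constructed sample frames: a directed probe naming a saved network, a wildcard
# probe from the same device, and a data frame that the decoder must ignore.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("021122334455"), b"Home Wi-Fi"),
    build_probe_request(bytes.fromhex("021122334455"), b""),
    bytes.fromhex("0800") + b"\x00" * 22,
]


def summarise(frames) -> dict:
    """Map each source MAC to the set of SSIDs it has probed for (wildcards excluded)."""
    leaked = {}
    for f in frames:
        pr = parse_probe_request(f)
        if pr is None:
            continue
        leaked.setdefault(pr.source_mac, set())
        if pr.ssid is not None:
            leaked[pr.source_mac].add(pr.ssid)
    return leaked


if __name__ == "__main__":
    for mac, ssids in summarise(SAMPLE_FRAMES).items():
        print(mac, sorted(ssids) or "(wildcard probes only)")
```

Run against a real capture, the same loop would be fed the raw 802.11 frames (with any radiotap header already stripped); the point of the toy input is that a directed probe hands over a saved network name in clear text, while a wildcard probe does not, which is why modern phones increasingly send only wildcard probes and randomise the MAC while unassociated.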

Bad news again. There is a website called Wigle.net which, as of writing this, has mapped out 321,332,163 Wi-Fi networks… aaah.

Wigle does have a lot of good uses, such as educating the public on the number of still-unsecured Wi-Fi networks (WEP), research projects, site surveys and journalism. In this article, however, we will explore how to collect probe request data, and how this information could be used to essentially track someone through the probe requests sent by their device.

The setup:

Sniffing probe requests requires a network card capable of monitor mode. I personally have an Alfa AWUS036NHA; these cards can also be used for packet injection (wireless hacking).

I wanted to stay portable. Even though you could sit in a café with a laptop, I like the idea of being able to sniff probe requests anywhere, so I decided to hook the card up to a Raspberry Pi and a battery pack. Fits in my backpack perfectly!





Now we have to get a couple of scripts running and our data saved. You may have heard of the Aircrack-ng suite, which is essentially a complete set of tools for testing Wi-Fi security. It is possible to capture with airodump-ng and filter on wlan.fc.type_subtype == 4 to sniff probe requests. However, a tool called hoover, written by Xavier Mertens over at https://blog.rootshell.be, uses tshark (command-line Wireshark) together with channel hopping and data parsing, which will give us easier and better results.

I am running the Kali Linux Raspberry Pi ARM image on my Pi, as I was having a few difficulties with my network card drivers and the card worked right away with Kali. I flashed my micro SD card with a tool called Etcher.

Once you've flashed your micro SD card, connect your Pi to your network through Ethernet and scan for it using Nmap; you should see a host called kali:

nmap -sn 192.168.0.*





Now we can SSH into it using the default password, toor:


ssh root@192.168.0.117 

Remember, the first time you SSH into your Kali Pi you must regenerate the SSH host keys, as all ARM images are pre-configured with the same keys:

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart

Once we have done that, let's update everything:


apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y

Next, let’s download our tool:


git clone https://github.com/xme/hoover

Now that we have our environment set up, we need to make a few changes and write a script to stop hoover after a certain amount of time (or you could manually stop it next time you SSH into the Pi).
You may need to install Wireshark first with apt-get install wireshark.
Let's edit our hoover script to have the right path to tshark:



Also, within the hoover directory I created a quick script which will stop hoover running after a certain amount of time by searching for and killing its PID. We can choose how long we want by changing the number after sleep (600 = 10 minutes):
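One way to implement such a timed stop, as an added example rather than the author's own timed_kill script: it waits the requested number of seconds, locates hoover by its command line under /proc (so it is Linux-only) and sends SIGTERM. The file name timed_stop.py, the default of 600 seconds and the assumption that hoover was started as ./hoover.pl (or perl hoover.pl) are mine; matching is restricted to argv[0] and a perl interpreter's first argument so that a grep for the same string does not get killed by mistake.

```python
"""Stop a running hoover.pl after a fixed delay.

Added example, not the author's timed_kill script. Hypothetical usage:
    python3 timed_stop.py 600       # 600 seconds = 10 minutes, as in the post
Linux only: processes are found by reading /proc/<pid>/cmdline.
"""
import os
import signal
import sys
import time

TARGET = "hoover.pl"   # assumption: hoover was started as ./hoover.pl or perl hoover.pl


def cmdline_matches(cmdline: bytes, needle: str) -> bool:
    """True if a /proc/<pid>/cmdline blob names `needle` as the program being run.

    Only argv[0], or argv[1] when argv[0] is a perl interpreter, is considered, so
    'grep hoover.pl' does not match its own search string.
    """
    argv = [p.decode("utf-8", errors="replace") for p in cmdline.split(b"\0") if p]
    if not argv:
        return False
    prog = os.path.basename(argv[0])
    if prog == needle:
        return True
    return len(argv) > 1 and prog.startswith("perl") and os.path.basename(argv[1]) == needle


def find_pids(needle: str, proc_root: str = "/proc") -> list:
    """Return the PIDs whose command line names `needle` (our own PID excluded)."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit() or int(entry) == os.getpid():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                if cmdline_matches(fh.read(), needle):
                    found.append(int(entry))
        except OSError:
            continue   # the process exited between listdir() and open()
    return found


def stop_after(seconds: int, needle: str = TARGET) -> list:
    """Sleep, then SIGTERM every matching process; returns the PIDs signalled."""
    time.sleep(seconds)
    pids = find_pids(needle)
    for pid in pids:
        os.kill(pid, signal.SIGTERM)   # TERM lets the script exit cleanly; KILL would not
    return pids


if __name__ == "__main__":
    delay = int(sys.argv[1]) if len(sys.argv) > 1 else 600
    print("stopped:", stop_after(delay) or "nothing matched")
```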





Before we start capturing data we need to put our network card in monitor mode. We can do this using the previously mentioned Aircrack-ng suite.

First find your wireless card name (normally wlan1):





Next, kill any processes that might interfere with the network card, and then put the card into monitor mode:


airmon-ng check kill
airmon-ng start wlan1





I originally tried to get the script to start on boot and exit/save results after a certain amount of time. However, I was having problems with the parent process dying randomly after a certain amount of time (still not 100% sure if this was just a Pi thing). So, after some trial and error, I managed to put everything in its own process using screen. Unfortunately this meant I had to manually start it during an SSH session. You can easily install screen with:


apt-get install screen

Type screen; this will put us into a 'new terminal'. Check what your wireless card in monitor mode is called (normally wlan1mon):





Now we start the hoover tool with:


./hoover.pl --interface wlan1mon --dumpfile=results.txt

Now press Ctrl+A and then Ctrl+D to detach from the screen session; hoover will keep running inside it. Now type screen again so we can start the timed_kill script:





Now press Ctrl+A and then Ctrl+D again to keep both sessions running. Now we can exit our SSH session, put our Pi in our backpack and wander around!

After 20 minutes of wandering through the city centre I got a whopping 548 unique SSIDs:




Stay tuned for part 2, where we shall analyse our data and delve more into how frequently different devices and conditions emit probe requests. The whole project will be typed up in an academic journal style. Cheers!
