Tuesday, December 17, 2019

Probe request analysis

To connect to WiFi networks, devices must first discover the networks that exist. To do this, clients send probe requests on every channel of the band they are allowed to transmit on.

These frames can be captured to obtain information about the WiFi devices that are nearby.

On Linux, this requires the following steps:

1.- Configuring the interface in monitor mode

First we stop network-manager and bring the interface down with ifconfig:

sudo service network-manager stop
sudo ifconfig wlp1s0 down


We set the interface to monitor mode and bring it back up:

sudo iwconfig wlp1s0 mode monitor
sudo ifconfig wlp1s0 up


We verify that the interface is in monitor mode:

sudo iwconfig wlp1s0
wlp1s0    IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=15 dBm  
                Retry short limit:7   RTS thr:off   Fragment thr:off
                Power Management:off

In normal (managed) mode it should look like this:

sudo iwconfig wlp1s0
wlp1s0    IEEE 802.11bgn  ESSID:"XXXXX" 
          Mode:Managed  Frequency:2.412 GHz  Access Point: 9A:8A:20:XX:XX:XX  
          Bit Rate=72.2 Mb/s   Tx-Power=15 dBm  
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=62/70  Signal level=-48 dBm 
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:31   Missed beacon:0

We are now ready to inspect probe requests with tcpdump or Wireshark.

2.- Capturing with tcpdump

In tcpdump we filter for probe requests on our WiFi interface:

sudo tcpdump -i wlp1s0 -s 0 -nne '(type mgt and subtype probe-req)' 

For more information on filtering, see [1].

With this you will get something like:

sudo tcpdump -i wlp1s0 -s 0 -nne '(type mgt and subtype probe-req)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp1s0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
10:26:06.146207 249112607us tsft 1.0 Mb/s 2412 MHz 11b -31dBm signal -31dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.151624 249117920us tsft 1.0 Mb/s 2412 MHz 11b -27dBm signal -27dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.166410 249132835us tsft 1.0 Mb/s 2412 MHz 11b 4dBm signal 4dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.169342 249135654us tsft 1.0 Mb/s 2412 MHz 11b 7dBm signal 7dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.249639 249216271us tsft 1.0 Mb/s 2412 MHz 11b -28dBm signal -28dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.252041 249218017us tsft 1.0 Mb/s 2412 MHz 11b -10dBm signal -10dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.269873 249236306us tsft 1.0 Mb/s 2412 MHz 11b -22dBm signal -22dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.271229 249237709us tsft 1.0 Mb/s 2412 MHz 11b -21dBm signal -21dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.372397 249338889us tsft 1.0 Mb/s 2412 MHz 11b -10dBm signal -10dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:07.263172 250230286us tsft 1.0 Mb/s 2412 MHz 11b -67dBm signal -67dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:12:df:a4 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:07.395149 250362383us tsft 1.0 Mb/s 2412 MHz 11b -60dBm signal -60dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:12:df:a4 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:07.803719 250771377us tsft 1.0 Mb/s 2412 MHz 11b -42dBm signal -42dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:14:b2:bb Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:07.966819 250934075us tsft 1.0 Mb/s 2412 MHz 11b -90dBm signal -90dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:10:98:c3:01:f5:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:07.980292 250947789us tsft 1.0 Mb/s 2412 MHz 11b -54dBm signal -54dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:14:b2:bb Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:08.003021 250970953us tsft 1.0 Mb/s 2412 MHz 11b -58dBm signal -58dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:14:b2:bb Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:08.333273 251300852us tsft 1.0 Mb/s 2412 MHz 11b -87dBm signal -87dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:30:07:4d:c0:d2:b7 Probe Request (RAYTEL) [1.0 2.0 5.5 11.0 Mbit]
10:26:08.807109 251775003us tsft 1.0 Mb/s 2412 MHz 11b -48dBm signal -48dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
The important fields, taking the last line as an example:

SA:70:bb:e9:aa:b1:9f: MAC address of the device that sent the probe request

-48dBm: the signal level at which the frame was captured; this gives an idea of how far away or close the device is

[1.0 2.0 5.5 11.0 Mbit]: the rates the device supports
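Reading these lines by eye works for a handful of frames, but a capture of a few minutes produces thousands of them. The script below is an added example, not part of the original post: it parses the tcpdump output format shown above, groups frames by source address and reports, per device, how many probe requests were seen, the signal range, the SSIDs it asked for by name (an empty "()" is a wildcard probe, a name in the parentheses is a directed probe for a network the device already knows) and the rate set it advertised. It also flags source addresses with the locally-administered bit set (bit 0x02 of the first octet), because modern phones randomize the MAC they use in probe requests, so the SA is not always a stable identifier for the device. The sample lines are constructed from the capture above; the last one, with SA da:a1:19:00:11:22, is an invented randomized address included only to show the flag.

```python
import re
from collections import defaultdict

# Constructed sample input in the format tcpdump prints with -nne on a
# radiotap interface. The last line is invented to show a randomized MAC.
SAMPLE_LINES = """\
10:26:06.146207 249112607us tsft 1.0 Mb/s 2412 MHz 11b -31dBm signal -31dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.151624 249117920us tsft 1.0 Mb/s 2412 MHz 11b -27dBm signal -27dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:07.263172 250230286us tsft 1.0 Mb/s 2412 MHz 11b -67dBm signal -67dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:12:df:a4 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:08.333273 251300852us tsft 1.0 Mb/s 2412 MHz 11b -87dBm signal -87dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:30:07:4d:c0:d2:b7 Probe Request (RAYTEL) [1.0 2.0 5.5 11.0 Mbit]
10:26:08.807109 251775003us tsft 1.0 Mb/s 2412 MHz 11b -48dBm signal -48dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:09.100000 252067894us tsft 1.0 Mb/s 2412 MHz 11b -55dBm signal -55dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:da:a1:19:00:11:22 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
"""

# One regex for the fields the post highlights: timestamp, first signal
# reading, source address, SSID in parentheses and the supported-rate list.
PROBE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s.*?"
    r"(?P<signal>-?\d+)dBm signal\s.*?"
    r"SA:(?P<sa>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"Probe Request \((?P<ssid>[^)]*)\)\s+"
    r"\[(?P<rates>[^\]]*)\s+Mbit\]",
    re.IGNORECASE,
)


def parse_probe_line(line):
    """Return a dict of the interesting fields, or None for non-probe lines."""
    m = PROBE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m.group("time"),
        "signal_dbm": int(m.group("signal")),
        "sa": m.group("sa").lower(),
        "ssid": m.group("ssid"),              # "" means a wildcard probe
        "rates_mbit": [float(r) for r in m.group("rates").split()],
    }


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the
    address is locally assigned, which is what randomized MACs look like."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def summarize(lines):
    """Group parsed probe requests by source address."""
    devices = {}
    for line in lines:
        rec = parse_probe_line(line)
        if rec is None:
            continue  # tcpdump banner lines, blank lines, other frame types
        d = devices.setdefault(rec["sa"], {
            "frames": 0,
            "signals": [],
            "ssids": set(),
            "rates": set(),
            "first_seen": rec["time"],
            "last_seen": rec["time"],
            "randomized_mac": is_locally_administered(rec["sa"]),
        })
        d["frames"] += 1
        d["signals"].append(rec["signal_dbm"])
        if rec["ssid"]:
            d["ssids"].add(rec["ssid"])
        d["rates"].update(rec["rates_mbit"])
        d["last_seen"] = rec["time"]
    return devices


if __name__ == "__main__":
    # Usage with a live capture:
    #   sudo tcpdump -l -i wlp1s0 -s 0 -nne 'type mgt subtype probe-req' | python3 probes.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    for sa, d in sorted(summarize(source).items()):
        tag = " (locally administered, likely randomized)" if d["randomized_mac"] else ""
        print(f"{sa}{tag}: {d['frames']} frames, signal {min(d['signals'])}..{max(d['signals'])} dBm, "
              f"SSIDs probed: {sorted(d['ssids']) or 'wildcard only'}, "
              f"rates: {sorted(d['rates'])}")
```

The signal range, rather than a single reading, is what tells you whether a device is moving; the set of named SSIDs is what a device leaks about networks it has joined before, which is the privacy concern that led vendors to randomize probe-request MACs in the first place.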

3.- Capturing with Wireshark

In Wireshark we capture on the WiFi interface and use the following display filter:

wlan.fc.type_subtype == 0x0004

For more details see [2].





[1]: http://infosec.vishalmishra.in/2013/09/capture-wireless-traffic.html

[2]: https://notasinalambricas.wordpress.com/2016/11/17/descubriendo-redes-inalambricas-parte-2/

[3]: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html