These packets can be captured to obtain information about the WiFi devices that are nearby.
On Linux, the following steps achieve this:
1.- Configuring the interface in monitor mode
First stop network-manager and bring the interface down with ifconfig:
sudo service network-manager stop
sudo ifconfig wlp1s0 down
Set the interface to monitor mode and bring it back up:
sudo iwconfig wlp1s0 mode monitor
sudo ifconfig wlp1s0 up
Verify that the interface is in monitor mode:
sudo iwconfig wlp1s0
wlp1s0 IEEE 802.11bgn Mode:Monitor Frequency:2.412 GHz Tx-Power=15 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
In normal (managed) mode it should look like this:
sudo iwconfig wlp1s0
wlp1s0 IEEE 802.11bgn ESSID:"XXXXX"
Mode:Managed Frequency:2.412 GHz Access Point: 9A:8A:20:XX:XX:XX
Bit Rate=72.2 Mb/s Tx-Power=15 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=62/70 Signal level=-48 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:31 Missed beacon:0
We are now ready to inspect probe requests with tcpdump or Wireshark.
2.- Capturing with tcpdump
In tcpdump, filter for probe requests on the WiFi interface:
sudo tcpdump -i wlp1s0 -s 0 -nne '(type mgt and subtype probe-req)'
For more information on how to filter, see [1].
You will get output like this:
sudo tcpdump -i wlp1s0 -s 0 -nne '(type mgt and subtype probe-req)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp1s0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
10:26:06.146207 249112607us tsft 1.0 Mb/s 2412 MHz 11b -31dBm signal -31dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.151624 249117920us tsft 1.0 Mb/s 2412 MHz 11b -27dBm signal -27dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.166410 249132835us tsft 1.0 Mb/s 2412 MHz 11b 4dBm signal 4dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.169342 249135654us tsft 1.0 Mb/s 2412 MHz 11b 7dBm signal 7dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.249639 249216271us tsft 1.0 Mb/s 2412 MHz 11b -28dBm signal -28dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.252041 249218017us tsft 1.0 Mb/s 2412 MHz 11b -10dBm signal -10dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.269873 249236306us tsft 1.0 Mb/s 2412 MHz 11b -22dBm signal -22dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:06.271229 249237709us tsft 1.0 Mb/s 2412 MHz 11b -21dBm signal -21dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:06.372397 249338889us tsft 1.0 Mb/s 2412 MHz 11b -10dBm signal -10dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:07.263172 250230286us tsft 1.0 Mb/s 2412 MHz 11b -67dBm signal -67dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:12:df:a4 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:07.395149 250362383us tsft 1.0 Mb/s 2412 MHz 11b -60dBm signal -60dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:12:df:a4 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:07.803719 250771377us tsft 1.0 Mb/s 2412 MHz 11b -42dBm signal -42dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:14:b2:bb Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:07.966819 250934075us tsft 1.0 Mb/s 2412 MHz 11b -90dBm signal -90dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:10:98:c3:01:f5:37 Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:26:07.980292 250947789us tsft 1.0 Mb/s 2412 MHz 11b -54dBm signal -54dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:14:b2:bb Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:08.003021 250970953us tsft 1.0 Mb/s 2412 MHz 11b -58dBm signal -58dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:14:b2:bb Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:08.333273 251300852us tsft 1.0 Mb/s 2412 MHz 11b -87dBm signal -87dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:30:07:4d:c0:d2:b7 Probe Request (RAYTEL) [1.0 2.0 5.5 11.0 Mbit]
10:26:08.807109 251775003us tsft 1.0 Mb/s 2412 MHz 11b -48dBm signal -48dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
The important fields, taking the last line as an example, are:
SA:70:bb:e9:aa:b1:9f: MAC address of the device that sent the Probe Request
-48dBm: signal level at which the packet was captured; this gives an idea of how far or near the device is
[1.0 2.0 5.5 11.0 Mbit]: rates (encodings) the device supports
3.- Capturing with Wireshark
In Wireshark, capture on the WiFi interface and use the following display filter (management frame, subtype 4 = probe request):
wlan.fc.type_subtype == 0x0004
For more details see [2].
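To turn output like the above into a per-device inventory (which MACs are probing, how strong their signal is, which network names they ask for), here is an added Python example that is not part of the original post: it parses the tcpdump -nne lines with a regular expression and groups probes by source MAC. The sample lines are copied from the capture above; the regex layout and the dictionary field names are my own assumptions about that output format.

```python
import re
from collections import defaultdict

# One "tcpdump -nne" line for a probe request with a radiotap header, as in the
# capture above. We keep: timestamp, frequency, first signal level, source MAC,
# requested SSID (empty = wildcard/broadcast probe) and the supported rates.
PROBE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*? (?P<freq>\d+) MHz .*?"
    r"(?P<signal>-?\d+)dBm signal .*?"
    r"SA:(?P<sa>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"Probe Request \((?P<ssid>.*?)\) \[(?P<rates>[^\]]*) Mbit\]$"
)

def parse_probe(line):
    """Parse one tcpdump line; return None for banner lines or other frames."""
    m = PROBE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "freq_mhz": int(m["freq"]),
            "signal_dbm": int(m["signal"]), "sa": m["sa"], "ssid": m["ssid"],
            "rates": [float(r) for r in m["rates"].split()]}

def summarize(lines):
    """Group probes by source MAC: probe count, strongest signal, SSIDs seen."""
    devices = defaultdict(lambda: {"count": 0, "best_dbm": None, "ssids": set()})
    for line in lines:
        p = parse_probe(line)
        if p is None:
            continue
        d = devices[p["sa"]]
        d["count"] += 1
        if d["best_dbm"] is None or p["signal_dbm"] > d["best_dbm"]:
            d["best_dbm"] = p["signal_dbm"]
        if p["ssid"]:  # only directed probes reveal a network name
            d["ssids"].add(p["ssid"])
    return dict(devices)

# Sample input: the tcpdump banner plus four lines copied from the capture above.
SAMPLE = """\
listening on wlp1s0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
10:26:06.151624 249117920us tsft 1.0 Mb/s 2412 MHz 11b -27dBm signal -27dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request (prueba-wireshark) [1.0 2.0 5.5 11.0 Mbit]
10:26:07.263172 250230286us tsft 1.0 Mb/s 2412 MHz 11b -67dBm signal -67dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:34:e1:2d:12:df:a4 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
10:26:08.333273 251300852us tsft 1.0 Mb/s 2412 MHz 11b -87dBm signal -87dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:30:07:4d:c0:d2:b7 Probe Request (RAYTEL) [1.0 2.0 5.5 11.0 Mbit]
10:26:08.807109 251775003us tsft 1.0 Mb/s 2412 MHz 11b -48dBm signal -48dBm signal antenna 0 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:70:bb:e9:aa:b1:9f Probe Request () [1.0 2.0 5.5 11.0 Mbit]
""".splitlines()

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(f"{mac}  probes={info['count']}  best={info['best_dbm']} dBm  ssids={sorted(info['ssids'])}")
```

Feeding it a live capture is a matter of piping tcpdump's stdout into summarize() line by line; devices that probe for a network name you do not operate are the ones worth a second look.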
[1]: http://infosec.vishalmishra.in/2013/09/capture-wireless-traffic.html
[2]: https://notasinalambricas.wordpress.com/2016/11/17/descubriendo-redes-inalambricas-parte-2/
[3]: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html