I recently was able to meet up with Bob while he was on the run. He told me that he was on a long flight recently headed in to Boston
several weeks back (he’s gotta keep on the move!), and he decided to fire up Kismet for some passive captures while on the plane. He let it run for an hour or so, and passed the captures to me for analysis. I trimmed them down to just spit out some interesting stuff that we can use for this example.
We’ll replay them with tcpdump:
$ tcpdump -r bobs_intersting_packets
…and we get a bunch of probe requests. We’ve talked bout this ad-nauseum before. This is why we love Karma (and Karmetasploit). Windows (and other OSes, even some gaming consoles), automatically tries to connect to wireless networks in the preferred network lists. Kismet can then see those connect requests as the OS cycles through the list.
So, here’s the first list from the first capture from the same MAC address:
16:32:04.483854 Probe Request (Free Public WiFi) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:06.763062 Beacon (Free Public WiFi) [1.0* 2.0* 5.5 11.0 Mbit] IBSS CH: 11 16:32:11.977047 Probe Request (Hyatt) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:13.978262 Probe Request (fcc) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:16.071853 Probe Request (Lake) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:18.130698 Probe Request (public1) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:20.099906 Probe Request (The Point) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:22.069924 Probe Request (REDZONE) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:24.085280 Probe Request (belkin54g) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:26.115367 Probe Request (hhonors) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:28.146203 Probe Request (GlobalSuiteWireless) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:30.084600 Probe Request (1811) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:32.092157 Probe Request (Wayport_Access) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:34.118208 Probe Request (guestnet) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:36.123724 Probe Request (FourSeasons) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:38.138125 Probe Request (killington) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:42.153053 Probe Request (Hotel Griffon) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:46.160227 Probe Request (RGPublic) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:50.115316 Probe Request (oakbluffs) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:52.122565 Probe Request (Cuttyhunk) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:54.175486 Probe Request (MARYA) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:56.131065 Probe Request (mattapoisett) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:32:58.131358 Probe Request (linksys) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:33:00.137978 Probe Request (HBS) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
Now, go log in to wigle.net and search for some of the more unusual SSIDs. What do you want to bet we can figure out where this particular person lives/works/plays based on where they show up on the map. Then add the more common names to the list, and you can bet that they show up in those same two neighborhoods as well. Yes, several of them show up in very close proximitiy spread out over to distinct neighborhoods.
The second capture Bob provided also had more interesting SSIDs, just in case we REALLY wanted to triangulate:
16:26:51.357853 Probe Request (ibahn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:26:53.106024 Probe Request (Elysium) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:26:57.259488 Probe Request (JFKRL) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:26:59.080305 Probe Request (phspiaguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:03.281251 Probe Request (needadog) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:05.260271 Probe Request (guest_ssid) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:09.408208 Probe Request (NUwave) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:11.080215 Probe Request (SpotOn) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:13.233782 Probe Request (holden) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:15.484724 Probe Request (SMC) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:17.131279 Probe Request (Wayport_Access) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:19.183281 Probe Request (Seaport) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:21.182520 Probe Request (Hynes Wireless Network) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:23.146459 Probe Request (iscguest) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:25.096483 Probe Request (LawLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:27.095193 Probe Request (roofnet) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:29.176267 Probe Request (in4net) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:33.146455 Probe Request (Harvard University) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:35.185946 Probe Request (default) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:37.613369 Probe Request (Back Bay Events Center) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:39.170252 Probe Request (Algonquin Club WiFi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:43.587718 Probe Request (BostonPublicLibrary) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:45.285541 Probe Request (loganwifi) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:47.388067 Probe Request (CRS WAP) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:49.336783 Probe Request (HCBostonMember) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:51.285535 Probe Request (Linksys Secure) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit] 16:27:53.285419 Probe Request (Warehouse) [1.0* 2.0* 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
From Bob’s capture, and again from the same MAC address, we also are able to capture some interesting network traffic. We can use this information in conjunction with the wireless info to create an even more detailed picture about the individual:
16:36:08.526921 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from 00:1e:52:b6:19:9b (oui Unknown), length 300 16:36:10.307924 IP 169.254.140.137 > 224.0.0.251: igmp v2 report 224.0.0.251 16:36:12.949124 IP 169.254.140.137.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cache flush) A 169.254.140.137 (40) 16:36:37.923110 arp who-has 10.71.0.123 tell 10.71.0.123 16:36:43.001662 IP 10.71.0.123.netbios-ns > 10.71.15.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST 16:36:49.532485 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST 16:46:53.719602 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST 16:47:21.229266 IP 169.254.44.240.netbios-ns > 169.254.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
For some reason, Wireshark displayed some interesting domain information in the netbios requests. I suspect that I exported the packtes wrong, so the info isn’t shown with the tcpdump output, but here they are in Wireshark:
Now, what else can we assume about the individual, and potential network/desktop policies in play?
You know what else I found frightening? While looking for images to be included in this posting, I stumbled across an interesting device from Teledyne Controls; An Aircraft Wireless LAN Unit (AWLU), which the vendor touts as being wireless for the cockpit, as well as the cabin all in one unit. There is also the ability to utilize the unit to upload FMS navigation databases for loading into a Flight Management Computer! While it doesn’t state that you can do this over the 802.11 protocol, it also doesn’t say you can’t. Interesting.
– Larry “haxorthematrix” Pesce