1
00:00:06,560 --> 00:00:09,420
- When it comes to footprinting wireless networks, you know

2
00:00:09,420 --> 00:00:12,510
just listening to the air and, and seeing what's out there,

3
00:00:12,510 --> 00:00:13,510
what we could connect to.

4
00:00:13,510 --> 00:00:14,880
We have two different ways to do this.

5
00:00:14,880 --> 00:00:16,290
We have passive methods

6
00:00:17,620 --> 00:00:20,400
and active methods. With passive methods

7
00:00:20,400 --> 00:00:23,210
we're simply going to listen to the air.

8
00:00:23,210 --> 00:00:26,430
So we put our wireless network interface card

9
00:00:26,430 --> 00:00:27,580
into monitor mode

10
00:00:27,580 --> 00:00:29,880
and we start listening for those wireless beacons.

11
00:00:29,880 --> 00:00:33,090
And we can gather a lot of information from just beacons.

12
00:00:33,090 --> 00:00:35,250
And then we have active methods where we're going to

13
00:00:35,250 --> 00:00:38,170
actually probe with an empty SSID

14
00:00:38,170 --> 00:00:39,963
to try to see what's out there.

15
00:00:40,990 --> 00:00:43,350
Several tools we can use for this.

16
00:00:43,350 --> 00:00:45,410
Most often, you're going to see it done

17
00:00:45,410 --> 00:00:47,870
with software on a laptop

18
00:00:47,870 --> 00:00:51,140
with hopefully an external antenna that has some gain

19
00:00:51,140 --> 00:00:53,510
so that we can capture wireless networks that are

20
00:00:53,510 --> 00:00:54,970
a little bit further away.

21
00:00:54,970 --> 00:00:58,650
Some common tools used for finding these wireless networks.

22
00:00:58,650 --> 00:01:02,350
We have airodump-ng as part of the aircrack-ng suite.

23
00:01:02,350 --> 00:01:05,510
We have this URL here to get more information

24
00:01:05,510 --> 00:01:09,480
about the aircrack-ng suite. This is built into Kali Linux.

25
00:01:09,480 --> 00:01:13,280
So you just, provided you have a wireless adapter

26
00:01:13,280 --> 00:01:15,710
that will work with Kali Linux.

27
00:01:15,710 --> 00:01:19,330
Then you can run the aircrack-ng suite.

28
00:01:19,330 --> 00:01:22,170
Most of them will. The reason I mention that specific point,

29
00:01:22,170 --> 00:01:24,030
so let me go off on a little tangent here.

30
00:01:24,030 --> 00:01:26,150
So a lot of times you'll see someone

31
00:01:26,150 --> 00:01:28,870
on a laptop running Kali in a virtual machine,

32
00:01:28,870 --> 00:01:31,190
like VirtualBox, VMware or whatever the case may be.

33
00:01:31,190 --> 00:01:35,290
And then they will use a purpose-built USB-connected

34
00:01:35,290 --> 00:01:39,200
Wi-Fi adapter that is connected to the virtual machine

35
00:01:39,200 --> 00:01:41,990
that allows them to maintain wireless internet access

36
00:01:41,990 --> 00:01:42,910
from the laptop.

37
00:01:42,910 --> 00:01:45,910
And then the virtual machine is using this USB-connected

38
00:01:45,910 --> 00:01:50,910
Wi-Fi adapter in order to run the aircrack suite of tools.

39
00:01:51,290 --> 00:01:54,760
That's what I commonly do in order to run these tools.

40
00:01:54,760 --> 00:01:56,430
We also have MetaGeek Complete.

41
00:01:56,430 --> 00:02:00,040
This is a commercial offering that will analyze channels,

42
00:02:00,040 --> 00:02:02,450
display SSIDs, et cetera.

43
00:02:02,450 --> 00:02:05,570
We also have Vistumbler, V-I-stumbler.

44
00:02:05,570 --> 00:02:07,680
It will provide you with SSIDs,

45
00:02:07,680 --> 00:02:11,660
as well, it can take GPS latitude, longitude input.

46
00:02:11,660 --> 00:02:13,280
So you run the software,

47
00:02:13,280 --> 00:02:17,560
connect a GPS receiver to your laptop, as well as a--

48
00:02:17,560 --> 00:02:20,190
the wireless interface grabbing this information

49
00:02:20,190 --> 00:02:24,123
and we can tie SSIDs to physical locations.

50
00:02:25,550 --> 00:02:27,680
Now, most of us are walking around

51
00:02:27,680 --> 00:02:31,820
with some sort of Wi-Fi-enabled device in our pocket.

52
00:02:31,820 --> 00:02:35,630
We have this application, NetSpot, for both iOS and Android

53
00:02:35,630 --> 00:02:37,310
that will listen to the air

54
00:02:37,310 --> 00:02:41,570
and show you interesting pieces of information:

55
00:02:41,570 --> 00:02:44,220
the signal strength, that's the height,

56
00:02:44,220 --> 00:02:48,113
as well as the channel that the particular SSIDs are on.

57
00:02:50,290 --> 00:02:53,280
WiGLE is a service that's been around for a long time.

58
00:02:53,280 --> 00:02:56,180
It's a crowdsourced wardriving database.

59
00:02:56,180 --> 00:02:58,640
So you run this app on your phone.

60
00:02:58,640 --> 00:03:01,300
That information is passively listening in the background.

61
00:03:01,300 --> 00:03:04,110
That information is then uploaded to wigle.net

62
00:03:04,110 --> 00:03:07,870
and plotted out on a map. Here, we see San Francisco.

63
00:03:07,870 --> 00:03:11,840
So it will gather those SSIDs along with location

64
00:03:11,840 --> 00:03:13,230
gathered from your phone

65
00:03:13,230 --> 00:03:15,603
and upload that information to WiGLE.

66
00:03:18,330 --> 00:03:21,780
When we are capturing this information,

67
00:03:21,780 --> 00:03:24,593
what sort of information can we glean from this,

68
00:03:25,590 --> 00:03:28,270
from this data? We get names of networks.

69
00:03:28,270 --> 00:03:31,230
And most often you're going to see a name associated

70
00:03:31,230 --> 00:03:32,930
with a business name.

71
00:03:32,930 --> 00:03:36,830
If you have a grocery store and you see a grocery store SSID,

72
00:03:36,830 --> 00:03:39,570
it's a, it's a safe bet that that SSID

73
00:03:39,570 --> 00:03:41,940
belongs to that grocery store.

74
00:03:41,940 --> 00:03:45,120
We can learn encryption protocols, authentication methods,

75
00:03:45,120 --> 00:03:49,290
as well, we can know if they are doing multiple APs

76
00:03:49,290 --> 00:03:54,290
on the same SSID and using that BSSID concept in order to

77
00:03:54,810 --> 00:03:58,963
distribute a single SSID across a wired network.

78
00:04:00,140 --> 00:04:04,590
The OmniPeek tool can be used to analyze wireless traffic.

79
00:04:04,590 --> 00:04:06,000
And what we're talking about here is actually

80
00:04:06,000 --> 00:04:09,710
capturing the Wi-Fi frames themselves,

81
00:04:09,710 --> 00:04:11,020
not the data in the frame,

82
00:04:11,020 --> 00:04:13,500
but the frame which contains the data.

83
00:04:13,500 --> 00:04:16,990
So OmniPeek from LiveAction is available to do that.

84
00:04:16,990 --> 00:04:20,670
And then off-the-shelf, non-commercial, we have Wireshark.

85
00:04:20,670 --> 00:04:23,550
Wireshark can capture frames,

86
00:04:23,550 --> 00:04:25,370
show you 802.11.

87
00:04:25,370 --> 00:04:27,550
Here, we see a bunch of beacon frames

88
00:04:27,550 --> 00:04:30,560
that are being captured by a wireless interface,

89
00:04:30,560 --> 00:04:31,983
connected to Wireshark.