Wardriving OSINT & SE

 Disclaimer: do NOT use this information to be a jerk. Don’t try to get the location of my examples, or you’re a big meanie.

There's already a post out there about tracking people with wifi. It's helpful for those who use a hotspot or maybe a vehicle hotspot. I believe a personal device that broadcasts Bluetooth is more likely than a hotspot. 

Tracking

What wardriving can’t do = track people via Bluetooth devices

Or shouldn’t be able to work. Most modern Bluetooth devices use MAC randomization, which changes the MAC address of the Bluetooth device at random. Even if you can track a device it may only be short-term, as it’ll change again. But sometimes they don't turn over to a randomized MAC. Do what you will with that.

If you want to see how easy it is to make a random MAC go here.

But what if you only need a short-term answer? Better start stumblin’.

Let’s forget the purpose of needing that MAC address long-term. With all MAC addresses, OUI can tell you what the device hardware should be. Should – because MAC address spoofing allows for the OUI to be spoofed. You can use this tool from Wireshark to lookup an OUI. Although this list has a lot of devices, it is not complete. There are wardrivers who collect OUIs so maybe you could help contribute too.

Looking for a vulnerable device for future exploitation

With the OUIs/name we can hopefully identify devices for reconnaissance. There’s one that caught my eye.

Next, let’s see if exploit DB has any results for this model of device:

https://www.exploit-db.com/exploits/42176 this is a 2017 vuln, so maybe it’ll work.

and maybe this will be an opportunity for the HPP based on a previous exploit https://www.exploit-db.com/ghdb/4219

 

What else can we find that could be vulnerable? I targeted the previous device knowing printers don’t have the best security. What other devices are around?

Default creds: There’s a TON of xfinity router modem combos around. That’s low-hanging fruit, and can be susceptible to many wireless attacks. You do not need a special exploit for these, but there are some specific vulns look for, but remember the default creds are “admin” and “password” unless your ISP is Frontier, then it’s "admin" "admin", and AT&T default passwords are random. If you’re using the XFSET for Xfinity, it's “XFSET” and “become” as the password (thank wisair for that one). The sticker on the AT&T modem with the password, which you can’t access. AT&T uses a common word like sand and bucket to make passwords like this sandbucket2358 all lowercase, no special characters. There’s a wordlist out for these passwords, so keep a lookout.

I digressed, but you get the idea. Hover outside the building and try to find the weakest devices you can. Some suggest targeting IoT devices as these constrained devices don’t have a lot of security built in.

Social Engineering Spice

So now we have vulnerable devices and some other unusual networks. Let’s say we’re outside an office building, and you need to find a reason in. Now that you know some of office equipment, here is a social engineering gag to pull:

 “Hi, I’m here to fix your 9020 printer” go to the printer, find the ink or toner shake it. They don’t know what the model is, but if they check or know, you’ll be right. Taking printers/copiers apart is meant to be easy to not damage the device and make repairs. You’ll look like you’re servicing it if you aren’t afraid to get some toner on your hands. If you want to take it a step further, bring a makeup brush and clear off their cartridges/toner heads and print a blank sheet before doing a test sheet. Always looks a little better, and you’ve done a small favor while you’ve dropped a bash bunny or two around the office. Look at YouTube for a video if you need it.

·        Do not send deauth packets and then going into a building claiming to fix the internet.

There's our printer, what are the other two devices? The Shield is a settop box, so it's not a personal device. The Shield is broadcasting two different signals so both are going to be ruled out. What's the D&B speaker? Is it personal or not? Giving it a google, you wouldn't know it's a tiny rubber duck speaker. There's not an exact science. The best thing to do is to survey your target more than once to understand what's permanent and what's not.  

Device Names

Sometimes name dropping helps. How can we figure out the name of someone in the building? Their device of course. I would recommend naming your devices someone else's name (thanks hackerdad, stole your idea). 

Answer time - I do know that the name of this device matches its owner's name. Not everyone is hackerdad trying to troll, so 

People Count

Personal devices are ubiquitous; almost everyone has one. Let’s count the number of possible people behind a building’s walls. I wouldn’t recommend just doing this from your phone, use Kismet or another platform on a laptop to make it easier to count. If you need to be stealthy, use a smaller device.

This method is helpful if you need to figure out who / how many people are in the room next to you.

Tip: turn off scanning for other network types if you can to only view Bluetooth. Vice versa for only wifi.

As you can see, none of these devices are known via there OUIs. No surprise. We have a device count, but not a people count. Let’s see what we can do. To get a better idea, move away from your starting position to a few meters in either direction. I walked from one end of the building toward the middle of the perimeter.

I recommend doing this in a car, or just walking outside unsuspiciously. You can figure it out.
Obviously, we’ve got more devices, and we don’t know what they are. What now?
How’s the signal? You can see the signal strength on the left. Here – we’re going to make a lot of assumptions. 

Assumptions. This is where it’s a lot easier if you can copy and paste these MACs easily into something else, not WiGLE’s app. Personal smart devices like smart watches and headphones are better to count than desktops, TVs, and other non-personal devices.

 Let’s assume that there are not two devices right on top of each other. Any distance even a foot could change the -db signal. Also, we want to remove anything that is too close with the OUI. That leaves us with 4 devices at -98db and a couple at -96db. There are 9 unique signal strengths. Wait for the device list to update and move around, count again. I averaged anywhere from 8 unique signals to 11. I'm guessing there are 6-9 people in range.

Next, take into context where you’re scanning. This is outside of a residential building, so it’s likely there’s more than one device per person. In a school, mass gathering, or shopping center, it’s more likely there’s 1 device per person. 1 in 5 Americans have a smart watch, so turn that one into 1.2 devices per person and you’re more accurate. What about headphones? Do we know if they are on? I’m going to count the personal devices and the unique Bluetooth devices. You’ll be the best judge of the adoption of these devices. For me, I assume there’s 1.5 devices per person, and that makes it easy on the math.

See a lot of personal devices? You’ve got employees inside. Come back after hours when the business is closed to a baseline of what’s always at the scene. You’ll remove things like conference room TVs or printers, and be left with unique devices during the day. Think of it like a site survey, but for people.

 For me - I try to B&E when there's no one around.

Wrap up these tools should help with your recon. I hope this helps!

ps who the heck names their wifi: