0phoi5

Everything posted by 0phoi5

  1. https://en.wikipedia.org/wiki/DBm "-10 dBm - Maximal received signal power of wireless network (802.11 variants)"
  2. Thank you :) I'm attempting to put together a simple script to test feasibility. If one uses airodump-ng to start collecting data, is there a way to see which access points a mobile device has previously connected to? I can see under the 'Probes' header that there are some devices showing SSIDs and some are simply showing 'unassociated'. Are the SSIDs shown under here the access points that a device has previously connected to? Does this work even when they are out of range of the SSID? I'm thinking that, if the PI could work out which Access Point belongs to the target's home, then the script could monitor for any MACs that are probing for this SSID. Then, even if the MAC changes every few minutes, airodump-ng could still tell which mobile device is related to the target?
  3. If a PI were to run airodump-ng to see whether someone was at home, then it would work if they were connected to their home Wi-Fi, but if they weren't, then the station MAC would change every few minutes? So, for example:
     - Joe Bloggs is at home with his iOS device and connected to his Wi-Fi.
     - PI Dave collects Joe's device MAC address using airodump-ng.
     - Joe Bloggs goes for a drive with his iOS device, with its Wi-Fi still turned on, but no longer in range of his home Wi-Fi, so it's not associated.
     - PI Dave follows, with airodump-ng still collecting MACs.
     In this scenario, would PI Dave's airodump still pick up Joe's iOS MAC, or would the MAC change within minutes and therefore not be recognised as the same device by airodump?
  4. They're not bad; I can get around 100m with a good-strength signal, with line-of-sight. Not the best at penetration through walls/glass. You can get them from Alfa on Amazon for around £7.00 here, so I'd say they're more than worth it at that price.
  5. Thanks :) All very good points. Thanks for the script also. May I ask what kind of set-up you had? I currently have 2 x 7dBi panel antennas I was thinking of using with an RPi, to experiment. A couple of questions regarding your points, if you don't mind:
     1) Would the interference cause much of an issue? I feel that, if the beam widths did not cross, the strength of the signal from one direction or the other shouldn't be affected too much by 'bouncing' signals. The antenna pointing towards the actual target should still get a stronger signal than the antenna picking up 'bounced' packets?
     3) I wasn't aware of this, thanks. How often do they tend to change the MAC? If it's daily, this could be an issue for the PI to use this method. If it's weekly or monthly, probably not a massive issue.
     4) Damn, wasn't aware of this either. Do a lot of phones do this?
     I do agree though, this is going to be a 'will work under certain circumstances' thing, where it could be highly useful in one situation and unusable in another. But options are always nice! Perhaps I could add in some warning messages. Based on the input MAC address, the script could advise the user of any possible issues with that product type and advise on feasibility. Thanks.
  6. On a side note - airodump-ng could be great for PI work in other situations. You could tell when a target was home, even if you don't actually eyeball them.
  7. Hi all, I was recently talking with someone regarding Private Investigator work, and the discussion included ways in which one could tell which direction a tailed vehicle/person had turned when you get to a junction and are not certain whether they turned left or right etc. This has given me an idea regarding using the Station MAC of their mobile phone to determine which direction they went. Kind of like a poor man's GSM Directional Finder, but using the target's WiFi signal instead of the actual phone signal. I would like your thoughts on the following, whether you think this would be feasible, and possible best methods if it is.
     - Minimum 2 x directional WiFi antennas in the PI vehicle, one facing forwards and left, one facing forwards and right. Beam widths set so that they are close to each other, but not actually crossing, at the front of the vehicle.
     - A device (RPi / laptop) with both antennas connected.
     - Both antennas in Monitor Mode, using airodump-ng to monitor nearby Station MACs.
     - A script created on the device to read which antenna is picking up a Station MAC with a higher signal strength than the other, and then output this to a screen / phone.
     Now, presuming the PI is able to get the mobile phone Station MAC of the person being investigated (not massively difficult) and the target has their phone WiFi on (happens often), in theory this method could make following them easier, as even without obvious sight of the vehicle/person ahead, the PI could have at least a rough idea of which direction they are in, in relation to their current position. It could perhaps also be possible to add more antennas, such as in each corner of the vehicle. Would this work? I'm tempted to have a play. Thanks.
  8. Agreed with barry. RPis are fantastic little things for having an on-the-go box for pen testing, however they certainly shouldn't be used for password cracking themselves. Use an RPi to grab a password hash or WiFi handshake, sure, but then transfer the hash to a more powerful machine or use an online service to get the password. RPis would take years to crack a hash, compared with days for a desktop PC.
  9. Please see the below topic.
  10. Huge difference. And yes, this is probably the case. Most older hub passwords only use A-F, which is so insecure. So, the new math:
      - 6 possible randomised digits A-F or 0-9
      - 1 digit with 3 possibilities (4,5,6)
      (6+10)^6 + 1^3 = 16,777,217
      My GTX 970 could crack this, with oclHashCat, in 2 minutes. Your laptop CPU, with HashCat, could do it in 3 hours.
      -a 3 -1 ABCDEF?d 2511,456,?10?1?1?1?1?1
      Absolutely laughable security, if this is indeed their password standard.
  11. https://hashcat.net/wiki/doku.php?id=mask_attack
      -a 3 -1 ?d?u 2511,456,?10?1?1?1?1?1
  12. 12 characters
      Format : 2511[4,5,6]*0*****
      - 6 possible randomised digits A-Z or 0-9
      - 1 digit with 3 possibilities (4,5,6)
      (26+10)^6 + 1^3 = 2,176,782,337
      My GTX 970 could crack this, with oclHashCat, in 4 hours. Your laptop CPU, with HashCat, could do it in 14 days (2 weeks).
  13. I don't have any figures to hand, but the 1080 should get more. I would guess around 200,000 per second, but that is a complete guess. It certainly won't be worse than the 970.
  14. Do your parents have the same WiFi router? Sounds like the router is doing something to make the Tetra hang. Maybe a security feature, or simply the way in which it transmits its data. Try your hub elsewhere?
  15. Use HashCat (uses CPU) / oclHashCat (uses GPU). It'll have that baby cracked in no time. If it's the IT Director, the password is probably 'bossman123'. Anyone else, it would be 'Tuesday123'.
  16. Rubber Ducky can do that fine. With any, and all, hardware for pen testing, it entirely depends on the circumstances. Rubber Ducky is (slightly) more discreet, cheaper, and maybe easier to set up, but not as powerful. Bash Bunny is powerful, but costs more. Personally, I'd get both. But if you have to buy one at a time, get the Ducky first, then play with it and learn whilst you save for the Bunny.
  17. Couldn't agree more :) I think that, in this case, it would be whatever was best for the situation of the pen test.
  18. NetHunter is really great, of course, however:
      - It doesn't work on iPhones.
      - It's created by someone else. RPis mean you can install whatever you like.
      - It's not as anonymous.
      - It's way more expensive, if you take into account that you can use any cheap phone + $40 RPi vs having to buy a Nexus device.
      - It's in BETA.
      - I'm cheap.
      - I like playing with RPis.
  19. https://null-byte.wonderhowto.com/how-to/hide-virus-inside-fake-picture-0168183/ I assume this is what you want to do?
  20. Yep. For general instructions, if it helps:
      1.) Install Raspbian (I've also had this working with Kali) on an RPi3.
      2.) Use these instructions to turn it into a WiFi hotspot when there is no recognised WiFi nearby.
      3.) Install Termius on your iThingy/Android/Potato.
      4.) Connect your iThingy/Android/Potato to the WiFi hotspot the RPi3 is kicking out.
      5.) Use an application to confirm the RPi's IP address (I use Fing on Android; there are loads of applications for listing WiFi stations), or you may be able to figure that out from the instructions followed in step 2.
      6.) Connect to that IP address, using port 22 and the credentials required (Raspbian is user ID pi and password raspberry, so it would be pi@0.0.0.0:22 as an example).
      7.) Profit. Install what you like (nmap, aircrack etc.), plug in an extra WiFi card, throw it in a backpack or a pocket with a mini battery and off you go.
      PRO TIP: Create BASH files and simply run them using SSH from your phone. Hardly any typing, quick and easy.
  21. Hiya barry, Sorry to be a pain, but are you able to elaborate or provide a link? I did a search for 'fox and hound signal locating' but didn't have much luck finding a good explanation. Cheers.
  22. Termius. https://www.raspberrypi.org/documentation/remote-access/ssh/ios.md
  23. Any. As long as your phone has the ability to connect to WiFi and has an SSH application available in the store, you can use the RPi + phone method.
  24. Don't use a tablet. You'll come across situations where it's a pain. For on-the-fly, discreet pen testing, use your phone and a Raspberry Pi 3. You can turn the RPi into a WiFi hotspot, or connect to it via Bluetooth, and use a terminal on your phone. You can also then use applications to create SSH 'buttons' to complete commands instantly, then discreetly just stand around whilst the Pi does the work. Good for public, good for quick movement, good for hiding, good for taking in a car, good for everything you don't need a PC for.
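Posts 10 to 12 above size the keyspace of a fixed-prefix router password format. The following is an added example, not code from the thread, that parses a hashcat-style mask with custom charsets and multiplies the per-position choices to get the total keyspace; the custom charset `?2 = 456` for the [4,5,6] position is this example's own rendering of the format, not the poster's mask.

```python
import math
import re
import string

# hashcat's built-in charsets: ?l ?u ?d ?s (space + 32 punctuation marks) and ?a (all 95)
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")

def _tokens(s: str) -> list[str]:
    # Split into "?x" placeholders and single literal characters; "??" is a literal "?"
    return re.findall(r"\?.|.", s)

def expand(spec: str) -> str:
    # Distinct characters covered by a -1..-4 definition such as "ABCDEF?d"
    chars = []
    for t in _tokens(spec):
        if len(t) == 1 or t == "??":
            chars.append(t[-1])
        elif t[1] in BUILTIN:
            chars.extend(BUILTIN[t[1]])
        else:
            raise ValueError(f"unsupported {t} inside a charset definition")
    return "".join(dict.fromkeys(chars))  # repeats do not enlarge the set

def position_sizes(mask: str, custom: dict[str, str]) -> list[int]:
    # Candidates per mask position; a literal character is a single choice
    sets = {k: len(expand(v)) for k, v in custom.items()}
    sizes = []
    for t in _tokens(mask):
        if len(t) == 1 or t == "??":
            sizes.append(1)
        elif t[1] in BUILTIN:
            sizes.append(len(BUILTIN[t[1]]))
        elif t[1] in sets:
            sizes.append(sets[t[1]])
        else:
            raise ValueError(f"custom charset {t} was never defined")
    return sizes

def keyspace(mask: str, custom: dict[str, str]) -> int:
    # Total candidates is the product of the choices at every position
    return math.prod(position_sizes(mask, custom))

# The 12-character format from the thread: "2511", one of 4/5/6, six random characters
# around a fixed "0" at position 7. Charset ?2 = "456" is this example's rendering of it.
ROUTER_MASK = "2511?20?1?1?1?1?1?1"
HEX_ONLY = keyspace(ROUTER_MASK, {"1": "ABCDEF?d", "2": "456"})  # 3 * 16**6 = 50,331,648
ALNUM = keyspace(ROUTER_MASK, {"1": "?d?u", "2": "456"})         # 3 * 36**6 = 6,530,347,008
```

Dividing a keyspace by a measured hash rate gives the time to exhaust it, which is how the minute and day figures in the thread are derived.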