Determine MAC from iPhone only over Wifi without an actual connection

[rerant]

Hi,

I want to determine the MAC address of an iPhone without having direct access to it. I have read that the iPhone frequently sends wifi packets to determine whether known wifi networks are around. Do these packets already contain the MAC or is it possible to use these packets to get the MAC adress of the iPhone? How would that be possible as easy and mobile as possible. I have read about the "WiFi Pineapple Mark IV". Is this device capable of doing so? Any other ideas?

Regards

Rer

[Sebkinne]

Yes, absolutely!

[no42]

You can generally identify make of devices through mac address prefix analysing;

http://www.coffer.com/mac_find/?string=apple

will give you the Vendor mac address prefixes assigned to Apple - this includes Laptops, Desktops, aswell as iDevices - you will have to do your own research to narrow it down.

[Subspace3]

If you have an iphone or android device yourself, and connected to the same network just get a network scanner app, simple. Will show host names, MAC addresses and any open ports.

Ah mis read your post, I'm guessing you want this info while the iphone is just sending out probes?

Edited June 22, 2013 by Subspace3

[rerant]

@Sebkinne:

I tried to order a "Wifi Pineapple" and emailed them, but they do not delivery to the country I am currently living at (in southeastasia). I will be able to buy that device in three months, but that will be too late for this purpose. Any other idea?

@midnitesnake:

I assume you try to help me to analyse the data I might retrieve with a "Wifi Pineapple". In that case why do I need to do a MAC prefix analysis? To find the MAC? I would assume they are always at the same offset of the data packages.

@Subspace3:

Generally I would just like to read out the MAC from the "probes". But what would be a network scanner app which work on the iPhone? Furthermore if I open a hotspot with my iPhone (jailbreak available) and someone else connects to it, would it be possible to read out the MAC?

[thesugarat]

rerant,

Do you have a laptop or other computer avaiable? Or do you only have an iPhone? If you have a computer, you could use a BackTrack LiveCD and use the airmon-ng suite... I believe it's airodump-ng that you want.

[rerant]

@thesugarat: For my purpose a computer would not be appropriate.

I might let that device be delivered to another country and pick it up there. Anyway in that case I will on have half a day to get used to it until I need it for my first experiment.

1) Is it easy enough to set this device to just "recording" so that it basically logs all wifi traffic, which I then analyse later?

2) Any easy explanation available which I could read now already to be able to setup the device as mentioned in point 1)? If yes, where?

3) Is the MAC really inside the "probes" an iPhone sends randomly to connect to wifi hotspots?

[RebelCork]

Have you tried building a svartkast (Irongeek.com - props to Adrian Crenshaw, I'm just reposting )

Basically it's a modified Pogoplug, ebay is full of them. You can get them for next to nothing and stick in a low profile usb stick. They are fairly inconspicuous (apart from being bright pink :) )

I use it a fair bit for testing and packet captures - you can install debian and all of its tools.

http://forums.hak5.org/index.php?/topic/26512-pineapple-fun/

[rerant]

Hello,

I was able to get the Pineapple Mark IV. I can access it via Browser or SSH, but how can I record probes from an iPhone and extract its MAC if I am NOT connected to the same network?

Any help appreciated!

[thesugarat]

You could use a seperate Alfa WiFi card, or a seperate laptop, to deauthenticate users on the other access point. This would force users off the other AP and potentially onto yours. Even if it doesn't connect to your pineapple permanently, the iPhone might respond to Karma and then you would have it's information. Anybody else think that's incorrect?

[rerant]

I do not want and need to disconnect users from access points. The phones are not connected to a wifi network.

[thesugarat]

"and extract its MAC if I am NOT connected to the same network?"

Then what "network" are you talking about in the above quote? If the target iPhone isn't on an AP and you just run your Pineapple with Karma the iPhone might respond but only if it has the wifi turned on. And if there are other devices around when you run Karma more than likely you'll get more devices to respond so you might have to do a little more digging to find the one you're looking for.

If somehow you are expecting the pineapple to provide information from the cellular side of the iphone that's not what the pineapple does.

[Sebkinne]

Karma can log probing MAC addresses. You could then run all collected MAC addresses through a filter and see which ones are actually iPhones (check the oui).

I think that is what you are asking.

[rerant]

@Sebkinne: Yes that is what I am asking. I passively want to monitor iPhone probes which are not connected to any network, but have (of course) their wifi functionality on. Where can I find the "oui" or any documentation which helps me a bit?

[tom564]

00:1B:63 is one of the OUIs for Iphones

[rerant]

OK, got it. But that is already a step too far. How can I set up karma to log passively?

[thesugarat]

When Karma is turned on it passively logs everything that responds to the screen on the main page. I'm not sure how to get that into a log on say a USB drive for assessment later... That would be nice. If you want to check a MAC address to see who makes it you can check the OUI database.

http://standards.ieee.org/develop/regauth/oui/public.html

Edited July 11, 2013 by thesugarat

[rerant]

The probe request are recorded by Karma and printed to the main page. Thanks

The same information is logged in /tmp/karma.log.

I now want that the log file should be created on the usb stick. I could create a job (over the browser screen) to copy it to USB. But isn't there a way to just directly write it to the USB stick?

[Sebkinne]

Right now, the best way to do it is by making a soft link.

[rerant]

The log file is created in the tmp directory which seems to be deleted every startup/shutdown(?). If I created the softlink there it is deleted as well. So I have to created the soft link every startup after tmp is deleted and before karma starts logging. How do I do that?