rerant Posted June 22, 2013
Hi, I want to determine the MAC address of an iPhone without having direct access to it. I have read that the iPhone frequently sends wifi packets to determine whether known wifi networks are around. Do these packets already contain the MAC, or is it possible to use these packets to get the MAC address of the iPhone? How would that be possible as easily and as mobile as possible? I have read about the "WiFi Pineapple Mark IV". Is this device capable of doing so? Any other ideas? Regards, Rer
Sebkinne Posted June 22, 2013
Yes, absolutely!
no42 Posted June 22, 2013
You can generally identify the make of a device through MAC address prefix analysis; http://www.coffer.com/mac_find/?string=apple will give you the vendor MAC address prefixes assigned to Apple. This includes laptops and desktops as well as iDevices; you will have to do your own research to narrow it down.
Subspace3 Posted June 22, 2013
If you have an iPhone or Android device yourself, connected to the same network, just get a network scanner app, simple. It will show host names, MAC addresses and any open ports. Ah, misread your post. I'm guessing you want this info while the iPhone is just sending out probes? Edited June 22, 2013 by Subspace3
rerant Posted June 25, 2013 (Author)
@Sebkinne: I tried to order a "Wifi Pineapple" and emailed them, but they do not deliver to the country I am currently living in (in Southeast Asia). I will be able to buy that device in three months, but that will be too late for this purpose. Any other idea? @midnitesnake: I assume you are trying to help me analyse the data I might retrieve with a "Wifi Pineapple". In that case, why do I need to do a MAC prefix analysis? To find the MAC? I would assume they are always at the same offset in the data packets. @Subspace3: Generally I would just like to read out the MAC from the "probes". But what would be a network scanner app that works on the iPhone? Furthermore, if I open a hotspot with my iPhone (jailbreak available) and someone else connects to it, would it be possible to read out the MAC?
thesugarat Posted June 25, 2013
rerant, do you have a laptop or other computer available? Or do you only have an iPhone? If you have a computer, you could use a BackTrack LiveCD and use the airmon-ng suite... I believe it's airodump-ng that you want.
rerant Posted June 28, 2013 (Author)
@thesugarat: For my purpose a computer would not be appropriate. I might have that device delivered to another country and pick it up there. Anyway, in that case I will only have half a day to get used to it before I need it for my first experiment. 1) Is it easy enough to set this device to just "recording", so that it basically logs all wifi traffic, which I then analyse later? 2) Is any easy explanation available which I could read now already, to be able to set up the device as mentioned in point 1)? If yes, where? 3) Is the MAC really inside the "probes" an iPhone sends randomly to connect to wifi hotspots?
RebelCork Posted July 1, 2013
Have you tried building a svartkast (Irongeek.com - props to Adrian Crenshaw, I'm just reposting)? Basically it's a modified Pogoplug; eBay is full of them. You can get them for next to nothing and stick in a low-profile USB stick. They are fairly inconspicuous (apart from being bright pink :) ). I use it a fair bit for testing and packet captures - you can install Debian and all of its tools. http://forums.hak5.org/index.php?/topic/26512-pineapple-fun/
rerant Posted July 9, 2013 (Author)
Hello, I was able to get the Pineapple Mark IV. I can access it via browser or SSH, but how can I record probes from an iPhone and extract its MAC if I am NOT connected to the same network? Any help appreciated!
thesugarat Posted July 9, 2013
You could use a separate Alfa WiFi card, or a separate laptop, to deauthenticate users on the other access point. This would force users off the other AP and potentially onto yours. Even if it doesn't connect to your Pineapple permanently, the iPhone might respond to Karma and then you would have its information. Anybody else think that's incorrect?
rerant Posted July 10, 2013 (Author)
I do not want or need to disconnect users from access points. The phones are not connected to a wifi network.
thesugarat Posted July 10, 2013
"and extract its MAC if I am NOT connected to the same network?" Then what "network" are you talking about in the above quote? If the target iPhone isn't on an AP and you just run your Pineapple with Karma, the iPhone might respond, but only if it has the wifi turned on. And if there are other devices around when you run Karma, more than likely you'll get more devices to respond, so you might have to do a little more digging to find the one you're looking for. If somehow you are expecting the Pineapple to provide information from the cellular side of the iPhone, that's not what the Pineapple does.
Sebkinne Posted July 10, 2013
Karma can log probing MAC addresses. You could then run all collected MAC addresses through a filter and see which ones are actually iPhones (check the OUI). I think that is what you are asking.
rerant Posted July 11, 2013 (Author)
@Sebkinne: Yes, that is what I am asking. I want to passively monitor iPhone probes from phones which are not connected to any network, but have (of course) their wifi functionality on. Where can I find the "OUI" or any documentation which helps me a bit?
tom564 Posted July 11, 2013
00:1B:63 is one of the OUIs for iPhones.
rerant Posted July 11, 2013 (Author)
OK, got it. But that is already a step too far. How can I set up Karma to log passively?
thesugarat Posted July 11, 2013
When Karma is turned on, it passively logs everything that responds to the screen on the main page. I'm not sure how to get that into a log on, say, a USB drive for assessment later... That would be nice. If you want to check a MAC address to see who makes it, you can check the OUI database. http://standards.ieee.org/develop/regauth/oui/public.html Edited July 11, 2013 by thesugarat
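The filter Sebkinne describes (collect the probing MACs, then check each OUI), as an added example that is not from this thread and not part of the Pineapple firmware. It is plain POSIX sh so it runs on the Pineapple itself or on any Linux box you copy the log to: it pulls every MAC address out of a capture or log file, looks the first three octets up in an OUI table, and goes one step beyond the posts by flagging addresses with the locally-administered bit set, which no vendor ever assigned and which an OUI lookup therefore cannot identify. The sample log lines and the three-entry OUI table are constructed for the example; the log lines are not the real karma.log format (the regex does not depend on the surrounding text), and a real table must be filled from the IEEE registry linked above. 00:1B:63 is the Apple OUI quoted by tom564.

```shell
#!/bin/sh
# Added example: filter captured probe-request MACs by OUI.
# Not code from the thread or the Pineapple; the sample data below is constructed.

# Print every MAC address found in a file, lower-cased and de-duplicated.
# Works on any text: karma.log, airodump-ng CSV, tcpdump output, ...
extract_macs() {
    grep -o -i -E '([0-9a-f]{2}:){5}[0-9a-f]{2}' "$1" | tr 'A-F' 'a-f' | sort -u
}

# Locally-administered bit = bit 1 (0x02) of the first octet.  When it is set
# the address was not assigned by a vendor, so an OUI lookup is meaningless.
# Low nibble of the first octet with 0x02 set: 2,3,6,7,a,b,e,f.
is_locally_administered() {
    case "$(printf '%s' "$1" | cut -c2)" in
        2|3|6|7|a|b|e|f) return 0 ;;
        *)               return 1 ;;
    esac
}

# Vendor for a MAC, from an OUI file with lines "xx:xx:xx Vendor" (lower-case
# hex).  Prints "unknown" when the prefix is not listed.
mac_vendor() {
    prefix=$(printf '%s' "$1" | cut -c1-8)
    awk -v p="$prefix" 'tolower($1) == p { print $2; found = 1 }
                        END { if (!found) print "unknown" }' "$2"
}

# One line per MAC: "<mac> <vendor> universal|locally-administered"
probe_report() {
    extract_macs "$1" | while read -r mac; do
        vendor=$(mac_vendor "$mac" "$2")
        if is_locally_administered "$mac"; then flag=locally-administered; else flag=universal; fi
        printf '%s %s %s\n' "$mac" "$vendor" "$flag"
    done
}

# Only the MACs that can actually be Apple hardware: Apple OUI and not
# locally administered.
apple_candidates() {
    probe_report "$1" "$2" | awk '$2 == "Apple" && $3 == "universal" { print $1 }'
}

# --- constructed sample input (NOT the real karma.log format) ---
make_samples() {
    mkdir -p "$1"
    cat > "$1/karma.log" <<'EOF'
Jul 15 10:01:02 probe request from 00:1B:63:4A:9C:01 for ssid "HomeWifi"
Jul 15 10:01:05 probe request from 00:50:56:11:22:33 for ssid "Office"
Jul 15 10:01:09 probe request from 00:1b:63:4a:9c:01 for ssid "Cafe"
Jul 15 10:01:11 probe request from 02:1b:63:de:ad:01 for ssid "Guest"
Jul 15 10:01:14 probe request from 00:11:22:33:44:55 for ssid "Guest"
EOF
    # 00:1b:63 is the Apple OUI quoted in the thread; the other entries are
    # illustrative.  Fill a real table from the IEEE OUI registry.
    cat > "$1/oui.txt" <<'EOF'
00:1b:63 Apple
00:03:93 Apple
00:50:56 VMware
EOF
}

# Stand-alone demo on the constructed data.
d=$(mktemp -d)
make_samples "$d"
probe_report "$d/karma.log" "$d/oui.txt"
echo "Apple candidates:"
apple_candidates "$d/karma.log" "$d/oui.txt"
rm -rf "$d"
```

On real data run it as `probe_report /tmp/karma.log /usb/oui.txt`; the report shows 02:1b:63:de:ad:01 as "unknown locally-administered" even though its last five octets look Apple-like, which is exactly the case a plain prefix grep would misclassify.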
rerant Posted July 15, 2013 (Author)
The probe requests are recorded by Karma and printed to the main page. Thanks. The same information is logged in /tmp/karma.log. I now want the log file to be created on the USB stick. I could create a job (over the browser screen) to copy it to USB. But isn't there a way to just directly write it to the USB stick?
Sebkinne Posted July 15, 2013
Right now, the best way to do it is by making a soft link.
rerant Posted July 15, 2013 (Author)
The log file is created in the tmp directory, which seems to be deleted at every startup/shutdown(?). If I create the softlink there, it is deleted as well. So I have to create the soft link at every startup, after tmp is deleted and before Karma starts logging. How do I do that?
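One way to recreate the soft link Sebkinne suggests at every boot, as an added example that is not from the thread and not part of the Pineapple firmware: a POSIX sh script that waits until the USB stick is mounted, creates a persistent log file on it, and points /tmp/karma.log at that file before Karma starts. Two assumptions to check against your own unit: the stick is mounted at /usb, and the Pineapple's OpenWrt base runs /etc/rc.local at boot, which is where the script would be called from. If Karma has already written a plain /tmp/karma.log by the time the script runs, that content is appended to the persistent file rather than lost.

```shell
#!/bin/sh
# Added example: make Karma log straight to the USB stick by recreating the
# /tmp/karma.log soft link at every boot.  Not from the thread or the
# Pineapple firmware.  Assumptions: USB stick mounted at /usb (adjust), and
# this script is started from /etc/rc.local (OpenWrt) before Karma starts.

# Wait up to $2 seconds (default 30) for $1 to become a mount point.
wait_for_mount() {
    mnt="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        # /proc/mounts fields: device mountpoint fstype options ...
        if grep -qs " $mnt " /proc/mounts; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# link_karma_log LOGDIR TMPLOG
# Creates LOGDIR/karma.log on persistent storage and replaces TMPLOG with a
# soft link to it.  Anything already written to a plain-file TMPLOG (Karma
# started before us) is appended to the persistent file first, not lost.
link_karma_log() {
    logdir="$1"; tmplog="$2"
    mkdir -p "$logdir" "$(dirname "$tmplog")" || return 1
    [ -e "$logdir/karma.log" ] || : > "$logdir/karma.log"
    if [ -f "$tmplog" ] && [ ! -L "$tmplog" ]; then
        cat "$tmplog" >> "$logdir/karma.log"
        rm -f "$tmplog"
    fi
    ln -sf "$logdir/karma.log" "$tmplog"
}

# Boot-time entry point; guarded so the functions can also be sourced.
if [ "${1:-}" = "--boot" ]; then
    if wait_for_mount /usb; then
        link_karma_log /usb/karma-logs /tmp/karma.log
    else
        echo "karma-log: /usb not mounted, leaving /tmp/karma.log volatile" >&2
        exit 1
    fi
fi
```

Save it on the stick (for example as /usb/karma-log.sh), make it executable, and add `/usb/karma-log.sh --boot &` to /etc/rc.local so the wait for the mount does not hold up the rest of the boot; the soft link then exists before Karma opens its log, and everything Karma writes lands on the USB stick.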