Scan a open Wifi that has Client-side Isolation

[macymoodstwin]

im looking to scan a wifi hotspot that has Client side isolation i've tried nmap --Pn (i think that the correct command from memory ) but nothing i can only see the firewall and the server.

Thanks,

Macy

[macymoodstwin]

I'm looking to scan a wifi hotspot that has Client side isolation i've tried nmap --Pn (i think that the correct command from memory ) but nothing i can only see the firewall and the server.

Thanks,

Macy

[digip]

not that you should be scanning people on a wifi hotspot or network not your own, but try an arp scan. All clients, even ones that deny a ping reply, will show on arp when pinged if on the same subnet. networking 101.

[macymoodstwin]

i was given access by my college admins to try to run some test with man in the middle attacks ( I have full permission), what program would you recommend to use for arp scan ? ( i have a macbook pro running kali in a virtual machine ) so yeah.

thanks for the advice tho.

Macy.

[macymoodstwin]

I think -Pn is arp scan and that didn't work :(.

[digip]

-PN is "do not ping" and assumes the IP is up. manually ping an address you know that refuses a reply, then in a console, check arp. You will see its IP and MAC address (only works on internal network since its a layer 2 function). Also, nmap has the ability to do an arp sweep. read the help file. AS for MITM, use a tool designed for that...

[i8igmac]

Nmap -PR 192.168.1.*

Arp sweep

[newbi3]

depending on how the client isolation is happening you might have to do some vlan hopping

[digininja]

In nmap -Pn means to assume the machine is up.

Client isolation means that the AP won't send traffic out to the clients so two clients can't talk to each other, doesn't matter what nmap parameters you use, the AP won't forward the traffic so you can't scan it directly.

There are tools which can use monitor mode to craft packets so you can send traffic directly to other clients and then sniff their responses. The AP will drop both sets of messages but as you can see the traffic in the air you can read it. This won't work with WPA based networks as each client has their own temporal key which you wouldn't know so couldn't encrypt traffic to the client or decrypt their responses.

[macymoodstwin]

So I tryed : sudo nmap -Pn 10.10.67.1/255

but all I got back was :

Starting Nmap 6.47

Illegal netmask in "10.10.67.1/255" Assuming /32 (one host)

Nmap done: 1 IP address (0 hosts up) scanned in 0.58 seconds

I'm trying to scan every ip on the network im not sure im doing it correctly that why im getting this error I think.

Macy.

[cooper]

The number after the slash is the amount of bits in your IP, counting from the left, that must remain the same.

So /32 means the full IP. /8 means only the first number stays the same, /16 the first 2 numbers, /24 all but the last number. Use what applies to your network.

Edited January 14, 2015 by Cooper

[digip]

Or, nmap 192.168.1.* as pointed out by @i8igmac, wildcards will work too.

Just gonna throw this out there too ;)

Nmap 6.00 ( http://nmap.org )

Usage: nmap [scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

-iL <inputfilename>: Input from list of hosts/networks

-iR <num hosts>: Choose random targets

--exclude <host1[,host2][,host3],...>: Exclude hosts/networks

--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

-sL: List Scan - simply list targets to scan

-sn: Ping Scan - disable port scan

-Pn: Treat all hosts as online -- skip host discovery

-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

-PO[protocol list]: IP Protocol Ping

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

--dns-servers <serv1[,serv2],...>: Specify custom DNS servers

--system-dns: Use OS's DNS resolver

--traceroute: Trace hop path to each host

SCAN TECHNIQUES:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sU: UDP Scan

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sI <zombie host[:probeport]>: Idle scan

-sY/sZ: SCTP INIT/COOKIE-ECHO scans

-sO: IP protocol scan

-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

-p <port ranges>: Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

-F: Fast mode - Scan fewer ports than the default scan

-r: Scan ports consecutively - don't randomize

--top-ports <number>: Scan <number> most common ports

--port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:

-sC: equivalent to --script=default

--script=<Lua scripts>: <Lua scripts> is a comma separated list of

directories, script-files or script-categories

--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

--script-args-file=filename: provide NSE script args in a file

--script-trace: Show all data sent and received

--script-updatedb: Update the script database.

--script-help=<Lua scripts>: Show help about scripts.

<Lua scripts> is a comma separted list of script-files or

script-categories.

OS DETECTION:

-O: Enable OS detection

--osscan-limit: Limit OS detection to promising targets

--osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

Options which take <time> are in seconds, or append 'ms' (milliseconds),

's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

-T<0-5>: Set timing template (higher is faster)

--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes

--min-parallelism/max-parallelism <numprobes>: Probe parallelization

--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies

probe round trip time.

--max-retries <tries>: Caps number of port scan probe retransmissions.

--host-timeout <time>: Give up on target after this long

--scan-delay/--max-scan-delay <time>: Adjust delay between probes

--min-rate <number>: Send packets no slower than <number> per second

--max-rate <number>: Send packets no faster than <number> per second

FIREWALL/IDS EVASION AND SPOOFING:

-f; --mtu <val>: fragment packets (optionally w/given MTU)

-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

-S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

-g/--source-port <portnum>: Use given port number

--data-length <num>: Append random data to sent packets

--ip-options <options>: Send packets with specified ip options

--ttl <val>: Set IP time-to-live field

--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

--badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,

and Grepable format, respectively, to the given filename.

-oA <basename>: Output in the three major formats at once

-v: Increase verbosity level (use -vv or more for greater effect)

-d: Increase debugging level (use -dd or more for greater effect)

--reason: Display the reason a port is in a particular state

--open: Only show open (or possibly open) ports

--packet-trace: Show all packets sent and received

--iflist: Print host interfaces and routes (for debugging)

--log-errors: Log errors/warnings to the normal-format output file

--append-output: Append to rather than clobber specified output files

--resume <filename>: Resume an aborted scan

--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

--webxml: Reference stylesheet from Nmap.Org for more portable XML

--no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:

-6: Enable IPv6 scanning

-A: Enable OS detection, version detection, script scanning, and traceroute

--datadir <dirname>: Specify custom Nmap data file location

--send-eth/--send-ip: Send using raw ethernet frames or IP packets

--privileged: Assume that the user is fully privileged

--unprivileged: Assume the user lacks raw socket privileges

-V: Print version number

-h: Print this help summary page.

EXAMPLES:

nmap -v -A scanme.nmap.org

nmap -v -sn 192.168.0.0/16 10.0.0.0/8

nmap -v -iR 10000 -Pn -p 80

Edited January 14, 2015 by digip

[digininja]

I'll try to explain again, with client isolation you can't send ANY traffic to the other clients on the Wifi network, doesn't matter what nmap options you give, the packets will reach the AP and it will see that they are for other clients and it will drop them in some way, either with rejects or silent drops.

You can't do this using a standard network set up, you have to resort to wifi monitor mode and spoofing packets to send then listening to responses. This won't work on WPA, will work on unencrypted and should theoretically work on WEP but that would depend if the tools have been written to do it.

[digip]

I'll try to explain again, with client isolation you can't send ANY traffic to the other clients on the Wifi network, doesn't matter what nmap options you give, the packets will reach the AP and it will see that they are for other clients and it will drop them in some way, either with rejects or silent drops.

You can't do this using a standard network set up, you have to resort to wifi monitor mode and spoofing packets to send then listening to responses. This won't work on WPA, will work on unencrypted and should theoretically work on WEP but that would depend if the tools have been written to do it.

I've got client isolation on at one location, and while nmap does not return anything, I can force a response with manual pings and checking the arp table on my machine. WPA2, AP Isolation on using a Cisco e2000. My Asus will drop everything though, but I don't think all routers work with AP isolation exactly the same, or at least, the e2000, is not. Manages to ignore nmap, but not manual workstation pings, even though they don't respond, I get their MAC address and IP with an arp -a. Anything you suggest I should look into to enforce full dropping everything?

edit: I do probably need to login and check if it needs a firmware update **

Edited January 14, 2015 by digip

[digininja]

I guess it all depends on the individual implementation and what they do decide to drop or allow through but when done properly then all should be dropped.

Can you check if it is the client that is responding or the AP, they may be doing something funky and having the AP respond on behalf of the client.

[digip]

After some messing around, bit of a rant, but for your original question, my nic sends the broadcast, and the gateway is responding with the "Who has x.x.x.x? Tell x.x.x.x" in wireshark. - You can stop reading here..lol

However, I am getting results I wasn't expecting depending on how I generate and capture the data in wireshark via nmap vs a regular ping from windows. Still trying to figure out whats going on, but AP isolation appears to be broken so I will need to probabpy reset/flash/update the router and turn AP isolation back on. That said, I am not getting anything from nmap other than myself when scanning the subnet. Thought it was maybe the AP isolation until I tested with native ping in windows. Um, yeah. Weird.

I notice with nmap, results vary depending on what I try scanning with, but nmap will only find myself with an "-sn" against the whole subnet. It doesn't show anything in wireshark with the following:

example:

nmap -PR 192.168.1.*

Starting Nmap 6.00 ( http://nmap.org ) at 2015-01-14 19:03 Atlantic Standard Time

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

Nmap done: 1 IP address (0 hosts up) scanned in 0.61 seconds

nmap -sn 192.168.1.* shows only me in a reply, with no ICMP(obviously since its coming from me i guess but the gateway is doing the sending of info) with the source of the data the gateway sending it back to me.

Wireshark filter set to " icmp || arp " shows nothing from nmap against the lan for any other nodes though no matter what tests I try with it. Maybe I'm missing something, but I should be seeing some kind of data in wireshark for the LAN generated by nmap regardless of it they reply, I would think. When I do it against external sites and addresses like my own domains, everything shows just fine in wireshark and with normal results in the console via nmap scans. Its almost like nmap is not doing anything locally other than the -sn. No clue really what is happening, since wireshark isn't generating anything with no filters.

- Now - if I send a ping from my workstation to a node I know to be up on the LAN, I get the reply and the arp in wireshark, with the router not blocking it, even though AP isolation is on. Even to an address I know doesn't exist, I at least get an arp broadcast in wireshark from my nic asking for who has it. I think AP isolation on the cisco router, is not working at all though at this point, in addition to nmap not properly scanning my the LAN for some reason, which is skewing my results and frustrating to say the least.

I can log all of the up nodes with the following from a cmd window (does not work in a BAT file but when pasted in a windows console shows results in text files afterwards)

FOR /L %s in (1,1,255) do ping -n 1 -w 10 192.168.1.%s | arp -a > arp.txt | FIND /N "static" ./arp.txt >> upstatic.txt | FIND /N "dynamic" ./arp.txt >> updynamic.txt

I think windows in general may be doing something different in how it sends the data, which in the case of nmap, for whatever reason, I can't see any of the traffic on the local lan from it in wireshark other than the "-sn" showing only myself(although in VM's, works as expected against other VM's in same subnet and to host machine, etc). To external websites, shows fine, but no layer 2 stuff happening or IP data I guess because of the AP isolation somehow stopping something? That sounds fundamentally wrong, even to me saying it. Maybe my nmap isn't working locally on my box for some reason in how I have my box locked down. Don't know. Firewall down and up, same results too. Not sure why built in ping is showing me data that nmap isn't generating locally on the subnet, but against external networks with nmap, works fine. I've no clue at the moment why its working like this. Gah...

[i8igmac]

could you try arpspoof 192.168.1.1 ? Or maybe knowing a clients ipaddress could you arpspoof 192.168.1.100?

I would also check other options ettercap offers with -M

Edited January 15, 2015 by i8igmac

[digip]

I can't from my machine, mainly because I have static entries via netsh for my routers and I keep the firewall up unless testing(which could probably get cain to work if I drop the firewall and such), but from a VM, I can MITM other nodes on the home network on the wireless side, but generally just locks up the wired ones after a few minutes.