Cripter Posted October 22, 2015

Are there any available scripts, tool kits or modules for the Pineapple which would allow me to only passively capture probe frames from iOS9 and other wifi enabled smartphones via the temporary setup of soft APs?

My requirement is to upload a list of wifi networks such as 'Starbucks' or 'Virgin123' to create soft APs for the iOS devices (and any other device) to connect to and respond with their real MAC address. Once the real MAC addresses have been captured, I need to drop the connection and not re-establish with the device for the duration of its time in range. The final output (csv/pcap) should contain both the uncovered real MAC addresses and the bunch of random addresses.
vailixi Posted October 24, 2015

I'm not sure about the configurations on iOS. I know with Linux you can set a certain MAC address for each WiFi connection. I'm assuming iOS is similar. As far as getting the BSSID, ESSID, cipher, encryption, channel: airodump -w and then grep out the station MAC addresses. So you would have the client MACs but not necessarily the actual MAC addresses, as the MAC spoofing happens client side.

Are you trying to catch someone hacking from Starbucks and other free wifis with a cell phone? Good luck.
Cripter (Author) Posted October 24, 2015

iOS 9 has now fully implemented MAC randomization for probe request frames. The iDevices also no longer show SSIDs in the probe frames so it is passively scanning for broadcasts from APs within range. This explains why my reports are now displaying dozens of MAC addresses which do not resolve to any known vendor in my OUI database.

The aim is to identify the real MAC address of the iDevice utilizing MAC randomization via comparison from multiple captures. I want to automate the process of creating soft APs based on a list of commonly connected APs such as Starbucks in the hope that the device of interest has previously connected to at least one of these.

I know I can load my soft AP ESSID list into a tool such as airbase-ng but I need something much more automated which will let the device automatically connect to the softAP (if the device is configured to) to reveal its true MAC address, disconnect right after and then not allow re-connection whilst capturing into a pcap/csv. On occasions where I also have the key to a previously connected WPA2 AP I need the functionality to add that to the setup. I can then compare data from multiple captures in multiple locations to identify the device of interest.
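Added example, not written by any poster in this thread: the bit check that explains why randomized probe addresses fail an OUI lookup, applied to the station table of an airodump-ng CSV. The sample capture, its MAC addresses and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample in the CSV layout airodump-ng writes: an AP table,
# a blank line, then a station table. Every value here is made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-10-24 10:00:00, 2015-10-24 10:05:00, 6, 54, OPN, , , -40, 120, 0, 0. 0. 0. 0, 9, Starbucks,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DA:A1:19:0B:3C:7E, 2015-10-24 10:01:00, 2015-10-24 10:01:02, -60, 3, (not associated),
92:3F:5D:10:2A:C4, 2015-10-24 10:02:10, 2015-10-24 10:02:11, -62, 2, (not associated),
00:11:22:33:44:66, 2015-10-24 10:03:00, 2015-10-24 10:04:30, -48, 57, 00:11:22:33:44:55, Starbucks
"""


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Such addresses are not drawn from a vendor's OUI block, which is why
    randomized probe addresses do not resolve in an OUI database.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def station_macs(text):
    """Yield the MAC of each row in the station table, skipping the AP table."""
    in_stations = False
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not cells or not cells[0]:
            continue  # blank separator lines
        if cells[0] == "Station MAC":
            in_stations = True  # header row of the second table
            continue
        if in_stations and len(cells) >= 6:
            yield cells[0].upper()


def split_stations(text):
    """Return (locally_administered, globally_assigned) station MAC lists."""
    local, universal = [], []
    for mac in station_macs(text):
        (local if is_locally_administered(mac) else universal).append(mac)
    return local, universal


if __name__ == "__main__":
    local, universal = split_stations(SAMPLE_CSV)
    print("locally administered (no OUI to look up):", local)
    print("globally assigned (OUI lookup applies):", universal)
```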
cutllas Posted February 1, 2016

> iOS 9 has now fully implemented MAC randomization for probe request frames. The iDevices also no longer show SSIDs in the probe frames so it is passively scanning for broadcasts from APs within range. This explains why my reports are now displaying dozens of MAC addresses which do not resolve to any known vendor in my OUI database. The aim is to identify the real MAC address of the iDevice utilizing MAC randomization via comparison from multiple captures. I want to automate the process of creating soft APs based on a list of commonly connected APs such as Starbucks in the hope that the device of interest has previously connected to at least one of these. I know I can load my soft AP ESSID list into a tool such as airbase-ng but I need something much more automated which will let the device automatically connect to the softAP (if the device is configured to) to reveal its true MAC address, disconnect right after and then not allow re-connection whilst capturing into a pcap/csv. On occasions where I also have the key to a previously connected WPA2 AP I need the functionality to add that to the setup. I can then compare data from multiple captures in multiple locations to identify the device of interest

It is a very interesting idea and theoretically it seems to be possible. Since the real MAC is only known when the iDevice is connected to an access point, I think there is no other way. Apart from SSIDs like Starbucks, what other info on that list do you wanna get uploaded to the SoftAP? What about security information? Have you implemented it yet? Have you got any results that you can share here?