Question: Expected probe behavior for "Known Secure WiFi" on clients


Brett Ferrell

So, I can't seem to find any clear references anywhere that describe the intended/expected behavior, but this is what I'm seeing.

  • When doing recon, my Nano captures any SSID being broadcast by an AP within range
  • When doing recon, my Nano captures any Open WiFi networks that my client devices (iPhone, iPad, etc.) recall and are looking for
  • When doing recon, my Nano DOES NOT capture any Secure (WPA/WPA2) networks that my client devices recall and are looking for

Basically, I was asked to do a demo where the Pineapple captured all of the home WiFi network SSIDs of my coworkers, and then rebroadcast them to demonstrate their vulnerability. My Nano dutifully captured the Starbucks, airport, and hotel open SSIDs from these devices, but none of their password-protected home networks. Is this expected?

Brett


I can't speak for Recon itself. But I know for a fact that when I'm running PineAP I pick up and re-broadcast WPA/WPA2 SSIDs.

Also called probe requests. And I believe you can add probes to the SSID pool.

Edited by UnLo

@UnLo Thanks for the response, but to double check. Recon captures the Access Points, PineAP captures the Clients. I see/capture access point SSIDs that are WPA/WPA2 in Recon, and I see/capture SSIDs from clients where there was no password (Open and captive portal) required to connect in PineAP... I actually don't know if you can tell from PineAP what encryption standard a network is using... but I get _No Client SSIDs where there is a required PSK/password_, from a phone or computer. If this is what you're saying your Nano can and does do, then either mine is broken or I have a bad configuration and would love any pointers.

I have a colleague that believes his Tetra can do this, but he could not show his Nano doing it either, and he was a bit perplexed and wondered if he was misremembering what he had seen his Tetra do.


Apologies, but there is still room for ambiguity there, and although I think I know what you mean I want to be clear.

I get LOTS of known networks in PineAP, but I get exactly ZERO that require a pre-shared key or password; they are all OPEN networks.

I think you're saying that shouldn't be the case, but I can't find any setting to change the behavior I'm getting.


Yes I am saying that should NOT be the case. My two test environments are home and work. Both have multiple known secured networks. While running PineAP daemon at both sites I am discovering and rebroadcasting multiple secured networks. 


Don't think the probe request from the clients includes whether the AP it's looking for is encrypted or not.

Isn't the encryption type included in the probe response?

Edited by biob

Am I right in thinking that you're trying to record the probe requests from the client devices (phones, tablets etc.)?

If that is the case and they aren't associated and the AP isn't present, I don't see how you would be able to see what encryption they are using!

I could be totally wrong, and if that is the case I apologise.

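The two points made above, that a probe request does not say whether the network the client wants is encrypted, and that a passive listener only learns the security type from a beacon or probe response, follow from the 802.11 management frame layout. The following is an added example, not code from this thread or from the Pineapple: it constructs a few management frames (all MAC addresses, frames and the RSN element are constructed; the SSIDs are the ones named in the thread) and parses them. A directed probe request carries only the SSID the client is asking for, a wildcard probe request (zero-length SSID) carries not even that, while a beacon carries the capability Privacy bit and the RSN information element from which WPA2 can be recognised. This is the frame-level reason a client-side SSID pool can never tell you the encryption of a remembered network.

```python
"""Classify 802.11 management frames by the security information they carry.
Added example with constructed frames, not captured traffic."""
import struct

SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
IE_SSID, IE_SUPPORTED_RATES, IE_RSN = 0, 1, 48
CAP_PRIVACY = 0x0010            # capability field bit 4 ("Privacy")
BROADCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_ie(eid, payload):
    """One tagged parameter: element id, length, value."""
    return bytes([eid, len(payload)]) + payload


def build_mgmt_frame(subtype, src, dst, bssid, body):
    """24-byte management header: frame control, duration, addr1=DA, addr2=SA, addr3=BSSID, seq."""
    fc = struct.pack("<H", subtype << 4)       # protocol version 0, type 0 (management)
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def parse_ies(data):
    """Walk the tagged-parameter list into {element id: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def classify(frame):
    """Return what a passive listener learns from a single management frame."""
    fc, = struct.unpack("<H", frame[:2])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    src, body = frame[10:16], frame[24:]
    if subtype == SUBTYPE_PROBE_REQ:
        # Probe request body is just IEs: the SSID being sought, rates, and so on.
        # There is no capability field and no RSN element, so security is unknowable here.
        ssid = parse_ies(body).get(IE_SSID, b"")
        return {"kind": "probe-request", "src": mac_str(src),
                "ssid": ssid.decode("utf-8", "replace") or "<wildcard>",
                "security": "unknown"}
    if subtype in (SUBTYPE_PROBE_RESP, SUBTYPE_BEACON):
        # Beacon/probe response body: timestamp(8), beacon interval(2), capability(2), then IEs.
        _ts, _interval, cap = struct.unpack("<QHH", body[:12])
        ies = parse_ies(body[12:])
        if IE_RSN in ies:
            security = "RSN (WPA2/WPA3)"
        elif cap & CAP_PRIVACY:
            security = "privacy bit set, no RSN IE (WEP or WPA1 vendor IE)"
        else:
            security = "open"
        return {"kind": "beacon" if subtype == SUBTYPE_BEACON else "probe-response",
                "src": mac_str(src),
                "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
                "security": security}
    return {"kind": f"mgmt-subtype-{subtype}", "src": mac_str(src), "ssid": "", "security": "unknown"}


# Constructed sample traffic (not captured). 0x0a first octet = locally administered,
# i.e. a randomized client address.
RANDOM_CLIENT = bytes.fromhex("0a1b2c3d4e5f")
AP_MAC = bytes.fromhex("001122334455")
RATES = build_ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
# Minimal RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0.
RSN_WPA2_PSK = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

SAMPLE_FRAMES = [
    # directed probe request for a remembered network: SSID only
    build_mgmt_frame(SUBTYPE_PROBE_REQ, RANDOM_CLIENT, BROADCAST, BROADCAST,
                     build_ie(IE_SSID, b"C0nnect") + RATES),
    # wildcard probe request: zero-length SSID, reveals nothing about known networks
    build_mgmt_frame(SUBTYPE_PROBE_REQ, RANDOM_CLIENT, BROADCAST, BROADCAST,
                     build_ie(IE_SSID, b"") + RATES),
    # beacon from a WPA2-PSK AP: ESS + Privacy capability bits and an RSN element
    build_mgmt_frame(SUBTYPE_BEACON, AP_MAC, BROADCAST, AP_MAC,
                     struct.pack("<QHH", 0, 100, 0x0011) + build_ie(IE_SSID, b"Ferrell")
                     + RATES + build_ie(IE_RSN, RSN_WPA2_PSK)),
    # beacon from an open AP: ESS bit only, no RSN element
    build_mgmt_frame(SUBTYPE_BEACON, AP_MAC, BROADCAST, AP_MAC,
                     struct.pack("<QHH", 0, 100, 0x0001) + build_ie(IE_SSID, b"Starbucks") + RATES),
]


def audit(frames):
    return [classify(f) for f in frames]


if __name__ == "__main__":
    for row in audit(SAMPLE_FRAMES):
        print(f"{row['kind']:15} {row['src']}  ssid={row['ssid']!r:14} security={row['security']}")
```

Run it and the two probe requests come back with security "unknown" (the second with no SSID at all), while the beacons resolve to WPA2 and open respectively. A real capture would be fed into `classify` from a monitor-mode interface, but the frame structure is the same.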

Right, I'm trying to find known WiFi that the client devices are beaconing for, and correct, I don't know what encryption they're using, but what I'm seeing is that I can capture the beacons for Open WiFi that my devices have connected to (I know what those are) and that I don't get the secured/preshared key WiFi that they know (again, for my devices I know what it should be finding).

As an example, when I'm home, the Nano picks up my secure WiFi "Ferrell" SSID because it sees the Access Point, but it doesn't capture my "C0nnect" work WiFi that my phone remembers and is (presumably) beaconing. And I see the opposite behavior at work: the Nano finds the "C0nnect" SSID because of the AP, but not "Ferrell". It finds "Hilton", "Marriot", "Airport", and "Starbucks" from my client devices' beacons but no PSK SSIDs. I thought it should, but I can't for the life of me make it do it.


And these are not the only known WiFi (with PSK passwords) that it's not finding from my phone/clients; my in-laws' "UD-Flyers" and friends' "Fruitger", none of these are discovered, yet when I come within range I connect automatically. iOS must not be beaconing these for some reason (and indeed I don't see them in the PineAP log), but it's not clear why this is, and why some folks like @UnLo are seeing them (well, to be fair, he didn't say he saw it from an iOS device, so it could be his/her result was from a computer).

It just seems strange that it is finding the open ones, and in fact, my phone then connects to the open network that it "recalls" on the Pineapple.


What happens if you tell the iPhone to forget the network it's associated with? Does it start probing for the other networks?

Sorry, I'm still learning about WiFi myself.

Edited by biob

Yes, the iPhone randomizes its MAC before it connects, but I can see these probes (on the known OPEN WiFi that only my phone could be sending, because of the SSID). It is not connected to my work WiFi as that is not allowed, so it does IN FACT connect to one of the OPEN WiFi SSIDs that the Nano is broadcasting, so for Open networks, everything is working as I would expect. As for "beacons", I should have said probes.

Summary: I can see the randomized probes for known open WiFi networks that my iPhone sends (because of the network SSID I know it's my phone), and my phone does connect to the Nano on one of these OPEN networks that the Pineapple captures and rebroadcasts. However, I never see probes for secure networks (that I know my iPhone knows) in the PineAP log, and so these are never captured into the SSID pool, nor rebroadcast by the Nano. Is it possible that iOS is configured to not do this? As I say, my colleague thinks his Tetra has captured these in the past and was going to try to confirm.
