Brett Ferrell Posted November 2, 2017
So, I can't seem to find any clear references anywhere that describe the intended/expected behavior, but this is what I'm seeing.
When doing recon, my Nano captures any SSID being broadcast by an AP within range.
When doing recon, my Nano captures any open WiFi networks that my client devices (iPhone, iPad, etc.) recall and are looking for.
When doing recon, my Nano DOES NOT capture any secure (WPA/WPA2) networks that my client devices recall and are looking for.
Basically, I was asked to do a demo where the Pineapple captured all of the home WiFi network SSIDs of my coworkers, and then rebroadcast them to demonstrate their vulnerability. My Nano dutifully captured the Starbucks, airport, and hotel open SSIDs from these devices, but none of their password-protected home networks. Is this expected?
Brett
UnLo Posted November 2, 2017 (edited)
I can't speak for Recon itself. But I know for a fact that when I'm running PineAP I pick up and re-broadcast WPA/WPA2 SSIDs. Also called probe requests. And I believe you can add probes to the SSID pool.
Edited November 2, 2017 by UnLo
Brett Ferrell (Author) Posted November 2, 2017
@UnLo Thanks for the response, but to double check: Recon captures the access points, PineAP captures the clients. I see/capture access point SSIDs that are WPA/WPA2 in Recon, and I see/capture SSIDs from clients where there was no password (open and captive portal) required to connect in PineAP... I actually don't know that you can tell from PineAP what encryption standard a network is using... but I get _no client SSIDs where there is a required PSK/password_, from a phone or computer. If this is what you're saying your Nano can and does do, then either mine is broken or I have a bad configuration, and I would love any pointers. I have a colleague who believes his Tetra can do this, but he could not show his Nano doing it either, and he was a bit perplexed and wondered if he was misremembering what he had seen his Tetra do.
UnLo Posted November 2, 2017
Unfortunately I'm not near my Nano to confirm (had to leave it home to focus on real work), but I'm quite positive. With a BLANK SSID pool, using ONLY PineAP, I am picking up and re-broadcasting KNOWN WPA/WPA2 networks.
Brett Ferrell (Author) Posted November 2, 2017
Apologies, but there is still room for ambiguity there, and although I think I know what you mean I want to be clear. I get LOTS of known networks in PineAP, but exactly ZERO that require a pre-shared key or password; they are all OPEN networks. I think you're saying that shouldn't be the case, but I can't find any setting to change the behavior I'm getting.
UnLo Posted November 2, 2017
Yes, I am saying that should NOT be the case. My two test environments are home and work. Both have multiple known secured networks. While running the PineAP daemon at both sites I am discovering and rebroadcasting multiple secured networks.
biob Posted November 2, 2017 (edited)
Don't think the probe request from the clients includes whether the AP it's looking for is encrypted or not. Isn't the encryption type included in the probe response?
Edited November 2, 2017 by biob
biob Posted November 2, 2017
Am I right in thinking that you're trying to record the probe requests from the client devices (phones, tablets etc.)? If that is the case and they aren't associated and the AP isn't present, I don't see how you would be able to see what encryption they are using! I could be totally wrong, and if that is the case I apologise.
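biob's point in the two posts above, that a probe request names the SSID but carries nothing about encryption while a beacon or probe response carries the Privacy capability bit and the RSN element, can be checked by decoding the frames. The decoder below is an added example written for this thread; it is not code from any of the posters, from PineAP, or from Hak5. Every frame and MAC address in it is constructed by hand (no captures), the helper names are assumptions, and it reads only the fields that the 802.11 management frame format defines.

```python
"""
Minimal 802.11 management-frame decoder: shows which security information
a probe request carries (none) versus a beacon / probe response.
All frames below are constructed for this example, not captured.
"""
import struct

MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
TAG_SSID = 0          # element id 0: SSID
TAG_RATES = 1         # element id 1: supported rates
TAG_DS = 3            # element id 3: DS parameter set (channel)
TAG_RSN = 48          # element id 48: RSN (WPA2/WPA3 security parameters)
CAP_ESS = 0x0001      # capability bit: infrastructure BSS
CAP_PRIVACY = 0x0010  # capability bit: data frames are encrypted

# Constructed addresses: a locally administered client MAC and two fake BSSIDs.
CLIENT_MAC = bytes.fromhex("021122334455")
AP_HOME = bytes.fromhex("001122aabbcc")
AP_CAFE = bytes.fromhex("001122ddeeff")

# Minimal RSN body: version 1, group CCMP, one pairwise CCMP, one AKM PSK, no caps.
RSN_WPA2_PSK = (b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
                + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00")


def tag(tag_id, value):
    """Encode one tagged parameter (information element)."""
    return bytes([tag_id, len(value)]) + value


def mgmt_header(subtype, sa, da=b"\xff" * 6, bssid=b"\xff" * 6):
    """24-byte management header: frame control, duration, addr1..3, sequence control."""
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"


def build_probe_request(client_mac, ssid):
    # Body is only tagged parameters: SSID and rates. No capability field, no RSN.
    body = tag(TAG_SSID, ssid.encode()) + tag(TAG_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
    return mgmt_header(4, client_mac) + body


def build_beacon(bssid, ssid, channel, rsn=None):
    cap = CAP_ESS | (CAP_PRIVACY if rsn else 0)
    fixed = struct.pack("<QHH", 0, 100, cap)  # timestamp, beacon interval (TU), capability
    body = (tag(TAG_SSID, ssid.encode()) + tag(TAG_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
            + tag(TAG_DS, bytes([channel])))
    if rsn:
        body += tag(TAG_RSN, rsn)
    return mgmt_header(8, bssid, bssid=bssid) + fixed + body


def parse_tags(body):
    """Walk the tagged-parameter list; first occurrence of each element id wins."""
    tags = {}
    i = 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated element: stop rather than misparse
        tags.setdefault(tag_id, value)
        i += 2 + length
    return tags


def parse_mgmt_frame(frame):
    """Return type, source MAC, SSID and (where the frame defines it) the security type."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte management header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        raise ValueError("not a probe request, probe response or beacon")
    kind = MGMT_SUBTYPES[subtype]
    result = {"type": kind, "source": ":".join(f"{b:02x}" for b in frame[10:16])}
    body = frame[24:]
    if kind == "probe-request":
        tags = parse_tags(body)
        result["ssid"] = tags.get(TAG_SSID, b"").decode("utf-8", "replace")
        result["security"] = None  # the frame format has no field for it
        return result
    if len(body) < 12:
        raise ValueError("beacon/probe response body too short for fixed fields")
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    tags = parse_tags(body[12:])
    result["ssid"] = tags.get(TAG_SSID, b"").decode("utf-8", "replace")
    if TAG_RSN in tags:
        result["security"] = "WPA2/WPA3 (RSN element present)"
    elif cap & CAP_PRIVACY:
        result["security"] = "encrypted, no RSN element (WEP or WPA1 vendor element)"
    else:
        result["security"] = "open"
    return result


# Constructed sample traffic: a client probing for two remembered SSIDs, plus the
# beacons of one WPA2-PSK network and one open network.
SAMPLE_FRAMES = [
    build_probe_request(CLIENT_MAC, "Ferrell"),
    build_probe_request(CLIENT_MAC, "Starbucks"),
    build_beacon(AP_HOME, "Ferrell", 6, RSN_WPA2_PSK),
    build_beacon(AP_CAFE, "Starbucks", 11),
]


def summarize(frames):
    return [parse_mgmt_frame(f) for f in frames]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_FRAMES):
        print(entry)
```

Both probe requests decode to the same shape regardless of how the real network is secured: an SSID and a source MAC, with `security` left at `None` because the frame format has no field for it. Only the beacons (and probe responses, which share the fixed fields) expose the Privacy bit and the RSN element. That is why an SSID pool built from client probes cannot be sorted by encryption type; whether a given client chooses to probe for a given remembered network at all is a separate, client-side decision that this decoder cannot observe.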
Brett Ferrell (Author) Posted November 2, 2017
Right, I'm trying to find known WiFi that the client devices are beaconing for, and correct, I don't know what encryption they're using, but what I'm seeing is that I can capture the beacons for open WiFi that my devices have connected to (I know what those are) and that I don't get the secured/pre-shared key WiFi that they know (again, for my devices I know what it should be finding). As an example, when I'm home, the Nano picks up my secure WiFi "Ferrell" SSID because it sees the access point, but it doesn't capture my "C0nnect" work WiFi that my phone remembers, and is (presumably) beaconing. And I see the opposite behavior at work: the Nano finds the "C0nnect" SSID because of the AP, but not "Ferrell". It finds "Hilton", "Marriot", "Airport", and "Starbucks" from my client devices' beacons but no PSK SSIDs. I thought it should, but I can't for the life of me make it do it.
Brett Ferrell (Author) Posted November 2, 2017
And these are not the only known WiFi networks (with PSK passwords) that it's not finding from my phone/clients: my in-laws' "UD-Flyers" and friends' "Fruitger". None of these are discovered, yet when I come within range I connect automatically. iOS must not be beaconing these for some reason (and indeed I don't see them in the PineAP log), but it's not clear why this is, and why some folks like @UnLo are seeing them (well, to be fair, he didn't say he saw it from an iOS device, so it could be his/her result was from a computer). It just seems strange that it is finding the open ones, and in fact, my phone then connects to the open network that it "recalls" on the Pineapple.
biob Posted November 2, 2017
A beacon is a management frame from the AP. I'm unsure and would have to test, but if the client is associated with an AP would it still be sending out probe requests for other APs?
biob Posted November 2, 2017
Don't Apple devices randomise their MAC addresses when not associated with an AP?
biob Posted November 2, 2017 (edited)
What happens if you tell the iPhone to forget the network it's associated with? Does it start probing for the other networks? Sorry, I'm still learning about WiFi myself.
Edited November 2, 2017 by biob
brettferrell Posted November 3, 2017
Yes, the iPhone randomizes its MAC before it connects, but I can see these probes (on the known OPEN WiFi that only my phone could be sending, because of the SSID). It is not connected to my work WiFi as that is not allowed, so it does IN FACT connect to one of the OPEN WiFi SSIDs that the Nano is broadcasting, so for open networks, everything is working as I would expect. As far as beacons, I should have said probes. Summary: I can see the randomized probes for known open WiFi networks that my iPhone sends; because of the network SSID I know it's my phone, and my phone does connect to the Nano on one of these OPEN networks that the Pineapple captures and rebroadcasts. However, I never see probes for secure networks (that I know my iPhone knows) in the PineAP log, and so these are never captured into the SSID pool, nor rebroadcast by the Nano. Is it possible that iOS is configured to not do this? As I say, my colleague thinks his Tetra has captured these in the past and was going to try to confirm.