Wifi signal - user tracking

[fatalflaw]

I know there are systems out there where you setup sensors inside the building and walk the perimeter and afterwards it can triangulate locations of rogue users and other devices but I'm looking for something simpler, and preferrably open source.

I know that accuracy will be way down for what I'm asking but I'd like just a simple system that would run on XP, allow me to select a user on the wireless network or the router itself, hit track, and by walking around looking at the signal strength in relation to that one specific device I selected, I can do my own triangulation to help pin the loc down.

On the plus side my Orinoco gold card (frigen hard to find lately) supports passive rfmon so thats a bonus.

Any help would be appreciated. Also any opensource wifi security programs that can silently run in the background monitering traffic and if it sees anything suspecious, like all of a sudden a ton of packet floods coming my way from a connection that it knows without a doubt isnt what I'm initiating, that it'll set off an alarm. I've seen programs like this and the wifi tracker out there before but for the life of me I cannot find them, google is disappointing me, and I'm getting desperate.

If you made it this far, thank you for putting up with the long ass read,

Thanks in advance for any help!

Fatal Flaw

[melodic]

so basically you want to track people by there wifi card?

can this even be done :S

[fatalflaw]

Thats the thing, I'm sure I've seen a program that can do this running just from the laptop but I can't find it anymore. And I dont assume to be a professional, I know a little of alot, but lets just say my road of knowledge has pot holes lol. I'm thinking that if you and your attacker are on the same network, and you can ping him, by sending him an ack request when it responds given a within a set time span that it must be your target your trying to track and by measuring the signal that particular ack request got sent from and its strength you can track it to a fixed location.

Again, not sure, but its just a theory.

[calking]

it could be done. If you use auditor (or more recently, bactrack) you could use the GPS support built-in and track the physical location the wlan card i think. I know that you can track the location of the AP and maybe that goes for the client end because in Kismet if you pull up a certain listing for a specific AP it will list all the clients and I think you'll be able to track the GPS movements of the client wifi cards (granted you have a GPS solution).

anywhoo, it's just a theory seeing I haven't touched my Auditor CD in months.

[fatalflaw]

From what I've heard and understand it has something to do with the RADIUS protocol or tech (tired, cant think of the appropiate word) to measure signal strength and distance or at the very least strength. If it can atleast do that by focusing on a certain packet stream like a wifi packet sniffer with a filter does, by walking around and watching the signal strength get weaker or stronger you can find the person yourself with a little bit of legwork.

The reason why I ask is last time I was at a Barnes & Noble bookstore I was reading and doing some surfing while sippin on some starbucks (yum) and my alarm starts going off because I start getting flooded with name requests for workgroup and authentification requests from an actual user on that wifi network. I was pissed and I want the ability to find any ****er that does this just to walk up to him, tell him "You wanted in my laptop so bad, so here it is" and smash it over his head and kick his ass till the cops come and haul me off to jail. OOooor, fantasies aside, just to tell him to stop it, that you know he's the one, and just to see the look on his face *shudders* niiice :)

Anyways yeah, RADIUS.. I think.

[rFayjW98ciLoNQLDZmFRKD]

If you set up three laptops with WIfi, and if you can each get them to tell you how far away the signal is, you could easly track them.

[fatalflaw]

But if there is a program that can act as a stand alone measuring tool, you can walk around a given area where you suspect the person is or even the entire parking lot if your desperate enough and track the signal that way by just watching the strength rise and fall instead of having to setup triangulation stations.

Like if someone hides in a parking lot , I walk to the 4 corners of the parking lot to establish a perimeter. Then I divide the parking lot to 4 quadrents and walk through the middle of each quadrent, the quadrent with the highest signal strength is the area your target in, and you keep dividing in on it until your standing ontop of the asshat trying to get into your system and wail on his ass.

Manual triangulation. or rather would that be quadulation? O.o

[calking]

Yeah I just realized GPS is sorta limited indoors. But it's worth a shot. But again Kismet's GPSdrive acts like a radar in most cases so that would probably be the most efficient method seeing Auditor/Backtrack is free and you can find a cheap Linux compatible card and GPS unit.

[stingwray]

You could just walk around with Netstumbler running or something and when the signal gets weaker you are going in the wrong direction and if it gets stronger then you are getting warmer.

Unless you want to just look on your server or something from your desk and it tells you.

I suppose you could have a map with were your AP is and then if you know the signal strength and have a key that tells you how far away they are then you would have a pretty good idea of where they are.

[fatalflaw]

You could just walk around with Netstumbler running or something and when the signal gets weaker you are going in the wrong direction and if it gets stronger then you are getting warmer.

Unless you want to just look on your server or something from your desk and it tells you.

I suppose you could have a map with were your AP is and then if you know the signal strength and have a key that tells you how far away they are then you would have a pretty good idea of where they are.

Well I thought about Netstumbler but the problem with that is it can only track access points OR cards in Adhoc mode acting as an AP. It cant track individual users on a particular wireless network. And nah, not from a desk or a server, I'm talking on my laptop, I planned on carrying it around with me and use it to hone in on the guy who's trying to break into my laptop so I can wail on him.

[stingwray]

Well if he is trying to break in then he probably hasn't got a connection then so I don't know what to suggest.

If you can get his MAC address then you can probably work out who makes he adaptor but I don't know what use that would be.

I don't think you can do what you want with a wireless set up. You could try and get or build a directional wireless sensor that picks up signals at 2.4GHz then track him, that way if he is using his adaptor then you should pick him up. Long shot though of working.

[fatalflaw]

Well if he is trying to break in then he probably hasn't got a connection then so I don't know what to suggest.

I wasn't saying he had a connection with me :) We were both using the same access point at a book store Barnes & Noble, going through the same router, hence, on the same network. With a packet sniffer running while on the same network as the person via that wireless router in the store, the packet sniffer can hone in on an IP address and such. It is my hope that by being able to select that particular IP that is attacking you through that wireless network and sending the attacker a bunch of ICMP packets the tracker program I want can time the responses based on how long it takes it to respond by combining the timed pings with a frequency strength meter.

Basically here is what I'm thinking. First, we are on the same network connected together through a common router. I plug in the attackers network IP address into the tracker program. The program sends out a ping to that IP address. Based on reply time of wifi network type whether it be a/b/g it can measure the "likely" time it would take to hear the replyl cross over the air from it's target. In that time window it measures the signal strength of the burst from any wireless card that responds within that time frame. It keeps repeating the process while I walk around and try to make the signal strength get higher.

Like I said it's just a theory, it may not even be possible, but as of yet I see no reason it can't be possible.

[stingwray]

I don't think Ping packets will be able to do much, the time it takes also won't be effected much by the signal quality anyway I don't think.

If it does work then you would also have to take into account your position and signal quality. Too much like hardwork if you ask me.

[VaKo]

Just have a slowly rotating directional antena with a very narrow range? That way you should be able to get a vauge directional fix. If you have 2-3 of them in known locations you can then trianglulate the signal.. Thats the direction covered but distance might be a problem.

[Faith +1]

you can check out wifiscanner.

It looks as if the signal strenght of the node you are trying to find will change as it gets stronger or weaker. Not exactly sure though.

Linux OS. You could try this with a VM session for XP not sure how well it woks that way.

Let us know if you get this working, seems like a good idea to be able to find a user on a wireless network for security reasons, e.g. someone wants to deauth or start running arp poisen attacks.

[fatalflaw]

Will try it out :) Ty for the tip.

But I have just one other lil problem. I have Suse installed on my laptop, I also have live distros of Knoppix STD and Auditor Security Suite but it's giving me hell with my wireless card. Its weird, its a 2wire PCMCIA a/b card that identifies under linux as Orinoco and Hermes and when it tries to load the driver for it on ANY distro it fails to respond (the card) so it skips it.

I really REALLY dont know what the hell is going on.

Anyways the only clue I got is that XP detects it as a 2wire device, no mention of orinoco anywhere, but Linux dosent see it that way.

Now the fun explanation.. When I originally bought the card, I ordered a Orinoco classic gold card cause they are known for being very good in rfmon mode and linux friendly. Instead came the 2wire card with the apparent explanation that 2wire MADE the Orinoco card, similar to VGA or Asus making a "Nvidia" card. You get the picture. Makes me think they did something like flash the cards ident or something but I'm not sure and it confuses me cause it still works under windows. Even Winpcap can use it in monitor mode so I know its "functioning". meh I just don't know what to do. Also on a laptop, I COULD download 2wire drivers, but its impossible to find the right set of linux drivers, even harder to install them on a live distro with no floppy drive, and an even BIGGER killjoy about the horror stories I've heard about having to build the damn "special" driver into the kernel from friends. I know enough about linux to be an above average user but it dosent go beyond that so as far as that kind of advanced recompiling, I'm at a loss so that options out cause last time I did it it was a pain in the ass.

Please, if anyone can help me close this pandoras box so I can frigen FINALLY use Kismet I'd be ever so greatful!

Thanks in advance guys, keep the good info flowin, no one but the best on these forums. :)

[deleted]

I Know this topic is old but i found something i found useful.

I have never heard of Place Lab but they have built a sort of GPS WiFI Tracking program.

It works on Windows XP, Linux, Mac OSX, Pocket PC and Series 60 Phones.

http://www.placelab.org/toolkit/

[Deveant]

this can easly be done by the use of Wifi-fo-fum (spelt wrong i think) its a GPS / WiFi Application for Pocket PC, ive used it a few times on my PDA, and have been able to determin by about 5-10m the wareabouts of a user on a network, about 2-3meters for an access point, and 1-5m for an Ad-hoc user.

[Nakaori]

http://sourceforge.net/projects/magicmap

http://www2.informatik.hu-berlin.de/rok/MagicMap/index.htm

have phun :>

[mubix]

What you might want to check into are Wireless IDSs