SigNet44 Posted March 4, 2023

For example, I have a known AP (SSID, MAC, password, channel, etc.) that's located in one part of town. With only using Kali and wifi adaptors (no Pineapple or Coconut), what would be the best way to detect devices in another part of town that normally connect to the AP?

A couple of thoughts:

1) Maybe use hostapd to create a fake AP that has the same exact setup as the known AP (SSID, MAC, password, channel, etc.) and see if anything connects. I know if I just do an Evil Twin setup and only mimic the SSID and MAC, the devices won't automatically connect, so I *think* hostapd is best? Maybe even have it provide a proper internet connection so it stays connected, to direction find using the Wireshark I/O graph. No intention of doing any MITM here, just find devices by spoofing a known AP, have them connect and be connected long enough to see signal strength.

2) Maybe I don't need to create a fake AP at all to find devices that connect to it. I wonder if I can configure Kismet to alert me when it sees devices probe for the known SSID. I want to be able to see the device long enough to see signal strength though.

3) Any other ideas?

Thanks!
-Sig
dark_pyrro Posted March 4, 2023

Maybe you can interact with the user that posted the thread linked below. You seem to have pretty much exactly the same scenario...
SigNet44 (Author) Posted March 4, 2023

It looks sort of related. I'm on the physical security team at my work. We have a public location and a few non-public sites whose locations are confidential. The employees use their personal devices to access the wifi at the public location, but I'm assuming their devices could be a huge security issue if they are sending out probes for the public location wifi. The project I've been tasked with is to show how easy it could be for someone to spoof the public location wifi and, if they were to get close to the other off-site locations, show all the employee devices that connect to it, thus exposing the location of the off-site. The objective is to use the results to implement policies to mitigate this risk.

UPDATE: I tried using hostapd, but I cannot spoof the MAC address. I can spoof the SSID and password, but not the MAC. I'm not sure if I'm approaching this wrong.
dark_pyrro Posted March 4, 2023

I think that you rather easily can assume that the risk is likely to be valid without any need of proof that it's possible to do it in a practical use case. Difficult to say anything about hostapd and spoofed MAC without knowing what you have tried this far (if it's needed at all, why spoof the MAC address?).
SigNet44 (Author) Posted March 4, 2023

I'm assuming that spoofing the MAC of the known AP at the public location would trick the devices to automatically connect to my AP, right? Wouldn't their devices need to ensure that the MAC, SSID and password be the same in order to automatically connect?
dark_pyrro Posted March 4, 2023

MAC address shouldn't be mandatory in such a scenario.
SigNet44 (Author) Posted March 5, 2023

I got it to work. Perhaps I did it in a more compacted way, but it seems to work.

My setup:
1) Kali running on a VM using host laptop internet on eth0 (host laptop on mobile hotspot)
2) wlan0 is running as an AP (hotspot, using "Linux Wifi Hotspot")
3) wlan1mon is monitoring the AP and stations that connect.

Then I use Wireshark to look at the live I/O Graph chart to see signal strength of devices connected to the AP (signal strength between the device and the AP).

I installed Linux Wifi Hotspot (https://github.com/lakinduakash/linux-wifi-hotspot) and it does almost everything for me! I can spoof the SSID, MAC, password, channel, etc., and then it goes live and allows any connections to use the internet on eth0. Then I run airodump-ng and only watch the BSSID of the hotspot. I also have Wireshark up filtering only inbound connections to the hotspot's spoofed MAC. Then I drive around with an omnidirectional antenna attached to the hotspot wifi adapter. Once I'm close enough to a device that trusts the AP I'm spoofing and connects, airodump and Wireshark light up like a Christmas tree. Then I switch out the omnidirectional antenna for a panel on the hotspot adapter and can use the signal strength graph to see the power signal between the target device and my hotspot get stronger (pointing at it) or grow weaker.

If there's an easier way to accomplish this without a Pineapple or Coconut (I can't wait until I can buy a Coconut!), please let me know. So far, this works.
0phoi5 Posted March 18, 2023

airmon-ng can give you this information easily. If you have a known WiFi ESSID that the target uses in mind, you can scan for nearby Stations that are calling out to the same ESSID.

https://www.aircrack-ng.org/doku.php?id=airodump-ng

See under 'Usage Tips', the image shows you nearby Station MAC addresses and the Probes they are sending (ESSIDs they are attempting to handshake with):

BSSID              STATION            PWR  Rate   Lost  Packets  Notes  Probes
00:14:6C:7A:41:81  00:0F:B5:32:31:31   51  36-24     2       14
(not associated)   00:14:A4:3F:8D:13   19   0-0      0        4               mossy
00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1  36-36     0        5
00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35  54-54     0       99               teddy

In this case, if you knew the target uses a WiFi access point with the ESSID 'teddy', and it's unique enough, you can surmise that 00:0F:B5:FD:FB:C2 is the target.
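The thread's goal is a policy to mitigate devices that leak the public-location SSID in their probes, and the same airodump-ng data also shows the defender the other half of the risk: a second BSSID advertising that SSID. The script below is an added example, not code from this thread or from the aircrack-ng project. It assumes the CSV layout airodump-ng writes to a `<prefix>-NN.csv` file when run with `-w <prefix>`; the embedded capture is constructed for the example (placeholder MACs and the invented SSID `PublicWifi`), not a real dump. It reports which stations probe for the known SSID (the devices the policy has to cover) and which BSSIDs advertise that SSID without being on the allow-list of the organisation's real APs (what a spoofed copy of the network looks like from the defender's side).

```python
"""Audit an airodump-ng CSV dump for the two things the thread is about.

1. Stations probing for a known SSID: the devices that would auto-join a
   spoofed copy of that network, i.e. the ones a policy needs to cover.
2. Access points advertising that SSID from a BSSID that is not on the
   allow-list of real APs, which is how a spoofed AP shows up to a defender.

Assumed input: the text airodump-ng writes to <prefix>-NN.csv when run with
-w <prefix>. The sample below is constructed for this example; MAC addresses
and names are placeholders, not a real capture.
"""

# Constructed sample in airodump-ng's CSV layout (not a real capture).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2023-03-04 10:00:00, 2023-03-04 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,  10, PublicWifi,
AA:BB:CC:DD:EE:FF, 2023-03-04 10:01:00, 2023-03-04 10:05:00,  6,  54, WPA2, CCMP, PSK, -62,   30,  0,   0.  0.  0.  0,  10, PublicWifi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:01, 2023-03-04 10:02:00, 2023-03-04 10:05:00, -55,   99, (not associated) ,PublicWifi,teddy
02:00:00:00:00:02, 2023-03-04 10:02:00, 2023-03-04 10:05:00, -70,    5, 00:11:22:33:44:55,
02:00:00:00:00:03, 2023-03-04 10:03:00, 2023-03-04 10:04:00, -80,    4, (not associated) ,mossy
"""


def parse_airodump_csv(text):
    """Split the dump into its AP block and station block.

    Returns (aps, stations). Each AP is {"bssid", "essid", "power"}; each
    station is {"mac", "power", "bssid", "probes"}. The station block's last
    column is itself a comma-separated list of probed ESSIDs, so rows are
    parsed by position rather than with the csv module. ESSIDs that contain
    a comma are not handled by this simple parser.
    """
    aps, stations, section = [], [], None
    for line in text.splitlines():
        if line.startswith("BSSID,"):
            section = "ap"          # header of the access-point block
            continue
        if line.startswith("Station MAC,"):
            section = "station"     # header of the station block
            continue
        if not line.strip() or section is None:
            continue
        fields = [f.strip() for f in line.split(",")]
        if section == "ap" and len(fields) >= 14:
            aps.append({"bssid": fields[0], "essid": fields[13], "power": int(fields[8])})
        elif section == "station" and len(fields) >= 6:
            stations.append({
                "mac": fields[0],
                "power": int(fields[3]),
                "bssid": fields[5],
                "probes": [p for p in fields[6:] if p],   # drop the empty trailing field
            })
    return aps, stations


def find_probing_stations(stations, ssid):
    """Stations actively probing for `ssid`, strongest signal first."""
    hits = [(s["mac"], s["power"]) for s in stations if ssid in s["probes"]]
    return sorted(hits, key=lambda h: -h[1])


def find_evil_twins(aps, ssid, allowed_bssids):
    """BSSIDs advertising `ssid` that are not the organisation's own APs."""
    twins = {a["bssid"] for a in aps
             if a["essid"] == ssid and a["bssid"] not in allowed_bssids}
    return sorted(twins)


def audit(text, ssid, allowed_bssids):
    """Full report for one dump: leaking stations plus unexpected BSSIDs."""
    aps, stations = parse_airodump_csv(text)
    return {
        "probing_stations": find_probing_stations(stations, ssid),
        "rogue_bssids": find_evil_twins(aps, ssid, allowed_bssids),
    }


if __name__ == "__main__":
    # Allow-list holds the real AP's BSSID; the second AP in the sample is not on it.
    report = audit(SAMPLE_CSV, "PublicWifi", {"00:11:22:33:44:55"})
    for mac, power in report["probing_stations"]:
        print(f"probing for PublicWifi: {mac} (power {power} dBm)")
    for bssid in report["rogue_bssids"]:
        print(f"unexpected AP advertising PublicWifi: {bssid}")
```

Run against a real dump, the allow-list is the set of BSSIDs of the organisation's own APs for that SSID, and the "probing_stations" list is the inventory the policy work needs: every device on it will try to join any AP that announces the SSID, which is exactly the exposure the thread describes.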