Everyone, thanks for coming back to Wi-Fi Fundamentals with Location and Analytics. This course will help you master the air. Every station has its own unique identifier, the MAC address; its momentary RSSI signal and the time it spends at different locations all add up to a behavior pattern. Yet in the last couple of years vendors such as Apple have started to randomize the MAC address, at least while the station is not associated. Can we do something about it?
You bet. Since the MAC address is randomized, new fingerprinting techniques were developed to identify stations. One of them uses the information elements found in a probe request. In Wireshark, information elements are called tagged parameters. They reveal the station's capabilities: supported data rates, vendor-specific information, supported modulation and more. Let's see it in Wireshark.
Let's look at my Apple device as it broadcasts a probe request towards my gateway. The first thing to note is the radiotap header. The radiotap header is not part of the probe request itself; it carries the physical-layer attributes that the capture driver records for my wireless card and hands to Wireshark: the channel frequency, the channel type, the RSSI signal and the noise level. Continuing down, in the sequence control field we can see the sequence number, information we will need later on, and then the tagged parameters, the information elements that reveal the supported rates, the extended supported rates, whether it is an HT-capable device (yes, it is) and vendor-specific information.
So we have a lot of information in the probe request, exposed as the tagged parameters of the frame. Different tags, such as the HT (high throughput) capabilities, carry plenty of detail that varies from one device to another and can be used as an identifier: stations with identical information elements in their probe requests can be grouped into clusters. From the different attributes in the information elements we can build a signature for a device based on its SSID, sequence number and HT capabilities, but there is more. Another technique for recognizing stations is timing: stations broadcast probe requests at different intervals, and the observed timing between probe-request bursts can be used for tracking. Stations can also be recognized by the probes themselves: each probe carries a sequence number that is increased by one with every probe request.
Following that sequence number can help us track the same device. We can even link the sequence numbers of the authentication and association frames to the probe-request sequence number: the counter keeps increasing as the station moves from probing to the associated state. Another way to recognize stations is by SSID: a known SSID is published in a directed probe request. A directed probe request, I remind you, is a probe request for a network the station has joined in the past, and that too can be used as an identifier. Now let's look at an SSID as it shows up in a probe request.
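As an added example, not code from the course, here is a small Python parser that takes the technique above and makes it concrete: it builds a few probe requests (constructed for the example, with illustrative capability bytes and randomized source MACs), extracts the tagged parameters and the 12-bit sequence number, clusters frames by a fingerprint made of the element order plus every element except the SSID, and then chains frames whose sequence numbers keep increasing within a window, so that three different randomized MACs are attributed to one station. The fingerprint definition, the `max_gap` window of 64 and the element payloads are assumptions of this example, not values from the page.

```python
"""Added example (not from the course): fingerprint 802.11 probe requests by
their tagged parameters and link frames across randomized MAC addresses by
sequence number. All frames below are constructed for the example."""
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6

# Element IDs from IEEE 802.11 (the "tag numbers" Wireshark shows).
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1
TAG_HT_CAPABILITIES = 45
TAG_EXT_SUPPORTED_RATES = 50
TAG_VENDOR_SPECIFIC = 221


def build_probe_request(src_mac, seq_num, ssid, ies):
    """Build a minimal probe request: management frame (type 0), subtype 4.
    `ies` is an ordered list of (tag, value); the SSID element is emitted first,
    as stations do (empty SSID = broadcast probe, named SSID = directed probe)."""
    header = struct.pack("<HH", 0x0040, 0)            # frame control, duration
    header += BROADCAST                                # addr1: receiver
    header += bytes.fromhex(src_mac.replace(":", ""))  # addr2: transmitter
    header += BROADCAST                                # addr3: BSSID
    # Sequence control: fragment number in the low 4 bits, 12-bit sequence
    # number in the upper bits, little-endian.
    header += struct.pack("<H", (seq_num & 0x0FFF) << 4)
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    for tag, value in ies:
        body += bytes([tag, len(value)]) + value
    return header + body


def parse_probe_request(frame):
    """Return source MAC, sequence number and the ordered list of (tag, value)."""
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FC != 0x0040:                          # type/subtype bits only
        raise ValueError("not a probe request")
    src = ":".join(f"{b:02x}" for b in frame[10:16])
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    ies, pos = [], 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((tag, bytes(value)))
        pos += 2 + length
    return {"src": src, "seq": seq_ctrl >> 4, "ies": ies}


def fingerprint(parsed):
    """Signature from the tagged parameters, excluding the SSID value so that a
    broadcast and a directed probe from the same station still match: the order
    of tag ids plus the raw bytes of every other element."""
    order = tuple(tag for tag, _ in parsed["ies"])
    values = tuple(v for tag, v in parsed["ies"] if tag != TAG_SSID)
    return (order, values)


def is_locally_administered(mac):
    """Randomized MACs set the locally-administered bit of the first octet."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def track_stations(frames, max_gap=64):
    """Group frames by fingerprint; within a group, chain frames whose sequence
    numbers keep increasing by at most `max_gap` (mod 4096, the counter width),
    regardless of the source MAC. Returns one track per inferred station."""
    tracks, open_tracks = [], defaultdict(list)
    for frame in frames:
        p = parse_probe_request(frame)
        fp = fingerprint(p)
        ssid = next((v.decode(errors="replace") for t, v in p["ies"] if t == TAG_SSID), "")
        track = None
        for candidate in open_tracks[fp]:
            gap = (p["seq"] - candidate["seqs"][-1]) % 4096
            if 0 < gap <= max_gap:
                track = candidate
                break
        if track is None:
            track = {"macs": [], "seqs": [], "ssids": [], "randomized": True}
            open_tracks[fp].append(track)
            tracks.append(track)
        if p["src"] not in track["macs"]:
            track["macs"].append(p["src"])
        track["randomized"] = track["randomized"] and is_locally_administered(p["src"])
        track["seqs"].append(p["seq"])
        if ssid and ssid not in track["ssids"]:
            track["ssids"].append(ssid)
    return tracks


# Constructed capability sets for two stations; the bytes are illustrative and
# not copied from any real device (HT Capabilities is 26 bytes on the wire).
IES_A = [(TAG_SUPPORTED_RATES, b"\x02\x04\x0b\x16"),
         (TAG_EXT_SUPPORTED_RATES, b"\x0c\x12\x18\x24\x30\x48\x60\x6c"),
         (TAG_HT_CAPABILITIES, b"\x2d\x01\x17\xff\xff\x00\x00" + b"\x00" * 19),
         (TAG_VENDOR_SPECIFIC, b"\x00\x17\xf2\x0a\x00\x01\x04")]  # constructed payload
IES_B = [(TAG_SUPPORTED_RATES, b"\x82\x84\x8b\x96\x0c\x12\x18\x24"),
         (TAG_EXT_SUPPORTED_RATES, b"\x30\x48\x60\x6c")]

SAMPLE_FRAMES = [                                      # constructed capture
    build_probe_request("da:a1:19:00:00:01", 100, "", IES_A),          # random MAC
    build_probe_request("00:11:22:33:44:55", 2000, "", IES_B),
    build_probe_request("da:a1:19:00:00:02", 101, "", IES_A),          # MAC changed
    build_probe_request("00:11:22:33:44:55", 2001, "HomeNet", IES_B),  # directed probe
    build_probe_request("da:a1:19:00:00:03", 103, "", IES_A),          # changed again
]

if __name__ == "__main__":
    for i, t in enumerate(track_stations(SAMPLE_FRAMES)):
        print(f"station {i}: macs={t['macs']} seqs={t['seqs']} "
              f"ssids={t['ssids']} randomized={t['randomized']}")
```

Run it and the three randomized addresses collapse into one station with sequence numbers 100, 101, 103, while the second station keeps its global MAC and leaks the SSID "HomeNet" in its directed probe. On real captures the sequence gap and the choice of which elements enter the fingerprint need tuning per vendor, since some stations reorder or drop elements between bursts.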
In the Linux tool named airodump-ng. I'm using a Kali Linux machine on my MacBook; you would probably want to use VirtualBox as well. Kali and other Linux distributions let us use different tools to capture and sniff the air. One of them is airmon-ng, which comes pre-installed in Kali. The first thing to do is to check whether my machine recognizes my wireless card. Yep, it does.
It's an 802.11b/g/n card. It has a transmission power of 20 dBm and its mode is Managed. Now we need to put it into monitor mode so it can passively sniff the air on different channels. To do so, I will use airmon-ng and tell it to turn my wireless interface, wlan0, into a monitor-mode interface. And yep, it turned it into monitor mode. Now let's open airodump-ng, another tool in the aircrack-ng suite, and tell it to sniff the air using our new monitor-mode interface.
The outcome should be a list similar to this one. Many smartphones today no longer reveal SSIDs in their probe requests, that is, they send no directed probe requests. One technique to overcome this, for educational purposes only, is to run a hotspot with the SSID of a well-known brand, one your smartphone has probably associated with before. The moment the smartphone arrives in the area it will associate immediately and reveal its global MAC address. One caveat: recent iOS and Android versions can also randomize the MAC address per network when associating, so the address revealed may itself be a per-SSID random one. Our last technique uses RTS and CTS. These two control frames, which handle various situations, mostly the hidden-node case, are useful only if you want to look for a specific device whose global MAC address you already know.
When you send an RTS to that device, it will reveal itself by responding with a CTS frame. Next, a case study. See you soon.