Skip to main content

Wardriving OSINT & SE

 Disclaimer: do NOT use this information to be a jerk. Don’t try to get the location of my examples, or you’re a big meanie.

There's already a post out there about tracking people with wifi. It's helpful for those who use a hotspot or maybe a vehicle hotspot. I believe a personal device that broadcasts Bluetooth is more likely than a hotspot. 


What wardriving can’t do = track people via Bluetooth devices

Or shouldn’t be able to work. Most modern Bluetooth devices use MAC randomization, which changes the MAC address of the Bluetooth device at random. Even if you can track a device it may only be short-term, as it’ll change again. But sometimes they don't turn over to a randomized MAC. Do what you will with that.

If you want to see how easy it is to make a random MAC go here.

But what if you only need a short-term answer? Better start stumblin’.

Let’s forget the purpose of needing that MAC address long-term. With all MAC addresses, OUI can tell you what the device hardware should be. Should – because MAC address spoofing allows for the OUI to be spoofed. You can use this tool from Wireshark to lookup an OUI. Although this list has a lot of devices, it is not complete. There are wardrivers who collect OUIs so maybe you could help contribute too.

Looking for a vulnerable device for future exploitation

With the OUIs/name we can hopefully identify devices for reconnaissance. There’s one that caught my eye.

Next, let’s see if exploit DB has any results for this model of device: this is a 2017 vuln, so maybe it’ll work.

and maybe this will be an opportunity for the HPP based on a previous exploit


What else can we find that could be vulnerable? I targeted the previous device knowing printers don’t have the best security. What other devices are around?

Default creds: There’s a TON of xfinity router modem combos around. That’s low-hanging fruit, and can be susceptible to many wireless attacks. You do not need a special exploit for these, but there are some specific vulns look for, but remember the default creds are “admin” and “password” unless your ISP is Frontier, then it’s "admin" "admin", and AT&T default passwords are random. If you’re using the XFSET for Xfinity, it's “XFSET” and “become” as the password (thank wisair for that one). The sticker on the AT&T modem with the password, which you can’t access. AT&T uses a common word like sand and bucket to make passwords like this sandbucket2358 all lowercase, no special characters. There’s a wordlist out for these passwords, so keep a lookout.

I digressed, but you get the idea. Hover outside the building and try to find the weakest devices you can. Some suggest targeting IoT devices as these constrained devices don’t have a lot of security built in.

Social Engineering Spice

So now we have vulnerable devices and some other unusual networks. Let’s say we’re outside an office building, and you need to find a reason in. Now that you know some of office equipment, here is a social engineering gag to pull:

 “Hi, I’m here to fix your 9020 printer” go to the printer, find the ink or toner shake it. They don’t know what the model is, but if they check or know, you’ll be right. Taking printers/copiers apart is meant to be easy to not damage the device and make repairs. You’ll look like you’re servicing it if you aren’t afraid to get some toner on your hands. If you want to take it a step further, bring a makeup brush and clear off their cartridges/toner heads and print a blank sheet before doing a test sheet. Always looks a little better, and you’ve done a small favor while you’ve dropped a bash bunny or two around the office. Look at YouTube for a video if you need it.

·        Do not send deauth packets and then going into a building claiming to fix the internet.

There's our printer, what are the other two devices? The Shield is a settop box, so it's not a personal device. The Shield is broadcasting two different signals so both are going to be ruled out. What's the D&B speaker? Is it personal or not? Giving it a google, you wouldn't know it's a tiny rubber duck speaker. There's not an exact science. The best thing to do is to survey your target more than once to understand what's permanent and what's not.  

Device Names

Sometimes name dropping helps. How can we figure out the name of someone in the building? Their device of course. I would recommend naming your devices someone else's name (thanks hackerdad, stole your idea). 

Answer time - I do know that the name of this device matches its owner's name. Not everyone is hackerdad trying to troll, so 

People Count

Personal devices are ubiquitous; almost everyone has one. Let’s count the number of possible people behind a building’s walls. I wouldn’t recommend just doing this from your phone, use Kismet or another platform on a laptop to make it easier to count. If you need to be stealthy, use a smaller device.

This method is helpful if you need to figure out who / how many people are in the room next to you.

Tip: turn off scanning for other network types if you can to only view Bluetooth. Vice versa for only wifi.

As you can see, none of these devices are known via there OUIs. No surprise. We have a device count, but not a people count. Let’s see what we can do. To get a better idea, move away from your starting position to a few meters in either direction. I walked from one end of the building toward the middle of the perimeter.

I recommend doing this in a car, or just walking outside unsuspiciously. You can figure it out.
Obviously, we’ve got more devices, and we don’t know what they are. What now?
How’s the signal? You can see the signal strength on the left. Here – we’re going to make a lot of assumptions. 

Assumptions. This is where it’s a lot easier if you can copy and paste these MACs easily into something else, not WiGLE’s app. Personal smart devices like smart watches and headphones are better to count than desktops, TVs, and other non-personal devices.

 Let’s assume that there are not two devices right on top of each other. Any distance even a foot could change the -db signal. Also, we want to remove anything that is too close with the OUI. That leaves us with 4 devices at -98db and a couple at -96db. There are 9 unique signal strengths. Wait for the device list to update and move around, count again. I averaged anywhere from 8 unique signals to 11. I'm guessing there are 6-9 people in range.

Next, take into context where you’re scanning. This is outside of a residential building, so it’s likely there’s more than one device per person. In a school, mass gathering, or shopping center, it’s more likely there’s 1 device per person. 1 in 5 Americans have a smart watch, so turn that one into 1.2 devices per person and you’re more accurate. What about headphones? Do we know if they are on? I’m going to count the personal devices and the unique Bluetooth devices. You’ll be the best judge of the adoption of these devices. For me, I assume there’s 1.5 devices per person, and that makes it easy on the math.

See a lot of personal devices? You’ve got employees inside. Come back after hours when the business is closed to a baseline of what’s always at the scene. You’ll remove things like conference room TVs or printers, and be left with unique devices during the day. Think of it like a site survey, but for people.

 For me - I try to B&E when there's no one around.

Wrap up these tools should help with your recon. I hope this helps!

ps who the heck names their wifi:





Popular posts from this blog

How to Wardrive: Know where to go

Inspired by others, and my goal of getting a golden WiGLE badge, I went wardriving for my birthday. I was hoping for 50k, and I ended up with just over 61k. I'm less than 80k away from my goal! But how do you pick a place to wardrive, and how do you actually do  it? The easiest way is to download WiGLE on an android phone, get some transportation, and be set on your way. But if you want more detail or some tips, keep reading.  Avon Lady Method : Find a city within reasonable distance of travel Examine the results for the past few years of the area; do not use the overall coverage of all time.  Verify if the city is desirable for wardriving Little coverage in the past few years Most residential areas are not covered Use maps to search and define high density residential areas (i.e. apartments, town homes).  Create an order that allows for little overlapping and in a convenient driving pattern. Use landmarks around the city to define the internal roads Wardrive Profit ("internet

Goal Setting: Creating a vision board

 Hey y'all! I know I've missed my 2022 resolution to post once a month on the blog. It's something I think about frequently. I have been pouring my efforts into other areas of my life and haven't set enough time to create content or write blog posts. I've recently been reinvigorated after coming back from GrrCON 2022. Not only was GrrCON so much fun, I presented a pretty good talk: Hey Ma' Where's Malware Come From? It'll have it's own blog post once all the content is ready.  If you want to follow along, make your own vision board for free here .  I have a lot on my plate of tasks I don't attend to; things I want to do and things I need to do. I decided to help me clarify my goals and give myself some good mile markers via a vision board. Here's what the board means to me: (from left to right) Fox: I want to strive to do my best a work and position myself for future career growth and opportunities. I value where I work and want to be a helpf


 I've attempted, with mixed results, to establish a hashtag on Mastodon on Wednesdays for wardriving. Why? Because I feel like it. There are so many awesome people in the wardriving space that could probably do it better, but I'm going to do it instead.  I cannot recall where I heard this general rule of thumb, but I believe it was Dragorn who said " For every adapter you can go about 10mph ". I wonder how true that is, and I wonder more how I would begin to test that theory. This is something I'd like to figure out, and will likely need some assistance.  I also plan on remaking my rigs with raspberry pi alternatives. Right now there is a lot of drama surrounding raspberry pi, but I'm doing it just because of the cost and supply issues. There are many alternatives now, and I'm sure they'll make a few rigs. I'll keep the updates posted under the hashtag on Wednesday. If you're interested in wardriving you should join the RF Sanctuary Discord.