Disclaimer: do NOT use this information to be a jerk. Don’t try to get the location of my examples, or you’re a big meanie.
What wardriving can’t do = track people via Bluetooth devices
Or shouldn’t be able to work. Most modern Bluetooth devices use MAC randomization, which changes the MAC address of the Bluetooth device at random. Even if you can track a device it may only be short-term, as it’ll change again. But sometimes they don't turn over to a randomized MAC. Do what you will with that.
If you want to see how easy it is to make a random MAC go here.
But what if you only need a short-term answer? Better start stumblin’.
Let’s forget the purpose of needing that MAC address long-term. With all MAC addresses, OUI can tell you what the device hardware should be. Should – because MAC address spoofing allows for the OUI to be spoofed. You can use this tool from Wireshark to lookup an OUI. Although this list has a lot of devices, it is not complete. There are wardrivers who collect OUIs so maybe you could help contribute too.
Looking for a vulnerable device for future exploitation
With the OUIs/name we can hopefully identify devices for reconnaissance. There’s one that caught my eye.
Next, let’s see if exploit DB has any results for this model
https://www.exploit-db.com/exploits/42176 this is a 2017 vuln, so maybe it’ll work.
and maybe this will be an opportunity for the HPP based on a previous exploit https://www.exploit-db.com/ghdb/4219
What else can we find that could be vulnerable? I targeted the previous device knowing printers don’t have the best security. What other devices are around?
Default creds: There’s a TON of xfinity router modem combos around. That’s low-hanging fruit, and can be susceptible to many wireless attacks. You do not need a special exploit for these, but there are some specific vulns look for, but remember the default creds are “admin” and “password” unless your ISP is Frontier, then it’s "admin" "admin", and AT&T default passwords are random. If you’re using the XFSET for Xfinity, it's “XFSET” and “become” as the password (thank wisair for that one). The sticker on the AT&T modem with the password, which you can’t access. AT&T uses a common word like sand and bucket to make passwords like this sandbucket2358 all lowercase, no special characters. There’s a wordlist out for these passwords, so keep a lookout.
I digressed, but you get the idea. Hover outside the building and try to find the weakest devices you can. Some suggest targeting IoT devices as these constrained devices don’t have a lot of security built in.
Social Engineering Spice
So now we have vulnerable devices and some other unusual networks. Let’s say we’re outside an office building, and you need to find a reason in. Now that you know some of office equipment, here is a social engineering gag to pull:
Do not send deauth packets and then going into a
building claiming to fix the internet.
There's our printer, what are the other two devices? The Shield is a settop box, so it's not a personal device. The Shield is broadcasting two different signals so both are going to be ruled out. What's the D&B speaker? Is it personal or not? Giving it a google, you wouldn't know it's a tiny rubber duck speaker. There's not an exact science. The best thing to do is to survey your target more than once to understand what's permanent and what's not.
Sometimes name dropping helps. How can we figure out the name of someone in the building? Their device of course. I would recommend naming your devices someone else's name (thanks hackerdad, stole your idea).
Answer time - I do know that the name of this device matches its owner's name. Not everyone is hackerdad trying to troll, so
Personal devices are ubiquitous; almost everyone has one. Let’s count the number of possible people behind a building’s walls. I wouldn’t recommend just doing this from your phone, use Kismet or another platform on a laptop to make it easier to count. If you need to be stealthy, use a smaller device.
This method is helpful if you need to figure out who / how many people are in the room next to you.
Tip: turn off scanning for other network types if you can to only view Bluetooth. Vice versa for only wifi.
As you can see, none of these devices are known via there OUIs. No surprise. We have a device count, but not a people count. Let’s see what we can do. To get a better idea, move away from your starting position to a few meters in either direction. I walked from one end of the building toward the middle of the perimeter.
I recommend doing this in a car, or just walking outside
unsuspiciously. You can figure it out.
Obviously, we’ve got more devices, and we don’t know what they are. What now?
How’s the signal? You can see the signal strength on the left. Here – we’re going to make a lot of assumptions.
Assumptions. This is where it’s a lot easier if you can copy and paste these MACs easily into something else, not WiGLE’s app. Personal smart devices like smart watches and headphones are better to count than desktops, TVs, and other non-personal devices.
Next, take into context where you’re scanning. This is outside of a residential building, so it’s likely there’s more than one device per person. In a school, mass gathering, or shopping center, it’s more likely there’s 1 device per person. 1 in 5 Americans have a smart watch, so turn that one into 1.2 devices per person and you’re more accurate. What about headphones? Do we know if they are on? I’m going to count the personal devices and the unique Bluetooth devices. You’ll be the best judge of the adoption of these devices. For me, I assume there’s 1.5 devices per person, and that makes it easy on the math.
See a lot of personal devices? You’ve got employees inside. Come back after
hours when the business is closed to a baseline of what’s always at the scene.
You’ll remove things like conference room TVs or printers, and be left with
unique devices during the day. Think of it like a site survey, but for people.
Wrap up these tools should help with your recon. I hope this helps!
ps who the heck names their wifi: