Skip to main content

Wardriving OSINT & SE

 Disclaimer: do NOT use this information to be a jerk. Don’t try to get the location of my examples, or you’re a big meanie.

There's already a post out there about tracking people with wifi. It's helpful for those who use a hotspot or maybe a vehicle hotspot. I believe a personal device that broadcasts Bluetooth is more likely than a hotspot. 


What wardriving can’t do = track people via Bluetooth devices

Or shouldn’t be able to work. Most modern Bluetooth devices use MAC randomization, which changes the MAC address of the Bluetooth device at random. Even if you can track a device it may only be short-term, as it’ll change again. But sometimes they don't turn over to a randomized MAC. Do what you will with that.

If you want to see how easy it is to make a random MAC go here.

But what if you only need a short-term answer? Better start stumblin’.

Let’s forget the purpose of needing that MAC address long-term. With all MAC addresses, OUI can tell you what the device hardware should be. Should – because MAC address spoofing allows for the OUI to be spoofed. You can use this tool from Wireshark to lookup an OUI. Although this list has a lot of devices, it is not complete. There are wardrivers who collect OUIs so maybe you could help contribute too.

Looking for a vulnerable device for future exploitation

With the OUIs/name we can hopefully identify devices for reconnaissance. There’s one that caught my eye.

Next, let’s see if exploit DB has any results for this model of device: this is a 2017 vuln, so maybe it’ll work.

and maybe this will be an opportunity for the HPP based on a previous exploit


What else can we find that could be vulnerable? I targeted the previous device knowing printers don’t have the best security. What other devices are around?

Default creds: There’s a TON of xfinity router modem combos around. That’s low-hanging fruit, and can be susceptible to many wireless attacks. You do not need a special exploit for these, but there are some specific vulns look for, but remember the default creds are “admin” and “password” unless your ISP is Frontier, then it’s "admin" "admin", and AT&T default passwords are random. If you’re using the XFSET for Xfinity, it's “XFSET” and “become” as the password (thank wisair for that one). The sticker on the AT&T modem with the password, which you can’t access. AT&T uses a common word like sand and bucket to make passwords like this sandbucket2358 all lowercase, no special characters. There’s a wordlist out for these passwords, so keep a lookout.

I digressed, but you get the idea. Hover outside the building and try to find the weakest devices you can. Some suggest targeting IoT devices as these constrained devices don’t have a lot of security built in.

Social Engineering Spice

So now we have vulnerable devices and some other unusual networks. Let’s say we’re outside an office building, and you need to find a reason in. Now that you know some of office equipment, here is a social engineering gag to pull:

 “Hi, I’m here to fix your 9020 printer” go to the printer, find the ink or toner shake it. They don’t know what the model is, but if they check or know, you’ll be right. Taking printers/copiers apart is meant to be easy to not damage the device and make repairs. You’ll look like you’re servicing it if you aren’t afraid to get some toner on your hands. If you want to take it a step further, bring a makeup brush and clear off their cartridges/toner heads and print a blank sheet before doing a test sheet. Always looks a little better, and you’ve done a small favor while you’ve dropped a bash bunny or two around the office. Look at YouTube for a video if you need it.

·        Do not send deauth packets and then going into a building claiming to fix the internet.

There's our printer, what are the other two devices? The Shield is a settop box, so it's not a personal device. The Shield is broadcasting two different signals so both are going to be ruled out. What's the D&B speaker? Is it personal or not? Giving it a google, you wouldn't know it's a tiny rubber duck speaker. There's not an exact science. The best thing to do is to survey your target more than once to understand what's permanent and what's not.  

Device Names

Sometimes name dropping helps. How can we figure out the name of someone in the building? Their device of course. I would recommend naming your devices someone else's name (thanks hackerdad, stole your idea). 

Answer time - I do know that the name of this device matches its owner's name. Not everyone is hackerdad trying to troll, so 

People Count

Personal devices are ubiquitous; almost everyone has one. Let’s count the number of possible people behind a building’s walls. I wouldn’t recommend just doing this from your phone, use Kismet or another platform on a laptop to make it easier to count. If you need to be stealthy, use a smaller device.

This method is helpful if you need to figure out who / how many people are in the room next to you.

Tip: turn off scanning for other network types if you can to only view Bluetooth. Vice versa for only wifi.

As you can see, none of these devices are known via there OUIs. No surprise. We have a device count, but not a people count. Let’s see what we can do. To get a better idea, move away from your starting position to a few meters in either direction. I walked from one end of the building toward the middle of the perimeter.

I recommend doing this in a car, or just walking outside unsuspiciously. You can figure it out.
Obviously, we’ve got more devices, and we don’t know what they are. What now?
How’s the signal? You can see the signal strength on the left. Here – we’re going to make a lot of assumptions. 

Assumptions. This is where it’s a lot easier if you can copy and paste these MACs easily into something else, not WiGLE’s app. Personal smart devices like smart watches and headphones are better to count than desktops, TVs, and other non-personal devices.

 Let’s assume that there are not two devices right on top of each other. Any distance even a foot could change the -db signal. Also, we want to remove anything that is too close with the OUI. That leaves us with 4 devices at -98db and a couple at -96db. There are 9 unique signal strengths. Wait for the device list to update and move around, count again. I averaged anywhere from 8 unique signals to 11. I'm guessing there are 6-9 people in range.

Next, take into context where you’re scanning. This is outside of a residential building, so it’s likely there’s more than one device per person. In a school, mass gathering, or shopping center, it’s more likely there’s 1 device per person. 1 in 5 Americans have a smart watch, so turn that one into 1.2 devices per person and you’re more accurate. What about headphones? Do we know if they are on? I’m going to count the personal devices and the unique Bluetooth devices. You’ll be the best judge of the adoption of these devices. For me, I assume there’s 1.5 devices per person, and that makes it easy on the math.

See a lot of personal devices? You’ve got employees inside. Come back after hours when the business is closed to a baseline of what’s always at the scene. You’ll remove things like conference room TVs or printers, and be left with unique devices during the day. Think of it like a site survey, but for people.

 For me - I try to B&E when there's no one around.

Wrap up these tools should help with your recon. I hope this helps!

ps who the heck names their wifi:





Popular posts from this blog

The problem with sensing finger magnets

 Okay, I have to make this post quick, but the second part will be way worth the payoff. October 3rd I'm having one of my sensing magnets taken out that I've had for about 5 years; since Nov 2016. It's clearly rejected and when I tried to make the situation better, I made it worse.  In previous posts or tweets, I've mentioned I had a method to re-stimulate the magnet. Do not attempt. It's likely the reason it's now rejected after so many years.  Biohacking comes with a lot of risk, especially if you're afraid of needles and knives, but the benefits outweight the risks. I loved having a strong magnetic sense with both of the magnets. I love the honor I've had to have them all this time. But now it's painful to use my finger and there's a large black bulge where the magnet wants to exit my finger.  Some questions I have before cutting open: 1. How am I going to numb my finger? What method will work? 2. Is the coating or silicone broken? Any risk of

How to Wardrive: Know where to go

Inspired by others, and my goal of getting a golden WiGLE badge, I went wardriving for my birthday. I was hoping for 50k, and I ended up with just over 61k. I'm less than 80k away from my goal! But how do you pick a place to wardrive, and how do you actually do  it? The easiest way is to download WiGLE on an android phone, get some transportation, and be set on your way. But if you want more detail or some tips, keep reading.  Avon Lady Method : Find a city within reasonable distance of travel Examine the results for the past few years of the area; do not use the overall coverage of all time.  Verify if the city is desirable for wardriving Little coverage in the past few years Most residential areas are not covered Use maps to search and define high density residential areas (i.e. apartments, town homes).  Create an order that allows for little overlapping and in a convenient driving pattern. Use landmarks around the city to define the internal roads Wardrive Profit ("internet

My next talk: Come see me at CactusCon 2023!

Your smartphone is your best friend and worst enemy. Are you being listened to? Do you want to listen to someone else? This apps on your phone know more about you than you think, and there are more tools to make you cringe. Yes and no, “they are listening.” The apps are gathering so much information it seems like they are listening. This talk will discuss what privacy concerns you should have with your smartphone and will discuss how you can use your smartphone to do some surveillance of your own.