Catching a Laptop Thief/Wi-Fi Hacker
by Douglas Berdeaux (douglas@weaknetlabs.com)
Years ago, when I first saw the movie Track Down (Takedown), I was impressed.
I thought it was a cool movie and have been bashed several times for such a statement. I even heard Kevin Mitnick once say that the movie "sucked" in an interview on a radio show. But out of all of the cheesy hacker movies, I felt that it had the coolest feel to it. The part in the movie were Shimomora is in the van searching for Mitnick gave me an idea. I could possibly do the same thing with MAC addresses and the Aircrack-ng suite. With a cheap wireless card, a free light-weight coding language, and some patience, I too could be trolling in the back of a van. But again, searching for a MAC address and not a MIN or ESN (yet).
Now, I don't own a van, I don't have friends, and I wouldn't really care if someone cracked my network security. But I would care if, say, I had a laptop stolen from me in a mugging, or from my house when I wasn't home, etc. I could then check the MAC address I wrote down of the internal Wi-Fi card, or on the side of the laptop box, for even better evidence, and search for it! This would, of course, only going to work if the thief weren't smart enough to change the card, leave the state, etc. If you think of this situation with mathematical crime statistics and probability, it's most likely the case.
Windows, and any other OS that has a network manager-like client running, will either be connected to an AP listed in your preferences, or will be probing for APs in your list. Also, it will be actively sniffing for surrounding APs to suggest them to you, as if its life depended on it.
When a client probes for a preference AP, the data sent via Wi-Fi will be visible to anyone in the surrounding area equipped with the proper setup. By this I mean anyone with a card that can be set to "monitor" mode by the user and running Airodump-ng while channel hopping.
I have had a lot of experience with Wi-Fi cards, vendor types, and driver issues in the labs here and have found that almost any card that is detected by a Linux/UNIX flavor OS can be set into "monitor" mode for sniffing. This means that the card has the ability to "sniff" surrounding APs, to list them for you to connect to, but does not always mean it can "inject" fabricated packets. You would want to inject fabricated packets to deauthenticate a user in order to grab a WPA/WPA2 handshake, which would allow you to attempt to crack, with a dictionary file or hash file, the login info using Aircrack-ng or coWPAtty 4.0+.
But in our case, we are simply sniffing, so any old card should do the trick. You can skim forums where they talk about this sort of thing, like wireless security, to find out which cards are best for the job. I would first recommend the Remote-Exploit forums, as they have almost benchmarked every card on the market for their sniffing capabilities! They have a lot of experience with wireless hacking and are first to point out a vulnerability, or code to exploit it.
Once you have a good card, you're ready to start searching for your cracker/laptop thief!
First, boot up into a Live Linux disk like WeakNet Linux Assistant. Then connect to your wired Internet and download the Catchme-ng tarball here: weaknetlabs.com/code/catchme-ng
Now disconnect and save the tarball for future use on a flash drive. Put your wireless cards down and kill network-manager. By typing ifconfig, you can list the cards that you have "turned on." Then ifconfig <cardname> down will turn them off temporarily.
This can also be accomplished by killing network-manager with killall network-manager. Usually that turns off all of the network cards in one fell swoop.
Now we want to set our wireless card to monitor mode and turn it back on.
Type iwconfig to list all of your wireless cards.
Type iwconfig <cardname> mode monitor to set it to monitor mode.
This is where you can determine if your card is capable, with the drivers included in your OS, of going into monitor mode. The OS isn't very embarrassed at this point to cry out! If successful, turn the card back on with ifconfig <cardname> up, and start Airodump-ng with the --write to file option.
Make sure you remember what your current working directory is and where you are saving your files to. I'd suggest changing directories and just saving them in: /tmp
Once started, fire up Catchme-ng and click on the "..." button to find your "dump file" created by Airodump-ng. Then select the MAC address you want to hunt for and click start. If your prey (MAC you're searching for) comes within your wireless card's sniffing range, you will see it. A loud siren sound will play, and a box will pop-up saying "I've found the MAC specified."
Now, simply toss your laptop into your car/bookbag/etc. and walk/drive/bike around your neighborhood with headphones on in search of your machine. If you find the machine, you can now set up nearby and zero in even closer by watching the "PWR" field of Airodump-ng. You can see the "power," or pretty much the range, of the client that is either "probing" for, or connected to, an AP.
And that's all there is to it, really.
Imagine the possibilities of these applications in parallel. Law enforcement can find the MAC address of a stolen laptop. You can pinpoint, with quite good accuracy, who broke into your network by comparing the logs of MAC addresses with your very own addresses and the foreign address being specified as the "prey." You can search for anything with a MAC address. If you aren't sure how to find a MAC address in your logs, you can simply write a shell script to frequently check your LAN for new MAC addresses and dump them to a text file, without creating doubles or overwriting previously seen MAC addresses.
Here is an example of such a LAN-nanny:
$ sudo ettercap -Tpi eth0 // // -k 1.txt -s q && cat 1.txt | awk '{print $2}' >> 2.txt && cat 2.txt | sort -u > MAC_List.txtThis relies on Ettercap to find the MAC addresses on your LAN. This is a good choice because it's fast, and speed counts when you know that some wireless security measures areflawed when it comes to ARP requests.
If we were to use the basic ARP program arp -a, it would take a bit longer.
What the above script actually does, in plain English, is "run Ettercap, use text mode, in non-promiscuous mode (so there's not a bunch of packets flooding the screen), use interface eth0, ARP for all clients on LAN and make text file 1.txt with results, print each line in 1.txt but only the MAC addresses column and append it to 2.txt, print every line in 2.txt sorting out the duplicates and spitting all of the unique MAC addresses into the text file: MAC_List.txt
Now simply make this run every, say, 5 or 10 minutes or so. ARPs can seriously bog downtraffic, of course, so maybe less often would be recommended.
Another application of the program would be to create a game to with your friends to wirelessly search for them!
The program is not biased and you can specify even an ESSID that you once used and have fond memories of.
There are endless possibilities!
Catchme-ng was a Perl script that greps the output file from Airodump-ng repeatedly for a specified MAC Address. It was inspired by the movie Track Down where Tsutomu Shimomora was searching with his computer equipment for Kevin Mitnick (though it was cellular this is based off of 802.11). Say you find a MAC address of a wireless hacker in your router logs and you want to catch him/her. Plug in the MAC and cruise the neighborhood... When catchme-ng finds the MAC it plays an alarm(.mp3)
Catchme-ng 2010 WeakNetLabs.com