3.13.2018

A study in neighbor stalking

Anyone ever notice that security blogs always have stuff you couldn't possibly do where you live? Rural area? Good luck being able to smash WEP on your two neighbors within range. Good luck trying to multiplex someone's cable connection when you have to run into their yard to do it. Etc...

So, while I was quietly minding my own business with airodump running, I came across the name of a neighbor down the street from me. It seems they drove by just slowly enough to catch a single beacon from them and show me their name in the probes section. Now, realistically this could either be the phone name or the name of the network it connects to, but either way someone who has some relation to this individual passed by where I could see this.

Bust out the stronger antenna? Maybe a WiFi Pineapple? YARD Stick? Nah, screw all that, we still want to be able to study things cheap. So my little TP-Link USB adapter I found in a discarded laptop should do nicely (re: check local laws before attempting to acquire parts from the trash). I set the scan to run for a while and write to pcap. While it was running I saw numerous probes from nintendo_3ds (they all constantly probe for each other, mind you), was able to catch all my neighbors' wifi, a few wireless print servers, a couple of open wifi (one with network access), one hidden wifi (looks from scapy like the beacon failed to be received in full), and several weird things from down the street. With enough time monitoring, I could see when this happened.

So, let's see what happens over time? Well first, while that was loading, I wanted to be able to track this myself in real time as well. So I decided scapy would be the ideal route to go. My first attempt was to just print what I knew, such as the ESSID info, the BSSID, etc.

import time
from scapy.all import Dot11, Dot11Beacon, Dot11Elt, sniff

def printing(pkt):
    # beacon frames only: transmitter <--> receiver, first information element (the SSID), capture time
    if pkt.haslayer(Dot11) and pkt.haslayer(Dot11Beacon) and pkt.haslayer(Dot11Elt):
        if pkt.addr2 and pkt.addr1 and pkt[Dot11Elt].info:
            ssid = pkt[Dot11Elt].info.decode(errors="replace")
            print(pkt.addr2 + " <--> " + pkt.addr1 + ": " + ssid + " " + str(time.time()))

sniff(iface="wlan0", prn=printing)


But then, I realized it wasn't catching all of the ones I was seeing with airodump, such as the Nintendo frames or certain phone frames. Dang, back to the drawing board I guess. Well, mostly. Just need to figure out where that data is on those frames. So let's just sniff for a while, then do an if loop to try to see where those Nintendo ones are held (just in the scapy interactive shell, because why not):

>>> a = sniff(iface="wlan0")
>>> for i in a:
...  if i.haslayer(Dot11Elt):
...   if "Nintendo" in str(i[Dot11Elt]):
...    i[Dot11Elt].info
... 
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
'Nintendo_3DS_continuous_scan_000'
From this, I found a weird situation where it wasn't working until I removed the prior requirement for Dot11Beacon (maybe someone can explain why this is? haven't really found it yet). Anyway, so my updated cheap script:
import time
from scapy.all import Dot11, Dot11Elt, sniff

def printing(pkt):
    try:
        # any 802.11 frame carrying an information element (beacons, probe requests, probe responses)
        if pkt.haslayer(Dot11) and pkt.haslayer(Dot11Elt):
            if pkt.addr2 and pkt.addr1 and pkt[Dot11Elt].info:
                ssid = pkt[Dot11Elt].info.decode(errors="replace")
                print(pkt.addr2 + " <--> " + pkt.addr1 + ": " + ssid + " " + str(time.time()))
    except Exception:
        pass  # malformed or truncated frames are skipped

sniff(iface="wlan0", prn=printing)

From this, we can rule out the ones we don't care about with grep -iv, such as: grep -iv "mysupersecretwifi\|netgear\|att\|spectrum". Worth mentioning, yes yes, you need to put the device being used in monitor mode beforehand. If you can't, try making a monitoring interface for it (airmon or similar). For the record, I'm using the time module because I don't really mind slight inaccuracies; change this to use the beacon/pkt times instead if you want better results. Either way, this is sort of just hacked together last minute.
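On the question of why the Dot11Beacon check had to go: a beacon is management frame subtype 8, while the frames the 3DS and the phones send are probe requests, subtype 4. Both carry the network name in the same tagged element (element id 0, the SSID), which is why pkt[Dot11Elt].info reads correctly for either once the beacon filter is removed. The following is an added example, not the author's scapy script: a pure-Python parser over a few constructed 802.11 frames (the MAC addresses, SSIDs and frame contents are made up) that shows what a beacon-only filter returns versus all management frames, and which frame actually reveals a client's network name. It needs no wireless interface, so it is also a way to look at what your own devices would be handing out.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 802.11 management-frame subtypes (frame type 0) that can carry an SSID element
MGMT_SUBTYPES = {4: "ProbeReq", 5: "ProbeResp", 8: "Beacon"}
SSID_IE = 0  # information element id 0 = SSID


@dataclass
class MgmtFrame:
    subtype: str
    addr1: str           # receiver address
    addr2: str           # transmitter address
    ssid: Optional[str]  # None if no SSID element; "" for a wildcard (undirected) probe


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> dict:
    """Walk the tagged parameters (id, length, value) until the body is exhausted."""
    ies = {}
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        value = body[i + 2:i + 2 + ln]
        if len(value) < ln:
            break  # truncated element: stop instead of misreading the tail
        ies.setdefault(eid, value)  # keep the first occurrence, like pkt[Dot11Elt]
        i += 2 + ln
    return ies


def parse_mgmt(frame: bytes) -> Optional[MgmtFrame]:
    """Decode a beacon / probe request / probe response; None for anything else."""
    if len(frame) < 24:  # fixed 802.11 header: FC(2) dur(2) addr1/2/3(18) seq(2)
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        return None
    body = frame[24:]
    if subtype in (5, 8):
        body = body[12:]  # timestamp(8) + interval(2) + capability(2) precede the IEs
    ies = parse_ies(body)
    ssid = ies[SSID_IE].decode("utf-8", errors="replace") if SSID_IE in ies else None
    return MgmtFrame(MGMT_SUBTYPES[subtype], mac_str(frame[4:10]), mac_str(frame[10:16]), ssid)


def ssids_seen(frames: List[bytes],
               subtypes=("Beacon", "ProbeReq", "ProbeResp")) -> List[Tuple[str, str, str]]:
    """(subtype, transmitter, ssid) for every frame that names a network."""
    out = []
    for f in frames:
        p = parse_mgmt(f)
        if p and p.subtype in subtypes and p.ssid:
            out.append((p.subtype, p.addr2, p.ssid))
    return out


# --- constructed sample frames (not a real capture) ---------------------------
def build_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes,
                ssid: bytes, fixed: bytes = b"") -> bytes:
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return header + fixed + bytes([SSID_IE, len(ssid)]) + ssid


BCAST = b"\xff" * 6
AP, PHONE, CONSOLE = (bytes.fromhex(h) for h in ("0200000000aa", "0200000000bb", "0200000000cc"))
BEACON_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capability

SAMPLE_FRAMES = [
    build_frame(8, BCAST, AP, AP, b"ExampleNet", BEACON_FIXED),  # AP beacon
    build_frame(4, BCAST, PHONE, BCAST, b"ExampleNet"),          # directed probe: client names a network
    build_frame(4, BCAST, CONSOLE, BCAST, b""),                  # wildcard probe: no SSID given away
    bytes([0x08, 0x00]) + b"\x00" * 22,                          # data frame: ignored
]

if __name__ == "__main__":
    print("beacons only :", ssids_seen(SAMPLE_FRAMES, ("Beacon",)))
    print("all mgmt     :", ssids_seen(SAMPLE_FRAMES))
```

With the beacon-only filter the client's directed probe disappears from the output; with all three subtypes it shows up, and the wildcard probe still reports nothing because its SSID element is empty. That empty element is what a client that has stopped naming its saved networks looks like on the air.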

___________________________________________________

Now that I have that nonsense out of the way to make this easier to track, we leave this sitting and find some interesting things.

  • One network, we'll say from family x, has a network called x4Ever. Using their last name and a quick search, I found that they live 3 houses to one side of me. I found their peak probe times I collected were between 11am and 4pm with an hour break between 12:30 and 2, then again at 8pm until 10pm. This tells me the network patterns of my neighbors seem consistent with what I would expect from a retiree or, in some cases, teens with min wage jobs. After 3 days monitoring, it seems consistent enough to say this is unlikely to be a teen. A slight bit of homeowner lookup and their family tells me this pattern is largely consistent with public data about them.
    • The neat part about this is that with no interaction with them, and some practical statistics, we can identify trends of our neighbors based on probes they may or may not actually intend to send.
  • Nintendo 3DS, a video game system, will send enough probes to be monitored by distance over time. Use this along with a heatmap (hell, use WiGLE WiFi on a phone) and you'll be able to see movements inside your neighbor's home for whoever is playing these games. Overlay your monitoring with the Google Maps of their home and you're looking at some mighty fine spy work. Do multiple monitors from distances within your own home to allude to exact positioning in their home with less data.
  • A friend of mine is home all day and their family uses their network all day; I just built a stats engine around frequency of probes to see when more people are home and compared that with physically looking outside. The results are remarkable in that I can time when different people enter or leave throughout the week based on the timelines that their devices are used.
    • Went a step further and set up a monitor just for these and found potential work schedules of two different individuals.
  • The original idea came from someone passing by; I monitored when they returned and their schedule appeared to be around 10am leaving and around 4pm arriving home on half the week, then 8am to 2pm the rest of the week. This is consistent with a college schedule.
    • Neat, didn't know they were in college. haha
End results:
After now 2 weeks of study I found (approx and based on assumptions obviously):
- 10 people's work/school schedule
- 3 people's sleep schedule
- 7 game devices that show patterns of movement through the homes nearest me; these indicate that some portions of the home are off limits to kids or adults playing these devices. Based on similar housing styles it would be a safe assumption to say these are closets, the master bedroom, and nearby the fireplace (maybe a TV around here too? but that's really just an arbitrary guess).

Now remember, stalking your neighbors is probably against the law. But passively researching signals your device receives is probably not. Consult a lawyer.
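Every pattern in the list above exists because a device announced a stable transmitter address and, in some cases, the name of a network it was looking for. The practitioner's version of this exercise is to capture your own household's probes and see what they give away. The following is an added example, not part of the original post and not the author's stats engine: it takes probe records that have already been decoded (the record shape, MAC addresses, SSIDs and timestamps here are constructed) and rates each transmitter by two properties that matter for the correlation described in this post: whether it ever names a network (a directed probe), and whether its address has the locally administered bit set, which is how randomized MACs on current phones present themselves. A device that probes with a wildcard SSID from a randomized address gives an observer nothing stable to build a timeline on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ProbeRecord:
    ts: float   # capture time, epoch seconds
    src: str    # transmitter address (802.11 addr2)
    ssid: str   # SSID element contents; "" for a wildcard probe


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set => locally administered address.

    Burned-in vendor MACs have it clear; randomized MACs (iOS/Android
    per-network randomization, many Linux/Windows stacks) have it set.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


@dataclass
class Exposure:
    randomized_mac: bool
    probes: int = 0
    leaked_ssids: Set[str] = field(default_factory=set)

    def rating(self) -> str:
        if self.leaked_ssids:
            return "high"    # names networks: ties the device to a home, workplace, etc.
        if not self.randomized_mac:
            return "medium"  # stable hardware MAC: presence can be correlated across days
        return "low"         # randomized address and wildcard probes only


def audit(records: List[ProbeRecord]) -> Dict[str, Exposure]:
    """Group probes by transmitter and summarize what each one reveals."""
    by_mac: Dict[str, Exposure] = {}
    for r in records:
        e = by_mac.setdefault(r.src, Exposure(is_locally_administered(r.src)))
        e.probes += 1
        if r.ssid:
            e.leaked_ssids.add(r.ssid)
    return by_mac


def report(records: List[ProbeRecord]) -> List[str]:
    lines = []
    for mac, e in sorted(audit(records).items()):
        names = ", ".join(sorted(e.leaked_ssids)) or "(wildcard only)"
        lines.append(f"{mac}  {e.rating():6}  probes={e.probes:<3} "
                     f"randomized={str(e.randomized_mac):5}  ssids={names}")
    return lines


# constructed sample records, modelled on the kinds of frames described in the post
SAMPLE = [
    ProbeRecord(1520900000.0, "00:11:22:33:44:55", "MyHomeNet"),
    ProbeRecord(1520900005.0, "00:11:22:33:44:55", "MyHomeNet"),
    ProbeRecord(1520900010.0, "00:11:22:33:44:55", "CoffeeShopGuest"),
    ProbeRecord(1520900002.0, "00:aa:bb:cc:dd:ee", "Nintendo_3DS_continuous_scan_000"),
    ProbeRecord(1520900003.0, "00:de:ad:be:ef:01", ""),  # vendor MAC, wildcard probes only
    ProbeRecord(1520900004.0, "da:a1:19:00:00:01", ""),  # randomized MAC, wildcard probes only
    ProbeRecord(1520900009.0, "da:a1:19:00:00:01", ""),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The "high" rows are the ones to fix first: forgetting the saved network or turning off auto-join stops the directed probes, and enabling per-network MAC randomization (where the device supports it) moves a "medium" row to "low". The 3DS row stays "high" because its probe string is fixed by the console, which is exactly why it was the easiest device in the post to follow.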

Edit:
The reason I did not include the dataset, or the analysis of the data itself, is because frankly I don't trust the internet having that information. But you can do the same things yourself and save on some stats engine development by just using Excel or Keras.


-Ferasdour
https://keybase.io/ferasdour
https://www.facebook.com/help.ferasdour



2am rant