Category Archives: WNMS

Using WiFi to find Someone?

inmates

How could WiFi Superman use his knowledge of 802.11 technologies to help apprehend the escapees of the Clinton Correctional Facility?  Well first we will need to suspend reality a bit as inmates get very limited access to the Internet and cell phones are strictly forbidden.  But in our little story let’s suppose that the accomplice of this love triangle, “Tillie” Mitchell, gave the escaped convicts her smart phone.

So at the Clinton Correctional Facility there is a BYOD network that Tillie uses for her smart phone.  Let’s say that law enforcement finds out that she gave her phone to the escapees.  There are a couple avenues a crime fighter could take, although a little far-fetched it would be possible.  The first thing that could be investigated is what the MAC address of the wireless card was.

This could be determined in several different ways.  Most of the WiFi manufacturers have client information that will remain in memory for some time, if we knew the hostname of the device we could correlate this.  ClearPass and ISE will have data regarding clients and may allow us to narrow down to a handful of MAC addresses if we only know the make and model of the device.  Once we have a MAC or a few MACs then we can proceed to search for these on the airwaves.

Let say Richard Matt has relatives in Albany and police have a strong suspicion that he is on the lam and hunkered down in Albany.  WiFi Superman could war-fly (akin to war-driving) until he finds the MAC address and try to pinpoint the building where they are hiding.  If Optimum Online was willing to help they could look for the MAC and if they saw it on 3 or more access points we could locate them by triangulation.

Now let’s say we have no idea what the MAC address is.  Another plan of attack could theoretically work.  Clients discover networks in one of two ways: passive or active.   The prison has a specific SSID for its BYOD and we know what it is.  When scanning the client is looking for info on available wireless networks.   In the passive scan the wireless NIC listens for beacons or probe responses.   Beacons will not help us.  They could hurt our effort if an access point happened to be broadcasting the same SSID.

In active scanning the wireless client SSID portion of the probe request is NULL or empty.  This is also of no use to us.  However in an active scan the probe request will request info in one of two manners.  The client will either ask “Is anyone there?” (FF:FF:FF:FF:FF:FF).  The client’s other option is to ask “Are you there Bill?” this request contain specific SSIDs stored in the clients wireless profiles of the clients software (e.g. Wireless Zero Config).  Since we know the SSID from the prison we can snoop for the SSID.  By putting a laptop in promiscuous mode and collecting all packets in an area we suspect the duo to be hiding we can later filter packets to show only probe requests and further filter on the SSID.

And there you have it, if we see the SSID in question we could ascertain is the inmates are in the area.  It is a little far-fetched, but super hero work always is.

Heating up Wifi with Heat Maps

sNetworking_wireless_heat_map

Patrick Hubbard of SolarWinds has written an article called “Wi-Fi heat map: Secret weapon for wireless network admins”.

http://searchnetworking.techtarget.com/tip/Wi-Fi-heat-map-Secret-weapon-for-wireless-network-admins?utm_medium=EM&asrc=EM_ERU_43895949&utm_campaign=20150610_ERU%20Transmission%20for%2006/10/2015%20(UserUniverse:%201571981)_myka-reports@techtarget.com&utm_source=ERU&src=5397546

It is an interesting read and I agree with most of the article.  I will present one warning: heat maps are only as good as the information that has been fed to them.  When loading maps into WNMS systems it is critical to calibrate the floor plan accurately otherwise your coverage will be over or under represented.  Some systems allow you to select polarization of antennas this orientation is also critical for keeping the prediction somewhat accurate.  If you do not add attenuation values for objects like walls, doors, and windows then the heat map is just a general estimation.  Adding attenuation will make the prediction more realistic.

So as valuable as it is to see the estimation of your RF coverage, remember it is not a panacea and only as good as the info it has been fed.