How could WiFi Superman use his knowledge of 802.11 technologies to help apprehend the escapees of the Clinton Correctional Facility? Well, first we will need to suspend reality a bit, since inmates get very limited access to the Internet and cell phones are strictly forbidden. But in our little story let's suppose that the accomplice in this love triangle, "Tillie" Mitchell, gave the escaped convicts her smartphone.
So at the Clinton Correctional Facility there is a BYOD network that Tillie uses for her smartphone. Let's say that law enforcement finds out that she gave her phone to the escapees. There are a couple of avenues a crime fighter could take; a little far-fetched, but possible. The first thing to investigate is the MAC address of the phone's wireless card.
This could be determined in several ways. Most enterprise WiFi controllers and management systems keep client association records (MAC, hostname, username, last AP seen) for some time, so if we knew the hostname of the device we could correlate it to a MAC. ClearPass and ISE also hold data on clients from authentication logs and device profiling, and since the first three bytes of a MAC (the OUI) identify the manufacturer, they may let us narrow the search to a handful of MAC addresses if we only know the make and model of the device. Once we have a MAC, or a few MACs, we can search for them on the airwaves.
Let's say Richard Matt has relatives in Albany and police strongly suspect that he is on the lam and hunkered down there. WiFi Superman could war-fly (akin to war-driving) with a wireless card in monitor mode until he sees the MAC address in the air, and then try to pinpoint the building where they are hiding. If Optimum Online was willing to help, they could look for the MAC on their hotspot network; if three or more of their access points heard it, the signal strength at each one would let us locate the phone by triangulation. The catch is that the phone only shows up this way while its WiFi radio is on and it is probing for or talking to nearby access points.
Now let's say we have no idea what the MAC address is. Another plan of attack could theoretically work. Clients discover networks in one of two ways: passive or active scanning. The prison has a specific SSID for its BYOD network, and we know what it is. When scanning, the client is looking for information on available wireless networks. In a passive scan the wireless NIC transmits nothing and just listens for beacons (and any probe responses it happens to overhear). Beacons will not help us, since they are sent by access points, not by the phone. They could even hurt our effort if an access point in the area happened to be broadcasting the same SSID, so our filtering has to keep beacons and probe requests apart.
In active scanning the client transmits probe requests, and it does so in one of two manners. It can ask "Is anyone there?": a broadcast probe whose SSID element is empty (a wildcard SSID), which any access point in range may answer. This is of no use to us, because it says nothing about which networks the phone knows. Or it can ask "Are you there, Bill?": a directed probe that carries a specific SSID stored in the client's wireless profiles (e.g. the preferred network list in Windows Wireless Zero Configuration). Both kinds of probe are sent to the broadcast address FF:FF:FF:FF:FF:FF; the difference is the SSID element inside the frame. Since we know the SSID from the prison, we can snoop for it. By putting a laptop's wireless card in monitor mode (promiscuous mode is not enough on 802.11; it does not hand you raw management frames) and collecting all frames in an area where we suspect the duo to be hiding, we can later filter the capture down to probe requests and then to those carrying the prison SSID. One caveat: which SSIDs a client will probe for directly depends on its software. Older stacks such as Wireless Zero Configuration probed for every saved network, which is what made this trick (and the Karma attack) work so well, while newer phone OSes largely send directed probes only for networks saved as hidden, and since iOS 8 and Android 8 the source MAC in probe requests from an unassociated phone is randomized, which also complicates the MAC-based search above.
And there you have it: if we see the SSID in question we could ascertain whether the inmates are in the area. It is a little far-fetched, but superhero work always is.
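The filtering step described above, as an added example that is not part of the original post: a small parser for raw 802.11 management frames that pulls the source MAC and SSID out of every probe request and then matches on either the known SSID (this section's approach) or a known MAC (the war-flying approach earlier in the post). The SSID "CCF-BYOD", the MAC addresses and the captured frames are all constructed for the example and are not real values; the frames are assumed to be raw 802.11 with any radiotap header already removed (a helper for that is included).

```python
import struct

# All identifiers below are constructed for this example, not real data.
TARGET_SSID = "CCF-BYOD"           # assumed prison BYOD SSID
TARGET_MAC = "a4:5e:60:11:22:33"   # assumed MAC of Tillie's phone
BROADCAST = "ff:ff:ff:ff:ff:ff"

PROBE_REQ, BEACON = 4, 8           # 802.11 management frame subtypes
SSID_IE = 0                        # information element id for SSID


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def strip_radiotap(frame):
    """Drop a radiotap header (Linux monitor-mode captures, DLT 127):
    u8 version, u8 pad, u16 little-endian length, then the 802.11 frame."""
    it_len = struct.unpack_from("<H", frame, 2)[0]
    return frame[it_len:]


def parse_mgmt(frame):
    """Return (subtype, sa, da, bssid, body) for an 802.11 management frame,
    or None for anything else (data, control, truncated)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                 # protocol version | type | subtype
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != 0:
        return None
    da, sa, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    return subtype, sa, da, bssid, frame[24:]


def parse_ies(body):
    """Parse tagged parameters (id, length, value) into {id: value}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + elen]
        if len(val) < elen:
            break                  # truncated element: stop rather than misparse
        ies.setdefault(eid, val)
        i += 2 + elen
    return ies


def probe_requests(frames):
    """Yield (source MAC, SSID) for each probe request; SSID is '' for wildcard probes.
    Probe requests have no fixed fields, so the IEs start right after the header."""
    for f in frames:
        p = parse_mgmt(f)
        if p is None or p[0] != PROBE_REQ:
            continue               # beacons carry the SSID too, but they come from the AP
        _, sa, _, _, body = p
        yield sa, parse_ies(body).get(SSID_IE, b"").decode("utf-8", "replace")


def find_hits(frames, ssid, mac):
    """by_ssid: MACs that sent a directed probe for ssid.
    by_mac: SSIDs the given MAC probed for ('' = wildcard probe)."""
    by_ssid, by_mac = set(), []
    for sa, s in probe_requests(frames):
        if s == ssid:
            by_ssid.add(sa)
        if sa == mac.lower():
            by_mac.append(s)
    return by_ssid, by_mac


def build_mgmt(subtype, sa, da, bssid, ies, fixed=b""):
    """Build a raw management frame (used only to construct the sample capture)."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00"
    return hdr + fixed + b"".join(bytes([eid, len(v)]) + v for eid, v in ies)


RATES = (1, b"\x82\x84\x8b\x96")   # supported rates IE, as a real client would send
PHONE, OTHER, GUARD, AP = TARGET_MAC, "3c:5a:b4:44:55:66", "f0:18:98:77:88:99", "00:0b:86:aa:bb:cc"

# Constructed sample capture: a wildcard and a directed probe from the phone, a
# stranger probing for another SSID, an AP beaconing the prison SSID (must NOT
# count), a data frame (ignored), and a second device that knows the prison SSID.
SAMPLE_CAPTURE = [
    build_mgmt(PROBE_REQ, PHONE, BROADCAST, BROADCAST, [(SSID_IE, b""), RATES]),
    build_mgmt(PROBE_REQ, PHONE, BROADCAST, BROADCAST, [(SSID_IE, TARGET_SSID.encode()), RATES]),
    build_mgmt(PROBE_REQ, OTHER, BROADCAST, BROADCAST, [(SSID_IE, b"xfinitywifi"), RATES]),
    build_mgmt(BEACON, AP, BROADCAST, AP, [(SSID_IE, TARGET_SSID.encode()), RATES],
               fixed=b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"),   # timestamp, interval, capabilities
    bytes([0x08, 0x00]) + b"\x00" * 22 + b"data payload",          # type 2 = data frame
    build_mgmt(PROBE_REQ, GUARD, BROADCAST, BROADCAST, [(SSID_IE, TARGET_SSID.encode()), RATES]),
]

if __name__ == "__main__":
    by_ssid, by_mac = find_hits(SAMPLE_CAPTURE, TARGET_SSID, TARGET_MAC)
    print("devices that probed for", TARGET_SSID, ":", sorted(by_ssid))
    print("SSIDs probed for by", TARGET_MAC, ":", by_mac)
```

On a real capture you would first put the card in monitor mode (`airmon-ng start wlan0`), record with `tcpdump -i wlan0mon -w capture.pcap`, and feed each frame through strip_radiotap before probe_requests; the equivalent Wireshark display filter is `wlan.fc.type_subtype == 4 && wlan.ssid == "CCF-BYOD"`. Note that the beacon in the sample carries the same SSID but never appears in the results, which is exactly the separation between beacons and probe requests the text calls for.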