This repository is source code for some of the attacks defined in this paper (https://arxiv.org/pdf/1703.02874v1.pdf). Not all attacks will be available. Please read the README.md
Main contribution:
if vMAC broadcast probe req -> probe respond with any SSID-> get rMAC -> confirm desired rMAC -> save vMAC tags from initial probe req -> listen to all vMACs with same tags -> start responding to vMACs with confirmed tags in order to track target.
Using named pipes seems to be inefficient. There is a condition where a packet is being read from the pip while the pipe is trying to be opened by another process.
Should try using a try/except with a very small sleep interval. This would slow everything down considerably and is not the best solution. A reimplementation with mutexes would be better.
Basically title. Upon successful deauth, and passively receiving information there should be enough information to determine the global MAC. The paper does not consider the possibility of a dauth, which makes this attack much more potent, but very active.
"This is particularly useful as all authentication and association frames from iOS and Android devices use the global MAC address."
Use examples from the paper, in earlier sections, to be able to fingerprint devices. Since I'll only really be working with my Nexus 6p, I should be able to pick it out quickly.
Write in scapy the ability to pull the sequence number from probe requests. This should be fed a ESSID/BSSID. Other information might need to be grabbed from probe requests to retrieve the global MAC.
The paper covers the ability to use RTS/CTS to retrieve(maybe confirm?) the global MAC address. More research has to be done by reading the main paper and the one it references.
This can be done with the aircrack suite. However, it would be nice to have everything in python functions so that they can be called to quickly grab what is in the air. The benefit to this approach is the ability to grab and use the SSID/BSSID/ESSID's quickly and interchangeably.
This would be good for larger scale operations. Since I only have one device available, maybe not.
I'm leaning yes since it's not much work. Have to look into a tad more.
@csanders-git What do you think about changing the website to have functionality that lets a user input a MAC address, which gets sent to a listening device that will serve up the attack. It will then respond back to the website with a yes/no and some other info about if the MAC is near the device or not.
Presumably it would keep looking for/tracking the MAC until the user requests it to stop.
According to the paper, additional information needs to be correlated to get to the global MAC.
Paper also implies that you don't need the global MAC as you can follow the generated sequence numbers and connect them to the local MAC. However, this is not as good as getting to the global MAC.
Create script that sniffs traffic and prints found virtual MAC address. Good to separate from devices that don't use virtual MAC addresses from those that do.