How to detect all Wi-Fi devices in the area?

Using the airodump-ng tool, you can see information about wireless access points and clients. If there are several access points, then everything is simple and convenient, and what if the total number of APs and stations within the range is measured in hundreds? This amount does not fit into any screen.

With airodump-ng also it is inconvenient to collate connections between stations and APs.

When using the -w option with the awdump-ng option, the captured packets are written to a file, a file with the extension .csv is created, which can be opened by the program for working with tables or a text editor. This file contains information about the devices seen:

The advantage of this file is that, at least you can see all the detected devices. Disadvantage is the inconvenience of data analysis.

As a result, I decided to write a small script for analyzing the .csv file created by the airodump-ng program for my own needs.

The script can do the following:

  • shows the total number of seen Access Points, Stations and Stations not connected to any AP;
  • for each network determines the manufacturer of the device;
  • allocates networks operating at 5 GHz;
  • for each network shows the clients connected to it;
  • for each client determines the device manufacturer, based on this data, assumes whether the device is a mobile phone, whether it can support the monitor mode;
  • shows the networks that each client tried to connect to;
  • shows all clients that are not connected to any network, and displays for them the networks they were looking for.

An example of data that displays a script (data received from one location without moving, for 1+ hour):

To analyze the .csv file, it is necessary that airodump-ng create it. To do this, enable monitor mode for wireless interface. I always start with the following two commands, they make me sure that no processes interfere:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

Next enable monitor mode for wireless interface:

sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

Now run airodump-ng with the following command:

sudo airodump-ng --berlin 60000 -w /tmp/test wlan0

If you are also interested in a 5 GHz band and if your wireless adapter supports it, you can add –channel 1-13,36-165:

sudo airodump-ng --channel 1-13,36-165 --berlin 60000 -w /tmp/test wlan0

Here:

  • –berlin 60000 is used to ensure that APs and Stations that have left the view are not excluded from the list
  • -w /tmp/test is used to save files to the /tmp/ directory with the prefix test
  • –channel 1-13,36-165 tells wireless to switch over all possible channels, including 5 GHz.

Now create the file wfw.sh:

gedit wfw.sh

and copy the following to it

Also we need a file with a database of MAC-addresses and the corresponding manufacturers, download it to the same directory where the wfw.sh file was placed

wget http://standards-oui.ieee.org/oui/oui.txt

Run the script like this:

bash wfw.sh path/to/file.csv

Note that if you run airodump-ng several times, it creates new files each time, without deleting the old ones. I used the prefix test, so when I first started, the file test-01.csv was created in the /tmp/ folder. This is what I will analyze. By the way, the script can be run simultaneously while airodump-ng is running. Example:

bash wfw.sh /tmp/test-01.csv

Pay attention to the data:

Total Access Points: 135
Total Stations: 519
Total Stations without association: 406

The total number of access points (135) – this is how much my wireless adapter saw Wi-Fi networks in the district (without moving). The total number of Stations (519) is all devices that are connected or not connected to APs. Stations without association (406) are those who are not connected to any of the Wi-Fi networks (for example, they passed by my house with a phone on which Wi-Fi is turned on).

For this AP, the network name was not received, however, one of the clients connected to it searched for a network named RT-727451. It is possible that this is the name of this network:

Similarly for networks on the following screenshots:

Using the script, you can search for different artifacts in the wireless space, for example, not only I have a Wi-Fi adapter with a monitor mode:

A lot of devices where the MAC address starts with DA:A1:19 and is not present in the database:

Although if you google, you can find information that this range belongs to Google itself:

Also, I found mention that a random MAC-address with such a prefix create Android and iOS for privacy.

Conclusion

Let airodump-ng work longer, at least 5-10 minutes, to collect more information.

Depending on the purpose, you can use the data obtained during the movement.

Whether the device is a mobile phone and whether the monitor mode is supported solely on the basis of the manufacturer's name, i.e. the data may be incorrect.

Recommended for you:

Leave a Reply

Your email address will not be published.