Is looking for Wi-Fi access points purely passive?

Say I carry a Wi-Fi enabled phone or laptop through an area where there are WAPs. Assuming that I don't actively try to connect to them or otherwise interact with them, is it possible for the owner of that WAP to know that I was there?

I'm asking this in the context of my earlier question: Looking for MACs on the network

I was talking with a friend about my newfound ability to detect phones (and other devices with MAC addresses) on the network, and he pointed out that it might be useful to detect unknown phones on the network; I could use that data to track down anyone who was in my house and brought a Wi-Fi phone with them.

So, if I set up a logging fake WAP with no security or encryption, can I glean any useful information about the devices that come into the house? Assuming that the thief doesn't actively try to connect...


Solution 1:

No, looking for 802.11 APs is primarily active. When you bring up a list of visible APs in the area, your 802.11 client most likely does what's known as an "active scan", where it tunes its radio to each supported channel in turn, transmits a Probe Request frame, and waits perhaps 20-40ms to gather Probe Response frames from any APs on that channel before moving on to the next channel. This allows it to scan all the channels much faster than a "passive scan".

A "passive scan" is possible, but isn't used very often because it takes longer. To do a passive scan, the client tunes to each channel in turn, and waits a typical Beacon Interval (usually about 100ms, but could be more) to gather Beacons.

Some channels in 5GHz in some regulatory regions require that you scan passively first, until you know that the channel is not in use by nearby radar installations. But most clients, as soon as they see a Beacon on a passive-scan channel, will switch to an active scan to speed up the process.

If your client device is on, and hasn't given up looking for your recently-joined/preferred/remembered networks, it will almost certainly be broadcasting Probe Requests which give away not only your wireless MAC address and some of the capabilities of your card, but often also the name of the network it's looking for. This is necessary in case the network is a "hidden" (a.k.a. "non-broadcast SSID", a.k.a. "closed") network.

It's pretty trivial to learn people's wireless client MAC addresses and also the names of their home and work networks just by hanging out at the office or a coffee shop or airport terminal with an 802.11 monitor mode packet sniffer, recording Probe Requests.
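To make concrete which fields a monitor-mode sniffer actually gets to see, here is an added example (written for this page, not code from the answer's author) that parses constructed Probe Request and Beacon frames: it pulls the transmitter MAC and the SSID out of a Probe Request, the Beacon Interval out of a Beacon, and compares probing MACs against an allow-list of the devices you know belong in your house. The sample frames, MAC addresses and SSIDs are constructed, not captures.

```python
import struct

# Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
# Management frames are type 0; Probe Request is subtype 4, Beacon is subtype 8.
SUBTYPE_PROBE_REQUEST, SUBTYPE_BEACON, SSID_ELEMENT_ID = 4, 8, 0
TU_MS = 1.024  # one 802.11 Time Unit is 1024 microseconds

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def _ssid(body):
    """SSID from a management frame's tagged parameters (id, length, value triples)."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if eid == SSID_ELEMENT_ID:  # an empty SSID element is a wildcard probe
            return body[i + 2:i + 2 + length].decode("utf-8", "replace") or None
        i += 2 + length
    return None

def parse_mgmt_frame(frame):
    """Describe a Probe Request or Beacon (raw 802.11 frame without FCS); None otherwise."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0:
        return None
    src, body = _mac(frame[10:16]), frame[24:]  # Address 2 is the transmitter
    if subtype == SUBTYPE_PROBE_REQUEST:
        return {"kind": "probe_request", "src": src, "ssid": _ssid(body)}
    if subtype == SUBTYPE_BEACON and len(body) >= 12:
        interval_tu = struct.unpack_from("<H", body, 8)[0]  # follows the 8-byte timestamp
        return {"kind": "beacon", "src": src, "ssid": _ssid(body[12:]),
                "beacon_interval_ms": round(interval_tu * TU_MS, 1)}
    return None

def unknown_probers(frames, known_macs):
    """Map each Probe Request sender not on the allow-list to the SSIDs it asked for."""
    seen = {}
    for info in map(parse_mgmt_frame, frames):
        if info and info["kind"] == "probe_request" and info["src"] not in known_macs:
            seen.setdefault(info["src"], set()).add(info["ssid"])
    return seen

# Constructed sample frames (locally administered MACs, not real captures).
HDR = "{fc} 0000 ffffffffffff {src} {bssid} 1000"  # FC, duration, addr1-3, seq ctrl
PROBE_REQ = bytes.fromhex(HDR.format(fc="4000", src="021122334455", bssid="ffffffffffff")) \
    + b"\x00\x07HomeNet" + b"\x01\x04\x02\x04\x0b\x16"  # SSID + Supported Rates elements
WILDCARD_PROBE = bytes.fromhex(HDR.format(fc="4000", src="02deadbeef01", bssid="ffffffffffff")) + b"\x00\x00"
BEACON = bytes.fromhex(HDR.format(fc="8000", src="02aabbccddee", bssid="02aabbccddee")) \
    + bytes(8) + b"\x64\x00" + b"\x01\x04" + b"\x00\x06CafeAP"  # timestamp, 100 TU, caps, SSID
```

A directed probe leaks both the MAC and the remembered network name; a wildcard probe leaks only the MAC, and a 100 TU Beacon Interval works out to the roughly 100 ms the answer mentions.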

Solution 2:

There is a system called Jasager that detects WiFi probes that most clients shout out ("Hello, is linksys there", etc), pretends to be it, lets them automatically connect as if they are 'at home', with that lovely 'public' networking option Windows now has.

Lo and behold, all their public fileshares, web traffic (and there are extensions for it that let you MITM attack SSL sessions) and anything else you can think of.

Enjoy and don't get caught.