
Users on public wifi

wotsits
(@wotsits)
Active Member

In a hypothetical but very real scenario, if an IP address is identified as being responsible for some illegal activity, and that IP leads to some open public wifi being shared among residents of a hotel or say a serviced apartment building, is it possible to narrow down any further which exact computer was at a specific time that was responsible for the activity being investigated?

Of course public wifi is wide open to interception so if you started investigating after the incident was identified you could start looking at what users online were doing, but let's assume the offense is not a continuing one and we are trying to identify a user at a specific time post the event.

Is there any identifiable information like a MAC address or a user name that is recorded that could be used to identify further?

It seems to me that if there are a high number of users on a wifi network this would be far too broad to justify seizing everyone's devices to examine, so unless you could narrow it down then the only hope is that this is a repeat user who can be identified when they sign on.

Topic starter Posted : 09/07/2017 11:06 pm
jaclaz
(@jaclaz)
Community Legend

Is there any identifiable information like a MAC address or a user name that is recorded that could be used to identify further?

IF it is recorded, maybe there is the MAC.

Good luck pairing a MAC to a given device[1], the MAC can be usually spoofed just fine, and in any case it is not like - say - a cellular phone number/sim, it is not connected to a user.

It seems to me that if there are a high number of users on a wifi network this would be far too broad to justify seizing everyone's devices to examine, so unless you could narrow it down then the only hope is that this is a repeat user who can be identified when they sign on.

So, let's say that you have a "real" MAC and that you wait patiently until it connects "again", while you have some 150 other users connected.

What would be the idea to find which one among the connected customers has that MAC?

Checking one by one all the rooms? (and the people in the lobby and the people in the bar, etc.)

And, given the size of such devices, this would also equate to a personal search.

I mean, you knock on the door of the hotel room, after an understandable small delay the door opens and you ask to see all electronic devices, the person in the room shows you a smartphone (with a different MAC), how do you know he hasn't another one?

jaclaz

[1] Which in this case it is not given.

Posted : 10/07/2017 12:35 am
MDCR
(@mdcr)
Active Member

Apart from social media you can ID with

* HTTP headers: cookies and version strings. Cookies are versatile.
* Specific installed software asking for updates
* DNS to visited sites vs browser visited history
* Footprints/OSINT: Google the IP and see what pops up in a specific time period.
* DHCP leases from router (if logged with IP/Mac)
* Time of incident vs Auth ID from capture portals
* Beaconing or communications from malware infections.
* Some places like hotels can have access cards and video cameras.

All this entropy can help you to pinpoint and/or eliminate possible matches.

There are rarely a "high number" of users on a wifi network, since most access points support few users, maybe 100's. That also helps singling out the source of the incident.

(everything is open to interception)

Posted : 11/07/2017 3:52 pm
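
The DHCP-lease and portal-login items in the list above can be combined into one lookup. The following is an added example, not part of MDCR's post: it assumes the internal address is already known from a NAT or connection log, and the log formats, addresses and room identifiers are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs; line formats are assumptions, not a real router's.
DHCP_LOG = """\
2017-07-09T21:02:11 ACK 10.0.0.23 a4:5e:60:11:22:33 lease=3600
2017-07-09T21:40:05 ACK 10.0.0.57 da:a1:19:00:be:ef lease=3600
2017-07-09T22:02:10 ACK 10.0.0.23 a4:5e:60:11:22:33 lease=3600
2017-07-09T23:30:00 ACK 10.0.0.23 3c:22:fb:44:55:66 lease=3600
"""
PORTAL_LOG = """\
2017-07-09T21:03:02 LOGIN a4:5e:60:11:22:33 room-412
2017-07-09T23:31:15 LOGIN 3c:22:fb:44:55:66 room-207
"""

def leases(log):
    """Yield (ip, mac, start, end) for every DHCP ACK line."""
    for line in log.splitlines():
        ts, _, ip, mac, lease = line.split()
        start = datetime.fromisoformat(ts)
        yield ip, mac.lower(), start, start + timedelta(seconds=int(lease.split("=")[1]))

def locally_administered(mac):
    # Bit 0x02 of the first octet set: not a vendor-assigned address
    # (randomized or manually set), so it will not map to a device maker.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def attribute(ip, when, dhcp_log=DHCP_LOG, portal_log=PORTAL_LOG):
    """Who held internal address `ip` at ISO time `when`, per the logs?"""
    t = datetime.fromisoformat(when)
    holders = {m for i, m, s, e in leases(dhcp_log) if i == ip and s <= t < e}
    if len(holders) != 1:
        return {"status": "ambiguous" if holders else "no-lease", "macs": sorted(holders)}
    mac = holders.pop()
    # Most recent portal login by that MAC at or before the incident time.
    logins = [(datetime.fromisoformat(ts), auth)
              for ts, _, m, auth in (l.split() for l in portal_log.splitlines())
              if m.lower() == mac and datetime.fromisoformat(ts) <= t]
    return {"status": "ok", "mac": mac,
            "auth_id": max(logins)[1] if logins else None,
            "locally_administered": locally_administered(mac)}

if __name__ == "__main__":
    print(attribute("10.0.0.23", "2017-07-09T22:15:00"))
```

A result with `locally_administered` set to true, or with no portal login, narrows the time window but does not by itself tie the address to a physical device.
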
hcso1510
(@hcso1510)
Active Member

One of the things that comes up these days are NAT'd IP's. Without a Port assignment, identifying a specific user can be one heck of a task. If you happen to have what you believe is the same, or similar activity on multiple NAT's you might try the following.

Ask the ISP for account identifiers for all parties on the NAT for each occurrence. You can then use software to search out the common identifier and then ask for the subscriber information for the suspect account.

A word of caution! In working a case like this, let's say the NAT had 500 subscribers on it. You would likely be obtaining the identifiers for 1 suspect and 499 innocent parties. In seeking this information it is likely that you will receive pushback from X company's legal department.

If possible I would be seeking account identifiers that do not allow you to identify the subscribers themselves. As an example IF the account number was a standard 10 digit phone number I would try to get something else. That way, hopefully, you're essentially just looking at numbers. Identify the common one and then obtain the subscriber information.

I may not have done it well, but what I'm trying to explain is that you should do everything you can do to protect the data of innocent people, but you should also be able to conduct a criminal investigation as well.

Let me know if you need more info on this.

Posted : 11/07/2017 8:28 pm
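
The common-identifier search described in the post above, as an added example that is not part of hcso1510's post. It assumes the ISP replaces each account number with a keyed hash before disclosure, so the investigator only compares opaque tokens; the key, account names and occurrence lists are constructed placeholders.

```python
import hashlib
import hmac
from collections import Counter

ISP_KEY = b"constructed-demo-key"  # placeholder; in practice held by the ISP only

def pseudonymize(account_id, key=ISP_KEY):
    # Keyed hash: stable per account, not reversible without the ISP's key.
    # Truncated to 16 hex characters for readability.
    return hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()[:16]

def candidates(occurrences, min_share=1.0):
    """Tokens present in at least `min_share` of the occurrences.

    Returns (token, count) pairs, most frequent first. More than one
    result means more occurrences are needed before asking for
    subscriber details; an empty result means the share is too strict
    or the incidents are not from one account.
    """
    counts = Counter(tok for occ in occurrences for tok in set(occ))
    need = min_share * len(occurrences)
    hits = [(t, n) for t, n in counts.items() if n >= need]
    return sorted(hits, key=lambda x: (-x[1], x[0]))

# Constructed data: accounts behind the NAT at each of three incident times.
RAW = [
    ["acct-1001", "acct-1002", "acct-1003", "acct-1007"],
    ["acct-1003", "acct-1004", "acct-1005"],
    ["acct-1002", "acct-1003", "acct-1006"],
]
# What would be disclosed: one list of opaque tokens per occurrence.
DISCLOSED = [[pseudonymize(a) for a in occ] for occ in RAW]

def suspect_tokens():
    return candidates(DISCLOSED)

if __name__ == "__main__":
    for token, seen in suspect_tokens():
        print(token, "present in", seen, "of", len(DISCLOSED), "occurrences")
```

Only the token that survives the intersection is sent back to the ISP for subscriber information; the other accounts are never identified to the investigator.
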
TinyBrain
(@tinybrain)
Active Member

VPN handshake and key exchange, UAS of browser can be spoofed but give it a try

Posted : 11/07/2017 9:44 pm
RolfGutmann
(@rolfgutmann)
Community Legend

Is there a stronger encryption than WPA2 (-PSK/TKIP or -AES)?

Posted : 12/07/2017 10:23 pm