Ive been playing with some 802.11 packet sniffing tools, and have made a crude program that captures client and AP MAC addresses (amongst other things) as theyre received by the WiFi card. Nothing particularly new there I know.
But one thing that's been bugging me is that I’m only able to capture client/station MACs as and when they choose to transmit, probe etc. Ive observed that for many mobile devices this is relatively infrequent.
So my question to the community is - Is it possible to solicit a response from a station at will?
To make things a little easier, please use the following scenario, as an example:
A friend has taken my phone and hidden it somewhere in the woods (sorry, bit random!) because hes a douche. The WiFi is enabled, although it’s probably gone into sleep state by now. There is no cellular service.
lets say Ive gone to look for it, and happen to be in range of it. If I sniff for probes and other frames I will eventually detect it, get an rssi and pin it down. However this could take ages - hours.
if I were to take my home router, that it’s previously assosciated with, into the woods and power it up would my phone attempt to connect and in doing so give me an instant detection?.. I don’t think it would if it were in sleep mode - I’ve tried it and it doesn’t!
So what else could I do to force a transmission from it? Could I manipulate a beacon frame from the router with a DTIM making the device think it has data waiting for it, and thus waking it up?...
I’ve exhausted all my resources for the solution to this problem. Perhaps it’s simply not possible.
if any of you guys can contribute your thoughts I’d be most grateful.
If you had had your phone connected to a Win-10, or similar OS, laptop-pseudo AP, you could go into the forest with it beaconning and see if it connected.
But I think a more straightforward approach would be to have one of the lost/stolen phone Apps installed, and use it to find your phone.
The other way would be to use one of the many Bluetooth Apps on the market.
I love Wi-Fi, but I think I'd try the easiest, most likely to succeed, approach first.
Hello Howard, thanks for your reply.
yes that’s a great suggestion and that would obviously be a solution, but what I’m trying to do is actually drill down into the 802.11 side of things to see if it’s technically possible to do by another means.
so let’s just say the phone has been hidden and it didn’t have any locate apps on it.
or perhaps I should have worded my question - how do you forcefully wake a WiFi station from sleep/doze state?
Thanks again all
If the device is associated with an AP and you send an unicast frame to the device you will get an ACK back. Broadcasts and multicasts are not acknowledged. But then you would need to know the MAC address so we are back to square one. If you know the IP address you could send and ARP request and the device will reply with the MAC. You could also use ping (i.e. ICMP) but some clients have a firewall blocking ping.
If the device is not associated and you bring an AP nearby (hostapd will do) announcing a familiar SSID, the device may eventually connect to it. If the device has some process that requires connectivity during sleep – checking mail for example. iOS devices will periodically try to contact Apple services (Find my iPhone relies on this), but I haven't checked whether iOS devices will associate with a new AP during sleep.
The problem is that in TCP/IP the initiative is on the client. You can turn a client into a server by installing some server program that will accept connections, but even then the "accepting connections" is an initiative by the client that turned it into a server. If the client is passive and there is no server software to accept connections the client is unreachable. This is also security design. ARP is a service that is on every device. That's why I suggested using it.
Some special tools you could look into are arping, ether-wake and arp-scan. One of them could help you to the solution you are looking for.
All of this is untested, off the top of my head.
thank you for your thoughts.
these are all things that I will now research and experiment with.
if I can add - for my scenario I will be aware of the MAC address of the ”target” station. I don’t know if this makes a solution easier?
arp scanning is a good idea, but if the station is sleeping and not assosciated with the AP then will it respond?... I’m guessing not.
Remember, Wi-Fi works on MAC addresses without necessarily needing an IP address.
If your phone were constantly probing, you would probably find a MetaGeek Chanalyzer to be handy.
An AirCheck (I/II) is especially good at locating client devices if you can ping it, or it is otherwise busy.
@stealthMatt: Yes, knowing the MAC will make it easier.
Mobile device sleep is different from workstation or laptop sleep. Mobile devices keep waking up. They'll just turn on the radio once in a while. I think that design comes from the cell phone radio. You need to be able to accept calls even when sleeping.
If the device is associated with an AP then it should be quite straightforward to send frames to it. That's what all the Power Save extensions are about. Mobile devices seem to stay associated even in sleep. I haven't tested whether a device will associate with a "familiar" AP during sleep when it is not associated.
In my experience, cell phones have always been more sophisticated with their power save algorithms and methods. Just because early 802.11 had a PS mode, does not mean it was implemented well in a particular device. In some cases, and only after years of use, was it admitted that they didn't really do much from a networking standpoint. Yes, they made your battery last longer, but staying connected was really a secondary consideration. Device latency was an even lower priority.
Newer Wi-Fi devices are usually much better, due mostly to the demands of an increasingly aware customer base, and based on peoples experience with their cell phones.
Don't get me wrong. I'm not saying phone companies have it all correct. Look at LTE, a potential disaster for Wi-Fi.
In my experience guys, phones seldom transmit probes. I think they must passive scan for the majority of the time and occasionally flick to active scanning. Despite all of the scare stories online saying how your phone is constantly giving away your connection history by probing for known networks - I have monitored my iPhone on several occasions over long periods of time, and as an example, over a period of 8 hours it may only probe two or three times. Therefore, in my particular scenario of trying to locate it in the "woods" it could take a very long time.
This is why I would like to find a solution to send it "something" in an attempt to provoke a response, regardless of its connection or sleep state.