Wifi based heuristics#1042
Conversation
jacklund
force-pushed
the
wifi-based-heuristics
branch
from
b981cc8 to
08f07b6
Compare
|
Rebased against upstream main |
jacklund
force-pushed
the
wifi-based-heuristics
branch
from
08f07b6 to
2233390
Compare
EFForg#1000 Added ability to scan wifi networks (with a change to the wifi-station library, which I will PR once I get this working). Trying to integrate it into the analysis setup didn't work well, because that's pretty much only set up for packet analysis, so I'm instead sending the change to the display state directly from the wifi analysis function, which probably isn't really what's needed.
jacklund
force-pushed
the
wifi-based-heuristics
branch
from
4be8c5b to
4eabcd7
Compare
|
@jacklund sorry for the delay on reviewing this I'm having a look at it now |
|
I like the direction of your approach here. A few issues:
|
|
One of the main imsi catcher manufacturers is keyw corporation who has an unusual OUI of https://maclookup.app/macaddress/70b3d57cb 70:b3:d5:7c:b It would be cool to be able to match against an oui like this that is >3 bytes but also the half byte at the end (crazy stuff I know) Also we should have a sane default list of OUIs. I can provide this. |
cooperq
left a comment
cooperq
left a comment
There was a problem hiding this comment.
please address the changes in my above comments.
No worries, I know y'all are slammed. |
Wow, that's crazy.
Well, right now I do a
👍 |
Sounds good. I'm going to have to use a separate logger in that case, not a big deal, since y'all redirect the default logging from stdout to the rayhunter logs. I'll probably use whatever's simplest for now, although if you have a preference for a particular logger, I can use that. I'll also add something to be able to look at the wifi logs similar to what's done in the web UI for the rayhunter logs. I think to be really useful, we'd need to include both the OUI and the manufacturer in the alert, which means we'd need to configure it with both (i.e. my simple config of a list of OUIs probably won't cut it). I'll probably change that to a list of manufacturer => list of OUIs, unless you think that's overkill.
Hadn't noticed that. I can look at that as well.
Yep, I figured I'd wait until we settled on a set of stable features before tackling documenting it, but I can probably start with some of what we've got now. I'll also change the alert level. Thanks for the feedback! |
2 participants
First pass at a solution for issue #1000.
Some notes:
I've managed to shoehorn my code into the analysis flow, although whether it's in the best place I'll leave up to y'all. I've added a
WifiOUIAnalyzertype, which implementsAnalyzer, and which gets added to the analyzer harness by default (and is configurable). I've also added the configured OUIs to theAnalyzerConfigwhich felt weird, since everything else on that are booleans, but there didn't seem to be a better place to put that and still have it available in the Harness code.I've added a config line to specify the target OUIs as a comma-separated list of strings. I don't currently validate the OUIs (which should be done), because I'm not certain that's the best way to specify them. At some point there should probably be lists of well-known OUIs for specific types of target devices (similar to what Colonel Panic does in his OUI-spy apps), but until we have those lists, this might have to do.
I've also marked a OUI match as a
HIGHevent type, which might not be what is wanted here, it just seemed like a good place to start.There's some code duplicated from
DiagTask::process_containerwhere I send the information to the notification channel and the display, which is not great, but I figured that some refactoring of the analysis flow to make this code fit better might make that go away anyway.Also, I'm using my fork of
wifi-stationfor this PR - I have a PR pending on that repo which will add the BSSID to the list of items returned when scanning. Hopefully when/if that PR is merged, we can put that back.Pull Request Checklist
cargo fmt.You must check one of: