Wednesday, August 8, 2012

STALKER - Analyzing [Your] Wireless Data

At INFILTRATE 2012 I gave a presentation entitled Secrets In Your Pocket: Analysis of [Your] Wireless Data[1].  I discussed many ways that you or your target can be stalked, profiled and forced to disclose personal information.

Most people tend to store information disclosures away in the cerebral junk drawer where other useless knowledge is archived.  "So what?" is the typical response I get when I discuss personal data disclosures, "What can you do with it?"

That's a great question.

STALKER is a tool that I wrote to reconstruct all captured traffic (wired or wireless alike) and parse out all of the "interesting" information disclosures.  It goes beyond just grabbing passwords and emails out of the air as it attempts to build a complete profile of your target(s).  You would be amazed at how much data you can collect in 15 minutes.

Here is a list of the most obvious and interesting data that can be collected with STALKER.

  • Name(s)
  • Email addresses
  • Phone numbers
  • Billing/Home address
  • Passwords
  • Emails
  • User names/Screen names
  • User-Agent strings
  • Wireless networking probes (Beacons/SSIDs)
  • DNS requests
  • Host names
  • Weblinks
  • Search queries
  • and so much more!

But what I want to focus on are the not-so-obvious information disclosures and how they can be used against you or your target.

ARP Disclosures and GPS Coordinates

At INFILTRATE I released details of a feature of Apple products (iPhones, iPads, Macbooks, etc) that leaks the MAC addresses of the last 3 wireless access points that the device has connected to (lots of Apple fans yelled at me after this.  Feel free to continue yelling at @MarkWuergler).  What does this mean?  It means that your target's device is disclosing where the target lives, works and plays to everywhere within wireless range.  STALKER keeps track of all of this for you and even plots the target's preferred access points on a map.

The blue marker on the above map represents the location of the wireless access point that a target device has connected to and the red marker represents where the actual device was seen by STALKER.  Over the course of a few days this map is populated with all the frequented locations of the target.  

Reconstructed Files

If you target is downloading/uploading files then STALKER will put them back together and lovingly save them on the hard drive for you.  It doesn't matter what the file type is - as long as STALKER can see it - you'll have it.  View web pages as the target viewed them, view their documents, listen to their music and to their VoIP phone calls.  

I will warn you though - there are just some things that can't be unseen (I will leave this to your own imaginations).

Emails and Chats

“Integrity is doing the right thing, even when no one is watching.” - C.S. Lewis

Most people are always on their best behavior ... until they start to share private messages.  Criminal behavior is evident, true personalities and intentions surface and the completely unimaginable take place in digital conversations.  All of which you can browse easily in the STALKER inbox.

Piece by Piece - Building a Profile One Disclosure at a Time

One thing that I look for on penetration tests that I conduct is how to turn a small, seemingly unimportant bit of data into more meaningful data.  For example, a userid from a website could be used to turn into a person's name -> name into email address -> email address into phone number -> phone number into home address -> etc, etc, etc.  STALKER is capable of automating this for you so you don't have to worry about making the connections yourself.  You're welcome.    

Forced Information Disclosures

SILICA can be used to actually force a target user to interact with the applications and services that will disclose the most information about them in the fastest time possible using its Custom Injection module.  This mode will inject custom content into the browser of the target (this can be hidden or obvious depending on your needs).  Typically this is used to actually compromise the wireless device (which is a topic for an entirely new blog post) but it can also be used to aggressively collect the kind of data that you want to feed to STALKER.

Practical Uses

There are many potential audiences for STALKER.  Here are a few that come to mind: 
  1. Those that immediately understand the risks associated with information disclosures.  This is usually the category that victims fall into.
  2. Those who have something to protect.  This is the category that governments and corporations fall into.
  3. Those that are tracking and investigating individuals.  This is the category that law enforcement falls into.
  4. Those that are proactive about security.  If your personal or corporate wireless device's traffic is run through STALKER and anything of interest shows up then you have a leak that needs to be plugged (before it can be abused).
  5. Social engineering.  If employees are profiled by STALKER the likelihood of a successful social engineering attack increase dramatically (as STALKER may contain information that can help answer security questions to validate identity).


Anybody with a wireless card has the ability to collect highly sensitive data on you and those that are associated with your organizations.  Let STALKER show you what you are giving away to your attackers before your credit score, lawyers or CNN have a chance.


Don't talk about this program to girls you just met.  And under no circumstances make the same mistake as I did and tell them that you wrote the program ...

[1] Secrets in Your Pocket: Analysis of [Your] Wireless Data (Prezi or watch the Video)


Mark Wuergler
Twitter: @MarkWuergler


Unknown said...

Me wanti! I could sooo use this for stalk...err... Helping me with enumeration during a Vulnerability Test and uh... you know, legit stuff. (<_<)...(>_>)

h43z said...

sick tool! maybe you can use somehing like this if you know how to get this low hanging fruit. leava a comment if you have an idea ;)

Mark Wuergler said...

SILICA actually has a feature that pulls saved passwords right out of the browser remotely via injection. I talked about the technique at INFILTRATE. Here is a video of SILICA doing the Browser Auto-Complete Password Attack:

Unknown said...

Seems like a great tool, pretty useful and dynamic. Great work!

h43z said...

Thats pretty cool! But i was speaking of all values from the html inputs. Besides passwords and emails there is also stuff like cc,firstname,lastname,adress... and they are not explicit saved