Full Report
In 2011 Glenn and Daniel released Snoopy, a set of tools for tracking and visualising wireless client activity. However, the Snoopy project is no longer maintained. This blog entry is about how I got Snoopy-like functionality built into Mana. Snoopy's core functionality was to observe probe requests for remembered networks from wireless clients, although it ended up doing much more. The problem tools like Snoopy face is that they can't monitor the whole 2.4GHz wireless spectrum for probe requests without the use of multiple wireless cards, so they channel hop to make sure they see probes on multiple channels. In the 2.4GHz range this wasn't terrible, because the channels overlap, which means you didn't have to tune in to all 11 or 14 (depending on location) channels individually to see probes across the spectrum. So while you may have missed a few probe requests, you didn't miss many.
Analysis Summary
# Tool/Technique: Snoopy / Mana functionality (Hostapd-Mana modification)
## Overview
Snoopy was a set of tools for tracking and visualising wireless client activity, primarily by observing probe requests for remembered networks. This entry discusses achieving similar functionality by modifying `hostapd-mana` (a fork of `hostapd` used in the Mana Toolkit) to log this wireless client metadata, particularly focusing on capturing Preferred Network List (PNL) information and potentially "decloaking" randomized MAC addresses.
## Technical Details
- Type: Tool (Wireless Monitoring/Attacker Framework extension)
- Platform: Systems running the modified `hostapd-mana` (likely Linux-based due to dependency on `hostapd`).
- Capabilities: Observing and logging wireless client probe requests, recording queried SSIDs, identifying MAC address randomization status, and facilitating integration with Maltego for visualization.
- First Seen: Snoopy was released in 2011. The discussed modification to `hostapd-mana` was detailed around September 2016.
## MITRE ATT&CK Mapping
The described activities primarily relate to reconnaissance and collection of wireless network information.
- T1543 - Interception of Information
  - T1543.001 - Other Network Traffic
  - *Rationale: Capturing probe requests is a form of passive network sniffing, capturing metadata about client connections.*
- T1046 - Network Service Scanning
  - *Rationale: Monitoring the wireless spectrum for client connection attempts.*
## Functionality
### Core Capabilities
- **Probe Request Observation**: Monitoring the 2.4GHz and 5GHz spectrum for wireless clients sending probe requests containing SSIDs of networks they remember.
- **Data Logging**: Logging station MAC address, the network SSID it is probing for, and a flag indicating if the MAC address is locally administered (randomized).
- **Integration with Visualization**: Outputting data in a CSV format suitable for import into Maltego for graphical relationship mapping.
### Advanced Features
- **Hidden Network Probing Trigger**: The `hostapd-mana` configuration can simulate a hidden network (`ignore_broadcast_ssid=1` in beacons) while still responding to probe requests. This manipulates iOS devices to probe for networks on their PNL, increasing capture opportunities.
- **MAC Address Decloaking**: By successfully convincing the client to associate with the impersonated AP, the tool may capture the device's true (non-randomized) MAC address when it attempts to join, especially for non-Windows randomized MAC implementations.
- **Channel Hopping**: Similar to Snoopy, the tool must channel hop across the entire spectrum (2.4GHz and 5GHz) to ensure comprehensive monitoring, though this inherently risks missing probes occurring when not tuned to the correct channel.
## Indicators of Compromise
The output indicators are generated by the logging mechanism enabled via configuration:
- File Hashes: N/A (Source code available on GitHub: `https://github.com/sensepost/hostapd-mana`)
- File Names: `hostapd.conf` (Configuration file for logging)
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on passive capture via MAC/SSID logs)
- Behavioral Indicators:
  - A modified `hostapd` instance running with `enable_mana=1` and `mana_outfile=/some/file` set in its configuration.
  - CSV output format, one line per observed probe: `[Station MAC], [ESSID], [Randomized Flag (0 or 1)]`
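As an added example (not code from the original post or from the hostapd-mana project), the following parser reads the CSV format described above, rebuilds the list of SSIDs each station was seen probing for, and cross-checks the logged randomized flag against the IEEE 802 locally-administered (U/L) bit of the MAC itself; the log lines are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the mana_outfile format described on the page:
# [Station MAC], [ESSID], [Randomized Flag (0 or 1)]
SAMPLE_LOG = """\
00:11:22:33:44:55, HomeWiFi, 0
00:11:22:33:44:55, CoffeeShop, 0
da:a1:19:00:00:01, HomeWiFi, 1
da:a1:19:00:00:01, AirportFree, 1
02:00:00:aa:bb:cc, HomeWiFi, 0
"""


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.
    Randomised MACs set this bit; burned-in addresses leave it clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_mana_outfile(text: str) -> list:
    """Parse CSV lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for fields in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(fields) != 3:
            continue
        mac, essid, flag = (f.strip() for f in fields)
        rows.append({"mac": mac.lower(), "essid": essid, "flag": flag == "1"})
    return rows


def pnl_by_station(rows: list) -> dict:
    """Group the SSIDs each station probed for (its observed PNL)."""
    pnl = defaultdict(set)
    for r in rows:
        pnl[r["mac"]].add(r["essid"])
    return {mac: sorted(ssids) for mac, ssids in pnl.items()}


def flag_mismatches(rows: list) -> list:
    """MACs whose logged flag disagrees with the address's own U/L bit,
    which points at a logging bug or a hand-edited log worth inspecting."""
    return [r["mac"] for r in rows if r["flag"] != is_locally_administered(r["mac"])]


if __name__ == "__main__":
    parsed = parse_mana_outfile(SAMPLE_LOG)
    print(pnl_by_station(parsed))
    print("flag mismatches:", flag_mismatches(parsed))
```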
## Associated Threat Actors
The content discusses tools developed or used by security researchers (SensePost, Glenn and Daniel). No specific criminal or state-sponsored threat actors are explicitly mentioned as using this particular configuration method.
## Detection Methods
Since this process relies on modifying a legitimate service (`hostapd`) and leveraging standard 802.11 frames:
- **Signature-based detection**: Difficult unless specific file hashes of the compiled `hostapd-mana` are known.
- **Behavioral detection**: Monitoring system calls or configuration changes indicating that `hostapd` is logging detailed station/SSID information to a non-standard outfile.
- **YARA rules**: N/A (Focus is on runtime behavior, not static file analysis of the tool itself).
## Mitigation Strategies
- **Wireless Monitoring Mitigation**: Employing Wi-Fi security solutions capable of detecting rogue AP behavior or monitoring for high rates of probe request sniffing across multiple channels.
- **Device Hardening (MAC Randomization)**: Utilizing operating systems or configurations that maintain MAC randomization protection even when associating with known networks, thus thwarting decloaking attempts.
- **Network Segmentation**: Reducing the number of remembered SSIDs (PNL size) on devices, as this limits the data available via probe requests.
## Related Tools/Techniques
- **Snoopy**: The original toolset that provided the inspiration for this functionality.
- **Mana Toolkit / hostapd-mana**: The underlying framework used to implement the new logging features.
- **Maltego**: Used for visualizing the collected MAC/SSID association data.
- **Wigle.net**: Used in conjunction with Maltego to geolocate collected SSIDs.