1
00:00:00,180 --> 00:00:07,380
Hello everyone, welcome to a new video of our Wi-Fi series. Last time we learned how to

2
00:00:07,380 --> 00:00:11,870
write our first Python tool to scan for access points using raw sockets.

3
00:00:12,980 --> 00:00:19,560
Today, we will talk about other frames and how to detect connected clients using raw sockets as well.

4
00:00:21,180 --> 00:00:27,000
First, do you remember the steps the client or mobile device has to take to connect to an

5
00:00:27,000 --> 00:00:27,630
access point?

6
00:00:28,380 --> 00:00:29,430
Well, don't worry.

7
00:00:29,700 --> 00:00:30,480
I'll remind you.

8
00:00:31,710 --> 00:00:34,110
Supernet department from before.

9
00:00:34,460 --> 00:00:34,910
Here you go.

10
00:00:36,030 --> 00:00:43,620
First, the client scans for the Wi-Fi access points, then sends probe requests, then

11
00:00:43,620 --> 00:00:47,700
authenticates with the access point and finally associates with it.

12
00:00:48,930 --> 00:00:54,840
You might find on Google or in some books that people use probe requests to detect connected clients.

13
00:00:55,390 --> 00:00:56,610
That's not correct.

14
00:00:57,450 --> 00:01:03,600
Probe requests are not sent only when a device is connected to an access point, because your device might

15
00:01:03,600 --> 00:01:04,950
be sending those frames

16
00:01:04,950 --> 00:01:10,800
even if the access point is out of range and your device is looking for previously connected ones.

17
00:01:11,910 --> 00:01:17,820
Even if you get a probe response, it still doesn't mean that your device is connected to this access

18
00:01:17,820 --> 00:01:23,160
point. These scripts that you might find on Google are just copying from each other,

19
00:01:23,220 --> 00:01:28,920
I mean. So how do we know if a device is really connected to an access point?
20
00:01:29,820 --> 00:01:37,050
Well, we can check for any association response, or we could check the data exchange itself, like request

21
00:01:37,050 --> 00:01:39,030
to send and clear to send.

22
00:01:40,290 --> 00:01:45,930
These two frames are usually sent from a device using a wireless network to avoid collisions.

23
00:01:47,190 --> 00:01:55,020
So if your device wants to send data, it will send a request to send first and wait for clear to send;

24
00:01:55,170 --> 00:02:01,620
once received, it then sends the data. So we can check for these frames as well to verify if a client

25
00:02:01,620 --> 00:02:04,730
is already connected to the network or not.

26
00:02:05,790 --> 00:02:07,230
So let's do that.

27
00:02:08,070 --> 00:02:12,200
Let's check for both clear to send frames and association response frames.

28
00:02:12,780 --> 00:02:15,600
Let's start with the association response frames first.

29
00:02:19,980 --> 00:02:26,610
First, we need to check what's the subtype of the association response, request to send and clear to send.

30
00:02:27,370 --> 00:02:27,890
It's easy.

31
00:02:27,900 --> 00:02:29,090
You can look it up on Google.

32
00:02:29,310 --> 00:02:32,190
But the subtype for association response is one.

33
00:02:33,810 --> 00:02:36,000
Let's confirm that using Wireshark.

34
00:02:38,420 --> 00:02:39,500
So, Wireshark.

35
00:03:13,690 --> 00:03:14,940
What sort of scan?

36
00:03:18,400 --> 00:03:21,700
All right, I think we'll just stop here for now.

37
00:03:24,870 --> 00:03:34,100
Let's start over. So without setting, and then what I'm going to do now is turn off Wi-Fi from my phone,

38
00:03:34,110 --> 00:03:39,880
since my phone is already connected to this 2.4 gigahertz access point.

39
00:03:39,900 --> 00:03:44,510
I'm going to turn off the Wi-Fi from my phone and turn it back on.

40
00:03:44,700 --> 00:03:47,940
So I'm making my phone reconnect to this access point.

41
00:03:48,930 --> 00:03:50,430
All right, turn it off.
42
00:03:50,580 --> 00:03:53,260
Wi-Fi disconnected.

43
00:03:53,290 --> 00:03:56,270
OK, I'm going to turn it back on and turn off.

44
00:03:56,850 --> 00:03:59,270
Turn on the Wi-Fi again, OK?

45
00:03:59,280 --> 00:04:01,980
I think we should have captured the frame.

46
00:04:01,990 --> 00:04:05,520
Let's stop this now.

47
00:04:05,520 --> 00:04:08,130
Let's use the filters here to look for it.

48
00:04:09,720 --> 00:04:12,540
I believe, like I said before, it was number one.

49
00:04:12,540 --> 00:04:14,910
So I just type one here.

50
00:04:16,410 --> 00:04:20,730
Oh, nothing here.

51
00:04:22,830 --> 00:04:24,060
Well, we didn't capture anything.

52
00:04:24,060 --> 00:04:24,750
Let's try again.

53
00:04:24,750 --> 00:04:29,400
I'm going to disconnect my phone from the Wi-Fi.

54
00:04:31,020 --> 00:04:32,100
Uh, OK.

55
00:04:32,520 --> 00:04:34,290
Connected back again.

56
00:04:37,620 --> 00:04:39,210
Oh, I forgot to capture.

57
00:04:39,240 --> 00:04:43,180
OK, let's do it again one more time.

58
00:04:44,910 --> 00:04:45,530
Disconnect.

59
00:04:45,690 --> 00:04:46,800
OK, let's continue again.

60
00:04:55,110 --> 00:04:55,990
Nothing yet.

61
00:04:56,010 --> 00:05:04,230
I think I've figured out why. It's because the channel is not number one.

62
00:05:04,260 --> 00:05:10,020
It's 11, so let's change the channel to 11.

63
00:05:11,250 --> 00:05:15,680
Let's try one more time.

64
00:05:17,190 --> 00:05:19,770
I'm going to disconnect my phone real quick.

65
00:05:21,390 --> 00:05:22,700
Connected again.

66
00:05:25,780 --> 00:05:28,780
We got it, nice. It started here now.

67
00:05:30,340 --> 00:05:33,250
Now let's check the type, the subtype, in hex.

68
00:05:38,570 --> 00:05:40,760
Subtype is 10, right?

69
00:05:40,790 --> 00:05:42,860
Can you see it here?

70
00:05:45,540 --> 00:05:50,520
So let's add that to our code, OK.

71
00:05:59,930 --> 00:06:00,830
I'm going to stop there.
72
00:06:00,850 --> 00:06:03,950
Very well, I'm typing, because I don't want this video to be long.

73
00:06:05,140 --> 00:06:11,800
So let's check for the frame type and then print something to the screen confirming that we received

74
00:06:11,800 --> 00:06:13,450
it, like this.

75
00:06:13,450 --> 00:06:14,590
Like, just print.

76
00:06:16,530 --> 00:06:18,160
Oh, got

77
00:06:21,190 --> 00:06:21,930
response.

78
00:06:24,630 --> 00:06:24,920
OK.

79
00:06:38,670 --> 00:06:41,610
Now, let's try to disconnect my phone again.

80
00:06:45,630 --> 00:06:46,740
Connected back.

81
00:06:48,890 --> 00:06:52,630
Nice, we got it, got association response.

82
00:06:56,140 --> 00:06:57,040
So far, so good.

83
00:06:57,070 --> 00:07:04,390
Now let's find the MAC address of that client, I mean get the MAC address of my phone again.

84
00:07:04,390 --> 00:07:09,670
We open the frame and go to IEEE 802.11 here.

85
00:07:12,020 --> 00:07:12,940
OK.

86
00:07:16,650 --> 00:07:18,970
Let's check the receiver address here.

87
00:07:20,730 --> 00:07:25,930
It starts from byte number 40 to 45.

88
00:07:26,340 --> 00:07:28,070
This is the receiver MAC address.

89
00:07:29,550 --> 00:07:36,280
So that means we need to do it in Python; it needs to be from byte number 40 to 45.

90
00:07:37,410 --> 00:07:38,970
Sorry, but no free text.

91
00:07:39,450 --> 00:07:41,670
So it's due to just in.

92
00:07:44,390 --> 00:07:45,170
Come here.

93
00:07:49,140 --> 00:08:06,570
Receiver equals packet from 40 to, I mean, 40 to 46, then encode as hex. Now print it.

94
00:08:17,810 --> 00:08:20,160
Let's try again.

95
00:08:23,710 --> 00:08:24,130
Justin.

96
00:08:27,210 --> 00:08:28,120
Do one more time.

97
00:08:30,800 --> 00:08:32,000
Disconnect the phone.

98
00:08:34,280 --> 00:08:36,950
Connected back, got it.

99
00:08:38,630 --> 00:08:51,500
OK, so let's fix the MAC address format a little bit. Before we do this, just copy this one here

100
00:08:52,970 --> 00:08:53,780
and.
101
00:09:03,120 --> 00:09:04,520
Oh, my.

102
00:09:06,870 --> 00:09:07,830
And this is.

103
00:09:17,350 --> 00:09:20,880
Can use this one this time because I'm bored.

104
00:09:26,170 --> 00:09:26,830
OK.

105
00:09:32,390 --> 00:09:33,350
One more time.

106
00:09:37,170 --> 00:09:40,330
Connect, connect again, nice.

107
00:09:40,590 --> 00:09:43,330
Oh, still the same.

108
00:09:44,730 --> 00:09:45,700
I'll see what happens.

109
00:09:55,330 --> 00:10:03,390
Oh, my bad, I used the plus sign instead of the equal sign here, so OK.

110
00:10:11,850 --> 00:10:12,710
I mean.

111
00:10:15,340 --> 00:10:18,130
One last time, disconnect.

112
00:10:20,210 --> 00:10:21,260
OK, it's fixed now.

113
00:10:21,300 --> 00:10:21,730
That's good.

114
00:10:26,790 --> 00:10:27,460
That was it.

115
00:10:27,660 --> 00:10:34,110
Now you know how to detect a newly connected client, but if you want to detect an already connected client,

116
00:10:34,110 --> 00:10:39,260
then check for the request to send and the clear to send frames the same way we did this.

117
00:10:39,960 --> 00:10:42,150
I'll leave that to you as an exercise.

118
00:10:43,680 --> 00:10:45,150
Thank you for watching this video.

119
00:10:45,180 --> 00:10:46,110
See you in the next one.