Finding a stolen laptop via wireless

**TheErk** · 04-18-2007, 07:25 PM

Here's hoping this doesn't end up in the idiot's corner

I'm relatively new to the whole linux/security scene, but I'm learning.

Here's my problem. I've got a stolen laptop on my campus that's still functioning. I know its MAC and I know the general vicinity of where it's at. I'm using Kismet to see its signal strength and I've even made a "dish" to help my PCMCIA card be more directional. In other words, I'm REALLY close to finding where this laptop is.

Unfortunately, kismet will only report back signal strength when there's real data coming FROM the client and it's often just sitting there. It's a windows box with its firewall turned on so it won't respond to ping, etc.

Is there anyway to make the client send out data packets short of deauthing it?

A Backtrack app and/or windows app would acceptable.

Thanks in advance,
TheErk

**theprez98** · 04-18-2007, 07:30 PM

Originally Posted by TheErk

Here's hoping this doesn't end up in the idiot's corner

I'm relatively new to the whole linux/security scene, but I'm learning.

Here's my problem. I've got a stolen laptop on my campus that's still functioning. I know its MAC and I know the general vicinity of where it's at. I'm using Kismet to see its signal strength and I've even made a "dish" to help my PCMCIA card be more directional. In other words, I'm REALLY close to finding where this laptop is.

Unfortunately, kismet will only report back signal strength when there's real data coming FROM the client and it's often just sitting there. It's a windows box with its firewall turned on so it won't respond to ping, etc.

Is there anyway to make the client send out data packets short of deauthing it?

A Backtrack app and/or windows app would acceptable.

Thanks in advance,
TheErk

Have you considered reporting the theft to the police?

**TheErk** · 04-18-2007, 07:31 PM

Not my laptop. And I'm working with the police. Our campus police isn't exactly tech savvy.

--TheErk

**theprez98** · 04-18-2007, 07:38 PM

Originally Posted by TheErk

Not my laptop. And I'm working with the police. Our campus police isn't exactly tech savvy.

--TheErk

If you're working with the police, then there shouldn't be any problem creating traffic by deauthing the client. Explain what you're doing.

Unless there is a specific reason you don't want to deauth it?

**TheErk** · 04-18-2007, 07:44 PM

I don't really want to deauth it as there are lots of AP's in that area, don't want it bouncing around from AP to AP as Kismet is AP specific when your looking at client info. Also, I really don't want it to be noticeable if the user gets back on.

--TheErk

**rooster** · 04-18-2007, 07:54 PM

this story really sounds a bit far fetched.
why dont you get a search warrant and search the building. apparently you are spending massive amounts of time on one laptop theft anyway..

**theprez98** · 04-18-2007, 08:38 PM

Originally Posted by rooster

this story really sounds a bit far fetched.
why dont you get a search warrant and search the building. apparently you are spending massive amounts of time on one laptop theft anyway..

I was thinking the same thing.

**TheErk** · 04-18-2007, 08:39 PM

Geez. What do I have to do, give a DNA sample?

Ok, full story, I work for IT at a university. There's a stolen laptop that the thief is still using (moron) in a 5 story dorm building. I've been able to narrow it down to a wing and three floors due to relative signal strength from the AP's, but can't get any closer.

By using Kismet and an Atheros card, I can get relative Signal strength from a client to my tablet PC, BUT the client has to be "chatty". And evidentially ARP requests isn't enough for it to show up. If I can force the client to send out some real information, then I can easily get a warrant for a particular room (can't do it for the ENTIRE building) and then I've got 'em. I've been able to find pinging IPAQ in my own building that someone hid for me. So I know this will work. But an IPAQ and a windows firewall are two totally different animals.

Is that enough info to stop the naysayers? Sheesh. I'm not trying to steal information or even hack this guy (although I'm getting to the point of trying that), I'm just trying to get the computer to talk to me a bit so Kismet will give me a reading.

Thanks,
TheErk

**theprez98** · 04-18-2007, 08:44 PM

Originally Posted by TheErk

Geez. What do I have to do, give a DNA sample?

Ok, full story, I work for IT at a university. There's a stolen laptop that the thief is still using (moron) in a 5 story dorm building. I've been able to narrow it down to a wing and three floors due to relative signal strength from the AP's, but can't get any closer.

By using Kismet and an Atheros card, I can get relative Signal strength from a client to my tablet PC, BUT the client has to be "chatty". And evidentially ARP requests isn't enough for it to show up. If I can force the client to send out some real information, then I can easily get a warrant for a particular room (can't do it for the ENTIRE building) and then I've got 'em. I've been able to find pinging IPAQ in my own building that someone hid for me. So I know this will work. But an IPAQ and a windows firewall are two totally different animals.

Is that enough info to stop the naysayers? Sheesh. I'm not trying to steal information or even hack this guy (although I'm getting to the point of trying that), I'm just trying to get the computer to talk to me a bit so Kismet will give me a reading.

Thanks,
TheErk

Depending on your school, you may not even need a search warrant.

Also, despite the fact that a firewall is running, this does not mean there aren't ports configured to be open...

**TheErk** · 04-18-2007, 08:52 PM

No we actually don't need a warrant, but in that situation we can't press criminal charges, however we just don't have the manpower in UPD to go room to room and search. This is a pretty good sized dorm and our antennas are pretty powerful on our AP's so while I have a general idea on where he is, still think needle in haystack.

I've been in networking for a while, but security tools is all something rather new to me. Heck, I've worked with Linux more in the last week than I have in the last year. My main problem is that I just can't figure out how to make it reply to something, and to be honest I'm not sure where to start even if there were ports open.

It doesn't respond to pings, nbtstats, traces, ftp, remote desktop. It doesn't send anything back at all. I can get it to respond to ARPs a lot but that doesn't seem to be enough information for Kismet to pick up.

My IPAQ sang like a canary when I hit it with a port scanner, but this doesn't do that either. Any ideas for a newb?

--TheErk

PS Yes this is a lot of work for a laptop, but it's been slow here recently and I'd REALLY like to catch this guy. Besides if it was your laptop, wouldn't you want someone looking for it if they knew it was still around??

BackTrack Linux - Penetration Testing Distribution

Thread: Finding a stolen laptop via wireless

Thread Tools

Search Thread

Display

Finding a stolen laptop via wireless

Posting Permissions