
Nmap Development mailing list archives

Re: [NSE] mac-geolocation : BSSID (MAC) address based geolocation of WiFi access points
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Fri, 17 Jun 2011 02:41:07 +0200

I personally indeed ran into this. This script was originally meant as
a snmp-bssid-geolocation script, so we'd get all the MAC addresses
through snmp, which lists them fine. While I was in the middle of
exploring SNMP and how to gather the MAC addresses, David noticed that
the snmp-interfaces already gathers all the MAC addresses, so I just
made a patch for it in order to save the MAC addresses to the
nmap.registry. Later we decided to add a script argument for user
friendliness.


On Thu, Jun 16, 2011 at 11:57 PM, Ron <ron () skullsecurity net> wrote:
Hey,

Me and Tom Sellers both attempted to write this script awhile back and ran into a serious issue: on the majority of 
routers I tested, the BSSID wasn't equal to the Mac Address. Therefore, the geolocation lookup was almost always 
wrong. I found that certain routers, such as Linksys, had a mathematical relationship between the BSSID and Mac 
address (one was 2 higher than the other, I think), but that was anything but consistent.

Just wondering if you've run into this?

Ron

On Sun, 22 May 2011 09:52:50 +0200 Gorjan Petrovski <mogi57 () gmail com> wrote:
Hello,

Here is the mac-geolocation script which queries the Google and
Skyhook geolocation services for a location, using the BSSID (MAC)
address of a WiFi access point.

  Google Geolocation lookup related information:
When given a wrong MAC address, or a nonexistent MAC, the Google API
for geolocation of MAC addresses makes an IP geolocation of the host
which is making the geolookup request (which is us). This IP based
geolookup generates a response which has an accuracy field containing
a high value (meaning low accuracy). So, in order to separate the
MAC-based responses from the IP-based ones, we do a lookup of a
non-valid MAC address "00", and compare all the results with that
one: if the results match, and the accuracy is larger than 2000
(meters?) then it's probably safe to say that the geolookup was made
based on our IP address.
Google Geolocation API Protocol:
http://code.google.com/apis/gears/geolocation_network_protocol.html

  Skyhook Geolocation lookup related information:
The Skyhook API used here is not officially documented by Skyhook.
Skyhook API does not return results for a MAC lookup if the country
containing the results is different from our country (country of the
host querying the API)

Because of this, and the slow process of updating the Skyhook
database, I've not yet been able to test the Skyhook-based lookup, so
would someone living in the US please test it against a MAC address
which he knows is in the Skyhook database?
Thanks!

Should I shorten the output, or add a Google Maps link?
The output currently looks like this:
| mac-geolocation:
|   00:24:B2:1E:24:FE
|     Google
|       longitude: -93.100682
|       latitude: 44.9507415
|       accuracy: 1025
|       address:
|         city: "St Paul"
|         country: "United States"
|         county: "Ramsey"
|         country_code: "US"
|         region: "Minnesota"
|     SkyHook
|       longitude: -93.100682
|       latitude: 44.9507415
|       address:
|         street-number:
|         address-line:
|         city: "St Paul"
|         postal-code:
|         county: "Ramsey"
|_        state: "Minnesota"

All comments are welcomed :-)

Cheers,
Gorjan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/




-- 
Gorjan
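
The baseline comparison described in the Google section of the quoted post, as an added example that is not part of the thread or of the mac-geolocation script. Field names follow the sample output above; the function names, the baseline coordinates and the 02:... MAC addresses are constructed for illustration, and the threshold unit is assumed to be meters.

```python
import math

ACCURACY_THRESHOLD = 2000  # value from the post; unit assumed to be meters
REQUIRED = ("latitude", "longitude", "accuracy")


def same_location(a, b, eps=1e-6):
    """True when two responses report the same coordinates (within eps degrees)."""
    return (math.isclose(a["latitude"], b["latitude"], abs_tol=eps)
            and math.isclose(a["longitude"], b["longitude"], abs_tol=eps))


def classify(response, baseline, threshold=ACCURACY_THRESHOLD):
    """Label one lookup as 'mac-based', 'ip-fallback' or 'unknown'.

    baseline is the response to the deliberately invalid MAC "00", i.e. what
    the service answers when it geolocates the requester's IP instead.
    """
    if response is None or baseline is None:
        return "unknown"  # no answer, or nothing to compare against
    if any(k not in response for k in REQUIRED):
        return "unknown"  # incomplete answer, cannot apply the rule
    # Both conditions must hold: same place as the baseline AND coarse accuracy.
    if same_location(response, baseline) and response["accuracy"] > threshold:
        return "ip-fallback"
    return "mac-based"


def classify_all(baseline, responses):
    """Apply classify() to a {mac: response} mapping."""
    return {mac: classify(resp, baseline) for mac, resp in responses.items()}


# Constructed sample data. The first entry reuses the values from the sample
# output in the post; the baseline and the 02:... entries are made up.
BASELINE = {"latitude": 41.9965, "longitude": 21.4314, "accuracy": 25000}
RESPONSES = {
    "00:24:B2:1E:24:FE": {"latitude": 44.9507415, "longitude": -93.100682, "accuracy": 1025},
    "02:00:00:00:00:01": {"latitude": 41.9965, "longitude": 21.4314, "accuracy": 25000},
    "02:00:00:00:00:02": {"latitude": 41.9965, "longitude": 21.4314, "accuracy": 150},
    "02:00:00:00:00:03": None,
}

if __name__ == "__main__":
    for mac, label in classify_all(BASELINE, RESPONSES).items():
        print(mac, label)
```

The third entry shows why the accuracy condition matters: an access point that really is near the querying host matches the baseline coordinates but reports a fine accuracy, so it is kept as MAC-based.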