How Wardriving Contributes to OSINT Investigations đź”—︎
If you have been around long enough, you have probably participated in, or at least heard about Wireless Communities. These consisted mainly of enthusiastic local groups who built wireless networks by deploying wireless access points (APs) with customized versions of well-known, open-source router software such as DD-WRT and OpenWrt.
It was also during this time that a collecting practice known as wardriving became popular. It challenged individuals, called stumblers or wardrivers, to collect wireless data information across different regions.
Wardrivers used cars, bikes, or other means of transportation to listen around and identify APs based on beaconing data, storing that info with the corresponding GPS location. The popularity of wardriving steadily decreased as wireless networks began to be widely deployed, and many people no longer found it useful to map or track this kind of information.
Many devices and applications were designed to passively and actively collect it from smartphones or other portable Wi-Fi-enabled devices. The collection and aggregation of this data on a global scale over time has provided a significant source of Signals Intelligence (SIGINT) that can support various types of investigations.
Investigators and forensicators use this data to find or extract artifacts related to the victim’s or offenders’ system, matching one or more wireless network identifiers known as service set identifiers (SSIDs) or the corresponding wireless radio network card identifier called basic service set identifiers (BSSIDs). Every individual computer or mobile device has a preferred network list (PNL) to reconnect to common wireless networks at home or work.
That is the background story of how Wireless Geographic Logging Engine (WiGLE) came about and evolved into a valuable OSINT resource. In this article, we will explain what WiGLE is and show you how to integrate it into Maltego so that you can use it in your OSINT investigations.
What Is Wireless Geographic Logging Engine (WiGLE) đź”—︎
WiGLE is an online service that houses a vast database of aggregated data on the location and information of wireless networks. The information is collected collaboratively by many individuals worldwide.
WiGLE has impressive numbers with around 430k stumblers, and over a billion wireless networks collected. This data source has evolved to encompass not only Wireless Area Networks (WLANs) but also other valuable wireless data, such as Bluetooth devices (wireless personal area networks or WPANs). It has even introduced cellular 3G/4G Radio Towers in the beta stage.
Once you open a free account on WiGLE, you can start exploring the dataset in a global geographical map and apply different filters to search through its user interface (UI) using GPS/Location or Wireless AP data.
This includes searching by SSID (the logical name of the network set by its administrator) or BSSID (the MAC address of the AP that broadcasts that network).
Integrate WiGLE into Maltego in Five Steps đź”—︎
WiGLE provides a wealth of data that can be used in various OSINT investigations. In the next part of this article, we will demonstrate how to benefit from it in Maltego.
Within the tool, analysts can integrate their favorite data sources and tools by building custom Transforms and combining information into one graph.
To integrate WiGLE into Maltego, we will follow five steps :
We recommend that you open your Maltego Desktop Client now and get ready to follow along.
Preparation đź”—︎
WiGLE has its own application programming interface (API) for automated data collection by machines using tools or scripts. For more details, check out their web interface here.
One of the first things to consider when you want to write a new integration is authentication.
In order to query the API, you will need to generate an API token in your WiGLE account menu while logged in.
That allows you to connect the WiGLE data source to your Maltego Client with pieces of code that query that interface and use it through the local Transform feature.
Design đź”—︎
Before we start coding, let us first mock up the WiGLE integration by dragging three Entities into a new graph in Maltego.
- Phrase Entity: to pivot to SSIDs in order to search APs beaconing them
- Location Entity: to pivot to location regions to search all the contained APs
- MAC Address Entity: to pivot to APs having this attribute on its BSSID
Some of the elements needed for this integration do not exist in the tool by default. That is why we will first need to create some Custom Entities for:
- SSID: a wireless network identifier
- Wireless AP: a device that broadcasts an SSID and has a unique BSSID
- Location Square/Circle: two GPS coordinates or a GPS coordinate with a radius that defines a physical area
SSID and Location are quite self-explanatory but Wireless AP is a more complex Entity that needs to be created as an advanced custom Entity.
It has to include all relevant properties provided by WiGLE that might be useful for an investigator. We might consider using the inheritance from a Maltego.MACAddress for the Wireless Access Point Entity, as a MAC Address is an existing Entity and can be used as a unique key identifier for the device.
To better facilitate the analysis process, make use of the Overlay function to customize the visual aspect of your Entities.
For instance, it is useful to visualize not only the SSID and BSSID but also the country of the AP and whether it is public or protected.
Considering the logical connection between the mentioned Entities, we can identify the pivoting points that will serve as Maltego Transforms in an investigation using the WiGLE dataset. These Transforms include:
- Phrase2SSID: generate an SSID based on a specified string
- SSID2WirelessAP: find wireless access points matching a specific SSID
- Location2Square: generate a square region from a specific location point
- Square2WirelessAP: find all wireless access points located in a specific region
- WirelessAP2Location: extract location data where the access point is located
We can now create a manual mock-up in the Maltego graph to visualize the investigative pivoting that will be matched by the corresponding Maltego Transforms:
As you can see, we have illustrated a common investigative workflow that can begin with searching the name of a network with the generate SSIDs Transform to identify Wireless APs. Alternatively, you can start with a location to find devices within a defined region using the To Square Location Transform.
Coding đź”—︎
To connect to a data source, we can use some core libraries, such as the requests library in Python, which allows us to establish connections to HTTP interfaces and parse the incoming HTML/JSON content.
However, it is always advisable to explore existing custom libraries that offer functionalities aligned with our requirements. By doing so, we can benefit from the work of people who have already implemented that logic and built an API wrapper.
One such example is pygle, a WiGLE API wrapper available since 2017. It provides various functions to query specific endpoints within the API.
To code our own Transforms, we will use our maltego-trx library and follow a couple of steps:
Create a Python virtual environment to self-contain the project Install necessary libraries Generate skeleton files
You can start developing your own Transform by using one of the existing Transform templates, such as GreetPerson.py, as a starting point.
Many users simply make use of the copy function within an integrated development environment (IDE), such as Microsoft Visual Studio or Jetbrains PyCharm, to duplicate the template.
If you do not want to start from scratch, you may reuse pieces of code created by other individuals who already matched WiGLE data in their code. Here’s an example.
You can also make a copy of the sample Transform implementation available in Maltego’s GitHub repository.
Connecting đź”—︎
In order to use your newly created local custom Transforms, navigate to the Transforms Menu in Maltego. From there, select the New Local Transform option to open the Local Transform Wizard.
At this point, it is necessary to create a unique Transform ID, such as “mytransforms.SSID2WirelessAP,” so that you can use it later in automation through the existing Machines capability. Also, make sure you choose the right Input Entity type so that the Transform appears when selected.
Lastly, provide the following information by customizing the local folder (PATH) where your development project is located in your file system:
Command Line Parameters Working directory:
Testing đź”—︎
Now it is time to test your new code by dragging a Phrase Entity with your favorite wireless network target onto the graph. You should then see the newly mapped Transforms in the Local Transforms section.
Once you have the new SSID Entity in the graph, you can use the combination of Maltego and the WiGLE data sources to obtain a full list of existing wireless APs matching that specific target.
Now it is possible to continue your investigation with the existing Transforms available in the Transform Hub to take maximum advantage of location data, such as Google Maps Geocoding.
This will enable you to thoroughly explore and investigate your target, aiming to identify individuals, companies, or other relevant Entities associated with those locations.
We’re already excited for you to start experimenting with them!
Start Using Your Custom WiGLE Integration đź”—︎
We hope you enjoyed this new custom integration, and that it inspires you to build your own. If you prefer to try it out without coding it yourself, you can simply download it from our Maltego Local Community Transform (LTC) repository.
To learn more about other data integrations available in Maltego, check out the updated list here.
Don’t forget to follow us on Twitter and LinkedIn, or subscribe to our email newsletter for more information on advancing your investigations with Maltego.
About the Author đź”—︎
Carlos Fragoso
Carlos is the Principal Subject Matter Expert and Lead Instructor at Maltego with over 20 years of professional experience in information security: Incident response, digital forensics, threat intelligence, and threat hunting. A curious and passionate investigator working with big companies and LEAs to tackle cybercrime around the world (Europe, Middle East, LATAM) SANS Institute Instructor.