Forum Thread: Knowing Only a BSSID, Can an Address Be Found for It?

The title pretty much sums up the gist of it. A longer rundown of the situation might be... Okay, there's about a dozen AP's near enough to me that I can walk to each AP owner's mailbox and see the street address. And, I almost know the majority of people who live around me.

The problem is that I cannot think of any other way to match the detectable SSIDs or BSSIDs to their AP owners, and I need to do exactly that (I'm pretty sure).

See... I've got the handshakes, and I've cracked my own BSSID with Aircrack-ng, using the "Rockyou.txt" wordlist. So I know that the program works, but it was also cheating, because I rigged the wordlist with the already known password.

However, I'm not aware of Aircrack-ng supporting rule based attacks, so I figured I'd get a bit familiar with Hashcat3.3 so that I can use some mangling rules along with just 2 or 3 decent wordlists (like rockyou.txt, etc.) to see what they'll accomplish. However, I ran an error with Hashcat3.3 and the hardware/software setup that I have (* Device #1: Not a native Intel OpenCL runtime, expect massive speed loss). I don't know, but I think I need an OpenCL driver or something (the OS is Kali 2017.1 rolling release, and the machine is a HP Pavilion dv7 with a Centrino Wireless-N 1000 card).

So, I am at a standstill on that part of things, until I get a decent grasp of what I need to do to get Hashcat to run on my setup without throwing an error. In the mean-time, I thought, without twiddling my thumbs and waiting, I thought to try my hand at making some more targeted wordlists with Crunch. After all, I still have a lot to learn about Crunch's syntax, the more commonly used password structures, etc. So, I have the bright idea (yeah, yet to be determined) that I'll just dig around and associate a street address with each network name, and then I can find out some more generic info (names, genders, ages, DOBs, etc.) to make targeted wordlists. Those lists, if used with Hashcat, against the correct BSSID, might yield something. If nothing else, I'd learn alot more about using Crunch.

So, now I'm thinking that I probably need to learn something about Nmap (haven't gotten that far yet), or some other way that I can use the BSSIDs that I have to get some sort of GPS coords or geographical location. After that, Google Maps will fill in the blanks...

So, How would one go about using a BSSID to find out a location or street address? There might even be some online resource that does this sort of thing. If there is then I just didn't see it. I was thinking that there'd probably be something online similar to whois or reverse lookup, but I didn't see anything like that for associating BSSIDs with locations. I do remember glancing at something about finding an AP's physical location but it was when I had just installed Kali and didn't concern me any at the time. How does one usually go about it?

4 Responses

I'm so glad you asked.

I've mapped over a quarter million wireless networks wardriving with Wigle Wifi. The more observations you have of the network, the more accurate the GPS location of the transmitter will be.

This will create a personal database of all the wireless networks in your area with information like encryption type, BSSID, ESSID, and even manufacturer data.

Take a look at and try it out to see if it meets some of your needs. I wrote a tutorial on this that should be released soon.

Wow, that is pretty awesome. I didn't get a chance to browse the forums yet but I hope to get enough free time later on tonight to do so. The area where I am seemed pretty populated with wifi spots, but then I zoomed in and there were only a few ((I guess I'm out in the boondocks)). There are several possibilities that I can think of though, as far as mapping the BSSIDs ((I'm definitely looking into those forums later)).

Earlier, I was looking up something or other online ((I think it was "gpsd")) and happened across the term "Kismet". I hadn't known anything about that program before, even though afterwards I saw that it was included with my OS the whole time. I didn't look into it much yet because I didn't really even know where to start. Like, do you know if most or all wifi routers broadcast GPS info in some packets, and then ((let's say "I")) would just have to install some drivers or something to be able to read that info? Or, should I be able to see that info now in the few dozen *.cap files that I have? I've never really thought to look for that type of info, so I may have just went right over it without noticing. I'm definitely going to look more Kismet, gpsd, and

There was also some other utility name ((part of the Aircrack-ng suite)) that was used for making packets. I just kind of noticed it and didn't think much about it until just now. Maybe I could use something like that to query an AP for its GPS coordinates or something.

One of the things I'm going to look further into while looking more into Wigle and its forums is if I can install it on my android phone and then wardrive ((or warwalk)) the small surrounding neighborhood around me. One thing I'm not certain about though, is if it's necessary for a client to willingly share their location before Wigle maps it? Because you mentioned that you mapped a bunch of networks but there were hardly any mapped where I'm at and the site asked me for permission before mapping my BSSID? I dunno, It may just be a difference between the site and the *.apk version or something like that.

The reason you don't see many networks is you haven't wardrove them yet! Download wigle wifi onto your android phone, walk around downtown wherever you are, and report back. You should find a TON.

Wifle wifi is for casual recon. Your phones GPS data and the signal strength of the wifi networks it finds is recorded. As you observe the same network many times, the location will be refined by the signal strength data and GPS data like triangulation.

For advanced recon, Kismet is choice. Add a GPS reciver like I did to your Raspberry Pi and a high gain wireless network adapter and you'll be able to find and log thousands and thousands of networks. I'm breaking 200,000 unique networks I've observed this way.

Oh and to be more clear, routers do not broadcast their location. You (or someone) must be walking or driving by to capture and log that data so you can query it to find the address of a BSSID.

Share Your Thoughts

  • Hot
  • Active