@gnothiseauton said:
The “threat” from group 2 largely depends on how the wifi is set up. If it is firewalled then there is a good chance an entirely internet-based attacker will never know your device exists. Simply hosting a webserver isn’t enough, you’d need to modify the firewall to route port 80 to your device.
Yeah. That’s the basic assumption I took myself: no port forwarding, device not visible… but then I started questioning that. Hence this ‘experiment’ to see if I’m overlooking something.
Nope. No forwarding (or public IPv6 assignment, but IPv6 is pretty rare for public WiFis), no exposure to/from the interwebs.
Threat group 1, however, is different - but it still depends on how the WLAN is configured. It may be possible to do an nmap scan and find every device connected but that WiFi config is becoming rare.
Yeah, I was wondering about that. My networking s*xx donkeyballs to know enough about that.
Based on my own IP, how would I know what range to scan to see other devices connected to that public network?
You get an IP and subnet mask assigned from the DHCP. Based on those 2, you can calculate the network range. As an example, getting IP 192.168.1.200 and subnet mask 255.255.0.0 means that possible IP addresses are in the range of 192.168.0.1 to 192.168.255.254. For more uncommon subnet masks (e.g. 255.255.240.0), I’d recommend using a subnet calculator, since things can get “difficult” quite easily
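As an added example (not code from anyone in this thread), a small subnet calculator built on Python's standard-library `ipaddress` module that does the calculation described above, including the 255.255.240.0 case and the /31 and /32 edge cases; the host addresses used below are constructed.

```python
import ipaddress


def usable_range(ip: str, netmask: str) -> tuple[str, str, int]:
    """Return (first_usable, last_usable, usable_count) for the network that
    a host address plus a dotted-decimal subnet mask describes.

    strict=False lets us pass a host address (not the network address);
    ipaddress masks off the host bits for us.
    """
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    if net.prefixlen >= 31:
        # /31 (RFC 3021 point-to-point) and /32: no network/broadcast
        # addresses are reserved, every address in the block is usable.
        first, last = net.network_address, net.broadcast_address
    else:
        # Skip the network address and the broadcast address.
        first = net.network_address + 1
        last = net.broadcast_address - 1
    return str(first), str(last), int(last) - int(first) + 1


def network_summary(ip: str, netmask: str) -> dict:
    """Full summary of the network an IP/mask pair belongs to.

    Returns {"error": ...} instead of raising for malformed input or a
    non-contiguous mask such as 255.255.0.255, which ipaddress rejects.
    """
    try:
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    except ValueError as exc:
        return {"error": str(exc)}
    first, last, count = usable_range(ip, netmask)
    return {
        "cidr": str(net),                      # e.g. 192.168.0.0/16
        "prefixlen": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": first,
        "last_usable": last,
        "usable_hosts": count,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the thread's own example plus a /20 mask.
    for host, mask in [("192.168.1.200", "255.255.0.0"), ("10.0.37.5", "255.255.240.0")]:
        print(network_summary(host, mask))
```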
You say there are mechanisms to prevent scanning devices on the same (public) network. Can you say something about that?
This is often called “guest isolation”. Basically, the access point/router creates a small network for each guest with only 2 IP addresses in its range: the router and the client. Each client gets the same IP address and the router routes traffic based on MAC addresses. That way, no client can communicate with other clients, because all traffic destined to the “client IP” will always be consumed by your own system. (This is probably not 100% accurate, but should give a rough idea.)
If it is an entirely passive device it is harder to spot but WiFi is noisy. So if someone is simply sniffing wireless packets, they have a very good chance of inferring the device’s existence and then, with its IP address known, scanning becomes easier.
That’s actually a very interesting remark you make… I never took the beacons into account.
What you are saying is that even if someone can’t scan the devices on the public network, someone within range could find my IP by monitoring the beaconing traffic, right?
Would my IP then be of use, as in reachable, to anyone on that same public network?
…I guess I really need some networking course sometime soon. So much to learn, though…
Well, it’s not just beaconing, but a “passive attacker” who just monitors WiFi traffic from the outside can see MAC addresses communicate with each other. When the WiFi is unencrypted, the attacker can also see/learn the associated IP addresses. In order to communicate with your device, the attacker would still need to join the same network, since the WiFi frames also contain necessary metadata that all communicating parties have to deal with.