Geolocation of Mac OS assets with wifi_survey in Osquery.

Using wifi_survey to get an asset's geolocation.
osquery> SELECT interface, channel, country_code FROM wifi_status;
+-----------+---------+--------------+
| interface | channel | country_code |
+-----------+---------+--------------+
| en0 | 36 | GB |
+-----------+---------+--------------+
  • rssi (signal strength)
    The current received signal strength indication (dBm). The rssi is a measure of the power level that an asset is receiving from the access point. At larger distances the signal gets weaker. The smaller the magnitude of the value (the closer to 0), the closer the asset is to the access point.
  • noise (signal to noise ratio)
    The current noise measurement (dBm): the level of the desired signal compared to the level of background noise.
osquery> SELECT bssid, rssi, noise FROM wifi_survey;
+-------------------+------+-------+
| bssid | rssi | noise |
+-------------------+------+-------+
| 5e:b1:3e:00:00:00 | -64 | -90 |
| 5c:b1:3e:00:00:00 | -62 | 0 |
| 5c:b1:3e:00:00:00 | -64 | -90 |
| 24:20:c7:00:00:00 | -88 | -90 |
| c4:41:1e:00:00:00 | -39 | 0 |
| 5e:b1:3e:00:00:00 | -64 | -90 |
+-------------------+------+-------+
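#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os

import requests

# The API key is read from the environment rather than hard-coded
GOOGLE_CLOUD_API_KEY = os.environ['GOOGLE_CLOUD_API_KEY']


def geolocate(bssid, rssi, noise):
    """Ask the Google Geolocation API where an access point is."""
    url = 'https://www.googleapis.com/geolocation/v1/geolocate'
    params = {
        'key': GOOGLE_CLOUD_API_KEY
    }
    return requests.post(url, params=params, json={
        'considerIp': False,  # Locate from Wi-Fi data only, not the source IP
        'wifiAccessPoints': [{  # Provide your array of access points
            'macAddress': bssid,
            'signalStrength': rssi,
            'signalToNoiseRatio': noise
        }]
    }).json()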
{
  "location": {
    "lat": 37.421925,
    "lng": -122.0841293
  },
  "accuracy": 30
}
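def reverse_geocode(lat, lng):
    """Turn coordinates into a street address with the Geocoding API."""
    url = 'https://maps.googleapis.com/maps/api/geocode/json'
    params = {
        'latlng': '{},{}'.format(lat, lng),
        'key': GOOGLE_CLOUD_API_KEY
    }
    # The Geocoding API is queried with GET; parameters go in the query string
    return requests.get(url, params=params).json()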
{
  "results" : [
    {
      "address_components" : [ .. ],
      "formatted_address" : "145 City Rd, Hoxton, London EC1V 1AZ",
      "geometry" : {
        "location" : {
          "lat" : 37.4224764,
          "lng" : -122.0842499
        },
        ..
      },
      "place_id" : "ChIJ2eUgeAK6j4ARbn5u_wAGqWA",
      "plus_code": {
        "compound_code": "CWC8+W5 Hoxton, London EC1V 1AZ",
        "global_code": "849VCWC8+W5"
      },
      "types" : [ "street_address" ]
    }
  ],
  "status" : "OK"
}
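An added example, not code from the original post: it turns the rows returned by wifi_survey into the wifiAccessPoints array that the geolocation request expects, collapsing the repeated BSSIDs seen in the sample output above. The function name build_geolocation_body and the sample data are constructed here. It assumes noise is the noise floor in dBm (0 meaning not reported), so the ratio sent is rssi - noise, and that a Wi-Fi-only lookup needs at least two access points.

```python
import json

# Constructed sample: rows in the shape printed by
#   osqueryi --json "SELECT bssid, rssi, noise FROM wifi_survey;"
# (osquery emits every column as a string). The BSSIDs are the masked
# values from the table above, so they will not resolve to a real location.
SAMPLE_SURVEY = json.dumps([
    {"bssid": "5e:b1:3e:00:00:00", "rssi": "-64", "noise": "-90"},
    {"bssid": "5c:b1:3e:00:00:00", "rssi": "-62", "noise": "0"},
    {"bssid": "5c:b1:3e:00:00:00", "rssi": "-64", "noise": "-90"},
    {"bssid": "24:20:c7:00:00:00", "rssi": "-88", "noise": "-90"},
    {"bssid": "c4:41:1e:00:00:00", "rssi": "-39", "noise": "0"},
    {"bssid": "5e:b1:3e:00:00:00", "rssi": "-64", "noise": "-90"},
])


def build_geolocation_body(survey_json, min_aps=2):
    """Build the geolocate request body from wifi_survey rows."""
    best = {}
    for row in json.loads(survey_json):
        bssid = row["bssid"].lower()
        rssi, noise = int(row["rssi"]), int(row["noise"])
        # The same BSSID can appear more than once in a survey;
        # keep the strongest reading for each.
        if bssid not in best or rssi > best[bssid][0]:
            best[bssid] = (rssi, noise)

    aps = []
    # Strongest access points first.
    for bssid, (rssi, noise) in sorted(best.items(), key=lambda kv: -kv[1][0]):
        ap = {"macAddress": bssid, "signalStrength": rssi}
        # Assumption: noise is the noise floor in dBm and 0 means "not
        # reported", so the ratio in dB is rssi - noise when noise is known.
        if noise != 0:
            ap["signalToNoiseRatio"] = rssi - noise
        aps.append(ap)

    # Assumption: a Wi-Fi-only lookup needs at least two access points,
    # so fail locally instead of spending an API request.
    if len(aps) < min_aps:
        raise ValueError("need at least %d distinct access points" % min_aps)
    return {"considerIp": False, "wifiAccessPoints": aps}


if __name__ == "__main__":
    print(json.dumps(build_geolocation_body(SAMPLE_SURVEY), indent=2))
```

The returned dictionary can be passed as the json argument of the POST to the geolocate URL shown earlier.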
Using the wifi_survey table to geolocate assets with Osquery

It's all over!

Hopefully you’ve enjoyed that short post on how the wifi_survey table can be used to geolocate Mac assets. However, that’s all for now. Please feel free to get in touch if you have any questions.

Zercurity
