Why NOT to use password managers?

Hey, it's been years I hadn't posted anything, but there were reasons, OK? So hopefully I would be able to post more often. Now, the title might be a bit bold, but the point is to demonstrate why password managers are not as good as they claim and why some trivial solutions, like browsers are actually not that bad as portrayed. So for this article, I propose to debunk and analyze common misconceptions, regarding password managers, spread by marketing and sales to scare you and make some profit.

 

"browser password managers are limited to that specific browser"

 

OK,  we can just say that it's not true and go on. Not only password storage can be converted from one browser to another, not only browser data can be synchronized on multiple devices, but different browsers can also access your single keyring/keychain. But, what about sharing the password?

"you can't securely share yor passwords with someone else"

 

Despite the fact that there is no integrated solution for such purpose in browsers, I wouldn't say that the stand-alone managers are actually better: you have to use same password manager, have an account and probably pay for it. However, you can always use existing solutions, like free E2E messaging (which you suppose to use for a secure communication anyway), web-based crypto bin/pastes or even (self-made) anonymous token sharing. Granted your password is secure...

"there is no security check for password strength"

 

Not a valid point, browsers are capable of generating "random" passwords, which can be further tuned with an extension. An etropy check is, however, always advised. Nonetheless, sites nowadays will often enforce their own password policy and some services can even provide static passwords that can't be changed, although you're supposed to have different password for different case and change them from time to time (especially if the platform got a leak). Anyway, about the passwords...

"you can only store passwords"

 

It is true that browser password managers storage capabilities are somehow limited, but this is very true for stand-alone password managers as well, thus the existence of disk encryption and cryptographic containers, which brings us to...

 

"browser passwords aren't stored encrypted"

Well, not if you're using a primary/master password and cloud solutions are also possible for browsers. Now, I would like to address a case when you're not storing your passwords encrypted and the first thing that I want to say is that until your hard disk is encrypted, it is actually not that crucial. With disk encryption it's pretty self-explanatory, if your disk/partition isn't encrypted, anyone with physical access to your pc can have your data, which is of course not good. If you use disk encryption (and it's well used), the only way to access your data is to compromise your software and if someone is able to access your pc that way, fewer things could stop the attacker from getting your password to decrypt something that is locked - if you can't trust your system, you can't trust your data. Now, I would always recommend to encrypt, rather than not and to use multiple security layers, also speaking about security...

 

 "your browser isn't a security product and may be compromised"

 

This is, unfortunately, very true, but this is the most used product to access the internet regardless and other password managers aren't perfect either. In fact, nothing is perfect, some browsers are better than the others, some hardening is possible, some password managers have browser extensions (perhaps they aren't sure about their own security either) and even if our software was perfect, there is still the kernel, the hardware and the user ... At this point you could even say that it's more secure to write your password on a post-it, so it can't be hacked on your pc and in fact, hardware password managers, crypto wallets and authentication tokens do exist, not even speaking about biometric and multi-factor strong authentication. By the way, I made a research thesis on this subject some time ago. Furthermore, I also made a password generator (deterministic password manager), which might be somewhat useful in some cases for someone.

 

 Now what?

 

Now, all that we are left with are questions: why should we use password managers in the end? Why use passwords altogether? What is authentication? What is identity? Can it all be secure enough? With all my regret, I must say that I don't have definite answers and in fact, answering this is not the point of the article. What I wanted to show is that browser password storage is actually a pretty viable solution and that the password managers have some limitations to consider. I'm not saying that anyone mustn't use password managers, this is a security solution after all, but I'm saying that there are alternatives and every solution has to be considered from case by case, depending on what you need. Thus, you shouldn't be easily persuaded on what your vendor says, or any "security expert". This article isn't a holy Bible either, I only express my opinion by providing some information to back it up, nothing more, nothing less, it's always up to you to decide what you will use and this is the only thing that I want my reader to keep in mind. That said, stay safe, stay secure.

 

GhostInTheChaos - Chaotic Crypto Stealth VPN for Anonymity and Untraceable Hacking Attacks with Linux and Android

13.07 - as you may have seen in the past, at this date, I publish some pretty decent projects, this one isn't an exception and probably will become a subject of a controversy, like it happened already.

Anyway, the following research (and code) is about the eternal confrontation between order and chaos, specifically between network censorship/filtering and freedom of access, as well as traceability, but also about security.

In order not to complexify an already pretty complex system, let's start from simple things and improve them step by step.

CAN I HAZ ACCEZ?

A simple situation, you're accessing the internet directly (with a router and/or switch) from your device (laptop, PC, tablet, smartphone, etc.) :

This is how the majority of you (unfortunately) access the internet. Well, there are certain advantages, like speed (since no traffic is intentionally modified), simplicity (plug&play) and price (can even be free in some cases). However, there are some obvious disadvantages, like a complete lack of security and privacy. Of course, you still can access some sites over HTTPS, which will provide security (authenticity, confidentiality and integrity), but your ISP or some other attackers  or a corporate firewall can see what site you're visiting, for how long and how much data is going (aka metadata), don't even mentioning that if your country/enterprise will decide to block some sites or/and services, you can't access them anymore (using the described schema) :

You still can use another DNS server and even go over DNSCrypt, but your ISP can still block IPv4 as well as IPv6 addresses and a corporate firewall can force local DNS.

PROXYZ

Some of you might use so-called proxy server, free or paid, which basically routes your web traffic over another server in such a way that your ISP don't handle the packets itself :

This is a pretty common way to bypass censorship and some filtering, although filtering might be problematic since, proxy can force local authentication and redirection, without even speaking about security, especially for "free" proxy servers since, you can't trust them and the traffic still can be unencrypted.

But some of you might have their own servers, in a country with not too many restrictions, which can be used as an encrypted and authenticated proxy server with the help of SSH Dynamic Port Forwarding :

Putting it to port 443 (HTTPS) will even bypass network filtering and censorship, however, it's only a proxy and not a complete VPN and it can and will be blocked by a majority of corporate WAFs or government DPI since, SSL (used by HTTPS) and SSH are different protocols.

VPNZ

Speaking about VPN, some of you might also have it :

Which allows to redirect all network traffic transparently through such server, but there is still the problem of protocol difference, although OpenVPN is based on SSL/TLS and support certificates, the traffic order and packets are still different (depending on configuration), thus can be blocked :

So, a solution is to use another software to simulate HTTPS and encapsulate the VPN traffic inside, one of them is stunnel:

With a proper domain name and certificate, this should work, but you still have to take in count traceability, if you're going to do some stuff that will spark up an interest in your activity since, your VPN provider will store logs at least on IP level that will lead to you.

H4X0RZ

What hackers commonly do is that they have a "bulletproof" VPN, a server that they buy anonymously (usable cards, crypto, etc.) or just hack and use anonymously (Tor, neighbour WiFi, etc.) :

This is very nice, except that you still have to prevent correlation and don't access Tor directly (which will require another technique), plus you will lose some speed. An actual VPN isn't required though, you still can have a simple shell, but you suppose to have a server in order to hack properly (like reverse shell) and store loot.

FORGET EVERYTHING YOU JUST READ

Nothing new so far, right? Well, now we will begin the fun part, in short I will do all of the above in a better way without OpenVPN, stunnel and Tor. Moreover, I will secure servers on network perspective, so let's start with this.

First of all, the whole technical configuration can be automated and found on my GitHub.

Now, we will need iptables on our server to... block all the traffic. Yes, we will block everything which enters the servers (leaving the state-full connections and output/transfer) and yes, this will completely lock it down and make completely invisible on the network. No, I'm not joking. This will ultimately protect from scanning and exploiting the server, "you can't fight what you can't see", the stealth element. I know that you're still wondering, how then we will access the server, except the debug TTY which we may not have in the first place? Well, the answer is knockd, Port Knocking utility, which will allow a specific IP to connect after a special sequence of ports has been sent to server. This is kind of "security by obscurity", I do agree, but since we will secure everything else, this is an optimal solution InMyHakishOpinion since, you don't waste your resources for fail2ban or other stuff like that. I prefer to use only 80 and 443 ports, which is the minimum network filtering nowadays, and then redirect 443 port to our service.

One of them will be SSH, that should still be on its default 22 port, but I would advise to use only ed25519 asymmetric cryptography for key exchange, public key authentication, and ChaCha20/AES256-GCM symmetric ciphers with Poly1305/SHA256 hashes as those are defacto standards at the moment.

You might think that we will redirect 443 to 22 and you will be right, except that we need our SSL/TLS tunnel, which we will create using... socat (crypto element), with a custom certificate of course and if you want, you can even generate one using LetsEncrypt.

At this point, we can freely use our SSH which will bypass WAFs and even switch DPF for proxy effect, but it will be cooler if it was a VPN, right? Well, we will create a VPN using... SSH. No, I'm not joking once again, you can create a virtual remote tunnel (what is VPN basically all about) using SSH. So with SSH you can have both shell and all your traffic routing through it, cool (with some ipv4_forwarding and NAT post-routing). Right now, our setup looks like this and fully functional :

But we are still missing the "anonymity" part and here's where the "chaos element" comes into place. Well, by  chaos I mean I2P, which we will use to make the connection to a second "bulletproof" server almost untraceable from our first server by simply creating an indirect tunnel (kind of hidden service) between them :

And yes, the CHAOS server will also have iptables for blocking, but without knockd since we will only allow input for UDP and maybe IPv6 for tunnelling. Such solution will always participate to I2P internal networking and thus making correlation very difficult (which suppose to be the case for VPN as well). We will still need SSH for the very same purpose in proxy mode (shell/VNC/VPN), so basically we are replacing socat with I2P and doing SSH bounce. The main difference is that I2P is made for internal networking, it's like a mini internet with its own crypto and protocols, which is IMHO can be more secure, more reliable and faster than Tor.

Great, the last thing we need to do is to configure all this for our device, in order we can use it and, with some shell scripts and key/certificate sharing everything is done, you can even use it on Android and pretty much any Linux/Unix with some customization, simple and efficient as that (not considering my days of research, problem solving and budget, heh).

As alternative to dropping all the traffic and redirecting using knockd, you can set up your HTTPS web server at the default 443 port and redirect the traffic to SSL:SSH to another port with knockd and socat. Like this, your connection will seem to be legit HTTPS packets with a real HTML site, which will be visible by everyone, whereas it's an encapsulated and prerouted SSH for you.

ALL YOUR DATA ARE BELONG TO US

Wow, amaze haxor, such APT, so hackerish, many pwn, very leet... but can it be defeated? Well, as it is, it can.

First of all, VPN server has to participate in I2P routing in order to make correlation more difficult. Second, you have to store public keys in order to prevent MITM attacks. Third, you shouldn't rely only on knockd and keep your software up-to-date as well as apply "defence in-depth" (like SELinux/grsec/PAX/AppArmor/cgroups). Fourth, even if there is no difference on the protocol level, there will be some regarding packets/bytes/time, so let's do some analysis :

This chart is a simple HTTPS connection to a search engine, for X we have time in seconds and for Y we have the number of packets (red chart) or bytes (black chart). As another example, let's analyze ProtonMail connection :

On the left the ratio of bytes and on the right the ratio of packets, pretty similar characteristics. Now SSH :

As we can see, the SSH connection differs from SSL, both for packets and bytes. Now OpenVPN :

Much more different. How about to compare SSH through socat ?

Well, as you can see, you can change the protocol, but you can't change the data (red - pure SSH, black - over socat). Same goes for VPN :

Note that even if SSH ciphers are better maintained, protocol is more robust and performance is higher, the major bottle-neck is still TCP over TCP, since SSH doesn't support UDP at the moment, which is a bit different topic of discussion, but still a feasible solution.

PHILOSOPHY OF ENTROPY

My point isn't about that order won't ever win versus chaos, or that chaos stands no chance against order, but about the simple fact that none of them can win nor lose. Even if we suppose that the chaos (entropy) is the ultimate destiny of the universe, it will make no sense without order and the fact that the destiny is already determined signifies the presence of order. To put it in the nutshell, nothing is black or white in this world, nothing is determined or uncertain, there is only hope and illusion about either security, either freedom. You can believe me or not, believe that you can believe or not, nothing will matter in the end, but only the fact that you're conscience about your choice at this moment. Entropy is a stable state, so the chaos is order and order is chaos, humans invented it, not universe. Same goes for good/evil, death/life, 0/1 and quantum physics.

Well, I think that I'v kind of leaving my initial topic with such meta-physical-philosophical discussions, without even speaking of all the technical complexity I just explained pretty briefly, so I'll leave you with my "chaos theory" for now.
Remember, the choice doesn't matter, but the fact of choosing does.
Now, think about it all and put my work into the good use :)

Thanks.

SkyrimCrypt - Deniable Encryption and Steganography in Computer Games

Even if TES V Skyrim was released more than 6 years ago, people still play it, people still like it and I found a very interesting and nontrivial way to use it as a decoy to hide information, basically transforming it into a steganographic crypto-container (like TrueCrypt).

You might know from news about MMORPGs espionage, however, this is becoming more than real elsewhere ... I thought that only USA "seek terrorist" in order to do what they want, but it's not a political article.
Perhaps you could use online games in order to have a private chat, it's not a bad idea on a perspective of a decoy, but in a point of security view, there is no encryption and plenty of logs, so if you're going to be under suspicon, it's not going to be private anymore. Nonetheless, how to use offline games as a secure storage? This is what my article is about.

You might wonder - there are already solutions, why bother with another-one? Well, the reason is that I don't agree with the existent. Crypto-containers like TrueCrypt/VeraCrypt/LUKS can be identified and even if you will remove the header (thus adding deniability) you might think that nobody would think that it's an encrypted data, unless you know some mathematics behind cryptology. You see, encrypted data is "random" by nature, a more precise term would be - entropic, and entropy can be calculated, meaning that if you have a huge entropic file (containing "random" data), that would raise a suspicion that may be followed by brute-force that may be followed by cryptanalysis that may be followed by torture. Probably I'm exaggerating for today, but perhaps tomorrow it will be the case.

Anyway, the article suppose to be about games and not about paranoia, so let's do some tests with Skyrim. I have one installed on my Linux with Wine, works not so great, but works. But, do you know what's special about Skryim? Mods, plenty of mods exist for it and if you play Skyrim you probably have dozens of them, but not everybody develop mods, those who do, know their structure, fragmentation and extensions, specifically BSA. Now, let's look at them in the Skyrim's Data folder:

 
Those are classical Skyrim "mods", which may be included right after the purchase (for some editions). BSA is basically a compressed archive, thus "random" by nature, although it has a deterministic header, it can have a very big size too.
Now, let's look at one of them:

I specifically chose the one with textures because, mathematics. So, let me explain you all this. As ent tool shows, 7.97 out of 8 bits in file looks random, which is 99.7% of them, plus it indicates that the file was indeed well compressed, the chi-squared distribution isn't good though. It also showed some more interesting statistics, but they are less important and I'll have to explain what I already said, to begin, here's the file's bytes distribution:

As you can see, it's not so random as the entropy may show us, but how is that calculated after all? Well, when dealing with IT we often will reference to Shannon's entropy, which indicates how "random" are bytes of a file:

 

Basically, you would  perform a negative sum of probability occurred for each byte by multiplying it by the logarithm (necessary power) in base two of itself.
Encrypted file is 8/8 entropic (which is sometimes more than a randomly generated file), just like a ZIP archive and it's chi-squared distribution is about 290 for 95% to be sure, now about that:

Basically, it's the fraction of the square of the difference between the estimated distribution and the observed one to the estimated distribution.
That is very interesting because, it shows us if there is a big difference between what we observe and what we estimate, that our hypothesis is true with a certain probability. And here is where I'm not really agree with the ent tool because, it doesn't really shows the probability of being certain (50% in the best case according to them), but let's just say that the lower this number is, the more you can be sure that the data are "really random" and as you can see from the screenshot, 67 million is way bigger than few hundreds, thus we will reject the random nature of such distribution.
I know that you still may have some questions about all this, so feel free to make some web searches in order to fully understand such useful math.
That was to say that even if our file is entropic, it may not be randomly distributed.

Besides, as you may notice the content of the header isn't that random, but it begins from a couple thousands bytes:

So, we can copy the first non-random bytes and then append out crypto-container to it, claiming that it's just a mod for Skyrim whereas it's not, and to extract, we just specify the offset for dd (or directly) and decrypt :

Nevertheless, mathematics will show the truth behind such decoy, as you can see even if adding thousands of nonrandom bytes to 500Mb that wouldn't affect the entropy, neither the chi square, thus raising the suspicion for that file and uncovering it.
But, I'll assume that it would be enough in the near future to bypass border controls in some countries.

Of course, it will be preferably to have a whole steganographic OS or a disk, but don't worry, R&D in progress :)

By the way, if you're afraid that somebody someday might decrypt your files, instead of encrypting them, just try to decrypt :) that way you will have to encrypt the files in order to receive their original form (with the last block lost however) :

You might ask me why I didn't publish a tool to make such BSA mods? I won't and discourage everyone to do so for the same reason this article is written - stealthing. The existence of that tool may also make you suspicious and if you have logs of using it, it's game over. The point is to have no trace whatsoever. If you want more details about what I just wrote, you can checkout one of my works.

Finally, even if you're not going to use my technique, I still hope that you learned something interesting and perhaps useful from my article.
That said, let's make Skyrim sneaking "great again" :)

WiFi danger demystified - scientific truth and practical solution

 Is WiFi dangerous?
 You can find so much information about how cancerous it is, but on my opinion, it's far to be logical and structurally substantiated and, almost no one proposes a practical solution.
In this article I'll try to simply explain the nature of radio-telecommunication using science and propose simple, but effective solutions.

First of all, what is WiFi? Many of you know that it's radio waves, thus electromagnetic emissions, which are caused by the induction phenomenon, transforming electronic current (electrons flow) into radio waves (electricity is tightly linked to magnetism) and vice-versa. Some of you might even know one of the most common frequencies of such radiation - 2.4 GHz (two billion four hundred million cycles per second), however, fewer knows about the frequency of the microwaves ovens, which is almost the same - 2.45 GHz.

 Let's deal with the microwave at first, why exactly this frequency? You see, the point of the microwave is to make food hot, especially water, and the frequency of its optimal dielectrical heat is exactly 2.45 GHz. Water molecules are polar matters, this means that they have an electrical charge (+ and -) from which depends their position in space, thus, producing a particular electromagnetic radiation will change their charge, molecules will move (change orientation) and from frequency (and wavelength) will depend their speed, and a fast molecule is a hot molecule. In brief, and omitting chemistry and physics details, that's how a microwave oven works.

Now about the WiFi. Why routers, designed for communication, use almost the same frequency that the microwave in the kitchen? Unfortunately, the science won't help much here, except maybe psychology because, the reason lies in legislation (and not conspiracy theory). The thing is that all the radio spectrum, as well as the ground, belongs to the state (government), and nobody has right for any radio emission without an authorization, this is one of the reasons for a quit height cost of mobile communication because, operators rent certain spectrum from the state. Nevertheless, there are frequencies (ISM band) that do not require an authorization and their usage isn't heavily restricted, besides, the antenna can be a simple wire (omnidirectional) with the length of 12.5 cm or 6.25 or even 3.125 (factor of the wavelength). Unfortunately, as history shows, legislation is more pointed towards business, rather than technology and health, especially in the USA, where many standards are adopted.

Turns out that we are all radiated by the microwave, and for the health this is not good since, we are practically boiling out brains ... For that reason, the WiFi signal is less strong while raining or in the forest (vegetation), because water absorbs a part of it. Nonetheless, the reality isn't so terrifying. The signal's power is limited and very far from the microwave's, without even counting the obstacles, the harm is pretty insignificant, but still is (like if there are 50 hot-spots and you're sensitive to EMF).

So, what to do? Change the standard? Wear foil hat? Disable WiFi? Once again, I'll try to propose a realistic solution. Everything is simple: switch the wireless router to 5 GHz frequency, this will not only reduce the harm greatly, but improve the speed as well, even if the distance will be at cost. And please, don't buy any kind of "100% EMF-proof protection talisman", at least if it's not a Faraday cage, as I have already proved, it's a scam. I mean there were some phone shielding, but modern smartphones aren't so radiating at all (by them self, see below for the network).

PC is, however, much more dangerous than a phone, but at a certain distance, waves lose their power and, well, such distance if fully provided by a chair, according to my measurements it's just few tens of centimeters, especially if you use ergonomics to your advance.
But even if you managed somehow to completely shield a PC, you should also do something with cables, like headphones because, they are quite powerful actually and since very close to the head, aren't completely safe, though it isn't still enough for a meaningfull damage.
Ethernet cable (aka RJ45) on the other hand is already shielded in many cases because, network engineers have figured out that by twisting pairs and putting foil will reduce the EMF and so the transmission corruption.

Anyway, don't forget that WiFi isn't the only one working in 2.4 GHz spectrum, Bluetooth for instance, also use it, and a microwave under the ear won't do any good (wireless headset), if of course isn't worn all day long, besides the strength (power) of Bluetooth (especially 4LE) is very weak, thus less harmful.
GSM/GPRS/3G/4G/5G work in different spectrum, although not so far from the microwave, the power is much more higher, as well as the potential harm (while speaking long time), so I'll advice to switch to 5G (12-60 GHz), after it will have at least some security and the operators will implement SDR.

Hope that this article was usefull to you and everyone else in the radius of several tens of meters.
Unless, you already have a "Faraday suit" :)

Practical WiFi hosts triangulation with Kismet, Python and Gimp for de-anonimization

NOTE - I created an independent project in order to automize some math

In this article, I'll try to explain how to (approximately) locate and identify any host on any WiFi hotspot, encrypted or not (link layer frames), using triangulation and some tools.

The purpose is to find an anonymous user who spoofed his MAC and consumes all the bandwidth by downloading Game of Thrones.

The exact mathematical therm is Trilateration actually.

So, let's say that we have a typical setup:

Many devices are connected to a single router, in fact, it also can be done with multiple bridges.

Our task is to estimate the location of a precise host (not only the router it-self), in order we can map it.

For now, we need to see the MAC addresses connected to specific AP (access point) and their RSSI in dBm (Received signal strength indication in decibel-milliWatts).

For that we can use WiFiChannelMonitor for Windows or (in our case) Kismet. One can try AirCrack-NG as well, but there are some tricks to add, like frequency channels, ACK/CTS/RTS frames and BSSID associations.

Just after launching Kismet, you should see a prompt for server starting, just press Tab (for navigation) and Enter (to select) Yes :

Name it like you want and Start :

Then, you will have to specify your network interface for promiscuous mode :

Just select your WiFi card or an already monitored interface (like mon0) :

Finally, just close the Console Window :

Now, you should have a pseudo-gui interface :

So, let's find a WiFi hotspot, by applying ESSID filtering (pressing Esc) and navigating using arrow keys :

Then just select (without Enter) the hotspot and you will see all the clients (MACs) connected to the network.
If you select it (Enter), you will see more details (I'm using 5GHz WiFi and not 2.4GHz like most of you) :

OK, let's see the details for the clients (by pressing Esc) :

Lastly, we will need to see their electromagnetic emission power (signal) level (basically, a decibel (power ration) for milliWatt (electricity consumption)), which is not displayed by default :

Now, we are ready :

Kismet will also show the manufacturer (based on MAC vendor) and you can sort them if you want.
Note that even if you return to main window, you will still see the power level :

OK, as you can see Kismet measured the power of my router (67 dBm) and of my smartphone (30), I'm using cable for my PC, so it's not displayed.
Based on such values, we can estimate the distance, but it will be better if we could calculate an approximation, what I did :

You just have to specify the AP frequency (displayed by Kismet as well) in MHz and the host power level (dBm).
The source code of the script can be found on my GitHub.
The formula that I used isn't the most precise (especially if you would make tests with different frequencies), but it's sufficent for our practical purpose.You can also, calculate logarithm with bc by the way, but I know that some of you are using Windows and not big fans of Cygwin, so I decided to make it as portable as possible, thus writing the code in Python.

So, now we know the distance, my smartphone is on my right (15 cm), so it's pretty easy to locate it in this case, but what about the router (10m)? Here's where triangulation (or trilateration) comes in place.

I'll use Gimp as a graphical editor, but you're free to use what you're more comfortable with (PhotoShop, Paint, etc).
So, let's make a square image of 500x500 pixels, which will correspond to 50x50 meters :

And make a circle with radius of 100 (10 meters), thus a diameter of 200, which is equivalent for a flat (not circle) surface of 200x200 (20 meters), or you can just enter 100x100 for simplification :

Just for better comprehension for the next part, let's color it as well :

 

Alright, we are at the center of the circle (my room), and the host can be anywhere on the end of the circle.
So, let's move like 5 meters backward (half of the radius) and measure the distance again.
From my kitchen, it will be 6.5 meters, so let's trace one more circle :

 

Now we can be sure that the host is located either few meters left, either few meters right.
If we decided to step forward or to the side, the distance will increase, but we will still have the two points of intersection.
So, let's make the final 3rd measurement stepping backward again and right few meters to my guest room, and measure 3.3 meters :

If we decided to step left, the distance would increase once again, but we will still have our unique intersection point (I just don't have that much place in my apartment).
OK, now we know almost the exact position, which was right lower corner from the beginning (my room) :

That's it for my router and since, Kismet will now display the power level of all clients, you can do the same for any connected host.
As you can see, it's quite simple and can be automize, but not easy to develop at large scales considering different antennas, obstacles, etc

I hope that you have learned something about WiFi, physics, radio and math.
Now if someone would say "it's anonymous to spoof MAC and connect to WiFI", you should have a smile and remember my article.