A short guide to harvesting information about the wireless networks all around you.

The quieter you become, the mosre you are able to hear.

You can learn a ton by listening to what the many devices around you are saying. You can discover wireless networks, find clients on them, figure out the router make and model, learn the make and model of a router's clients, and see how much traffic is happening on each network.

The Tools

Aircrack

The primary tool for any wireless listening is Aircrack and its airodump-ng command. Most tools that do wireless stuff are using aircrack under the hood.

When you first learn how wireless networks are cracked, there are many steps involved. You are using aircrack in one terminal to listen to all networks, then you identify a network, then you switch to another terminal, copy and paste its mac address, construct your new listening command, switch to the first window, stop the listening process, switch back, run your new listening process, open a third window, copy and paste the mac of clients, etc.

The problem is mainly that aircrack's default mode is user-intensive, display-oriented, and only useful for generating information to be parsed - not for doing any parsing of that information itself. So the power of aircrack comes when you start building tools around aircrack, and start to use aircrack as an ENGINE.

Besside

Besside is part of the Aircrack experimental build branch. If you are building Aircrack yourself, make aircrack with the command make experimental=true to enable this tool to be built. If you aren't building Aircrack yourself......... what are you doing?!?

If you think of Aircrack as a quiet awkward person who isn't sure what information you want and fumbles in actually transferring any of it to you, you can think of Besside as the insane Tazmanian devil that hoovers up information and pounds routers with brass knuckles to get the handshakes it needs.

Python

I strive to keep all my Python tools "fat free," meaning, minimizing the use of non-stock libraries. Not regularly using 900-pound gorillas like Pandas or Numpy. Sticking to simple CSV parsing, etc.

Doing It

Put Card In Monitor Mode

Start by finding your wireless card:

$ iwconfig
$ ifconfig

Now put your wireless card into monitor mode:

$ ifconfig wlan0 down
$ macchanger -r wlan0
$ iwconfig wlan0 mode monitor
$ ifconfig wlan0 up

Gathering Info with Airodump

The easiest way to see what's going on in the airwaves around you is to just monitor things with airodump:

$ airodump-ng wlan0

But to make use of this stuff, instead of just watching it fly across your screen, you'll want to dump that information out somewhere, using the -w flag:

$ airdump-ng -w everything wlan0

Now Aircrack will create a file called everything-01.cap, which will be a pcap file containing all the packets it hears, plus a CSV file called everything-01.csv, which is a CSV file containing all of the information about MAC addresses, network names, power, data, beacons, clients, and traffic. This information can be split up and parsed with Python scripts, so long as you capture it to a file!

Parsing with Python

Splitting the Aircrack File

To create a Python script for parsing Aircrack CSV files, the first thing you need to do is to open up the CSV file into a string, and split it down the middle.

Aircrack CSV files are divided into two parts, one for access points and one for clients, with different columns and data in each part. These are split by one empty line, which, if the file is read into a string, appears as \r\n\r\n (one new line is \r\n so two new lines are \r\n\r\n).

So we can load the CSV file into a string, and split it at that empty line.

Then we can feed the two resulting strings to CSV parsers, and turn the string into a list with our data in it.

Here's what that splitting script looks like:

A Python script for parsing Aircrack CSV files: https://gist.github.com/charlesreid1/d6736897b0c7f3bc69d3

import csv

def csv2blob(filename):

    with open(filename,'rb') as f:
        z = f.read()

    # Split into two parts: stations (APs) and clients

    parts = z.split('\r\n\r\n')
    
    stations = parts[0]
    
    clients = parts[1]

    import sys
    if sys.version_info[0] < 3:
        from StringIO import StringIO
    else:
        from io import StringIO

    stations_str = StringIO(stations)
    clients_str  = StringIO(clients)

    r = csv.reader(stations_str)
    i = list(r)
    z = [k for k in i if k <> []]

    stations_list = z

    r = csv.reader(clients_str)
    i = list(r)
    z = [k for k in i if k <> []]

    clients_list = z
    
    return stations_list, clients_list

Now we have a list of stations data, and a list of clients data, which are returned by the function.

Extracting/Printing Data

Now we can use the station and client data obtained in the prior section to print it all out in a nice format, and use it to construct some handy commands for listening/monitoring specific networks.

First things first, call the function we just defined.

Then, go from there. Parse the station data first, then parse the client data.

from lookup_hardware import lookup_hardware
from read_airodump import csv2blob
import re

csvfile='/path/to/everything-01.csv'

stations_list, clients_list = csv2blob(csvfile)


#################################
# Data for 
# Stations 
# (Access Points)
#################################

nstations = len(stations_list)

sthead = stations_list[0]

stations_head = [j.strip() for j in sthead]

stations_data = [stations_list[i] for i in range(1,nstations)]

for i,row in enumerate(stations_data):

    # get indices
    ap_mac_ix  = stations_head.index('BSSID')
    ap_name_ix = stations_head.index('ESSID')
    ap_sec_ix  = stations_head.index('Privacy')
    ap_pow_ix  = stations_head.index('Power')
    ap_ch_ix   = stations_head.index('channel')

    # get values
    ap_mac = row[ap_mac_ix].strip()
    ap_name = row[ap_name_ix].strip()
    ap_sec = row[ap_sec_ix].strip()
    ap_pow = row[ap_pow_ix].strip()
    ap_ch = row[ap_ch_ix].strip()

    # other stuff
    mac_prefix = ap_mac[0:8]
    ap_mfg = lookup_hardware(mac_prefix)

    if ap_name=='':
        ap_name="unlabeled"

    mac_name = re.sub('\:','_',ap_mac)

    ######################
    # Print out some information
    print "="*40
    print "Name:",ap_name
    print "Channel:",ap_ch
    print "MAC:",ap_mac
    print "Manufacturer:",ap_mfg
    print "Encryption:",ap_sec
    print "Power:",ap_pow
    print ""

    # ##########################
    # # Print out an airodump command
    print ""
    print "Listen to this network:"
    print "airodump-ng","-d",ap_mac,"-c",ap_ch,"-w","'"+mac_name+"'","wlan1"
    print "airodump-ng","-d",ap_mac,"-c",ap_ch,"-w","'"+ap_name+"'","wlan1"
    print ""


#################################
# Data for 
# Clients
#
#################################

nclients = len(clients_list)

clhead = clients_list[0]

clients_head = [j.strip() for j in clhead]

clients_data = [clients_list[i] for i in range(1,nclients)]

for i,row in enumerate(clients_data):

    c_mac_ix = clients_head.index('BSSID')
    c_pow_ix = clients_head.index('Power')

    c_mac = row[c_mac_ix].strip()
    c_pow = row[c_pow_ix].strip()

    if c_mac=='(not associated)':
        continue

    mac_prefix = c_mac[0:8]
    c_mfg = lookup_hardware(mac_prefix)

    ######################
    # Print out some information
    print "="*40
    print "Client MAC:",c_mac
    print "Manufacturer:",c_mfg
    print "Power:",c_pow
    print ""

Harvesting Wireless Network Information

From charlesreid1

Contents