Harvesting Wireless Network Information
From charlesreid1
A short guide to harvesting information about the wireless networks all around you.
The quieter you become, the mosre you are able to hear.
You can learn a ton by listening to what the many devices around you are saying. You can discover wireless networks, find clients on them, figure out the router make and model, learn the make and model of a router's clients, and see how much traffic is happening on each network.
Contents
The Tools
Aircrack
The primary tool for any wireless listening is Aircrack and its airodump-ng command. Most tools that do wireless stuff are using aircrack under the hood.
When you first learn how wireless networks are cracked, there are many steps involved. You are using aircrack in one terminal to listen to all networks, then you identify a network, then you switch to another terminal, copy and paste its mac address, construct your new listening command, switch to the first window, stop the listening process, switch back, run your new listening process, open a third window, copy and paste the mac of clients, etc.
The problem is mainly that aircrack's default mode is user-intensive, display-oriented, and only useful for generating information to be parsed - not for doing any parsing of that information itself. So the power of aircrack comes when you start building tools around aircrack, and start to use aircrack as an ENGINE.
Besside
Besside is part of the Aircrack experimental build branch. If you are building Aircrack yourself, make aircrack with the command make experimental=true
to enable this tool to be built. If you aren't building Aircrack yourself......... what are you doing?!?
If you think of Aircrack as a quiet awkward person who isn't sure what information you want and fumbles in actually transferring any of it to you, you can think of Besside as the insane Tazmanian devil that hoovers up information and pounds routers with brass knuckles to get the handshakes it needs.
Python
I strive to keep all my Python tools "fat free," meaning, minimizing the use of non-stock libraries. Not regularly using 900-pound gorillas like Pandas or Numpy. Sticking to simple CSV parsing, etc.
Doing It
Put Card In Monitor Mode
Start by finding your wireless card:
$ iwconfig $ ifconfig
Now put your wireless card into monitor mode:
$ ifconfig wlan0 down $ macchanger -r wlan0 $ iwconfig wlan0 mode monitor $ ifconfig wlan0 up
Gathering Info with Airodump
The easiest way to see what's going on in the airwaves around you is to just monitor things with airodump:
$ airodump-ng wlan0
But to make use of this stuff, instead of just watching it fly across your screen, you'll want to dump that information out somewhere, using the -w
flag:
$ airdump-ng -w everything wlan0
Now Aircrack will create a file called everything-01.cap, which will be a pcap file containing all the packets it hears, plus a CSV file called everything-01.csv, which is a CSV file containing all of the information about MAC addresses, network names, power, data, beacons, clients, and traffic. This information can be split up and parsed with Python scripts, so long as you capture it to a file!
Parsing with Python
Splitting the Aircrack File
To create a Python script for parsing Aircrack CSV files, the first thing you need to do is to open up the CSV file into a string, and split it down the middle.
Aircrack CSV files are divided into two parts, one for access points and one for clients, with different columns and data in each part. These are split by one empty line, which, if the file is read into a string, appears as \r\n\r\n
(one new line is \r\n
so two new lines are \r\n\r\n
).
So we can load the CSV file into a string, and split it at that empty line.
Then we can feed the two resulting strings to CSV parsers, and turn the string into a list with our data in it.
Here's what that splitting script looks like:
A Python script for parsing Aircrack CSV files: https://gist.github.com/charlesreid1/d6736897b0c7f3bc69d3
import csv
def csv2blob(filename):
with open(filename,'rb') as f:
z = f.read()
# Split into two parts: stations (APs) and clients
parts = z.split('\r\n\r\n')
stations = parts[0]
clients = parts[1]
import sys
if sys.version_info[0] < 3:
from StringIO import StringIO
else:
from io import StringIO
stations_str = StringIO(stations)
clients_str = StringIO(clients)
r = csv.reader(stations_str)
i = list(r)
z = [k for k in i if k <> []]
stations_list = z
r = csv.reader(clients_str)
i = list(r)
z = [k for k in i if k <> []]
clients_list = z
return stations_list, clients_list
Now we have a list of stations data, and a list of clients data, which are returned by the function.
Extracting/Printing Data
Now we can use the station and client data obtained in the prior section to print it all out in a nice format, and use it to construct some handy commands for listening/monitoring specific networks.
First things first, call the function we just defined.
Then, go from there. Parse the station data first, then parse the client data.
from lookup_hardware import lookup_hardware
from read_airodump import csv2blob
import re
csvfile='/path/to/everything-01.csv'
stations_list, clients_list = csv2blob(csvfile)
#################################
# Data for
# Stations
# (Access Points)
#################################
nstations = len(stations_list)
sthead = stations_list[0]
stations_head = [j.strip() for j in sthead]
stations_data = [stations_list[i] for i in range(1,nstations)]
for i,row in enumerate(stations_data):
# get indices
ap_mac_ix = stations_head.index('BSSID')
ap_name_ix = stations_head.index('ESSID')
ap_sec_ix = stations_head.index('Privacy')
ap_pow_ix = stations_head.index('Power')
ap_ch_ix = stations_head.index('channel')
# get values
ap_mac = row[ap_mac_ix].strip()
ap_name = row[ap_name_ix].strip()
ap_sec = row[ap_sec_ix].strip()
ap_pow = row[ap_pow_ix].strip()
ap_ch = row[ap_ch_ix].strip()
# other stuff
mac_prefix = ap_mac[0:8]
ap_mfg = lookup_hardware(mac_prefix)
if ap_name=='':
ap_name="unlabeled"
mac_name = re.sub('\:','_',ap_mac)
######################
# Print out some information
print "="*40
print "Name:",ap_name
print "Channel:",ap_ch
print "MAC:",ap_mac
print "Manufacturer:",ap_mfg
print "Encryption:",ap_sec
print "Power:",ap_pow
print ""
# ##########################
# # Print out an airodump command
print ""
print "Listen to this network:"
print "airodump-ng","-d",ap_mac,"-c",ap_ch,"-w","'"+mac_name+"'","wlan1"
print "airodump-ng","-d",ap_mac,"-c",ap_ch,"-w","'"+ap_name+"'","wlan1"
print ""
#################################
# Data for
# Clients
#
#################################
nclients = len(clients_list)
clhead = clients_list[0]
clients_head = [j.strip() for j in clhead]
clients_data = [clients_list[i] for i in range(1,nclients)]
for i,row in enumerate(clients_data):
c_mac_ix = clients_head.index('BSSID')
c_pow_ix = clients_head.index('Power')
c_mac = row[c_mac_ix].strip()
c_pow = row[c_pow_ix].strip()
if c_mac=='(not associated)':
continue
mac_prefix = c_mac[0:8]
c_mfg = lookup_hardware(mac_prefix)
######################
# Print out some information
print "="*40
print "Client MAC:",c_mac
print "Manufacturer:",c_mfg
print "Power:",c_pow
print ""
aircrack-ng a suite of tools for wireless cracking.
aircrack-ng Many Ways to Crack a Wifi: Cracking Wifi Aircrack Benchmarking: Aircrack/Benchmarking WEP Attacks with Aircrack: Aircrack/WEP Cracking WPA Attacks with Aircrack: Aircrack/WPA Cracking Aircrack Hardware: Aircrack/Packet Injection Testing Harvesting Wireless Network Information
airodump-ng Basic Usage of Airodump
Category:Security · Category:Wireless · Category:Passwords
|