Jump to content

Collecting probe requests


Recommended Posts

Hey all,

Wanna start by saying that I am not a professional pentester. I have studied computer science as an undergraduate degree but I work in film/television sound post production since a long time and now treat infosec and pentesting as a hobby.

I want to create a script that can collect probe requests from devices around me along with information such as the MAC address, SSID being probed and timestamp. If also possible, I would like to resolve MAC addresses to their host names. Would it be possible for me to be able to do OS fingerprinting on the devices?

For my purposes, I am using a perl script called hoover. Right now it collects the SSID, MAC address, probe count and timestamp. It gives me an output like below:

MAC Address          SSID                         
-------------------- ------------------------------ 

14:5a:05:ef:2a:78    Churchstyle                                 
14:5a:05:ef:2a:78    BTHub5-TNX9                                            
14:5a:05:ef:2a:78    BTHub3-GWNF                                                
14:5a:05:ef:2a:78    Apple Store                                         
14:5a:05:ef:2a:78    BTBusinessHub-333                                          
14:5a:05:ef:2a:78    Wilda                                                  
00:17:c4:17:cf:1a    ASK4 Wireless                                       
14:5a:05:ef:2a:78    Andy Home                                             

!! Total unique SSID: 8

As you can see, half of the work I want to accomplish is done by the script, I just need to now implement MAC address resolver and OS fingerprinting (if possible). This is the code for the script:

#!/usr/bin/perl
#
# hoover.pl - Wi-Fi probe requests sniffer
#
# Original idea by David Nelissen (twitter.com/davidnelissen)
# Thank to him for allowing me to reuse the idea!
#
# 
#
# This script scans for wireless probe requests and prints them out.
# Hereby you can see for which SSID's devices nearby are searching.
#
# Copyright (c) 2012 David Nelissen & Xavier Mertens
# All rights reserved.
# 
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of copyright holders nor the names of its
#    contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
# 
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL COPYRIGHT HOLDERS OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# History
# -------
# 2012/01/11	Created
#

use strict;
use Getopt::Long;

$SIG{USR1}	= \&dumpNetworks; # Catch SIGINT to dump the detected networks
$SIG{INT}	= \&cleanKill;
$SIG{KILL}	= \&cleanKill;
$SIG{TERM}	= \&cleanKill;

my $uniqueSSID = 0;		#uniq ssid counter
my %detectedSSID;	# Detected network will be stored in a hash table
			# SSID, Seen packets, Last timestamp
my $pid;
my $help;
my $verbose;
my $interface = "mon0";
my $d;
my $ifconfigPath = "/sbin/ifconfig";
my $iwconfigPath = "/sbin/iwconfig";
my $tsharkPath   = "/usr/bin/tshark";
# my $d   = "/root/probefilter.txt";
my $options = GetOptions(
	"verbose"		=> \$verbose,
	"help"			=> \$help,
	"interface=s"		=> \$interface,
	"ifconfig-path=s"	=> \$ifconfigPath,
	"iwconfig-path=s"	=> \$iwconfigPath,
	"tsharkPath=s"		=> \$tsharkPath,
	"d=s"		=> \$d,
);

if ($help) {
	print <<_HELP_;
Usage: $0 --interface=wlan0 [--help] [--verbose] [--iwconfig-path=/sbin/iwconfig] [--ipconfig-path=/sbin/ifconfig]
		[--dumpfile=result.txt]
Where:
--interface		: Specify the wireless interface to use
--help			: This help
--verbose		: Verbose output to STDOUT
--ifconfig-path		: Path to your ifconfig binary
--iwconfig-path		: Path to your iwconfig binary
--tshark-path		: Path to your tshark binary
--d    		        : Save found SSID's/MAC addresses in a flat file (SIGUSR1)
_HELP_
	exit 0;
}

print "------------------------------------------\n";
print "------------------------------------------\n";
print "\nhoover.pl - Wi-Fi probe requests sniffer.\n";
print "Original idea by David Nelissen (twitter.com/davidnelissen)\n";
print "Modified by localtoast.\nInterface default set to mon0, specify file output by using the -d argument.\n";
print "\n------------------------------------------\n";
print "------------------------------------------\n";

# We must be run by root
(getlogin() ne "root") && die "$0 must be run by root!\n";

# We must have an interface to listen to
(!$interface) && die "No wireless interface speficied!\n";

# Check ifconfig availability
( ! -x $ifconfigPath) && die "ifconfig tool not found!\n";

# Check iwconfig availability
( ! -x $iwconfigPath) && die "iwconfig tool not found!\n";

# Check tshark availability
( ! -x $tsharkPath) && die "tshark tool not available!\n";

# Configure wireless interface
(system("$ifconfigPath $interface up")) && "Cannot initialize interface $interface!\n";

# Set interface in monitor mode
(system("$iwconfigPath $interface mode monitor")) && die "Cannot set interface $interface in monitoring mode!\n";

# Create the child process to change wireless channels
(!defined($pid = fork)) && die "Cannot fork child process!\n";

if ($pid) {
	# ---------------------------------
	# Parent process: run the main loop
	# ---------------------------------
	($verbose) && print "!! Running with PID: $$ (child: $pid)\n";
	open(TSHARK, "$tsharkPath -i $interface -n -l subtype probereq |") || die "Cannot spawn tshark process!\n";
	while (<TSHARK>) {
		chomp;
		my $line = $_;
		chomp($line = $_); 
		# Everything exept backslash (some probes contains the ssid in ascii, not usable)
		#if($line = m/\d+\.\d+ ([a-zA-Z0-9:]+).+SSID=([a-zA-ZÀ-ÿ0-9"\s\!\@\$\%\^\&\*\(\)\_\-\+\=\[\]\{\}\,\.\?\>\<]+)/) { 
		if($line = m/\d+\.\d+ ([a-zA-Z0-9:_]+).+SSID=([a-zA-ZÀ-ÿ0-9"\s\!\@\$\%\^\&\*\(\)\_\-\+\=\[\]\{\}\,\.\?\>\<]+)/) { 
			if($2 ne "Broadcast") {	# Ignore broadcasts
				my $macAddress = $1;
				my $newKey = $2;
				print DEBUG "$macAddress : $newKey\n";
				if (! $detectedSSID{$newKey})
				{
					# New network found!
					my @newSSID = ( $newKey,		# SSID
							1,			# First packet
							$macAddress,		# MAC Address
							time());		# Seen now
					$detectedSSID{$newKey} = [ @newSSID ];
					$uniqueSSID++;
					print "++ New probe request from $macAddress with SSID: $newKey [$uniqueSSID]\n";
				}
				else
				{
					# Existing SSID found!
					$detectedSSID{$newKey}[1]++;			# Increase packets counter
					$detectedSSID{$newKey}[2] = $macAddress;	# MAC Address
					$detectedSSID{$newKey}[3] = time();		# Now
					($verbose) && print "-- Probe seen before: $newKey [$uniqueSSID]\n";
				}
			}
		}	
	}
}
else {
	# --------------------------------------------------
	# Child process: Switch channels at regular interval
	# --------------------------------------------------
	($verbose) && print STDOUT "!! Switching wireless channel every 5\".\n";
	while (1) {
		for (my $channel = 1; $channel <= 12; $channel++) {
			(system("$iwconfigPath $interface channel $channel")) &&
				die "Cannot set interface channel.\n";
			sleep(5);
		}
	}
	
}

sub dumpNetworks {
	my $i;
	my $key;
	print STDOUT "!! Dumping detected networks:\n";
	print STDOUT "!! MAC Address          SSID                           Count      Last Seen\n";
	print STDOUT "!! -------------------- ------------------------------ ---------- -------------------\n";
	if ($d) {
		open(DUMP, ">/root/$d.txt") || die "Cannot write to $d (Error: $?)";
		print DUMP "MAC Address          SSID                           Count      Last Seen\n";
		print DUMP "-------------------- ------------------------------ ---------- -------------------\n";
	}
	for $key ( keys %detectedSSID)
	{
		my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($detectedSSID{$key}[2]);
		my $lastSeen = sprintf("%04d/%02d/%02d %02d:%02d:%02d", $year+1900, $mon+1, $mday, $hour, $min, $sec);
		print STDOUT sprintf("!! %-20s %-30s %10s %-20s\n", $detectedSSID{$key}[2],
		 				 $detectedSSID{$key}[0], $detectedSSID{$key}[1], $lastSeen);
		($d) && print DUMP sprintf("%-20s %-30s %10s %-20s\n", 
						 $detectedSSID{$key}[2], $detectedSSID{$key}[0],
						 $detectedSSID{$key}[1], $lastSeen); 
	}
	print STDOUT "!! Total unique SSID: $uniqueSSID\n";
	($d) && print DUMP "Total unique SSID: $uniqueSSID\n";
	close(DUMP);
	return;
}

sub cleanKill {
	if ($pid) {
		# Parent process: display information
		print "!! Received kill signal!\n";
		kill 1, $pid;
		dumpNetworks;
	}
	exit 0;
}

Any help is appreciated.

Link to comment
Share on other sites

hey thanks for responding cooper. My purpose is a bit different from the linked thread. I can already capture probes using wireshark but I need to be able to resolve these address, fingerprint OS and arrange the final data to reflect which networks are being searched by multiple devices.

Link to comment
Share on other sites

When you say you want to 'resolve' a MAC address, what do you mean?

You see, you resolve a MAC address to a name the device is known as to the network. Since it's just probing, there is no network just yet. There's not even an IP at this stage. So what are you hoping to get?

One thing that might work is to start the dhcp process to give it an IP (which assumes the device accepts you as an AP) and in that process the device identifies itself, but you won't get that from just the probe.

Similarly with the fingerprinting - I'm fairly certain you'd need to get a network connection with the device. Can't really say if, say, nmap is able to discover if my phone is the shitty iPhone that it is, or starts to wonder if it's a Mac OSX box or whatever. I'm sure people have tried this though. Anybody willing to comment?

Link to comment
Share on other sites

Ok I thought as much about resolving the mac to a host name as theres no connection yet. Thanks for confirming that issue. But, if I can't do that then I am sure I can atleast resolve the MAC address to a manufacturer. Once I have the mac address, I can cross reference them with airodump's airodump-ng-oui.txt. Now the problem is that I don't know how to crawl the textfile and extract the results, i've never worked with perl. any help?

??

Link to comment
Share on other sites

I reached in my research at a stage whereby I see the output of all devices in range probing for an SSID, using scapy for python. Now I need help with 2 things that I am not able to achieve.. writing the data to a file in a table which shows MAC and SSID being probed for, but each MAC should only be listed once and next to it should be a list of SSID's that it probed for and next to it the manufacturer that can verified from airodump's oui text file. So the sample out put in a text file would be:

MAC MANUFACTURER SSID 1

SSID 2

SSID 3

MAC MANUFACTURER SSID 1

and so on... when executing the script the last 3 lines give an error:

#!/usr/bin/env python

import os, os.path
import sys, curses
from scapy.all import *

# interface should be first variable given on the command line
if len(sys.argv) < 2:
  print 'Must define a sniffing interface.\nExiting...'
  sys.exit()
else:
  interface = sys.argv[1]

clients = {}
pcount = 0
mgmtcount = 0

def sniffmgmt(p):
  global pcount, mgmtcount
  pcount += 1
  if p.haslayer(Dot11):
    if p.type == 0 and p.subtype ==4 and p.getfieldval('info') != '':
      mgmtcount += 1
      if p.addr2 not in clients.keys():
        clients[p.addr2] = [p.getfieldval('info')]
      else:
        if not p.getfieldval('info') in clients[p.addr2]:
          clients[p.addr2].append(p.getfieldval('info'))
  output()

def output():
  output = ''
  output += 'Total Packets:  %s\nProbe Requests: %s\n' % (str(pcount), str(mgmtcount))
  output += '=========================\n'
  for key in clients.keys():
      output += '%s - %s\n' % (key, clients[key])
  window.addstr(1, 0, output)
  window.refresh()
 
try:
  window = curses.initscr()
  sniff(iface=interface, prn=sniffmgmt, store=0)
  curses.echo()
  curses.nocbreak()
  curses.endwin()
  print 'Exiting...'
except:
  curses.echo()
  curses.nocbreak()
  curses.endwin()
  traceback.print_exc()
  print 'Exiting...'

#packets = rdpcap('traffic.pcap')
#for packet in packets:
# sniffmgmt(packet)

I hope you can help!

Link to comment
Share on other sites

Well, let's try it with simple shell scripting as I suspect that's easier.

for mac in `awk '{print $1}' < YOUR_MAC_THEN_SSID_INPUT_FILE | sort | uniq`
do
    oui_hex = `echo $mac | sed -e 's/:/-/g' -e 's/\(..-..-..\).*/\1/'`
    manufacturer = `grep $oui_hex airodump-ng-oui.txt | sed 's/.*(hex)[^A-Z]*//`
    echo -e "$mac ($manufacturer)"
    grep $mac YOUR_MAC_THEN_SSID_INPUT_FILE | sed s/$mac/\t/ | sort | uniq
done

This is probably really close to what you're looking for.

P.S. If you want SSID1 to not be on the same line as the mac and the manufacturer, remove the '-e' to the echo command.

Edited by Cooper
Link to comment
Share on other sites

yep that helped,thanks cooper!.. I've added the functionality to look for SSID's on wigle.net and report back the location and now just trying one last thing which is to create a wifi network on mon0 without a dhcp, then try and get the ARP requests from the majority of apple devices around and find the computer name for those devices.

Link to comment
Share on other sites

  • 11 months later...
  • 3 months later...
On ‎26‎/‎04‎/‎2015 at 7:06 PM, localtracker said:

yep that helped,thanks cooper!.. I've added the functionality to look for SSID's on wigle.net and report back the location and now just trying one last thing which is to create a wifi network on mon0 without a dhcp, then try and get the ARP requests from the majority of apple devices around and find the computer name for those devices.

Be interested to see how you established the lookup on Wigle.net and returned the results.

Are you able to post the code.

Many thanks.

Link to comment
Share on other sites

  • 4 months later...

I don't know if this had been covered. It's early in the morning and I'm always fully attentive until I've had coffee.

There are 14 channels on wifi. Not sure which are used. Usually only 1-11 are used. But you can set your router differently. Not legal in all juristictions.

 

airodump-ng has a --manufacturer option that will create it's own column in the csv file you can grep out the station MAC and manufacturer from the OUI list

you'll need to run airodump-ng-oui-update


Link to comment
Share on other sites

I was reading though this post on the old backtrack forum: http://www.backtrack-linux.org/forums/showthread.php?t=25343

There's some useful BASH there that will output the stations

#/bin/bash
wlaninterface=eth1
outputprefix=output
sleeptime=30s
maxclients=20
rm $outputfileprefix*.csv &> /dev/null
airodump-ng -w $outputprefix --output-format csv $wlaninterface  &> /dev/null & 
sleep $sleeptime
kill $!
grep -aA $maxclients 'MAC' `ls $outputprefix*.csv` \
 | grep "$1"                                  \
 | sed -e '/Station/d' -e 's/,//'        \
 | awk '{print $1}' > list_of_station
cat list_of_station

You can just use something like sed to replace the : with - and cut the second half of the mac off then loop the csv file clients and output the oui from

/var/lib/ieee-data/oui.txt
for each client

I'd write the whole function but I gotta go to work. Hope this helps. It's a little simple than all of the code that was up there.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...