localtracker Posted April 25, 2015 Share Posted April 25, 2015 Hey all, Wanna start by saying that I am not a professional pentester. I have studied computer science as an undergraduate degree but I work in film/television sound post production since a long time and now treat infosec and pentesting as a hobby. I want to create a script that can collect probe requests from devices around me along with information such as the MAC address, SSID being probed and timestamp. If also possible, I would like to resolve MAC addresses to their host names. Would it be possible for me to be able to do OS fingerprinting on the devices? For my purposes, I am using a perl script called hoover. Right now it collects the SSID, MAC address, probe count and timestamp. It gives me an output like below: MAC Address SSID -------------------- ------------------------------ 14:5a:05:ef:2a:78 Churchstyle 14:5a:05:ef:2a:78 BTHub5-TNX9 14:5a:05:ef:2a:78 BTHub3-GWNF 14:5a:05:ef:2a:78 Apple Store 14:5a:05:ef:2a:78 BTBusinessHub-333 14:5a:05:ef:2a:78 Wilda 00:17:c4:17:cf:1a ASK4 Wireless 14:5a:05:ef:2a:78 Andy Home !! Total unique SSID: 8 As you can see, half of the work I want to accomplish is done by the script, I just need to now implement MAC address resolver and OS fingerprinting (if possible). This is the code for the script: #!/usr/bin/perl # # hoover.pl - Wi-Fi probe requests sniffer # # Original idea by David Nelissen (twitter.com/davidnelissen) # Thank to him for allowing me to reuse the idea! # # # # This script scans for wireless probe requests and prints them out. # Hereby you can see for which SSID's devices nearby are searching. # # Copyright (c) 2012 David Nelissen & Xavier Mertens # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. Neither the name of copyright holders nor the names of its # contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDERS OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # # History # ------- # 2012/01/11 Created # use strict; use Getopt::Long; $SIG{USR1} = \&dumpNetworks; # Catch SIGINT to dump the detected networks $SIG{INT} = \&cleanKill; $SIG{KILL} = \&cleanKill; $SIG{TERM} = \&cleanKill; my $uniqueSSID = 0; #uniq ssid counter my %detectedSSID; # Detected network will be stored in a hash table # SSID, Seen packets, Last timestamp my $pid; my $help; my $verbose; my $interface = "mon0"; my $d; my $ifconfigPath = "/sbin/ifconfig"; my $iwconfigPath = "/sbin/iwconfig"; my $tsharkPath = "/usr/bin/tshark"; # my $d = "/root/probefilter.txt"; my $options = GetOptions( "verbose" => \$verbose, "help" => \$help, "interface=s" => \$interface, "ifconfig-path=s" => \$ifconfigPath, "iwconfig-path=s" => \$iwconfigPath, "tsharkPath=s" => \$tsharkPath, "d=s" => \$d, ); if ($help) { print <<_HELP_; Usage: $0 --interface=wlan0 [--help] [--verbose] [--iwconfig-path=/sbin/iwconfig] [--ipconfig-path=/sbin/ifconfig] [--dumpfile=result.txt] Where: --interface : Specify the wireless interface to use --help : This help --verbose : Verbose output to STDOUT --ifconfig-path : Path to your ifconfig binary --iwconfig-path : Path to your iwconfig binary --tshark-path : Path to your tshark binary --d : Save found SSID's/MAC addresses in a flat file (SIGUSR1) _HELP_ exit 0; } print "------------------------------------------\n"; print "------------------------------------------\n"; print "\nhoover.pl - Wi-Fi probe requests sniffer.\n"; print "Original idea by David Nelissen (twitter.com/davidnelissen)\n"; print "Modified by localtoast.\nInterface default set to mon0, specify file output by using the -d argument.\n"; print "\n------------------------------------------\n"; print "------------------------------------------\n"; # We must be run by root (getlogin() ne "root") && die "$0 must be run by root!\n"; # We must have an interface to listen to (!$interface) && die "No wireless interface speficied!\n"; # Check ifconfig availability ( ! -x $ifconfigPath) && die "ifconfig tool not found!\n"; # Check iwconfig availability ( ! -x $iwconfigPath) && die "iwconfig tool not found!\n"; # Check tshark availability ( ! -x $tsharkPath) && die "tshark tool not available!\n"; # Configure wireless interface (system("$ifconfigPath $interface up")) && "Cannot initialize interface $interface!\n"; # Set interface in monitor mode (system("$iwconfigPath $interface mode monitor")) && die "Cannot set interface $interface in monitoring mode!\n"; # Create the child process to change wireless channels (!defined($pid = fork)) && die "Cannot fork child process!\n"; if ($pid) { # --------------------------------- # Parent process: run the main loop # --------------------------------- ($verbose) && print "!! Running with PID: $$ (child: $pid)\n"; open(TSHARK, "$tsharkPath -i $interface -n -l subtype probereq |") || die "Cannot spawn tshark process!\n"; while (<TSHARK>) { chomp; my $line = $_; chomp($line = $_); # Everything exept backslash (some probes contains the ssid in ascii, not usable) #if($line = m/\d+\.\d+ ([a-zA-Z0-9:]+).+SSID=([a-zA-ZÀ-ÿ0-9"\s\!\@\$\%\^\&\*\(\)\_\-\+\=\[\]\{\}\,\.\?\>\<]+)/) { if($line = m/\d+\.\d+ ([a-zA-Z0-9:_]+).+SSID=([a-zA-ZÀ-ÿ0-9"\s\!\@\$\%\^\&\*\(\)\_\-\+\=\[\]\{\}\,\.\?\>\<]+)/) { if($2 ne "Broadcast") { # Ignore broadcasts my $macAddress = $1; my $newKey = $2; print DEBUG "$macAddress : $newKey\n"; if (! $detectedSSID{$newKey}) { # New network found! my @newSSID = ( $newKey, # SSID 1, # First packet $macAddress, # MAC Address time()); # Seen now $detectedSSID{$newKey} = [ @newSSID ]; $uniqueSSID++; print "++ New probe request from $macAddress with SSID: $newKey [$uniqueSSID]\n"; } else { # Existing SSID found! $detectedSSID{$newKey}[1]++; # Increase packets counter $detectedSSID{$newKey}[2] = $macAddress; # MAC Address $detectedSSID{$newKey}[3] = time(); # Now ($verbose) && print "-- Probe seen before: $newKey [$uniqueSSID]\n"; } } } } } else { # -------------------------------------------------- # Child process: Switch channels at regular interval # -------------------------------------------------- ($verbose) && print STDOUT "!! Switching wireless channel every 5\".\n"; while (1) { for (my $channel = 1; $channel <= 12; $channel++) { (system("$iwconfigPath $interface channel $channel")) && die "Cannot set interface channel.\n"; sleep(5); } } } sub dumpNetworks { my $i; my $key; print STDOUT "!! Dumping detected networks:\n"; print STDOUT "!! MAC Address SSID Count Last Seen\n"; print STDOUT "!! -------------------- ------------------------------ ---------- -------------------\n"; if ($d) { open(DUMP, ">/root/$d.txt") || die "Cannot write to $d (Error: $?)"; print DUMP "MAC Address SSID Count Last Seen\n"; print DUMP "-------------------- ------------------------------ ---------- -------------------\n"; } for $key ( keys %detectedSSID) { my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($detectedSSID{$key}[2]); my $lastSeen = sprintf("%04d/%02d/%02d %02d:%02d:%02d", $year+1900, $mon+1, $mday, $hour, $min, $sec); print STDOUT sprintf("!! %-20s %-30s %10s %-20s\n", $detectedSSID{$key}[2], $detectedSSID{$key}[0], $detectedSSID{$key}[1], $lastSeen); ($d) && print DUMP sprintf("%-20s %-30s %10s %-20s\n", $detectedSSID{$key}[2], $detectedSSID{$key}[0], $detectedSSID{$key}[1], $lastSeen); } print STDOUT "!! Total unique SSID: $uniqueSSID\n"; ($d) && print DUMP "Total unique SSID: $uniqueSSID\n"; close(DUMP); return; } sub cleanKill { if ($pid) { # Parent process: display information print "!! Received kill signal!\n"; kill 1, $pid; dumpNetworks; } exit 0; } Any help is appreciated. Quote Link to comment Share on other sites More sharing options...
cooper Posted April 25, 2015 Share Posted April 25, 2015 Your timing's spot-on. Check out this topic. Someone else is trying to do the exact same thing. Quote Link to comment Share on other sites More sharing options...
localtracker Posted April 25, 2015 Author Share Posted April 25, 2015 hey thanks for responding cooper. My purpose is a bit different from the linked thread. I can already capture probes using wireshark but I need to be able to resolve these address, fingerprint OS and arrange the final data to reflect which networks are being searched by multiple devices. Quote Link to comment Share on other sites More sharing options...
cooper Posted April 25, 2015 Share Posted April 25, 2015 When you say you want to 'resolve' a MAC address, what do you mean? You see, you resolve a MAC address to a name the device is known as to the network. Since it's just probing, there is no network just yet. There's not even an IP at this stage. So what are you hoping to get? One thing that might work is to start the dhcp process to give it an IP (which assumes the device accepts you as an AP) and in that process the device identifies itself, but you won't get that from just the probe. Similarly with the fingerprinting - I'm fairly certain you'd need to get a network connection with the device. Can't really say if, say, nmap is able to discover if my phone is the shitty iPhone that it is, or starts to wonder if it's a Mac OSX box or whatever. I'm sure people have tried this though. Anybody willing to comment? Quote Link to comment Share on other sites More sharing options...
localtracker Posted April 26, 2015 Author Share Posted April 26, 2015 Ok I thought as much about resolving the mac to a host name as theres no connection yet. Thanks for confirming that issue. But, if I can't do that then I am sure I can atleast resolve the MAC address to a manufacturer. Once I have the mac address, I can cross reference them with airodump's airodump-ng-oui.txt. Now the problem is that I don't know how to crawl the textfile and extract the results, i've never worked with perl. any help? ?? Quote Link to comment Share on other sites More sharing options...
localtracker Posted April 26, 2015 Author Share Posted April 26, 2015 I reached in my research at a stage whereby I see the output of all devices in range probing for an SSID, using scapy for python. Now I need help with 2 things that I am not able to achieve.. writing the data to a file in a table which shows MAC and SSID being probed for, but each MAC should only be listed once and next to it should be a list of SSID's that it probed for and next to it the manufacturer that can verified from airodump's oui text file. So the sample out put in a text file would be: MAC MANUFACTURER SSID 1 SSID 2 SSID 3 MAC MANUFACTURER SSID 1 and so on... when executing the script the last 3 lines give an error: #!/usr/bin/env python import os, os.path import sys, curses from scapy.all import * # interface should be first variable given on the command line if len(sys.argv) < 2: print 'Must define a sniffing interface.\nExiting...' sys.exit() else: interface = sys.argv[1] clients = {} pcount = 0 mgmtcount = 0 def sniffmgmt(p): global pcount, mgmtcount pcount += 1 if p.haslayer(Dot11): if p.type == 0 and p.subtype ==4 and p.getfieldval('info') != '': mgmtcount += 1 if p.addr2 not in clients.keys(): clients[p.addr2] = [p.getfieldval('info')] else: if not p.getfieldval('info') in clients[p.addr2]: clients[p.addr2].append(p.getfieldval('info')) output() def output(): output = '' output += 'Total Packets: %s\nProbe Requests: %s\n' % (str(pcount), str(mgmtcount)) output += '=========================\n' for key in clients.keys(): output += '%s - %s\n' % (key, clients[key]) window.addstr(1, 0, output) window.refresh() try: window = curses.initscr() sniff(iface=interface, prn=sniffmgmt, store=0) curses.echo() curses.nocbreak() curses.endwin() print 'Exiting...' except: curses.echo() curses.nocbreak() curses.endwin() traceback.print_exc() print 'Exiting...' #packets = rdpcap('traffic.pcap') #for packet in packets: # sniffmgmt(packet) I hope you can help! Quote Link to comment Share on other sites More sharing options...
cooper Posted April 26, 2015 Share Posted April 26, 2015 (edited) Well, let's try it with simple shell scripting as I suspect that's easier. for mac in `awk '{print $1}' < YOUR_MAC_THEN_SSID_INPUT_FILE | sort | uniq` do oui_hex = `echo $mac | sed -e 's/:/-/g' -e 's/\(..-..-..\).*/\1/'` manufacturer = `grep $oui_hex airodump-ng-oui.txt | sed 's/.*(hex)[^A-Z]*//` echo -e "$mac ($manufacturer)" grep $mac YOUR_MAC_THEN_SSID_INPUT_FILE | sed s/$mac/\t/ | sort | uniq done This is probably really close to what you're looking for. P.S. If you want SSID1 to not be on the same line as the mac and the manufacturer, remove the '-e' to the echo command. Edited April 26, 2015 by Cooper Quote Link to comment Share on other sites More sharing options...
localtracker Posted April 26, 2015 Author Share Posted April 26, 2015 yep that helped,thanks cooper!.. I've added the functionality to look for SSID's on wigle.net and report back the location and now just trying one last thing which is to create a wifi network on mon0 without a dhcp, then try and get the ARP requests from the majority of apple devices around and find the computer name for those devices. Quote Link to comment Share on other sites More sharing options...
elroto07 Posted March 28, 2016 Share Posted March 28, 2016 Hi, I've been testing with hoover.pl and it's awesome. Does anyone know if there is a tool to collect hidden bluetooth devices similar to hoover? Thanks, best regards. Quote Link to comment Share on other sites More sharing options...
Tissy Posted July 12, 2016 Share Posted July 12, 2016 On 26/04/2015 at 7:06 PM, localtracker said: yep that helped,thanks cooper!.. I've added the functionality to look for SSID's on wigle.net and report back the location and now just trying one last thing which is to create a wifi network on mon0 without a dhcp, then try and get the ARP requests from the majority of apple devices around and find the computer name for those devices. Be interested to see how you established the lookup on Wigle.net and returned the results. Are you able to post the code. Many thanks. Quote Link to comment Share on other sites More sharing options...
0phoi5 Posted July 18, 2016 Share Posted July 18, 2016 (edited) Why re-invent the wheel? Doesn't NetDiscover do this? *edit* Also, nmap! Edited July 18, 2016 by haze1434 Quote Link to comment Share on other sites More sharing options...
vailixi Posted November 22, 2016 Share Posted November 22, 2016 I don't know if this had been covered. It's early in the morning and I'm always fully attentive until I've had coffee. There are 14 channels on wifi. Not sure which are used. Usually only 1-11 are used. But you can set your router differently. Not legal in all juristictions. airodump-ng has a --manufacturer option that will create it's own column in the csv file you can grep out the station MAC and manufacturer from the OUI list you'll need to run airodump-ng-oui-update Quote Link to comment Share on other sites More sharing options...
vailixi Posted November 22, 2016 Share Posted November 22, 2016 I was reading though this post on the old backtrack forum: http://www.backtrack-linux.org/forums/showthread.php?t=25343 There's some useful BASH there that will output the stations #/bin/bash wlaninterface=eth1 outputprefix=output sleeptime=30s maxclients=20 rm $outputfileprefix*.csv &> /dev/null airodump-ng -w $outputprefix --output-format csv $wlaninterface &> /dev/null & sleep $sleeptime kill $! grep -aA $maxclients 'MAC' `ls $outputprefix*.csv` \ | grep "$1" \ | sed -e '/Station/d' -e 's/,//' \ | awk '{print $1}' > list_of_station cat list_of_station You can just use something like sed to replace the : with - and cut the second half of the mac off then loop the csv file clients and output the oui from /var/lib/ieee-data/oui.txt for each client I'd write the whole function but I gotta go to work. Hope this helps. It's a little simple than all of the code that was up there. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.