Vodmya
Posted January 15, 2012

Might be an easy question but I'll ask anyway. Does anyone know of a way of using an app like airodump to display only probe requests of unassociated clients? airodump-ng -a mon0 doesn't seem to do a heck of a lot.

I'm not looking for a filter rule for Wireshark. What I am attempting to do is run a utility that will monitor the air and display only probe requests with their bssid and previously connected AP essids (i.e. only the lower half of airodump-ng).

No malicious intent, just curious about what is happening around me in real time with a nice simple GUI. (I get a kick out of some of the APs' essids, esp. those who use Apple products. Even after a master reset, prev connected machines are still displayed with a 'ginormous' listing.)

Infiltrator
Posted January 15, 2012

The only option I can think of at the moment is placing your wireless adapter in monitor mode and then capturing the traffic around you with Wireshark. That should definitely get what you want. However, if there is a utility that can do what you are asking, then I really would like to hear about it.

Mr-Protocol
Posted January 15, 2012

You can use Wireshark combined with one or more of these filters to review data capture files. The SSID is included within these packets for the AP.

wlan.fc.type_subtype == 0 (association request)
wlan.fc.type_subtype == 4 (probe request)
wlan.fc.type_subtype == 5 (probe response)
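
Added example, not part of the thread or any poster's code: a small Python parser showing how the three filter values above map to the 802.11 frame-control byte and where the SSID sits in each frame type, so you can see what a client discloses in a probe request. It assumes raw 802.11 management frames with the radiotap header and FCS already stripped; the `build` helper and the sample MAC and SSID are constructed test data.

```python
# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype. Management
# frames are type 0, so the filter values 0, 4 and 5 equal the subtype.
NAMES = {0: "association request", 4: "probe request", 5: "probe response"}
# Fixed-field bytes that precede the tagged parameters in each frame body.
FIXED_LEN = {0: 4, 4: 0, 5: 12}
HDR_LEN = 24  # frame control, duration, addr1, addr2, addr3, sequence control


def type_subtype(frame: bytes) -> int:
    """Compute the same value Wireshark exposes as wlan.fc.type_subtype."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)


def parse_mgmt(frame: bytes):
    """Return (frame name, transmitter MAC, SSID) or None if not handled."""
    if len(frame) < HDR_LEN:
        return None
    ts = type_subtype(frame)
    if ts not in NAMES:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    pos = HDR_LEN + FIXED_LEN[ts]
    ssid = None
    # Walk the tagged parameters (id, length, value) until the SSID (id 0).
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop instead of trusting the length
        if tag == 0:
            ssid = value.decode("utf-8", errors="replace")  # "" = wildcard
            break
        pos += 2 + length
    return NAMES[ts], src, ssid


def build(subtype: int, src: bytes, ssid: bytes, fixed: bytes = b"") -> bytes:
    """Construct a sample management frame (test data, not a capture)."""
    hdr = (bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6
           + src + b"\xff" * 6 + b"\x00\x00")
    return hdr + fixed + bytes([0, len(ssid)]) + ssid


if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")  # constructed, locally administered
    for frame in (build(4, mac, b"HomeNet"), build(4, mac, b""),
                  build(5, mac, b"HomeNet", fixed=bytes(12))):
        print(parse_mgmt(frame))
```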

digip
Posted January 15, 2012

I know you said you didn't want to use Wireshark filters, but maybe the command line version of it, tshark, or even tcpdump, can be piped to ngrep for probes only. ngrep might do the trick by itself, but I've never used it before.

Vodmya
Posted January 15, 2012 (edited)

Wireshark is definitely an option but I'm really looking for something quick and dirty without diving into the individual packets. My googling fingers are tired. I believe I'm looking for an app or script that hasn't been written yet.

A temp solution would be to set the wireless card to another country (i.e. BO) and place it on an "ill-advisable" channel depending on where you live, and in theory there would be minor overlapping/no traffic and all of the output would be mostly unassociated probe requests.

It would be a nifty tool to have running to be able to see whose wifi-enabled mobile devices give them away before entering your vicinity.

Safer/legal alternative: airodump-ng -c 1 --encrypt=OPN mon0 (unless you live in stupidville)

Edited January 15, 2012 by Vodmya

digip
Posted January 15, 2012 (edited)

> Wireshark is definitely an option but I'm really looking for something quick and dirty without diving into the individual packets. My googling fingers are tired. I believe I'm looking for an app or script that hasn't been written yet.
>
> A temp solution would be to set the wireless card to another country (i.e. BO) and place it on an "ill-advisable" channel depending on where you live, and in theory there would be minor overlapping/no traffic and all of the output would be mostly unassociated probe requests.
>
> It would be a nifty tool to have running to be able to see whose wifi-enabled mobile devices give them away before entering your vicinity.
>
> Safer/legal alternative: airodump-ng -c 1 --encrypt=OPN mon0 (unless you live in stupidville)

If you capture on only a specific channel, vs. channel hopping, you will only see probes on that specific channel and ones close to it, i.e. channel 1 would pick up channel 2 and 3 sometimes.

Look into how ngrep works though. Like I said, I haven't used it, but it's meant for grepping network traffic vs. files on the local system the way normal grep does. Your best bet though is to save to a pcap and analyze later, although you should be able to pipe it data and then maybe pipe that output to screen or a log file while echoing finds back to screen at the same time.

http://link.brightcove.com/services/player/bcpid710694489001?bclid=708670032001&bctid=710381954001

Edited January 15, 2012 by digip

Vodmya
Posted January 15, 2012

Tks for the tip on ngrep (haven't used it either). Be interesting to see if the specific data could be filtered and piped and then viewed in real time.

My next question would be about the unassociated probe requests. Even though I've set my card to ch1 (1-3 overlaps) (my exercises have resulted in "Joe Average" broadcasting on ch 6 or 11 mostly), as well as having an encryption filter to open auth (lowest amount of broadcasters) to cut down on the viewable output using strictly airodump-ng, would be:

Are the unassociated clients searching on set channels or are they searching on all the bands looking for wifi and prev associated APs? If they are not band specific, I should still be viewing the same amount of traffic the same as if I was channel hopping?

Vodmya
Posted January 15, 2012 (edited)

Just found my answer. Running 2 monitor modes at the same time. One set to channel 1 and the other to channel 11. Output is the same for unassociated clients.

Just found a script that looks promising as well: https://github.com/xme/hoover

Big thanks to this forum and the Hak5 show for all your advice, it is appreciated!

Edited January 15, 2012 by Vodmya

Mr-Protocol
Posted January 15, 2012

Yeah, that uses tshark and some data parsing. I may make a port for Python just for fun.