Mr-Protocol Posted December 13, 2013

I made this script that does a quick scan of nearby access points using iw wlan1 scan, and then parses the information into an easier format. Hopefully this is useful to someone for maybe a module development or whatever you can think of. This does NOT use airodump-ng.

It turns this:

root@Pineapple:~# iw wlan1 scan
BSS AA:AA:AA:AA:AA:AA (on wlan1) -- associated
    TSF: 494637657085 usec (5d, 17:23:57)
    freq: 2412
    beacon interval: 100
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -40.00 dBm
    last seen: 180 ms ago
    Information elements from Probe Response frame:
    SSID: MRPROTOCOL
    Supported rates: 1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0
    DS Parameter set: channel 1
    ERP: <no flags>
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
         * Capabilities: 16-PTKSA-RC (0x000c)
    Extended supported rates: 6.0 9.0 12.0 48.0
    HT capabilities:
        Capabilities: 0x18fe
            HT20/HT40
            SM Power Save disabled
            RX Greenfield
            RX HT20 SGI
            RX HT40 SGI
            TX STBC
            No RX STBC
            Max AMSDU length: 7935 bytes
            DSSS/CCK HT40
        Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
        Minimum RX AMPDU time spacing: 8 usec (0x06)
        HT RX MCS rate indexes supported: 0-15, 32
        HT TX MCS rate indexes are undefined
    HT operation:
         * primary channel: 1
         * secondary channel offset: above
         * STA channel width: any
         * RIFS: 0
         * HT protection: non-HT mixed
         * non-GF present: 1
         * OBSS non-GF present: 1
         * dual beacon: 0
         * dual CTS protection: 0
         * STBC beacon: 0
         * L-SIG TXOP Prot: 0
         * PCO active: 0
         * PCO phase: 0
    Extended capabilities: HT Information Exchange Supported
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Selected Registrar: 0x0
         * Response Type: 3 (AP)
         * UUID: Blah
         * Manufacturer: Linksys Inc.
         * Model: Linksys E2000
         * Model Number: v1.0.03
         * Serial Number: 42
         * Primary Device Type: 6-0050f204-1
         * Device name: Linksys E2000
         * Config methods: Label, PBC
    WMM:     * Parameter version 1
         * u-APSD
         * BE: CW 15-1023, AIFSN 3
         * BK: CW 15-1023, AIFSN 7
         * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
         * VO: CW 3-7, AIFSN 2, TXOP 1504 usec
BSS BB:BB:BB:BB:BB:BB (on wlan1)
    TSF: 1108801215 usec (0d, 00:18:28)
    freq: 2462
    beacon interval: 100
    capability: ESS ShortSlotTime (0x0401)
    signal: -52.00 dBm
    last seen: 30 ms ago
    Information elements from Probe Response frame:
    SSID: Pineapple5_BBBB
    Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
    DS Parameter set: channel 11
    ERP: Barker_Preamble_Mode
    Extended supported rates: 24.0 36.0 48.0 54.0
    HT capabilities:
        Capabilities: 0x116c
            HT20
            SM Power Save disabled
            RX HT20 SGI
            RX HT40 SGI
            RX STBC 1-stream
            Max AMSDU length: 3839 bytes
            DSSS/CCK HT40
        Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
        Minimum RX AMPDU time spacing: 8 usec (0x06)
        HT TX/RX MCS rate indexes supported: 0-7
    HT operation:
         * primary channel: 11
         * secondary channel offset: no secondary
         * STA channel width: 20 MHz
         * RIFS: 0
         * HT protection: no
         * non-GF present: 0
         * OBSS non-GF present: 0
         * dual beacon: 0
         * dual CTS protection: 0
         * STBC beacon: 0
         * L-SIG TXOP Prot: 0
         * PCO active: 0
         * PCO phase: 0
    WMM:     * Parameter version 1
         * BE: CW 15-1023, AIFSN 3
         * BK: CW 15-1023, AIFSN 7
         * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
         * VO: CW 3-7, AIFSN 2, TXOP 1504 usec
BSS CC:CC:CC:CC:CC:CC (on wlan1)
    TSF: 1098785298 usec (0d, 00:18:18)
    freq: 2462
    beacon interval: 100
    capability: ESS ShortSlotTime (0x0401)
    signal: -5.00 dBm
    last seen: 30 ms ago
    SSID: Pineapple5_CCCC
    Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
    DS Parameter set: channel 11
    ERP: Barker_Preamble_Mode
    Extended supported rates: 24.0 36.0 48.0 54.0
    HT capabilities:
        Capabilities: 0x116c
            HT20
            SM Power Save disabled
            RX HT20 SGI
            RX HT40 SGI
            RX STBC 1-stream
            Max AMSDU length: 3839 bytes
            DSSS/CCK HT40
        Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
        Minimum RX AMPDU time spacing: 8 usec (0x06)
        HT TX/RX MCS rate indexes supported: 0-7
    HT operation:
         * primary channel: 11
         * secondary channel offset: no secondary
         * STA channel width: 20 MHz
         * RIFS: 0
         * HT protection: no
         * non-GF present: 0
         * OBSS non-GF present: 0
         * dual beacon: 0
         * dual CTS protection: 0
         * STBC beacon: 0
         * L-SIG TXOP Prot: 0
         * PCO active: 0
         * PCO phase: 0
    WMM:     * Parameter version 1
         * BE: CW 15-1023, AIFSN 3
         * BK: CW 15-1023, AIFSN 7
         * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
         * VO: CW 3-7, AIFSN 2, TXOP 1504 usec

Into this:

AA:AA:AA:AA:AA:AA MRPROTOCOL 1
BB:BB:BB:BB:BB:BB Pineapple_BB 11
CC:CC:CC:CC:CC:CC Pineapple_CC 11

Which is much easier to parse through for doing things. If you would like to see more stats from the iw scan feature, let me know.

Here is the script:

#!/bin/bash
# Fruit-FiScan.sh
# Made by Mr-Protocol
# 2013-12-12

#### Scan area for networks and parse into a file in the format: BSS SSID CHAN ####

# Start from a clean output file
if [ -e /tmp/ScannedAPs_Parsed.MP ]; then
    echo "Removed old scanned AP list"
    rm /tmp/ScannedAPs_Parsed.MP
fi

# Keep only the BSS, SSID and channel lines (drop the "OBSS non-GF" HT line, which also contains "BSS")
iw wlan1 scan | grep -v OBSS | grep 'SSID\|BSS\|DS\ Parameter\ set' > /tmp/ScannedAPs.MP

BSS=()
SSID=()
CHAN=()

# One file per field, one line per access point
grep BSS /tmp/ScannedAPs.MP | awk '{print $2}' | tr 'a-f' 'A-F' > /tmp/BSS.MP
grep SSID /tmp/ScannedAPs.MP | awk '{print $2}' > /tmp/SSID.MP
grep channel /tmp/ScannedAPs.MP | awk '{print $5}' > /tmp/CHAN.MP

while read LINE
do
    BSS+=("$LINE")
done < /tmp/BSS.MP

while read LINE
do
    SSID+=("$LINE")
done < /tmp/SSID.MP

while read LINE
do
    CHAN+=("$LINE")
done < /tmp/CHAN.MP

# Arrays are zero-indexed, so the last index is the AP count minus one
count=$(( $(grep -c BSS /tmp/ScannedAPs.MP) - 1 ))

for index in $(seq 0 $count)
do
    echo "${BSS[index]} ${SSID[index]} ${CHAN[index]}" >> /tmp/ScannedAPs_Parsed.MP
done
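The three-grep approach above relies on the BSS, SSID and channel files having the same number of lines, so the arrays are only aligned by position: an access point with a hidden (empty) SSID, or a 5 GHz access point whose probe response carries no "DS Parameter set" element, shifts every later SSID or channel by one row. The following is an added example, not Mr-Protocol's script and not anything posted in this thread: a single-pass awk parser that attaches every field to the BSS line it follows, keeps SSIDs that contain spaces whole, falls back to the "freq:" line for the channel when the DS element is missing, and also carries the signal level. The sample scan text is constructed for the demo (abridged iw output, with one 5 GHz and one hidden network that the original script would misalign); on a live Pineapple the function is fed from iw wlan1 scan, and the interface name is whatever radio you are scanning with.

```shell
#!/bin/sh
# Added example (not Mr-Protocol's script): a single-pass awk parser for
# "iw <dev> scan" output. Every field is attached to the BSS line it follows,
# so a record with a missing field (hidden SSID, 5 GHz AP without a
# "DS Parameter set" line) cannot shift the SSIDs or channels of the APs
# after it, which is the failure mode of grepping each field into its own file.
# Output: BSSID<TAB>CHANNEL<TAB>SIGNAL_DBM<TAB>SSID (SSIDs may contain spaces).

parse_iw_scan() {
    awk '
        # Channel from centre frequency when the DS Parameter set IE is absent.
        function freq_to_chan(f) {
            f = f + 0
            if (f == 2484) return 14
            if (f >= 2412 && f <= 2472) return (f - 2407) / 5
            if (f >= 5000 && f <= 5900) return (f - 5000) / 5
            return "?"
        }
        # Print the record collected so far (nothing before the first BSS line).
        function emit() {
            if (bss == "") return
            if (chan == "?" && freq != "") chan = freq_to_chan(freq)
            printf "%s\t%s\t%s\t%s\n", bss, chan, sig, ssid
        }
        # A BSS line starts a new record; the MAC is the first 17 characters of
        # field 2 (some iw builds print "(on wlanX)" glued to the address).
        /^BSS [0-9a-fA-F:]/ {
            emit()
            bss = toupper(substr($2, 1, 17))
            chan = "?"; sig = "?"; ssid = "<hidden>"; freq = ""
            next
        }
        /^[ \t]*freq:/   { freq = $2; next }
        /^[ \t]*signal:/ { sig = $2; next }
        /^[ \t]*SSID:/ {
            # Keep the whole remainder so SSIDs containing spaces survive.
            s = $0; sub(/^[ \t]*SSID: ?/, "", s)
            if (s != "") ssid = s
            next
        }
        /^[ \t]*DS Parameter set: channel/ { chan = $NF; next }
        END { emit() }
    '
}

# Constructed sample (abridged iw output, made up for this example).
SAMPLE_SCAN='BSS aa:aa:aa:aa:aa:aa (on wlan1) -- associated
    freq: 2412
    signal: -40.00 dBm
    SSID: MRPROTOCOL
    DS Parameter set: channel 1
    HT operation:
         * primary channel: 1
         * OBSS non-GF present: 1
BSS bb:bb:bb:bb:bb:bb(on wlan1)
    freq: 5180
    signal: -61.00 dBm
    SSID: Coffee Shop Guest
    HT operation:
         * primary channel: 36
BSS cc:cc:cc:cc:cc:cc (on wlan1)
    freq: 2462
    signal: -52.00 dBm
    SSID:
    DS Parameter set: channel 11'

# Parse the constructed sample; on a live box use:  iw wlan1 scan | parse_iw_scan
demo() {
    printf '%s\n' "$SAMPLE_SCAN" | parse_iw_scan
}

demo
```

Because the record boundary is the BSS line itself, the parser never needs to count lines or keep three files in step, and the indented "* OBSS non-GF present" and "* primary channel" lines fall through untouched because the patterns are anchored at the start of the line. Tab is used as the field separator so the SSID can be the last column and contain spaces.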
Boosted240 Posted December 14, 2013

This is nice! Could use it on the Pineapple and the Pi (Kali Linux). Looks easy enough to change to wlan2 or 0 also. Could it also display the channel of the network? Maybe signal strength?
Foxtrot Posted December 14, 2013

Nice script Mr-Protocol! Would be cool to have, say, fruit-fi.sh --radio wlanX :D
Mr-Protocol (Author) Posted December 14, 2013

> This is nice! Could use it on the Pineapple and the Pi (Kali Linux). Looks easy enough to change to wlan2 or 0 also. Could it also display the channel of the network? Maybe signal strength?

The channel is the last number in the output, 1 or 11 in this case. I thought about adding signal strength, maybe when I get some time to play with it a bit.

> Nice script Mr-Protocol! Would be cool to have, say, fruit-fi.sh --radio wlanX :D

Yes, I think I will add that feature in the future. I'm not sure if running it on wlan0 would kick karma clients or what that would do. Some testing would be needed.

Thanks for the replies! This was NOT an easy task in bash lol.
Foxtrot Posted December 14, 2013

I'd have no problem testing for you when you get round to adding it if you like. You know where I mostly am anyway :)
Boosted240 Posted December 14, 2013

> The channel is the last number in the output, 1 or 11 in this case.

Ahhh, didn't even see it. Oops. I can do testing also if needed, on the Pineapple and Pi.
Mr-Protocol (Author) Posted December 14, 2013

It works on the Mark V, most likely will not on the Mark IV (haven't tested). Feel free to give it a try on the rPi.
Boosted240 Posted December 15, 2013

Okay, I can't get it to work, I'm probably doing something wrong. What I did:

nano scan.sh
paste script text
change wlan1 to wlan2
save and close
chmod +x ./scan.sh

Made sure wlan2 was up, and did an iw scan to be sure, then ran the script. It runs, because it will tell me "removed old scanned AP list", pause for a second, then just return to the command line. Ideas?
Mr-Protocol (Author) Posted December 15, 2013

It does not put the results to stdout; they go to /tmp/ScannedAPs_Parsed.MP. Easy enough to add to stdout, I'll do that sometime.
Boosted240 Posted December 15, 2013

> It does not put the results to stdout; they go to /tmp/ScannedAPs_Parsed.MP. Easy enough to add to stdout, I'll do that sometime.

Yep, that would be where I went wrong. The file was there just fine.
eth0 Posted December 16, 2013

Here's a one liner:

iwlist wlan0 scan | awk '/ESSID/ {gsub("ESSID:","",$1); print $1} /Address/ {printf "%s ", $5} /Frequency/ {gsub(/\)/,"",$4); printf "%s ", $4}'

Which will output in the format of:

MAC CHANNEL SSID
Mr-Protocol (Author) Posted December 17, 2013

> Here's a one liner:
>
> iwlist wlan0 scan | awk '/ESSID/ {gsub("ESSID:","",$1); print $1} /Address/ {printf "%s ", $5} /Frequency/ {gsub(/\)/,"",$4); printf "%s ", $4}'
>
> Which will output in the format of:
>
> MAC CHANNEL SSID

Nice, have you tested that on the Pineapple? I figured there would be an easier way but I was having enough headache at the time haha.

Works pretty well. Thanks for sharing. I'm not sure how you would edit out the quotes around the SSID, but I will play around with it.
Boosted240 Posted December 17, 2013

> Works pretty well. Thanks for sharing.

Agreed. I made three, one for each radio. Works great. I also made one on the rPi, worked well there also w/Kali.
eth0 Posted December 17, 2013 (edited)

> Nice, have you tested that on the Pineapple? I figured there would be an easier way but I was having enough headache at the time haha.
>
> Works pretty well. Thanks for sharing. I'm not sure how you would edit out the quotes around the SSID, but I will play around with it.

No worries. I left the quotes in so it's easier to programmatically parse the SSIDs that have spaces in them. You could gsub them out or pipe to tr, like so (un-tested):

| tr -d '"'

p.s. Sorry for hijacking your thread! :)

Edited December 17, 2013 by eth0
Mr-Protocol (Author) Posted December 17, 2013

No worries. Good to see one liners. I felt like my arrays were a bit much.