Jump to content

Fruit-Fi Scan - Scan and parse iw scan


Mr-Protocol
 Share

Recommended Posts

I made this script that does quick scan of nearby access points using iw wlan1 scan, and then parses the information into an easier format. Hopefully this is useful to someone for maybe a module development or whatever you can think of. This does NOT use airodump-ng.

It turns this:

root@Pineapple:~# iw wlan1 scan
BSS AA:AA:AA:AA:AA:AA (on wlan1) -- associated
	TSF: 494637657085 usec (5d, 17:23:57)
	freq: 2412
	beacon interval: 100
	capability: ESS Privacy ShortSlotTime (0x0411)
	signal: -40.00 dBm
	last seen: 180 ms ago
	Information elements from Probe Response frame:
	SSID: MRPROTOCOL
	Supported rates: 1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 
	DS Parameter set: channel 1
	ERP: <no flags>
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: PSK
		 * Capabilities: 16-PTKSA-RC (0x000c)
	Extended supported rates: 6.0 9.0 12.0 48.0 
	HT capabilities:
		Capabilities: 0x18fe
			HT20/HT40
			SM Power Save disabled
			RX Greenfield
			RX HT20 SGI
			RX HT40 SGI
			TX STBC
			No RX STBC
			Max AMSDU length: 7935 bytes
			DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 8 usec (0x06)
		HT RX MCS rate indexes supported: 0-15, 32
		HT TX MCS rate indexes are undefined
	HT operation:
		 * primary channel: 1
		 * secondary channel offset: above
		 * STA channel width: any
		 * RIFS: 0
		 * HT protection: non-HT mixed
		 * non-GF present: 1
		 * OBSS non-GF present: 1
		 * dual beacon: 0
		 * dual CTS protection: 0
		 * STBC beacon: 0
		 * L-SIG TXOP Prot: 0
		 * PCO active: 0
		 * PCO phase: 0
	Extended capabilities: HT Information Exchange Supported
	WPS:	 * Version: 1.0
		 * Wi-Fi Protected Setup State: 2 (Configured)
		 * Selected Registrar: 0x0
		 * Response Type: 3 (AP)
		 * UUID: Blah
		 * Manufacturer: Linksys Inc.
		 * Model: Linksys E2000
		 * Model Number: v1.0.03
		 * Serial Number: 42
		 * Primary Device Type: 6-0050f204-1
		 * Device name: Linksys E2000
		 * Config methods: Label, PBC
	WMM:	 * Parameter version 1
		 * u-APSD
		 * BE: CW 15-1023, AIFSN 3
		 * BK: CW 15-1023, AIFSN 7
		 * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
		 * VO: CW 3-7, AIFSN 2, TXOP 1504 usec
BSS BB:BB:BB:BB:BB:BB (on wlan1)
	TSF: 1108801215 usec (0d, 00:18:28)
	freq: 2462
	beacon interval: 100
	capability: ESS ShortSlotTime (0x0401)
	signal: -52.00 dBm
	last seen: 30 ms ago
	Information elements from Probe Response frame:
	SSID: Pineapple5_BBBB
	Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 
	DS Parameter set: channel 11
	ERP: Barker_Preamble_Mode
	Extended supported rates: 24.0 36.0 48.0 54.0 
	HT capabilities:
		Capabilities: 0x116c
			HT20
			SM Power Save disabled
			RX HT20 SGI
			RX HT40 SGI
			RX STBC 1-stream
			Max AMSDU length: 3839 bytes
			DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 8 usec (0x06)
		HT TX/RX MCS rate indexes supported: 0-7
	HT operation:
		 * primary channel: 11
		 * secondary channel offset: no secondary
		 * STA channel width: 20 MHz
		 * RIFS: 0
		 * HT protection: no
		 * non-GF present: 0
		 * OBSS non-GF present: 0
		 * dual beacon: 0
		 * dual CTS protection: 0
		 * STBC beacon: 0
		 * L-SIG TXOP Prot: 0
		 * PCO active: 0
		 * PCO phase: 0
	WMM:	 * Parameter version 1
		 * BE: CW 15-1023, AIFSN 3
		 * BK: CW 15-1023, AIFSN 7
		 * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
		 * VO: CW 3-7, AIFSN 2, TXOP 1504 usec
BSS CC:CC:CC:CC:CC:CC (on wlan1)
	TSF: 1098785298 usec (0d, 00:18:18)
	freq: 2462
	beacon interval: 100
	capability: ESS ShortSlotTime (0x0401)
	signal: -5.00 dBm
	last seen: 30 ms ago
	SSID: Pineapple5_CCCC
	Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 
	DS Parameter set: channel 11
	ERP: Barker_Preamble_Mode
	Extended supported rates: 24.0 36.0 48.0 54.0 
	HT capabilities:
		Capabilities: 0x116c
			HT20
			SM Power Save disabled
			RX HT20 SGI
			RX HT40 SGI
			RX STBC 1-stream
			Max AMSDU length: 3839 bytes
			DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 8 usec (0x06)
		HT TX/RX MCS rate indexes supported: 0-7
	HT operation:
		 * primary channel: 11
		 * secondary channel offset: no secondary
		 * STA channel width: 20 MHz
		 * RIFS: 0
		 * HT protection: no
		 * non-GF present: 0
		 * OBSS non-GF present: 0
		 * dual beacon: 0
		 * dual CTS protection: 0
		 * STBC beacon: 0
		 * L-SIG TXOP Prot: 0
		 * PCO active: 0
		 * PCO phase: 0
	WMM:	 * Parameter version 1
		 * BE: CW 15-1023, AIFSN 3
		 * BK: CW 15-1023, AIFSN 7
		 * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
		 * VO: CW 3-7, AIFSN 2, TXOP 1504 usec

Into this:

AA:AA:AA:AA:AA:AA MRPROTOCOL 1
BB:BB:BB:BB:BB:BB Pineapple_BB 11
CC:CC:CC:CC:CC:CC Pineapple_CC 11

Which is much easier to parse though for doing things. If you would like to see more stats from iw scan feature, let me know.

Here is the script:

#!/bin/bash
# Fruit-FiScan.sh
# Made by Mr-Protocol
# 2013-12-12

#### Scan area for networks and parse into a file in the format: BSS SSID CHAN ####
if [ -e /tmp/ScannedAPs_Parsed.MP ]; then
echo "Removed old scanned AP list"
rm /tmp/ScannedAPs_Parsed.MP
fi

iw wlan1 scan | grep -v OBSS | grep 'SSID\|BSS\|DS\ Parameter\ set' > /tmp/ScannedAPs.MP

BSS=()
SSID=()
CHAN=()

grep BSS /tmp/ScannedAPs.MP | awk '{print $2}' | tr 'a-f' 'A-F' > /tmp/BSS.MP
grep SSID /tmp/ScannedAPs.MP | awk '{print $2}' > /tmp/SSID.MP
grep channel /tmp/ScannedAPs.MP | awk '{print $5}' > /tmp/CHAN.MP

while read LINE
do
    BSS+=("$LINE")
done < /tmp/BSS.MP

while read LINE
do
    SSID+=("$LINE")
done < /tmp/SSID.MP 

while read LINE
do
    CHAN+=("$LINE")
done < /tmp/CHAN.MP

count=$(( $(grep -c BSS /tmp/ScannedAPs.MP) - 1 ))

for index in $(seq 0 $count)
do
echo "${BSS[index]} ${SSID[index]} ${CHAN[index]}" >> /tmp/ScannedAPs_Parsed.MP
done 
Link to comment
Share on other sites

This is nice! Could use it on the Pineapple and the Pi. (kali linux) Looks easy enough to change to wlan2 or 0 also.

Could it also display the channel of the network? Maybe signal strength?

Link to comment
Share on other sites

This is nice! Could use it on the Pineapple and the Pi. (kali linux) Looks easy enough to change to wlan2 or 0 also.

Could it also display the channel of the network? Maybe signal strength?

The channel is the last number in the output, 1 or 11 in this case. I thought about adding signal strength, maybe when I get some time to play with it a bit.

Nice script Mr-Protocol!, Would be cool to have say fruit-fi.sh --radio wlanX :D

Yes, I think I will add that feature in the future. I'm not sure if running it on wlan0 would kick karma clients or what that would do. Some testing would be needed.

Thanks for the replies! This was NOT an easy task in bash lol.

Link to comment
Share on other sites

The channel is the last number in the output, 1 or 11 in this case. .

Ahhh didn't even see it. Oops.

I can do testing also if needed, on the Pineapple and Pi.

Link to comment
Share on other sites

Okay, I can't get it to work, I'm probably doing something wrong. What I did:

nano scan.sh

paste script text

change wlan1 to wlan2

save and close

chmod +x

./scan.sh

Made sure wlan2 was up, and did an iw scan to be sure, then ran the script. It runs, because it will tell me "removed old scanned AP list" pause for a second, then just return to the command line. Ideas?

Link to comment
Share on other sites

It does not put the results to stdout, /tmp/ScannedAPs_Parsed.MP

Easy enough to add to stdout, I'll do that sometime.

Yep, that would be where I went wrong. The file was there just fine.

Link to comment
Share on other sites

Here's a one liner:

iwlist wlan0 scan | awk '/ESSID/ {gsub("ESSID:","",$1); print $1} /Address/ {printf "%s ", $5} /Frequency/ {gsub("\)","",$4); printf "%s ", $4}'

Which will output in the format of:

MAC CHANNEL SSID

Nice, have you tested that on the pineapple? I figured there would be an easier way but I was having enough headache at the time haha.

Works pretty well. Thanks for sharing. I'm not sure how you would edit out the quotes around the SSID, but I will play around with it.

Link to comment
Share on other sites

Works pretty well. Thanks for sharing.

Agreed. I made three, one for each radio. Works great. I also made one on the rPi, worked well there also w/Kali.

Link to comment
Share on other sites

Nice, have you tested that on the pineapple? I figured there would be an easier way but I was having enough headache at the time haha.

Works pretty well. Thanks for sharing. I'm not sure how you would edit out the quotes around the SSID, but I will play around with it.

No worries. I left the quotes in so it's easier to programmatically parse the SSIDs that have spaces in them. You could gsub them out or pipe to tr, like so (un-tested):

| tr -d '"'

p.s. Sorry for hijacking your thread! :)

Edited by eth0
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...