vailixi Posted March 22, 2015

Does Pineapple do this already? I'm looking for an easy way to get the BSSID, ESSID, channel, encryption, cipher, auth, etc. Just the info I need to create a rogue access point. The end game here is to create a scripted way of capturing the access point information and creating a rogue access point on the fly. So you could walk around a given place and create a clone of each access point and test wireless client security settings en masse. Basically check any of the clients to see if the connect automatically box is unchecked. That or obviously you could use it to get a lot of WPA keys quickly, provided the clients and access points are within the scope of a given test network. Obviously you could filter the MAC addresses or MAC prefixes to make sure. I was looking for an easy way to get an ESSID list from a capture file. Open up the pcap in Wireshark and convert it to plain text, then mess around with some bash. Sorry in advance for my grep statement. I suck at regular expressions.

grep -ho '\bSSID=[^,]\{1,32\}' handshakes.txt | sed 's/^SSID=//' | sort -u > essidlist.txt
i8igmac Posted March 22, 2015

Is the capture file necessary? Airodump-ng creates a csv file in plain text; it will hold all the data you need: access points, clients, channels. Choose your scripting language, sort through this data however you like...
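Parsing the airodump-ng CSV that i8igmac mentions, as an added example that is not code from this thread: it pulls the BSSID, ESSID, channel, privacy, cipher and auth columns into an inventory, then uses that inventory from the defender's side, flagging an ESSID that is advertised by several BSSIDs with disagreeing security settings or vendor OUIs (a look-alike AP) and listing unassociated stations that are probing for saved network names (the clients whose "connect automatically" setting the thread is worried about). The CSV sample is constructed for this example; the column layout and the "(not associated)" marker are assumed to match what airodump-ng writes, and the function names are this example's own.

```python
"""Turn an airodump-ng CSV dump into an AP/client inventory and flag
look-alike networks.  The sample CSV below is constructed for this example;
the column layout is assumed to match what airodump-ng writes."""
from collections import defaultdict

# Constructed sample in airodump-ng's CSV layout: AP table, blank line, station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:AA:BB:01, 2015-03-22 10:00:00, 2015-03-22 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, HomeNet,
00:11:22:AA:BB:02, 2015-03-22 10:00:00, 2015-03-22 10:05:00, 11,  54, WPA2, CCMP, PSK, -45,   98,  0,   0.  0.  0.  0,   7, HomeNet,
DE:AD:BE:EF:00:01, 2015-03-22 10:03:00, 2015-03-22 10:05:00,  6,  54, OPN,     ,    , -30,   40,  0,   0.  0.  0.  0,  10, CoffeeShop,
AA:BB:CC:DD:EE:01, 2015-03-22 10:00:00, 2015-03-22 10:05:00,  1,  54, WPA2, CCMP, PSK, -50,  110,  0,   0.  0.  0.  0,  10, CoffeeShop,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2015-03-22 10:01:00, 2015-03-22 10:05:00, -55,  30, (not associated) , HomeNet,CoffeeShop
77:88:99:AA:BB:CC, 2015-03-22 10:01:00, 2015-03-22 10:05:00, -60,  12, 00:11:22:AA:BB:01,
"""


def parse_airodump_csv(text):
    """Return (aps, clients) parsed from airodump-ng CSV text.

    The ESSID column is split off last because an ESSID may itself contain
    commas; the 'Probed ESSIDs' column is a comma-separated list.
    """
    aps, clients, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):          # header of the AP table
            section = "ap"
            continue
        if line.startswith("Station MAC,"):    # header of the station table
            section = "client"
            continue
        if section == "ap":
            parts = line.split(",", 13)        # 13 fixed columns, then "ESSID, Key"
            if len(parts) < 14:
                continue
            tail = parts[13]
            essid, _key = tail.rsplit(",", 1) if "," in tail else (tail, "")
            aps.append({
                "bssid": parts[0].strip().upper(),
                "channel": int(parts[3]),
                "privacy": parts[5].strip(),
                "cipher": parts[6].strip(),
                "auth": parts[7].strip(),
                "power": int(parts[8]),
                "essid": essid.strip(),
            })
        elif section == "client":
            parts = line.split(",", 6)         # 6 fixed columns, then the probe list
            if len(parts) < 7:
                continue
            clients.append({
                "mac": parts[0].strip().upper(),
                "power": int(parts[3]),
                "bssid": parts[5].strip(),
                "probes": [p.strip() for p in parts[6].split(",") if p.strip()],
            })
    return aps, clients


def find_evil_twins(aps):
    """Flag ESSIDs advertised by several BSSIDs whose security settings or
    vendor OUIs disagree.  A multi-AP network from one vendor with one
    security profile is normal and is not flagged."""
    by_essid = defaultdict(list)
    for ap in aps:
        if ap["essid"]:                        # skip hidden / empty ESSIDs
            by_essid[ap["essid"]].append(ap)
    findings = {}
    for essid, group in by_essid.items():
        if len(group) < 2:
            continue
        reasons = []
        if len({(a["privacy"], a["cipher"], a["auth"]) for a in group}) > 1:
            reasons.append("security settings differ")
        if len({a["bssid"][:8] for a in group}) > 1:   # first three octets = OUI
            reasons.append("different vendor OUIs")
        if reasons:
            findings[essid] = reasons
    return findings


def probing_clients(clients):
    """Unassociated stations broadcasting saved network names: the devices
    that would auto-join a look-alike AP and should be reported."""
    return [c for c in clients if c["bssid"] == "(not associated)" and c["probes"]]


if __name__ == "__main__":
    aps, clients = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps:
        print(f'{ap["bssid"]} ch{ap["channel"]:>2} {ap["privacy"]:<4} '
              f'{ap["cipher"]:<4} {ap["auth"]:<3} {ap["essid"]}')
    for essid, reasons in find_evil_twins(aps).items():
        print(f"suspicious ESSID {essid!r}: {', '.join(reasons)}")
    for c in probing_clients(clients):
        print(f"{c['mac']} is probing for {c['probes']}")
```

On the sample, HomeNet is not flagged (two BSSIDs from the same OUI with the same WPA2/CCMP/PSK profile looks like a normal multi-AP deployment), while CoffeeShop is flagged on both counts because an open AP from a different vendor is advertising the same name as the WPA2 one. Swap SAMPLE_CSV for the contents of the file airodump-ng wrote to run it on a real survey.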
Mr-Protocol Posted March 22, 2015

Yes, the pineapple already can make a list of nearby access points.
digip Posted March 22, 2015

If loading from an existing pcap file after the fact, try tshark and some bash fu to create your own list, but as mentioned there are tools that do what you ask. http://blog.rootshell.be/2012/01/12/show-me-your-ssids-ill-tell-who-you-are/
i8igmac Posted March 22, 2015

You want to create identical access points? I suppose deauth is also wanted here? Deauthenticate all clients and force them to connect to your fake ESSID? Once these clients connect to your rogue AP, then you would need to safe-list these clients from being deauthenticated? Does the channel/BSSID/encryption matter with this kind of exploit... will you increase your success rate if you fully duplicate ESSID/BSSID/channel/encryption? I don't think it matters but I don't have proof...
vailixi Posted March 22, 2015

I don't really plan to use deauthentication. I'm going for something a little more covert. If the client is out of antenna range of the AP and my AP is within range, the client will attempt to authenticate if it is set up to automatically authenticate to known access points. Once again, I just want them to authenticate to the AP so I have the WPA key. I'm not doing MITM or exploitation beyond that. At least for the time being. Also I'm getting some errors with tshark about Wireshark permissions. Anybody know how to fix that?
i8igmac Posted March 22, 2015

Show me how you plan to create the access point? And how you plan to get the key?

Edited March 22, 2015 by i8igmac
digip Posted March 23, 2015

@vailixi I think you fail to understand how this works. With a saved AP in your system, sure, your machine will probe for it, but it's going to look for the same information it has saved, from the SSID to the authentication to the MAC address of the AP. Even if you force it to try and do the handshake, that handshake is a four-way process by which you need to capture all handshakes between the client and the AP, at which point all you'll have is a handshake you can brute force against. You're not going to get a password for the other APs sent to you in the clear, if that is what you are expecting. Read up on WPA/WPA2 authentication. Also, your Pineapple (if using it) automatically accepts all probes and replies "yes, I am the AP you are looking for..", which if they try to connect, all they'll do is try regardless of what authentication is in use. If WPA is enabled they'll try the handshake, which will fail, since you will not be able to reply with what the client is looking for. If you leave it set to Open, then they will connect through you and should drop the WPA in their settings to dumb down to an Open AP, but not 100% sure if it works in this manner on all clients.