Hak5 Forums
Whistle Master

[Official] Site Survey Module


Module: Site Survey

Version: 1.2

Features:

  • View nearby APs with information such as SSID, MAC, Encryption, Cipher, Auth, Channel, Frequency, Signal Quality.
  • View connected Clients
  • Vendor information on AP's MAC
  • Start capture on AP
  • Start deauth on AP
  • Capture history with information such as number of IVS or 4-Way Handshake

Change log:

1.2

  • Add timer to know when the scan will be finished

1.1

  • View connected Clients
  • Bug fixes


Edited by Whistle Master
  • Upvote 9


Having problems with the capture files after stopping the module and trying to download the results. The download button will not download the files.


Running deauth mode for length consistently locks the pineapple up. The situation seems to be aggravated when recon wlan1 is active also, resulting in scans being dropped entirely and a situation where a factory reset was needed to restore. When both worked at once it was pretty awesome.

Some difficulties in viewing successful capture mode files, even appearing. Downloaded fine after reloading tab.

The only thing on my end, that I could think might interfere is client mode. I might see how that works off later...


Running deauth mode for length consistently locks the pineapple up. The situation seems to be aggravated when recon wlan1 is active also, resulting in scans being dropped entirely and a situation where a factory reset was needed to restore. When both worked at once it was pretty awesome.

Some difficulties in viewing successful capture mode files, even appearing. Downloaded fine after reloading tab.

The only thing on my end, that I could think might interfere is client mode. I might see how that works off later...

Why would you be trying to deauth while doing a survey? That makes no sense.

  • Upvote 1


Deauth always causes me all sorts of problems for some reason. Besides I don't see any use for it when I'm using Recon Mode.


Well.... Deauth will disconnect devices from the AP, forcing them to reconnect and therefore increasing the chance to capture a 4-Way Handshake!

  • Upvote 1


Well.... Deauth will disconnect devices from the AP, forcing them to reconnect and therefore increasing the chance to capture a 4-Way Handshake!

I suppose. I saw this as more of a recon type of thing. I know, and my email client knows, when the wifi at my client sites starts acting up, people tell me. Throwing out deauth packets will attract attention.


Why would you be trying to deauth while doing a survey? That makes no sense.

Yes! To get the handshake faster. I've resolved a better method of doing this.

Which is to be on the open AP and disable management.

Edited by Kapu Lanai


Is there any way to verify that the handshakes are being captured through this? Based on my attempt to submit to OHC they claimed that the .cap's didn't contain them when this capture said it had been done.

Any thoughts or ways to check? I guess I can probably use aircrack-ng from console.


The module is already testing if the handshake is present BUT there is no perfect way to check for that... You have the following options:

- Aircrack (used in the module): not 100% accurate, but fast and available for the pineapple.

- Pyrit: more accurate but not available on the pineapple.

- Cowpatty: more accurate but not available on the pineapple.

So you can also download the .pcap file and test on a laptop whether you really have the handshake.

  • Upvote 2


I've done it this way, but just using the module... making sure one of them has a monitor interface up. Let it run for a bit, accumulate a cap under 10 MB, and then manually submit to OHC, and no matter what they all result in "Sorry, we are unable to find any valid WPA handshakes in your file. Try another dump or read our tutorial, or contact us for manual checking." even though the module says it's been captured.

I can disconnect and reconnect to my AP like 50 times and it still says nothing was captured according to the website, but the module states YES with only a few IVs. What gives?

  • Upvote 1


I've done it this way, but just using the module... making sure one of them has a monitor interface up. Let it run for a bit, accumulate a cap under 10 MB, and then manually submit to OHC, and no matter what they all result in "Sorry, we are unable to find any valid WPA handshakes in your file. Try another dump or read our tutorial, or contact us for manual checking." even though the module says it's been captured.

I can disconnect and reconnect to my AP like 50 times and it still says nothing was captured according to the website, but the module states YES with only a few IVs. What gives?

I've had the same problem. I've downloaded the file and run the cap through aircrack-ng and it will show no handshake. This doesn't happen every time, but a lot.

Edited by b0N3z


I've tried many more times, sometimes with caps above 50 MB, and aircrack still tells me there's been no handshake even though the module says so :unsure:

Also the timer is a nice addition, thanks WM

Edited by purrball


The module says that the handshake is present, but when you try with aircrack directly, it says no?

Could you please send me a copy of one of those files so that I can test that?


Thanks for this module. I run into trouble because I use my Tetra in a different configuration.

I have taken all the default network configuration out, and just run it with the 2 interfaces turned off. When I use the Tetra I basically put the 2 physical devices into monitor mode.

I end up with a WLAN0MON and a WLAN1MON. For my use purpose this is perfect. The SiteSurvey module however doesn't work when running in this config. It scans but no results are returned.

Any easy way to fix this, without altering my adapter config?

PS. The built-in Recon mode does work in this configuration, but SSIDs are no longer displayed, only BSSIDs, and strength is no longer available.


Thanks for this module. I run into trouble because I use my Tetra in a different configuration.

I have taken all the default network configuration out, and just run it with the 2 interfaces turned off. When I use the Tetra I basically put the 2 physical devices into monitor mode.

I end up with a WLAN0MON and a WLAN1MON. For my use purpose this is perfect. The SiteSurvey module however doesn't work when running in this config. It scans but no results are returned.

Any easy way to fix this, without altering my adapter config?

PS. The built-in Recon mode does work in this configuration, but SSIDs are no longer displayed, only BSSIDs, and strength is no longer available.

I assume the same goes for Site Survey, but Recon mode will do a normal iw scan. We are about to release a new version of recon mode which will only require a monitor radio to scan.

Best Regards,

Sebkinne

  • Upvote 1


That sounds great! If possible, for either module.... a vendor lookup for the AP as well as connected Clients would be AWESOME and much much much appreciated!!!


The scan is done with a normal interface. If you have the two interfaces in monitor mode, you can't scan, because the module is using iwlist, which does not support monitor interfaces.


So I did some more experimenting, ran aircrack on Windows. Sometimes it did find the handshake as the module stated; however wpaclean, oclhashcat, and onlinehashcrack.com all said that it was false. wpaclean actually resulted in a "bad file" error. So I'm not sure what is wrong with the cap files, and I'm not experienced enough to analyze them line by line, but nothing seems to be able to work with them, even the few times aircrack agreed there was a handshake present. So strange.

I will try to PM you a very small handshake cap to look at if that might help.

The module says that the handshake is present, but when you try with aircrack directly, it says no?

Could you please send me a copy of one of those files so that I can test that?

Edited by purrball


As I said, the problem is with aircrack, which is not 100% accurate. You have two other programs that you can use:

- Pyrit

- Cowpatty

Note: I've managed to run Pyrit on the pineapple. I will integrate it in the next release of the module to provide more accurate information about the handshake. I'll also add the option to "strip" a cap file to only keep the handshake, which will reduce the file size.

Edited by Whistle Master

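The disagreement discussed above (the module and aircrack reporting a handshake while other tools reject the same file) comes down to how strictly a checker matches the four EAPOL-Key messages. The following example, added here and not part of the module or any of the tools named in the thread, parses a pcap for EAPOL-Key frames, classifies each as message 1-4 from its Key Information flags, and reports both a lenient verdict (any M2 next to an M1 or M3) and a strict one (an M2 and M3 with consecutive replay counters). The MAC addresses, nonces and pcap it builds are constructed sample data; the lenient/strict split is an illustration of why verdicts differ, not a description of any named tool's exact heuristic.

```python
import struct
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200  # EAPOL-Key Key Info flags
SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header with EtherType 0x888E
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs

def classify(ki):
    """Map Key Information flags (Ack, MIC, Secure, Install) to message 1-4, else None."""
    flags = tuple(1 if ki & b else 0 for b in (KI_ACK, KI_MIC, KI_SECURE, KI_INSTALL))
    return {(1, 0, 0, 0): 1, (0, 1, 0, 0): 2, (1, 1, 1, 1): 3,   # M3 with Secure set (RSN)
            (1, 1, 0, 1): 3, (0, 1, 1, 0): 4}.get(flags)        # M3 with Secure clear (WPA)

def eapol_messages(pcap):
    """Yield (src, dst, msg, replay_counter) per EAPOL-Key frame; link type 105 or 127."""
    linktype, off = struct.unpack("<I", pcap[20:24])[0], 24      # little-endian pcap assumed
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == 127:                                   # strip the radiotap header
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        fc = frame[0] if frame else 0
        hlen = 26 if fc & 0x80 else 24                        # QoS-Data adds a 2-byte field
        if (fc & 0x0C != 0x08 or frame[hlen:hlen + 8] != SNAP_EAPOL
                or frame[hlen + 9:hlen + 10] != b"\x03" or len(frame) < hlen + 25):
            continue                                          # not a data frame with EAPOL-Key
        _, ki, _, replay = struct.unpack(">BHHQ", frame[hlen + 12:hlen + 25])  # after EAPOL hdr
        yield frame[10:16], frame[4:10], classify(ki), replay

def check_handshake(pcap):
    """Lenient: an M2 plus an M1 or M3. Strict: an M2 and an M3 with consecutive replay
    counters, i.e. the AP acknowledged that reply. Tools that disagree usually differ here."""
    msgs = list(eapol_messages(pcap))
    nums = {m for _, _, m, _ in msgs} - {None}
    m2 = {r for _, _, m, r in msgs if m == 2}
    m3 = {r for _, _, m, r in msgs if m == 3}
    return {"messages": sorted(nums), "lenient": 2 in nums and bool(nums & {1, 3}),
            "strict": any(r + 1 in m3 for r in m2)}

def eapol_frame(msg, replay):
    """Constructed 802.11 data frame with EAPOL-Key message `msg` (dummy nonce, zero MIC)."""
    ki = (KI_ACK, KI_MIC, KI_ACK | KI_MIC | KI_SECURE | KI_INSTALL, KI_MIC | KI_SECURE)[msg - 1] | 0x0A
    dst, src = (STA, AP) if msg in (1, 3) else (AP, STA)  # AP sends M1/M3, the client M2/M4
    body = struct.pack(">BHHQ", 2, ki, 16, replay) + b"\x11" * 32 + b"\x00" * 50   # 95 bytes
    hdr = b"\x08\x00\x00\x00" + dst + src + AP + b"\x00\x00"  # FC, duration, addr1-3, seq ctrl
    return hdr + SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(body)) + body

def build_capture(messages):
    """Constructed pcap (link type 105) holding one EAPOL frame per (msg, replay) pair."""
    frames = [eapol_frame(m, r) for m, r in messages]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105) + b"".join(
        struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
```

On a real capture, `check_handshake(open("capture.cap", "rb").read())` returning lenient=True but strict=False is the pattern that matches the thread: a pair of messages is present, but not the M2/M3 exchange that the stricter tools insist on.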

So I have been playing with the site survey module and getting pretty good success with handshake captures. My question is that once I get the handshake I try to delete in the module but it does not delete. Any ideas how to delete old captures?


Would there be a way to enable the deauth / capture of multiple APs at a time? Like, for instance, when running airmon-ng one can grab multiple handshakes passively, correct?


I don't know if anybody else has had this problem, but when I run a 5min scan it doesn't bring back any results. I have not tried a 10min. 2min and under scans work fine. I don't really need a 5min scan, but I got bored and tried it.


Hi everyone... I just received my Nano lately so I'm new here.  I configured the Nano and updated it to the latest firmware. However I got some issues with two of the modules I've tried so far, namely wps and SiteSurvey. 

With the first, whenever I perform a scan for WPS-enabled networks (and yes, I've tried longer scanning times) it always shows "No" in the WPS column. Even my own network and at least 4 or 5 others which have WPS enabled. When I try reaver on either of them, association always fails. Is there any way or fix to make this module work?

With SiteSurvey things are different... it seems to work. I've managed to get 2-3 cap files apparently containing WPA handshakes. I tried uploading one to wpa-sec.stanev.org and it went OK. But when I try to convert them to hccap at https://hashcat.net/cap2hccap/ it gives me an error "unable to find valid handshakes". I'm attaching one of the handshakes here if someone's interested in validating them: https://www.sendspace.com/file/w6enh0

Any advice would be highly appreciated... Btw I got an iMac and I'm running it under a Win10 virtual machine.

