
Thread: Finding WPA Keys Broadcast In Clear

  1. #1
    Join Date
    2013-Jul
    Posts
    844

    Finding WPA Keys Broadcast In Clear

    ESSIDPROBEWPA3-21.sh has been released for general use.

    The bug when used with Kali 2.0 and the newer versions of aircrack-ng has been corrected.

    Additions:

    When the MTeams-associated C programmer found ESSID probes that were incomplete strings for WPA keys, e.g. 7 characters in length, an extensive rewrite of this program resulted. To find the missing characters, crunch was used to fill in the blanks as follows:

    Menu-based crunch modules have been included to allow the user to expand ESSID probes, using the ESSID probe strings as the base words, to find any missing characters.

    Specific words can be randomized through menu-driven selections by the user.

    Random characters can be crunch character groups like [0123456789] or selected specific characters like 12Dc, just as examples.

    This program can produce large files, so care should be used if it is employed on operating systems with small amounts of storage space, such as persistent USB installs of Kali 2.0.

    To see how the program functions, try writing only one (1) character or a specific text string and play with the selections before you make large files based on crunch character groups or large ESSID probe text files.

    Users should feel free to suggest other crunch permutations to be included. They will be added, if possible, in later versions. If you find any bugs, please advise.

    You can download here with kali or at:

    http://www.datafilehost.com/d/3fb327e4


    Overview

    The most sophisticated ciphers are many times defeated by simple operator error. The German Army High Command (OKW) used Enigma in WWII to encrypt messages. The cipher was finally broken when a radio operator sent the same message twice without changing the key settings.

    Wi-Fi managing systems are also prone to operator errors. Musket Teams began seeing WPA keys broadcast in clear text, paired with the ESSID name, when running airodump-ng. MTeams knew the data pair sent was the WPA key and the station, as the code had previously been broken through other means such as Reaver or brute force. It soon became apparent that two (2) events were occurring. The Wi-Fi user was loading the WPA key into the ESSID (AP name) block of the Wi-Fi managing software. The software began probing for a station using the WPA key as the ESSID (AP name). Later, when the connection did not work, the user corrected the error by setting up a new connection and leaving the old connection in place. The software then probed the BSSID using both the WPA key and the ESSID.

    In airodump-ng you might see something like this at the bottom:

    BSSID              STATION            PROBE
    55:44:33:22:11:00  00:11:22:33:44:55  12345678,Wifi_Home

    or

    BSSID              STATION            PROBE
    55:44:33:22:11:00  00:11:22:33:44:55  12345678

    Using the screen to collect this data is not practical. The best way is to access the two (2) .csv files made by airodump-ng when using the -w filename (write a dump file) option in the airodump-ng command line. Musket Teams then wrote a small program to strip the kismet.csv file and the .csv file of relevant data. The script has a commented help file embedded at the top of the script. It gives you a text file suitable for aircrack-ng, pyrit and elcomsoft, and it produces two (2) reference files to help determine ESSID, BSSID, PROBE pairing. This wordlist file has other uses. Sometimes the user loads the ESSID name into the WPA key block; hence the WPA key is the AP name. This cannot be determined by the scan, BUT the wordlist has all the ESSIDs seen, therefore it can quickly determine if the WPA key is the ESSID when run against a handshake using aircrack-ng, pyrit or elcomsoft.

    For example:

    aircrack-ng wifi.cap -w essidprobesdic.txt

    Musket Teams
    Last edited by mmusket33; 2016-01-11 at 03:26.
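The post describes pulling ESSIDs and probed ESSIDs out of the airodump-ng .csv dump, turning them into a wordlist for aircrack-ng, producing a BSSID/STATION/PROBE reference to see which probe pairs with which AP, and padding too-short probes (a 7-character string cannot be a WPA-PSK passphrase, which is 8 to 63 characters) with crunch. The following is an added example, not the ESSIDPROBEWPA3-21.sh script or any other code from Musket Teams. It assumes the column layout airodump-ng writes to its -w prefix-01.csv file (an access-point section ending in ID-length, ESSID, Key and a station section ending in Probed ESSIDs, probes separated by commas); the sample dump embedded in it is constructed for the example, not a real capture, and the padding step is a plain itertools version of what the post's crunch modules do, appending characters only.

```python
"""Strip an airodump-ng .csv dump into a wordlist and a BSSID/STATION/PROBE reference."""
import itertools
from collections import OrderedDict

WPA_MIN_PASSPHRASE = 8   # WPA-PSK passphrases are 8..63 ASCII characters
AP_FIXED_FIELDS = 13     # columns before ESSID in the access-point section
STA_FIXED_FIELDS = 6     # columns before "Probed ESSIDs" in the station section

# Constructed sample of an airodump-ng -w prefix-01.csv file (not a real capture).
# The second AP has a comma in its ESSID to show why ID-length must be honoured.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
55:44:33:22:11:00, 2016-01-11 03:00:01, 2016-01-11 03:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   9, Wifi_Home,
66:55:44:33:22:11, 2016-01-11 03:00:02, 2016-01-11 03:05:00, 11,  54, WPA2, CCMP, PSK, -55,       80,        0,   0.  0.  0.  0,  14, Cafe, Inc WiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2016-01-11 03:00:05, 2016-01-11 03:05:00, -50,       30, 55:44:33:22:11:00, 12345678,Wifi_Home
00:11:22:33:44:66, 2016-01-11 03:00:07, 2016-01-11 03:05:00, -60,       12, (not associated) , 1234567
00:11:22:33:44:77, 2016-01-11 03:00:09, 2016-01-11 03:05:00, -70,        3, 66:55:44:33:22:11
"""


def parse_airodump_csv(text):
    """Return ({bssid: essid}, [(station_mac, bssid, [probes])]) from the dump text."""
    aps, stations, section = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        parts = line.split(",")
        if section == "ap":
            # An ESSID may itself contain commas, so take exactly ID-length
            # characters from the remainder instead of trusting the split.
            id_len = int(parts[AP_FIXED_FIELDS - 1])
            rest = ",".join(parts[AP_FIXED_FIELDS:]).lstrip(" ")
            aps[parts[0].strip()] = rest[:id_len]
        elif section == "sta":
            probes = [p.strip() for p in parts[STA_FIXED_FIELDS:]]
            stations.append((parts[0].strip(), parts[5].strip(), [p for p in probes if p]))
    return aps, stations


def build_wordlist(aps, stations):
    """Unique ESSIDs plus every probed string, one candidate per entry, in first-seen order.
    Including the ESSIDs covers the case where the AP name was typed into the key field."""
    words = OrderedDict()
    for essid in aps.values():
        if essid:
            words[essid] = None
    for _, _, probes in stations:
        for probe in probes:
            words[probe] = None
    return list(words)


def pairing_report(aps, stations):
    """One row per probe: (station, bssid, essid of that bssid, probe, unmatched).
    unmatched is True when the probe equals no ESSID seen in the scan, i.e. the
    string the post's scenario would make a candidate key for that BSSID."""
    known = set(aps.values())
    rows = []
    for station, bssid, probes in stations:
        essid = aps.get(bssid, "")
        for probe in probes:
            rows.append((station, bssid, essid, probe, probe not in known))
    return rows


def expand_short(word, charset, target_len=WPA_MIN_PASSPHRASE):
    """Pad a probe shorter than a WPA passphrase with every combination of charset
    characters (appended only). Output size is len(charset) ** missing, which is
    why the post warns about file sizes on small persistent installs."""
    missing = target_len - len(word)
    if missing <= 0:
        return [word]
    return [word + "".join(tail) for tail in itertools.product(charset, repeat=missing)]


def expanded_wordlist(aps, stations, charset="0123456789"):
    """Wordlist with every too-short candidate expanded; suitable for aircrack-ng -w."""
    out = []
    for word in build_wordlist(aps, stations):
        out.extend(expand_short(word, charset))
    return out


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print("BSSID              STATION            ESSID            PROBE            UNMATCHED")
    for station, bssid, essid, probe, unmatched in pairing_report(aps, stations):
        print(f"{bssid:18} {station:18} {essid:16} {probe:16} {unmatched}")
    print()
    print("\n".join(expanded_wordlist(aps, stations)))
```

Run it and redirect the last part to essidprobesdic.txt to get a file in the form the post's aircrack-ng example expects. Only probes that match none of the ESSIDs in the scan are flagged; as the post says, whether such a string really is the key is confirmed by running the list against a captured handshake, not by the scan itself.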
