Thread: handshakeharvest2-5.sh an automatic WPA handshake collector released for general use

  1. #11
    Junior Member
    Join Date
    Jun 2016
    Posts
    12
    mmusket33

    Turns out RSN=WPA2, so if an AP has only WPA2 enabled, there won't be a WPA section in the iw scan output.

    HT operation (and hence the primary channel) is only present for 802.11n APs, so your script fails to determine the channel for b/g-only APs. Use "DS Parameter set: channel" instead.

    I rewrote the part of the script parsing the iw scan to handle the above as well as hidden SSIDs. If you want to try it, replace the code in prepare_fn() between
    Code:
    #read
    #Debug
    and
    Code:
    numi1=$number1 # important for the loop
    with this
    Code:
    # Insert newline at the beginning of file
    awk 'BEGIN {print "\n"} {print}' /tmp/HANDTEST/iwscan01.txt > /tmp/HANDTEST/iwscan02.txt
    
    # Make one line per AP, replace newlines with tabs, put tab after BSSID
    awk 'BEGIN {RS="\nBSS "} NR>1 {gsub(/\n/,"\t"); gsub(/\(on /,"\t"); print}' /tmp/HANDTEST/iwscan02.txt > /tmp/HANDTEST/iwscan03.txt
    
    # Remove non WPA APs
    awk '/(WPA:|RSN:)/' /tmp/HANDTEST/iwscan03.txt > /tmp/HANDTEST/iwscan04.txt
    
    # Make a CSV file consisting of BSSID (capitalized), Channel and SSID
    sed -r 's/([^\t]*).*SSID: ([^\t]*).*DS Parameter set: channel ([^\t]*).*/\U\1\E,\3,\2/
    # Replace spaces with underscores (in SSIDs)
    s/ /_/g
    # Replace empty SSIDs with [hidden]
    s/(,$)/,[hidden]/' /tmp/HANDTEST/iwscan04.txt > /tmp/HANDTEST/iwscan05.txt
    
    # Sort by SSID descending
    sort -t, -k3 -r /tmp/HANDTEST/iwscan05.txt > /tmp/HANDTEST/iwscan06.txt
    
    SSIDS=$(awk -F, '{print $3}' /tmp/HANDTEST/iwscan06.txt)
    BSSIDS=$(awk -F, '{print $1}' /tmp/HANDTEST/iwscan06.txt)
    CHANN=$(awk -F, '{print $2}' /tmp/HANDTEST/iwscan06.txt)
    
    number1=$(wc -l <<< "$SSIDS")
    number2=$(wc -l <<< "$BSSIDS")
    number3=$(wc -l <<< "$CHANN")
    I'm sure the code can be further shortened with some elaborate awk or sed processing, but I didn't want to invest more time in learning them.

    I also added these lines to save scan results to the /root/scans folder:
    Code:
    if [ ! -d "/root/scans" ]; then mkdir -m 700 /root/scans; fi
    TS=$(date +%y%m%d-%H%M)
    cp -f /tmp/HANDTEST/iwscan01.txt /root/scans/hsh-$TS.txt
    cp -f /tmp/HANDTEST/iwscan06.txt /root/scans/hsh-$TS.csv
    Feel free to use this in your next release.

    Airodump still lists more WPA APs than iw scan, but I'm not actually sure whether it's practical to include those extra APs. They are remote with a weak signal and may not hear our injections. And I think for this reason the script doesn't work on all WPA APs, as it might be that rapidly incrementing numbers in the airodump window do not necessarily mean injections reach the AP under attack.

    And I suggest you google for "Useless use of echo" and "Useless use of cat award".

    Also found another small bug - this line
    Code:
    	echo "[+] Checking /root/HANDSHAKEHOLD for $bssid.cap files."
    should be
    Code:
    	echo "[+] Checking /root/HANDSHAKEHOLD for $macadd.cap files."
    otherwise it always prints the BSSID of the previous AP.
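    A pure-bash version of the parsing step described in this post, added here as an example; it is not code from the thread or from the handshakeharvest script. It reads iw scan text on stdin, keeps only APs with a WPA or RSN block, takes the channel from the "DS Parameter set" line (so b/g-only APs work) and marks empty SSIDs as [hidden]; the embedded scan output is constructed, not a real capture, and the layout assumed is the standard `iw dev <if> scan` text format. On the defensive side this is a quick inventory of nearby WPA networks (e.g. to spot an unexpected BSSID advertising your SSID).

```shell
#!/usr/bin/env bash
# Added example: iw scan text -> "BSSID,channel,SSID" CSV rows for WPA/WPA2 APs.

parse_iw_scan() {
    # Reads iw scan output on stdin, prints one CSV line per WPA/RSN AP on stdout.
    local line bssid="" chan="" ssid="" secure=0
    emit() {
        # Emit the current record only if a WPA: or RSN: block was seen.
        if [ -n "$bssid" ] && [ "$secure" -eq 1 ]; then
            local s="${ssid// /_}"               # spaces -> underscores in SSID
            printf '%s,%s,%s\n' \
                "$(printf '%s' "$bssid" | tr '[:lower:]' '[:upper:]')" \
                "$chan" "${s:-[hidden]}"          # empty SSID -> [hidden]
        fi
        bssid="" chan="" ssid="" secure=0
    }
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip iw's indentation
        case "$line" in
            "BSS "*)  emit
                      bssid="${line#BSS }"        # "aa:bb:..(on wlan0)" -> MAC only
                      bssid="${bssid%%(*}" ;;
            "SSID:"*) ssid="${line#SSID:}"
                      ssid="${ssid# }" ;;         # drop the separator space
            "DS Parameter set: channel "*)
                      chan="${line##* }" ;;       # last token is the channel
            "RSN:"*|"WPA:"*)
                      secure=1 ;;                 # RSN-only (WPA2) APs count too
        esac
    done
    emit                                           # flush the last AP
}

# Constructed sample: an 802.11n WPA2-only AP, a hidden-SSID b/g WPA AP, and an open AP.
sample_scan() {
    cat <<'EOF'
BSS aa:bb:cc:dd:ee:01(on wlan0)
    freq: 2412
    SSID: Home Net
    DS Parameter set: channel 1
    RSN:     * Version: 1
    HT operation:
         * primary channel: 1
BSS aa:bb:cc:dd:ee:02(on wlan0)
    freq: 2437
    SSID: 
    DS Parameter set: channel 6
    WPA:     * Version: 1
BSS aa:bb:cc:dd:ee:03(on wlan0)
    SSID: OpenCafe
    DS Parameter set: channel 11
EOF
}
```

    Running `sample_scan | parse_iw_scan` yields two rows (the open AP on channel 11 is dropped); feed it `iw dev wlan0 scan` output instead of the sample for real use.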

  2. #12
    Senior Member
    Join Date
    Jul 2013
    Posts
    770
    To MajorTom

    As MTeams has stated in these forums, any script released by us is considered property of the community, not MTeams.

    MTeams has no objection to you improving, altering and republishing any work by us.

    For example we have no bgn receivers therefore we cannot test. Your work here is a step forward.

    So please release your newer script for community use.

    Musket Teams
    Last edited by mmusket33; 2016-06-28 at 03:08 AM.

  3. #13
    Junior Member
    Join Date
    Jun 2016
    Posts
    12
    You don't need a bgn card to test. My built in VIA is bg only and produces scans very similar to Alfa NHA, just doesn't see as many APs, and the code I posted works for it equally well.

    Anyone is free to use that code snippet, otherwise it wouldn't be posted.

    I see no point in me publishing a copy of your script just with my changes. And I think the instructions on how to replace the code are pretty straightforward, so if you won't include it, people can do it themselves.

  4. #14
    Senior Member
    Join Date
    Jul 2013
    Posts
    770
    To MajorTom

    MTeams attempted to make the alterations and test for release.

    You state you have added the following lines of code.

    For clarity, could you identify where you have placed the following lines of code?

    Code:
    if [ ! -d "/root/scans" ]; then mkdir -m 700 /root/scans; fi
    TS=$(date +%y%m%d-%H%M)
    cp -f /tmp/HANDTEST/iwscan01.txt /root/scans/hsh-$TS.txt
    cp -f /tmp/HANDTEST/iwscan06.txt /root/scans/hsh-$TS.csv

    MTeams

  5. #15
    Junior Member
    Join Date
    Jun 2016
    Posts
    12
    You can place them right after the first code snippet (the parsing code) or a bit further down the code; it doesn't really matter as long as it's done before the temp scan files are removed from the /tmp/HANDTEST folder.

  6. #16
    Senior Member
    Join Date
    Jul 2013
    Posts
    770
    MTeams has done preliminary tests on the suggested mods listed above by MajorTom. These mods appear to function in 2016R. However, they do not work in Kali 1.10a. We are still testing Kali 2.0.

    MTeams

  7. #17
    Senior Member
    Join Date
    Jul 2013
    Posts
    770
    Musket Teams have voted to release an updated handshakeharvest for community use as of 6 July 2016. The program supports Kali 1.10a, 2.0 and 2016R. See the beginning of this thread for download details.

    Musket Teams

  8. #18
    Junior Member
    Join Date
    Jan 2017
    Posts
    4
    1. How can I see which handshake(s) are in the passivescan-timestamp.cap files (folder HANDSHAKEHOLD)?

    2. Are these other handshake(s) comparable with the handshake(s) in the BSSID-SSID-timestamp.cap files (folder HANDSHAKEHOLD)?

  9. #19
    Senior Member
    Join Date
    Jul 2013
    Posts
    770
    To fuscher

    First your question 2.

    There is no difference in the essential data. These passive scans may have many handshakes and are collected passively, in that no DEAUTH process was used by the handshakeharvest program to induce handshake production. The handshake was produced by a third party, like a client logging into the router.

    Now your question 1.

    You can use aircrack-ng to display handshakes.

    aircrack-ng /root/HANDSHAKEHOLD/??FILENAME??.cap

    You can list all .cap files

    ls /root/HANDSHAKEHOLD/*.cap

    You can clean handshakes with wpaclean

    wpaclean /root/HANDSHAKEHOLD/Cleaned-FILENAME.cap /root/HANDSHAKEHOLD/FILENAME.cap

    Note that the new file name after cleaning is placed first, while the original file to be cleaned is second in the command line sequence.

    WARNING: Do not use cleaned handshake cap files with Elcomsoft, as the program does not work well with these cleaned handshakes.

    It has been our experience that if aircrack-ng says a handshake exists while Elcomsoft says the handshake is incomplete, Elcomsoft can still usually crack the password. Aircrack-ng, on the other hand, many times tells you a handshake exists but cannot crack it even when the handshake is known, while Elcomsoft easily cracks the WPA key in the same file. In other words, aircrack-ng is probably NOT your tool of choice except for identifying the existence of handshakes within a file.

    Musket Teams