Monday, 01 February 2016 18:24

Pcap capture : Extract SSID AP names


Pcap capture files : Extracting BSSID/SSID names

Using tcpdump, pyrit, and other tools to dig in and analyze Pcap capture files

Finding out which SSIDs were captured by filtering them out with tools such as tcpdump and pyrit.

This is the second part in a series where we use our WiFi network adapter to capture data using various methods, then methodically pick through the Pcap capture files and analyse the different types of useful information we can extract.  Everything is based around Kali and Ubuntu Linux computers, multiple access points, and a variety of target devices, and we will use a variety of the tools available today to complete our analysis of the data we find.  There are usually multiple ways to accomplish a particular task, so I try to experiment with different methods in an attempt to find the best one for the task at hand.

All of these examples shown here are using captures of traffic from my own computers and access points.

In the previous part of the series, Passive packet sniffing on Wifi connections, we used an Alfa USB network card in monitor mode to passively (without associating to any access point) capture local WiFi traffic using tcpdump.  In this part we will see whether we can extract any SSID names from what we captured.  This information can be useful in different ways, especially when we want to narrow further analysis to one specific network.


Print the BSSID and ESSID of every access point found in the capture

There are a wide variety of ways to extract the SSIDs from capture files.  First we will explore some basic command line tools for the task at hand.  Command line tools can be beneficial for many reasons over graphical tools such as Wireshark: they excel when dealing with very large files, and they let you pipe the data from one tool to another.  Here are some simple one-line methods using the Linux command line with awk and sed to parse the output of tcpdump and pyrit.


- Pyrit

  Pyrit is a tool typically used in WPA/WPA2 attacks.  In this example, though, we are only using it to list the SSIDs.

pyrit -r <input-capture-file> analyze | grep AccessPoint | awk '{$1=""; print $0}' | sed "s/[()']//g;s/.$//" | sort


We get 13 access points.  I found pyrit to be a little slow for this task.


- TCPDump

Using tcpdump proved to be faster and gives us a little more information, but it is a little more complex to parse the output properly.  First we need to look at Beacon frames, which carry the SSIDs that are broadcast.

To get only the SSIDs that are being broadcast (transmitted in a beacon frame), we can use this.  Note that the awk field numbers ($13 and $17) depend on which radiotap fields your adapter adds to the front of each tcpdump line, so check one unfiltered line first and adjust them if your columns differ.

tcpdump -ennr <input-capture-file> '(type mgt subtype beacon)' | awk '{print $13, $17}' | sed "s/[()]//g;s/......//"  | sort | uniq

If the capture file is compressed (*.gz), you can decompress it with gzip and pipe it to tcpdump:

gzip -cd <input-capture-file> | tcpdump -ennr- '(type mgt subtype beacon)' | awk '{print $13, $17}' | sed "s/[()]//g;s/......//"  | sort | uniq


- TCPDump and Python

We may also want to get the APs that respond to a probe request but are not sending out a beacon (hidden SSIDs).  The pyrit example above already does this (but again, pyrit is a little slow in processing large files), so we switch over to Python to help parse the output of tcpdump.  I am not by any means a good Python programmer, so it may be ugly, but it did work for me.  Here is a quick and dirty Python script I wrote; it goes through the capture file and prints the BSSID, SSID, and channel from each Beacon frame or Probe Response frame.


#!/usr/bin/env python
#
# Extract BSSID/SSID/Channel from Beacon and Probe Response frames in a capture file
#
# Requires tcpdump to be installed
# tested with:
# Python 2.7.6
# tcpdump version 4.5.1
# libpcap version 1.5.3
#
from __future__ import print_function

import sys, getopt
import subprocess
import re

def usage():
   print("%s -i <capture-file>" % (__file__))

def main(argv):
   filename = None
   try:
      opts, args = getopt.getopt(argv,"hi:",["ifile="])
      if not opts:
         print('No input file supplied')
         usage()
         sys.exit(2)
   except getopt.GetoptError as e:
      print(e)
      usage()
      sys.exit(2)
   for opt, arg in opts:
      if opt == '-h':
         usage()
         sys.exit()
      elif opt in ("-i", "--ifile"):
         filename = arg
   if filename is None:
      usage()
      sys.exit(2)
   return filename

if __name__ == "__main__":
   filename = main(sys.argv[1:])
   seen = []   # BSSIDs already printed, so each access point is listed only once
   # Let tcpdump do the filtering: only Beacon and Probe Response management frames
   argv = ["-ennr", filename, "(type mgt subtype beacon) || (type mgt subtype probe-resp)"]
   cmd = subprocess.Popen(["tcpdump"] + argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
   print("BSSID\t-\tSSID\t-\tChannel\n")
   for line in cmd.stdout:
      if 'Beacon' in line:
         frame, mark = 'Beacon', ''
      elif 'Probe Response' in line:
         frame, mark = 'Probe Response', '*'
      else:
         continue
      bssid = re.search(r'BSSID:(\w+:\w+:\w+:\w+:\w+:\w+)', line)
      if not bssid or bssid.group(1) in seen:
         continue
      seen.append(bssid.group(1))
      # tcpdump prints the SSID in parentheses after the frame type; an empty "()" is a hidden SSID
      ssid = re.search(frame + r'\s\((.+?)\)', line)
      # the channel can be one or two digits, so match \d+ rather than a single character
      channel = re.search(r'CH:\s(\d+)', line)
      print("%s\t%s\t%s\t%s" % (bssid.group(1),
                                ssid.group(1) if ssid else '<hidden>',
                                channel.group(1) if channel else '?',
                                mark))
   print("\n* = Probe Response\n")

Just copy and paste it into a file using your text editor (e.g. nano) and make the file executable (chmod +x file-name.py).


Troubleshooting

There are times, during the capture process, when the Pcap file can become corrupted in various ways.  One of the most common errors I've come across is truncated dump file, or in Wireshark, The capture file appears to have been cut short in the middle of a packet.  This simply means the last frame in the Pcap file is not complete because the capture process was stopped during that frame.  You can still usually open the file in Wireshark, but some of the command line tools will fail to read the file correctly.


To fix this error, the easiest way I found is to use pcapfix.  Pcapfix will go through the entire capture file and attempt to fix all of the issues.  This may or may not work depending on the actual issues, but for this specific error it seems to work fine.

pcapfix -v -o <output-capture-file> <input-capture-file>


If you know the last good frame number in the capture file (scroll to the bottom of the capture in Wireshark; by default the first column is the frame number), you can also use editcap, which is part of the Wireshark suite.

editcap -r <input-capture-file> <output-prefix-file-name> <frame-number-span>

In our case the last frame we saw when we opened the capture file in Wireshark was 94946, so we will use that as our last frame:

editcap -r capture_20160201.pcap capture_20160201-editcap-fixed.pcap 1-94946

Now we have removed the last frame in the capture file (which should be the one that was truncated and causing the errors).  When we use the fixed capture file instead, tcpdump and similar tools should be able to process the file correctly, as shown above.
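As an added example (not the script above or any tool from the page), here is a Python 3 parser that reads a radiotap pcap directly, without tcpdump, pulls the BSSID, SSID and channel out of Beacon and Probe Response frames, and stops cleanly at the truncated last frame described in this Troubleshooting section instead of failing on it. It assumes the capture uses the radiotap link type that tcpdump writes in monitor mode; the capture it reads is constructed inside the code, and the MAC addresses and the SSID lab-net are made up.

```python
import struct
LINKTYPE_RADIOTAP = 127
MGMT_KINDS = {0x80: "Beacon", 0x50: "Probe Response"}   # frame-control byte 0 of the two subtypes we want

def parse_mgmt_frame(frame):
    """Return (kind, bssid, ssid, channel) for a Beacon/Probe Response frame, else None."""
    rt_len = struct.unpack_from("<H", frame, 2)[0]       # radiotap header: version, pad, length (LE), present
    body = frame[rt_len:]
    if len(body) < 36 or body[0] not in MGMT_KINDS:      # too short, or not a Beacon / Probe Response
        return None
    bssid = ":".join("%02x" % b for b in body[16:22])    # addr3 carries the BSSID in management frames
    pos, ssid, channel = 36, None, None                  # 24 MAC header + 8 timestamp + 2 interval + 2 capability
    while pos + 2 <= len(body):                          # walk the tagged information elements
        tag, ln = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + ln]
        if tag == 0:                                     # SSID element; zero length is a hidden network
            ssid = data.decode("utf-8", "replace") or "<hidden>"
        elif tag == 3 and ln == 1:                       # DS Parameter Set: current channel
            channel = data[0]
        pos += 2 + ln
    return MGMT_KINDS[body[0]], bssid, ssid, channel

def extract_aps(pcap):
    """Return (records, truncated): one record per BSSID, stopping at an incomplete last frame."""
    if struct.unpack_from("<I", pcap, 20)[0] != LINKTYPE_RADIOTAP:
        raise ValueError("expected a radiotap (LINKTYPE 127) capture")
    aps, pos = {}, 24                                    # skip the 24-byte pcap global header
    while pos + 16 <= len(pcap):                         # 16-byte record header: sec, usec, incl_len, orig_len
        incl_len = struct.unpack_from("<I", pcap, pos + 8)[0]
        if pos + 16 + incl_len > len(pcap):              # the "cut short in the middle of a packet" case
            return list(aps.values()), True
        rec = parse_mgmt_frame(pcap[pos + 16:pos + 16 + incl_len])
        if rec and rec[1] not in aps:                    # first sighting of this BSSID wins
            aps[rec[1]] = rec
        pos += 16 + incl_len
    return list(aps.values()), False

def sample_record(fc0, bssid, ssid, channel, cut=None):  # constructed test data, not from a real capture
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)          # minimal radiotap: length 8, no fields present
    mac_hdr = struct.pack("<BBH", fc0, 0, 0) + b"\xff" * 6 + bssid * 2 + b"\x00\x00"  # fc, dur, DA, SA, BSSID, seq
    fixed = struct.pack("<QHH", 0, 100, 0x0411)          # timestamp, beacon interval, capability info
    frame = radiotap + mac_hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return struct.pack("<IIII", 1454350000, 0, len(frame), len(frame)) + frame[:cut]

AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
               + sample_record(0x80, AP1, b"lab-net", 11)
               + sample_record(0x80, AP1, b"lab-net", 11)       # repeated beacon, must be deduplicated
               + sample_record(0x50, AP2, b"", 6)               # hidden SSID, seen only in a probe response
               + sample_record(0x80, AP1, b"lab-net", 11, cut=14))  # final frame cut short mid-packet
```

extract_aps(SAMPLE_PCAP) returns the two unique access points together with a truncated flag of True, the same condition tcpdump reports as truncated dump file; a file repaired with pcapfix or editcap as above returns False.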


Conclusion

Using tools like tcpdump can be a fast way to get the results you need.  tcpdump can also be installed on many machines where you only have command line access, so programs like Wireshark won't be of any use.  If you already know what SSID you are looking for and just need the BSSID (MAC address of the access point), or would like a general idea of what networks were captured, the speed of the command line tools may be the way to go.  You can also create wrappers in Python or similar languages to parse out the specific data you need, which can't easily be accomplished with graphical programs such as Wireshark.


Previous: Passive packet sniffing on Wifi connections

We use our network WiFi adapter in monitor mode to passively (not associated to any access point) capture data using various methods.

Next: Pcap capture : View SSID AP names in Wireshark

We utilize the power of Wireshark to filter and focus on WLAN management frames, along with some of Wireshark's built in statistical views to see all of the networks captured.


References:

Python version 2.7.6
tcpdump version 4.5.1
libpcap version 1.5.3

http://www.packetstan.com/2011/03/extracting-ap-names-from-packet.html

http://hackoftheday.securitytube.net/2013/03/wi-fi-sniffer-in-10-lines-of-python.html


Last modified on Wednesday, 03 February 2016 22:51
Algis Salys

Creator and owner of algissalys.com.  Linux enthusiast, electronics tinkerer, and likes to spend time in the workshop building and creating new projects.