Using the airodump-ng tool, you can see information about wireless access points and clients. If there are several access points, then everything is simple and convenient, and what if the total number of APs and stations within the range is measured in hundreds? This amount does not fit into any screen.
With airodump-ng also it is inconvenient to collate connections between stations and APs.
When using the -w option with the awdump-ng option, the captured packets are written to a file, a file with the extension .csv is created, which can be opened by the program for working with tables or a text editor. This file contains information about the devices seen:
The advantage of this file is that, at least you can see all the detected devices. Disadvantage is the inconvenience of data analysis.
As a result, I decided to write a small script for analyzing the .csv file created by the airodump-ng program for my own needs.
The script can do the following:
shows the total number of seen Access Points, Stations and Stations not connected to any AP;
for each network determines the manufacturer of the device;
allocates networks operating at 5 GHz;
for each network shows the clients connected to it;
for each client determines the device manufacturer, based on this data, assumes whether the device is a mobile phone, whether it can support the monitor mode;
shows the networks that each client tried to connect to;
shows all clients that are not connected to any network, and displays for them the networks they were looking for.
An example of data that displays a script (data received from one location without moving, for 1+ hour):
To analyze the .csv file, it is necessary that airodump-ng create it. To do this, enable monitor mode for wireless interface. I always start with the following two commands, they make me sure that no processes interfere:
--berlin 60000 is used to ensure that APs and Stations that have left the view are not excluded from the list
-w /tmp/test is used to save files to the /tmp/ directory with the prefix test
--channel 1-13,36-165 tells wireless to switch over all possible channels, including 5 GHz.
Now create the file wfw.sh:
gedit wfw.sh
and copy the following to it
Expand
#!/bin/bash
if [[ "$1" && -f "$1" ]]; then
FILE="$1"
else
echo 'Specify the .csv file to analyze.';
echo 'Usage:';
echo -e "\tbash wfw.sh /tmp/test-01.csv";
exit
fi
echo -e "\033[1mTotal Access Points: \033[0;31m`grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){14}' $FILE | wc -l`\e[0m"
echo -e "\033[1mTotal Stations: \033[0;31m`grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE | wc -l`\e[0m"
echo -e "\033[1mTotal Stations without association: \033[0;31m`grep -E '(not associated)' $FILE | wc -l`\e[0m"
echo -e "\033[0;36m\033[1mAvailable Access Points:\e[0m"
while read -r line ; do
if [ "`echo "$line" | cut -d ',' -f 14`" != " " ]; then
echo -e "\033[1m" `echo -e "$line" | cut -d ',' -f 14` "\e[0m"
else
echo -e " \e[3mcould not get network name (ESSID)\e[0m"
fi
fullMAC=`echo "$line" | cut -d ',' -f 1`
echo -e "\tMAC-address: $fullMAC"
MAC=`echo "$fullMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`
result="$(grep -i -A 1 ^$MAC ./oui.txt)";
if [ "$result" ]; then
echo -e "\tVendor: `echo "$result" | cut -f 3`"
else
echo -e "\tVendor: \e[3mInformation not found in the database.\e[0m"
fi
is5ghz=`echo "$line" | cut -d ',' -f 4 | grep -i -E '36|40|44|48|52|56|60|64|100|104|108|112|116|120|124|128|132|136|140'`
if [ "$is5ghz" ]; then
echo -e "\t\033[0;31mIt operates at 5 GHz!\e[0m"
fi
printonce="\tStations:"
while read -r line2 ; do
clientsMAC=`echo $line2 | grep -E "$fullMAC"`
if [ "$clientsMAC" ]; then
if [ "$printonce" ]; then
echo -e $printonce
printonce=''
fi
echo -e "\t\t\033[0;32m" `echo $clientsMAC | cut -d ',' -f 1` "\e[0m"
MAC2=`echo "$clientsMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`
result2="$(grep -i -A 1 ^$MAC2 ./oui.txt)";
if [ "$result2" ]; then
echo -e "\t\t\tVendor: `echo "$result2" | cut -f 3`"
ismobile=`echo $result2 | grep -i -E 'Olivetti|Sony|Mobile|Apple|Samsung|HUAWEI|Motorola|TCT|LG|Ragentek|Lenovo|Shenzhen|Intel|Xiaomi|zte'`
warning=`echo $result2 | grep -i -E 'ALFA|Intel'`
if [ "$ismobile" ]; then
echo -e "\t\t\t\033[0;33mThis is probably a mobile device\e[0m"
fi
if [ "$warning" ]; then
echo -e "\t\t\t\033[0;31;5;7mThe device can support the monitor mode\e[0m"
fi
else
echo -e "\t\t\tVendor: \e[3mInformation not found in the database.\e[0m"
fi
probed=`echo $line2 | cut -d ',' -f 7`
if [ "`echo $probed | grep -E [A-Za-z0-9_\\-]+`" ]; then
echo -e "\t\t\tIt probed networks: $probed"
fi
fi
done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE)
done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){14}' $FILE)
echo -e "\033[0;36m\033[1mNot associated Stations:\e[0m"
while read -r line2 ; do
clientsMAC=`echo $line2 | cut -d ',' -f 1`
echo -e "\033[0;31m" `echo $clientsMAC | cut -d ',' -f 1` "\e[0m"
MAC2=`echo "$clientsMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`
result2="$(grep -i -A 1 ^$MAC2 ./oui.txt)";
if [ "$result2" ]; then
echo -e "\tVendor: `echo "$result2" | cut -f 3`"
ismobile=`echo $result2 | grep -i -E 'Olivetti|Sony|Mobile|Apple|Samsung|HUAWEI|Motorola|TCT|LG|Ragentek|Lenovo|Shenzhen|Intel|Xiaomi|zte'`
warning=`echo $result2 | grep -i -E 'ALFA|Intel'`
if [ "$ismobile" ]; then
echo -e "\t\033[0;33mThis is probably a mobile device\e[0m"
fi
if [ "$warning" ]; then
echo -e "\t\033[0;31;5;7mThe device can support the monitor mode\e[0m"
fi
else
echo -e "\tVendor: \e[3mInformation not found in the database.\e[0m"
fi
probed=`echo $line2 | cut -d ',' -f 7`
if [ "`echo $probed | grep -E [A-Za-z0-9_\\-]+`" ]; then
echo -e "\tIt probed networks: $probed"
fi
done < <(grep -E '(not associated)' $FILE)
Also we need a file with a database of MAC-addresses and the corresponding manufacturers, download it to the same directory where the wfw.sh file was placed
wget http://standards-oui.ieee.org/oui/oui.txt
Run the script like this:
bash wfw.sh path/to/file.csv
Note that if you run airodump-ng several times, it creates new files each time, without deleting the old ones. I used the prefix test, so when I first started, the file test-01.csv was created in the /tmp/ folder. This is what I will analyze. By the way, the script can be run simultaneously while airodump-ng is running. Example:
bash wfw.sh /tmp/test-01.csv
Pay attention to the data:
Total Access Points: 135
Total Stations: 519
Total Stations without association: 406
The total number of access points (135) - this is how much my wireless adapter saw Wi-Fi networks in the district (without moving). The total number of Stations (519) is all devices that are connected or not connected to APs. Stations without association (406) are those who are not connected to any of the Wi-Fi networks (for example, they passed by my house with a phone on which Wi-Fi is turned on).
For this AP, the network name was not received, however, one of the clients connected to it searched for a network named RT-727451. It is possible that this is the name of this network:
Similarly for networks on the following screenshots:
Using the script, you can search for different artifacts in the wireless space, for example, not only I have a Wi-Fi adapter with a monitor mode:
A lot of devices where the MAC address starts with DA:A1:19 and is not present in the database:
Although if you google, you can find information that this range belongs to Google itself:
Also, I found mention that a random MAC-address with such a prefix create Android and iOS for privacy.
Conclusion
Let airodump-ng work longer, at least 5-10 minutes, to collect more information.
Depending on the purpose, you can use the data obtained during the movement.
Whether the device is a mobile phone and whether the monitor mode is supported solely on the basis of the manufacturer's name, i.e. the data may be incorrect.
