Topic: shee.sh -- script to scan for / alert on - Client MACs -- Testers requested

Offline TAPE

Hola Guys !!

So it has been like for- friggin- ever since I contributed, I was even getting semi-hate-mail on my blog for the lack of posts.. :| wtf..

In any case, the reason for my lack of posting activity is simply;
- Baby (awesome)
- New house (also awesome)
- DIY (daaamn...)

So I read a post here a while ago from Priest asking about scanning for client MACs. It's an interesting one, and many shops / stores / malls already use software that tracks customers' movements (based on WiFi/Bluetooth signals) to see what was most visited, when they were where, etc. etc.

I am sure that is all very sophisticated, and too hard for me, so I decided to make a simple script which can do similar things..

Enter shee.sh
(we will see where we go with the official name :D)

BETA VERSION!
Lemme know what bugs you encounter..


shee.sh allows you to monitor and alert for clients in the area, and there are a few modes I have in mind;
(the modes are only shown in the extended help)
Mode 1
-----------
Scan/Monitor for a client with a specific MAC address and alert if desired.

Mode 2
------------
Scan/Monitor for a client probing a specific ESSID and alert if desired.

Mode 3
-----------
Scan for all clients probing around..

Mode 4
-----------
Scan for clients which are not a part of a white(trusted)list.

Mode 5
------------
Scan for client using an airbase-ng method (possibly coming soon)

Mode 6
------------
Alert on finding clients in a known/trusted list.

Now it is based on the NEW aircrack-ng... so no point in trying to run the script on other systems.
I suggest running on the latest KALI with the latest updates on aircrack.
Otherwise it will not work.
If the interest is there, then possibly I might be able to find motivation to make it work on more.

Let me know if anyone is interested, and I will get it from beta to release :)

Linkage to script to follow.

EDIT
------
Found a couple of bugs so removing DL link for now, updating soon !
« Last Edit: May 26, 2015, 12:24:18 AM by TAPE »
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik

Offline zerocool

I just went to try this, but I realized I'm using old aircrack for now, messes with too many scripts.
I will create a new VM later and try it, thanks for sharing.


ch3rn0byl

Quote
I just went to try this, but I realized I'm using old aircrack for now, messes with too many scripts.
I will create a new VM later and try it, thanks for sharing.

One work around would be to not rely on automation ;) bwahaha!!
I would love to check it out :)

Offline TAPE

Quote
I just went to try this, but I realized I'm using old aircrack for now, messes with too many scripts.
I will create a new VM later and try it, thanks for sharing.


An
Quote
apt-get update && apt-get dist-upgrade

should do the trick ;)

If it's really an issue, then I will have to make the script work with old and new aircrack, but would prefer it to be the current version.


Quote
I would love to check it out :)

Would love to hear what you think !

Offline H4v0K

Awesome TAPE, thanks for sharing.. +1 And don't mind them haters, they probably don't have lives :o

Offline Grey-Matter

Great idea Tape. I'm also using the old aircrack for now. But the reason for that is old scripts not compatible with the new aircrack. I definitely support you coding it to work with the new suite.

We need more tools that work with the future aircrack, not the past aircrack =)

Thanx for sharing the script

One work around would be to not rely on automation ;) bwahaha!!

====|>

I would love to check it out :)
I would love to check out your new automated script :)

Sorry ch3rn, I know I'm still the new kid, but couldn't resist :P ;D
« Last Edit: May 25, 2015, 08:19:56 PM by Grey-Matter »

Offline TAPE

Hey guys, thanks for the feedback,

The only reason the script 'needs' the new aircrack is because I scripted it to use airmon-ng to check for the wireless interfaces.
This is simply because the output is the easiest to work with.

I could include a few extra checks to see whether it is the new version or not, so that both versions can be used.
Of course now I have updated all my sheet to the new version so will have to find an old vm. lol



 


Offline TAPE

OK,

So I fixed the bugs and made changes to allow the use of the old version of aircrack / airmon as well.

Improved the output and now much better, thanks for the feedback Zerocool, it made me look closer ;)

Thanks !

OK, so since I finally posted the revised version on my blog, might as well edit this post as well ;)
Revised tool and post can be found on my blog as well as in the special access area of this forum.

http://adaywithtape.blogspot.nl/2015/05/scanning-for-alerting-on-client-probes.html
« Last Edit: June 12, 2015, 02:42:12 PM by TAPE »

Offline TAPE

Script now updated to version 0.2

http://www.mediafire.com/view/vz2nea6bv1hq779/shee.sh

Best new feature really is to limit the output to new MAC addresses only when scanning for all client MACs,
but plenty to look at with the -H switch ;)

Would love any feedback, especially on how whitelist / blacklist works, the rest seems pretty OK.

Am working on a few new ideas;
- implementation of MAC address lookup from the OUI database
- zenity notification on alert of MAC

Pleased to hear any other ideas! It has been fun scripting again after a long hiatus :D

Offline outofstep

On Linux Mint 17.1 with latest aircrack installed I get no results from:

outofstep@supercomputer ~/Documents/Scripts/mac alert $ sudo ./shee.sh -M 3

     _                     _     
    | |      By TAPE      | |   
 ___| |__   ___  ___   ___| |__ 
/ __| '_ \ / _ \/ _ \ / __| '_ \
\__ \ | | |  __/  __/_\__ \ | | |
|___/_| |_|\___|\___(_)___/_| |_|
> Scan & alert on all client probe requests

DATE / TIME             MAC ADDRESS            POWER      ESSID     
-----------             -----------            -----      -----     

Offline TAPE

Oh sheesh... (pun intended :D ) I forgot to include a warning when you do not include the -i switch for interface when running a scan command..

Will see if I can put one in for the next revision. Thanks for the feedback !
Anyway, commands should always include the monitor interface when scanning;

Code:

./shee.sh -i mon0 -M 3

Check for existing interfaces with;
Code:

./shee.sh -I

The layout looks completely fubarred ?! wtf.. looks fine on my Kali install, anyone else seeing that on their distro ?
Anyway, full help info (./shee.sh -H) from the script as below & some usage examples;

FULL HELP
Quote

d --  show details on options chosen before running script
e --  target ESSID probe scan
h --  help information
H --  this extended help
i --  interface to use
I --  information on available wireless interfaces
l --  log all seen MACs
m --  target MAC adddress
M --  mode (1 6)
     MODES
     1  --  Scan for a specific target MAC
     2  --  Scan for a specific target ESSID
     3  --  Scanning and logging all clients/probe requests
     4  --  Scanning and logging of MACs not in a whitelist
     5  --  Alert on presence of MACs from list
     6  --  airbase mode to alert presence of client (not yet included)
r --  resume session of scanning for unique MACs (for -M 3 option)
s --  sound alert on finding of (target) mac/essid.
u --  only show new clients (for -M 3 option).
v --  version information.
     
USAGE EXAMPLES
list all wireless interfaces;
./shee.sh -I 

scan for specific MAC and give sound alert;
./shee.sh -i mon0 -M 1 -m 00:11:22:33:44:55 -s

will scan for specific ESSID with sound and notification;
./shee.sh -i mon0 -M 2 -e ESSID -s -n

will alert on all clients seen, show only new MACs, give sound alert and save to log.
./shee.sh -i mon0 -M 3 -usl

will alert on finding Clients not in a whitelist;
./shee.sh -i mon0 -M 4

will alert on finding Clients in a blacklist;
./shee.sh -i mon0 -M 5




FURTHER USAGE EXAMPLES;


Show details of input options before starting script (-d), scan/listen for all MAC addresses (-M 3),
only show new MAC addresses (-u), log results to logfile (-l), give sound alert (-s) on new found MAC address;
Code:
./shee.sh -i mon0 -M 3 -duls

Same as above but resuming (-r) from the previous session;
Code:
./shee.sh -i mon0 -M 3 -dulsr
« Last Edit: June 13, 2015, 11:38:48 PM by TAPE »

Offline kinchan

nice! thank-you TAPE. +1
"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."

Offline TAPE

So suddenly out of nowhere with the release of Kali 2.0 the script stopped working after something was updated..


Basically the tshark capture filters were not being processed as they were before.
After asking for help on the Kali forums, got some feedback that worked !


script is now updated and confirmed to work on Kali 2.0


Download link unchanged, version with this small alteration in the script now 0.4


http://www.mediafire.com/view/vz2nea6bv1hq779/shee.sh


Offline ch3rn0byl

Quote
So suddenly out of nowhere with the release of Kali 2.0 the script stopped working after something was updated..

Basically the tshark capture filters were not being processed as they were before.
After asking for help on the Kali forums, got some feedback that worked !

script is now updated and confirmed to work on Kali 2.0

Download link unchanged, version with this small alteration in the script now 0.4

http://www.mediafire.com/view/vz2nea6bv1hq779/shee.sh

What was the issue?
Edit: nvm, I read it :)
« Last Edit: October 10, 2015, 10:04:31 AM by ch3rn0byl »
The quieter you become, the more you are unlikely to sound stupid.

Offline TAPE

Just in case this thread pops up on Google or whatever ;)


The main part of the script was based on a tshark command which captured WiFi client probe requests
and then filtered out certain fields (source address/client MAC, SSID, signal strength).
The tshark command I was using was;
Code:
tshark -i $IFACE -n -l subtype probereq -T fields -e wlan.sa -e radiotap.dbm_antsignal -e wlan_mgt.ssid
This worked fine in Kali 1, and also in the early Kali 2 versions, so possibly certain requirements were less stringently checked by the programs in use until something (gawd knows what) was updated.


The solution was to add the -f switch and put double quotes around the capture filter;
Code:
tshark -i $IFACE -n -l -f "subtype probereq" -T fields -e wlan.sa -e radiotap.dbm_antsignal -e wlan_mgt.ssid


It's a handy one-liner to have whether you use the script or not.
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik
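
An added example, not part of the thread and not code from shee.sh: one way to post-process the three-field tshark output above so that only new client MACs outside a trusted list are reported, which is what the whitelist mode and the -u switch are described as doing. The function names, the whitelist file format and the sample lines are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of shee.sh. Input on stdin is tshark "-T fields"
# output, tab separated: wlan.sa, radiotap.dbm_antsignal, wlan_mgt.ssid
# (newer Wireshark releases name the last field wlan.ssid).

# new_unknown_clients WHITELIST_FILE   (hypothetical helper name)
# Prints "mac<TAB>dBm<TAB>ssid" once per MAC that is not in the whitelist.
new_unknown_clients() {
    awk -F'\t' '
        function valid_mac(m,    n, o, i) {
            n = split(m, o, ":")
            if (n != 6) return 0
            for (i = 1; i <= 6; i++)
                if (o[i] !~ /^[0-9a-f][0-9a-f]$/) return 0
            return 1
        }
        # Whitelist file: one MAC per line, "#" starts a comment.
        # FILENAME is compared (not NR==FNR) so an empty whitelist works.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") allow[tolower($0)] = 1
            next
        }
        {
            mac = tolower($1)
            if (!valid_mac(mac)) next            # drop malformed lines
            if ((mac in allow) || (mac in seen)) next
            seen[mac] = 1
            split($2, sig, ",")                  # "-40,-42": one value per antenna
            ssid = ($3 == "") ? "<broadcast>" : $3
            printf "%s\t%s\t%s\n", mac, sig[1], ssid
            fflush()
        }
    ' "$1" -
}

# Constructed sample lines in the same layout (not real captures).
sample_capture() {
    printf 'aa:bb:cc:00:00:01\t-55\tOfficeWiFi\n'   # whitelisted in the test
    printf 'de:ad:be:ef:00:02\t-61\tHomeNet\n'
    printf 'de:ad:be:ef:00:02\t-63\tCoffeeShop\n'   # same client, second probe
    printf '12:34:56:78:9a:bc\t-40,-42\t\n'         # wildcard probe, two antennas
    printf 'not-a-mac\t-70\tx\n'                    # malformed
}

# Live use: pipe the second tshark one-liner above into
#   new_unknown_clients whitelist.txt
```
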