SniffAir – A Framework For Wireless Pentesting

SniffAir is an open-source wireless security framework that makes it easy to parse passively collected wireless data and to launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws. Along with the prebuilt queries, SniffAir allows users to create custom queries for analyzing the wireless data stored in the backend SQL database. SniffAir is built on the concept of using these queries to extract data for wireless penetration test reports. The data can also be leveraged in setting up sophisticated wireless attacks included in SniffAir as modules.

SniffAir is developed by @Tyl0us and @theDarracott.

Install

SniffAir was developed with Python version 2.7. Tested and supported on Kali Linux, Debian and Ubuntu.

To install, run the setup.sh script:

    $ ./setup.sh

Usage

    >> [default]# help
    Commands
    ========
    workspace             Manages workspaces (create, list, load, delete)
    live_capture          Initiates a valid wireless interface to collect wireless pakcets to be parsed (requires the interface name)
    offline_capture       Begins parsing wireless packets using a pcap file-kismet .pcapdump work best (requires the full path)
    offline_capture_list  Begins parsing wireless packets using a list of pcap file-kismet .pcapdump work best (requires the full path)
    query                 Executes a query on the contents of the acitve workspace
    help                  Displays this help menu
    clear                 Clears the screen
    show                  Shows the contents of a table, specific information across all tables or the available modules
    inscope               Add ESSID to scope. inscope [ESSID]
    SSID_Info             Displays all information (i.e all BSSID, Channels and Encrpytion) related to the inscope SSIDS
    use                   Use a SniffAir module
    info                  Displays all variable information regarding the selected module
    set                   Sets a variable in module
    exploit               Runs the loaded module
    run                   Runs the loaded module
    exit                  Exit SniffAir
    >> [default]#

Begin

First create a new workspace or load an existing one using the workspace create <workspace> or workspace load <workspace> command. To view all existing workspaces use the workspace list command, and use the workspace delete <workspace> command to delete the desired workspace:

    >> [default]# workspace
    Manages workspaces
    Command Option: workspaces [create|list|load|delete]
    >> [default]# workspace create demo
    [+] Workspace demo created

Load data into a desired workspace from a pcap file using the command offline_capture <the full path to the pcap file>. To load a series of pcap files use the command offline_capture_list <the full path to the file containing the list of pcap name> (this file should contain the full paths to each pcap file).
Use the live_capture <interface name> command to capture live wireless traffic using a wireless interface.

    >> [demo]# offline_capture /root/sniffair/demo.pcapdump
    [+] Importing /root/sniffair/demo.pcapdump
    \
    [+] Completed
    [+] Cleaning Up Duplicates
    [+] ESSIDs Observed

Show Command

The show command displays the contents of a table, specific information across all tables or the available modules, using the following syntax:

    >> [demo]# show table AP
    +------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
    |   ID | ESSID     | BSSID             | VENDOR                        |   CHAN |   PWR | ENC   | CIPHER   | AUTH   |
    |------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------|
    |    1 | HoneyPot  | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. |      4 |   -17 | WPA2  | TKIP     | MGT    |
    |    2 | Demo      | 80:2a:a8:##:##:## | Ubiquiti Networks Inc.        |     11 |   -19 | WPA2  | CCMP     | PSK    |
    |    3 | Demo5ghz  | 82:2a:a8:##:##:## | Unknown                       |     36 |   -27 | WPA2  | CCMP     | PSK    |
    |    4 | HoneyPot1 | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. |     36 |   -29 | WPA2  | TKIP     | PSK    |
    |    5 | BELL456   | 44:e9:dd:##:##:## | Sagemcom Broadband SAS        |      6 |   -73 | WPA2  | CCMP     | PSK    |
    +------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+

    >> [demo]# show SSIDS
    ---------
    HoneyPot
    Demo
    HoneyPot1
    BELL456
    Hidden
    Demo5ghz
    ---------

The query command can be used to display a unique set of data based on the parameters specified. The query command uses SQL syntax.

Inscope

The inscope <SSID> command can be used to add an SSID to the inscope tables, loading all related data into the inscope_AP, inscope_proberequests and inscope_proberesponses tables. To view a summary of all inscope SSIDs, run the SSID_Info command.

Modules

Modules can be used to analyze the data contained in the workspaces or perform offensive wireless attacks using the use <module name> command. For some modules additional variables may need to be set.
They can be set using the set command, set <variable name> <variable value>:

    >> [demo]# show modules
    Available Modules
    =================
    [+] Auto EAP - Automated Brute-Force Login Attack Against EAP Networks
    [+] Auto PSK - Automated Brute-Force Passphrase Attack Against PSK Networks
    [+] AP Hunter - Discover Access Point Within a Certain Range Using a Specific Type of Encrpytion
    [+] Captive Portal - Web Based Login Portal to Capture User Entered Credentials (Runs as an OPEN Network)
    [+] Certificate Generator - Generates a Certificate Used by Evil Twin Attacks
    [+] Exporter - Exports Data Stored in a Workspace to a CSV File
    [+] Evil Twin - Creates a Fake Access Point, Clients Connect to Divulging MSCHAP Hashes or Cleartext Passwords
    [+] Handshaker - Parses Database or .pcapdump Files Extracting the Pre-Shared Handshake for Password Guessing (Hashcat or JTR Format)
    [+] Mac Changer - Changes The Mac Address of an Interface
    [+] Probe Packet - Sends Out Deauth Packets Targeting SSID(s)
    [+] Proof Packet - Parses Database or .pcapdump Files Extracting all Packets Related to the Inscope SSDIS
    [+] Hidden SSID - Discovers the Names of HIDDEN SSIDS
    [+] Suspicious AP - Looks for Access Points that: Is On Different Channel, use a Different Vendor or Encrpytion Type Then the Rest of The Network
    [+] Wigle Search SSID - Queries wigle for SSID (i.e. Bob's wifi)
    [+] Wigle Search MAC - Queries wigle for all observations of a single mac address
    >> [demo]#
    >> [demo]# use Captive Portal
    >> [demo][Captive Portal]# info
    Globally Set Varibles
    =====================
     Module: Captive Portal
     Interface:
     SSID:
     Channel:
     Template: Cisco (More to be added soon)
    >> [demo][Captive Portal]# set Interface wlan0
    >> [demo][Captive Portal]# set SSID demo
    >> [demo][Captive Portal]# set Channel 1
    >> [demo][Captive Portal]# info
    Globally Set Varibles
    =====================
     Module: Captive Portal
     Interface: wlan0
     SSID: demo
     Channel: 1
     Template: Cisco (More to be added soon)
    >> [demo][Captive Portal]#

Once all variables are set, execute the exploit or run command to run the desired attack.

Export

To export all information stored in a workspace's tables, use the Exporter module and set the desired path.

Acknowledgments

SniffAir contains work from the following repositories:

hostapd-wpe
jmalinen/hostap
lootbooty

Download SniffAir
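
The query command and the Suspicious AP module described above both work on the AP table. As an added example (not SniffAir's own code), the Python below runs a report query and a majority-based outlier check of the kind the Suspicious AP description outlines. The column names come from the show table AP output on this page; the in-memory SQLite table standing in for the workspace database, the sample rows and the function names are assumptions made for illustration.

```python
import sqlite3
from collections import Counter

# Constructed sample rows. Column names follow the `show table AP` header on
# this page; the real SniffAir schema may differ (assumption).
ROWS = [
    ("Demo", "80:2a:a8:00:00:01", "Ubiquiti Networks Inc.", 11, -19, "WPA2", "CCMP", "PSK"),
    ("Demo", "80:2a:a8:00:00:02", "Ubiquiti Networks Inc.", 11, -40, "WPA2", "CCMP", "PSK"),
    ("Demo", "80:2a:a8:00:00:03", "Ubiquiti Networks Inc.", 11, -55, "WPA2", "CCMP", "PSK"),
    ("Demo", "c4:6e:1f:00:00:04", "TP-LINK TECHNOLOGIES CO. LTD.", 4, -17, "WPA2", "TKIP", "PSK"),
    ("BELL456", "44:e9:dd:00:00:05", "Sagemcom Broadband SAS", 6, -73, "WPA2", "CCMP", "PSK"),
]

def load(rows=ROWS):
    """Build an in-memory stand-in for a workspace's AP table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AP (ID INTEGER PRIMARY KEY, ESSID TEXT, BSSID TEXT,"
                 " VENDOR TEXT, CHAN INTEGER, PWR INTEGER, ENC TEXT, CIPHER TEXT, AUTH TEXT)")
    conn.executemany("INSERT INTO AP (ESSID, BSSID, VENDOR, CHAN, PWR, ENC, CIPHER, AUTH)"
                     " VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn

def tkip_findings(conn, essid):
    """Report query: access points of an in-scope ESSID still using TKIP."""
    cur = conn.execute("SELECT BSSID, CHAN FROM AP WHERE ESSID = ? AND CIPHER = 'TKIP'"
                       " ORDER BY BSSID", (essid,))
    return cur.fetchall()

def outliers(conn, essid):
    """Flag APs whose vendor, channel or cipher differs from the ESSID's majority."""
    rows = conn.execute("SELECT BSSID, VENDOR, CHAN, CIPHER FROM AP WHERE ESSID = ?",
                        (essid,)).fetchall()
    if len(rows) < 3:  # one or two APs give no meaningful majority
        return []
    flagged = []
    for idx, name in ((1, "VENDOR"), (2, "CHAN"), (3, "CIPHER")):
        common, _ = Counter(r[idx] for r in rows).most_common(1)[0]
        flagged += [(r[0], name, r[idx]) for r in rows if r[idx] != common]
    return sorted(flagged)

if __name__ == "__main__":
    db = load()
    print(tkip_findings(db, "Demo"))
    for bssid, field, value in outliers(db, "Demo"):
        print(f"{bssid}: {field}={value} differs from the rest of Demo")
```

Legitimate multi-AP deployments often spread access points across channels, so a channel mismatch on its own is a weaker signal than a vendor or cipher mismatch.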

Link: http://feedproxy.google.com/~r/PentestTools/~3/MbOna5CFG4s/sniffair-framework-for-wireless.html