[Chicago] Python traffic analysis idea

Nick Bennett nick at goggl.es
Tue Jan 28 22:09:19 CET 2014


Adrian,

I highly recommend you check out scapy <http://www.secdev.org/projects/scapy/>
and this post about using it
<http://hackoftheday.securitytube.net/2013/03/wi-fi-sniffer-in-10-lines-of-python.html>.
Apparently this is all you need to get a list of access points and their
MAC addresses:

> #!/usr/bin/env python
> from scapy.all import *
>
> ap_list = []  # BSSIDs already reported, so each AP is printed only once
>
> def PacketHandler(pkt):
>     # Only 802.11 frames; type 0 / subtype 8 is a management frame of
>     # subtype Beacon, which every AP transmits periodically.
>     if pkt.haslayer(Dot11) and pkt.type == 0 and pkt.subtype == 8:
>         # addr2 is the transmitter address, i.e. the AP's BSSID; the
>         # Beacon's SSID element is exposed by scapy as pkt.info.
>         if pkt.addr2 not in ap_list:
>             ap_list.append(pkt.addr2)
>             print("AP MAC: %s with SSID: %s" % (pkt.addr2, pkt.info))
>
> # Needs a wireless interface already placed in monitor mode (here mon0).
> sniff(iface="mon0", prn=PacketHandler)
>
> (gist <https://gist.github.com/securitytube/5291959#file-ssid-sniffer-scapy-python-py>)

Related to scapy, check out this O'Reilly book, Security Power Tools
<http://shop.oreilly.com/product/9780596009632.do>, that has a chapter about
scapy (written by the project author).

For the logging component, there's already the logging module in the Python
standard library. For an idea of how to use it, try Victor Lin's guide on
good logging practice in Python
<http://victorlin.me/posts/2012/08/26/good-logging-practice-in-python>.

All of this hinges on you having a wireless device that can run in monitor
mode (I would test this all now but I don't have that kind of wifi card).
In the scapy tutorial the author recommends one in particular. Whatever
platform you're on, look for a list of recommended WiFi hardware good for
wardriving.



Nick Bennett
nick at goggl.es


On Tue, Jan 28, 2014 at 2:29 PM, Nick Bennett <nick at goggl.es> wrote:

> Steve,
>
> Your idea makes sense when you're the owner of the network and have
> control over the access points. I think what Adrian is talking about is
> more along the lines of network surveys of all WLAN access points whether
> they're in your control or not, and specifically with the goal of using
> Python to get access to pertinent details and log them in any way.
>
> Nick Bennett
> nick at goggl.es
>
>
> On Tue, Jan 28, 2014 at 2:20 PM, Steve Schwarz <steve at agilitynerd.com> wrote:
>
>> Maybe I'm missing something but why not a basic web app (even a CGI
>> script) that the "Points" HTTP POST to? Then you can process the data at
>> post or store centrally for further processing. You can use urllib2 or
>> python-requests to do the POST with authentication. HTTP(S) is async and
>> sufficiently secure for this data - unless you are sending a real lot of
>> data/packets.
>>
>> Best Regards,
>> Steve
>>
>>
>> On Tue, Jan 28, 2014 at 11:28 AM, Adrian Buford <
>> technicallydebatable at gmail.com> wrote:
>>
>>> The issue isn't finding code to perform the task. The issue is getting
>>> the results to a log. I cannot find anything in that direction. I would put
>>> the idea in the same category as wardriving but with an added purpose. I am
>>> a daily user of Kali and Pentoo. I even went as far as reading the man
>>> pages on the Aircrack-ng suite to see if there was anything I overlooked.
>>> I've looked at Fern also. You are probably right. This is something I may
>>> need to hash out with my own code completely.
>>> On Jan 28, 2014 10:38 AM, "Nick Bennett" <nick at goggl.es> wrote:
>>>
>>>> What you're talking about, logging information about WiFi access
>>>> points, sounds a lot like wardriving <http://en.wikipedia.org/wiki/Wardriving>.
>>>> Even if that's not exactly what you mean, it should point you in some
>>>> directions for how to do such things with Python.
>>>>
>>>> I think that one of the most important parts of problem solving and
>>>> research in this day and age is to get relevant keywords. Searching
>>>> for "wardriving python" on DuckDuckGo <https://duckduckgo.com/?q=wardriving+python>
>>>> produces a lot of seemingly relevant results, including:
>>>>
>>>> - a metric tonne of instructions on creating a mobile wardriving device
>>>> using Raspberry Pi and other low power (consuming) hardware, which reminds
>>>> me of Paul Ebreo's talk at the ChiPy meeting <http://www.chipy.org/meetings/past/>
>>>> in November 2013 at Spartz, "Python <3 Open Source Hardware"
>>>> - a ton of stuff related to computer security and penetration testing
>>>>
>>>> What I didn't see in that search was much about writing Python code or
>>>> particular modules. I imagine this might be because wardriving is a very
>>>> common term I'd associate with non-programmers who want to perform a
>>>> complex task without needing to write code. I refined the search on DuckDuckGo
>>>> to "python penetration testing wifi" <https://duckduckgo.com/?q=python+penetration+testing+wifi>
>>>> and got some promising directions:
>>>>
>>>> - Fern <http://code.google.com/p/fern-wifi-cracker/> - "a Wireless
>>>> security auditing and attack software program written using the Python
>>>> Programming Language <http://www.python.org/> and the Python Qt GUI
>>>> library <http://www.riverbankcomputing.co.uk/software/pyqt/intro>, the
>>>> program is able to crack and recover WEP/WPA/WPS keys and also run other
>>>> network based attacks on wireless or ethernet based networks"
>>>> - Video: WLAN SSID Sniffer Using Raw Sockets in [10 Lines of] Python<http://www.securitytube.net/video/7275>
>>>>
>>>> If you don't want to go that far down the rabbit hole, you could watch this
>>>> shaky video of a monitor <https://www.youtube.com/watch?v=RVVaWoxHKJo> of a
>>>> fellow describing, very amiably and I think very understandably, how
>>>> to use Python very simply to get information from kismet on a Raspberry Pi
>>>> (for your viewers, please use a tripod and share your code somewhere other
>>>> than Google Docs <https://docs.google.com/file/d/0B1i26IugaGQbZmJBb2pwT2JJSjg/edit>).
>>>>
>>>> As with all things, please use this information responsibly and write
>>>> tests for your code.
>>>>
>>>> Nick Bennett
>>>> nick at goggl.es
>>>>
>>>>
>>>> On Tue, Jan 28, 2014 at 10:02 AM, Adrian Buford <
>>>> technicallydebatable at gmail.com> wrote:
>>>>
>>>>> They collect the data but don't have options for export. I looked at
>>>>> the man pages for both. One had an export option I couldn't get to work.
>>>>> On Jan 27, 2014 9:59 PM, "Adrian Buford" <
>>>>> technicallydebatable at gmail.com> wrote:
>>>>>
>>>>>> I'll research tonight and post how I branch off. Thank you.
>>>>>> On Jan 27, 2014 8:55 PM, "Daniel Peters" <danieltpeters at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> So, are you looking for how to implement this?  There's a few wifi
>>>>>>> sniffing tools on Linux, things like (off the top of my head...) wifilist
>>>>>>> and wavemon. wavemon in particular does all of that, you could see if any
>>>>>>> of these kinds of tools output in some kind of text format, and then do
>>>>>>> what you want with that?
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jan 27, 2014 at 6:58 PM, Adrian Buford <
>>>>>>> technicallydebatable at gmail.com> wrote:
>>>>>>>
>>>>>>>> Looking for assistance on writing Python based traffic analysis
>>>>>>>> script(s). I have the concept drawn but just started digging into coding.
>>>>>>>> Any help is appreciated.
>>>>>>>>
>>>>>>>> Point A > captures bssid, mac, ssid, signal strength of AP(x) and
>>>>>>>> appends a time stamp to logA
>>>>>>>>
>>>>>>>> Point B > does the same and appends to logB
>>>>>>>>
>>>>>>>> Information is compared between logs and the average Point A to Point B
>>>>>>>> time is generated based on a signal threshold. AP(x) being any device that
>>>>>>>> can broadcast such a signal: cellular, mobile hot spot, CTA train (yes they
>>>>>>>> do). Idea came from using WigleWiFi this weekend. Was thinking of logging
>>>>>>>> via ssh connection to home server. I'm sure accuracy can be improved via
>>>>>>>> the great minds here. This idea isn't limited to two points. More points
>>>>>>>> will yield better accuracy.
>>>>>>>>
>>>>>>>> Enough ranting. Thank you. Any help is appreciated.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Chicago mailing list
>>>>>>>> Chicago at python.org
>>>>>>>> https://mail.python.org/mailman/listinfo/chicago
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>
>>
>>
>> --
>> Best Regards,
>> Steve
>> Blogs: http://agilitynerd.com/  http://tech.agilitynerd.com/
>> Dog Agility Search: http://googility.com/
>> Dog Agility Courses: http://agilitycourses.com/
>> http://www.facebook.com/AgilityNerd
>>
>
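Added example, not code from this thread or from the scapy project: a hand-written parser for the RadioTap + 802.11 Beacon frames that the scapy snippet above filters on (Dot11 type 0, subtype 8). It extracts the same BSSID (addr2) and SSID, and additionally the dBm antenna signal from the RadioTap header, which the snippet does not read but which the original "signal strength" requirement needs. The frame builder and the sample BSSID/SSID values are constructed test input only; on a real system the bytes come from a monitor-mode interface.

```python
import struct

# RadioTap "present" bits for the leading fields, with each field's size and
# natural alignment (offsets are aligned relative to the start of the header).
RT_FIELDS = [
    (0, 8, 8),  # TSFT
    (1, 1, 1),  # Flags
    (2, 1, 1),  # Rate
    (3, 4, 2),  # Channel (frequency + flags)
    (4, 2, 2),  # FHSS
    (5, 1, 1),  # dBm antenna signal
]
RT_BIT_DBM_ANTSIGNAL = 5
RT_BIT_EXT = 1 << 31  # set when another present word follows
FC_TYPE_MGMT, FC_SUBTYPE_BEACON = 0, 8
TAG_SSID = 0


def parse_radiotap(frame):
    """Return (radiotap_length, dbm_signal_or_None) for a RadioTap-prefixed frame."""
    version, _pad, length = struct.unpack_from("<BBH", frame, 0)
    if version != 0 or length > len(frame):
        raise ValueError("bad radiotap header")
    off = 4
    (present,) = struct.unpack_from("<I", frame, off)
    off += 4
    ext = present
    while ext & RT_BIT_EXT:  # skip extended present words; their fields come after ours
        (ext,) = struct.unpack_from("<I", frame, off)
        off += 4
    signal = None
    for bit, size, align in RT_FIELDS:
        if present & (1 << bit):
            off = (off + align - 1) // align * align
            if bit == RT_BIT_DBM_ANTSIGNAL:
                signal = struct.unpack_from("<b", frame, off)[0]
                break
            off += size
    return length, signal


def parse_beacon(frame):
    """Return {"bssid", "ssid", "rssi"} for a Beacon, or None for any other frame."""
    rt_len, signal = parse_radiotap(frame)
    dot11 = frame[rt_len:]
    if len(dot11) < 24 + 12:  # MAC header + fixed Beacon fields
        return None
    fc0 = dot11[0]  # frame control: bits 2-3 type, bits 4-7 subtype
    if ((fc0 >> 2) & 0x3, fc0 >> 4) != (FC_TYPE_MGMT, FC_SUBTYPE_BEACON):
        return None
    # addr2 is the transmitter address, what the scapy snippet prints as pkt.addr2
    bssid = ":".join("%02x" % b for b in dot11[10:16])
    ssid = None
    off = 24 + 12
    while off + 2 <= len(dot11):  # walk the tagged elements until the SSID
        tag, tlen = dot11[off], dot11[off + 1]
        body = dot11[off + 2:off + 2 + tlen]
        if len(body) < tlen:
            break  # truncated element: stop rather than mis-parse
        if tag == TAG_SSID:
            ssid = body.decode("utf-8", "replace")
            break
        off += 2 + tlen
    return {"bssid": bssid, "ssid": ssid, "rssi": signal}


def build_beacon(bssid, ssid, rssi_dbm, freq_mhz=2437):
    """Construct a RadioTap + Beacon frame for testing (bssid is 6 raw bytes)."""
    present = (1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5)
    # header 8 bytes, TSFT at 8, flags at 16, rate at 17, channel at 18, signal at 22
    radiotap = struct.pack("<BBHI", 0, 0, 23, present)
    radiotap += struct.pack("<QBBHHb", 0, 0, 0x02, freq_mhz, 0x0080, rssi_dbm)
    ssid_b = ssid.encode("utf-8")
    mac_hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, beacon interval, capabilities
    tags = bytes([TAG_SSID, len(ssid_b)]) + ssid_b + bytes([1, 1, 0x82])  # SSID, then a rates tag
    return radiotap + mac_hdr + fixed + tags


if __name__ == "__main__":
    demo = build_beacon(bytes.fromhex("aabbccddee01"), "cta-train-1", -55)
    print(parse_beacon(demo))
```

Frames that are not Beacons return None, and a Beacon cut off mid-element keeps its BSSID and RSSI but reports no SSID instead of reading past the buffer.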
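Added example, not code from this thread: the logging component and the "compare logA with logB" step of the design discussed above, using the standard-library logging module that Nick points to. Everything about the record layout is an assumption made for this example: each point logs one sighting per line as "ISO-8601 time, bssid, ssid, rssi in dBm" separated by tabs, an AP "counts" at a point the first time it is heard at or above a dBm threshold, and the sample log lines (including the deliberately broken one) are constructed.

```python
import io
import logging
from datetime import datetime

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
LINE_FORMAT = "%(asctime)s\t%(bssid)s\t%(ssid)s\t%(rssi)d"


def make_point_logger(name, stream):
    """Logger whose records come out in the tab-separated line format parse_log reads."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    for old in list(logger.handlers):
        logger.removeHandler(old)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(LINE_FORMAT, TIME_FORMAT))
    logger.addHandler(handler)
    return logger


def log_sighting(logger, bssid, ssid, rssi):
    """Emit one sighting; the formatter supplies the time stamp."""
    logger.info("", extra={"bssid": bssid.lower(), "ssid": ssid, "rssi": int(rssi)})


def parse_log(text):
    """Return [(time, bssid, ssid, rssi)], skipping lines that don't fit the format."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        ts, bssid, ssid, rssi = parts
        try:
            rows.append((datetime.strptime(ts, TIME_FORMAT), bssid.lower(), ssid, int(rssi)))
        except ValueError:
            continue  # malformed time or rssi: drop the line, keep going
    return rows


def first_heard(rows, threshold_dbm):
    """bssid -> earliest time the AP was heard at or above the threshold."""
    first = {}
    for ts, bssid, _ssid, rssi in rows:
        if rssi >= threshold_dbm and (bssid not in first or ts < first[bssid]):
            first[bssid] = ts
    return first


def transit_times(log_a, log_b, threshold_dbm=-70):
    """Seconds from first strong sighting at A to first strong sighting at B, per bssid.

    APs heard strongly at only one point, or at B before A, are left out.
    """
    at_a = first_heard(parse_log(log_a), threshold_dbm)
    at_b = first_heard(parse_log(log_b), threshold_dbm)
    times = {}
    for bssid, t_a in at_a.items():
        t_b = at_b.get(bssid)
        if t_b is not None and t_b > t_a:
            times[bssid] = (t_b - t_a).total_seconds()
    return times


def average_transit(log_a, log_b, threshold_dbm=-70):
    """Mean A-to-B time over the APs that qualify, or None if none do."""
    times = transit_times(log_a, log_b, threshold_dbm)
    return sum(times.values()) / len(times) if times else None


def logging_roundtrip(bssid="AA:BB:CC:DD:EE:05", ssid="demo", rssi=-61):
    """Write one sighting through the logging module and parse it back."""
    buf = io.StringIO()
    log_sighting(make_point_logger("pointA", buf), bssid, ssid, rssi)
    return parse_log(buf.getvalue())


# Constructed sample logs; the "garbage line" stands in for a torn write.
LOG_A = """\
2014-01-28T08:00:00\taa:bb:cc:dd:ee:01\tcta-train-1\t-55
2014-01-28T08:00:05\taa:bb:cc:dd:ee:01\tcta-train-1\t-50
2014-01-28T08:00:10\taa:bb:cc:dd:ee:02\thotspot-2\t-80
2014-01-28T08:01:00\taa:bb:cc:dd:ee:03\thotspot-3\t-60
2014-01-28T08:01:30\taa:bb:cc:dd:ee:04\tfixed-ap\t-45
garbage line
"""
LOG_B = """\
2014-01-28T08:06:00\taa:bb:cc:dd:ee:01\tcta-train-1\t-58
2014-01-28T08:05:00\taa:bb:cc:dd:ee:02\thotspot-2\t-40
2014-01-28T08:09:00\taa:bb:cc:dd:ee:03\thotspot-3\t-62
2014-01-28T07:50:00\taa:bb:cc:dd:ee:04\tfixed-ap\t-45
"""

if __name__ == "__main__":
    for bssid, secs in sorted(transit_times(LOG_A, LOG_B).items()):
        print("%s  A->B %.0f s" % (bssid, secs))
    print("average: %s s" % average_transit(LOG_A, LOG_B))
```

With the -70 dBm default, hotspot-2 is too weak at A to count and fixed-ap was heard at B before A, so only the two APs that genuinely passed A then B contribute; lowering the threshold to -85 dBm admits hotspot-2 as well, which is the knob the original design wants to tune.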