Information Security

How To Tell Exactly How Many Spaces A ESSID Includes Using airodump-ng Or Wireshark

The other day I had a wireless network packet capture file saved as a .cap file. The ESSID that was displaying via normal aircrack-ng output of the WPA/WPA2 wireless packet capture lead me to believe there was at least one space included in the beginning of the ESSID and likely after the ESSID since it was not processing properly using oclHashcat-plus. I had never run into this before so wasn’t exactly sure the easiest way to figure out the number of spaces so I posed the question in the Freenode aircrack-ng IRC channel and got a couple responses which are noted below as well as instructions following the clearest solution.

Information Security

Strip WPA Capture File Down To EAPOL Packets Based On BSSID Instead Of ESSID

In the past we have written a couple articles on using tshark to strip WPA capture files down to a specific ESSID or SSID but in some cases it can be more useful to strip the capture down by BSSID or MAC address of the WAP. Isolating packets by BSSID or WAP MAC address is useful in a scenario where a wireless deployment has numerous WAP’s and you have captured a specific SSID’s traffic from more than one WAP. Below is information on how to strip down a capture file based on BSSID and information on capture size before stripping the file down.

Information Security

Filter Wireless Network Captures By SSID Using TShark

It is very common when obtaining wireless network handshakes to end up with a huge capture(.cap or .pcap typically) file. Previously purehate wrote this article on filtering out SSID specific EAPOL packets from a capture file but if you wanted to keep any and all packets related to a specific SSID including data packets, beacon frames, etc. the below tshark command will accomplish that. This is very similar to the previous article but will provide more data for the user and still slim down a capture file if you had packets from multiple SSID’s.

Information Security

CentOS Linux: pyrit: pckttools.py:418: UserWarning: Failed to compile BPF-filter

Pyrit was recently upgraded on a server that I use and when I logged in to run it manually from the CLI I noticed an error. The error, which is explained in more detail below, complains that the libpcap is to old. The server that this pyrit installation is installed on is CentOS 5.4. CentOS 5.X only provides libpcap version 0.9.4-14 as the latest available libpcap version in the yum repositories. At first I searched for a newer libpcap in third party repos though I was unsuccessful so I upgraded libpcap using the source. Below is more information regarding the error and how it was resolved.