Login

***HackMaster*** · (This post was last modified: 03-27-2023, 02:02 PM by HackMaster.)

Wifi_Db - Script To Parse Aircrack-ng Captures To A SQLite Database

[Image: AVvXsEhO52gZbQmL_OEzbU412aIPg_SeOmZWvXlq...=w640-h594]

Script to parse Aircrack-ng captures into a SQLite database and extract useful information like handshakes (in 22000 hashcat format), MGT identities, interesting relations between APs, clients and it's Probes, WPS information and a global view of all the APs seen.

Features

Displays if a network is cloaked (hidden) even if you have the ESSID.
Shows a detailed table of connected clients and their respective APs.
Identifies client probes connected to APs, providing insight into potential security risks usin Rogue APs.
Extracts handshakes for use with hashcat, facilitating password cracking.
Displays identity information from enterprise networks, including the EAP method used for authentication.
Generates a summary of each AP group by ESSID and encryption, giving an overview of the security status of nearby networks.
Provides a WPS info table for each AP, detailing information about the Wi-Fi Protected Setup configuration of the network.
Logs all instances when a client or AP has been seen with the GPS data and timestamp, enabling location-based analysis.
Upload files with capture folder or file. This option supports the use of wildcards (*) to select multiple files or folders.
Docker version in Docker Hub to avoid dependencies.
Obfuscated mode for demonstrations and conferences.
Possibility to add static GPS data.

Code:
docker pull r4ulcl/wifi_db

Manual installation

Debian based systems (Ubuntu, Kali, Parrot, etc.)

Dependencies:

python3
python3-pip
tshark
hcxtools

Code:
sudo apt install tshark

sudo apt install python3 python3-pip

git clone https://github.com/ZerBea/hcxtools.git

cd hcxtools

make 

sudo make install

cd ..

Installation

Code:
git clone https://github.com/r4ulcl/wifi_db

cd wifi_db

pip3 install -r requirements.txt

Arch

Dependencies:

python3
python3-pip
tshark
hcxtools

Code:
sudo pacman -S wireshark-qt

sudo pacman -S python-pip python

git clone https://github.com/ZerBea/hcxtools.git

cd hcxtools

make 

sudo make install

cd ..

Installation

Code:
git clone https://github.com/r4ulcl/wifi_db

cd wifi_db

pip3 install -r requirements.txt

Usage

Scan with airodump-ng

Run airodump-ng saving the output with -w:

Code:
sudo airodump-ng wlan0mon -w scan --manufacturer --wps --gpsd

Create the SQLite database using Docker

Code:
#Folder with captures

CAPTURESFOLDER=/home/user/wifi

# Output database

touch db.SQLITE

docker run -t -v $PWD/db.SQLITE:/db.SQLITE -v $CAPTURESFOLDER:/captures/ r4ulcl/wifi_db

To save de output in current folder db.SQLITE file

Code:
-v $PWD/db.SQLITE:/db.SQLITE

To share the folder with the captures with the docker

Code:
-v $CAPTURESFOLDER:/captures/

Create the SQLite database using manual installation
Once the capture is created, we can create the database by importing the capture. To do this, put the name of the capture without format.

Code:
python3 wifi_db.py scan-01

In the event that we have multiple captures we can load the folder in which they are directly. And with -d we can rename the output database.

Code:
python3 wifi_db.py -d database.sqlite scan-folder

[Image: AVvXsEhL-Vaq3y0psRaN7c_eyMvqHukYkNPKRfZP...=w640-h478]

Open database

The database can be open with:

sqlitebrowser

[Image: AVvXsEjPwrhKSOK5BnQ2JmXfkWW4dyotmo1eWC7X...=w640-h420]

Below is an example of a ProbeClientsConnected table.
[Image: AVvXsEgqPKxTR_l4MiEOdb6KlLy7AKeBmK5cYc3q...=w640-h190]

Arguments

usage: wifi_db.py [-h] [-v] [--debug] [-o] [-t LAT] [-n LON] [--source [{aircrack-ng,kismet,wigle}]] [-d DATABASE] capture [capture ...]

positional arguments:
capture capture folder or file with extensions .csv, .kismet.csv, .kismet.netxml, or .log.csv. If no extension is provided, all types will
be added. This option supports the use of wildcards (*) to select multiple files or folders.

options:
-h, --help show this help message and exit
-v, --verbose increase output verbosity
--debug increase output verbosity to debug
-o, --obfuscated Obfuscate MAC and BSSID with AA:BB:CC:XX:XX:XX-defghi (WARNING: replace all database)
-t LAT, --lat LAT insert a fake lat in the new elements
-n LON, --lon LON insert a fake lon i n the new elements
--source [{aircrack-ng,kismet,wigle}]
source from capture data (default: aircrack-ng)
-d DATABASE, --database DATABASE
output database, if exist append to the given database (default name: db.SQLITE)

Database

wifi_db contains several tables to store information related to wireless network traffic captured by airodump-ng. The tables are as follows:

Code:
AP
: This table stores information about the access points (APs) detected during the captures, including their MAC address

Network name bssidssidWhether the network is cloakedcloakedManufacturer manuf Channel channel Frequency frequency Carrier carrier Encryption typeencryption and total packets received from this AP packetsTotalThe table uses the MAC address as a primary key
Code:
Client

This table stores information about the wireless clients detected during the captures, including their MAC address

Code:
mac

Network name

Code:
ssid

Manufacturer

Code:
manuf

Device type

Code:
type

and total packets received from this client

Code:
packetsTotal
The table uses the MAC address as a primary key.
Code:
SeenClient

This table stores information about the clients seen during the captures, including their MAC address

Code:
mac

Time of detection

Code:
time

Tool used to capture the data

Code:
tool

Signal strength

Code:
signal_rssi

Latitude

Code:
lat

Longitude

Code:
lon

Altitude

Code:
alt

The table uses the combination of MAC address and detection time as a primary key, and has a foreign key relationship with the table

Code:
Client

This table stores information about the wireless clients that are connected to an access point, including the MAC address of the access point

Code:
Connected

Code:
bssid

and the client

Code:
mac

The table uses a combination of access point and client MAC addresses as a primary key, and has foreign key relationships with both the

Code:
AP
and

Code:
Client

Tables
Code:
WPS

This table stores information about access points that have Wi-Fi Protected Setup (WPS) enabled, including their MAC address

Code:
bssid

Network name

Code:
wlan_ssid

WPS version

Code:
wps_version

Device name

Code:
wps_device_name

Model name

Code:
wps_model_name

Model number

Code:
wps_model_number

Configuration methods

Code:
wps_config_methods

Keypad configuration methods

Code:
wps_config_methods_keypad

The table uses the MAC address as a primary key, and has a foreign key relationship with the table

Code:
AP
.
Code:
SeenAp

This table stores information about the access points seen during the captures, including their MAC address

Code:
bssid

Time of detection

Code:
time

Tool used to capture the data

Code:
tool

Signal strength

Code:
signal_rssi

Latitude

Code:
lat

Longitude

Code:
lon

Altitude

Code:
alt

and timestamp

Code:
bsstimestamp

The table uses the combination of access point MAC address and detection time as a primary key, and has a foreign key relationship with the table

Code:
AP
.
Code:
Probe

This table stores information about the probes sent by clients, including the client MAC address

Code:
mac

Network name

Code:
ssid

and time of probe

Code:
time

The table uses a combination of client MAC address and network name as a primary key, and has a foreign key relationship with the table

Code:
Client
.

This table stores information about the handshakes captured during the captures, including the MAC address of the access point

Code:
Handshake

Code:
bssid

The client

Code:
mac

File name

Code:
file

The hashcat format

Code:
hashcat
The table uses a combination of access point and client MAC addresses, and file name as a primary key, and has foreign key relationships with both the

Code:
AP
and

Code:
Client
tables.
Code:
Identity
: This table represents EAP (Extensible Authentication Protocol) identities and methods used in wireless authentication. The

Code:
bssid
and

Code:
mac
fields are foreign keys that reference the

Code:
AP
and

Code:
Client
tables, respectively. Other fields include the identity and method used in the authentication process.

Views

Code:
ProbeClients
: This view selects the MAC address of the probe, the manufacturer and type of the client device, the total number of packets transmitted by the client, and the SSID of the probe. It joins the

Code:
Probe
and

Code:
Client
tables on the MAC address and orders the results by SSID.
Code:
ConnectedAP
: This view selects the BSSID of the connected access point, the SSID of the access point, the MAC address of the connected client device, and the manufacturer of the client device. It joins the

Code:
Connected
,

Code:
AP
, and

Code:
Client
tables on the BSSID and MAC address, respectively, and orders the results by BSSID.
Code:
ProbeClientsConnected
: This view selects the BSSID and SSID of the connected access point, the MAC address of the probe, the manufacturer and type of the client device, the total number of packets transmitted by the client, and the SSID of the probe. It joins the

Code:
Probe
,

Code:
Client
, and

Code:
ConnectedAP
tables on the MAC address of the probe, and filters the results to exclude probes that are connected to the same SSID that they are probing. The results are ordered by the SSID of the probe.
Code:
HandshakeAP
: This view selects the BSSID of the access point, the SSID of the access point, the MAC address of the client device that performed the handshake, the manufacturer of the client device, the file containing the handshake, and the hashcat output. It joins the

Code:
Handshake
,

Code:
AP
, and

Code:
Client
tables on the BSSID and MAC address, respectively, and orders the results by BSSID.
Code:
HandshakeAPUnique
: This view selects the BSSID of the access point, the SSID of the access point, the MAC address of the client device that performed the handshake, the manufacturer of the client device, the file containing the handshake, and the hashcat output. It joins the

Code:
Handshake
,

Code:
AP
, and

Code:
Client
tables on the BSSID and MAC address, respectively, and filters the results to exclude handshakes that were not cracked by hashcat. The results are grouped by SSID and ordered by BSSID.
Code:
IdentityAP
: This view selects the BSSID of the access point, the SSID of the access point, the MAC address of the client device that performed the identity request, the manufacturer of the client device, the identity string, and the method used for the identity request. It joins the

Code:
Identity
,

Code:
AP
, and

Code:
Client
tables on the BSSID and MAC address, respectively, and orders the results by BSSID.
Code:
SummaryAP
: This view selects the SSID, the count of access points broadcasting the SSID, the encryption type, the manufacturer of the access point, and whether the SSID is cloaked. It groups the results by SSID and orders them by the count of access points in descending order.

Login
Username/Email:
Password:	Lost Password?
	Remember me