This post continues from the previous one. Here I briefly summarize the data types used with the library.
#include <stdint.h>

struct radiotap_header {    // RadioTap is the standard for 802.11 reception/transmission/injection
    uint8_t  it_rev;        // Revision: version of RadioTap, always 0
    uint8_t  it_pad;        // Padding: 0 - aligns the fields onto natural word boundaries
    uint16_t it_len;        // Length: 26 here - entire length of the RadioTap header, little-endian
                            // (a 32-bit it_present field bitmap follows at offset 4; it is not needed just to read it_len)
};
it_rev: RadioTap version (0)
it_pad: padding (0)
it_len: total length of the RadioTap header (26 on the author's adapter; the header is variable-length, so read it_len instead of hard-coding it)
Below is what the debugger shows for this struct.
Breakpoint 2, pcapHandler (args=0x0, header=0x7ffffff900, packet=0x7fb7c04094 "") at 802sniff.c:78
78 int offset = 0;
(gdb) n
80 rtaphdr = (struct radiotap_header *) packet;
(gdb) print *rtaphdr
$6 = {it_rev = 0 '\000', it_pad = 0 '\000', it_len = 26}
Field | Offset (bytes) | Length (bytes)
---|---|---
RadioTap header (it_rev, it_pad, it_len) | 0 | 4
CHANNEL | 18 | 2
channelFreq | CHANNEL[1]*256 + CHANNEL[0] | (16-bit little-endian value, MHz)
RSSI | 22 | 1
rssiDbm | RSSI[0] - 256 | (signed dBm)
BSSID | 42 | 6
ESSID length | 63 | 1
ESSID | 64 | ESSID length
ssid (copy) | copied from ESSID | up to 63 (malloc(63))

Offsets 18 and 22 fall inside the 26-byte RadioTap header, so they depend on which fields this adapter's driver includes (the it_present bitmap) and are not portable. Offsets 42, 63 and 64 assume it_len = 26 followed by the 24-byte 802.11 management header (frame control, duration, three addresses, sequence control; the BSSID is the third address) and the 12 fixed bytes of a beacon body (timestamp, beacon interval, capability), which puts the SSID element's ID byte at 62, its length at 63 and its bytes at 64.
The debugger session is shown below.
$ sudo gdb 802sniff
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "aarch64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from 802sniff...done.
(gdb) break pcapHandler
Breakpoint 1 at 0xdd0: file 802sniff.c, line 82.
(gdb) run wlan0mon
Starting program: /home/igi/work1/pcap2/802sniff wlan0mon
Breakpoint 1, pcapHandler (args=0x0, header=0x7ffffff900, packet=0x7fb7c04094 "") at 802sniff.c:82
82 int offset = 0;
(gdb) l
77 * TKIP = PCS:00-0f-ac-02
78 * Microsoft Suite TKIP = PCS:00-50-f2-02, tag-type: 0xdd
79 * WPA2 Enterprise = (AKM:00-0f-ac-04,PCS:00-0f-ac-04) tag-type: 0x30
80 *
81 */
82 int offset = 0;
83 struct radiotap_header *rtaphdr;
84 rtaphdr = (struct radiotap_header *) packet;
85 offset = rtaphdr->it_len; // 26 bytes on my machine
86 //if(packet[offset]==0x80){ // 0x80 is 128 in dec. It is a Beacon MGMT frame // REMOVED for BPF syntax
(gdb)
87 bssid = packet + 42; // store the BSSID/AP MAC addr, 36 byte offset is transmitter address
88 essid = packet + 64; // store the ESSID/Router name too
89 essidLen = packet + 63; // store the ESSID length // this can be used to avoid looping bytes until >0x1 as below
90 rssi = packet + 22; // this is hex and this value is subtracted from 256 to get -X dbm.
91 signed int rssiDbm = rssi[0] - 256;
92 channel = packet + 18; // channel in little endian format (2 bytes)
93 int channelFreq = channel[1] * 256 + channel[0]; // a little bit of math, remember little endian
94 // 87 byte offset contains the "channel number" as per 802.11, e.g. 2412 = "channel 11"
95 char *ssid = malloc(63); // 63 byte limit
96 unsigned int i = 0; // used in loop below:
(gdb)
97 while(essid[i] > 0x1){ // uncomment these to see each byte individually:
98 //printf ("hex byte: %x\n",essid[i]); // view byte
99 //printf ("hex char: %c\n",essid[i]); // view ASCII
100 ssid[i] = essid[i]; // store the ESSID bytes in *ssid
101 i++; // POSTFIX
102 }
103 ssid[i] = '\0'; // terminate the string
104 fprintf(stdout,"RSSI: %d dBm\n",rssiDbm);
105 fprintf(stdout,"AP Frequency: %iMhz\n",channelFreq);
106 fprintf(stdout,"ESSID length: %i bytes.\n",essidLen[0]);
(gdb)
107 fprintf(stdout,"ESSID string: %s\n", ssid); // print the stored ESSID bytes
108 fprintf(stdout,"BSSID string: %02X:%02X:%02X:%02X:%02X:%02X\n",bssid[0],bssid[1],bssid[2],bssid[3],bssid[4],bssid[5]);
109 //} // REMOVED for BPF syntax
110
111 // Let's write the beacon to a file:
112 pcap_dumper_t *outputFile;
113 pcap_t *fileHandle;
114 char *outputFileName = "output.cap";
115 fileHandle = pcap_open_dead(DLT_IEEE802_11_RADIO, BUFSIZ);
116 outputFile = pcap_dump_open(fileHandle,outputFileName);
(gdb) break 104
Breakpoint 2 at 0x5555555ebc: file 802sniff.c, line 104.
(gdb) c
Continuing.
Breakpoint 2, pcapHandler (args=0x0, header=0x7ffffff900, packet=0x7fb7c04094 "") at 802sniff.c:104
104 fprintf(stdout,"RSSI: %d dBm\n",rssiDbm);
(gdb) print rssiDbm
$1 = -84
(gdb) print channelFreq
$2 = 2457
(gdb) print essidLen[0]
$5 = 6 '\006'
(gdb) print ssid
$6 = 0x555556a700 "iptime"
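As an added example (not the post's code and not the 802sniff.c listed above), the following C program parses the same beacon layout without fixed offsets: it reads it_len, walks the it_present bitmap to locate the Channel and dBm antenna signal fields, checks every offset against the captured length, and copies the SSID by its tag length into a 33-byte buffer instead of looping until a byte <= 1 over a malloc(63) as the listed code does. The sample frame is constructed, not captured; it reproduces the post's layout (it_len 26, Channel at 18, RSSI at 22, ESSID length at 63) and values (-84 dBm, 2457 MHz, "iptime"). The field sizes and alignments follow the radiotap specification for present bits 0 through 14; later bits are not needed here because fields are laid out in bit order.

```c
/* Added example (not the original post's code): bounds-checked beacon parsing.
 * Walks the radiotap it_present bitmap instead of assuming Channel at offset 18 and
 * RSSI at 22, and copies the SSID by its tag length instead of looping "until a byte <= 1". */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct beacon_info {
    int have_freq, have_rssi, rssi_dbm;
    unsigned freq_mhz;
    uint8_t bssid[6];
    uint8_t ssid_len;   /* declared length; 0 means a hidden SSID */
    char ssid[33];      /* 802.11 allows at most 32 bytes, plus NUL */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* size and natural alignment of the radiotap fields for present bits 0..14 */
static const struct { uint8_t size, align; } rt_field[15] = {
    {8,8},{1,1},{1,1},{4,2},{2,2},{1,1},{1,1},{2,2},{2,2},{2,2},{1,1},{1,1},{1,1},{1,1},{2,2}};
enum { RT_CHANNEL = 3, RT_DBM_ANTSIGNAL = 5 };

/* Returns the radiotap header length, or -1 if truncated or unparseable. */
int parse_radiotap(const uint8_t *pkt, size_t caplen, struct beacon_info *out)
{
    if (caplen < 8 || pkt[0] != 0) return -1;              /* it_rev, it_pad, it_len, it_present */
    size_t rt_len = le16(pkt + 2), pos = 8;
    uint32_t first = le32(pkt + 4), word = first;
    if (rt_len < 8 || rt_len > caplen) return -1;
    while ((word & (1u << 31)) && pos + 4 <= rt_len) {     /* bit 31: another present word follows */
        word = le32(pkt + pos);
        pos += 4;
    }
    for (unsigned bit = 0; bit < 15; bit++) {              /* fields follow in bit order */
        if (!(first & (1u << bit))) continue;
        size_t al = rt_field[bit].align;
        pos = (pos + al - 1) & ~(al - 1);                  /* align relative to header start */
        if (pos + rt_field[bit].size > rt_len) return -1;
        if (bit == RT_CHANNEL) { out->freq_mhz = le16(pkt + pos); out->have_freq = 1; }
        if (bit == RT_DBM_ANTSIGNAL) {                     /* same value as rssi[0] - 256 in the post */
            out->rssi_dbm = pkt[pos] >= 128 ? (int)pkt[pos] - 256 : pkt[pos];
            out->have_rssi = 1;
        }
        pos += rt_field[bit].size;
    }
    return (int)rt_len;
}

/* Returns 0 on success, -1 if the frame is not a beacon, is truncated, or has no valid SSID. */
int parse_beacon(const uint8_t *pkt, size_t caplen, struct beacon_info *out)
{
    memset(out, 0, sizeof *out);
    int rt_len = parse_radiotap(pkt, caplen, out);
    if (rt_len < 0) return -1;
    const uint8_t *f = pkt + rt_len;
    size_t flen = caplen - (size_t)rt_len, pos = 36;       /* 24-byte header + 12 fixed bytes */
    if (flen < pos || (f[0] & 0xfc) != 0x80) return -1;    /* type management, subtype beacon */
    memcpy(out->bssid, f + 16, 6);                         /* addr3 = BSSID (addr2 at +10 is the TA) */
    while (pos + 2 <= flen) {                              /* tagged parameters: id, len, value */
        uint8_t id = f[pos], len = f[pos + 1];
        if (pos + 2 + len > flen) return -1;               /* tag claims more than was captured */
        if (id == 0) {
            if (len > 32) return -1;                       /* longer than 802.11 allows */
            memcpy(out->ssid, f + pos + 2, len);
            out->ssid[len] = '\0';
            out->ssid_len = len;
            return 0;
        }
        pos += 2 + len;
    }
    return -1;
}

/* Constructed sample (not a real capture): 26-byte radiotap header with present = 0x0000482f
 * (TSFT, Flags, Rate, Channel, dBm signal, Antenna, RX flags), which puts Channel at offset 18
 * and RSSI at 22, the same layout the post's offsets assume. */
static const uint8_t sample_beacon[] = {
    0x00,0x00,0x1a,0x00, 0x2f,0x48,0x00,0x00,            /* it_rev, it_pad, it_len=26, it_present */
    0,0,0,0,0,0,0,0, 0x00,0x02,                          /* TSFT, flags, rate */
    0x99,0x09,0xa0,0x00, 0xac, 0x00, 0x00,0x00,          /* 2457 MHz + flags, -84 dBm, antenna, RX flags */
    0x80,0x00,0x00,0x00,                                 /* frame control (beacon), duration */
    0xff,0xff,0xff,0xff,0xff,0xff,                       /* addr1: broadcast */
    0x00,0x11,0x22,0x33,0x44,0x55,                       /* addr2: transmitter */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x00,            /* addr3: BSSID, sequence control */
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x11,0x04,               /* timestamp, beacon interval, capability */
    0x00,0x06,'i','p','t','i','m','e',                   /* tag 0 (SSID), length 6 */
    0x01,0x04,0x82,0x84,0x8b,0x96                        /* tag 1 (supported rates) */
};

/* Same frame with the ESSID length byte (offset 63 in the post's table) set to 200: the
 * listed loop would read past the packet; this parser rejects the frame instead. */
int parse_oversized_ssid_sample(struct beacon_info *out)
{
    uint8_t bad[sizeof sample_beacon];
    memcpy(bad, sample_beacon, sizeof bad);
    bad[63] = 0xc8;
    return parse_beacon(bad, sizeof bad, out);
}
```

In a pcap handler, call parse_beacon(packet, header->caplen, &info) and print the fields only when it returns 0; caplen matters because a snaplen shorter than the frame would otherwise let the fixed offsets read beyond the captured bytes. parse_oversized_ssid_sample shows the failure mode the bounds checks are for: with the length byte at offset 63 set to 200 the parser returns -1 rather than copying past the end of the packet.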