Hi MrShannon.
Thanks. Nice that you like these little wifi toys.
All functions you asked for (and much more) are already implemented:
1. case:
"I would like to prevent wlanresponse and wlandump-ng from using deauth and instead only listen for probe requests and stand up those SSID's for capture."
Use option -p and wlandump-ng doesn't transmit.
example:
wlandump-ng -i <device> -o capname.cap -c 1 -t 5 -m 1024 -s 20 -p
2. case:
"I'm interested in a sort of "passive" behavior, collecting the handshakes of clients that are looking for networks, not kicking them off of ones they are already connected to."
example:
wlandump-ng -i wlp3s0f0u1 -o capname.cap -c 1 -t 60 -m 1024 -s 20 -r -d 10000000 -D 1000000
Use options -d and -D with high values and set option -r to reset the counters when channel 1 is reached.
you can also set option -b to activate beaconing.
But keep in mind:
Clients connected to an AP are also sending probe responses and they are trying to connect to us.
3. case:
"I'm only interested in special BSSIDs"
use option -F (soft coded Berkeley Packet Filter)
wlandump-ng -i wlp3s0f0u1 -o capname.cap -F myfilterfile -c 1 -t 60 -m 1024 -s 20 -r -d 10000000 -D 1000000
myfilterfile is a text file containing valid wireshark/tcpdump filters (use your favorite wireshark filters).
example 1:
(wlan host 11:22:33:44:55:66 || wlan src aa:bb:cc:dd:ee:ff)
only this BSSID 11:22:33:44:55:66 in connection with this client aa:bb:cc:dd:ee:ff is under attack
example 2:
!(wlan host 11:22:33:44:55:66 || wlan src aa:bb:cc:dd:ee:ff)
everything is under attack, except for this BSSID 11:22:33:44:55:66 in connection with this client aa:bb:cc:dd:ee:ff
All combinations of all switches are possible.
Using these combinations, you are able either to use wlandump-ng as a surgeon uses his scalpel or as a conqueror uses an area weapon.
But it's not possible to implement "a single tactics option switch". Just play around and use different combinations and put your favourite options into a simple bash script (example for different scenarios: raspberry pi root .bash_profile).
#!/bin/bash
# Headless Raspberry Pi root .bash_profile: put the first wireless interface
# into monitor mode, capture, then power the Pi off with pioff (hcxtools).
cd /home || exit 1
# first interface whose name starts with "wl" (wlan0, wlp3s0f0u1, ...)
export WLANDEV=$(ls -1 /sys/class/net | grep '^wl' | head -n 1)
if [[ -n "$WLANDEV" ]]
then
    ARCHIVNAME=$(date +'%Y%m%d%H%M')
    ip link set "$WLANDEV" down
    iw dev "$WLANDEV" set type monitor
    ip link set "$WLANDEV" up
    wlanresponse -i "$WLANDEV" -o "$ARCHIVNAME.cap" -t 3 -b
    # alternative settings for other scenarios (uncomment one):
    # wlanresponse -i "$WLANDEV" -o "$ARCHIVNAME.cap" -t 43200 -b
    # wlanresponse -i "$WLANDEV" -o "$ARCHIVNAME.cap" -t 86400 -b
    # wlandump-ng -i "$WLANDEV" -o "$ARCHIVNAME.cap" -c 1 -t 600 -d 1000000 -D 100000 -m 512 -b -r -s 0
    # wlandump-ng -i "$WLANDEV" -o "$ARCHIVNAME.cap" -c 1 -t 4 -d 20 -D 2 -m 128 -b -r -s 0
fi
pioff &
systemctl start [email protected]
This is the most brutal mode (more than mdk3 can do) for mobile and portable operations:
wlanresponse -i $WLANDEV -o $ARCHIVNAME.cap -t 3 -b
This is a friendly, stationary mode:
wlandump-ng -i $WLANDEV -o $ARCHIVNAME.cap -c 1 -t 600 -d 1000000 -D 100000 -m 512 -b -r -s 0
In these cases option -F is not used, because I'm using the "hard coded Berkeley Packet Filter".
For all UBUNTU users:
Do not try to use this .bash_profile. It will not work for you because UBUNTU is known to start "hundreds" of unneeded services that prevent wlandump-ng/wlanresponse from doing their "work". wlandump-ng/wlanresponse need full access to the device, so you must identify and stop them:
for example these two:
systemctl stop NetworkManager.service
systemctl stop wpa_supplicant.service
Cheers
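As an added example (not hcxtools code and not from the poster), here is the defender's side of the deauth behaviour discussed in this thread: a small Python script that parses a raw 802.11 pcap (linktype 105, no radiotap header) and counts deauthentication/disassociation frames per BSSID, flagging any BSSID that reaches a threshold. The capture it runs on is constructed inline; the MAC addresses are the ones from the filter examples above plus one made-up second AP.

```python
import struct
from collections import Counter
LINKTYPE_IEEE802_11 = 105                        # raw 802.11 frames, no radiotap header
DEAUTH, DISASSOC, PROBE_REQ = 0x0C, 0x0A, 0x04   # management frame subtypes
def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mgmt_frame(subtype, addr1, addr2, addr3, body=b""):
    # FC(2) duration(2) addr1 addr2 addr3 seqctl(2) body; frame type 0 = management
    return bytes([subtype << 4, 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body

def build_pcap(frames):
    # Constructed capture: pcap global header followed by one record per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(data):
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap with raw 802.11 frames (linktype 105)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def deauth_per_bssid(data):
    # Count deauth/disassoc frames per BSSID (addr3 of a management frame)
    counts = Counter()
    for f in iter_frames(data):
        if len(f) < 24:
            continue                                 # truncated frame, skip
        ftype, subtype = (f[0] >> 2) & 3, f[0] >> 4
        if ftype == 0 and subtype in (DEAUTH, DISASSOC):
            counts[f[16:22].hex(":")] += 1
    return counts

def flag_floods(data, threshold=5):
    # BSSIDs with at least `threshold` deauth/disassoc frames in the capture
    return sorted(b for b, n in deauth_per_bssid(data).items() if n >= threshold)

# Constructed sample: 3 probe requests, 8 broadcast deauths from AP, 1 deauth from AP2
AP, CLIENT, BCAST = mac("11:22:33:44:55:66"), mac("aa:bb:cc:dd:ee:ff"), mac("ff:ff:ff:ff:ff:ff")
AP2 = mac("66:55:44:33:22:11")
SAMPLE = build_pcap([mgmt_frame(PROBE_REQ, BCAST, CLIENT, BCAST)] * 3
                    + [mgmt_frame(DEAUTH, BCAST, AP, AP, b"\x07\x00")] * 8
                    + [mgmt_frame(DEAUTH, CLIENT, AP2, AP2, b"\x07\x00")])
```

Point it at a real capture by reading the .cap file into `data` and calling `flag_floods(data)`; a BSSID that keeps showing up here while clients never complete a reconnect is the signature of the "brutal mode" described above.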