Wednesday, June 15, 2022

Autohotkey (AHK) Reformat MAC Addresses

Here is an AHK script to reformat MAC addresses. It takes a MAC address from the clipboard, written with :, -, or . separators or with none, and replaces the clipboard contents with the address in several formats, one per line.

Output:

AA:AA:BB:BB:CC:CC
AA-AA-BB-BB-CC-CC
AAAABBBBCCCC
AAAA.BBBB.CCCC



Script:

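; Reformats MAC addresses. Press ALT+Shift+M
!+m::
; Strip any existing separators from the clipboard text
Clipboard := StrReplace(Clipboard,"-","")
Clipboard := StrReplace(Clipboard,":","")
Clipboard := StrReplace(Clipboard,".","")
sleep 10
; var1: bare hex digits with no separators
var1 := Clipboard
; var2 and var3: a separator after every two digits; var4: a dot after every four
var2 := RegExReplace(Clipboard,"(?<!^.)(..)(?=[^$])","$1:")
var3 := RegExReplace(Clipboard,"(?<!^.)(..)(?=[^$])","$1-")
var4 := RegExReplace(Clipboard,"(?<!^.)(....)(?=[^$])","$1.")
; Put all four formats back on the clipboard, one per line
var5 = %var2%`n%var3%`n%var1%`n%var4%
Clipboard := var5
return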

Wednesday, May 11, 2022

Windows ARP Scan Utility

ARP scanning a subnet in Windows can be done with Nmap, but some AV/security utilities don't like Nmap and it's a bit heavy. arp-scan-windows can be used as a simple standalone program to scan a subnet.

Link: https://github.com/rsweet2/arp-scan-windows

Wednesday, March 9, 2022

Cisco WLC - Use AP as a Sniffer

And send the traffic to a remote Wireshark instance.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html#anc12

Wireshark capture filter: host 10.1.1.3


1) WLC / AP side

Here are the steps to collect a trace using a sniffer mode LAP:

  • Configure the AP in Sniffer mode:

The AP will reboot and it will not be able to serve clients.

  • Once the AP has re-joined the WLC, configure the radio of the AP (802.11b/g/n or 802.11a/n):
    • specify the sniffer IP address
    • select the channel
    • enable sniffing

  • The sniffer will receive the 802.11 traffic encapsulated using the airopeek protocol, from the WLC management IP address with source port UDP/5555 and destination UDP/5000.

2) Sniffer side: Wireshark

If using Wireshark to receive the traffic, follow the steps below:

  • Set the capture options to receive only traffic coming from the sniffing AP. If you filter only on UDP port 5000, the capture will miss IP fragments whenever the AP has to fragment a packet (which happens when it sniffs a 1500-byte frame and then has to add the PEEKREMOTE encapsulation):

This filter is optional but strongly recommended, as it excludes all the non-wireless traffic from the capture. Note that the WLC sends traffic to a UDP port on which no application is listening on the sniffer side, so the sniffer returns an ICMP port-unreachable response for each packet received from the WLC.

Although this is expected, the filter above also helps to exclude this traffic, which is useless and only makes the trace bigger and more difficult to read.

  • Then, start the capture:

  • The captured traffic has to be “decoded as...” PEEKREMOTE in order to see the 802.11 traffic:

  • The 802.11 traffic will now be visible:

The RF info shown above (e.g. the channel, signal strength, noise) is added by the AP.
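
Added example (not from the original post or the Cisco document): a Python model of the capture-filter point above, showing that a filter on UDP port 5000 alone drops the trailing IP fragment, and that a host-only filter also picks up the ICMP port-unreachable replies. Assumptions: 10.1.1.3 is the sending WLC address, the sniffer address and the 20-byte encapsulation header are constructed stand-ins, and `host A and not icmp` is an assumed filter shape, not one quoted from the page.

```python
import struct

WLC_IP, SNIFFER_IP = "10.1.1.3", "10.1.1.50"  # assumed WLC; constructed sniffer
MTU, IP_HDR = 1500, 20

def ip4(addr):
    return bytes(int(octet) for octet in addr.split("."))

def ip_packet(src, dst, proto, data, frag_field=0):
    """IPv4 header without options (checksum left at 0) followed by data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(data), 0x1234,
                       frag_field, 64, proto, 0, ip4(src), ip4(dst)) + data

def fragment_udp(src, dst, sport, dport, payload, mtu=MTU):
    """Split one UDP datagram into IPv4 fragments that fit the MTU."""
    datagram = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    step = (mtu - IP_HDR) // 8 * 8  # offsets count 8-byte units
    frags = []
    for off in range(0, len(datagram), step):
        more = 0x2000 if off + step < len(datagram) else 0  # MF flag
        frags.append(ip_packet(src, dst, 17, datagram[off:off + step], more | off // 8))
    return frags

def match_udp_port(pkt, port):
    """Like BPF 'udp port N': ports are readable only at fragment offset 0."""
    if pkt[9] != 17 or struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False
    return port in struct.unpack("!HH", pkt[20:24])

def match_host(pkt, host):
    """Like BPF 'host A': source or destination address equals A."""
    return ip4(host) in (pkt[12:16], pkt[16:20])

def match_host_not_icmp(pkt, host):
    """Like BPF 'host A and not icmp' (assumed filter shape, not from the page)."""
    return match_host(pkt, host) and pkt[9] != 1

def demo():
    # Constructed sample: 1500-byte sniffed frame plus a 20-byte stand-in for
    # the encapsulation header, sent from UDP/5555 to UDP/5000.
    stream = fragment_udp(WLC_IP, SNIFFER_IP, 5555, 5000, bytes(20 + 1500))
    # Constructed ICMP port-unreachable (type 3, code 3) from the sniffer.
    trace = stream + [ip_packet(SNIFFER_IP, WLC_IP, 1, bytes([3, 3]) + bytes(6))]
    return {"fragments": len(stream),
            "udp port 5000": sum(match_udp_port(p, 5000) for p in trace),
            "host": sum(match_host(p, WLC_IP) for p in trace),
            "host and not icmp": sum(match_host_not_icmp(p, WLC_IP) for p in trace)}

if __name__ == "__main__":
    print(demo())
```

The counts returned by `demo()` are the number of packets each filter would keep from the three-packet constructed trace (two fragments plus one ICMP reply).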