Here I will tell you about a bash script that I made for a very specific purpose, which I doubt others have this situation but, since I programmed it… it costs me nothing to share it 
Upstairs, what is this about?
It happens that in my city there is a fairly large network, many of us connect in a wired way (a network cable to a switch, linked to another, and many switches hehe), but large links (which cannot be by cable) They do with Wi-Fi equipment, in this way you have a network with several thousand users, that although there is no mail service and much less internet, you do play WoW (among others), you learn, share information, etc.
The fact is that it has been the case that certain Wi-Fi equipment is banned or expelled from the network, either because its owner violates network rules, or whatever. So, it is necessary to do a scan every X time to check if someone has reconnected the MAC of the ejected computer, and this is where this script comes in.
Simply put, what does the script do?
- First it does a scan in the subnet where it is running and detects the live hosts (the active IPs)
- Then, check if any of those IPs is a Ubiquiti (equipment used for links). It actually only detects if port 443 is open on each of the above IPs.
- It takes the MAC of each live device and with port 443 open, while at the same time comparing each MAC extracted with the one being searched.
- In case it finds a match, it generates a report.
Come on to the code!
Valid to clarify that for its operation it needs the following packages installed: nmap… nc… arping
Well, with nmap it does the mapping to detect active IPs, with nc then it checks which one has port 443 open, and finally with arping it extracts the MAC.
Yes, I know that with nmap you can do all this, but it took several seconds (or minutes more), I preferred to use several tools instead of just one to make everything work faster.
Yes now…. the code!
#! / bin / bash # # Requires having the packages installed: # nmap, arping, nc # # Author: KZKG ^ Gaara clear # Declaring variables DATE = `date + '% Y-% m-% d_% H-% M '`INTERFACE =' wlo1 'WANTEDMAC =' C8: CB: B8: B1: DA: E6 'YOURIP =` ifconfig | grep "192.168" | awk '{print $ 2}' `` YOURZONE = `echo $ YOURIP | awk -F "." '{print $ 3}' `` # Pulling Alive Hosts on the network (your IP) nmap -sn 192.168. $ YOURZONE.0 / 24 | grep "report for" | awk '{print $ 5}'> hosts-ip # Seeing which of these Hosts can be a Nano by having port 443 open rm hosts-nanos &> / dev / null for TMPVAR in `cat hosts-ip` do nc -zv -w 2 $ TMPVAR 443 &> / dev / null if [$? -ne 1]; then echo "$ TMPVAR" >> hosts-nanos fi done # Removing MAC from Nanos on the network rm hosts-mac &> / dev / null for TMPVAR in `cat hosts-nanos` do arping -I $ INTERFACE -f $ TMPVAR | grep "reply from" | awk '{print $ 5}' | cut -d '[' -f2 | cut -d ']' -f1 >> hosts-mac done # Comparing extracted MACs with the searched for MAC in `cat hosts-mac` do if [" $ MAC "=" $ WANTEDMAC "]; then MACLINE = `cat hosts-mac | grep -n $ MAC | cut -d ':' -f1` IPMAC = `cat hosts-nanos | sed $ MACLINE'q; d'` echo -e "\ n \ t ALERT, MAC of stolen device detected: $ MAC ... With IP: $ IPMAC" echo -e "\ t ... Generating Report ... "echo -e" Report generated by SpyMac \ n "> final_report_ $ YOURZONE.info echo -e" Report moment: $ DATE \ n ">> final_report_ $ YOURZONE.info echo -e" MAC of stolen device detected: $ WANTEDMAC \ n ">> final_report_ $ YOURZONE.info echo -e" IP currently used by this computer: $ IPMAC \ n ">> final_report_ $ YOURZONE.info echo -e" Report generated by: $ YOURIP \ n ">> final_report_ $ YOURZONE.info fi done exit
In case a match is found, it will show us the MAC found and also the IP used by that equipment.
This (still) has gaps hehe
I know there are things to improve, for example the MACs can be falsified, the MAC can be changed to the computer and that's it, I'm still looking for how to see the real MAC and not the false one if that is the case.
Also, by adding another for loop, I can make several MACs be compared at the same time and not compare / search only for a specific one, that is, search for the MACs that are in a list, 5, 10, whatever they are. It's something I have yet to do.
Maybe it is a Nano but it has port 443 blocked, I know how to be able to know with total security if it is a Ubiquiti device or not, that is, with curl (or wget) I can get the login form and compare it with one of a Ubiquiti, this is a more secure method than with port 443. It is another detail to add in future versions.
I would also like (which is already difficult for me) to generate a small script or even an APK to have this tool on my Android. I know I won't be able to put it in Play Store but... well, it's not like I want to 
Ah, iPhone users ... not even if I can (due to knowledge and time) would I port this tool to iOS ... JUAZ JUAZ JUAZ ... look in your App Store Let's see if by chance they have something similar, which I doubt 
Lesson finish date
Well, that's all. I repeat, I think that the specific script may not be useful to many (it's for a very specific situation), but maybe parts of the code will be, I hope so 