Jump to content
Nytro

Uncovering Hidden SSIDs

By Nytro, in Wireless Pentesting

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Uncovering Hidden SSIDs

By default every access point is broadcasting the SSID in the beacon frames. Sometimes network administrators might choose to configure the AP not to broadcast the SSID because they are thinking that they will avoid attacks just because if a malicious user doesn’t know that a network exist how he is going to attack it? Even though that hiding the wireless network name is a good choice however this doesn’t offer any security as it is relative easy for a determined attacker to discover it.

The first step is to create a monitor mode interface in order to be able to sniff wireless packets.

2.png?w=645Enable Monitor Mode Interface

Then we will use the airodump-ng mon0 in order to start capturing raw 802.11 frames which they will contain all the available wireless networks of the area. As we can see from the image below there is only one network which doesn’t broadcasting the SSID.

7.png?w=645&h=253Hidden Wireless Network

Alternatively we can check the beacon frames in wireshark and we will notice that the SSID is hidden.

1.png?w=645&h=315Beacon Frames – Hidden Wireless SSID

There are two ways to obtain the SSID for a wireless network that is not broadcasting.

  1. Passive
  2. Active

In the passive we will have to wait for a legitimate client to connect to the access point while we are monitoring the wireless traffic and to examine the Probe Request and Probe Response packets which will contain the SSID of the network.

3.png?w=645&h=209Probe Response Packet contains the SSID

This technique is stealthier than the active and it can be used in a scenario when we are attacking a corporate wireless network especially in the morning when there will be a variety of devices that will try to connect and unveil it’s presence.

The other method is to send directly deauthentication packets to all the clients on behalf of the access point which in this case is the Wireless Pentest Lab. This will force all the devices that are connected to the access point to disconnect and reconnect which again Probe response packets will be generated that will reveal the cloaked SSID.

We can send the deauthentication packets with the use of aireplay-ng as it can be seen below:

4.png?w=645&h=158Sending deuathentication packets

The value 5 is actually the number of deauthentication packets that we want to send and the -a specifies the MAC address of the access point. As we can see in the next screenshot after the deauthentication packets the probe response packets are generated again and because of these packets are not encrypted they unveil the wireless SSID.

6.png?w=645&h=144Generation of Probe Response Packets

Sursa: https://pentestlab.wordpress.com/2015/01/31/uncovering-hidden-ssids/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...