In this article we are going to uncover hidden SSIDs over the air. People believe that hiding an SSID is a security feature, but for a real pentester it is no obstacle at all to recover the SSID, and we will demonstrate how. SSIDs (service set identifiers) are the names by which wireless networks are identified. Hiding the SSID is security through obscurity: the owner hopes an attacker will not discover the network name, but the name still has to travel in clear text whenever a client joins.
We have set up our own network, as you will see below, and it is worth noting that performing this attack on a network other than your own (or one you are authorised to test) is against the law, so be careful with the steps shown below. We will look at two methods of finding hidden SSIDs, one passive and one active. In the passive method patience is the key; in the active method the pentester forces the result instead of waiting for it.
Setting up the wireless Alfa card in monitor mode:
1. wlan0 is the interface (screenshot not reproduced here).
2. Put the card in monitor mode; airmon-ng start wlan0 creates the wlan0mon interface used in the rest of this write-up.
3. Run airodump-ng wlan0mon; ConnectMAGIC will be our target.
4. NOTE: I opened the router admin page and set the SSID to hidden, as you can see below.
5. Our target now has its SSID hidden.
METHOD: 1–Passive method
This method requires patience: the attacker simply waits for a legitimate client to connect to the network. Let's see how it works:
STEP 1: Open a terminal and start sniffing the network you have chosen as the target: airodump-ng wlan0mon --channel 6 --bssid 40:C8:CB:04:23:B4
STEP 2: As soon as a legitimate client connects to this network the SSID is shown. I connected my host machine to the network, and here is what I got:
As you can see, I obtained the Service Set Identifier of our target. When you start sniffing the target you have to wait until a user connects to it, which may take a few hours or a day; that is why this method requires patience. When a client joins a network, a fixed sequence of management frames is exchanged: probe request and probe response, then authentication request and response, then association request and association response (for WPA/WPA2 the 4-way handshake follows). All of these frames can be viewed in Wireshark (freely available in Kali Linux). Inspecting them shows that the probe response and the association request carry the SSID as a clear-text information element; that is what happens behind the scenes, and it is why hiding the SSID removes it only from beacons, not from the join procedure. Clients that have the hidden network saved also send directed probe requests naming it, so the name leaks wherever those clients roam.
METHOD: 2–Active method
If you have no patience and need the SSID as soon as possible, the active method is the one to use. The attacker sends deauthentication frames to the target network whose SSID is hidden; the connected clients are kicked off and immediately reconnect, and the reconnection carries the SSID in clear text exactly as in the passive method. Let's see how it works through commands:
STEP 1: Start the sniffing using the command in the first terminal:
airodump-ng wlan0mon --channel 6 --bssid 40:C8:CB:04:23:B4
STEP 2: Send the deauth frames to the target in another terminal (left screen in the original screenshot; the usual tool is aireplay-ng, e.g. aireplay-ng --deauth 10 -a 40:C8:CB:04:23:B4 wlan0mon).
STEP 3: Wait for the legitimate user to reconnect (right screen); as soon as the client reassociates the SSID is shown.
Some things to keep in mind while performing this:
1. Set the Alfa card to the same channel as the target (command: iwconfig wlan0mon channel 6; in my case the channel was 6). Note that ifconfig cannot set channels; the channel lock matters because a card hopping between channels will miss the client's frames.
2. Sometimes airodump-ng may not work or show results; in that case unplug the Alfa card and set it up again with the commands shown at the beginning of this write-up.
3. BSSID is the Basic Service Set Identifier, i.e. the MAC address of the access point; ESSID is the Extended Service Set Identifier, i.e. the network name. It is the ESSID that the AP withholds from its beacons when the SSID is "hidden".
Just for some automation I did this whole process with a Python script. Python has a library called scapy which is used to sniff, inject and parse packets and also supports the 802.11 protocol:
#!/usr/bin/env python3
import sys
from scapy.all import sniff, Dot11Beacon, Dot11ProbeResp

hidden_ssid = set()


def is_hidden(ssid):
    # A hidden AP beacons either a zero-length SSID element or one padded with NUL bytes
    return ssid is None or all(b == 0 for b in ssid)


def pack(pkt):
    # pkt.info is the value of the first Dot11Elt, which is the SSID element in beacons and probe responses
    if pkt.haslayer(Dot11Beacon):
        if is_hidden(pkt.info) and pkt.addr3 not in hidden_ssid:
            hidden_ssid.add(pkt.addr3)
            print("HIDDEN SSID :", pkt.addr3)
    elif pkt.haslayer(Dot11ProbeResp) and pkt.addr3 in hidden_ssid:
        print("HIDDEN SSID UNCOVERED: ", pkt.info, pkt.addr3)


# argv[1] = monitor-mode interface, argv[2] = number of frames to capture
sniff(iface=sys.argv[1], count=int(sys.argv[2]), prn=pack)
NOTE: In the above script addr3 is the BSSID for beacons and probe responses. Packets are divided into layers, for example RadioTap/Dot11/Dot11Beacon/Dot11Elt. The script must run as root on an interface that is already in monitor mode.
Usage: ./hiddenSSID.py wlan0mon 1000
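To show what the scapy script above and the Wireshark view described under the passive method are actually reading, here is an added example (not code from the original write-up) that parses raw 802.11 management frames without scapy and runs the same logic over a capture constructed inline. The BSSID 40:c8:cb:04:23:b4 and the name ConnectMAGIC are taken from the write-up; the second and third access points, the client MAC and the name Lab-AP2 are made up for the example. It also handles the NUL-padded form of a hidden SSID and uncovers the name from an association request as well as a probe response, which the original script does not.

```python
import struct

# Management-frame subtypes (frame type 0) and the SSID information element tag
SUBTYPE_ASSOC_REQ = 0
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def ie(tag, value):
    """Encode one information element: tag, length, value."""
    return bytes([tag, len(value)]) + value


def build_mgmt(subtype, addr1, addr2, addr3, body):
    """802.11 MAC header without radiotap: frame control, duration, 3 addresses, sequence control."""
    frame_control = (subtype << 4) | (0 << 2)  # type 0 = management, protocol version 0
    return struct.pack("<BBH", frame_control, 0, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0) + body


def parse_ies(data):
    """Walk tag/length/value elements; stop cleanly instead of reading past a truncated element."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            break  # malformed or cut-off frame
        ies.setdefault(tag, data[i + 2:i + 2 + length])
        i += 2 + length
    return ies


def parse_mgmt(frame):
    """Return (subtype, bssid, ssid bytes or None) for beacons, probe responses and association requests."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:  # not a management frame
        return None
    subtype = fc0 >> 4
    bssid = mac_to_str(frame[16:22])  # addr3 is the BSSID in all three frame kinds handled here
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        fixed = 12  # timestamp(8) + beacon interval(2) + capability(2)
    elif subtype == SUBTYPE_ASSOC_REQ:
        fixed = 4   # capability(2) + listen interval(2)
    else:
        return None
    return subtype, bssid, parse_ies(body[fixed:]).get(IE_SSID)


def ssid_is_hidden(ssid):
    """A hidden AP beacons a zero-length SSID element or one filled with NUL bytes."""
    return ssid is not None and all(b == 0 for b in ssid)


def uncover_hidden_ssids(frames):
    """Remember BSSIDs whose beacons hide the SSID, then resolve them from the clear-text
    SSID carried by a later probe response or association request for that BSSID."""
    hidden = {}  # bssid -> None until uncovered, then the network name
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid, ssid = parsed
        if subtype == SUBTYPE_BEACON:
            if ssid_is_hidden(ssid):
                hidden.setdefault(bssid, None)
        elif bssid in hidden and hidden[bssid] is None and ssid and not ssid_is_hidden(ssid):
            hidden[bssid] = ssid.decode("utf-8", "replace")
    return hidden


# Constructed sample capture (addresses and names other than the write-up's BSSID and ConnectMAGIC are made up)
AP = mac_to_bytes("40:c8:cb:04:23:b4")
AP2 = mac_to_bytes("aa:bb:cc:dd:ee:01")
AP3 = mac_to_bytes("aa:bb:cc:dd:ee:02")
CLIENT = mac_to_bytes("00:11:22:33:44:55")
BROADCAST = b"\xff" * 6
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
ASSOC_FIXED = struct.pack("<HH", 0x0411, 10)        # capability, listen interval

SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, BEACON_FIXED + ie(IE_SSID, b"")),            # hidden, zero length
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP2, AP2, BEACON_FIXED + ie(IE_SSID, b"\x00" * 7)),  # hidden, NUL padded
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP3, AP3, BEACON_FIXED + ie(IE_SSID, b"Guest")),     # not hidden
    build_mgmt(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, BEACON_FIXED + ie(IE_SSID, b"ConnectMAGIC")),
    build_mgmt(SUBTYPE_ASSOC_REQ, AP2, CLIENT, AP2, ASSOC_FIXED + ie(IE_SSID, b"Lab-AP2")),
]

if __name__ == "__main__":
    for bssid, name in uncover_hidden_ssids(SAMPLE_FRAMES).items():
        print("HIDDEN SSID", bssid, "->", name or "(not yet uncovered)")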
Leave a Reply