Wireless networks have been known for some time to have weak authentication schemes that can be broken or bypassed even when stronger encryption is in use.
Before we go any further, though, we need to know what frames are, as they are required for communication to take place.
1 – Management Frames
Used for maintaining access between the Access Point and the wireless clients. They include the following sub-types:
– Association Request
– Reassociation Request
– Reassociation Response
– Probe Request
2 – Control Frames
These are responsible for ensuring an orderly exchange of data between the Access Point and the wireless clients. They include the following sub-types:
– Request to Send (RTS)
– Clear to Send (CTS)
– Acknowledgement (ACK)
3 – Data Frames
As the name suggests, this is where the actual payload is carried: the user data is sent across the wireless network in data frames, and they have no sub-types.
Let’s get to it!
We are going to look at uncovering hidden SSIDs now. People think that hiding their network, rather than configuring encryption, will make it invisible and safe, but this is not the case, as you will see shortly. The default configuration of most access points is to broadcast the SSID in the beacon frames; a hidden SSID is simply left out of the beacon frames, so only clients that already know the correct SSID can connect.
Configure the router for this scenario with no encryption and make it invisible:
Before we begin make sure you have wireless injection working and monitor mode enabled as outlined here.
Now to start airodump-ng and see what we can see in the air:
As you can see there is now an access point with a BSSID (MAC address) of 00:18:E7:XX:XX:XX, “OPN” (no encryption) on channel 6 and an ESSID of “<length: 0>”, which is how airodump-ng displays a hidden SSID. Let’s uncover this and find out the hidden name!
Start up Wireshark as per the previous step, select “mon0” as your interface and use the following filter to view only these packets and get rid of the excess noise:
wlan.addr == AP_MAC_ADDRESS
You have two options here to uncover the hidden SSID.
Option 1 – Wait for a device to connect to the network. This generates probe request and probe response packets that contain the SSID of the access point. Simple and passive, but it may take ages if nothing connects in the next few hours.
Here is what a manual connection looks like in airodump-ng while it is listening:
As you can see above, the SSID is now known to be “test”, and you will also see the Probe Response in Wireshark:
Looking inside the packet you will also find the SSID under the management frame:
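The two frames discussed in this section, a beacon with an empty SSID element and a probe response carrying the real name, can be parsed offline. The following Python is an added example, not code from the original post or from the aircrack-ng or Wireshark projects: it decodes the frame-control byte to pick out management frames of the beacon and probe-response sub-types, walks the information elements after the fixed parameters to find the SSID element (tag 0), and records, per BSSID, whether beacons advertise it as hidden and what name any probe response reveals. The sample frames, the BSSID 00:18:e7:00:00:00 (standing in for the page's 00:18:E7:XX:XX:XX) and the build_sample helper are all constructed for the example. It also covers a case the page does not show: an access point that pads the hidden SSID with NUL bytes of the real length instead of sending a zero-length element.

```python
"""Parse 802.11 beacon and probe-response frames and track hidden SSIDs per BSSID.

Added example, not part of the original post. All sample frames are constructed.
"""
import struct

MGMT_HEADER_LEN = 24      # frame control(2) + duration(2) + addr1-3(18) + sequence control(2)
FIXED_PARAMS_LEN = 12     # timestamp(8) + beacon interval(2) + capability info(2)
TYPE_MGMT = 0
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
IE_SSID = 0               # SSID information element tag
IE_DS_PARAMS = 3          # DS parameter set (carries the channel)


def frame_type_subtype(frame: bytes) -> tuple:
    """Split the first frame-control byte: bits 2-3 are the type, bits 4-7 the sub-type."""
    fc = frame[0]
    return (fc >> 2) & 0x3, fc >> 4


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> dict:
    """Walk tag/length/value information elements; a truncated trailing IE is ignored."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies[tag] = value
        i += 2 + length
    return ies


def extract_ssid(frame: bytes):
    """Return (bssid, ssid) for a beacon or probe response, with ssid=None when hidden.

    A hidden SSID shows up either as a zero-length element (Wireshark's
    "<length: 0>") or, on some access points, as the real length filled with NULs.
    Any other frame type returns None.
    """
    ftype, subtype = frame_type_subtype(frame)
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    bssid = mac_str(frame[16:22])                     # address 3 is the BSSID here
    ies = parse_ies(frame[MGMT_HEADER_LEN + FIXED_PARAMS_LEN:])
    raw = ies.get(IE_SSID, b"")
    if raw.strip(b"\x00") == b"":
        return bssid, None
    return bssid, raw.decode("utf-8", errors="replace")


def inventory(frames) -> dict:
    """Per BSSID: did any beacon hide the name, and what name did any frame reveal?"""
    seen = {}
    for frame in frames:
        result = extract_ssid(frame)
        if result is None:
            continue
        bssid, ssid = result
        entry = seen.setdefault(bssid, {"hidden": False, "ssid": None})
        if ssid is None:
            entry["hidden"] = True
        else:
            entry["ssid"] = ssid
    return seen


def build_sample(subtype: int, bssid: bytes, ssid: bytes, channel: int = 6) -> bytes:
    """Constructed test frame (header + fixed params + SSID and DS IEs), not a capture."""
    fc = bytes([(TYPE_MGMT << 2) | (subtype << 4), 0x00])
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0001)
    return header + fixed + bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])


# Placeholder BSSID standing in for the page's 00:18:E7:XX:XX:XX.
BSSID = bytes.fromhex("0018e7000000")
HIDDEN_BEACON = build_sample(SUBTYPE_BEACON, BSSID, b"")           # "<length: 0>"
PADDED_BEACON = build_sample(SUBTYPE_BEACON, BSSID, b"\x00" * 4)   # NUL-padded variant
PROBE_RESPONSE = build_sample(SUBTYPE_PROBE_RESP, BSSID, b"test")  # reveals the name

if __name__ == "__main__":
    print(inventory([HIDDEN_BEACON]))                  # hidden, name unknown
    print(inventory([HIDDEN_BEACON, PROBE_RESPONSE]))  # hidden, name "test"
```

The point the inventory makes is the one the section makes: hiding the SSID only removes it from beacons, and the first probe response to a legitimate client puts the name back on the air for anyone listening, so a hidden network should still be treated as visible when deciding on encryption.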
Option 2 – Send a few de-authentication packets with aireplay-ng:
aireplay-ng -0 5 -a AP_MAC mon0
“-0” selects the de-authentication attack mode.
“5” is the number of de-authentication packets to send.
“-a” specifies the access point MAC address you are targeting.
The de-authentication packets force any legitimate clients to disconnect and reconnect. By adding the following expression in Wireshark you will be able to capture only these de-authentication packets:
wlan.fc.type_subtype == 0x0c
or combine it with the previous filter and use:
(wlan.addr == AP_MAC_ADDRESS) && (wlan.fc.type_subtype == 0x0c)
One device is still connected to the access point from the previous example, so it will be disconnected and reconnect, giving the same result but with an active rather than a passive approach.
Sending the de-authentication packets to the access point gives a warning that it is better to target a client, but we are being lazy in this scenario and just targeting the access point; we will target the client in future lessons.
The Wireshark filter we had running will also show only these de-authentication packets, as that is exactly what the filter was for:
Once again airodump-ng will show the SSID and uncover the hidden name of the access point:
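The filter wlan.fc.type_subtype == 0x0c used above isolates de-authentication frames, and a wireless IDS applies the same idea the other way round: a burst of de-authentication or disassociation frames against one BSSID, particularly to the broadcast address, is the signature of the technique shown in this section. The following Python is an added example, not code from the original post or from the aircrack-ng or Wireshark projects. It scans a tab-separated frame log of the kind tshark -T fields can produce, with columns time, type/sub-type, source, destination, BSSID and reason code (that column layout is an assumption), and raises one alert per BSSID once the count inside a sliding window reaches a threshold. The sample log, the BSSID 00:18:e7:00:00:00 (standing in for the page's 00:18:E7:XX:XX:XX) and the client address are constructed. The threshold exists because an access point legitimately sends the occasional de-authentication frame, for instance when a client idles out, so a single frame is not evidence of anything.

```python
"""Detect de-authentication bursts in a tab-separated 802.11 frame log.

Added example, not part of the original post. Assumed log format, one frame per line:
    time_epoch  type_subtype  source  destination  bssid  reason_code
type_subtype uses Wireshark's combined encoding, so 0x0c is a de-authentication
frame and 0x0a a disassociation, matching the filter wlan.fc.type_subtype == 0x0c.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEAUTH = 0x0C
DISASSOC = 0x0A
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:18:e7:00:00:00"        # placeholder for the page's 00:18:E7:XX:XX:XX
CLIENT = "00:11:22:33:44:55"    # constructed client address

# Constructed sample: a beacon, a burst of five broadcast de-authentications,
# then the client re-associating and the probe response that leaks the SSID.
SAMPLE_LOG = "\n".join([
    f"1700000000.000\t0x08\t{AP}\t{BROADCAST}\t{AP}\t",
    f"1700000000.210\t0x0c\t{AP}\t{BROADCAST}\t{AP}\t7",
    f"1700000000.215\t0x0c\t{AP}\t{BROADCAST}\t{AP}\t7",
    f"1700000000.220\t0x0c\t{AP}\t{BROADCAST}\t{AP}\t7",
    f"1700000000.225\t0x0c\t{AP}\t{BROADCAST}\t{AP}\t7",
    f"1700000000.230\t0x0c\t{AP}\t{BROADCAST}\t{AP}\t7",
    f"1700000000.900\t0x00\t{CLIENT}\t{AP}\t{AP}\t",   # association request
    f"1700000000.905\t0x05\t{AP}\t{CLIENT}\t{AP}\t",   # probe response
])


@dataclass
class Frame:
    time: float
    type_subtype: int
    sa: str
    da: str
    bssid: str
    reason: Optional[int]


def parse_line(line: str) -> Frame:
    """Parse one log line; type_subtype may be written as 0x0c or as decimal 12."""
    t, ts, sa, da, bssid, reason = line.rstrip("\n").split("\t")
    return Frame(float(t), int(ts, 0), sa, da, bssid, int(reason) if reason else None)


def detect_deauth_bursts(log: str, window: float = 10.0, threshold: int = 3) -> List[Tuple[str, float, bool]]:
    """Return one (bssid, time, any_broadcast) alert per BSSID whose de-authentication or
    disassociation count within `window` seconds reaches `threshold`."""
    recent = defaultdict(deque)   # bssid -> frames inside the current window
    alerts = []
    frames = sorted((parse_line(l) for l in log.splitlines() if l.strip()), key=lambda f: f.time)
    for frame in frames:
        if frame.type_subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[frame.bssid]
        q.append(frame)
        while q and frame.time - q[0].time > window:
            q.popleft()
        if len(q) == threshold:   # fire exactly once as the burst crosses the line
            alerts.append((frame.bssid, frame.time, any(f.da == BROADCAST for f in q)))
    return alerts


if __name__ == "__main__":
    for bssid, t, bcast in detect_deauth_bursts(SAMPLE_LOG):
        print(f"de-authentication burst on {bssid} at {t:.3f}{' (broadcast)' if bcast else ''}")
```

On a live sensor the same function can be fed from a monitor-mode capture instead of a fixed string; the window and threshold are the tuning knobs, and the broadcast flag is worth surfacing separately because legitimate access points almost never de-authenticate the broadcast address.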