Is there a way to get a hidden SSID without...


23 replies to this topic

#1 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 18 September 2009 - 12:12 AM

Are there any other ways to get a hidden SSID without disassociating a client or brute forcing the SSID? For instance, I want to crack my WEP-encrypted router, but I don't have any wireless clients connected to it. I don't want to brute force the SSID, and I can't disassociate a connected client because I have no clients other than me wanting to connect. So there will be no waiting for a client to connect.

Now my theory was... could you use wireshark to listen and maybe disassemble the packet and find what SSID it came from by filtering the MAC addy?

Is there any other way?

I don't think I could fake auth to the router because I don't have the SSID handy. I know what it is, but this is just theory and experimentation. There has to be more than just 2 ways to find out a hidden SSID besides the 2 ways listed above.

I heard somebody say something about turning Kismet to de-cloak, but I can't get my Kismet to work properly. So any other options besides Kismet and the ones above? I use airodump to actually find the hidden router, and it tells me the length 10 stuff but doesn't say the name.

Just wondering. Thanks.

#2 Sector-Xero

Sector-Xero

    HACK THE PLANET!

  • Members
  • 65 posts
  • Gender:Male

Posted 18 September 2009 - 08:52 PM


I'm not entirely sure if I'm missing something in this question. But if you are trying to connect wirelessly, why don't you try to use a utility like Kismet or NetStumbler to de-cloak the SSID?

I've never heard of brute forcing an SSID. Also, you don't have to have a client connected to a router to get past WEP.

#3 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 935 posts
  • Gender:Male
  • Location:the bunker

Posted 18 September 2009 - 10:39 PM

I'm going to guess he's talking about WEP PSK? Which does need a handshake packet... but it could just be he read a guide wrong/got confused, idk. Plus he said Kismet isn't working.

#4 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 19 September 2009 - 04:12 AM

I'm going to guess he's talking about WEP PSK? Which does need a handshake packet... but it could just be he read a guide wrong/got confused, idk. Plus he said Kismet isn't working.


Wait, WHAT? WEP PSK? wtf are you talking about? NO!... "a hidden SSID". To get the hidden SSID you have to disassociate a client or brute force the router to get the SSID. I am asking for any other way besides Kismet to tell me my AP's by unhiding it, or a glitch to get around it. I re-read what I wrote... It doesn't really come any clearer than that. If anybody understands hidden SSIDs and English... please respond. If you don't understand, don't respond, or at least try and keep up with what I am saying. - Thanks. ;)

#5 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 19 September 2009 - 10:43 AM

This appears to be a good start

#6 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 21 September 2009 - 10:37 PM

This appears to be a good start


Negative. I appreciate the help. I am sure there is probably another way of doing it, or maybe I just didn't explain myself well enough. Basically I want to find a hidden SSID without "any" clients connected wirelessly to a router, or without having to brute force the SSID. I am sure there are probably other ways, but nobody seems to know enough about it to help me.

Taking kismet's de-cloak out of the picture. Would wireshark work for finding a hidden SSID without any clients connected to the AP? Or anything else?

#7 Spyril

Spyril

    Hakker addict

  • Members
  • 588 posts
  • Location:North Dakota

Posted 21 September 2009 - 10:56 PM


You're asking the impossible. How would wireshark be any better at magically finding the SSID? If the AP isn't broadcasting its SSID and there aren't any clients associating with the AP, then there will be no packets containing the SSID for wireshark to pick up.

You understand that you can disassociate a client from the network to get the hidden SSID, yet you don't see the relevance of dinscurge's post about the WEP handshake packet. This clearly shows that you have no idea what you're talking about, as the whole point of disassociating the client *is* to get the handshake packet. Read up on the basics of 802.11/WEP/WPA and get back to us.

#8 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 22 September 2009 - 02:49 AM




No, that's not it at all. It just makes me mad when people respond to my posts and they don't read what I have written. I know exactly what the handshake is for, but my idea with Wireshark was... if a wireless router can be detected by Kismet or airodump and its SSID is hidden. Yes, it shows up as a hidden SSID, but... if it is, even though it isn't broadcasting, those programs can still pick it up.

Then it is broadcasting some sort of packets to even be picked up by airodump or Kismet. Or else it would look like there was no router even there. So in theory, why can't Wireshark pick up those hidden SSID packets and possibly be decrypted to an SSID?

Does that make sense? I am sorry for getting angry about the suggestion about the handshake idea, but my point was there aren't "any" clients associated, therefore there will be no handshake association and no clients to deauth.

I shall find a way. When I do. I will enlighten you all. ;)

#9 ZomboKat

ZomboKat

    the 0ne

  • Members
  • 1 posts
  • Gender:Male
  • Location:Gladstone

Posted 22 September 2009 - 12:12 PM

Stuff that Kool-Aide said.


If Kismet can't do it Wireshark won't be able to do it.

Listen, I don't usually break my veil of obscurity to post, but I just wanted to mention I hate you.

Edited by ZomboKat, 22 September 2009 - 12:12 PM.


#10 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 22 September 2009 - 04:16 PM

If I had to guess, I'd look at the first 6 bytes of the MAC address and get the manufacturer, then look up default SSIDs for the specific devices... After that, forge an ARP and inject it using all the default SSIDs... It is worth a try.

#11 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 22 September 2009 - 04:31 PM

If they've turned off SSID broadcast, chances are they've changed the SSID. Though I wouldn't bother looking up the MAC, just try some common SSIDs. There aren't that many of them, 3 or 4 would probably cover 70% of the routers on the market.

#12 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 22 September 2009 - 04:57 PM

just try some common SSIDs. There aren't that many of them, 3 or 4 would probably cover 70% of the routers on the market.

Okay: linksys, netgear, Actiontec<1-9> <~~~ almost always used by Qwest!, person's last name... I'm actually surprised at how many cloak the SSID and leave it at the default... I guess they just read somewhere to cloak it, but fail to use logic in their decisions. Anyway, an educated guess is always better and less of a shot in the dark.

EDIT: come to think of it one of my WRT-54G's shipped with the SSID cloaked by default... Perhaps it was a refurb or something.

Edited by tekio, 22 September 2009 - 05:03 PM.


#13 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 22 September 2009 - 05:19 PM

That's odd. I would have thought that's an uncommon configuration, at least if it was the user to hide the SSID. Though if you have an ISP deploying them, I can see why they'd hide the SSID and still leave it as something simple. So... I wonder where we can get some real statistics for market share? If we can get the top X routers, we can look up their default SSIDs and make a real list. Also, if anyone else has some more ISP specific info, that could be helpful as well.

Actually, this is a good starting point.

#14 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 22 September 2009 - 05:29 PM

I know Qwest, in my area, uses Actiontec and will always deploy on the same channel: 9; but will number the SSID according to ownership in the signal area. For example, the second household that can detect Actiontec will be named Actiontec1, the third Actiontec2, and so on.

Default SSID on my routers:
WRT-54G == linksys
Belkin N Wireless Router == Belkin
Apple Gigabit Airport Extreme == Apple

#15 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 23 September 2009 - 01:44 AM


Those are all cool thoughts, but they still go back to the idea of brute forcing the SSID in a way. I was implying getting it by decrypting the packets they send out even though it's hidden. I read some articles, and they all say yes, they send out packets, but they all have a null byte of 0 when it shows up. So not much you can decrypt with that. BUT! there are some routers who are subject to using the filters:
wlan.fc.type_subtype == 0 (association request)
wlan.fc.type_subtype == 4 (probe request)
wlan.fc.type_subtype == 5 (probe response)

Which said that some will actually give you data from the probe requests. I haven't had time to test it yet. Work before play. :(

As for ZomboKat... all I can say is, hate me all you like; it just makes me more popular.
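
Added example, not code posted by anyone in this thread: a frame-level look at what those three filters are matching and why the "no clients, no SSID" point holds. It builds a cloaked beacon, a wildcard and a directed probe request, a probe response and an association request for a made-up AP and clients (every MAC address and SSID below is an assumption, constructed for the example), pulls the SSID element out of each, and correlates them per BSSID the way a passive sniffer does. With nobody talking to the AP, the only thing on the air is a beacon whose SSID element is empty or NUL-filled, which is the "<length: 10>" airodump-ng prints. A directed probe request carrying a default-SSID guess (the approach discussed a few posts up) is recorded as a guess only, since it proves nothing until the AP answers it with a probe response. Python standard library only, no radiotap header.

```python
import struct

SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0, 4, 5, 8
SUBTYPE_NAMES = {0: "association request", 4: "probe request",
                 5: "probe response", 8: "beacon"}
# Fixed fields that precede the first information element in the frame body:
# beacon / probe response = timestamp(8) + interval(2) + capability(2),
# association request = capability(2) + listen interval(2), probe request = none.
FIXED_LEN = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_RESP: 12,
             SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0}
BROADCAST = "ff:ff:ff:ff:ff:ff"
RATES_IE = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates 1/2/5.5/11 Mbit


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ie(eid, data):
    """One information element: id, length, payload (the SSID element is id 0)."""
    return bytes([eid, len(data)]) + data


def mgmt_frame(subtype, da, sa, bssid, body):
    """24-byte 802.11 header (frame control type 00 = management) plus body."""
    fc = bytes([subtype << 4, 0])            # subtype in the high nibble, type bits 00
    return (fc + b"\x00\x00" + mac_to_bytes(da) + mac_to_bytes(sa)
            + mac_to_bytes(bssid) + b"\x00\x00" + body)


def beacon(bssid, ssid_field):
    # ssid_field is the raw SSID payload: the name, or b"" / b"\x00"*n when cloaked
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return mgmt_frame(SUBTYPE_BEACON, BROADCAST, bssid, bssid, fixed + ie(0, ssid_field) + RATES_IE)


def probe_request(client, bssid, ssid):
    """Directed probe: a client (or a guesser) asks 'is network <ssid> here?'."""
    return mgmt_frame(SUBTYPE_PROBE_REQ, bssid, client, bssid, ie(0, ssid.encode()) + RATES_IE)


def probe_response(bssid, client, ssid):
    """The AP's answer to a probe that named it correctly; it carries the real SSID."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return mgmt_frame(SUBTYPE_PROBE_RESP, client, bssid, bssid, fixed + ie(0, ssid.encode()) + RATES_IE)


def assoc_request(client, bssid, ssid):
    fixed = struct.pack("<HH", 0x0411, 10)
    return mgmt_frame(SUBTYPE_ASSOC_REQ, bssid, client, bssid, fixed + ie(0, ssid.encode()) + RATES_IE)


def parse_ies(body):
    i = 0
    while i + 2 <= len(body):
        eid, n = body[i], body[i + 1]
        data = body[i + 2:i + 2 + n]
        if len(data) < n:                    # truncated element: stop rather than misparse
            break
        yield eid, data
        i += 2 + n


def parse_mgmt(frame):
    """Subtype, BSSID and SSID element of one management frame, or None if not handled.
    ssid is None when the element is absent, empty or all NUL bytes (cloaked);
    ssid_len is still reported, which is the '<length: N>' airodump-ng shows."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    subtype = frame[0] >> 4
    if subtype not in FIXED_LEN:
        return None
    ssid, ssid_len = None, None
    for eid, data in parse_ies(frame[24 + FIXED_LEN[subtype]:]):
        if eid == 0:
            ssid_len = len(data)
            if any(data):                    # non-empty and not all 0x00
                ssid = data.decode("utf-8", "replace")
            break
    return {"subtype": subtype, "kind": SUBTYPE_NAMES[subtype],
            "bssid": bytes_to_mac(frame[16:22]), "ssid": ssid, "ssid_len": ssid_len}


def decloak(frames):
    """Correlate frames per BSSID the way a passive sniffer does.
    Beacons and probe responses come from the AP; an association request comes from
    a client that is really joining. A directed probe request is only somebody's claim
    (a reconnecting client, or a guesser), so it is kept apart as a guess."""
    aps = {}
    for frame in frames:
        p = parse_mgmt(frame)
        if p is None or p["bssid"] == BROADCAST:   # wildcard probes name no AP
            continue
        ap = aps.setdefault(p["bssid"], {"ssid": None, "revealed_by": None,
                                         "cloaked_len": None, "guesses": set()})
        if p["subtype"] == SUBTYPE_BEACON and p["ssid"] is None:
            ap["cloaked_len"] = p["ssid_len"]
        elif p["subtype"] == SUBTYPE_PROBE_REQ:
            if p["ssid"]:
                ap["guesses"].add(p["ssid"])
        elif p["ssid"] and ap["ssid"] is None:
            ap["ssid"], ap["revealed_by"] = p["ssid"], p["kind"]
    return aps


# Constructed sample traffic (made-up addresses and names, not a capture).
AP, CLIENT, GUESSER = "00:1a:70:12:34:56", "00:16:6f:aa:bb:cc", "00:c0:ca:de:ad:00"
CLOAKED_BEACON = beacon(AP, b"\x00" * 10)                   # shows up as <length: 10>
WILDCARD_PROBE = probe_request(CLIENT, BROADCAST, "")        # "anyone out there?"
GUESS_PROBE = probe_request(GUESSER, AP, "linksys")          # default-SSID guess, unanswered
REAL_PROBE_RESP = probe_response(AP, CLIENT, "MyHomeWiFi")   # AP answering a correct name
REAL_ASSOC = assoc_request(CLIENT, AP, "MyHomeWiFi")


def demo_no_clients():
    """Only the AP beaconing plus a wrong guess: the name never appears on the air."""
    return decloak([CLOAKED_BEACON, WILDCARD_PROBE, GUESS_PROBE])


def demo_client_joins():
    """A client that knows the name probes and associates: the AP's answer leaks it."""
    return decloak([CLOAKED_BEACON, WILDCARD_PROBE, REAL_PROBE_RESP, REAL_ASSOC])


if __name__ == "__main__":
    print("no clients  :", demo_no_clients()[AP])
    print("client joins:", demo_client_joins()[AP])
```

Run it as-is to print both scenarios. Nothing in it decrypts anything, and that is the point: a cloaked AP simply leaves the SSID element empty (or NUL-padded to the real length) in its beacons, while the real name is written into probe responses by the AP and into directed probe and association requests by stations that already know it. That is all a de-cloaking sniffer like Kismet correlates, so the name leaks the moment such a station talks to the AP and not before; a guess only pays off when the AP answers it.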

#16 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 23 September 2009 - 01:48 AM

That's odd. I would have thought that's an uncommon configuration, at least if it was the user to hide the SSID. Though if you have an ISP deploying them, I can see why they'd hide the SSID and still leave it as something simple. So... I wonder where we can get some real statistics for market share? If we can get the top X routers, we can look up their default SSIDs and make a real list. Also, if anyone else has some more ISP specific info, that could be helpful as well.

Actually, this is a good starting point.


Bro, don't waste your time by looking that stuff up. They have brute force word lists specifically for SSIDs. http://www.4shared.c...4d5e2/SSID.html There is one. You could start with that and add on more of the newer routers if you just feel like having a project. Just wanted to save you some time if you're thinking about making a big list of them. ;)

#17 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 23 September 2009 - 09:17 AM



A probe request (I could be wrong) doesn't do anything to get the SSID when cloaked; passive tools such as Kismet are much better at getting a cloaked SSID. Also, bruteforcing is not very good because if WEP-PSK is used, the router (not sure about clients) will only respond when a WEP key is given; packets are authenticated. No matter what, in that case, you need a client that is authed to spoof its MAC. Hey, maybe some routers will consider their own MAC trusted and work w/o auth?


EDIT: I tested this, and the WLAN considers the LAN port MAC addresses trusted with one of my routers... Could be cool, but one would need a MAC from the LAN port.... Perhaps I may try writing a Perl script that will try bruteforcing the LAN MAC addresses with aireplay-ng. Of course only a PoC, as it would be next to useless in the real world....

Edited by tekio, 24 September 2009 - 05:18 PM.


#18 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 26 September 2009 - 12:00 AM




Good, good ideas, man. I have thought about the MAC address spoofing idea... but I don't think that will work, because when a client reassociates with an AP they resend the IV packets that you use to relay when you're cracking a WEP key. I have heard it works for hijacking people on a pay-for AP, you know, the ones where you put in your credit card info and it connects you automatically without putting in a WEP key. But that's about it. The Perl script idea sounds badass. Keep me up to date if you will on that. I'd like to check it out. Thanks for the input.

#19 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 26 September 2009 - 06:25 PM





I've not studied this for a while; perhaps a review is in order... I was thinking with WEP-PSK each client has to have the WEP key to associate. No association, and a deauth cannot be sent to get the SSID. However, if the MAC is trusted it is possible to associate, therefore a deauth is possible.

#20 Kool-Aide

Kool-Aide

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Gender:Male
  • Location:Arkansizzle

Posted 27 September 2009 - 05:12 AM

Yeah, but that would need a client to spoof, and that would still kinda rule out the whole no-clients thing. But if you were to brute force a MAC... that would be kinda cool, but still you would be brute forcing. My whole reason for the post, honestly, was to find a way without deauthing or brute forcing. Maybe some sort of packet decryption method, where you could use your data packets to crack the actual SSID. I know it sounds dumb, but it was just an idea. You would think it is impossible, but look how far technology and security have come. You can crack into a network wirelessly. Seems like 10 or fewer years ago you had to use a phone line to get on the internet.



