KoolAide187

Is there a way to get a hidden SSID without...

24 posts in this topic

Are there any other ways to get a hidden SSID without disassociating a client or brute forcing the SSID? Like for instance, I want to crack my WEP encrypted router, but I don't have any wireless clients connected to it. I don't want to brute force the SSID, and I can't disassociate a connected client because I have no clients other than me wanting to connect. So there will be no waiting for a client to connect.

Now my theory was... could you use Wireshark to listen and maybe disassemble the packet and find what SSID it came from by filtering on the MAC addy?

Is there any other way?

I don't think I could fake auth to the router because I don't have the SSID handy. I know what it is, but this is just theory and experimentation. There has to be more than just 2 ways to find out a hidden SSID besides the 2 ways listed above.

I heard somebody say something about turning Kismet to de-cloak, but I can't get my Kismet to work properly. So any other options besides Kismet and the ones above? I use airodump to actually find the hidden router and it tells me the length 10 stuff, but doesn't say the name.

Just wondering. Thanks.



I'm not entirely sure if I'm missing something in this question. But if you are trying to connect wirelessly, why don't you try to use a utility like Kismet or NetStumbler to de-cloak the SSID?

I've never heard of brute forcing an SSID. Also, you don't have to have a client connected to a router to get past WEP.


I'm going to guess he's talking about WEP PSK, which does need a handshake packet... but it could just be he read a guide wrong/got confused, idk. Plus he said Kismet isn't working.


Wait, WHAT? WEP PSK? wtf are you talkin about? NO!... "a hidden SSID": to get the hidden SSID you have to disassociate a client or brute force the router to get the SSID. I am asking for any other way besides Kismet to tell me my AP's by unhiding it, or a glitch to get around it. I re-read what I wrote... It doesn't really come any clearer than that. If anybody understands hidden SSIDs and English... please respond. If you don't understand, don't respond, or at least try and keep up with what I am saying. - Thanks. ;)


Negative. I appreciate the help. I am sure there is probably another way of doing it. Or maybe I just didn't explain myself well enough. Basically I want to find a hidden SSID without "any" clients connected wirelessly to a router. Or without having to brute force the SSID. I am sure there are probably other ways, but nobody seems to know enough about it to help me.

Taking Kismet's de-cloak out of the picture, would Wireshark work for finding a hidden SSID without any clients connected to the AP? Or anything else?


You're asking the impossible. How would Wireshark be any better at magically finding the SSID? If the AP isn't broadcasting its SSID and there aren't any clients associating with the AP, then there will be no packets containing the SSID for Wireshark to pick up.

You understand that you can disassociate a client from the network to get the hidden SSID, yet you don't see the relevance of dinscurge's post about the WEP handshake packet. This clearly shows that you have no idea what you're talking about, as the whole point of disassociating the client *is* to get the handshake packet. Read up on the basics of 802.11/WEP/WPA and get back to us.


No, that's not it at all. It just makes me mad when people respond to my posts and they don't read what I have written. I know exactly what the handshake is for, but my idea with Wireshark was... if a wireless router can be detected by Kismet or airodump and its SSID is hidden, yes, it shows up as a hidden SSID, but even though it isn't broadcasting, those programs can still pick it up.

Then it is broadcasting some sort of packets to even be picked up by airodump or Kismet. Or else it would look like there was no router even there. So in theory, why can't Wireshark pick up those hidden SSID packets and possibly be decrypted to a SSID?

Does that make sense? I am sorry for getting angry before about the suggestion about the handshake idea, but my point was there aren't "any" clients associated, therefore there will be no handshake association and no clients to deauth.

I shall find a way. When I do. I will enlighten you all. ;)


Stuff that Kool-Aide said.

If Kismet can't do it Wireshark won't be able to do it.

Listen, I don't usually break my veil of obscurity to post, but I just wanted to mention I hate you.

Edited by ZomboKat

If I had to guess, I'd look at the first 6 bytes of the MAC address and get the manufacturer, then look up default SSIDs for the specific devices... After that, forge an ARP and inject it using all the default SSIDs... It is worth a try.


If they've turned off SSID broadcast, chances are they've changed the SSID. Though I wouldn't bother looking up the MAC, just try some common SSIDs. There aren't that many of them, 3 or 4 would probably cover 70% of the routers on the market.


Okay: linksys, netgear, Actiontec<1-9> <~~~ almost always used by Qwest!, person's last name... I'm actually surprised at how many cloak the SSID and leave it at the default... I guess they just read somewhere to cloak it, but fail to use logic in their decisions. Anyway, an educated guess is always better and less of a shot in the dark.

EDIT: come to think of it one of my WRT-54G's shipped with the SSID cloaked by default... Perhaps it was a refurb or something.

Edited by tekio

That's odd. I would have thought that's an uncommon configuration, at least if it was the user to hide the SSID. Though if you have an ISP deploying them, I can see why they'd hide the SSID and still leave it as something simple. So... I wonder where we can get some real statistics for market share? If we can get the top X routers, we can look up their default SSIDs and make a real list. Also, if anyone else has some more ISP specific info, that could be helpful as well.

Actually, this is a good starting point.


I know Qwest in my area uses Actiontec and will always deploy on the same channel: 9; but will number the SSID according to ownership in the signal area. For example, the second household that can detect Actiontec will be named Actiontec1, the third Actiontec2, and so on.

Default SSID on my routers:

WRT-54G == linksys

Belkin N Wireless Router == Belkin

Apple Gigabit Airport Extreme == Apple


Those are all cool thoughts, but they still go back to the idea of brute forcing the SSID in a way. I was implying getting it by decrypting the packets they send out even though it's hidden. I read some articles and they all say yes, they send out packets, but they all have a null byte of 0 when it shows up. So not much you can decrypt with that. BUT! There are some routers that are subject to using the filters:

wlan.fc.type_subtype == 0 (association request)

wlan.fc.type_subtype == 4 (probe request)

wlan.fc.type_subtype == 5 (probe response)

Which said that some will actually give you data from the probe requests. I haven't had time to test it yet. Work before play. :(

As for Zombokat... all I can say is, Hate me all you like it just makes me more popular.

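Since the thread keeps circling back to which frames actually carry the SSID, here is an added example in Python (mine, not code posted by anyone in this thread) that parses raw 802.11 management frames, flags a beacon whose SSID element is empty or NUL-padded as cloaked, and records when a probe response or association request for the same BSSID carries the name anyway. The frame-control bit layout, the fixed-field sizes and the tag/length/value element format follow the 802.11 standard; treating addr3 as the BSSID is an assumption that holds for the four subtypes handled here. All sample frames are constructed inline for the test, not captured, and the script assumes any radiotap header has already been stripped. From the defender's side it makes the point the passive-sniffer posts are making: hiding the SSID removes it from beacons but not from the other management frames, so it is not a secrecy control worth relying on.

```python
# Management-frame subtypes, using the same numbers Wireshark shows in
# wlan.fc.type_subtype for type 0 (management) frames.
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
SUBTYPE_NAME = {ASSOC_REQ: "association request", PROBE_REQ: "probe request",
                PROBE_RESP: "probe response", BEACON: "beacon"}
# Fixed-field bytes between the 24-byte MAC header and the tagged parameters:
# beacon/probe response carry timestamp(8)+interval(2)+capability(2),
# association request carries capability(2)+listen interval(2).
FIXED_LEN = {ASSOC_REQ: 4, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
SSID_TAG = 0                      # element ID of the SSID information element
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_mgmt(frame):
    """Parse one raw 802.11 management frame into (subtype, bssid, ies).

    Returns None for non-management frames, subtypes not handled here, or
    frames too short for a full header. ies maps element ID -> first payload.
    Assumption: addr3 is the BSSID, which holds for the four subtypes above.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]                 # low byte of the frame-control field
    ftype = (fc0 >> 2) & 0x3       # bits 2-3: type, 0 = management
    subtype = fc0 >> 4             # bits 4-7: subtype
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    bssid = mac_str(frame[16:22])
    body = frame[24 + FIXED_LEN[subtype]:]
    ies, pos = {}, 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:      # truncated element: stop rather than guess
            break
        ies.setdefault(tag, data)
        pos += 2 + length
    return subtype, bssid, ies


def is_cloaked_ssid(ssid):
    """Cloaked beacons carry a zero-length SSID or one padded with NUL bytes."""
    return len(ssid) == 0 or all(b == 0 for b in ssid)


def audit(frames):
    """Per BSSID: is the beacon cloaked, and did another frame carry the name?"""
    report = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid, ies = parsed
        if bssid == BROADCAST:      # wildcard probe requests name no particular AP
            continue
        entry = report.setdefault(bssid, {"cloaked": False, "ssid": None, "leaked_by": set()})
        ssid = ies.get(SSID_TAG, b"")
        if subtype == BEACON:
            entry["cloaked"] = is_cloaked_ssid(ssid)
        if not is_cloaked_ssid(ssid):
            entry["ssid"] = ssid.decode("utf-8", "replace")
            if subtype != BEACON:
                entry["leaked_by"].add(SUBTYPE_NAME[subtype])
    for entry in report.values():
        entry["leaked_by"] = sorted(entry["leaked_by"])
    return report


def build_mgmt(subtype, bssid, ssid, sta="aa:bb:cc:dd:ee:01"):
    """Construct a minimal management frame for offline testing (not a capture)."""
    if subtype in (BEACON, PROBE_RESP):          # AP -> station (or broadcast)
        addr1, addr2 = (BROADCAST if subtype == BEACON else sta), bssid
    else:                                         # station -> AP
        addr1, addr2 = bssid, sta
    header = (bytes([subtype << 4, 0x00]) + b"\x00\x00"
              + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(bssid) + b"\x00\x00")
    body = (b"\x00" * FIXED_LEN[subtype]
            + bytes([SSID_TAG, len(ssid)]) + ssid
            + bytes([1, 1, 0x82]))               # a supported-rates element after the SSID
    return header + body


# Constructed sample frames (hypothetical MACs): a cloaked AP that still
# answers probes, a normal AP that beacons its name, and frames to ignore.
CLOAKED_AP, OPEN_AP = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
SAMPLE_FRAMES = [
    build_mgmt(BEACON, CLOAKED_AP, b"\x00" * 7),      # beacon with NUL-padded SSID
    build_mgmt(PROBE_REQ, BROADCAST, b""),            # wildcard probe from a client
    build_mgmt(PROBE_RESP, CLOAKED_AP, b"linksys"),   # AP answers with its real name
    build_mgmt(ASSOC_REQ, CLOAKED_AP, b"linksys"),    # client joining names it too
    build_mgmt(BEACON, OPEN_AP, b"netgear"),          # not cloaked
    b"\x08\x00" + b"\x00" * 22,                        # a data frame (type 2), skipped
]

if __name__ == "__main__":
    for bssid, entry in audit(SAMPLE_FRAMES).items():
        print(bssid, entry)
```

Running it prints one line per BSSID; the cloaked AP comes out with `cloaked: True` and `ssid: 'linksys'` learned from the probe response and association request, which is exactly the gap the Wireshark filters quoted above are looking at. To use it on your own network you would feed `audit()` the raw frame bytes from a monitor-mode capture with the radiotap header removed; an AP whose entry shows `cloaked: True` together with a non-empty `leaked_by` list is one where hiding the SSID bought nothing.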

Bro don't waste your time by looking that stuff up. They have brute force word lists specifically for SSID's. http://www.4shared.com/account/file/57251079/d7b4d5e2/SSID.html There is one. You could start with that and add on more of the newer routers if you just feel like having a project. Just wanted to save you some time if you're thinkin about making a big list of them. ;)


A probe request (I could be wrong) doesn't do anything to get the SSID when cloaked; passive tools such as Kismet are much better at getting a cloaked SSID. Also, bruteforcing is not very good because if WEP-PSK is used, the router (not sure about clients) will only respond when a WEP key is given; packets are authenticated. No matter what, in that case, you need a client that is authed to spoof its MAC. Hey, maybe some routers will consider their own MAC trusted and work w/o auth?

EDIT: I tested this and the WLAN considers the LAN port MAC addresses trusted with one of my routers... Could be cool, but one would need a MAC from the LAN port... Perhaps I may try writing a Perl script that will try bruteforcing the LAN MAC addresses with aireplay-ng. Of course only a PoC, as it would be next to useless in the real world...

Edited by tekio

Good good ideas man. I have thought about the mac address spoofing idea... but I don't think that will work because when a client reassociates with an AP they resend the IV packets that you use to relay when you're cracking a WEP key. I have heard it works for hijacking people on a pay for AP you know the ones where you put in your credit card info and it connects you automatically without putting in a wep key. But that's about it. The perl script idea sounds bad ass. Keep me up to date if you will on that. I'd like to check it out. Thanks for the input.


I've not studied this for a while; perhaps a review is in order... I was thinking with WEP-PSK each client has to have the WEP key to associate. No association, and a deauth cannot be sent to get the SSID. However, if the MAC is trusted it is possible to associate; therefore, a deauth is possible.


Yeah, but that would need a client to spoof, and that would still kinda rule out the whole no-clients thing. But if you were to brute force a MAC... that would be kinda cool, but still you would be brute forcing. My whole reason for the post honestly was to find a way without deauthing or brute forcing. Maybe some sort of packet decryption method, where you could use your data packets to crack the actual SSID. I know it sounds dumb, but it was just an idea. You would think it is impossible, but look how far technology and security have come. You can crack into a network wirelessly. Seems like 10 or fewer years ago you had to use a phone line to get on the internet.


If the key is obtained you should be able to capture decrypted packets in Wireshark. Still, there would need to be traffic with the SSID though...

EDIT: forgot to add there is a vulnerability in the Neesus Datacom algorithm where it is easy to decrypt because there are so many collisions. All WRT-54Gs that I've seen use this to generate WEP keys.

Edited by tekio

Wellenreiter would discover a cloaked SSID. It is a passive sniffer that reads the packets to decode the SSID, rather than NetStumbler, which sends beacon packets out looking for responses, aka "CAN YOU HEAR ME NOW? CAN YOU HEAR ME NOW? CAN YOU HEAR ME NOW?...".

Hope this helps.


One new thing that I've discovered about the Qwest Actiontec wifi/modems is that EVERY single one in my area was deployed using only 60bit (really 40) encryption. Weird. Anyone else had any experiences with the Qwest Actiontec wifi/modems?


Never even heard of Actiontec; all my friends have Qwest here and they are set up with 2Wire routers.
