Before we move on to understand how an SSID attack is launched let us cover some basics first so that you know exactly what you are doing.
A full understanding of the SSID concept is an important tool to have under your belt as a penetration tester or ethical hacker. Although SSID means the "Wi-Fi name" for the less savvy user, this is usually the initial point of entry for many malicious attacks or authorized penetration tests.
Also known as the service set identifier, the SSID indicates what are the access points available in your range and their names.
All the information available is broadcast by the network interface cards (NIC) in the range. From the example below you can see that one of the access points being broadcast in my range is called:
Really, asshole? Curry again?
SSIDs can be up to 32 alphanumeric characters long which allows kids to put up a public joke every now and then. I say kids because as a technologist I would not even want people to know my SSID, or try to connect to it.
That means that users who need to use the network will be required to provide the SSID and password in order to establish a connection. This touches on the concept of security through obscurity and greatly reduces the chances of an attack.
With this brief intro, let's design an attack to uncover a hidden SSID as a penetration tester would.
THE ATTACK
Disclaimer: The following content requires you to have basic knowledge of Kali Linux or Backtrack, but feel free to go ahead as I will be covering those topics on hackernoon, my website and youtube.
I hope you are still with me because now it starts to get fun. There are basically 3 things that we need to do:
- Enable monitoring mode on our wireless interface: airmon-ng
- Discover access points that are broadcasting: airdump-ng
- Wait for association or cause a de-authentication attack: aireplay-ng
In order to encourage best practices let's perform an ifconfig and check our settings to see what interfaces we have to deal with.
et0 is the lan (ethernet connection wired)
lo loop-back interface
W0 is the wireless lan interface
Next, let's run airmon-ng without any parameters just to verify that it is able and willing to recognize the wireless card.
Bingo, the wireless card has been recognized, so our next step is simple and we just need to launch a command to start listening a.k.a monitoring on that wireless interface.
The command is: airmon-ng start wlan0
Now we have this new logical interface called mon0 ready for us to start listening on. As good practice we should launch airmon-ng one more time just to verify the mon0 is now recognized, as we can see it is.
For this example I have set a hidden SSID just so we can see how the process works. So now our goal is to identify what is the service set identifier that is not being advertised to the general public.
The next step is to launch airodump-ng mon0 to start our backtrack (or kali linux) machine to listen to the activity going on. It's important to remember that we added mon0 because that is the logical interface that we want to listen to.
This will cause the logical interface to listen to all the activity going on. You will be able to see that backtrack is cycling through all the channels searching for all the interfaces it can find on the top left corner of the screen. What we need to do is look at the upper right side and look for interfaces that are not displaying SSIDs such as <length: 0>, which in this case is our hidden SSID.
At this point we have harvested a lot of information. We know the hidden SSID channel (CH), MAC address and we also know that it does not use any kind of encryption. Since we now have a good idea of our target we can use some commands to narrow down our results (this is especially good when dealing with multiple access points).
Since we know this hidden SSID is running on channel 1 we will save some screen real estate and run airodump-np -c 1mon0 to listen only to channel 1.
Now we are only listening to channel 1 as you can see on the top left corner. We now just need to wait long enough for someone to connect to the SSID and the name will be revealed. In our case, the hidden SSID which you can verify in the screenshot below.
Sneaky-SSID
Although it is possible to figure out hidden SSIDs in this fashion, it is a lot faster if we were to launch a de-authentication attack and force the user to reconnect and give out the SSID by reconnecting to it.
If speed is of essence than waiting for someone to reconnect may not be suitable and that is why in the next article we will be studying how to launch a de-authentication attack to harvest hidden SSIDs in a much faster fashion by forcing the users to reconnect.
Disclaimer: This ethical hacking tutorial is against misuse of the information and I strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general.