LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-04-2012, 12:37 AM   #1
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Rep: Reputation: 32
aircrack suite not identifying the hidden ssid


I am pentesting my wireless and I hid the SSID, but I heard that you can recover the name of the SSID by using aireplay and airodump. I googled and exhausted all resources on how to do so; those YouTube videos weren't helping either. What is happening is that I am able to run the wireless NIC in monitor mode and view the APs in the area. I am also able to view their BSSID and the MAC addresses of the clients connected to them (the station), but here's where it gets confusing. When I do what the YouTube videos showed, by taking the AP MAC and the client's NIC MAC, I can run this aireplay command to force a client to deauthenticate, and when it re-connects to the AP the SSID will be revealed (correct me if I'm wrong):
Code:
aireplay-ng -0 13 -a (AP mac address) -c (client mac address) mon0
When I run the command it waits for a beacon frame from the channel that the AP is on, then it gives me the error:
Code:
No Such BSSID available
Please Specify an ESSID (-e)
On all of the YouTube videos and guides I have seen, they never had to put in an ESSID to find a hidden SSID, so why isn't it working for me? There are obviously clients connected to it, so how come my deauthentication attempts aren't working?
 
Old 01-04-2012, 01:29 AM   #2
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
There are reasons why you won't see some hidden BSSIDs - AFAIR you'll need something to handshake with it to reveal it.

This is one of the best resources online for WIFI security and pentesting: http://www.securitytube.net/downloads
 
Old 01-04-2012, 10:35 AM   #3
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Original Poster
Rep: Reputation: 32
That doesn't explain why the YouTube tutorials work without providing an SSID.

http://www.youtube.com/watch?v=ZeCVkWMUSzE
 
Old 01-04-2012, 11:08 AM   #4
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Is your hidden AP seeing any traffic from clients?

I can assure you that if you work through that huge DVD it explains, in great detail, the whole hidden SSID gig and how airodump-ng pulls the information to identify hidden networks where it can.

Aircrack is not perfect, it has some issues, but if you work through the DVD you'll find the theory behind finding hidden SSIDs, and how to find them by hand from airodump-ng dump files using Wireshark. You'll also be able to answer the question you have asked for yourself and understand why your airodump-ng is not demunging your hidden SSID.

If you don't want to download the whole DVD and go through it (which is the best free resource on wireless security on the net IMHO), jump right in to the relevant lesson here: http://www.securitytube.net/video/1773
 
Old 01-04-2012, 02:12 PM   #5
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by leslie_jones View Post
Is your hidden AP seeing any traffic from clients?
Yes, there is traffic on the AP; in fact there are at least four clients connected to it, and if I was to run a deauthentication attack I would be able to sniff out the hidden SSID when it attempts to re-connect to the AP.
 
Old 01-05-2012, 12:51 AM   #6
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Quote:
Originally Posted by baronobeefdip View Post
Yes, there is traffic on the AP; in fact there are at least four clients connected to it, and if I was to run a deauthentication attack I would be able to sniff out the hidden SSID when it attempts to re-connect to the AP.
And have you worked through the Video link I sent you?
 
Old 01-08-2012, 02:58 PM   #7
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Original Poster
Rep: Reputation: 32
Yes, and still no success. I keep getting that message for specifying the SSID; even though it's hidden, how does it expect me to specify it after it's hidden? I know the idea of getting a client to disassociate with it, forcing it to re-connect, thus showing the hidden SSID, but I keep getting those SSID entry errors. This is really irritating. Let me paste the commands I am using:
Code:
aireplay-ng -c 00:26:4A:29:F1:67 -a 00:0D:97:07:E0:1B --fakeauth 0 -o 0 mon0

No source MAC (-h) specified. Using the device MAC (D0:DF:9A:8A:31:EE)
14:50:51  Waiting for beacon frame (BSSID: 00:0D:97:07:E0:1B) on channel 3
14:51:02  No such BSSID available.
Please specify an ESSID (-e).
As you can see, the -h option is asking me to specify a source MAC address. Isn't that what the -C option does?
 
Old 01-09-2012, 12:40 AM   #8
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Quote:
Originally Posted by baronobeefdip View Post
Code:
aireplay-ng -c 00:26:4A:29:F1:67 -a 00:0D:97:07:E0:1B --fakeauth 0 -o 0 mon0
What are you trying to achieve with that command????
Why would you be trying to do a 'fake authentication attack' to find the hidden SSID????

With respect, the reason people go to the lengths of writing tutorials and producing hours and hours of video is to help people learn. The reason people write 'man' and 'wiki' pages is to help people use the tools. Please tell me where in that video link I gave you, it shows you a command anything like the command you have used?

Quote:
Originally Posted by baronobeefdip View Post
As you can see, the -h option is asking me to specify a source MAC address. Isn't that what the -C option does?
I don't see a -C option (there is a -c option, but that would, of course, be a different thing) on the current wiki page: http://www.aircrack-ng.org/doku.php?...04c992ac9171ee

OR even the MAN for that matter:

Code:
AIREPLAY-NG(1)                                                                                             AIREPLAY-NG(1)

NAME
       aireplay-ng - inject packets into a wireless network to generate traffic

SYNOPSIS
       aireplay-ng [options] <replay interface>

DESCRIPTION
       aireplay-ng  is  used  to  inject/replay frames.  The primary function is to generate traffic for the later use in
       aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can  cause  deauthentications
       for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP
       request injection and ARP-request reinjection. With the packetforge-ng tool  it's  possible  to  create  arbitrary
       frames.

       aireplay-ng supports single-NIC injection/monitor.
       This feature needs driver patching.

OPTIONS
       -H, --help
              Shows the help screen.

       Filter options:

       -b <bssid>
              MAC address of access point.

       -d <dmac>
              MAC address of destination.

       -s <smac>
              MAC address of source.

       -m <len>
              Minimum packet length.

       -n <len>
              Maximum packet length.

       -u <type>
              Frame control, type field.

       -v <subt>
              Frame control, subtype field.

       -t <tods>
              Frame control, "To" DS bit.

       -f <fromds>
              Frame control, "From" DS bit.

       -D     Disable AP Detection.

       Replay options:

       -x <nbpps>
              Number of packets per second.

       -p <fctrl>
              Set frame control word (hex).

       -a <bssid>
              Set Access Point MAC address.

       -c <dmac>
              Set destination MAC address.

       -h <smac>
              Set source MAC address.

       -g <nb_packets>
              Change ring buffer size (default: 8 packets). The minimum is 1.

       -F     Choose first matching packet.

       -e <essid>
              Set  target  SSID  for  Fake Authentication attack (see below). For SSID containing special characters, see
              http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

       -o <npackets>
              Set the number of packets for every authentication and association attempt (Default: 1). 0 means auto

       -q <seconds>
              Set the time between keep-alive packets in fake authentication mode.

       -y <prga>
              Specifies the keystream file for fake shared key authentication.

       -j     ARP Replay attack : inject FromDS pakets (see below).

       -k <IP>
              Set destination IP in fragments.

       -l <IP>
              Set source IP in fragments.

       -B     Test option: bitrate test.

       Source options:

       -i <iface>
              Capture packets from this interface.

       -r <file>
              Extract packets from this pcap file.

       Miscellaneous options:

       -R     disable /dev/rtc usage.

       Attack modes:

       -0 <count>, --deauth=<count>
              This attack sends disassocate packets to one or more clients which are currently associated with a particu-
              lar access point. Disassociating clients can be done for a number of reasons: Recovering  a  hidden  ESSID.
              This  is  an  ESSID  which is not being broadcast. Another term for this is "cloaked" or Capturing WPA/WPA2
              handshakes by forcing clients to reauthenticate or Generate ARP requests (Windows clients  sometimes  flush
              their  ARP  cache when disconnected).  Of course, this attack is totally useless if there are no associated
              wireless client or on fake authentications.

       -1 <delay>, --fakeauth=<delay>
              The fake authentication attack allows you to perform the two types of WEP authentication (Open  System  and
              Shared Key) plus associate with the access point (AP). This is useful is only useful when you need an asso-
              ciated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be
              noted  that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be
              used to authenticate/associate with WPA/WPA2 Access Points.
What people won't do here is tell you how to crack anything, it is against the forum policy for one thing, but in addition nobody wants to produce 'script kiddies' that don't understand what they are doing.

The best you can hope for is to be pointed to the best resources available - which you have been. It's up to you to work through those because I know, having worked through them myself, they deal with this subject in detail and completely and will enable anyone with the right kit/lab set up to be able to find hidden SSIDs. It may *not* necessarily be by using airodump-ng (it can be a little buggy and unpredictable as you'd know if you'd watched that video series), you may have to actually read the packet captures to do it, but that is all covered in the series Vivek has made. I'm sorry if that appears rude or curt - but it's the best answer I can give you within the rules of this forum.

Last edited by leslie_jones; 01-09-2012 at 12:45 AM.
 
Old 01-09-2012, 11:50 PM   #9
baronobeefdip
Senior Member
 
Registered: Jul 2009
Distribution: Debian Squeeze
Posts: 1,267

Original Poster
Rep: Reputation: 32
I think I may have found the problem.
I was making the mistake of not running aireplay and airodump at the same time, because aireplay picks a channel to detect APs on at random and will not detect the AP if it's not on the right channel it is being transmitted on, but setting the airodump process to a fixed channel will eliminate this problem, making aireplay able to detect it and not having to choose a random channel. That's why it was not giving me a BSSID, since it's on channel 113 and evidently it's unreachable to both aireplay and airodump, so I was unable to capture anything and unable to get the name, thus making my wifi signal unhackable. I did, however, change the channel to something below 11 and was able to obtain the handshake, but haven't got around to hiding the SSID yet since I was working through one procedure at a time.

So my security, as far as I know, works. If my findings that I am describing in the above paragraph are wrong or inaccurate then let me know; it's what I have been observing. I would go into more detail about my experiments, but I would be condoning hacking and other related activities on this forum and opening these findings to Google search, so I am just happy to say that.
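The deauthentication attack discussed throughout this thread (aireplay-ng -0, as the quoted man page describes it) shows up on the air as a burst of deauth/disassoc management frames aimed at one station, which is what a wireless IDS keys on. The following Python is an added example, not from this thread or the aircrack-ng project: a minimal 802.11 management-frame parser that flags such bursts. The frame bytes and MAC addresses are constructed placeholders, and it assumes any radiotap header and the trailing FCS have already been stripped from each frame.

```python
"""Flag deauthentication/disassociation bursts in raw 802.11 management
frames, as a wireless IDS would. Added example (not from the thread); frame
bytes and MACs are constructed; radiotap header and FCS assumed stripped."""
import struct
from collections import Counter

BEACON, DISASSOC, DEAUTH = 8, 10, 12   # management subtypes (frame-control type 0)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_mgmt(subtype, dst, src, bssid, body=b"", seq=0):
    """Assemble the 24-byte management header (FC, duration, addr1-3, seq ctl) plus body."""
    fc = struct.pack("<H", subtype << 4)           # version 0, type 0 (mgmt), subtype
    return (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4) + body)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, body) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:                       # type field: 0 = management
        return None
    return (fc >> 4, mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), frame[24:])

def deauth_bursts(frames, threshold=5):
    """Count deauth/disassoc frames per (bssid, target station) and return the pairs at or
    above threshold: one deauth is normal, many to one station in a short capture is not."""
    counts = Counter()
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed and parsed[0] in (DEAUTH, DISASSOC):
            counts[(parsed[3], parsed[1])] += 1    # key: (BSSID, addr1 = targeted client)
    return {pair: n for pair, n in counts.items() if n >= threshold}

AP, VICTIM, OTHER = "02:00:00:00:aa:01", "02:00:00:00:cc:01", "02:00:00:00:cc:02"

def sample_capture():
    """Constructed capture: a beacon, one lone deauth to OTHER, a 9-frame burst at VICTIM."""
    frames = [build_mgmt(BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)]
    frames.append(build_mgmt(DEAUTH, OTHER, AP, AP, struct.pack("<H", 3)))
    frames += [build_mgmt(DEAUTH, VICTIM, AP, AP, struct.pack("<H", 7), seq=i) for i in range(8)]
    frames.append(build_mgmt(DISASSOC, VICTIM, AP, AP, struct.pack("<H", 8)))
    return frames
```

Hiding the SSID does not defend against this: the client's association request carries the SSID in the clear, which is exactly what airodump-ng recovers once the station reconnects, so the useful controls are WPA2/WPA3 with a strong passphrase, 802.11w management-frame protection where the hardware supports it, and monitoring for the burst pattern above.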