Quote:
Originally Posted by baronobeefdip
Code:
aireplay-ng -c 00:26:4A:29:F1:67 -a 00:0D:97:07:E0:1B --fakeauth 0 -o 0 mon0
What are you trying to achieve with that command????
Why would you be trying to do a 'fake authentication attack' to find the hidden SSID????
With respect, the reason people go to the lengths of writing tutorials and producing hours and hours of video is to help people learn. The reason people write 'man' and 'wiki' pages is to help people use the tools. Please tell me where in that video link I gave you, it shows you a command anything like the command you have used?
Quote:
Originally Posted by baronobeefdip
As you can see the -h option is asking me to specify a source MAC address. Isn't that what the -C option does?
I don't see a -C option (there is a -c option, but that would, of course, be a different thing) on the current wiki page:
http://www.aircrack-ng.org/doku.php?...04c992ac9171ee
OR even the MAN for that matter:
Code:
AIREPLAY-NG(1) AIREPLAY-NG(1)
NAME
aireplay-ng - inject packets into a wireless network to generate traffic
SYNOPSIS
aireplay-ng [options] <replay interface>
DESCRIPTION
aireplay-ng is used to inject/replay frames. The primary function is to generate traffic for the later use in
aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications
for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP
request injection and ARP-request reinjection. With the packetforge-ng tool it's possible to create arbitrary
frames.
aireplay-ng supports single-NIC injection/monitor.
This feature needs driver patching.
OPTIONS
-H, --help
Shows the help screen.
Filter options:
-b <bssid>
MAC address of access point.
-d <dmac>
MAC address of destination.
-s <smac>
MAC address of source.
-m <len>
Minimum packet length.
-n <len>
Maximum packet length.
-u <type>
Frame control, type field.
-v <subt>
Frame control, subtype field.
-t <tods>
Frame control, "To" DS bit.
-f <fromds>
Frame control, "From" DS bit.
-D Disable AP Detection.
Replay options:
-x <nbpps>
Number of packets per second.
-p <fctrl>
Set frame control word (hex).
-a <bssid>
Set Access Point MAC address.
-c <dmac>
Set destination MAC address.
-h <smac>
Set source MAC address.
-g <nb_packets>
Change ring buffer size (default: 8 packets). The minimum is 1.
-F Choose first matching packet.
-e <essid>
Set target SSID for Fake Authentication attack (see below). For SSID containing special characters, see
http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names
-o <npackets>
Set the number of packets for every authentication and association attempt (Default: 1). 0 means auto
-q <seconds>
Set the time between keep-alive packets in fake authentication mode.
-y <prga>
Specifies the keystream file for fake shared key authentication.
-j ARP Replay attack : inject FromDS packets (see below).
-k <IP>
Set destination IP in fragments.
-l <IP>
Set source IP in fragments.
-B Test option: bitrate test.
Source options:
-i <iface>
Capture packets from this interface.
-r <file>
Extract packets from this pcap file.
Miscellaneous options:
-R disable /dev/rtc usage.
Attack modes:
-0 <count>, --deauth=<count>
This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons:
* Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is "cloaked".
* Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate.
* Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected).
Of course, this attack is totally useless if there are no associated wireless clients or on fake authentications.
-1 <delay>, --fakeauth=<delay>
The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used to authenticate/associate with WPA/WPA2 Access Points.
What people won't do here is tell you how to crack anything, it is against the forum policy for one thing, but in addition nobody wants to produce 'script kiddies' that don't understand what they are doing.
The best you can hope for is to be pointed to the best resources available - which you have been. It's up to you to work through those because I know, having worked through them myself, they deal with this subject in detail and completely and will enable anyone with the right kit/lab set up to be able to find hidden SSIDs. It may *not* necessarily be by using airodump-ng (it can be a little buggy and unpredictable as you'd know if you'd watched that video series), you may have to actually read the packet captures to do it, but that is all covered in the series Vivek has made. I'm sorry if that appears rude or curt - but it's the best answer I can give you within the rules of this forum.
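The reply above makes two technical points worth seeing in code: a cloaked AP still beacons, it just sends an empty (or NUL-padded) SSID tag, and the real name only appears in probe responses, which is why a deauth (-0) rather than a fake authentication (-1) is the relevant aireplay-ng mode and why you may end up "reading the packet captures" yourself. The following is an added example, not code from the original post or from the aircrack-ng project. It hand-builds a handful of 802.11 management frames in memory (constructed sample data, no wireless interface or pcap file needed) and walks their tagged parameters to flag cloaked BSSIDs and recover their ESSID from a later probe response. The MAC addresses and network names are made up.

```python
"""Spot cloaked ESSIDs in 802.11 management frames and recover them from probe responses.

Added example (not from the original post or from aircrack-ng). Frames are built
in memory without radiotap headers or FCS, which is what a parser sees after
stripping those from a monitor-mode capture.
"""
import struct

SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
TAG_SSID = 0
TAG_RATES = 1
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_mgmt_frame(subtype, src, bssid, ssid, dst=BROADCAST):
    """Build a minimal management frame: 24-byte header, optional 12 fixed
    bytes (timestamp, beacon interval, capabilities) for beacons and probe
    responses, then an SSID tag and a supported-rates tag."""
    frame_control = struct.pack("<H", subtype << 4)   # type bits = 0 (management)
    header = frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    fixed = b""
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_RATES, 1, 0x82])
    return header + fixed + tags


def parse_mgmt_frame(frame):
    """Return (subtype, bssid, ssid_bytes) for beacon/probe frames, else None.
    ssid_bytes is None if the frame carries no SSID tag at all."""
    if len(frame) < 24:
        return None
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    if (frame_control >> 2) & 0x3 != 0:          # not a management frame
        return None
    subtype = (frame_control >> 4) & 0xF
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]
    elif subtype != SUBTYPE_PROBE_REQ:
        return None
    ssid = None
    offset = 0
    while offset + 2 <= len(body):
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if len(value) != length:                 # truncated tag: stop, don't trust it
            break
        if tag == TAG_SSID:
            ssid = value
        offset += 2 + length
    return subtype, mac_str(frame[16:22]), ssid   # addr3 is the BSSID


def is_cloaked(ssid):
    """Cloaked APs beacon an empty SSID tag or one padded with NUL bytes."""
    return ssid is not None and ssid.strip(b"\x00") == b""


def recover_hidden_ssids(frames):
    """Map BSSID -> ESSID string, or None for BSSIDs that are still cloaked.
    Beacons only reveal which BSSIDs exist and whether they hide their name;
    a probe response from the AP (sent once a deauthenticated client re-probes)
    fills in the real ESSID."""
    result = {}
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[1] == mac_str(BROADCAST):
            continue                             # undirected probe requests can't be attributed
        subtype, bssid, ssid = parsed
        if subtype == SUBTYPE_BEACON and is_cloaked(ssid):
            result.setdefault(bssid, None)
        elif ssid is not None and not is_cloaked(ssid):
            result[bssid] = ssid.decode("utf-8", "replace")
    return result


# Constructed sample capture: two cloaked APs, one open AP, one client probe
# and the probe response that leaks the first AP's real name.
AP_CLOAKED = bytes.fromhex("020000000001")
AP_NULPAD = bytes.fromhex("020000000002")
AP_OPEN = bytes.fromhex("020000000003")
CLIENT = bytes.fromhex("020000000010")
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, AP_CLOAKED, AP_CLOAKED, b""),
    build_mgmt_frame(SUBTYPE_BEACON, AP_NULPAD, AP_NULPAD, b"\x00" * 7),
    build_mgmt_frame(SUBTYPE_BEACON, AP_OPEN, AP_OPEN, b"Guest"),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, BROADCAST, b"CorpNet"),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP_CLOAKED, AP_CLOAKED, b"CorpNet", dst=CLIENT),
    b"\x08\x02" + b"\x00" * 30,                  # a data frame, ignored by the parser
]

if __name__ == "__main__":
    for bssid, essid in recover_hidden_ssids(SAMPLE_FRAMES).items():
        print(bssid, essid if essid is not None else "<still cloaked>")
```

The NUL-padded case matters in practice: some APs advertise the correct SSID length but fill it with zeros, so a check for `len(ssid) == 0` alone would miss them. Against a real capture you would feed the parser the frames of a pcap after stripping the radiotap header and FCS, which is the part the tutorials cover.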