The owners of some wireless access points configure them so that they do not broadcast their name (ESSID). This is considered, in their opinion, additional protection (along with the password) TD.
Simply put, a hidden Wi-Fi network (hidden) is a network that is not visible in the list of available networks. To connect to it, you must enter its name manually.
In fact, this method of protection is untenable, if only because at certain moments the name of the wireless network (ESSID) is still broadcast in an open form.
There is a whole set of recommendations on how to protect your wireless router. But this type of protection (hiding the name of Wi-Fi), as well as filtering by MAC address, are not recommended for use, because they cause certain difficulties to legitimate users and do not provide any protection.
This material shows the failure of protection by hiding the network. The next section will show how easy it is to bypass MAC filtering.
How to see hidden Wi-Fi networks
Let's start with the fact that hidden networks are not so hidden. They are very easy to see with Airodump-ng. To do this, we translate our wireless card into monitor mode:
ifconfig wlan0 down && iwconfig wlan0 mode monitor && ifconfig wlan0 up
And run Airodump-ng:
airodump-ng wlan0
1542759723640-png.1758
Pay attention to line
20: 02: AF: 32 : D2:61 -40 108 3 0 6 54e WPA2 CCMP PSK <length: 3>
This is the “hidden” Wi-Fi network. All data, except for ESSID, is available on a par with other access points. And we already know something about the ESSID: <length: 3>. This means that the length of the name is 3 characters.
We will learn the name of this TD by running brute force using the mdk3 program. For now, let's move on to another hidden Wi-Fi network and find out its name with Airodump-ng.
Getting the name of a hidden Wi-Fi network using Airodump-ng
The network name (ESSID) is transmitted in the broadcast in the clear and can be intercepted during client connection. You can wait for the client to connect in a natural way, or you can speed up the process if you “knock out” (deauthenticate) from the access point. After that, it will immediately start to reconnect, the name of the network will appear in the broadcast in clear text, and we, in turn, will intercept it. The sequence of actions corresponds exactly to the one described in the article “Capturing handshakes in Kali Linux”. Therefore, if you are already familiar with it, then it will be quite easy for you.
We look available to attack the access point
airodump-ng wlan0
1542759798353-png.1759
Network with a hidden name:
20: 25: 64: 16: 58: 8C -42 1856 0 0 1 54e WPA2 CCMP PSK <length: 11>
Its BSSID is 20: 25: 64: 16: 58: 8C, the length of its name is 11 characters, it works on channel 1. So I run airodump-ng on the first channel:
airodump-ng wlan0 --channel 1
If you remember, during the handshake capture, I also indicated the -w key after which the file name prefix followed. This can be done now - since the seizure of a handshake does not prevent the identification of the name of the hidden TD. In this case, you will kill two birds with one stone at once.
You can do nothing - just wait for someone to connect or reconnect naturally. If you are in a hurry, you can force the process using de-authentication attack.
To do this, we open a new terminal window and type the command there:
aireplay-ng -0 3 -a 20: 25: 64: 16: 58: 8C wlan0
Here -0 means deauthentication, 3 means the number of sent packets, -a 20:25: 64: 16: 58: 8C is the CSS ID of the target AP, and wlan0 is the network interface in monitor mode.
The result was obtained almost instantly:
Line of interest:
20: 25: 64: 16: 58: 8C -34 100 1270 601 0 54e WPA2 CCMP PSK SecondaryAP
Ie The name of the "hidden" network is SecondaryAP .
Simply put, a hidden Wi-Fi network (hidden) is a network that is not visible in the list of available networks. To connect to it, you must enter its name manually.
In fact, this method of protection is untenable, if only because at certain moments the name of the wireless network (ESSID) is still broadcast in an open form.
There is a whole set of recommendations on how to protect your wireless router. But this type of protection (hiding the name of Wi-Fi), as well as filtering by MAC address, are not recommended for use, because they cause certain difficulties to legitimate users and do not provide any protection.
This material shows the failure of protection by hiding the network. The next section will show how easy it is to bypass MAC filtering.
How to see hidden Wi-Fi networks
Let's start with the fact that hidden networks are not so hidden. They are very easy to see with Airodump-ng. To do this, we translate our wireless card into monitor mode:
ifconfig wlan0 down && iwconfig wlan0 mode monitor && ifconfig wlan0 up
And run Airodump-ng:
airodump-ng wlan0
1542759723640-png.1758
Pay attention to line
20: 02: AF: 32 : D2:61 -40 108 3 0 6 54e WPA2 CCMP PSK <length: 3>
This is the “hidden” Wi-Fi network. All data, except for ESSID, is available on a par with other access points. And we already know something about the ESSID: <length: 3>. This means that the length of the name is 3 characters.
We will learn the name of this TD by running brute force using the mdk3 program. For now, let's move on to another hidden Wi-Fi network and find out its name with Airodump-ng.
Getting the name of a hidden Wi-Fi network using Airodump-ng
The network name (ESSID) is transmitted in the broadcast in the clear and can be intercepted during client connection. You can wait for the client to connect in a natural way, or you can speed up the process if you “knock out” (deauthenticate) from the access point. After that, it will immediately start to reconnect, the name of the network will appear in the broadcast in clear text, and we, in turn, will intercept it. The sequence of actions corresponds exactly to the one described in the article “Capturing handshakes in Kali Linux”. Therefore, if you are already familiar with it, then it will be quite easy for you.
We look available to attack the access point
airodump-ng wlan0
1542759798353-png.1759
Network with a hidden name:
20: 25: 64: 16: 58: 8C -42 1856 0 0 1 54e WPA2 CCMP PSK <length: 11>
Its BSSID is 20: 25: 64: 16: 58: 8C, the length of its name is 11 characters, it works on channel 1. So I run airodump-ng on the first channel:
airodump-ng wlan0 --channel 1
If you remember, during the handshake capture, I also indicated the -w key after which the file name prefix followed. This can be done now - since the seizure of a handshake does not prevent the identification of the name of the hidden TD. In this case, you will kill two birds with one stone at once.
You can do nothing - just wait for someone to connect or reconnect naturally. If you are in a hurry, you can force the process using de-authentication attack.
To do this, we open a new terminal window and type the command there:
aireplay-ng -0 3 -a 20: 25: 64: 16: 58: 8C wlan0
Here -0 means deauthentication, 3 means the number of sent packets, -a 20:25: 64: 16: 58: 8C is the CSS ID of the target AP, and wlan0 is the network interface in monitor mode.
The result was obtained almost instantly:
Line of interest:
20: 25: 64: 16: 58: 8C -34 100 1270 601 0 54e WPA2 CCMP PSK SecondaryAP
Ie The name of the "hidden" network is SecondaryAP .