One common challenge is dealing with Access Points (APs) that conceal their presence by not broadcasting their Service Set Identifier (SSID, or the WiFi name). This article covers techniques for locating the MAC addresses of such APs, a fundamental step in the penetration testing of WiFi networks, using both passive and active scanning with a few different tools.

I was recently in an engagement with an incredibly crowded wireless environment (I’m talking about >50 in range, half of which were hidden). Given that the target had a hidden SSID, this made it surprisingly tricky to identify the right AP and its MAC address (or BSSID) for further testing, which inspired this article.

This article assumes basic knowledge of WiFi technologies and the aircrack-ng suite, and that you have some idea of what the SSID might be (I hope you’re not testing some completely random network).

When using airodump-ng, a hidden network can show up like this:

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 
 24:F5:32:D3:32:5B   -6      554      178    0 149  780   WPA2 CCMP   PSK  <length:  9>

Or like this, if the SSID length is hidden as well:

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 
 24:F5:32:D3:32:5B   -6      554      178    0 149  780   WPA2 CCMP   PSK  <length:  0>

We might see a lot of stations in range but no WiFi names, so how do we identify the right AP? Here are a few methods, which can be combined for best results.

Method 1: Listen and Wait

This method is good for making a list of potential targets when you have no information at all.

From the output of airodump-ng, gather a list of suspects to be filtered. If the ESSID length is broadcast, you might be able to make an educated guess about which is the right AP, then focus the capture on a few channels or on the specific BSSID:

airodump-ng wlan1 --band a --channel 149
airodump-ng wlan1 --band a --bssid 24:F5:32:D3:32:5B

If you’re lucky, you might catch some devices trying to connect to the AP; this should reveal the SSID and the right AP, and you’re good to go. I have also seen some connections with the right SSID but where the BSSID shows (not associated); since the goal is to acquire the BSSID, this is where method 2 comes in handy.

Method 2: Manual Connection

This method can be used when you have the SSID but can’t pinpoint the AP.

If you know the SSID, or see it popping up in airodump-ng without a BSSID like this (which can happen when a device is searching for the network but is not connected):

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   3F:7F:24:6C:B4:23  -34    0 - 6      2        4         john_cena

You can try to manually connect to the AP from another device with an arbitrary (wrong) password; the goal is to capture the initial handshake, in which the MAC address of the AP is exposed. Filter by the SSID so that the results are easier to read:

airodump-ng wlan1 --band a --essid john_cena
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 24:F5:32:D3:32:5B   -7 100       73       12    1 149  780   WPA2 CCMP   PSK  john_cena
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -22    0 - 6e     0       18         john_cena

The handshake will be captured, but since the password is wrong, this capture cannot be used for hash cracking.
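As an added helper (not code from the article or from the aircrack-ng project), the following Python script parses airodump-ng tables like the ones above and, for each BSSID that advertises `<length: N>`, collects the names its associated clients probed for and which SSIDs from an inventory list have a matching byte length, which is useful when auditing an estate and mapping hidden BSSIDs back to your own SSIDs. It assumes the WPA/WPA2 column layout shown in this article; the sample dump embedded below is constructed.

```python
# Added example (not from the article or aircrack-ng): parse airodump-ng screen
# output and collect, per hidden BSSID, the evidence that names it. Assumes the
# WPA/WPA2 table layout shown in the article; DUMP below is constructed.
import re
from collections import defaultdict

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ENC, NOTES = {"WPA3", "WPA2", "WPA", "WEP", "OPN"}, {"PMKID", "EAPOL"}
HIDDEN = re.compile(r"<length:\s*(\d+)>")
STA = re.compile(rf"^\s*(\(not associated\)|{MAC})\s+({MAC})\s+-?\d+"
                 r"\s+\S+?\s*-\s*\S+\s+\d+\s+\d+\s*(.*?)\s*$")  # rate looks like "0 - 6e"

DUMP = """\
 24:F5:32:D3:32:5B   -6 100      554      178    0 149  780   WPA2 CCMP   PSK  <length:  9>
 AA:BB:CC:00:11:22  -40  90      120        3    0  36  390   WPA2 CCMP   PSK  <length:  0>
 AA:BB:CC:33:44:55  -55  80       90       10    0   1   54   WPA2 CCMP   PSK  GuestNet
 (not associated)   3F:7F:24:6C:B4:23  -34    0 - 6      2        4         john_cena
 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -22    0 - 6e     0       18         john_cena
 24:F5:32:D3:32:5B  11:22:33:44:55:66  -26    6e- 6e   139     2877  PMKID
"""

def parse_ap(line):
    """(bssid, channel, essid) for an AP table row, else None."""
    tok = line.split()
    i = next((k for k, t in enumerate(tok) if t in ENC), None)  # locate the ENC column
    if i is None or i < 7 or not re.fullmatch(MAC, tok[0]):
        return None
    return tok[0], int(tok[i - 2]), " ".join(tok[i + 3:])  # CH is two tokens before ENC

def identify_hidden_aps(dump, candidates=()):
    aps, probes, assoc = {}, defaultdict(set), defaultdict(set)
    for line in dump.splitlines():
        m = STA.match(line)
        if m:  # station row: remember what it probed for and whom it is associated to
            bssid, sta, tail = m.groups()
            names = " ".join(t for t in tail.split() if t not in NOTES)
            probes[sta] |= {p.strip() for p in names.split(",") if p.strip()}
            if bssid != "(not associated)":
                assoc[bssid].add(sta)
        elif (ap := parse_ap(line)):
            aps[ap[0]] = ap
    result = {}
    for bssid, (_, ch, essid) in aps.items():
        h = HIDDEN.match(essid)
        if h:  # "<length: N>": name withheld; N == 0 means the length is hidden too
            n = int(h.group(1))
            result[bssid] = {
                "channel": ch, "length": n,
                "probed_by_clients": set().union(*(probes[s] for s in assoc[bssid])),
                "length_matches": [c for c in candidates if n and len(c.encode()) == n]}
    return result
```

An AP whose clients probe for exactly one name is effectively identified; one showing `<length: 0>` cannot be narrowed down by length at all.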

Method 3: Deauth

This method can be used when you have a candidate BSSID but want to confirm that it is the right AP and learn its SSID.

Once you have some potential BSSIDs to test, you can filter by those and deauth one of the clients, then wait for the client to reconnect, which will reveal the SSID and BSSID of the AP. Of course, this method is a lot noisier than the other ones, and clients that have negotiated Protected Management Frames (802.11w) will simply ignore spoofed deauthentication frames. Start capturing on the specific BSSID:

airodump-ng wlan1 --band a --bssid 24:F5:32:D3:32:5B -c 44
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID  

 24:F5:32:D3:32:5B   -4      153       72    0  44  780   WPA2 CCMP   PSK  <length:  9>                       

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -22    0 - 6e     0       18   

Deauth the client:

aireplay-ng --deauth 44 -a 24:F5:32:D3:32:5B -c 3F:7F:24:6C:B4:23 wlan1

Wait for it to reconnect, and the BSSID and SSID should appear:

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 24:F5:32:D3:32:5B   10 100      359      108   23  44  780   WPA2 CCMP   PSK  john_cena                      

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -26    6e- 6e   139     2877  PMKID

This also captures the WPA handshake, which can be used for cracking.

Method 4: Bruteforce

This method can be used when you have the BSSID but don’t want to deauth any clients, and/or you have a list of possible SSIDs.

Using the MDK4 tool, we can bruteforce the SSID from a wordlist. This is useful when you have a list of potential SSIDs but couldn’t find a connected client, or don’t want to deauth one. Let’s say you’re pentesting EvilCorp’s WiFi networks; the wordlist could be:

EvilCorp
evilcorp
Evilcorp
EvilCorp-ap
evilcorp-ap
Evilcorp-ap
EvilCorp-AP
evilcorp-AP
Evilcorp-AP
EvilCorp-wifi
evilcorp-wifi
Evilcorp-wifi
EvilCorp-WIFI
evilcorp-WIFI
Evilcorp-WIFI

Or in this case, we know the AP owner is a big WWE fan:

mdk4 wlan1 p -t 24:F5:32:D3:32:5B -f ssids.txt
Waiting for a beacon frame from target to get its SSID length.
SSID length is 9
Trying SSID: bert_hart                                           
Packets sent:      1 - Speed:    1 packets/sec

Wordlist completed.
Probe Response from target AP with SSID john_cena                
Job's done, have a nice day :)

MDK4 also has a full bruteforce mode where character sets can be specified, but this is not recommended unless the SSID is short, and it won’t work at all if the length is hidden too (shown as <length: 0> above).