2.1 - UNCOVERING HIDDEN SSIDs
- Most access points offer an option, usually called "Closed Network" or "Hide SSID", which stops the SSID from being included in the beacon frames the AP broadcasts to announce itself. This option is often regarded as a security measure, but, as shown here, the hidden SSID is easy to uncover: it is only left out of beacons, and it still travels in clear text in other management frames.
- At the AP used in this practice, "Closed Network" is enabled as follows:
- Capturing beacon frames from the AP afterwards, Wireshark cannot show the SSID: the SSID tag is present but its field appears blank:
- The attacker "kali" uses airodump-ng to detect that the victim "roch" is connected to the AP, but it cannot learn the ESSID; it only reports that the name is 8 characters long, <length: 8>, a value it derives from the blanked SSID element in the beacons:
- The trick consists in forcing the client "roch" to deauthenticate, knowing that it will then try to reconnect to the AP. Using aireplay-ng, 5 deauthentication packets are sent through "kali"'s interface (00:C0:CA:72:1A:36) to the access point whose MAC address is 00:25:F2:9B:91:23, targeting the "roch" client (28:C6:8E:63:15:6B) so that it is disconnected:
- Using this Wireshark filter, (wlan.bssid == 00:25:F2:9B:91:23) && !(wlan.fc.type_subtype == 0x08), i.e. frames for this BSSID other than beacons (subtype 0x08), the deauthentication frames (subtype 0x0c) can be observed:
- Then, after waiting a few moments, when the client "roch" tries to reconnect by sending a Probe Request, the AP answers with a Probe Response that carries the expected SSID in clear text ("spaniard"). Note that the client leaks the same name itself: a station reconnecting to a hidden network must send a directed Probe Request naming the SSID, and its Association Request carries the SSID element as well, so any of these frames is enough to uncover it:
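The whole procedure above, reduced to the frames involved, as an added example that is not part of the original practice. It builds constructed (not captured) 802.11 management frames using the MAC addresses and SSID from the practice, parses the SSID element out of them to show why a "Closed Network" beacon yields only <length: 8> while the Probe Response yields "spaniard", applies the same test as the Wireshark filter, and emulates how airodump-ng fills the name in. It goes slightly beyond the page by also showing that the client's directed Probe Request names the network (with the usual wildcard BSSID, so the BSSID filter does not show it). Only the bare 802.11 header and body are modelled, with no radiotap header; the frame contents are illustrative assumptions, not the practice's own capture.

```python
"""Added example, not from the original practice: constructed 802.11 management
frames showing why a "Closed Network" AP still leaks its SSID.  No radiotap
header is modelled; every frame below is constructed for illustration."""
import struct

AP_BSSID = "00:25:f2:9b:91:23"   # AP from the practice
CLIENT = "28:c6:8e:63:15:6b"     # victim "roch"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SSID = b"spaniard"               # the name the practice recovers

# Management-frame subtypes (type 0); same values as Wireshark's
# wlan.fc.type_subtype shows for management frames.
PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0x04, 0x05, 0x08, 0x0C


def mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ie(tag, value):
    """One tagged parameter (information element): id, length, value."""
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype, dst, src, bssid, body):
    """Bare 802.11 management frame: frame control, duration, addr1..3, seq, body."""
    fc = bytes([(0 << 2) | (subtype << 4), 0x00])   # version 0, type 0 = management
    return fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body


def beacon_like_body(ssid_ie):
    """Beacon / probe response body: timestamp, interval, capabilities, then IEs."""
    return (b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
            + ssid_ie + ie(1, bytes([0x82, 0x84, 0x8B, 0x96])))


def parse_mgmt(frame):
    """Return type/subtype, BSSID and the SSID element of a management frame.
    A hidden SSID is an SSID element that is empty or filled with NUL bytes."""
    fc0 = frame[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "ssid": None, "ssid_len": None, "hidden": False}
    if info["type"] != 0:
        return info
    body = frame[24:]
    if info["subtype"] in (BEACON, PROBE_RESP):
        ies = body[12:]          # skip timestamp(8) + interval(2) + capabilities(2)
    elif info["subtype"] == PROBE_REQ:
        ies = body               # probe requests start directly with the IEs
    else:
        ies = b""                # deauthentication etc. carry no SSID
    i = 0
    while i + 2 <= len(ies):
        tag, ln = ies[i], ies[i + 1]
        val = ies[i + 2:i + 2 + ln]
        if tag == 0:             # SSID element
            info["ssid_len"] = ln
            if ln == 0 or val == b"\x00" * ln:
                info["hidden"] = True      # what airodump-ng prints as <length: N>
            else:
                info["ssid"] = val.decode("utf-8", "replace")
        i += 2 + ln
    return info


def matches_filter(info, bssid=AP_BSSID):
    """Same test as the Wireshark filter
    (wlan.bssid == AP) && !(wlan.fc.type_subtype == 0x08)."""
    return info["bssid"] == bssid and not (info["type"] == 0 and info["subtype"] == BEACON)


def recover_ssid(frames, bssid=AP_BSSID):
    """Emulates airodump-ng: note the hidden length from beacons, then fill in
    the name from the first frame of this BSSID that carries it in clear."""
    out = {"length": None, "ssid": None, "learned_from": None}
    for f in frames:
        info = parse_mgmt(f)
        if info["bssid"] != bssid:
            continue
        if info["subtype"] == BEACON and info["hidden"]:
            out["length"] = info["ssid_len"]
        elif info["ssid"] is not None:
            out["ssid"], out["learned_from"] = info["ssid"], info["subtype"]
            break
    return out


# Constructed capture, in the order the practice describes (assumed contents).
CAPTURE = [
    # 1. beacon from the "Closed Network" AP: SSID element kept at length 8, bytes blanked
    mgmt_frame(BEACON, BROADCAST, AP_BSSID, AP_BSSID, beacon_like_body(ie(0, b"\x00" * 8))),
    # 2. deauthentication injected from kali, spoofing each side to the other (reason 7)
    mgmt_frame(DEAUTH, CLIENT, AP_BSSID, AP_BSSID, struct.pack("<H", 7)),
    mgmt_frame(DEAUTH, AP_BSSID, CLIENT, AP_BSSID, struct.pack("<H", 7)),
    # 3. the client reconnects with a directed probe request that names the network
    #    (wildcard BSSID, so the wlan.bssid filter does not show it)
    mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ie(0, SSID)),
    # 4. the AP's probe response carries the SSID in clear text
    mgmt_frame(PROBE_RESP, CLIENT, AP_BSSID, AP_BSSID, beacon_like_body(ie(0, SSID))),
]

if __name__ == "__main__":
    for f in CAPTURE:
        i = parse_mgmt(f)
        print(f"subtype=0x{i['subtype']:02x} bssid={i['bssid']} ssid={i['ssid']!r} "
              f"hidden={i['hidden']} passes_filter={matches_filter(i)}")
    print(recover_ssid(CAPTURE))
```

Running it lists the five frames and then prints the recovered state, length 8 and name "spaniard" learned from subtype 0x05, which is exactly the jump from <length: 8> to "spaniard" seen in airodump-ng and Wireshark. Feeding only the beacon gives the length and no name, which is all a "Closed Network" setting ever withholds.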