Description: Welcome to Part 6 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will look at how to find the SSID of networks configured to be non-broadcasting (Hidden SSID). We will first understand the basics of hidden SSIDs and how they work using Beacon frames. Then we will explore both passive and active techniques to discover the SSID of a Hidden SSID network.
We will conduct the attacks using airodump-ng, aireplay-ng and Wireshark! So boot up your Backtracks and get ready! :)
As always please leave your comments / suggestions in this thread.
Tags: wireless security, 802.11, hidden ssid, sniffing, wireshark, aircrack, airodump, aireplay
tnx Vivek
once again, excellent detail!
Again, another fantastic video AND as a bonus Vivek is letting his cheeky comedy side come out to play which made me giggle :-)
Just love that access point 'tsunami' - lots of big waves coming out of that ;-)
Thanks Vivek, can't wait for the next one - laughing off mac filters!
Just one thing I don't understand Vivek. I'm getting 'No such BSSID available' when I do this against an AP. The only difference seems to be WPA2 is used:
airodump-ng mon0
CH 3 ][ Elapsed: 16 s ][ 2011-04-21 16:41
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:14:6C:EE:CC:F8 -72 38 5 0 6 54e. WPA TKIP PSK SKY70438
BSSID STATION PWR Rate Lost Packets Probes
00:14:6C:EE:CC:F8 94:44:52:7C:52:AA -70 0 - 1e 0 11 SKY70438
aireplay-ng --deauth 0 mon0 -a 00:14:6C:EE:CC:F8
16:44:52 Waiting for beacon frame (BSSID: 00:14:6C:EE:CC:F8) on channel 3
16:45:02 No such BSSID available.
Appreciate you're a busy guy and this is not 1 to 1 tuition. If I'm being an idiot just ignore me, but if this is something that needs covering it may be worth adding a side note to this excellent tutorial.
@behrouz, hugol Thanks!
@Blackmarketeer Thanks Buddy! It's difficult to do a remote debug but it looks like the access point is on Channel 6 (from the first dump) and aireplay-ng seems to be waiting on channel 3 for the access point. Maybe change the channel to 6 before using aireplay-ng. Let me know if this works.
}BLUSH{ ....
iwconfig mon0 channel 3
I don't want to talk about it......
:-)
Thank you kind Sir :-)
~~~~~~~~ ~~~~~~~~~~
~~~~~~~~ TSUNAMI ~~~~~~~~~~
~~~~~~~~ ~~~~~~~~~~
You joker :-)
Just logged in here to just say that's a very good and nice thing you do. I hope you keep them coming. And just awesome that you explain everything in-depth. Greetings from Estonia!
And I always thought hiding the SSID was foolproof :( so much for my CWNA training........
Your enthusiasm is contagious. That's why I love your videos. Maybe I'll do a few myself in the near future.
I imagine Vivek is going through the capture>interfaces>start dialog in Wireshark to make it easier for persons learning it but you can start a capture directly from the "start" page in Wireshark by clicking on the interface link in the Capture section if you want to save a few clicks. After the 1st one, you can use Ctrl-E.
hey man put your videos on torrent.
@Blackmarketeer It happens to us all :)
@varendi You bet! thanks!
@WCNA Thanks my friend! Would love it if you post your videos. This site is all about sharing :)
@bmwmgii I would love to :) I just don't have the time to organize it all right now. If you or anyone else has the time, my full support to you! :)
thank you thank you thank you VIVEK so much
You are the best teacher I have ever seen.
I only need one thing.
I can't download the video.... Is there a way to upload it on YouTube or Mediafire? Please please.
Sorry for my bad English.... 'cause I speak Arabic.
God help you on the Megaprimer and the best site.
I wait for you.
@Shadi: you can download from Vimeo, only register ;)
@behrouz I'm downloading now but it won't complete the whole video... it stops sending data with Internet Download Manager.
Because Vimeo has a timeout for downloading.
Do you use a low-speed internet connection?
If you have a low-speed network connection,
use a Windows VPS and install a downloader, then you can download from the VPS.
thx
I don't have a VPS or RDP....... damn.
Can anyone upload this video on YouTube or Mediafire for me?
Shady,
I use Firefox with the DownloadHelper add-on, it works great. Have you tried it?
I have a bad connection.... only 100ko/s when downloading.
make sure and delete the previous incomplete downloads, then try again...
It won't.... I have tried it more than 6 times.
Can you upload it for me on YouTube? Mediafire? fitzroy
Incredible , Incredible , Incredible
i really appreciate your work. thank you again
Even though I cracked a hidden WEP security access point yesterday, I watched your video as if it's the first time I've ever heard about THIS.
The best way to download the video is just using Vimeo and a download manager. I have enabled video downloads on Vimeo for all my videos so this should work smoothly.
@ahmadqdemat Thanks my friend :) I am happy that you are now aware of the actual reasons.
Didn't work Vivek.
I really hope you upload only that video (130 MB) on
YouTube.
Thx
I wanted to point out something I noticed with my WAP (WRT54GS). When I disabled the SSID broadcast, it didn't show "Tag length: 0" and "Tag interpretation: Broadcast". What I saw was similar to what I read about on the airodump-ng page when I was reading it earlier this morning (http://www.aircrack-ng.org/doku.php?id=airodump-ng&DokuWiki=1ff114c81d7272b8376fed51a7547cb6#hidden_ssids_length). Wireshark shows me "Tag length: 11" and "Tag interpretation: \000\000\000\000\000\000\000\000\000\000\000". According to the airodump-ng page, the WRT54GS is one of those that will hide the SSID, but will still show the length. I also verified this using airodump-ng itself and sure enough it shows "<length: 11>" under the ESSID column.
So Vivek's D-Link not only hides the SSID but also its length, while my Linksys hides the SSID but not the length. Is this a manufacturer-type configuration (i.e. all Linksys APs will show the length if the SSID is hidden and all D-Link APs will hide both the SSID and the length)? Or is this something that varies from model to model no matter the manufacturer?
haha Typo in the "<length: 11>" part of that last reply.
Just finished the video and realized that next time I should jot all my questions down in notepad until the video is over - just in case I have others. That way I don't have a bunch of replies one after another.
Anyway, another great video, Vivek! Definitely not getting bored in between videos. I'm a little behind because I keep getting lost in reading more into the tools you're describing :) I'm looking forward to watching part 7 tomorrow on my lunch break!
@lorddicranius - Your question is very interesting and a great one! The funny thing is that Hidden SSID is not really part of the 802.11 standard and is something created by the vendors. Here is an interesting blog post:
http://blogs.technet.com/b/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx
So, this makes the implementation very very vendor dependent. Thus we are seeing such inconsistent behavior across vendors. Hope this answers your question.
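The description says hidden SSIDs are implemented through the Beacon frame's SSID element, and the exchange above shows the two vendor variants Wireshark displays ("Tag length: 0" versus a null-filled tag that leaks the length). The following parser is an added example, not code from the video or from the aircrack-ng suite: it reads raw 802.11 management frames (assumed without radiotap header or FCS), classifies the SSID element the way airodump-ng's "<length: N>" column does, and goes one step further than the text by folding a passive capture together so that a Probe Response from the same BSSID fills in the name the Beacon withheld. Frame contents, BSSIDs and the "tsunami" name are constructed sample data.

```python
import struct

# Frame-control first byte: protocol version 0, type 0 (management), subtype in bits 4-7.
FC_BEACON = 0x80       # subtype 8
FC_PROBE_RESP = 0x50   # subtype 5

MGMT_HDR_LEN = 24      # frame control, duration, addr1, addr2, addr3, sequence control
FIXED_PARAMS_LEN = 12  # timestamp (8) + beacon interval (2) + capability info (2)
BROADCAST = b"\xff" * 6


def build_mgmt_frame(fc: int, bssid: bytes, ssid_value: bytes, dst: bytes = BROADCAST) -> bytes:
    """Constructed sample frame (not a real capture): no radiotap header, no FCS."""
    header = struct.pack("<BBH6s6s6sH", fc, 0, 0, dst, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)          # timestamp, interval, capabilities
    ssid_elem = bytes([0, len(ssid_value)]) + ssid_value  # element ID 0 = SSID
    rates_elem = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])    # element ID 1 = supported rates
    return header + fixed + ssid_elem + rates_elem


def parse_elements(body: bytes):
    """Split the tagged-parameter area into (element_id, data) pairs; stop at a truncated element."""
    elems, i = [], 0
    while i + 2 <= len(body):
        eid, n = body[i], body[i + 1]
        data = body[i + 2:i + 2 + n]
        if len(data) < n:
            break
        elems.append((eid, data))
        i += 2 + n
    return elems


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inspect_ssid(frame: bytes) -> dict:
    """Classify how a Beacon or Probe Response carries its SSID element."""
    if len(frame) < MGMT_HDR_LEN + FIXED_PARAMS_LEN or frame[0] not in (FC_BEACON, FC_PROBE_RESP):
        raise ValueError("not a Beacon or Probe Response frame")
    info = {"bssid": mac_str(frame[16:22]), "ssid": None, "hidden": True, "style": None, "ssid_len": None}
    ssid = next((d for eid, d in parse_elements(frame[MGMT_HDR_LEN + FIXED_PARAMS_LEN:]) if eid == 0), None)
    if ssid is None:
        info["style"] = "no SSID element"            # name and length both withheld
    elif len(ssid) == 0:
        info["style"] = "zero-length"                # Wireshark: Tag length: 0
    elif all(b == 0 for b in ssid):
        info["style"] = "null-filled"                # Wireshark: Tag length: N, all \000
        info["ssid_len"] = len(ssid)                 # the length leaks even though the name does not
    else:
        info.update(ssid=ssid.decode("utf-8", "replace"), hidden=False, style="broadcast", ssid_len=len(ssid))
    return info


def passive_discovery(frames):
    """Fold a passive capture into BSSID -> best known SSID info.

    A hidden AP still answers a client's directed Probe Request with a Probe Response that
    carries the real name, so a later Probe Response upgrades what the Beacon withheld.
    """
    seen = {}
    for frame in frames:
        try:
            info = inspect_ssid(frame)
        except ValueError:
            continue                                 # data frames, probe requests, etc.
        current = seen.get(info["bssid"])
        if current is None or (current["ssid"] is None and info["ssid"] is not None):
            seen[info["bssid"]] = info
    return seen


# Constructed sample capture with made-up BSSIDs.
AP_A = bytes.fromhex("001122334455")   # hides name and length (the D-Link behaviour in the video)
AP_B = bytes.fromhex("66778899aabb")   # hides name but leaks length 11 (the WRT54GS behaviour above)
SAMPLE_FRAMES = [
    build_mgmt_frame(FC_BEACON, AP_A, b""),
    build_mgmt_frame(FC_BEACON, AP_B, b"\x00" * 11),
    build_mgmt_frame(FC_PROBE_RESP, AP_A, b"tsunami", dst=bytes.fromhex("0c0c0c0c0c0c")),
]

if __name__ == "__main__":
    for bssid, info in passive_discovery(SAMPLE_FRAMES).items():
        print(bssid, info)
```

Running the script prints that AP_A's name was recovered from the Probe Response while AP_B stays hidden but with a known length of 11. Both cases illustrate the vendor-dependence Vivek describes: the standard defines the SSID element, not a way to suppress it, so each firmware improvises and leaks a different amount.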
Great read, thanks for the link and the info regarding vendors and hidden SSIDs :)
Excellent Video Vivek
:D thank you again :)
This Pwning Hidden SSIDs video is much more interesting than the other 5 :)
Vivek your enthusiasm is very contagious. You are able to do what most teachers can't, which is keep people's attention. I appreciate the lessons! Keep it up
Vivek, These are superb videos. I like the relaxed manner which absolutely defines that you know your stuff. I am only on episode 6 but by morning I hope to be through the whole 15 posted!! Excellent work, keep it coming!!
I just wanted to thank Vivek for these videos. I have been searching for something like this.
Something that goes in-depth on how and why the pen tool works, not just "type this command with these parameters in order to hack".
Thanks again Vivek
Loved the idea of the active attack!
Didn't know it was so easy to disconnect clients from the AP.
I found your use of Wireshark once again enlightening. I was trying to explain the null SSIDs I was seeing in Wireshark. I had a hunch they were for a network with a "hidden" SSID. Knowing you would use the same tool I was using in this tutorial, I verified! Thanks again! I always learn something.
Vivek these videos are some of the best. Your knowledge on this is outstanding. Keep them coming
Just finished this one, even though I already did this before in the WLAN lab, I never used Wireshark, it's great to really see the data flow in Wireshark. Great teacher, great videos, and I wish you a lot of success in your professional career :)
Finally we are going into the right things bro.. The lesson number 5 was really haaaaaaaard.. Thank you anyway for the best wlan security course in the web.. And the best thing is that you are doing this for FREE.. THANK YOU.
As always, great stuff Vivek! One lil comment. When aireplay is used with the bssid parameter (-a), only the clients authenticated with that bssid get deauthenticated.
Hello Vivek, First off Thanks so much for doing such a great job.
You demonstrated that fakeauth helps determine if the AP has MAC filtering enabled. However my question is, what's the purpose of faking an authentication? Is it just to see if the AP is MAC filtered? Or does it serve other purposes?
Sorry, I posted my question above on the wrong video page :( I couldn't delete it, I will report my question on PART 7.
Ok, I just watched part 8 and got my answer :) Thanks so much Vivek
Another great video. I would like to echo what one of the first comments said about your sense of humor. The videos are already excellent due to thoroughness and content, but the added humor makes them even better. So glad I found this place.
haha dude ur the man, I can't believe how simple things become when taught by an amazing teacher like urself, I can't get enough of your videos, thank you for every single one, you answer all my questions right on your videos, I hope u have much success
once again, Thank YOU
Just like the saying "A picture is worth a thousand words", similarly Vivek's wifi security video series is like a thousand books on wifi security. Vivek, you've set a very very high standard of teaching and I am sure you'll set a benchmark for future (and current as well) tutors on how to teach!!!
Regarding the Pwning Hidden SSIDs video, I would like to know a solution for the deauth attack from a home user's point of view running Win XP or later versions. I know deauth packets can't be disabled because they are part of management frames, so how can they be detected and traced back??
Please help
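On the detection question above: a deauthentication frame is an unauthenticated management frame, so a client cannot refuse it, but a monitor-mode sensor can spot a flood. The detector below is an added example, not code from Vivek or from any IDS product. It parses constructed raw 802.11 deauth frames (assumed without radiotap header or FCS), counts deauths per BSSID in a sliding window and raises one alert when the count crosses a threshold; the window length, threshold, addresses, timestamps and reason codes are all assumptions.

```python
import struct
from collections import defaultdict, deque

FC_DEAUTH = 0xC0            # management frame, subtype 12 (deauthentication)
MGMT_HDR_LEN = 24
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: bytes, src: bytes, bssid: bytes, reason: int) -> bytes:
    """Constructed sample deauth frame (no radiotap header, no FCS)."""
    header = struct.pack("<BBH6s6s6sH", FC_DEAUTH, 0, 0, dst, src, bssid, 0)
    return header + struct.pack("<H", reason)


def parse_deauth(frame: bytes):
    """Return the addresses and reason code of a deauth frame, or None for any other frame."""
    if len(frame) < MGMT_HDR_LEN + 2 or frame[0] != FC_DEAUTH:
        return None
    return {
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "reason": struct.unpack_from("<H", frame, MGMT_HDR_LEN)[0],
    }


class DeauthFloodDetector:
    """Sliding-window counter of deauth frames per BSSID.

    A real AP sends the occasional deauth (a client leaving, a timeout); a forged flood
    sends dozens per second, usually to the broadcast address. Window and threshold
    are assumptions to tune against a baseline of the monitored network.
    """

    def __init__(self, window_s: float = 1.0, threshold: int = 10):
        self.window_s = window_s
        self.threshold = threshold
        self.recent = defaultdict(deque)   # bssid -> deque of (timestamp, dst)

    def feed(self, ts: float, frame: bytes):
        """Feed one captured frame; return an alert dict when the threshold is first crossed."""
        d = parse_deauth(frame)
        if d is None:
            return None
        q = self.recent[d["bssid"]]
        q.append((ts, d["dst"]))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                        # drop frames that fell out of the window
        if len(q) == self.threshold:           # fire once as the window fills, not on every frame
            return {
                "time": ts,
                "bssid": d["bssid"],
                "count": len(q),
                "broadcast_count": sum(1 for _, dst in q if dst == BROADCAST),
                "reason": d["reason"],
            }
        return None


def analyze(capture, window_s: float = 1.0, threshold: int = 10):
    """Run the detector over a list of (timestamp, frame) pairs and collect alerts."""
    det = DeauthFloodDetector(window_s, threshold)
    alerts = []
    for ts, frame in capture:
        alert = det.feed(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample capture with made-up addresses.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("0c0c0c0c0c0c")
# one legitimate deauth, reason 3 (STA is leaving)
SAMPLE_CAPTURE = [(0.0, build_deauth(CLIENT, AP, AP, 3))]
# 40 broadcast deauths in 0.4 s with the source forged as the AP, reason 7 (class 3 frame from non-associated STA)
SAMPLE_CAPTURE += [(5.0 + 0.01 * i, build_deauth(b"\xff" * 6, AP, AP, 7)) for i in range(40)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CAPTURE):
        print(alert)
```

The lone deauth at t=0 never trips the detector; the burst does, with every frame in the window addressed to broadcast, which is itself a useful signal since a real AP rarely deauthenticates everyone at once. Tracing the sender back by address is not possible, because the forged frame carries the AP's own MAC as its source; a sensor with radiotap headers would instead compare the per-frame signal strength and sequence numbers of the suspect deauths against the AP's genuine beacons.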
Excellent Vivek. Thank you for taking your time to teach us. =)
Vivek, you are my hero! Thanks so much!
Thanks Vivek! Another superb lesson!
Well explained in an easy to understand way. Love it, keep it coming.
Thanks Vivek. nice work. keep going.
Deauth broadcast is so badass! xD
When I have airodump-ng running I notice one AP in particular sending ridiculous amounts of broadcast frames:
00:00:00:00:00:00 -49 12101 14 0 11 54 OPN <length: 0>
That's after only 5 minutes of having airodump-ng running, I checked the packets and there's no sort of identifying things that I can see. Also, it jumps between channels 1 and 11 and sometimes the auth changes from OPN to WEP. There is one client apparently broadcasting from this AP:
00:00:00:00:00:00 00:18:0A:01:52:CF -70 0 - 1 0 14
Any ideas as to what the AP is?
This was a great video. It is astounding to me how easy it is to get STAs to deauth.
Great job doing the live demo, that was impressive.
This is shaping up to be a great megaprimer Vivek. It'll be hard to tear myself away from it and get some sleep tonight! After I finish each video I can't wait to start the next one.
I really admire you for taking the time to make all of these and share them with us. It was the whole open source free software mindset that attracted me to this sort of stuff in the first place. It was less than a year ago that I started running Ubuntu for the first time after my Windows system died on me. I never thought I would have discovered such cool programs/tools and community support as I have since then. I also never thought I would have come so far in terms of my knowledge about such things in that period of time. It is in large part thanks to you that I have been able to do so. I know it sounds sappy but your work, as well as that of others in the community, really gives me hope that this world can become a better place. Keep up the great work man!
Good information, can't wait to get to video 48 and then find some more videos!
Hi Vivek!
This is another great video!
I agree with other people. I also have a slow connection and sometimes I struggle watching streaming videos. When I try to download them on Vimeo, sometimes it stalls and sometimes I'm stuck with download quotas. A torrent would be far more convenient :) But I know you're very busy, I'll make do with this.
I also had some problems sending deauthenticate packets through mon0. It says "mon0 is on channel -1, but the AP uses channel 1".
For those with the same problem, I had to send the deauth packet through wlan0 instead of mon0. Here is my solution:
airmon-ng check kill
airmon-ng stop mon0
airmon-ng stop wlan0
airmon-ng start wlan0 1
#at this point make sure wlan0 is not associated with any AP
#you may have to type: ip link set wlan0 up
aireplay-ng --deauth 0 -a XX:XX:XX:XX:XX:XX wlan0
Thanks again for those great videos!
I'm definitely not getting bored in between, and I love the fact that you explain everything! THANK YOU SO MUCH!
Hi.. These are highly valuable videos. I have already seen these attacks in some other YouTube videos..
but no one explains the basic concepts this much, with a Wireshark live experiment and what's actually going on in the background.
Thanks for sharing... :-)
I have one question: if somebody puts his SSID in hidden mode, then is my wifi detecting the AP? Or if I got the hidden SSID, then how do I connect to the AP? (Open connection mode).
Another question: is this Alfa card available in the Indian market? Or where do I get it?
By
Ramki
there is no SSID in association response right?
Very cool! So question: If you continue to send deauth packets to the access point, will it block every client from connecting if you continue a steady stream of deauth packets?
@Xray yes it would generate a DoS situation for the AP.
My notes for this part: http://41j.com/blog/2011/10/securitytube-wireless-lan-security-megaprimer-notes-part-6-finding-hidden-ssids/
While watching this tutorial one devil's thought came into my mind to do this live on my university's wifi network but that would be illegal and I won't do it :D
Great video again. :)
Hi Vivek,
I wrote you an email last night - just forget about it, everything is clear now ;)
Nobody mentioned the answer to the little exercise you gave us in this video. I did not detect the SSID in the association response, is that correct?
Best wishes to you
Vivek,
I was able to see the same behavior when using my iPad. However, when I used the deauth tool against Win7 the PCAPs showed Reassociation Request (0x02) and Response (0x03). I am not sure if you cover this in later videos but it may be worth noting.
Enjoying the video series so far. Thanks so much for your work!
- Stefan
hi there
What will happen if you use DeAuth on the ESSID instead of the SSID? I know this video is old, but someone might see my comment :(
Anyway, many thanks to Vivek for his shared knowledge, he is The Jedi master
Sorry, by ESSID I meant the backbone ESS
Awesome. I was following your videos on the freak site as well. I was very happy after watching your videos long back. Now again. Please keep on going, and I really appreciate your time, patience, interest. Rock on. I can write much more but let me stop here even though I don't want to stop. Vivek, you are my master.
Thanks Vivek! Appreciate all your efforts in making this great video series.
Haha great. I also had to run and Deauth before clients revealed the SSID by themselves.
Love it, thank you. You generous man.
Vivek you're awesome.
Thanks for the great great series..!
you have such a nice personality ! :)
I really enjoyed your detailed explanations..
Gr8888 Video .. Thank you :)
hey vivek! It's amazing what you're doing in all the videos! The way you explain it makes it a lot easier.
Would it be possible to download your PowerPoints in order to read them? Thank you very much!
I didn't realize that when scanning for nearby wireless APs I was using the passive method for finding SSIDs. I did learn more about deauth packets and that will be helpful for me. As a user you don't realize how easy it is to get the SSID, I thought that it would at least add some layer of protection but really if someone is snooping they are more than likely to be using BT5 or similar tools. Thanks.. Love this series and hoping to get myself enrolled into your course in a couple of months... till then I have to enjoy the free vids.
Great video and a lot of fun to watch. Thanks!
Vivek, you are a champ. All these videos are great!
great vid vivek, really enjoyed it!!
thnx vivek sir HOPE to see u in future!!!
Oh the awesomeness... You rock Vivek! :D
OMG! Vivek your videos are not long.... They are great!!! Thanks again
You explain very clearly....THnk uuuuuuu
I just joined your student Vivek and I just want to say Thank you because it is the sixth video in one day and I can't do something else except following those amazing courses and try to apply them. Really thank you
Thank you Vivek! You are the best! On my way to part 7 now...:-D..Keep it up! (p/s i never get bored in between any of your videos....)
Fantastic work Vivek! Very well done videos and easy to follow. I want to become a penetration tester (white hat) and your videos have been just wonderful. I have only finished the sixth video but am having a great time and look forward to learning more. Thank you!!
This was great Vivek! I Love the example of the deauth requests! For networks utilizing authentication, is it possible to forge these packets still if an attacker is not authenticated? Great example and live demo? Do IDS/IPS protect against prolonged denial of service - deauth requests?
As always - great! Thanks for your tutorials!
awesome awesome awesome and again awesome video thanx sir