Perform the following instructions to get started:
Wireless Lab network as a hidden SSID. The configuration option to do this may differ across access points. In my case, I need to check the Invisible option in the Visibility Status option, as shown in the following screenshot:
Wireless Lab has disappeared from the beacon frames. This is what hidden SSIDs are all about:
aireplay-ng utility to send deauthentication packets to all stations on behalf of the Wireless Lab access point by typing aireplay-ng -0 5 -a <mac> --ignore-negative wlan0mon, where <mac> is the MAC address of the router. The -0 option is used to choose a deauthentication attack, and 5 is the number of deauthentication packets to send. Finally, -a specifies the MAC address of the access point you are targeting:
wlan.fc.type_subtype == 0x0c:
(wlan.bssid == <the AP MAC>) && !(wlan.fc.type_subtype == 0x08) to monitor all non-beacon packets to and from the access point. The && sign stands for the logical AND operator and the ! sign stands for the logical NOT operator:
Even though the SSID is hidden and not broadcast, whenever a legitimate client tries to connect to the access point, they exchange probe request and probe response packets. These packets contain the SSID of the access point. As these packets are not encrypted, they can be very easily sniffed from the air and the SSID can be found.
We will cover using probe requests for other purposes such as tracking in a later chapter.
In many cases, all clients may be already connected to the access point and there may be no probe request/response packets available in the Wireshark trace. Here, we can forcibly disconnect the clients from the access point by sending forged deauthentication packets on the air. These packets will force the clients to reconnect back to the access point, thus revealing the SSID.
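The behaviour described above, as an added example that is not from the original text: a short Python parser run over constructed 802.11 management frames shows the blanked SSID in the beacons and the cleartext SSID in the probe response, and counts broadcast deauthentication frames, the burst a wireless monitor would alert on. The MAC addresses, frame bytes and function names are assumptions made for this illustration.

```python
import struct

BEACON, PROBE_RESP, DEAUTH = 0x08, 0x05, 0x0C  # Wireshark wlan.fc.type_subtype values
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed addresses

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Parse an 802.11 management frame (no radiotap header, no FCS)."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    info = {"type_subtype": (ftype << 4) | subtype, "dst": mac(frame[4:10]),
            "bssid": mac(frame[16:22]), "ssid": None}
    if info["type_subtype"] in (BEACON, PROBE_RESP):
        pos = 24 + 12  # 24-byte MAC header, then 12 bytes of fixed parameters
        while pos + 2 <= len(frame):
            tag, length = frame[pos], frame[pos + 1]
            value = frame[pos + 2:pos + 2 + length]
            if tag == 0:  # SSID element; empty or all-NUL means "hidden"
                info["ssid"] = value.decode("utf-8", "replace") if value.strip(b"\x00") else ""
                break
            pos += 2 + length
    return info

def audit(frames, ap):
    """Summarise what a passive observer learns about one BSSID."""
    seen = [f for f in map(parse_mgmt, frames) if f["bssid"] == ap]
    beacons = [f["ssid"] for f in seen if f["type_subtype"] == BEACON]
    leaked = {f["ssid"] for f in seen if f["type_subtype"] == PROBE_RESP and f["ssid"]}
    deauths = sum(f["type_subtype"] == DEAUTH and f["dst"] == BROADCAST for f in seen)
    return {"beacon_ssid_hidden": bool(beacons) and not any(beacons),
            "ssid_in_probe_responses": sorted(leaked),
            "broadcast_deauths": deauths}

def build(subtype, dst, body):
    """Constructed sample frame sent by the AP (source and BSSID are both AP)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(AP) * 2 + b"\x00\x00" + body

FIXED = b"\x00" * 12  # timestamp, beacon interval, capability info
CAPTURE = (
    [build(8, BROADCAST, FIXED + bytes([0, 12]) + b"\x00" * 12)] * 3   # beacons, SSID blanked
    + [build(12, BROADCAST, struct.pack("<H", 7))] * 5                 # broadcast deauth burst
    + [build(5, CLIENT, FIXED + bytes([0, 12]) + b"Wireless Lab")]     # probe response on reconnect
)

if __name__ == "__main__":
    print(audit(CAPTURE, AP))
```

A run of deauthentication frames addressed to the broadcast address, followed by clients re-associating, is the pattern to alert on; hiding the SSID does nothing to prevent it from appearing in the probe response.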
In the previous exercise, we sent broadcast deauthentication packets to force reconnection of all wireless clients. Try to verify how you can selectively target individual clients using the aireplay-ng utility.
It is important to note that, even though we are illustrating many of these concepts using Wireshark, it is possible to orchestrate these attacks with other tools, such as the aircrack-ng suite as well. We encourage you to explore the entire aircrack-ng suite of tools and other documentation located on their website at http://www.aircrack-ng.org.