Tuesday, 5 April 2016

Introduction to Aircrack-ng

Aircrack-ng is the heart of this post; it is a suite of tools widely used to crack/recover WEP and WPA/WPA2-PSK keys. It supports various attacks, such as PTW, which recovers a WEP key from fewer captured initialization vectors than older statistical attacks, and dictionary/brute-force attacks, which are used against WPA/WPA2-PSK. It also includes a packet sniffer and a packet injector. The most commonly used tools are airodump-ng, aireplay-ng, and airmon-ng.

UNCOVERING HIDDEN SSIDS

It is common practice for network administrators to disable SSID broadcasting. Normally, the SSID is sent in beacon frames, but this does not happen when an administrator hides it. Many network administrators consider this a good security practice; however, it fails badly in real-world situations. The reason is that whenever a client (re)associates with the access point, it sends the SSID parameter in plain text, which reveals the real SSID.
We have two ways to observe this: the first is to keep analyzing the frames and wait for a client to disconnect and reconnect to the access point; the second is to send disassociation packets with a deauthentication attack, which forces everyone on the network to disconnect and then reconnect to the access point, revealing the SSID to us. So let’s see this in action.

TURNING ON THE MONITOR MODE

The next thing we want to do is switch our network card into monitor mode. As mentioned in the “Network Sniffing” chapter (Chapter 6), to sniff on wired networks we need to switch our network card into promiscuous mode. However, to sniff on wireless networks, we need to make sure that our network card is in monitor mode. One advantage of the Alfa card is that it supports monitor mode, so you need to make sure that your own network card supports monitor mode for this to work.
We can use the following command to put the network card into monitor mode:
airmon-ng start wlan0
[Screenshot: A1.png]
We can now see that monitor mode has been successfully enabled on the mon0 interface.
We can use the iwconfig command to confirm which interfaces have monitor mode enabled.

MONITORING BEACON FRAMES ON WIRESHARK

Now that we have monitor mode enabled, we will sniff on the mon0 network interface, which will show us beacon frames containing any SSID that is being broadcast. If an SSID is not broadcast, it won’t show up in the beacons.
[Screenshot: A2.png]
We selected the appropriate interface to sniff on, and we are now able to see beacon frames from other access points with which we are not associated. Whenever a client authenticates against the access point with the hidden SSID, it sends an SSID parameter; therefore, we can easily figure out what the real SSID is.
[Screenshot: A3.png]

MONITORING WITH AIRODUMP-NG

The easier way is to use airodump-ng to start monitoring the traffic; as soon as a client authenticates, the SSID will be revealed.
Command:
airodump-ng mon0
[Screenshot: A4.png]
An access point that is not broadcasting its ESSID appears with a name such as “<length: 0>”; as soon as a client re-authenticates, the hidden SSID appears.
[Screenshot: A5.png]
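The two observations this post relies on (a hidden network beacons with an empty SSID element, shown by airodump-ng as “<length: 0>”, while the client’s association request carries the name in plain text) are easy to verify in raw 802.11 frames. The following Python is an added example, not code from the original post or from the Aircrack-ng project: it parses management frames as they would be read from a monitor-mode capture (radiotap header already stripped, which is an assumption of the example), flags BSSIDs that beacon with a blank or NUL-padded SSID, records the name whenever any frame for that BSSID contains a non-blank SSID element, and counts deauthentication frames per sender so a defender can spot the burst that precedes the forced reconnection. The frames, the MAC addresses and the network name “CorpNet” are all constructed for the example; the flood threshold of 10 frames per capture window is also an assumption.

```python
import struct
from collections import Counter

# IEEE 802.11 management subtypes (frame-control subtype field, type 0)
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
SUBTYPE_DEAUTH = 0xC
IE_SSID = 0  # element ID of the SSID information element

# Fixed-length fields that precede the information elements in each body
BODY_OFFSET = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_RESP: 12,  # timestamp + interval + capability
               SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0}  # capability + listen interval / none


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Walk the tag/length/value information elements; stop at a truncated one."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies[tag] = value
        i += 2 + length
    return ies


def analyze(frames):
    """Classify raw 802.11 frames (no radiotap header) from a monitor-mode capture.

    Returns BSSIDs that beacon with a blank SSID, the SSID each BSSID was seen
    with in any cleartext SSID element, and a count of deauth frames per sender.
    """
    report = {"hidden": set(), "revealed": {}, "deauth": Counter()}
    for f in frames:
        if len(f) < 24:  # shorter than a management header: ignore
            continue
        fc = f[0]
        ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
        if ftype != 0:  # only management frames carry SSIDs and deauths
            continue
        src, bssid = f[10:16], f[16:22]
        body = f[24:]
        if subtype == SUBTYPE_DEAUTH:
            report["deauth"][mac(src)] += 1
        elif subtype in BODY_OFFSET:
            ssid = parse_ies(body[BODY_OFFSET[subtype]:]).get(IE_SSID, b"")
            if ssid.strip(b"\x00"):  # a non-blank SSID element leaks the name
                report["revealed"][mac(bssid)] = ssid.decode("utf-8", "replace")
            elif subtype == SUBTYPE_BEACON:  # empty or all-NUL SSID: hidden network
                report["hidden"].add(mac(bssid))
    return report


def hidden_ssids_revealed(report):
    """Hidden networks whose real name was still observed in another frame."""
    return {b: s for b, s in report["revealed"].items() if b in report["hidden"]}


def deauth_flood_sources(report, threshold=10):
    """Senders whose deauth count in the capture window reaches the threshold (assumed: 10)."""
    return sorted(s for s, n in report["deauth"].items() if n >= threshold)


# --- constructed sample capture (hypothetical, locally administered MACs) ---
def mgmt_frame(subtype, src, dst, bssid, body):
    fc = subtype << 4  # protocol version 0, type 0 (management)
    return struct.pack("<BBH6s6s6sH", fc, 0, 0, dst, src, bssid, 0) + body


def ssid_ie(name):
    return bytes([IE_SSID, len(name)]) + name


AP = bytes.fromhex("02aabbccdd01")
CLIENT = bytes.fromhex("02aabbccdd02")
BCAST = b"\xff" * 6
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability

SAMPLE_FRAMES = [
    mgmt_frame(SUBTYPE_BEACON, AP, BCAST, AP, BEACON_FIXED + ssid_ie(b"")),          # <length: 0>
    mgmt_frame(SUBTYPE_BEACON, AP, BCAST, AP, BEACON_FIXED + ssid_ie(b"\x00" * 7)),  # NUL-padded variant
    mgmt_frame(SUBTYPE_ASSOC_REQ, CLIENT, AP, AP,
               struct.pack("<HH", 0x0411, 10) + ssid_ie(b"CorpNet")),               # client leaks the name
] + [mgmt_frame(SUBTYPE_DEAUTH, AP, BCAST, AP, struct.pack("<H", 7))] * 12           # deauth burst

if __name__ == "__main__":
    r = analyze(SAMPLE_FRAMES)
    print("hidden but revealed:", hidden_ssids_revealed(r))
    print("deauth flood sources:", deauth_flood_sources(r))
```

Two details matter for anyone reproducing the check on a real capture: some access points hide the name by sending an SSID element of the real length filled with NUL bytes rather than a zero-length element, which is why the parser treats both as hidden; and a deauthentication burst whose sender address matches the BSSID of a network that shortly afterwards shows up in a client’s association request is exactly the pattern a wireless IDS should alert on.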
