Hidden SSIDs

Almost live from WLANPros Phoenix 2019!

I’m taking a great class at the WLANPros bootcamp this weekend: Wireless Penetration Testing with Phil Morgan. We’ve seen tons of info already about hacking testing wifi. On day 1 we basically got to know a couple basic Linux command, sat through (6) separate slides about the legalities of what we are about to learn, plus an oath of intent/responsibilty, and then finally spent some time using Aircrack to do some things.

I’ve always been awed by security related activities but I’ve never really gotten into it. There’s much more to come but the one thing I enjoyed today was learning how to find the name of the hidden SSIDs that uneducated security officers love to use as security features in their networks…specifically healthcare. I’m currently on my 3rd hospital deployment where I’ve heard the dreaded “We are going to hide all the networks except guest because it’s better if people don’t see them!” 

Well, actually it’s not, and as I learned today, it’s quite easy to figure out with just a few simple commands and some patience. By hiding the SSID, you’re just peaking the interest of some shady characters and possibly dumb teenagers. Nobody else is really going to care…

And since I was paying attention during the 30 minute talk on responsibility, let’s go ahead and mention now that I’m not responsible for any trouble you get yourself into by using this blog as a guide. This is for educational purposes only!

Let’s get into it…

We are using our brand new Kali linux chromebooks which are preloaded with all kinds of proven security/penetration tools to help you get where you shouldn’t. One of these tools is the Aircrack-ng suite. 

Aircrack-ng suite has several different tools included in it that can do different things. Here is a very basic rundown:

  • Airmon-ng  – configures an interface in monitor mode
  • Airodump-ng – displays active wireless SSIDs, APs, and client information. 
  • Aircrack-ng – is for key cracking
  • Aireplay-ng – is for packet injection
  • Airbase-ng – does all kinds of things including acting as an AP, capturing handshakes and simulating different attacks on clients.
  • Airdecap-ng – decrypts packets

This is nowhere close to a complete list. You can find loads more info on the suite here: https://www.aircrack-ng.org

To find the hidden SSIDs I mentioned above, we are going to use Airmon-ng and Airodump-ng.

To start out, you’ll need to be sure you have some supported wlan adapters. The onboard adapter does work, but supplied with our Chromebooks were 2 panda wireless adapters that natively support promiscuous mode. I’ll be using one of those for this task.

To turn one of those into a monitor, first run LSUSB(lowercase) to make sure Kali has detected the device:

LSUSB.jpg

If you see the USB drives in this output (Ralink Technology in this pic) Lets run one more command to confirm they are now wireless interfaces:

IWCONFIG.jpg

Now that we know the devices have been detected, lets put one in monitor mode:

airmon-ng start wlan1

When you start the device in monitor mode, it changes the name of the device to wlan1mon:

IWCONFIG.jpg

With that change, we also have to change the next command a little. Since we’ve changed it to monitor mode, the only step left is to start looking at some data:

airodump wlan1mon

Once we run this, we’ll end up on a scanning screen that is going to show us various info about the networks and clients we hear. 

AIRODUMP.jpg

Here we see the networks that are broadcasting, and below, the clients that are probing. You’ll notice in the output of the networks that there are a couple that are listed as <length:  0>. These are hidden networks. Now that we see them, we can mark them to keep track of them while we wait. Depending on the amount of users connecting to this network, this could take seconds or hours. 

Press “Tab” to bring up a highlight. Now that it’s highlighted, we can use the M key to change the color of the text for the line.  Use your arrow keys to highlight every “Length” line and press M to cycle through the 6 colors available. Change each Length line to a different color. 

If you noticed, when you highlight certain lines, client lines highlight as well. These are clients that are connected to the SSID that is highlighted. To figure out what the names are, we only have to wait for a client to attempt an authentication to one of these networks. Automagically, the network name will appear:

DMPHIGHLIGHT.jpg

Success! The highlighted hhonors network was previously “length: 0”. I’m not sure why we are seeing this instance as hidden and the other network we’re not. But with wifi here isn’t exactly the best… unless of course someone was causing trouble. IT WAS NOT ME.  The other two networks eventually resolved as clients connected but I took this pic too early.

…til next time..

On to day 2!