
Hidden Wi-Fi networks are everywhere – these attacks will find them « Null Byte :: WonderHowTo



There are hidden Wi-Fi networks everywhere – networks that will never show up in the list of available open and password-protected hotspots that your phone or computer can see – but are they any more secure than regular networks that broadcast their name to every device in the neighborhood?

The short answer is no, for a variety of reasons.

Hidden networks are basically the same as regular Wi-Fi networks; only they don’t broadcast their name (ESSID) in the beacon frames that regular networks broadcast. If the name is not listed, your phone or computer will never find it just by looking for nearby hotspots to join. To join a hidden network, you first need to know its name, and there are a few attacks that can accomplish this.

It doesn’t take an elaborate attack to discover hidden Wi-Fi networks in your area, so just about anyone who can work their way around a computer can find one. You don’t have to be a hacker, pen tester, cybersecurity professional, or anyone with other fancy cyber skills.

Ways in which someone can discover a hidden network

For example, you can watch the phone, computer, or other device of someone who has previously connected to the hidden network, because their device is “screaming out” the name of the network in plain text. Since the network never announces its presence, the device has no way of knowing when it is physically near it, so it constantly probes for the network by name.

You can also deauthenticate someone who is currently connected to the hidden network. When they try to reconnect to the hotspot, you can intercept the network name. Either way, you can use airodump-ng and Wireshark to get the name, as you will soon see.

Another option we’ll show you today is to attack the network with MDK3 and brute-force the name from a wordlist. To follow along, you’ll need a computer, the Arduino IDE, Wireshark, and a wireless network card or adapter that can be put into monitor mode.

One of those adapters is the Alfa AWUS036NEH ($29.99), but there are many that work. Other possible options include the Alfa AWUS036NHA ($35.99), TP-Link Nano ($14.99), Alfa AWUS036NH ($49.99), Panda PAU05 ($19.99), and Alfa AWUS036ACH ($59.99). You can learn more about monitor-mode adapters in our Kali field-test guide and our roundup of wireless hacking adapters.

You also need a hidden network to attack. An easy way to get one is to make your own, and a good way to do that is with a D1 Mini and the Arduino IDE. Check out our full guide on how to turn a D1 Mini microcontroller into a hackable Wi-Fi network for more information; today we’ll just use a different sketch.

Step 1: Create a hidden network on a D1 Mini (optional)

I assume you don’t have a hidden network to test against, so we’ll create one with a D1 Mini and the Arduino IDE. I won’t go into detail on setting up a D1 Mini with the Arduino IDE, as we already have many guides showing how to do it, so check one out if you don’t know how to connect to the D1 Mini.

Connect your D1 Mini to your computer then open the sample sketch “WiFiAccessPoint” in Arduino IDE. You can find the sketch via File -> Examples -> ESP8266WiFi -> WiFiAccessPoint.

This sketch is almost what we need. Since it creates a visible access point, we only have to make one small tweak to turn the network into a hidden one. Go to this line in the sketch:

WiFi.softAP(ssid, password);

And change it to this:

WiFi.softAP(ssid, password, 1, 1);

The first “1” is to set it to channel 1, while the second “1” means it is a hidden network. The full sketch should now look like this:

/*
   Copyright (c) 2015, Majenko Technologies
   All rights reserved.

   Redistribution and use in source and binary forms, with or without modification,
   are permitted provided that the following conditions are met:

 * * Redistributions of source code must retain the above copyright notice, this
     list of conditions and the following disclaimer.

 * * Redistributions in binary form must reproduce the above copyright notice, this
     list of conditions and the following disclaimer in the documentation and/or
     other materials provided with the distribution.

 * * Neither the name of Majenko Technologies nor the names of its
     contributors may be used to endorse or promote products derived from
     this software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
   ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
   ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
   ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

/* Create a WiFi access point and provide a web server on it. */

#include <ESP8266WiFi.h>
#include <WiFiClient.h>
#include <ESP8266WebServer.h>

#ifndef APSSID
#define APSSID "ESPap"
#define APPSK  "thereisnospoon"
#endif

/* Set these to your desired credentials. */
const char *ssid = APSSID;
const char *password = APPSK;

ESP8266WebServer server(80);

/* Just a little test message.  Go to http://192.168.4.1 in a web browser
   connected to this access point to see it.
*/
void handleRoot() {
  server.send(200, "text/html", "<h1>You are connected</h1>");
}

void setup() {
  delay(1000);
  Serial.begin(115200);
  Serial.println();
  Serial.print("Configuring access point...");
  /* You can remove the password parameter if you want the AP to be open. */
  /* Third argument: channel 1. Fourth argument: 1 = hidden, so the SSID is
     left out of the beacon frames. */
  WiFi.softAP(ssid, password, 1, 1);

  IPAddress myIP = WiFi.softAPIP();
  Serial.print("AP IP address: ");
  Serial.println(myIP);
  server.on("/", handleRoot);
  server.begin();
  Serial.println("HTTP server started");
}

void loop() {
  server.handleClient();
}

Now press the Upload button to compile the sketch and flash it to the D1 Mini. After it’s done, your D1 Mini should now broadcast a hidden access point with the name “ESPap” and the password “thereisnospoon”, as shown in the example.

Step 2: Connect a device to your new hidden network

To see a device searching for the hidden network, first connect to it with your phone or another device using the default name (ESPap) and password (thereisnospoon). Then disconnect it from the network. After we put the wireless adapter into monitor mode and run a quick scan on channel 1, we should be able to have the device try to connect automatically, but more on that in a second.

Step 3: Put your wireless adapter in monitor mode

By putting your Wi-Fi card or adapter in monitor mode, you can capture wireless traffic that isn’t addressed to your computer. Without it, the card only passes up the frames meant for it, so monitor mode is essential for this attack to work. I assume you know how to do this, but in case you don’t, check out our full guide on how to check for and enable monitor mode.

Step 4: Scan channel 1 for traffic

With the card in monitor mode, it’s time to listen on the channel we care about, which is channel 1, the one we set in the example sketch above. Locking to a single channel drastically narrows the search. To do this, just run the following in a terminal window, replacing CARDNAME with your adapter’s interface name:

~$ sudo airodump-ng CARDNAME -c 1

[sudo] password:

Airodump-ng should now start scanning, and if your phone is still on and trying to find the hidden network, you should see it frantically probing for it. It might look like a lot of different devices, but it’s really just one device randomizing its MAC address. Note the destination (BSSID) address those probes are aimed at.

In practice, you could start scanning with airodump-ng and wait for someone to come home, go to work, or enter some other scenario where their device automatically searches for and connects to the nearby hidden network they previously joined. If no other devices in the area have previously connected to the hidden AP, it may be obvious which device to watch in the scan, but it can also be troublesome if many networks are stored.

For me, airodump has given me a clear indication of the hidden network. Once you find yours, copy the MAC address of the network device then turn off your phone or turn off the Wi-Fi.

Step 5: Open Wireshark

Now is the time to eavesdrop on traffic. Open Wireshark:

~$ sudo wireshark

[sudo] password:

It should capture packets on the correct channel, but make sure to select the same wireless network adapter that is in monitor mode first. Next, let’s use the filter below to limit traffic to the hidden network only.

wlan.ta == HIDDEN-MAC-ADDRESS

This Wireshark display filter shows every frame transmitted by the hidden access point.

In the Info column you should see plenty of details, including the SSID, which should be all zeros:

SSID=0000000000

So even though the AP doesn’t advertise a name, it still has to announce that it is available to connect to, along with details about its capabilities; it simply blanks out the SSID field in its beacons.

A wardriving app like Wigle WiFi will still record the network, so even its MAC address (BSSID) can be geolocated and later looked up on a service like WiGLE.

Step 6: Turn your phone back on

To find the name of the hidden network, turn on the phone or other device that was previously connected to it and make sure Wi-Fi is enabled. As soon as it starts searching for networks, it will force a probe response from the AP. This is basically a packet that contains the name of the network, since the name is needed to form the key the two sides will use to connect.

You should then see lines in Wireshark showing the SSID name “ESPap”. As you can see, there is no way to keep this completely secret.
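To make the Wireshark observations above concrete, here is an added example (not code from the Null Byte article) that parses 802.11 management frames the way Wireshark does in Steps 5 and 6: it walks the tagged parameters, flags beacons whose SSID element is zero-length or zero-filled (the SSID=0000000000 rows), records the names a client keeps probing for, and resolves the hidden BSSID’s real name from the probe response it sends back. Every frame, MAC address and helper here is constructed for this example; the BSSIDs are made up, locally administered addresses, not real devices.

```python
"""
Added example: parse beacon / probe-request / probe-response frames, flag
blank SSIDs, and correlate a hidden BSSID with the name in its probe response.
All frames below are hand-built for this example, not captured traffic.
"""
import struct

SSID_TAG = 0                      # element ID of the SSID information element
BROADCAST = b"\xff" * 6
SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> dict:
    """Walk the tagged parameters: 1-byte element ID, 1-byte length, value."""
    ies = {}
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:       # truncated element: stop, keep what we have
            break
        ies.setdefault(tag, value)    # first occurrence wins
        i += 2 + length
    return ies


def parse_mgmt_frame(frame: bytes) -> dict:
    """Return subtype, transmitter (addr2), BSSID (addr3), SSID and a blank-SSID flag.
    For a beacon 'hidden' means the AP hides its name; for a probe request it is
    simply a wildcard probe."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError(f"unsupported frame control byte 0x{fc0:02x}")
    body = frame[24:]
    if subtype in (5, 8):             # beacon / probe response carry 12 bytes of
        body = body[12:]              # fixed fields: timestamp, interval, capabilities
    ssid_raw = parse_ies(body).get(SSID_TAG, b"")
    hidden = len(ssid_raw) == 0 or set(ssid_raw) == {0}
    return {
        "subtype": SUBTYPES[subtype],
        "ta": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "ssid": "" if hidden else ssid_raw.decode("utf-8", "replace"),
        "hidden": hidden,
    }


def build_mgmt_frame(subtype: int, ta: bytes, bssid: bytes, ssid: bytes,
                     ra: bytes = BROADCAST) -> bytes:
    """Construct a minimal management frame for testing (sequence number 0, no FCS)."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])              # type 0 = management
    header = fc + b"\x00\x00" + ra + ta + bssid + b"\x00\x00"
    body = b""
    if subtype in (5, 8):
        body += struct.pack("<QHH", 0, 100, 0x0431)       # timestamp, interval, capabilities
    body += bytes([SSID_TAG, len(ssid)]) + ssid             # SSID element
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # supported rates element
    return header + body


def unmask_hidden(frames) -> dict:
    """Map each BSSID seen beaconing a blank SSID to the name revealed by its own
    probe responses (the article's wlan.ta == BSSID filter), or None if unseen."""
    hidden, revealed = set(), {}
    for p in map(parse_mgmt_frame, frames):
        if p["subtype"] == "beacon" and p["hidden"]:
            hidden.add(p["bssid"])
        elif p["subtype"] == "probe-resp" and not p["hidden"]:
            revealed[p["ta"]] = p["ssid"]
    return {bssid: revealed.get(bssid) for bssid in hidden}


def client_probes(frames) -> dict:
    """Names each client keeps 'screaming out' in directed probe requests."""
    probes = {}
    for p in map(parse_mgmt_frame, frames):
        if p["subtype"] == "probe-req" and not p["hidden"]:
            probes.setdefault(p["ta"], set()).add(p["ssid"])
    return probes


# Constructed sample traffic: one hidden AP and one returning client (made-up MACs).
AP = bytes.fromhex("021122334455")
CLIENT = bytes.fromhex("02aabbccddee")
SAMPLE_FRAMES = [
    build_mgmt_frame(8, AP, AP, b""),                  # beacon with zero-length SSID
    build_mgmt_frame(8, AP, AP, b"\x00" * 5),          # beacon with null-padded SSID
    build_mgmt_frame(4, CLIENT, BROADCAST, b"ESPap"),  # client probes for its saved name
    build_mgmt_frame(5, AP, AP, b"ESPap", ra=CLIENT),  # AP answers with the real SSID
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_mgmt_frame(f))
    print("unmasked:", unmask_hidden(SAMPLE_FRAMES))
    print("client probes:", client_probes(SAMPLE_FRAMES))
```

Two details matter when running this against real captures: radiotap headers must be stripped before the 24-byte 802.11 header, and some captures keep the 4-byte FCS at the end of the frame, which the element walker treats as a truncated element and ignores. The two beacon variants model both ways an AP blanks its name, a length-0 SSID element and a length-N element filled with nulls, which is why the hidden check tests for either.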

Step 7: Use MDK3 to brute-force the name

Another way to find the SSID is to use a tool called MDK3, which can brute-force the name of a network. For that you need a good wordlist. Let’s use the “commonssids” list below for our test. Download it to your desktop.

https://gist.githubusercontent.com/jgamblin/da795e571fb5f91f9e86a27f2c2f626f/raw/0e5e53b97e372a21cb20513d5064fde11aed844c/commonssids.txt

Then, in a new terminal window, we can go to the desktop and cat the file to see all the common network names it lists.

~$ cd Desktop
~/Desktop$ cat commonssids.txt

ssid
xfinitywifi
linksys

BTWiFi-with-FON
NETGEAR
Ziggo
dlink
BTWifi-X
default
FreeWifi
hpsetup
UPC Wi-Free
optimumwifi
FreeWifi_secure
AndroidAP
eduroam
BTWIFI
TELENETHOMESPOT
cablewifi
...

MDK3 then tries to get the AP to reveal its network name by sending probe requests for each Wi-Fi name in our wordlist and watching for a positive response. It’s an old-fashioned way to brute-force hidden network names, and it may take a few runs if it doesn’t work the first time.

Use the following command to brute-force the network name. If you used a different wordlist or renamed “commonssids”, edit the filename here. The target (-t) is the MAC address you discovered and the file (-f) is the wordlist.

~/Desktop$ sudo mdk3 CARDNAME p -t HIDDEN-MAC-ADDRESS -f commonssids.txt

[sudo] password:

Before running the command, switch to Wireshark so you can watch what happens. After the run finishes, check the terminal and Wireshark: you will see that it didn’t work, because the wordlist doesn’t actually contain “ESPap”.

Now you can use a different wordlist or add names to your current one. For this demonstration, open the file in nano with the following command, add “ESPap” to the list, then save and close.

~/Desktop$ nano commonssids.txt

Now rerun the brute force attack and see what happens.

~/Desktop$ sudo mdk3 CARDNAME p -t HIDDEN-MAC-ADDRESS -f commonssids.txt

[sudo] password:

You should now see that it correctly guessed the network name and unmasked the previously hidden network without needing any client connected to it. So even if no device tries to connect or reconnect after being kicked off, we can still recover the name by brute-forcing it against the AP’s MAC address.
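From the defender’s side, the MDK3 run above has a distinctive footprint: one source fires probe requests for dozens of different names at a single BSSID within a few seconds, whereas a real client only re-probes the handful of networks it has saved. The following added example (my code, not part of the Null Byte article or of MDK3) scores a feed of probe-request records with a sliding window and alerts when one source has probed for too many distinct SSIDs in a short time. The record format (“seconds,source MAC,destination MAC,ssid”), the window and threshold values, and all of the sample records are constructed assumptions for this example, not output of airodump-ng or any other tool.

```python
"""
Added example: detect a wordlist-style SSID brute-force in probe-request records.
Record format (constructed for this example): "<seconds>,<src MAC>,<dst MAC>,<ssid>"
"""
from collections import deque

WINDOW_SECONDS = 10.0      # sliding window length (assumed tuning value)
DISTINCT_THRESHOLD = 20    # distinct SSIDs from one source within the window


def parse_record(line: str):
    """Return (timestamp, src, dst, ssid) or None for a malformed line."""
    parts = line.strip().split(",", 3)
    if len(parts) != 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1].lower(), parts[2].lower(), parts[3]


def detect_probe_bruteforce(lines, window=WINDOW_SECONDS, threshold=DISTINCT_THRESHOLD):
    """Alert once per (source, destination) pair whose count of distinct probed
    SSIDs inside `window` seconds reaches `threshold`. Returns alert dicts in the
    order they fire; records must be fed in time order."""
    recent = {}            # (src, dst) -> deque of (ts, ssid), oldest first
    alerted = set()
    alerts = []
    for ts, src, dst, ssid in filter(None, map(parse_record, lines)):
        key = (src, dst)
        q = recent.setdefault(key, deque())
        q.append((ts, ssid))
        while q and ts - q[0][0] > window:   # drop records older than the window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "distinct_ssids": len(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
    return alerts


def build_sample_records():
    """Constructed feed: one ordinary client plus one wordlist run against an AP.
    All MAC addresses are made-up, locally administered values."""
    ap, phone, attacker = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "02:de:ad:be:ef:01"
    lines = []
    # Ordinary client re-probing its three saved names, one every five seconds.
    for i, name in enumerate(["ESPap", "eduroam", "linksys"] * 2):
        lines.append(f"{i * 5.0:.2f},{phone},ff:ff:ff:ff:ff:ff,{name}")
    # Wordlist run: 30 distinct guesses aimed at the target BSSID, 50 ms apart.
    for i in range(30):
        lines.append(f"{12.0 + i * 0.05:.2f},{attacker},{ap},guess-{i:02d}")
    return sorted(lines, key=lambda l: float(l.split(",", 1)[0]))


if __name__ == "__main__":
    for alert in detect_probe_bruteforce(build_sample_records()):
        print(alert)
```

The threshold is deliberately well above what a client with many saved networks produces, and the alert is keyed on the (source, destination) pair so that a broadcast probe from a normal device and a directed probe at one BSSID are scored separately. Because MDK3 can randomize the source MAC, a production rule would also want a per-destination counter that ignores the source; the sliding-window structure is the same.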

Once the network name is known, the network can be attacked like any non-hidden network. Hiding the name isn’t really a good security practice if you want to keep your network unobtrusive, because people can not only see that it exists but can also easily extract the name.

No hidden network is really hidden

While hiding a Wi-Fi network may keep it from showing up on nearby phones, it isn’t an effective way to hide the network or make it more secure. A phone that has joined it will constantly shout the network name in plain text when it is within range.

If you want to make your network more secure, I recommend turning down your Wi-Fi transmit power so it doesn’t broadcast as far. Also, set a very long, strong Wi-Fi password that you don’t use anywhere else.


Cover photo, screenshots and GIFs by Retia / Null byte
