
Thread: How to Bruteforce a Hidden ESSID Using MDK3

  1. #1
    secure_it (Senior Member)
    Join Date: Feb 2010
    Location: In between the two: BackTrack is 4, FwdTrack4
    Posts: 854

    How to Bruteforce a Hidden ESSID Using MDK3

    One of MDK3's best features is bruteforcing hidden ESSIDs. It works in two ways: we can try every possible combination, which is suitable for short ESSIDs, or we can try using a default/custom-created ESSID list. I have attached the Shmoo Group's WPA Tables ESSID list with some more default ESSIDs added which I got from different forums, so now there are approx. 1143 ESSIDs. Using MDK3, within a few seconds you can get the hidden ESSIDs.
    I have set an 11-char ESSID and set it to hidden.
    Tested using a Linksys WUSB54GC adapter and a Linksys WRT54G router.


    Commands:

    bt~#airodump-ng rausb0

    open one more window

    # If the command is supplied without the target -t parameter, it will bruteforce all hidden ESSIDs in range.

    bt ~ # mdk3 rausb0 p -f SSID.txt -t 00:21:29:68:16:C2

    SSID Wordlist Mode activated!

    Waiting for beacon frame from target...
    Sniffer thread started

    SSID is hidden. SSID Length is: 11.
    Trying SSID: linksys
    Trying SSID: ascend
    Trying SSID: <any ssid>
    Trying SSID: mynetwork
    Trying SSID: fatport
    Trying SSID: 2WIRE975
    Trying SSID: 2WIRE186
    Trying SSID: 2WIRE707
    Trying SSID: 2WIRE774
    Trying SSID: 2WIRE436
    Packets sent: 1143 - Speed: 120 packets/sec
    Got response from 00:21:29:68:16:C2, SSID: "thunderbolt"


    Here you got the hidden ESSID in less than 10 seconds. By default its speed is 300 pps. In the airodump-ng window you can see that the hidden ESSID <length: 11> has now changed to your ESSID, e.g. thunderbolt.


    Download Essid File
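    Added example, not from the thread or from mdk3 itself: a detection rule for the traffic pattern the transcript above produces. mdk3's wordlist mode (and the -b charset mode) sends one probe request per candidate SSID at 120-300 pps from a single source MAC, whereas a normal client probes for a handful of remembered networks; counting distinct SSIDs per source in a sliding window separates the two. The log format and MAC addresses are constructed for this example.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example: one probe request per line.
LOG_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>[0-9a-f:]{17}) probe-req ssid=(?P<ssid>.*)")


def peak_distinct_ssids(lines, window=5.0):
    """For each source MAC, the largest number of distinct SSIDs it asked for
    inside any `window` seconds (sliding window; lines must be in time order)."""
    recent = defaultdict(deque)   # src -> deque of (t, ssid) still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # not a probe request, ignore
        t, src, ssid = float(m["t"]), m["src"].lower(), m["ssid"]
        q = recent[src]
        q.append((t, ssid))
        while t - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({s for _, s in q}))
    return dict(peak)


def detect_ssid_bruteforce(lines, window=5.0, max_distinct=20):
    """Sources exceeding max_distinct SSIDs per window. A real client probes a
    few remembered networks; mdk3 sends one probe per candidate at 120-300 pps."""
    return {src for src, n in peak_distinct_ssids(lines, window).items() if n > max_distinct}


def constructed_log():
    """Benign client probing three remembered SSIDs, plus a 1143-entry wordlist
    run at 120 pps like the transcript above (constructed, not a real capture)."""
    lines = [f"t={i:.3f} src=aa:bb:cc:00:00:01 probe-req ssid={['home', 'work', 'cafe'][i % 3]}"
             for i in range(30)]
    lines += [f"t={10 + i / 120:.3f} src=de:ad:be:ef:00:02 probe-req ssid=cand{i}"
              for i in range(1143)]
    return sorted(lines, key=lambda l: float(l.split()[0][2:]))
```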



  2. #2
    Bestia (Just burned his ISO)
    Join Date: Jan 2010
    Location: Melbourne, Australia
    Posts: 22

    Hi

    Tried using your "How to" but came up with an issue.
    Set my AP to a 3-char SSID and disabled the SSID broadcast.
    When I run airodump-ng the SSID length is reported as 1, which I suspect is not allowing the MDK3 command to run successfully.

    Any ideas?

    Running the VMware version of BT3 with a Linksys WUSB54GC adapter.
    AP router is SMC7904WBA.

  3. #3
    secure_it (Senior Member)
    Join Date: Feb 2010
    Location: In between the two: BackTrack is 4, FwdTrack4
    Posts: 854

    Quote (originally posted by Bestia):
    Hi

    Tried using your "How to" but came up with an issue.
    Set my AP to a 3-char SSID and disabled the SSID broadcast.
    When I run airodump-ng the SSID length is reported as 1, which I suspect is not allowing the MDK3 command to run successfully.

    Any ideas?

    Running the VMware version of BT3 with a Linksys WUSB54GC adapter.
    AP router is SMC7904WBA.

    When the length is 0 or 1, it means the AP does not reveal the actual length and the real length could be any value. When this kind of condition occurs there are 3 methods: either wait for a wireless client to authenticate with the AP, or deauth an existing wireless client, or use these wireshark filters to capture the packets.

    wlan.fc.type_subtype == 0 (association request)
    wlan.fc.type_subtype == 4 (probe request)
    wlan.fc.type_subtype == 5 (probe response)

    Let me know if it works.

  4. #4
    Bestia (Just burned his ISO)
    Join Date: Jan 2010
    Location: Melbourne, Australia
    Posts: 22

    Worked like magic.

    Used wireshark to capture packets between my Apple iPhone and the AP.
    The probe response filter wlan.fc.type_subtype == 5 was particularly helpful in giving me the tag length of 3 and the tag interpretation of "SMC" (SSID) for my test setup, as well as giving additional info such as both supported rates and extended supported rates.

    Highly recommend this test if you want a better understanding of the link setup between a client and AP, especially association and probe requests and responses. I also used the wlan.fc.type_subtype == 1 (assoc response) filter.

    Thanks for your advice, as not only have I a better understanding of what's happening but I have also learnt the usefulness of wireshark.
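    Added example, not from the thread: what the three wireshark filters in #3 and the capture in #4 actually select, decoded by hand. fc_type_subtype() computes the same value as wlan.fc.type_subtype from the frame-control byte, and ssid_element() walks a management frame's tagged parameters to the SSID element (ID 0), which is why a hidden SSID shows up in clear text in probe requests/responses and association requests even though the beacon carries a zero-length (or NUL) SSID. The frames are constructed here (zeroed addresses, minimal fields, the "SMC" SSID from #4) so the script runs offline.

```python
# Management subtypes referenced in the thread; 8 (beacon) is included for contrast.
SUBTYPE_NAMES = {0: "association request", 4: "probe request", 5: "probe response", 8: "beacon"}
# Fixed-field bytes that precede the tagged parameters in each subtype.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
THREAD_FILTERS = (0, 4, 5)  # wlan.fc.type_subtype == 0 / 4 / 5 from the thread


def fc_type_subtype(frame: bytes) -> int:
    """Wireshark's wlan.fc.type_subtype: (type << 4) | subtype, from frame-control byte 0."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)


def ssid_element(frame: bytes):
    """Return (type_subtype, ssid_len, ssid) for management frames that carry an
    SSID element, else None. A hidden AP's beacon yields length 0 (or one NUL
    byte), which is the <length: 0> / <length: 1> that airodump-ng reports."""
    ts = fc_type_subtype(frame)
    if ts not in FIXED_LEN:
        return None
    pos = 24 + FIXED_LEN[ts]            # 24-byte MAC header + fixed fields
    while pos + 2 <= len(frame):        # walk the tagged parameters
        tag_id, tag_len = frame[pos], frame[pos + 1]
        if tag_id == 0:
            body = frame[pos + 2:pos + 2 + tag_len]
            return ts, tag_len, body.decode("ascii", "replace")
        pos += 2 + tag_len
    return None


def disclosed_ssids(frames):
    """Apply the thread's three filters and keep only frames that reveal a real SSID."""
    hits = []
    for f in frames:
        found = ssid_element(f)
        if found and found[0] in THREAD_FILTERS and found[2].strip("\x00"):
            hits.append((SUBTYPE_NAMES[found[0]], found[2]))
    return hits


def build_mgmt(subtype: int, fixed: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame: FC byte 0 = subtype << 4 (type 0 = management),
    zeroed addresses/seq, then fixed fields, SSID element and a supported-rates element."""
    header = bytes([subtype << 4, 0]) + b"\x00" * 22
    return header + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])


# Constructed capture for the SMC setup described above.
HIDDEN_BEACON = build_mgmt(8, b"\x00" * 12, b"")       # broadcast with the SSID hidden
PROBE_REQ = build_mgmt(4, b"", b"SMC")                   # client asks for it by name
PROBE_RESP = build_mgmt(5, b"\x00" * 12, b"SMC")         # AP answers in clear text
```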

  5. #5
    tiong (Just burned his ISO)
    Join Date: Dec 2007
    Posts: 9

    Is it possible to crack a hidden ESSID without using a wordlist?

    Hi my senior secure_it, may I ask you, is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? Like cracking a WEP password: just capture enough IVs and you can easily crack that password without having any wordlist. Because if the hidden ESSID uses a word that is very difficult to guess (not a dictionary word), then our wordlist doesn't have this word and we cannot crack it. And with WPA security, is it also the same, that cracking must use a wordlist, not like WEP where you just capture enough IVs and it can be cracked? Thank you.

  6. #6
    Senior Member
    Join Date: Apr 2008
    Posts: 2,008

    Quote (originally posted by tiong):
    ...is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? Like cracking a WEP password: just capture enough IVs and you can easily crack that password without having any wordlist...
    No, but it can be intercepted in clear-text once a client connects to the AP using a valid ESSID.
    -Monkeys are like nature's humans.

  7. #7
    tiong (Just burned his ISO)
    Join Date: Dec 2007
    Posts: 9

    How to intercept it in clear text once a client connects to the AP using a valid ESSID

    Hi my senior Tron, thank you for your reply. May I ask you: if that AP's ESSID is hidden, then once a client connects to that AP using a valid ESSID, this is a good chance to crack this hidden ESSID. Using what tools? How to do it? Is it just using the command: airodump-ng -w myfile -c 6 rausb0, and then the hidden ESSID will appear on the airodump-ng screen? Thank you very much.

  8. #8
    Senior Member
    Join Date: Apr 2008
    Posts: 2,008

    Quote (originally posted by tiong):
    Is it just using the command: airodump-ng -w myfile -c 6 rausb0, and then the hidden ESSID will appear on the airodump-ng screen? Thank you very much.
    That is absolutely correct.
    -Monkeys are like nature's humans.

  9. #9
    secure_it (Senior Member)
    Join Date: Feb 2010
    Location: In between the two: BackTrack is 4, FwdTrack4
    Posts: 854

    Quote (originally posted by tiong):
    Hi my senior secure_it, may I ask you, is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? Like cracking a WEP password: just capture enough IVs and you can easily crack that password without having any wordlist. Because if the hidden ESSID uses a word that is very difficult to guess (not a dictionary word), then our wordlist doesn't have this word and we cannot crack it. And with WPA security, is it also the same, that cracking must use a wordlist, not like WEP where you just capture enough IVs and it can be cracked? Thank you.

    You can use mdk3 p -t <BSSID> -b <character set> for bruteforcing the ESSID, but it's recommended for short SSIDs like 1 to 7 chars as it takes a lot of time.

  10. #10
    Junior Member
    Join Date: Jul 2008
    Posts: 57

    Quote (originally posted by secure_it):
    You can use mdk3 p -t <BSSID> -b <character set> for bruteforcing the ESSID, but it's recommended for short SSIDs like 1 to 7 chars as it takes a lot of time.

    So if I try and brute force my hidden ESSID (7 chars - linksys), do I need to be in range of the AP for every ESSID try, or can I be downstairs where the signal doesn't reach?

    Also, can a hidden ESSID's length be 1 or 0 (which indicates a hidden length) when brute forcing?

    Thanks.
