Page 2 of 2 (Results 11 to 20 of 20)

Thread: How to bruteForce Hidden ESSID Using MDK3

  1. #11 Senior Member (Join Date: Apr 2008, Posts: 2,008)

    Quote Originally Posted by Slimmay View Post
    So, if I try to brute force my hidden ESSID (7 chars - linksys), do I need to be in range of the AP for every ESSID try, or can I be downstairs where the signal doesn't reach?
    Yes, you need to be within range during the whole process. For testing purposes I would also recommend using a shorter ESSID, as it will work just as well as a proof of concept as a longer one but will spare you a lot of time.
    -Monkeys are like nature's humans.

  2. #12 secure_it, Senior Member (Join Date: Feb 2010, Location: Between these two, BackTrack is 4, FwdTrack4, Posts: 854)

    Quote Originally Posted by Slimmay View Post
    So, if I try to brute force my hidden ESSID (7 chars - linksys), do I need to be in range of the AP for every ESSID try, or can I be downstairs where the signal doesn't reach?

    Also, can a hidden ESSID's length be 1 or 0 (which indicates a hidden length) when brute forcing?

    Thanks.
    ESSID length 0 or 1 denotes that aircrack-ng could not determine the ESSID length. There may be many reasons, like the AP being far away or the AP having some sort of protection which prevents aircrack-ng from guessing the correct ESSID; in that case, when a client gets associated with the AP, you can get the ESSID. And yes, an ESSID length can be 1 char but not 0. Do what Tron has recommended, as bruteforcing a 2-char ESSID would be a good option for learning how things are working, and also play with the pps settings to get good results, e.g. lowering it.

  3. #13 operat0r, Good friend of the forums (Join Date: Feb 2010, Posts: 328)

    Can you not just listen and get the ID that way? Why are we brute forcing stuff we don't need to?

  4. #14 Baraqel, Just burned his ISO (Join Date: Apr 2007, Posts: 16)

    Quote Originally Posted by operat0r View Post
    Can you not just listen and get the ID that way? Why are we brute forcing stuff we don't need to?
    My thoughts exactly.

    The only time this would have any sort of validity is when attacking your neighbour's network to prove how uber l337 you are to your friends.

    Please don't go on to tell me that you would use this methodology if you were hired by a company to test the security measures surrounding their Wifi infrastructure either. I have never been to a company where a user system was not probing for the corporate SSID and it could not be easily obtained - either social engineering or the glaringly obvious... sniffer.

  5. #15 Just burned his ISO (Join Date: Sep 2008, Posts: 5)

    Quote Originally Posted by Baraqel View Post
    The only time this would have any sort of validity is when attacking your neighbour's network to prove how uber l337 you are to your friends.

    Please don't go on to tell me that you would use this methodology if you were hired by a company to test the security measures surrounding their Wifi infrastructure either. I have never been to a company where a user system was not probing for the corporate SSID and it could not be easily obtained - either social engineering or the glaringly obvious... sniffer.
    I have a few APs in my neighbourhood with hidden ESSIDs and I never managed to catch the station probing for them, and I'm thinking about the same way to secure my AP. The only way it could be cracked then is by deauthing me from my AP or brute forcing it, so I've also been looking for a method to test the bf'ing.
    I'm glad I found this thread. Now I just need to find time to do the testing.

    Greetings to =Tron= from Lodz

  6. #16 Just burned his ISO (Join Date: Jul 2007, Posts: 17)

    I would think that airodump-ng, and then sending a spew of deauth packets, would do the job if trying to get the hidden ESSID by viewing the probes.

    Def will take a look at this ESSID tool tonight.

  7. #17 TAPE, Very good friend of the forum (Join Date: Jan 2010, Location: Europe, Posts: 599)

    Although there are the obvious queries on the benefits / uses of bruteforcing the ESSID,
    I think it is interesting and have given it a whirl.

    I would appreciate responses from those who have gotten it to work as I am still getting some grief;

    Have set up a router with a hidden 3-letter (uppercase) ESSID (BBB), and use the below code;
    Code:
    mdk3 <interface> p -c <channel> -t <target ap> -b <charset Upper case>
    so in my case;
    Code:
    mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u
    It runs through sets of possibilities and in the end advises that it has completed the full set of
    possible combinations without giving the correct response:
    channel set to: 1
    SSID Bruteforce Mode activated!

    Waiting for beacon frame rom target...
    SSID is hidden. SSID length is: 3.
    Sniffer thread started
    Trying SSID: RGA
    Trying SSID: etc etc etc etc
    Packets sent: 17526 - Speed: 125 packets/sec
    all 17576 possible SSIDs sent.
    When using the -f option (obviously with the correct ESSID included);

    Code:
    mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -f wordlist.txt
    there are no attempts shown during the process;

    channel set to 1
    SSID Wordlist Mode activated!

    Waiting for beacon frame from target...
    Sniffer thread started

    SSID is hidden. SSID length is: 3.
    Trying SSID:
    Packets sent: 1 -Speed: 1 packets/sec
    then the last line is completed with 'Killed';
    Packets sent: 1 -Speed: 1 packets/secKilled

    Any ideas as to where I am going wrong?

    Any info appreciated!

    EDIT
    ----
    Getting mixed results; wordlist mode seems to be working more or less consistently
    but sometimes needs to be run a couple of times before success.
    Still can't get Bruteforce to work though.

    Oh well, getting there!

    EDIT#2
    -------

    OK, the problem seemed to be the speed at which it was sending; default is 300/sec for Bruteforce
    and unlimited for the wordlist option (which is obviously too fast for my particular router / adapter to work with).

    Adjusted to max 100 / 150 pass/sec as follows;

    Code:
    mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u -s 100
    Reducing the speed for the dictionary attack seems to have worked as well.

    Finally...
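An added example, not from the thread or from mdk3, showing where the "SSID length is: 3" line in TAPE's output and the "length 0" case secure_it mentions come from: a cloaked AP's beacon carries an SSID information element that is either zero-length (length unknown) or the real length padded with NUL bytes (length leaks, characters do not). The beacon bodies and the build_beacon_body helper are constructed for the demo; keyspace() only reproduces the 17576 combinations TAPE's run reported.

```python
from dataclasses import dataclass
from typing import Optional

SSID_ELEMENT_ID = 0
FIXED_PARAMS_LEN = 12  # timestamp (8) + beacon interval (2) + capability info (2)

@dataclass
class SsidInfo:
    hidden: bool
    length: int          # bytes the SSID IE reserves; 0 = hidden with unknown length
    ssid: Optional[str]  # None when hidden

def parse_beacon_ssid(frame_body: bytes) -> SsidInfo:
    """Walk the tagged parameters of a beacon body and classify its SSID IE (ID 0).
    A cloaked AP sends either a zero-length SSID IE (the 'length 0' case in the
    thread) or one of the real length filled with NUL bytes (mdk3's 'SSID length is: 3')."""
    pos = FIXED_PARAMS_LEN
    while pos + 2 <= len(frame_body):
        elem_id, elem_len = frame_body[pos], frame_body[pos + 1]
        value = frame_body[pos + 2:pos + 2 + elem_len]
        if len(value) != elem_len:
            raise ValueError("truncated information element")
        if elem_id == SSID_ELEMENT_ID:
            if value.strip(b"\x00") == b"":   # empty or all-NUL: cloaked
                return SsidInfo(hidden=True, length=elem_len, ssid=None)
            return SsidInfo(hidden=False, length=elem_len,
                            ssid=value.decode("utf-8", errors="replace"))
        pos += 2 + elem_len
    raise ValueError("no SSID element in beacon")

def keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute force must send: 26 ** 3 == 17576 for -b u and length 3."""
    return charset_size ** length

def build_beacon_body(ssid_ie: bytes, channel: int = 1) -> bytes:
    """Constructed sample: zeroed fixed params, the given SSID IE, then a
    DS Parameter Set element (ID 3) carrying the channel."""
    return bytes(FIXED_PARAMS_LEN) + ssid_ie + bytes([3, 1, channel])

if __name__ == "__main__":
    samples = {"visible BBB": bytes([0, 3]) + b"BBB",
               "hidden, length 3": bytes([0, 3, 0, 0, 0]),
               "hidden, length unknown": bytes([0, 0])}
    for label, ie in samples.items():
        print(label, "->", parse_beacon_ssid(build_beacon_body(ie)))
    print("uppercase only, length 3 ->", keyspace(26, 3), "candidates")
```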

  8. #18 nttcar, Just burned his ISO (Join Date: Nov 2008, Posts: 1)

    Still no success for finding hidden SSID

    I tried
    Code:
    mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u -s 100
    I am getting all the non-hidden SSIDs; I ran it a couple of times, but the one hidden SSID I am not able to get. When I try airoway.sh, it shows a deauth message on the MAC address I am trying to find, but still no luck after running for two hours. Anyone know where the step-by-step guide for Wireshark is? Thanks.

  9. #19 Member (Join Date: Jan 2010, Location: The new forums, Posts: 462)

    Might want to check out for reference: http://forums.remote-exploit.org/bt4...track-4-a.html

  10. #20 TAPE, Very good friend of the forum (Join Date: Jan 2010, Location: Europe, Posts: 599)

    Quote Originally Posted by nttcar View Post
    I tried
    Code:
    mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u -s 100
    I am getting all the non-hidden SSIDs; I ran it a couple of times, but the one hidden SSID I am not able to get. When I try airoway.sh, it shows a deauth message on the MAC address I am trying to find, but still no luck after running for two hours. Anyone know where the step-by-step guide for Wireshark is? Thanks.
    Well, if the SSID is not an uppercase value the above code won't work
    (the u option for bruteforcing is only checking uppercase values).

    If it is a short ESSID (3 or 4 characters) then try with the "a" flag;

    Code:
    mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b a -s 150
