How to bruteForce Hidden ESSID Using MDK3

[imported_=Tron=]

So when if I try and brute force my hidden essid (7 chars - linksys) do I need to be in range of the AP for every essid try, or can I be downstairs where the signal doesn't reach?

Yes, you need to be within range during the whole process. For testing purposes I would also recommend using a shorter ESSID, as it will work just as well as a proof of concept as using a longer but will spare you a lot of time.

[secure_it]

So when if I try and brute force my hidden essid (7 chars - linksys) do I need to be in range of the AP for every essid try, or can I be downstairs where the signal doesn't reach?

Also, can a hidden essid's length be 1 or 0 (which indicates a hidden length) when brute forcing?

Thanks.

essid length 0 or 1 denotes that aircrack-ng could not determine the ESSID length.there may be many reasons like AP is far or AP have some sort of protection which preventing the aircrack-ng to guess correct essid,in that case when a client got assoicated with AP.you can get the essid and yes essid length can be 1 char but not 0.do what Tron have recommended as bruteforcing 2 chars essid would be good option for learning how things are working and also play with pps settings to get good results.e.g. lowering it.

[opreat0r]

can you not just listen and get the the ID that way ? why are we brute forcing stuff we dont need to ?

[Baraqel]

can you not just listen and get the the ID that way ? why are we brute forcing stuff we dont need to ?

My thoughts exactly.

The only time this would have any sort of validity is when attacking your neighbour's network to prove how uber l337 you are to your friends.

Please don't go on to tell me that you would use this methodology if you were hired by a company to test the security measures surrounding their Wifi infrastructure either. I have never been to a company where a user system was not probing for the corporate SSID and it could not be easily obtained - either social engineering or the glaringly obvious... sniffer.

[imported_catalyst]

The only time this would have any sort of validity is when attacking your neighbour's network to prove how uber l337 you are to your friends.

Please don't go on to tell me that you would use this methodology if you were hired by a company to test the security measures surrounding their Wifi infrastructure either. I have never been to a company where a user system was not probing for the corporate SSID and it could not be easily obtained - either social engineering or the glaringly obvious... sniffer.

I have a few AP's in my neighbourhood with hidden ESSID's and I never managed to catch the station probing for them and I'm thinking about the same way to secure my AP. The only way it could be cracked then, is by deauthing me from my AP or brute forcing it so I've also been looking for a method to test the bf'ing.
I'm glad I found this thread. Now I just need to find time to do the testing.

Greetings to =Tron= from Lodz

[thefatmoop]

i would think that airodump-ng, and then send a spew of deauth packets would do the job if trying to get the hidden essid by viewing the probes

def will take a look at this essid tool tonight

[TAPE]

Although there are the obvious queries on the benefits / uses of bruteforcing the ESSID,
I think it is interesting and have given it a whirl..

I would appreciate responses from those who have gotten it to work as I am still getting some grief ;

Have set up a router with a hidden 3 letter (uppercase) ESSID (BBB), and use the below code;

Code:

mdk3 <interface> p -c <channel> -t <target ap> -b <charset Upper case>

so in my case;

Code:

mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u

it runs through sets of possibilities and in the end advises that it has completed the full set of
possible combinations without giving the correct response.

channel set to: 1
SSID Bruteforce Mode activated!

Waiting for beacon frame rom target...
SSID is hidden. SSID length is: 3.
Sniffer thread started
Trying SSID: RGA
Trying SSID: etc etc etc etc
Packets sent: 17526 - Speed: 125 packets/sec
all 17576 possible SSIDs sent.

When using the -f option (obviously with the correct ESSID included) ;

Code:

mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -f wordlist.txt

There are no attempts shown during the process ;

channel set to 1
SSID Wordlist Mode activated!

Waiting for beacon frame from target...
Sniffer thread started

SSID is hidden. SSID length is: 3.
Trying SSID:
Packets sent: 1 -Speed: 1 packets/sec

then the last line is complemented with 'killed' ;

Packets sent: 1 -Speed: 1 packets/secKilled

Any ideas as to where I am going wrong ?

Any info appreciated !

EDIT
----
Getting mixed results, wordlist mode seems to be working more or less consistently
but sometimes needs to be run a couple of times before success.
Still cant get Bruteforce to work though.

Oh well, getting there !

EDIT#2
-------

OK, the problem seemed to be the speed at which it was sending, default is 300/sec for Bruteforce
and unlimited for the wordlist option (which is obviously too fast for my particular router / adapter to work with..)

Adjusted to max 100 / 150 pass/sec as follows ;

Code:

mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u -s 100

Reducing the speed for the dictionary attack seems to have worked as well.

Finally...

[nttcar]

I try
mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u -s 100, I am getting all the non hidden SSID then ran couple of times but the one hidden ssid, I am not able to get it. When I try airoway.sh, it show deauth message on the mac address I try to find but still no luck after ran for two hours. Any one know where is the step by step guide from wireshark . thanks

[Lincoln]

Might want to check out for reference: http://forums.remote-exploit.org/bt4...track-4-a.html

[TAPE]

I try
mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b u -s 100, I am getting all the non hidden SSID then ran couple of times but the one hidden ssid, I am not able to get it. When I try airoway.sh, it show deauth message on the mac address I try to find but still no luck after ran for two hours. Any one know where is the step by step guide from wireshark . thanks

Well if the SSID is not an uppercase value the above code wont work
(the u option for bruteforcing is only checking uppercase values)

If it is a short essid (3 or 4 characters) then try with the "a" flag ;

Code:

mdk3 rausb0 p -c 1 -t 00:11:22:33:44:55 -b a -s 150