Identifying APs With Hidden SSIDs

渗透技巧 7个月前 admin
114 0 0
Guide on locating and analysing access points with hidden SSIDs for WIFI pentesting.
用于WIFI渗透测试的具有隐藏SSID的接入点的定位和分析指南。


One common challenge is dealing with Access Points (APs) that conceal their presence by not broadcasting their Service Set Identifier (SSID, or the WIFI name). This article goes into techniques for locating the MAC addresses of such APs, a fundamental step in the penetration testing of WiFi networks, using various tools and techniques to detect these APs, including passive and active scanning methods.
一个常见的挑战是处理通过不广播其服务集标识符(SSID或WIFI名称)来隐藏其存在的接入点 (AP)。本文将介绍定位此类 AP 的 MAC 地址的技术,这是 WiFi 网络渗透测试的基本步骤,使用各种工具和技术来检测这些 AP,包括被动和主动扫描方法。

I was recently in an engagement with an incredibly crowded wireless environment (I’m talking about >50 in range! half of which are hidden), given the target has a hidden SSID, this made it surprisingly tricky to identify the right AP and its MAC address (or BSSID) for further testing, which inspired this article.
我最近遇到了一个非常拥挤的无线环境(我说的是 >50 的范围!其中一半是隐藏的),因为目标有一个隐藏的 SSID,这使得识别正确的 AP 及其 MAC 地址(或 BSSID)以进行进一步测试变得非常棘手,这激发了本文的灵感。

This article assumes basic knowledge of WIFI technologies and the aircrack-ng suite, and you have some idea of what the SSID might be (I hope you’re not testing some completely random network).
本文假设您具备 WIFI 技术和 aircrack-ng 套件的基本知识,并且您对 SSID 可能是什么有所了解(我希望您不是在测试一些完全随机的网络)。

When using airodump, a hidden network can show up as this:
使用 airodump 时,隐藏网络可以显示如下所示:

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 
 24:F5:32:D3:32:5B   -6      554      178    0 149  780   WPA2 CCMP   PSK  <length:  9>
Term 术语

Or this if the SSID length is hidden altogether:
或者,如果SSID长度完全隐藏,则为以下条件:

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 
 24:F5:32:D3:32:5B   -6      554      178    0 149  780   WPA2 CCMP   PSK  <length:  0>
Term 术语

And we might see a lot of stations in range but no WIFI names, so how do we identify the right AP? Here are a few methods, and they can be combined for maximum effectiveness.
我们可能会在范围内看到很多电台,但没有 WIFI 名称,那么我们如何识别正确的 AP?这里有一些方法,它们可以结合起来以获得最大的效果。

Method 1: Listen and Wait
方法1:倾听并等待

This method is good for making a list of potential targets when you have no information at all.
当您根本没有信息时,这种方法非常适合列出潜在目标。

From the output of airodump, gather a list of suspects to be filtered. If the length of ESSID is broadcasted, you might be able make an educated guess on which is the right AP, then focus the capture on a few channels or or the specific BSSID:
从 airodump 的输出中,收集要筛选的嫌疑人列表。如果广播了 ESSID 的长度,您也许可以对哪个是正确的 AP 进行有根据的猜测,然后将捕获重点放在几个通道或特定的 BSSID 上:

airodump-ng wlan1 --band a --channel 149
airodump-ng wlan1 --band a --bssid 24:F5:32:D3:32:5B
Bash 巴什

If you’re lucky, you might catch some devices trying to connect to the AP, this should reveal the SSID and the right AP, and you’re good to go. I have also seen some connections with the right SSID, but BSSID shows (not associated), since the goal is to acquire the BSSID, this is where method 2 comes in handy.
如果幸运的话,您可能会发现一些设备试图连接到 AP,这应该会显示 SSID 和正确的 AP,您就可以开始了。我还看到了与正确 SSID 的一些联系,但 BSSID 显示 (not associated) ,由于目标是获取 BSSID,这就是方法 2 派上用场的地方。

Method 2: Manual Connection
方法2:手动连接

This method can be used when you have the SSID, but can’t pin point the AP.
当您有 SSID,但无法确定 AP 时,可以使用此方法。

If you know the SSID, or see it popping up in airodump but without BSSID like this, which can happen if the device is searching for the network, but not connected:
如果您知道 SSID,或者看到它在 airodump 中弹出但没有像这样 BSSID,如果设备正在搜索网络但未连接,则可能会发生这种情况:

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   3F:7F:24:6C:B4:23  -34    0 - 6      2        4         john_cena
Term 术语

You can try to manually connect to the AP using another device with a random password, the goal is to capture the initial handshake where the MAC address of the AP will be exposed. Filter by the SSID so that the results are easier to see:
您可以尝试使用随机密码使用另一台设备手动连接到 AP,目标是捕获将暴露 AP 的 MAC 地址的初始握手。按SSID过滤,以便更容易查看结果:

airodump-ng wlan1 --band a --essid john_cena
Bash 巴什
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 24:F5:32:D3:32:5B   -7 100       73       12    1 149  780   WPA2 CCMP   PSK  john_cena
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -22    0 - 6e     0       18         john_cena
Term 术语

The handshake will be captured, but since the password will be wrong, this capture cannot be used for hash cracking.
握手将被捕获,但由于密码错误,因此此捕获不能用于哈希破解。

Method 3: Deauth 方法3:Deauth

This method can be used when you have the BSSID, but want to make sure the AP and its SSID is correct.
当您拥有 BSSID 但希望确保 AP 及其 SSID 正确时,可以使用此方法。

Once you have some potential BSSIDs to test, you can filter by those and deauth one of the clients, wait for the client to reconnect, which will reveal the SSID and BSSID of the AP. Of course, this method is a lot more noisy than the other ones. Start capturing on the specific BSSID:
一旦您有一些潜在的 BSSID 要测试,您可以按这些 BSSID 进行筛选并取消其中一个客户端的身份验证,等待客户端重新连接,这将显示 AP 的 SSID 和 BSSID。当然,这种方法比其他方法嘈杂得多。开始在特定 BSSID 上捕获:

airodump-ng wlan1 --band a --bssid 24:F5:32:D3:32:5B -c 44
Bash 巴什
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID  

 24:F5:32:D3:32:5B   -4      153       72    0  44  780   WPA2 CCMP   PSK  <length:  9>                       

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -22    0 - 6e     0       18   
Term 术语

Deauth the client: Deauth 客户端:

aireplay-ng --deauth 44 -a 24:F5:32:D3:32:5B -c 3F:7F:24:6C:B4:23 wlan1
Bash 巴什

Wait for it to reconnect, and the BSSID and SSID should appear:
等待它重新连接,BSSID 和 SSID 应该出现:

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 24:F5:32:D3:32:5B   10 100      359      108   23  44  780   WPA2 CCMP   PSK  john_cena                      

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -26    6e- 6e   139     2877  PMKID
Term 术语

This also captures the WPA handshake, which can be used for cracking.
这也捕获了WPA握手,可用于破解。

Method 4: Bruteforce 方法4:蛮力

This method can be used when you have the BSSID, but you don’t want to deauth any clients and/or have a list of possible SSIDs.
当您拥有 BSSID,但您不希望取消任何客户端和/或可能的 SSID 列表时,可以使用此方法。

Using the MDK4 tool, we can bruteforce the SSID using a wordlist, this is useful when you have a list of potential SSIDs, but couldn’t find a connected client, or don’t want to deauth any. Let’s say you’re pentesting EvilCorp’s WIFI networks, the wordlist could be:
使用 MDK4 工具,我们可以使用单词列表暴力破解 SSID,当您有潜在 SSID 列表但找不到连接的客户端或不想取消任何身份验证时,这很有用。假设您正在对 EvilCorp 的 WIFI 网络进行渗透测试,单词列表可能是:

EvilCorp
evilcorp
Evilcorp
EvilCorp-ap
evilcorp-ap
Evilcorp-ap
EvilCorp-AP
evilcorp-AP
Evilcorp-AP
EvilCorp-wifi
evilcorp-wifi
Evilcorp-wifi
EvilCorp-WIFI
evilcorp-WIFI
Evilcorp-WIFI
Txt

Or in this case, we know the AP owner is a big WWE fan:
或者在这种情况下,我们知道 AP 所有者是 WWE 的忠实粉丝:

mdk4 wlan1 p -t 24:F5:32:D3:32:5B -f ssids.txt
Bash 巴什
Waiting for a beacon frame from target to get its SSID length.
SSID length is 9
Trying SSID: bert_hart                                           
Packets sent:      1 - Speed:    1 packets/sec

Wordlist completed.
Probe Response from target AP with SSID john_cena                
Job's done, have a nice day :)
Term 术语

MDK4 also has a full bruteforce mode where character sets can be specified, but this is not recommended unless the SSID length is short, and it wouldn’t work if the length is unknown altogether.
MDK4 还具有可以指定字符集的完整暴力模式,但除非 SSID 长度很短,否则不建议这样做,如果长度完全未知,则不起作用。

原文始发于Xre0uSIdentifying APs With Hidden SSIDs

版权声明:admin 发表于 2024年4月30日 下午3:42。
转载请注明:Identifying APs With Hidden SSIDs | CTF导航

相关文章