How to bruteForce Hidden ESSID Using MDK3
secure_it
07-31-2008, 11:20 AM
One of MDK3's best features is bruteforcing hidden ESSIDs. It works in 2 ways: we can try every possible combination, which is suitable for short ESSIDs, or we can try using a default/custom-created ESSID list. I have attached the Shmoo Group's WPA Tables ESSID list with the addition of some more default ESSIDs which I got from different forums, so now there are approx. 1143 ESSIDs. Using MDK3, within a few seconds you can get the hidden ESSIDs.
I have set an 11-char ESSID and set it to hidden.
Tested using Linksys WUSB54GC adapter and Linksys WRT54G Router.
Commands:
bt ~ # airodump-ng rausb0
open one more window
# if the command is supplied without the target (-t) parameter, it will bruteforce all hidden ESSIDs in range.
bt ~ # mdk3 rausb0 p -f SSID.txt -t 00:21:29:68:16:C2
SSID Wordlist Mode activated!
Waiting for beacon frame from target...
Sniffer thread started
SSID is hidden. SSID Length is: 11.
Trying SSID: linksys
Trying SSID: ascend
Trying SSID: <any ssid>
Trying SSID: mynetwork
Trying SSID: fatport
Trying SSID: 2WIRE975
Trying SSID: 2WIRE186
Trying SSID: 2WIRE707
Trying SSID: 2WIRE774
Trying SSID: 2WIRE436
Packets sent: 1143 - Speed: 120 packets/sec
Got response from 00:21:29:68:16:C2, SSID: "thunderbolt"
Here you get the hidden ESSID in less than 10 seconds. By default its speed is 300 pps. In the airodump-ng window you can see that the hidden ESSID <length: 11> has now changed to your ESSID, e.g. thunderbolt.
Download Essid File (http://www.4shared.com/account/file/57251079/d7b4d5e2/SSID.html)
Bestia
08-12-2008, 01:02 AM
Hi
Tried using your "How to" but came up with an issue.
Set my AP to a 3-char SSID and disabled the SSID broadcast.
When I run airodump-ng the SSID length is reported as 1, which I suspect is not allowing the MDK3 command to run successfully.
Any ideas?
Running the VMware version of BT3 with a Linksys WUSB54GC adapter.
AP router is SMC7904WBA
secure_it
08-12-2008, 03:47 AM
Hi
Tried using your "How to" but came up with an issue.
Set my AP to a 3-char SSID and disabled the SSID broadcast.
When I run airodump-ng the SSID length is reported as 1, which I suspect is not allowing the MDK3 command to run successfully.
Any ideas?
Running the VMware version of BT3 with a Linksys WUSB54GC adapter.
AP router is SMC7904WBA
When the length is 0 or 1, it means the AP does not reveal the actual length and the real length could be any value. When this kind of condition occurs, there are 3 methods: either wait for a wireless client to authenticate with the AP, or deauth an existing wireless client, or use these Wireshark filters to capture the packets.
wlan.fc.type_subtype == 0 (association request)
wlan.fc.type_subtype == 4 (probe request)
wlan.fc.type_subtype == 5 (probe response)
Let me know if it works.
Bestia
08-17-2008, 07:07 AM
Worked like magic :)
Used Wireshark to capture packets between my Apple iPhone and the AP.
The probe response filter wlan.fc.type_subtype == 5 was particularly helpful in giving me the tag length of 3 and the tag interpretation of "SMC" (SSID) for my test setup, as well as giving additional info such as both supported rates and extended supported rates.
Highly recommend this test if you want a better understanding of the link setup between a client and AP, especially association and probe requests and responses - also used the wlan.fc.type_subtype == 1 (assoc response) filter.
Thanks for your advice, as not only do I have a better understanding of what's happening but I have also learnt the usefulness of Wireshark.
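The two posts above describe the same thing from different angles: airodump-ng reporting a hidden SSID as length 0 or 1, and Wireshark showing the real SSID element (tag length 3, "SMC") inside a probe response. The following parser, added here as an example and not code from the thread or from MDK3, walks the tagged parameters of a management frame and distinguishes a cloaked SSID (length 0, or an all-NUL value whose length N still leaks) from a disclosed one. The frames it parses are constructed inline; the BSSID is the one from the first post.

```python
# Element ID 0 = SSID. Management-frame subtypes named in the thread's Wireshark
# filters (wlan.fc.type_subtype == N for type 0 frames) and the size of the
# fixed fields that sit between the MAC header and the tagged parameters.
MGMT_SUBTYPES = {0: "association request", 4: "probe request",
                 5: "probe response", 8: "beacon"}
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
MAC_HDR_LEN = 24


def build_mgmt_frame(subtype: int, bssid: bytes, ssid: bytes) -> bytes:
    """Constructed test frame (assumption: addr3 carries the BSSID, the SSID
    is the first tagged parameter and a Supported Rates element follows)."""
    fc = bytes([subtype << 4, 0])                      # type 0 = management
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * FIXED_LEN[subtype]               # timestamp/interval/capab.
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    return hdr + fixed + tags


def parse_ssid(frame: bytes) -> dict:
    """Walk the tagged parameters and report the SSID element, flagging the
    two cloaked forms: a zero-length SSID and an all-NUL SSID of length N
    (airodump-ng shows the latter as "<length: N>", so N still leaks)."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        raise ValueError("not a supported management frame")
    result = {"subtype": MGMT_SUBTYPES[subtype],
              "bssid": ":".join(f"{b:02X}" for b in frame[16:22]),
              "ssid_len": None, "hidden": None, "ssid": None}
    off = MAC_HDR_LEN + FIXED_LEN[subtype]
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")
        if tag == 0:
            hidden = not value.strip(b"\x00")           # covers length 0 too
            result.update(ssid_len=length, hidden=hidden,
                          ssid=None if hidden else value.decode("ascii", "replace"))
            break
        off += 2 + length
    return result


if __name__ == "__main__":
    bssid = bytes.fromhex("0021296816C2")              # BSSID from the thread
    for sub, ssid in ((8, b"\x00" * 11), (5, b"SMC"), (8, b"")):
        print(parse_ssid(build_mgmt_frame(sub, bssid, ssid)))
```

Run over a real capture, the same walk applied to beacons tells you whether your own AP discloses the SSID length, and applied to probe responses it shows the clear-text SSID that any associating client causes the AP to send.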
tiong
08-18-2008, 03:50 PM
Hi my senior secure_it, may I ask you, is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? Like cracking a WEP password: just capture enough IVs and you can easily crack that password without having any wordlist, because if the hidden ESSID uses a word that is very difficult to guess (not a dictionary word), then our wordlist doesn't have this word and we cannot crack it. And WPA security, is it also the same, must it be cracked using a wordlist, not like WEP where you just capture enough IVs and it can be cracked? Thank you.
=Tron=
08-18-2008, 03:52 PM
...is it posibble to crack Hidden ESSID not using wordlist(dictionary list)? like crack WEP password just capture enought IVS than can easy crack that password without having any wordlist...
No, but it can be intercepted in clear text once a client connects to the AP using a valid ESSID.
tiong
08-18-2008, 04:09 PM
Hi my senior Tron, thank you for your reply. May I ask you, if that AP's ESSID is hidden, then once a client connects to that AP using a valid ESSID, is this a GOOD chance to crack this hidden ESSID? Using what tools, and how to do it? Is it just using the command: airodump-ng -w myfile -c 6 rausb0, and then the hidden ESSID will appear on the airodump-ng screen? Thank you very much.
=Tron=
08-18-2008, 04:17 PM
is it just using command: airodump-ng -w myfile -c 6 rausb0 , Than the hidden ESSID will apear on airodump-ng screen? Thank you very much.
That is absolutely correct.
secure_it
08-19-2008, 07:42 AM
Hi my senior secure_it, may I ask you, is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? Like cracking a WEP password: just capture enough IVs and you can easily crack that password without having any wordlist, because if the hidden ESSID uses a word that is very difficult to guess (not a dictionary word), then our wordlist doesn't have this word and we cannot crack it. And WPA security, is it also the same, must it be cracked using a wordlist, not like WEP where you just capture enough IVs and it can be cracked? Thank you.
You can use mdk3 p -t <BSSID> -b <character set> for bruteforcing the ESSID, but it's only recommended for short SSIDs like 1 to 7 chars as it takes a lot of time.
Slimmay
08-26-2008, 07:54 AM
You can use mdk3 p -t <BSSID> -b <character set> for bruteforcing the ESSID, but it's only recommended for short SSIDs like 1 to 7 chars as it takes a lot of time.
So if I try to brute force my hidden ESSID (7 chars - linksys), do I need to be in range of the AP for every ESSID try, or can I be downstairs where the signal doesn't reach?
Also, can a hidden ESSID's length be 1 or 0 (which indicates a hidden length) when brute forcing?
Thanks.
=Tron=
08-26-2008, 08:00 AM
So when if I try and brute force my hidden essid (7 chars - linksys) do I need to be in range of the AP for every essid try, or can I be downstairs where the signal doesn't reach?
Yes, you need to be within range during the whole process. For testing purposes I would also recommend using a shorter ESSID, as it will work just as well as a proof of concept as using a longer one but will spare you a lot of time.
secure_it
08-28-2008, 08:10 AM
So if I try to brute force my hidden ESSID (7 chars - linksys), do I need to be in range of the AP for every ESSID try, or can I be downstairs where the signal doesn't reach?
Also, can a hidden ESSID's length be 1 or 0 (which indicates a hidden length) when brute forcing?
Thanks.
ESSID length 0 or 1 denotes that aircrack-ng could not determine the ESSID length. There may be many reasons, like the AP is far away or the AP has some sort of protection which prevents aircrack-ng from guessing the correct ESSID; in that case, when a client gets associated with the AP, you can get the ESSID. And yes, the ESSID length can be 1 char but not 0. Do what Tron has recommended, as bruteforcing a 2-char ESSID would be a good option for learning how things work, and also play with the pps settings to get good results, e.g. lowering it.
operat0r
08-28-2008, 12:00 PM
Can you not just listen and get the ID that way? Why are we brute forcing stuff we don't need to?
Baraqel
10-03-2008, 10:30 PM
Can you not just listen and get the ID that way? Why are we brute forcing stuff we don't need to?
My thoughts exactly.
The only time this would have any sort of validity is when attacking your neighbour's network to prove how uber l337 you are to your friends.
Please don't go on to tell me that you would use this methodology if you were hired by a company to test the security measures surrounding their Wifi infrastructure either. I have never been to a company where a user system was not probing for the corporate SSID and it could not be easily obtained - either social engineering or the glaringly obvious... sniffer.
catalyst
10-27-2008, 12:17 PM
The only time this would have any sort of validity is when attacking your neighbour's network to prove how uber l337 you are to your friends.
Please don't go on to tell me that you would use this methodology if you were hired by a company to test the security measures surrounding their Wifi infrastructure either. I have never been to a company where a user system was not probing for the corporate SSID and it could not be easily obtained - either social engineering or the glaringly obvious... sniffer.
I have a few APs in my neighbourhood with hidden ESSIDs and I never managed to catch the station probing for them, and I'm thinking about the same way to secure my AP. The only way it could be cracked then is by deauthing me from my AP or brute forcing it, so I've also been looking for a method to test the bf'ing.
I'm glad I found this thread. Now I just need to find time to do the testing.
Greetings to =Tron= from Lodz
thefatmoop
11-06-2008, 03:16 PM
I would think that airodump-ng, and then sending a spew of deauth packets, would do the job if trying to get the hidden ESSID by viewing the probes.
Definitely will take a look at this ESSID tool tonight.