Remote Exploit Forums > Archives > BackTrack 3 Final > BackTrack3 Howtos

#1, 07-31-2008, 10:20 AM, secure_it (Senior Member; joined Dec 2007; 861 posts)

How to bruteForce Hidden ESSID Using MDK3

One of MDK3's best features is brute-forcing hidden ESSIDs. It works in two ways: either we try every possible combination, which is suitable for short ESSIDs, or we use a default/custom ESSID list. I have attached the Shmoo Group's WPA Tables ESSID list with some more default ESSIDs added that I collected from different forums, so there are now approx. 1143 ESSIDs. Using MDK3, you can get the hidden ESSID within a few seconds.
I set an 11-character ESSID and set it to hidden.
Tested using a Linksys WUSB54GC adapter and a Linksys WRT54G router.


Commands:

bt ~ # airodump-ng rausb0

Open one more window:

# If the command is supplied without the target (-t) parameter, it will brute-force all hidden ESSIDs in range.

bt ~ # mdk3 rausb0 p -f SSID.txt -t 00:21:29:68:16:C2

SSID Wordlist Mode activated!

Waiting for beacon frame from target...
Sniffer thread started

SSID is hidden. SSID Length is: 11.
Trying SSID: linksys
Trying SSID: ascend
Trying SSID: <any ssid>
Trying SSID: mynetwork
Trying SSID: fatport
Trying SSID: 2WIRE975
Trying SSID: 2WIRE186
Trying SSID: 2WIRE707
Trying SSID: 2WIRE774
Trying SSID: 2WIRE436
Packets sent: 1143 - Speed: 120 packets/sec
Got response from 00:21:29:68:16:C2, SSID: "thunderbolt"


Here you get the hidden ESSID in less than 10 seconds. By default its speed is 300 pps. In the airodump-ng window you can see that the hidden ESSID <length: 11> has now changed to the real ESSID, e.g. thunderbolt.


Download ESSID File


__________________
Back|Track 4 Wiki Editor & Founder of Indian Cyber Army
"0pen and free" d0es not mean "expl0ited and abused."


Centrino Core 2 Duo,250GB HDD,Geforce 9200 GS,4 Gigs RAM,Windows 7 Ultimate,Sun Solaris 10,BackTrack 4,2003 Server,2 Cisco ASA 5520 w/ security+,Cisco 7200 Series Adv. Security IOS 12.4T,Cisco NAC,Cisco IPS 4215 5.1,6.0,Cisco MARS,Cisco ACS 4.2,NetForensic Log Analyzer,Linksys WRT54G,2 Alfa AWUS036H 500 mW cards with 16 dBi Omni Antenna


#2, 08-12-2008, 12:02 AM, Bestia (Junior Member; Melbourne, Australia; joined Feb 2008; 20 posts)

Hi,

I tried using your "How to" but came up with an issue.
I set my AP to a 3-char SSID and disabled the SSID broadcast.
When I run airodump-ng, the SSID length is reported as 1, which I suspect is not allowing the MDK3 command to run successfully.

Any ideas?

Running the VMware version of BT3 with a Linksys WUSB54GC adapter.
AP router is an SMC7904WBA.
#3, 08-12-2008, 02:47 AM, secure_it

Quote: Originally Posted by Bestia
Set my AP to a 3-char SSID and disabled the SSID broadcast. When I run airodump-ng, the SSID length is reported as 1, which I suspect is not allowing the MDK3 command to run successfully. [...]

When the length is 0 or 1, it means the AP does not reveal the actual length, and the real length could be any value. When this condition occurs, there are 3 methods: either wait for a wireless client to authenticate with the AP, deauth an existing wireless client, or use these Wireshark filters to capture the packets:

wlan.fc.type_subtype == 0 (association request)
wlan.fc.type_subtype == 4 (probe request)
wlan.fc.type_subtype == 5 (probe response)

Let me know if it works.

#4, 08-17-2008, 06:07 AM, Bestia

Worked like magic.

I used Wireshark to capture packets between my Apple iPhone and the AP.
The probe response filter wlan.fc.type_subtype == 5 was particularly helpful in giving me the tag length of 3 and the tag interpretation of "SMC" (SSID) for my test setup, as well as giving additional info such as both supported rates and extended supported rates.

I highly recommend this test if you want a better understanding of the link setup between a client and AP, especially association and probe requests and responses. I also used the wlan.fc.type_subtype == 1 (association response) filter.

Thanks for your advice, as not only do I have a better understanding of what's happening but I have also learnt the usefulness of Wireshark.
#5, 08-18-2008, 02:50 PM, tiong (Junior Member; joined Dec 2007; 9 posts)

Is it possible to crack a hidden ESSID without using a wordlist?

Hi my senior secure_it, may I ask you: is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? Like cracking a WEP password, where you just capture enough IVs and can then easily crack the password without having any wordlist. Because if the hidden ESSID uses a word that is very difficult to guess (not a dictionary word), then our wordlist won't have this word and we cannot crack it. And is WPA security the same, in that it must be cracked using a wordlist, unlike WEP where you just capture enough IVs and it can be cracked? Thank you.
#6, 08-18-2008, 02:52 PM, =Tron= (Senior Member; The land of a thousand lakes; joined Apr 2008; 2,035 posts)

Quote: Originally Posted by tiong
...is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? Like cracking a WEP password, where you just capture enough IVs and can then easily crack the password without having any wordlist...

No, but it can be intercepted in clear text once a client connects to the AP using a valid ESSID.
__________________
-Monkeys are like nature's humans.

#7, 08-18-2008, 03:09 PM, tiong

How to intercept it in clear text once a client connects to the AP using a valid ESSID

Hi my senior Tron, thank you for your reply. May I ask you: if that AP's ESSID is hidden, then once a client connects to that AP using a valid ESSID, that is a GOOD chance to crack this hidden ESSID. Using what tools? How to do it? Is it just using the command: airodump-ng -w myfile -c 6 rausb0, and then the hidden ESSID will appear on the airodump-ng screen? Thank you very much.

#8, 08-18-2008, 03:17 PM, =Tron=

Quote: Originally Posted by tiong
Is it just using the command: airodump-ng -w myfile -c 6 rausb0, and then the hidden ESSID will appear on the airodump-ng screen? Thank you very much.

That is absolutely correct.

#9, 08-19-2008, 06:42 AM, secure_it

Quote: Originally Posted by tiong
...is it possible to crack a hidden ESSID without using a wordlist (dictionary list)? [...] if the hidden ESSID uses a word that is very difficult to guess (not a dictionary word), then our wordlist won't have this word and we cannot crack it. [...]

You can use mdk3 p -t <BSSID> -b <character set> for brute-forcing the ESSID, but it is recommended for short SSIDs like 1 to 7 chars, as it takes a lot of time.
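The mechanism behind the three technical points of this thread (the wordlist mode in post #1, the <length: 0> / <length: 1> beacons and the probe-response filter in posts #3 and #4, and the charset brute force in post #9), as an added example that is not part of the original thread and is not code from the mdk3 project. It builds raw 802.11 management frames in pure Python and never transmits them: a fake access point with a hidden SSID answers only a directed probe request carrying the right name, the attacker loop sends one probe request per wordlist entry the way mdk3 <iface> p -f SSID.txt -t <BSSID> does, and a beacon classifier shows why airodump-ng can print the length of a hidden SSID in some cases and not in others. The BSSID 00:21:29:68:16:C2, the SSID thunderbolt and the 300 pps rate are taken from the posts; the attacker MAC, the frame bodies and the way the fake AP treats broadcast probes are assumptions made for the example.

```python
import itertools
import struct

# Added example (not from the thread or the mdk3 project): raw 802.11 management frames
# built and parsed in pure Python, never transmitted. The BSSID and SSID are from post #1;
# the attacker MAC and the fake AP's behaviour are assumptions made for the example.

# Management-frame subtypes, numbered as Wireshark's wlan.fc.type_subtype filter shows them
ASSOC_REQ, ASSOC_RESP, PROBE_REQ, PROBE_RESP, BEACON = 0, 1, 4, 5, 8
IE_SSID = 0                                      # element ID of the SSID information element
BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """'00:21:29:68:16:C2' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def mgmt_header(subtype, dst, src, bssid):
    """24-byte management header: frame control, duration, addr1/2/3, sequence control."""
    fc = struct.pack("<H", subtype << 4)        # version 0, type 0 (management), no flags
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"

def type_subtype(frame):
    """The combined value Wireshark's wlan.fc.type_subtype filter compares against."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return (((fc >> 2) & 0x3) << 4) | ((fc >> 4) & 0xF)

def ssid_ie(ssid):
    return bytes([IE_SSID, len(ssid)]) + ssid

def parse_ies(body):
    """Walk the tagged parameters (id, length, value) into a dict keyed by element ID."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def ssid_field(frame):
    """Raw SSID element of a probe request, probe response or beacon (None if absent)."""
    fixed = 12 if type_subtype(frame) in (BEACON, PROBE_RESP) else 0   # timestamp+interval+capability
    return parse_ies(frame[24 + fixed:]).get(IE_SSID)

def beacon_like(subtype, dst, ap_mac, ssid):
    """Beacon or probe response: 8-byte timestamp, beacon interval, capability, then the IEs."""
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0001)
    return mgmt_header(subtype, dst, ap_mac, ap_mac) + fixed + ssid_ie(ssid)

def airodump_view(beacon):
    """What a beacon alone gives away, in the notation airodump-ng uses in the thread."""
    ssid = ssid_field(beacon)
    if not ssid:
        return "<length: 0>"                    # name and length both hidden
    if ssid == b"\x00" * len(ssid):
        return "<length: %d>" % len(ssid)       # name hidden, length leaks (the WRT54G case)
    return ssid.decode("ascii", "replace")      # not hidden at all

def hidden_ap(ap_mac, real_ssid):
    """Fake AP with a hidden SSID: answers only a directed probe request carrying the exact
    name. Assumption: real APs differ in how they treat broadcast probes; this one ignores them."""
    def respond(frame):
        if type_subtype(frame) != PROBE_REQ or ssid_field(frame) != real_ssid:
            return None
        return beacon_like(PROBE_RESP, frame[10:16], ap_mac, real_ssid)   # reply to addr2
    return respond

def wordlist_attack(words, attacker_mac, bssid, respond):
    """mdk3 p -f mode: one directed probe request per wordlist entry, stop at the first response."""
    sent = 0
    for word in words:
        req = mgmt_header(PROBE_REQ, bssid, attacker_mac, bssid) + ssid_ie(word.encode())
        sent += 1
        resp = respond(req)
        if resp is not None and type_subtype(resp) == PROBE_RESP:
            return ssid_field(resp).decode(), sent
    return None, sent

def charset_candidates(charset, length):
    """Order in which a -b style brute force enumerates one SSID length."""
    return ("".join(t) for t in itertools.product(charset, repeat=length))

def brute_force_seconds(charset_size, length, pps=300):
    """Worst-case time to exhaust one length at a send rate (300 pps is the default per post #1)."""
    return charset_size ** length / pps

if __name__ == "__main__":
    ap, me = mac("00:21:29:68:16:C2"), mac("00:11:22:33:44:55")   # BSSID from post #1; attacker MAC made up
    print(airodump_view(beacon_like(BEACON, BROADCAST, ap, b"\x00" * 11)))
    found, n = wordlist_attack(["linksys", "ascend", "thunderbolt"], me, ap, hidden_ap(ap, b"thunderbolt"))
    print("Got response after %d probes, SSID: %r" % (n, found))
    print("lowercase only, 7 chars, 300 pps: %.0f days" % (brute_force_seconds(26, 7) / 86400))
```

Run it directly to see the three results. The beacon classifier is the answer to the length question in posts #2 and #3: a null-filled SSID element leaks its length, an empty one does not, and neither carries the name, which is why only a probe response (or an association request from a real client) reveals it. The keyspace estimate at the end, lowercase only, 7 characters, at 300 pps, comes out at roughly 310 days for the worst case, which is the reason post #9 limits charset mode to short SSIDs.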

#10, 08-26-2008, 06:54 AM, Member (joined Jul 2008; 56 posts)

Quote: Originally Posted by secure_it
You can use mdk3 p -t <BSSID> -b <character set> for brute-forcing the ESSID, but it is recommended for short SSIDs like 1 to 7 chars, as it takes a lot of time.

So if I try to brute-force my hidden ESSID (7 chars - linksys), do I need to be in range of the AP for every ESSID try, or can I be downstairs where the signal doesn't reach?

Also, can a hidden ESSID's length be 1 or 0 (which indicates a hidden length) when brute-forcing?

Thanks.
Tags
bruteforce, decloak, essid, hidden essid, mdk3

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT. The time now is 03:25 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.3.2