
Thread: Aireplay-ng Hidden SSID deauth problem

  1. #1 (Join Date: 2013-Nov, Posts: 24)

    Aireplay-ng Hidden SSID deauth problem

    Problem: unable to reveal hidden SSID

    Steps Taken:
    1. Airmon-ng to start up the monitoring interface
    2. Started airodump-ng
    ---Ran into a problem isolating the channel of the wireless AP
    ---had to first set the dump to scan all channels, then narrowed it down to channel 5
    Why does the dump show channel '-1'?
    3. Once I am capturing packets, I want to deauth some clients so they reconnect, revealing the SSID, and capture the handshake
    ---Aireplay-ng deauth seems to need a beacon packet first but the problem is, a hidden SSID won't beacon out, how do I get around that?
    ---And I can't specify an ESSID because it's hidden...
    ---I checked, mon2 is fixed to channel 5 also and the dump is below:
    ---Also, for some reason all the Hidden SSID airodump shows has a power of '-1'

    TERM1--------------
    CH 5 ][ Elapsed: 48 mins ][ 2013-11-14 12:38

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:25:00:FF:94:73 -1 0 0 2 0 128 -1 OPN <length: 0>

    BSSID STATION PWR Rate Lost Frames Probe

    00:25:00:FF:94:73 AA:52:DE:C6:33:E0 -74 0 - 6 2 30537




    TERM2----------
    aireplay-ng -a 00:25:00:FF:94:73 -0 10 mon2
    12:10:13 Waiting for beacon frame (BSSID: 00:25:00:FF:94:73) on channel 5
    12:10:23 No such BSSID available.
    Please specify an ESSID (-e).

    Let me know if you need anything else to help out. Thanks.
    Last edited by polyphemus; 2013-11-16 at 15:24.

  2. #2 (Join Date: 2013-Nov, Posts: 24)
    Any solutions? Or am I just out of luck? And is anyone else having this problem? It didn't sound like it when I was doing my googling around.

  3. #3 (Join Date: 2013-Jul, Location: United States, Posts: 520)
    Just a point here, you seem to know what you are doing but just to make sure, you reveal the SSID by capturing a probe request/response. To capture this, you need to have a client associate to the network and essentially capture a 4-way handshake.

    Here is what I would do:

    Code:
    airmon-ng start wlan0                                        # put wlan0 into monitor mode (creates mon0)
    airodump-ng -c 5 --bssid 00:25:00:FF:94:73 -w capture mon0   # lock to channel 5, write capture-01.cap
    aireplay-ng -0 5 -a 00:25:00:FF:94:73 mon0                   # 5 deauth bursts against the AP's clients
    aircrack-ng capture-01.cap                                   # airodump-ng appends -01 to the file name
    If running aircrack didn't show the SSID, I would open the cap file in wireshark and look for the packets just before or in the 4-way handshake (more specifically at the info tab) and look for "SSID=XXXXXXX".

    *APs that don't broadcast their SSID still send out beacons, else the clients wouldn't know there's anything there in the first place. They just don't give out the SSID*

    Also, make sure your card is not connected to an AP in wlan0 and that you only have it in one instance of monitor mode so it does not get confused.

    HOWEVER, at the end of your post you said it has a power of -1. I have had the same exact thing happen to me, and I get very similar output when I try to find the SSID... ex: <length: 0> and Pwr -1.

    I think this may just be a probe or beacon of some sort from a client floating around but I haven't been able to figure that out.

    Good luck though!
    Last edited by soxrok2212; 2013-11-22 at 02:54.
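As an added defender-side example that is not part of this thread, here is a small Python parser for bare 802.11 management frames that shows the two things discussed above: a hidden AP's beacon still arrives, just with an empty SSID element (what airodump-ng prints as <length: 0>), and a burst of deauthentication frames from one transmitter, which is what an aireplay-ng -0 run looks like on the air, can be flagged with a simple rate check. It assumes the radiotap header has already been stripped; the sample frames (reusing the thread's BSSID and station MAC) and the reason code 7 are constructed test input, not captured traffic.

```python
import struct
from collections import defaultdict

BEACON, DEAUTH = 8, 12  # 802.11 management frame subtypes
def _mac(b): return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Parse a bare 802.11 frame (radiotap already stripped); None if not management."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0: return None
    info = {"subtype": frame[0] >> 4, "da": _mac(frame[4:10]),
            "sa": _mac(frame[10:16]), "bssid": _mac(frame[16:22])}
    body = frame[24:]
    if info["subtype"] == BEACON and len(body) >= 12:
        pos, ssid = 12, None  # skip timestamp(8) + interval(2) + capability(2)
        while pos + 2 <= len(body):
            eid, elen = body[pos], body[pos + 1]
            if eid == 0:      # SSID information element
                ssid = body[pos + 2:pos + 2 + elen]
                break
            pos += 2 + elen
        # A hidden AP still beacons, but with an empty/all-NUL SSID element (<length: 0>)
        info["hidden"] = ssid is not None and set(ssid) <= {0}
        info["ssid"] = "" if info["hidden"] else (ssid or b"").decode(errors="replace")
    elif info["subtype"] == DEAUTH and len(body) >= 2:
        info["reason"] = struct.unpack_from("<H", body)[0]
    return info

def deauth_bursts(frames, window=1.0, threshold=10):
    """frames: (timestamp, raw) pairs -> {sender: peak deauths in any `window` s} above threshold."""
    times = defaultdict(list)
    for ts, raw in frames:
        info = parse_mgmt(raw)
        if info and info["subtype"] == DEAUTH:
            times[info["sa"]].append(ts)
    flagged = {}
    for sa, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi in range(len(ts)):       # sliding window over sorted timestamps
            while ts[hi] - ts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[sa] = peak
    return flagged

def make_frame(subtype, da, sa, bssid, body):  # builds constructed test frames only
    return bytes([subtype << 4, 0, 0, 0]) + da + sa + bssid + b"\x00\x00" + body

AP, CLIENT, BCAST = bytes.fromhex("002500ff9473"), bytes.fromhex("aa52dec633e0"), b"\xff" * 6
HIDDEN_BEACON = make_frame(BEACON, BCAST, AP, AP, b"\x00" * 12 + b"\x00\x00")  # SSID IE id 0, len 0
SAMPLE = [(0.0, HIDDEN_BEACON)] + [(i * 0.05, make_frame(DEAUTH, CLIENT, AP, AP, b"\x07\x00")) for i in range(12)]
```

Feeding real frames from a monitor-mode capture in place of SAMPLE turns deauth_bursts into a basic deauth-flood alert; the threshold should be tuned to what the environment normally shows.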

  4. #4 (Join Date: 2013-Nov, Posts: 24)
    Quote Originally Posted by soxrok2212
    Just a point here, you seem to know what you are doing but just to make sure, you reveal the SSID by capturing a probe request/response. To capture this, you need to have a client associate to the network and essentially capture a 4-way handshake.

    Here is what I would do:

    Code:
    airmon-ng start wlan0                                        # put wlan0 into monitor mode (creates mon0)
    airodump-ng -c 5 --bssid 00:25:00:FF:94:73 -w capture mon0   # lock to channel 5, write capture-01.cap
    aireplay-ng -0 5 -a 00:25:00:FF:94:73 mon0                   # 5 deauth bursts against the AP's clients
    aircrack-ng capture-01.cap                                   # airodump-ng appends -01 to the file name
    If running aircrack didn't show the SSID, I would open the cap file in wireshark and look for the packets just before or in the 4-way handshake (more specifically at the info tab) and look for "SSID=XXXXXXX".

    *APs that don't broadcast their SSID still send out beacons, else the clients wouldn't know there's anything there in the first place. They just don't give out the SSID*

    Also, make sure your card is not connected to an AP in wlan0 and that you only have it in one instance of monitor mode so it does not get confused.

    HOWEVER, at the end of your post you said it has a power of -1. I have had the same exact thing happen to me, and I get very similar output when I try to find the SSID... ex: <length: 0> and Pwr -1.

    I think this may just be a probe or beacon of some sort from a client floating around but I haven't been able to figure that out.

    Good luck though!

    So I noticed that when I try to do a deauth, it requires a beacon packet prior to generating the ARP that kicks everyone off. It just hangs there, then spits an error back telling me to specify the ESSID (which obviously I don't have). So maybe if I fake an authentication using aireplay-ng it'll work?? Will a fake authentication generate a beacon frame? And I would think that all APs normally shoot out beacon frames, but when I run airodump-ng, it always shows 0 frames for beacons. Do beacons only pop up when a client is trying to associate and looking for that AP? Does the client send a probe request, then the AP tells the client "yea, I'm that AP", and those are the beacon packets? I'm trying to figure out how to get a beacon packet generated so aireplay-ng can sniff it to start the deauth.

    Also, I have the same problem with REAVER. "Wash" will pick up the AP in scan mode, but then REAVER won't work, and it tells me it could not associate itself (thinking it can't sniff a beacon either).

    I appreciate the help man.

  5. #5 (Join Date: 2013-Nov, Location: the state of oppression, Posts: 16)
    What is your receive quality (RXQ)? If it is low, you are either too far away from the AP, or there is too much interference. If your RXQ is poor, you will pretty much have problems all around. The solution is to get closer, and minimize obstructions.

  6. #6 (Join Date: 2013-Nov, Posts: 6)
    To get your channel off -1, I found using (ifconfig wlan0 down) worked for me.
