Secure Your Wireless Networks with Scapy Packet Manipulation (cont'd)
Discovering Hidden Access Points and SSID
In many cases access points are deployed so that they do not broadcast beacon packets, and it is also possible to cloak the SSID so that it cannot be determined simply by looking at the beacon. The previous example detected one beacon packet with a cloaked SSID, shown below:

00:06:25:51:6b:79['\x00\x00\x00\x00\x00\x00\x00'|ESS+privacy]

You can sniff non-beacon packets to identify hidden access points and cloaked SSIDs: the probe and association management frames disclose these values. Scapy supports several of these layers as well, as shown below:

>>> Dot11
Dot11 Dot11AssoResp Dot11ProbeReq
Dot11ATIM Dot11Auth Dot11ProbeResp
Dot11Addr2MACField Dot11Beacon Dot11ReassoReq
Dot11Addr3MACField Dot11Deauth Dot11ReassoResp
Dot11Addr4MACField Dot11Disas Dot11WEP
Dot11AddrMACField Dot11Elt Dot11AssoReq
Dot11PacketList
>>>

Here is a simple script to extract non-beacon packets and SSIDs:


#!/usr/bin/env python
import sys
from scapy.all import *   # Scapy 2.x module path; the original script used "from scapy import *"

interface = sys.argv[1]   # monitor-mode interface to sniff on, e.g. eth1
unique = []               # source addresses (addr2) already reported once

def sniffNonBeacon(p):
    # Skip beacons (their SSID may be cloaked); probe and association frames carry the real SSID
    if p.haslayer(Dot11) and not p.haslayer(Dot11Beacon):
        if p.addr2 not in unique:
            unique.append(p.addr2)
            print(p.sprintf("[%Dot11.addr1%][%Dot11.addr2%][%Dot11Elt.info%]"))
            print(p.summary())

sniff(iface=interface, prn=sniffNonBeacon)

This is the output of the script:


root@bluelinux:/home/shreeraj/wifi# ./sniffnb.py eth1
[00:0b:6c:21:27:c5][00:06:25:51:6b:79]['linksys']
802.11 Management 5L 00:06:25:51:6b:79 > 00:0b:6c:21:27:c5 / Dot11ProbeResp / SSID='linksys' / Dot11Elt / Dot11Elt
[00:06:25:51:6b:79][00:00:00:00:00:00][??]
802.11 Control 13L 00:00:00:00:00:00 > 00:06:25:51:6b:79
[ff:ff:ff:ff:ff:ff][00:0b:6c:21:27:c5]['linksys']
802.11 Management 4L 00:0b:6c:21:27:c5 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='linksys' / Dot11Elt

As is evident, we have harvested the 'linksys' SSID for the access point 00:06:25:51:6b:79, extracted from both the probe request and the probe response packets. Whenever a new client tries to connect to the access point, this exchange is sent out "in the air" and is served by the corresponding access point. This way you can discover hidden networks in the air.
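As an added example that is not part of the original article, the following dependency-free Python parser reads the 802.11 management frames discussed above (beacon, probe request, probe response), extracts the SSID element, and reports which BSSIDs cloak their SSID in beacons yet disclose it in probe responses, which is the same check a defender can run over a capture to confirm whether a "hidden" network is actually exposed. All frame bytes are constructed for the example (the MAC addresses mirror the output above); the frame layout follows the 802.11 management frame format rather than any Scapy API.

```python
import struct

FIXED_LEN = {8: 12, 5: 12, 4: 0}   # mgmt subtype -> fixed-field bytes before the tagged parameters
NAME = {8: "beacon", 5: "probe-resp", 4: "probe-req"}

def mac_to_str(b): return ":".join("%02x" % x for x in b)
def mac_to_bytes(s): return bytes.fromhex(s.replace(":", ""))

def parse_mgmt_frame(raw):
    """Parse the 24-byte header and SSID element (tag 0) of a beacon/probe frame; None otherwise."""
    if len(raw) < 24 or ((raw[0] >> 2) & 0x3) != 0 or (raw[0] >> 4) not in FIXED_LEN:
        return None                            # too short, or not a beacon/probe management frame
    subtype = raw[0] >> 4
    frame = {"subtype": NAME[subtype], "addr1": mac_to_str(raw[4:10]),
             "addr2": mac_to_str(raw[10:16]), "addr3": mac_to_str(raw[16:22]), "ssid": None}
    body = raw[24 + FIXED_LEN[subtype]:]
    while len(body) >= 2:                      # walk the tagged parameters
        tag, length = body[0], body[1]
        if len(body) < 2 + length:
            break                              # truncated element: stop rather than over-read
        if tag == 0:
            frame["ssid"] = body[2:2 + length]
            break
        body = body[2 + length:]
    return frame

def is_cloaked(ssid):
    """A cloaked SSID element is absent, empty, or all NUL bytes (as in the beacon shown above)."""
    return ssid is None or ssid.strip(b"\x00") == b""

def reveal_hidden_ssids(frames):
    """BSSIDs whose beacons cloak the SSID, mapped to the name their probe responses disclose."""
    cloaked, disclosed = set(), {}
    for f in filter(None, map(parse_mgmt_frame, frames)):
        if f["subtype"] == "beacon" and is_cloaked(f["ssid"]):
            cloaked.add(f["addr3"])            # addr3 carries the BSSID in a beacon
        elif f["subtype"] == "probe-resp" and not is_cloaked(f["ssid"]):
            disclosed[f["addr3"]] = f["ssid"].decode("utf-8", "replace")
    return {b: disclosed[b] for b in cloaked if b in disclosed}

def build_mgmt(subtype, addr1, addr2, addr3, ssid):
    """Constructed test frame: header, zeroed fixed fields with capability ESS+privacy, SSID element."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"".join(map(mac_to_bytes, (addr1, addr2, addr3))) + b"\x00\x00"
    fixed = (b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)) if FIXED_LEN[subtype] else b""
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

AP, CLIENT, BCAST = "00:06:25:51:6b:79", "00:0b:6c:21:27:c5", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [build_mgmt(8, BCAST, AP, AP, b"\x00" * 7),        # cloaked beacon (constructed)
                 build_mgmt(4, BCAST, CLIENT, BCAST, b"linksys"),  # client probe request
                 build_mgmt(5, CLIENT, AP, AP, b"linksys")]        # AP's probe response discloses the name
```

Feeding real frames from a monitor-mode capture (for example `bytes(pkt)` from Scapy after stripping any radiotap header) into reveal_hidden_ssids gives the same BSSID-to-SSID result as the script above.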
