Discovering Hidden Access Points and SSID
In many cases access points are deployed so that they are restricted from broadcasting beacon packets. It is also possible to cloak the SSID so it cannot be determined by simply looking at the beacon. The previous example detected one beacon packet with a cloaked SSID, as shown below:
00:06:25:51:6b:79['\x00\x00\x00\x00\x00\x00\x00'|ESS+privacy]
You can sniff non-beacon packets and use them to determine hidden access points or cloaked SSIDs: management frames such as probe requests, probe responses and association requests carry these values in the clear. Scapy has support for several of these layers as well, as shown below:
>>> Dot11
Dot11            Dot11AssoResp      Dot11ProbeReq      Dot11ATIM
Dot11Auth        Dot11ProbeResp     Dot11Addr2MACField Dot11Beacon
Dot11ReassoReq   Dot11Addr3MACField Dot11Deauth        Dot11ReassoResp
Dot11Addr4MACField Dot11Disas       Dot11WEP           Dot11AddrMACField
Dot11Elt         Dot11AssoReq       Dot11PacketList
>>>
Here is a simple script to extract non-beacon packets and SSIDs:
#!/usr/bin/env python
import sys
from scapy.all import *          # modern Scapy exposes its layers via scapy.all

interface = sys.argv[1]          # monitor-mode interface to sniff on
unique = []                      # source addresses already reported

def sniffNonBeacon(p):
    # ignore anything that is not an 802.11 frame, and skip beacons
    if not p.haslayer(Dot11) or p.haslayer(Dot11Beacon):
        return
    if unique.count(p.addr2) == 0:
        unique.append(p.addr2)
        # %Dot11Elt.info% is the SSID element; sprintf prints ?? when the layer is absent
        print(p.sprintf("[%Dot11.addr1%][%Dot11.addr2%][%Dot11Elt.info%]"))
        print(p.summary())

sniff(iface=interface, prn=sniffNonBeacon)
This is the output of the script:
root@bluelinux:/home/shreeraj/wifi# ./sniffnb.py eth1
[00:0b:6c:21:27:c5][00:06:25:51:6b:79]['linksys']
802.11 Management 5L 00:06:25:51:6b:79 > 00:0b:6c:21:27:c5 / Dot11ProbeResp / SSID='linksys' / Dot11Elt / Dot11Elt
[00:06:25:51:6b:79][00:00:00:00:00:00][??]
802.11 Control 13L 00:00:00:00:00:00 > 00:06:25:51:6b:79
[ff:ff:ff:ff:ff:ff][00:0b:6c:21:27:c5]['linksys']
802.11 Management 4L 00:0b:6c:21:27:c5 > ff:ff:ff:ff:ff:ff / Dot11ProbeReq / SSID='linksys' / Dot11Elt
As is evident, we have harvested the 'linksys' SSID for the access point 00:06:25:51:6b:79, extracted from both the probe request and the probe response packets. Whenever a new client tries to join the access point, this exchange is sent out "in the air" and answered by the corresponding access point. This way you can discover hidden networks in the air.
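As an added example (not code from the original article, and written without Scapy so it runs offline), the following parses raw 802.11 management frames directly, flags BSSIDs that beacon a cloaked SSID, and recovers their names from probe/association frames, which is the inventory a defender wants when checking which "hidden" networks are actually discoverable. The sample frames are constructed to mirror the capture above (cloaked beacon, broadcast probe request, probe response) and are not a real capture.

```python
# Fixed-parameter bytes between the 24-byte header and the tagged IEs, per subtype
MGMT = {0: ("AssoReq", 4), 1: ("AssoResp", 6), 4: ("ProbeReq", 0),
        5: ("ProbeResp", 12), 8: ("Beacon", 12)}
BCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):  # frame = raw 802.11 management frame without FCS
    if len(frame) < 24 or (frame[0] >> 2) & 3 != 0 or (frame[0] >> 4) not in MGMT:
        return None                                  # not a management subtype we decode
    name, fixed = MGMT[frame[0] >> 4]
    info = {"kind": name, "addr2": mac_str(frame[10:16]), "addr3": mac_str(frame[16:22]), "ssid": None}
    pos = 24 + fixed
    while pos + 2 <= len(frame):                     # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        val = frame[pos + 2:pos + 2 + elen]
        if len(val) < elen:                          # truncated IE: stop rather than overread
            break
        if eid == 0:                                 # element ID 0 is the SSID
            info["ssid"] = val
            break
        pos += 2 + elen
    return info

def cloaked(ssid):  # hidden networks advertise an empty or all-zero SSID
    return ssid is not None and (len(ssid) == 0 or set(ssid) == {0})

def resolve_hidden(frames):
    """Return (BSSIDs beaconing a cloaked SSID, {BSSID: SSID seen in any frame})."""
    hidden, learned = set(), {}
    for f in frames:
        p = parse_mgmt(f)
        if p is None or p["ssid"] is None:
            continue
        if cloaked(p["ssid"]):
            if p["kind"] == "Beacon":
                hidden.add(p["addr2"])
            continue
        # beacons and responses come from the AP (addr2); a directed request names it in addr3
        bssid = p["addr3"] if p["kind"].endswith("Req") else p["addr2"]
        if bssid != BCAST:
            learned[bssid] = p["ssid"].decode("utf-8", "replace")
    return hidden, learned

def build_mgmt(subtype, addr1, addr2, addr3, ssid):  # constructed test frames, not captures
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"".join(
        bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3)) + b"\x00\x00"
    return hdr + b"\x00" * MGMT[subtype][1] + bytes([0, len(ssid)]) + ssid

AP, CLIENT = "00:06:25:51:6b:79", "00:0b:6c:21:27:c5"   # addresses from the capture above
SAMPLE = [build_mgmt(8, BCAST, AP, AP, b"\x00" * 7),         # cloaked beacon (7 null bytes)
          build_mgmt(4, BCAST, CLIENT, BCAST, b"linksys"),    # broadcast probe request: no BSSID
          build_mgmt(5, CLIENT, AP, AP, b"linksys")]          # probe response reveals the name
```

Running `resolve_hidden(SAMPLE)` reports the AP as hidden and maps it to 'linksys' from the probe response alone; the broadcast probe request names the SSID but not the BSSID, so it is not used for the mapping.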