Perform the following instructions to get started:
Invisible option in the Visibility Status option, as shown in the following screenshot:
aireplay-ng utility to send deauthentication packets to all stations on behalf of the Wireless Lab access point by typing aireplay-ng -0 5 -a <mac> --ignore-negative mon0, where <mac> is the MAC address of the router. The -0 option is used to choose a deauthentication attack, and 5 is the number of deauthentication packets to send. Finally, -a specifies the MAC address of the access point you are targeting:
Even though the SSID is hidden and not broadcasted, whenever a legitimate client tries to connect to the access point, they exchange probe request and probe response packets. These packets contain the SSID of the access point. As these packets are not encrypted, they can be very easily sniffed from the air and the SSID can be found.
We will cover using probe requests for other purposes such as tracking in a later chapter.
In many cases, all clients may be already connected to the access point and there may be no probe request/response packets available in the Wireshark trace. Here, we can forcibly disconnect the clients from the access point by sending forged deauthentication packets on the air. These packets will force the clients to reconnect back to the access point, thus revealing the SSID.
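Seen from the defender's side, this is why a hidden SSID is not a security control. The following added example (not from the original text) parses raw 802.11 management frames and reports, per BSSID, whether beacons hide the SSID, whether a probe response exposed it anyway, and how many deauthentication frames were seen. The frame bytes, the MAC address and the function names are constructed for illustration.

```python
import struct

# Bytes of fixed fields before the tagged parameters, per management subtype.
FIXED = {4: 0, 5: 12, 8: 12}      # probe request, probe response, beacon
NAMES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 12: "deauth"}

def parse_mgmt(frame):
    """Return (kind, bssid, ssid) for a raw 802.11 management frame (no
    radiotap header, no FCS); ssid is None when absent or hidden."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    subtype = frame[0] >> 4
    bssid = frame[16:22].hex(":")                       # address 3
    ssid = None
    pos = 24 + FIXED[subtype] if subtype in FIXED else len(frame)
    while pos + 2 <= len(frame):                        # walk tag/length/value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:                         # truncated element
            break
        if tag == 0:                                    # SSID element
            if value.strip(b"\x00"):                    # empty or all-NUL = hidden
                ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return NAMES.get(subtype, f"subtype-{subtype}"), bssid, ssid

def audit(frames):
    """Per BSSID: beacon hides the SSID? SSID seen in clear? deauth count."""
    report = {}
    for kind, bssid, ssid in filter(None, map(parse_mgmt, frames)):
        r = report.setdefault(
            bssid, {"hidden_beacon": False, "leaked_ssid": None, "deauths": 0})
        if kind == "beacon" and ssid is None:
            r["hidden_beacon"] = True
        elif kind == "probe-resp" and ssid:
            r["leaked_ssid"] = ssid
        elif kind == "deauth":
            r["deauths"] += 1
    return report

def build(fc0, bssid, body):
    # Constructed sample frame: FC, duration, addr1 (broadcast), addr2, addr3, seq
    return bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\x00\x00" + body

AP = bytes.fromhex("020000000001")                      # constructed MAC
FIX = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)     # timestamp, interval, caps
SAMPLE = [                                              # constructed capture
    build(0x80, AP, FIX + b"\x00\x00"),                 # beacon, empty SSID
    build(0xC0, AP, struct.pack("<H", 7)),              # deauthentication
    build(0x50, AP, FIX + b"\x00\x0cWireless Lab"),     # probe response
]
```

Calling audit(SAMPLE) shows the same BSSID hiding its name in the beacon and exposing it in the probe response; a rising deauths count next to a hidden SSID is worth alerting on in wireless monitoring.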
In the previous exercise, we sent broadcast deauthentication packets to force reconnection of all wireless clients. Try to verify how you can selectively target individual clients using the aireplay-ng utility.
It is important to note that, even though we are illustrating many of these concepts using Wireshark, it is possible to orchestrate these attacks with other tools as well, such as the aircrack-ng suite. We encourage you to explore the entire aircrack-ng suite of tools and other documentation located on their website at http://www.aircrack-ng.org.