1 00:00:00,390 --> 00:00:06,230 In this video I am going to teach you how to use Python to discover so-called hidden wireless networks.
2 00:00:06,240 --> 00:00:06,680 OK.
3 00:00:06,720 --> 00:00:09,820 So why do I say so-called?
4 00:00:09,840 --> 00:00:16,350 Well, it is because in reality these are not actually truly hidden, because when network administrators
5 00:00:16,380 --> 00:00:23,790 activate a feature called hidden SSID, what they actually do is they don't add the SSID to the
6 00:00:23,790 --> 00:00:25,740 beacon frames.
7 00:00:25,830 --> 00:00:32,910 So a beacon frame in simple terms contains all the information about a network, and it is being transmitted
8 00:00:32,910 --> 00:00:39,540 periodically, or broadcast periodically, for synchronization over the wireless network and for other
9 00:00:39,540 --> 00:00:40,940 purposes.
10 00:00:40,950 --> 00:00:48,290 So this is actually part of the infrastructure of wireless networks, and we won't get deeper into that.
11 00:00:48,330 --> 00:00:54,930 What I need to add here is that the SSID is not only included in the beacon frames but also in probe requests
12 00:00:54,990 --> 00:01:02,490 and probe responses, so a hidden SSID is not actually a real way to truly hide a network.
13 00:01:02,880 --> 00:01:06,570 But like I said, some administrators actually still use it.
14 00:01:08,230 --> 00:01:08,750 OK.
15 00:01:08,760 --> 00:01:17,190 Now here's the outline for a potential attack that will help us find, or help someone find, a hidden
16 00:01:17,190 --> 00:01:17,670 SSID.
17 00:01:18,780 --> 00:01:25,020 I need to specify that for this to work you need a wireless card that supports monitor mode, and you can
18 00:01:25,020 --> 00:01:28,920 get one very cheap, for actually less than 10 dollars, online.
19 00:01:28,920 --> 00:01:29,220 All right.
20 00:01:29,220 --> 00:01:31,620 So what is the scenario?
21 00:01:31,630 --> 00:01:37,770 Let's say a client is connected to a network with a hidden SSID. Now an attacker will wait for it
22 00:01:37,770 --> 00:01:43,590 to disconnect from the network, or the attacker can forcefully disconnect the client from the network
23 00:01:43,620 --> 00:01:46,620 using spoofed deauthentication.
24 00:01:46,620 --> 00:01:53,820 Now the client disconnects and immediately tries to reconnect, and one of the packets from these transmissions,
25 00:01:53,820 --> 00:01:57,130 or from this traffic, will contain the desired SSID.
26 00:01:57,490 --> 00:02:05,490 Now let's actually get into the code, which is inspired by Bastian Ballmann's great book Understanding
27 00:02:05,490 --> 00:02:08,950 Network Hacks, which I really recommend.
28 00:02:08,970 --> 00:02:13,640 So we'll start with from scapy.all import *, import everything.
29 00:02:13,710 --> 00:02:19,680 We'll be using Scapy, and the first thing to do is to set a variable, or to define a variable, to the
30 00:02:19,680 --> 00:02:24,140 name of our network card that actually supports monitor mode.
31 00:02:24,170 --> 00:02:30,460 So let's say iface equals wlan0.
32 00:02:31,050 --> 00:02:34,380 Then we'll define a function to output probe requests,
33 00:02:34,380 --> 00:02:38,520 association requests and/or probe responses.
34 00:02:38,700 --> 00:02:43,300 So probe requests, probe responses or association requests.
35 00:02:43,320 --> 00:02:50,740 So let's actually say def handle_packet, and we'll take the parameter of a packet.
36 00:02:51,600 --> 00:02:59,850 And if packet.haslayer, so packet.haslayer
37 00:03:02,260 --> 00:03:07,720 Dot11ProbeReq, the probe request.
38 00:03:07,740 --> 00:03:20,340 So I said probe requests, probe responses and association requests, or packet.haslayer Dot11ProbeResp,
39 00:03:20,680 --> 00:03:35:540 or packet.haslayer Dot11AssoReq.
40 00:03:35,550 --> 00:03:39,740 So association requests. In this case we will simply print.
41 00:03:39,780 --> 00:03:49,560 And for this specific script we use, or it was inspired using, Python 2, so print 'SSID identified'
42 00:03:49,920 --> 00:03:58,990 and then a space, and we can say plus packet.info.
43 00:03:59,040 --> 00:04:10,000 All right, OK, now we need to put our Wi-Fi adapter, or our Wi-Fi card, in monitor mode, and for that
44 00:04:10,000 --> 00:04:10,770 we use
45 00:04:10,850 --> 00:04:12,460 os.system.
46 00:04:12,550 --> 00:04:14,100 But for us to use
47 00:04:14,120 --> 00:04:14,730 os, yes,
48 00:04:14,740 --> 00:04:16,480 we need to import it first.
49 00:04:16,510 --> 00:04:25,150 So import os, and then, as you can see, as you know from previous videos, we can work with system commands
50 00:04:25,150 --> 00:04:27,000 using os.system.
51 00:04:27,040 --> 00:04:34,150 And in this case it's gonna be iwconfig, not ifconfig but iwconfig,
52 00:04:34,150 --> 00:04:37,820 and then plus iface,
53 00:04:37,840 --> 00:04:44,300 so the name of our interface, which is wlan0, and then we need to specify mode monitor.
54 00:04:44,330 --> 00:04:51,610 So mode monitor. Then what's left is just to start sniffing and dumping packets according to the function
55 00:04:51,610 --> 00:04:54,610 we've just defined over here.
56 00:04:55,330 --> 00:04:56,680 So we can say print
57 00:04:59,450 --> 00:05:08,940 and since we're using Python 2 we can say 'Sniffing traffic on interface', space,
58 00:05:09,080 --> 00:05:15,420 plus iface, and then actually start the sniff: sniff on iface.
59 00:05:15,530 --> 00:05:22,670 So sniff is a method from scapy.all, import *, so sniff is included from this import.
60 00:05:23,510 --> 00:05:33,020 So iface is going to be our iface, or interface, which is wlan0, and the function prn, which I've told
61 00:05:33,020 --> 00:05:40,970 you about in the detailed video on Scapy, is gonna be, so the function is gonna be handle_packet, the function
62 00:05:40,970 --> 00:05:42,590 we've just defined here.
63 00:05:42,590 --> 00:05:49,500 Once again, the prn argument in the sniff method of Scapy allows us to use functions of our
64 00:05:49,510 --> 00:05:49,910 own.
65 00:05:50,270 --> 00:05:50,890 All right.
66 00:05:50,910 --> 00:05:57,050 Now in this case it will listen to network traffic using the interface, or the device, or the Wi-Fi adapter,
67 00:05:57,050 --> 00:06:04,400 in monitor mode, and it will dump those packets defined as per our if statement in the handle_packet function.
68 00:06:04,430 --> 00:06:12,350 So like I said, probe requests, probe responses and association requests, and it will actually output the
69 00:06:12,350 --> 00:06:19,940 SSID found. As you can see there is not much glamour to the code, just a bunch of commands sequenced
70 00:06:19,970 --> 00:06:21,100 or chained together.
71 00:06:21,100 --> 00:06:28,520 But yet again it goes to show the power of Python and, most importantly, the flexibility and the large capabilities
72 00:06:28,790 --> 00:06:29,590 of Scapy,
73 00:06:29,660 --> 00:06:32,930 which probably deserves an entire course itself.
74 00:06:32,930 --> 00:06:34,150 Now let's save this.
75 00:06:34,280 --> 00:06:42,500 And if you have a Wi-Fi adapter that supports monitor mode you can just simply plug it in and then run
76 00:06:42,500 --> 00:06:49,360 the script, and it will actually give you the hidden SSID that it identified.
77 00:06:49,370 --> 00:06:52,100 Now if you're eager to experiment and learn more,
78 00:06:52,130 --> 00:06:58,910 definitely check out the documentation of Scapy at scapy.net as well as the book I recommended,
79 00:06:58,910 --> 00:07:02,800 Understanding Network Hacks by Bastian Ballmann.
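Added example, not the script from the video or from Ballmann's book: the video's approach rests on one fact about 802.11, that a "hidden" access point still sends a beacon, only with a zero-length SSID element, while the probe responses it sends and the association requests a reconnecting client sends carry the real name. The block below makes that concrete with a small management-frame parser written in Python 3 (the video uses Python 2 print statements) that needs no Scapy to run, plus a tracker that only reports a name once it belongs to a BSSID that was seen beaconing without one, so ordinary networks are not flagged. The sample frames, MAC addresses and network names are constructed for the demo; `sniff_live` is an optional wrapper around Scapy's `sniff` that assumes the interface is already in monitor mode (the video does that with `iwconfig <iface> mode monitor`).

```python
"""Parse 802.11 management frames and pair hidden-SSID beacons with the
real SSID seen later in probe responses / association requests.
Sample traffic below is constructed; Scapy is only needed for sniff_live."""

MAC_HDR_LEN = 24       # FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2)
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
# Fixed fields that sit between the MAC header and the tagged elements
FIXED_LEN = {SUBTYPE_ASSOC_REQ: 4,    # capability(2) + listen interval(2)
             SUBTYPE_PROBE_REQ: 0,
             SUBTYPE_PROBE_RESP: 12,  # timestamp(8) + interval(2) + capability(2)
             SUBTYPE_BEACON: 12}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_mgmt_frame(frame):
    """Return {subtype, src, bssid, ssid} for a handled management frame,
    else None. ssid is b"" when the element is present but empty (hidden
    SSID beacon / wildcard probe) and None when no SSID element exists."""
    if len(frame) < MAC_HDR_LEN:
        return None
    fc0 = frame[0]
    if ((fc0 >> 2) & 0x3) != 0:          # frame type 0 = management
        return None
    subtype = (fc0 >> 4) & 0xF
    if subtype not in FIXED_LEN:
        return None
    body = frame[MAC_HDR_LEN + FIXED_LEN[subtype]:]
    ssid, i = None, 0
    while i + 2 <= len(body):            # walk the tag/length/value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:          # truncated element: stop, do not guess
            break
        if tag == 0:                     # element ID 0 = SSID
            ssid = bytes(value)
            break
        i += 2 + length
    return {"subtype": subtype, "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "ssid": ssid}


class HiddenSsidTracker:
    """Remembers BSSIDs that beacon with an empty SSID and reports the first
    probe request/response or association request that names one of them."""

    def __init__(self):
        self.hidden = set()      # BSSIDs seen beaconing without a name
        self.revealed = {}       # bssid -> ssid learned from other frames

    def feed(self, frame):
        p = parse_mgmt_frame(frame)
        if p is None:
            return None
        if p["subtype"] == SUBTYPE_BEACON:
            if p["ssid"] == b"":
                self.hidden.add(p["bssid"])
            return None
        if not p["ssid"]:                # wildcard probe or no SSID element
            return None
        if p["bssid"] in self.hidden and p["bssid"] not in self.revealed:
            self.revealed[p["bssid"]] = p["ssid"]
            return (p["bssid"], p["ssid"])
        return None


# --- constructed sample traffic (hypothetical MACs and names) ---
def build_frame(subtype, addr1, addr2, addr3, fixed, ies):
    return bytes([subtype << 4, 0, 0, 0]) + addr1 + addr2 + addr3 + b"\x00\x00" + fixed + ies


def ssid_ie(name):
    return bytes([0, len(name)]) + name


AP, AP2, STA = (bytes.fromhex(h) for h in ("001122334455", "00aabbccddee", "66778899aabb"))
BCAST = b"\xff" * 6
BEACON_FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"   # timestamp, interval, capability
RATES = b"\x01\x01\x82"                                   # supported-rates element
SAMPLE_FRAMES = [
    build_frame(SUBTYPE_BEACON, BCAST, AP, AP, BEACON_FIXED, ssid_ie(b"") + RATES),        # hidden AP
    build_frame(SUBTYPE_BEACON, BCAST, AP2, AP2, BEACON_FIXED, ssid_ie(b"OpenNet") + RATES),
    build_frame(SUBTYPE_PROBE_REQ, BCAST, STA, BCAST, b"", ssid_ie(b"") + RATES),          # wildcard
    build_frame(SUBTYPE_PROBE_RESP, STA, AP2, AP2, BEACON_FIXED, ssid_ie(b"OpenNet") + RATES),
    build_frame(SUBTYPE_PROBE_RESP, STA, AP, AP, BEACON_FIXED, ssid_ie(b"CorpLab") + RATES),
    build_frame(SUBTYPE_ASSOC_REQ, AP, STA, AP, b"\x11\x04\x0a\x00", ssid_ie(b"CorpLab") + RATES),
]


def run_samples():
    """Replay the constructed frames; returns the (bssid, ssid) reveals."""
    tracker = HiddenSsidTracker()
    return [hit for hit in (tracker.feed(f) for f in SAMPLE_FRAMES) if hit]


def sniff_live(iface):
    """Optional live mode: needs scapy and an interface already in monitor mode."""
    from scapy.all import sniff, Dot11     # imported lazily so the demo runs without scapy
    tracker = HiddenSsidTracker()

    def on_packet(pkt):
        if pkt.haslayer(Dot11):
            hit = tracker.feed(bytes(pkt[Dot11]))   # frame from the 802.11 header onward
            if hit:
                print("hidden SSID revealed: %s -> %r" % hit)
    sniff(iface=iface, prn=on_packet, store=False)
```

Running `run_samples()` yields only the hidden AP's name, `[("00:11:22:33:44:55", b"CorpLab")]`: the non-hidden network's probe response is ignored because its beacon already carried a name, the wildcard probe request is skipped because its SSID element is empty, and the association request adds nothing new once the probe response has revealed the name. In live mode `bytes(pkt[Dot11])` hands the parser the frame from the 802.11 header onward; a trailing FCS, if the driver passes one up, does no harm because the SSID is the first tagged element and parsing stops there.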