Friday, December 28, 2007

Bypass Hidden SSID & MAC Address Filtering

The purpose of this blog post is to demonstrate why a hidden SSID and MAC Address filtering should only ever be additional layers of wireless security, used in conjunction with strong encryption such as WPA.

Below are the steps an attacker could take to bypass a hidden SSID and MAC Address filtering to gain a foothold on your network and either instigate further attacks or use your internet connection.

Tools used:

  • Kismet

The Attack

1. I first use Kismet to look at the wireless networks within range.

My target wireless network is "batman". I can see from Kismet that this has no encryption and that the SSID is hidden.

At this stage I wouldn't know that the AP was using MAC Address filtering so I could try to join the network using:

iwconfig eth1 essid batman

Then I would try to obtain an IP address using:

dhclient eth1

The request for an IP Address would fail as the WAP is filtering MAC addresses.

2. Within Kismet I look at the clients connected to "batman" to obtain a valid client MAC address.

I see an active client is using the MAC of 00:16:6F:4D:AE:8C

I could then either wait for the client to disconnect or use a tool such as aireplay-ng to force a disconnection. As this is a test lab I will simply disconnect the valid client.

3. I check my current wireless card config using ifconfig

Note: I see that Kismet has not brought the card out of promiscuous mode. This will need to be done manually.

4. I now want to take my card out of promiscuous mode, change my MAC address to that of the valid client, and join the hidden (batman) network. To do this I use the following commands:

ifconfig eth1 -promisc
ifconfig eth1 down
ifconfig eth1 hw ether 00:16:6F:4D:AE:8C
ifconfig eth1 up
iwconfig eth1 essid batman

I verify the output of these commands with ifconfig and iwconfig as I go along.

5. I now request an IP address from the DHCP server on the WAP using:

dhclient eth1

I have successfully been assigned an IP address of from the WAP ( hmmm this is useful to know as I can try the web interface on that using either default passwords (Kismet will tell me the make of the WAP) or hydra........)

If the WAP was not using DHCP I would at this stage configure my card manually and set up my own DNS.

6. I now test connectivity to the web using ping:

My ping works, which tells me I have web access and DNS is working correctly.


Hopefully this demonstration has proven to you how simple it is for an attacker to bypass some of the more basic restrictions. Don't rely on a hidden SSID or MAC Address filtering as your only security measures. They may stop the average neighbour from using your internet connection, but they will not prevent an attacker from breaking into your network and using your internet connection.
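From the defender's side, the one thing a MAC allow-list cannot see is that two different machines are now using the same address. The script below is an added example (not part of the original post) that runs a simple check over constructed dnsmasq-style DHCP log lines: it flags any MAC that has identified itself under more than one hostname, and shows that the allow-list alone would happily accept that MAC. The log lines, the hostnames and the allow-list are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style DHCP log lines (not a real capture). The allow-listed
# client 00:16:6f:4d:ae:8c first leases as "laptop", then the same MAC comes back
# under a different hostname: the fingerprint of a cloned MAC address.
SAMPLE_LOG = """\
Dec 28 19:01:02 wap dnsmasq-dhcp[812]: DHCPREQUEST(wlan0) 192.168.1.23 00:16:6f:4d:ae:8c
Dec 28 19:01:02 wap dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.23 00:16:6f:4d:ae:8c laptop
Dec 28 19:14:40 wap dnsmasq-dhcp[812]: DHCPREQUEST(wlan0) 192.168.1.23 00:16:6f:4d:ae:8c
Dec 28 19:14:40 wap dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.23 00:16:6f:4d:ae:8c unknown-pc
Dec 28 19:20:05 wap dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.30 00:1a:2b:3c:4d:5e printer
"""

# Matches "DHCPACK(iface) ip mac [hostname]"; the hostname is optional because
# clients that send no hostname option get an ACK line without one.
ACK_RE = re.compile(
    r"DHCPACK\((?P<iface>[^)]+)\) (?P<ip>\S+) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: (?P<host>\S+))?"
)

def parse_acks(log_text):
    """Yield (mac, ip, hostname-or-None) for every DHCPACK line in the log."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["mac"].lower(), m["ip"], m["host"]

def find_cloned_macs(log_text):
    """Return {mac: sorted hostnames} for MACs seen under more than one hostname.
    A genuine client rarely renames itself between leases; two machines sharing
    one MAC (the real client and a copy of it) do exactly that."""
    names = defaultdict(set)
    for mac, _ip, host in parse_acks(log_text):
        if host:
            names[mac].add(host)
    return {mac: sorted(h) for mac, h in names.items() if len(h) > 1}

def acl_decision(mac, allowed):
    """What a MAC allow-list sees: only the address, so a cloned MAC is accepted."""
    return mac.lower() in {a.lower() for a in allowed}

ALLOWED = ["00:16:6F:4D:AE:8C", "00:1A:2B:3C:4D:5E"]  # constructed allow-list

if __name__ == "__main__":
    for mac, hosts in find_cloned_macs(SAMPLE_LOG).items():
        print(f"ALERT {mac} seen as {hosts}; allow-list accepts it: {acl_decision(mac, ALLOWED)}")
```

The same hostname check can be fed from a DHCP server's lease file instead of syslog; the point is that the identity evidence has to come from something other than the MAC itself.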


Anonymous said...

Great, do you know where I can download Kismet to install on a windows machine.

Anonymous said...

"Great, do you know where I can download Kismet to install on a windows machine." Just change your OS to Linux.

Anonymous said...

Very good!

Anonymous said...

What will you do if "filter all" is activated, meaning the router is broadcasting but doesn't respond to wireless clients because of this filter, and the owner uses a wired connection? Can something be done to bypass the MAC filter?

Anonymous said...

Great demonstration, I was surprised how the MAC address filter can be so easily bypassed :O

One more question: if I enable the "filter all" function on my router, will there still be a chance to get in?

I know perfectly well that my wifi is useless in that case, but I'm so curious :)

bye Matt

SynJunkie said...

Hi Matt

There are plenty of good practical suggestions in the forum article linked below that may help you secure your wifi connection.

Hope that helps


Anonymous said...

Hi Syn,
Good link, it helped me to know a bit more about wireless security!
I also noticed that your blog has a lot of interesting articles. Congratulations & thanks for the answer :D


SynJunkie said...

Glad to help. Cheers Matt

sigfunaris said...

Nice tutorial.
A stupid question though:
Your target was "batman" and you said it had a hidden ESSID.
Isn't batman the ESSID?

SynJunkie said...

Yes, batman was the hidden ESSID. It shows up in Kismet and is identified as hidden by the <> tags and the colour.

Normally you wouldn't see batman; you would have to know it's there to connect to it. Tools such as Kismet allow us to see hidden ESSIDs.

Hope that makes sense.



Anonymous said...

Yes, it does.
But my question was: if I'm not able to retrieve the name like you did (batman) but I just have (no ssid) like in the screenshot you posted, is it possible to get the hidden name using this program?
I tried to read the log with Wireshark (Ubuntu) but I got no information about the ESSID. Any suggestion?

SynJunkie said...

Ah, now I see what you are asking.

If the AP has no connected user then the ESSID won't be sent in management frames. What you can do here is look at the AP MAC, figure out the manufacturer and guess the ESSID.

If there are users connected you should see the ESSID. Deauth and re-associate frames have the ESSID, so you might need to deauth a user to grab the ESSID.

Does that help?

Avinash said...

SynJunkie, like you said, if no clients are connected to the AP, like the last one in the screenshot, and I know that the previous SSID was the default of the router manufactured by Thomson Belgium, "speedtouchB79037", what is to be done next? Sorry for being such a noob. When I try to connect with this SSID then the SSID is shown in the Kismet list but --- error in wireless association, it seems.

SynJunkie said...

Sorry mate. Seems like it's a waiting game then.

Post the question. There's a load of guys smarter than me that'll probably have a solution. Let me know how you get on though.



Anonymous said...

Can you still obtain the SSID your way if it's been changed from the default setting on the router to something unrecognizable?
In other words, are you safer if you are using a non default ssid?

"Using MAC filtering and hidden SSID with non default SSID"

SynJunkie said...

You can still get the SSID if there is traffic from the client. Moving away from the default to something random for the SSID does make life more difficult for the attacker if you're using WPA or WPA2. The reason being, there are many precomputed hash lists available for default SSIDs such as Linksys or Netgear. If you have something random the attacker will have to create a hash list once he knows the SSID. Not impossible, but more of a hassle which takes time.

Anonymous said...

Wow...amazing post thanks

Anonymous said...

Very good demonstration. I tried today to connect to an AP with MAC restriction using a client's MAC at the same time as him.
I succeeded in associating, but the problem is that the two of us connect with one MAC,
so I hope that you can show me how to use aireplay to force a disconnection.
Thank you.

SynJunkie said...

I don't have a lab set up anymore, but here is a pretty good explanation that should get you going.

Anonymous said...

Excellent site... will move my home here for a couple of!
On the point of "If the WAP was not using DHCP I would at this stage configure my card manually and set up my own DNS.", that leaves me with one question.
Is the DNS referred to here the nameservers found in the configuration file that must be entered manually, or does one have to set up a DNS server? The manual configuration of the card seems pretty straightforward.
Thank you for any help offered.

Musaddiq said...

Does Kismet need a particular WiFi signal receiver (i.e., a WLAN card) to display the hidden SSID, or even, for instance, if I want to hack a WEP or WPA access point? As I've learnt from a little search in Google, WiFi hacking requires the WiFi card to support raw monitoring mode. I am using a DELL Inspiron 15 (1545) with a Dell 1397 WLAN half mini-card in it. Is it capable of hacking? Can you please tell me which wireless card you used to bypass the hidden SSID? Please reply.

Anonymous said...

Hey Syn,
I'm really a big fan of your work
and really need your help.
My internet connection is controlled by a traffic control server from
North Star Technology.

Thanks to you, now I know how to bypass MAC address filtering,
but there is another BIG problem:
the server limits my speed to 25kbs
and I really need more speed.

Could you please find a way to bypass this speed limiting problem?

Thanks in advance,

BIG FAN from Egypt

A newbie :) said...

Duuude, I'm a total newbie. My question is: where do I type in Kismet? :P There is no space to type in...