The purpose of this blog post is to demonstrate why hidden SSID & MAC Address filtering should only be layers of wireless security used in conjunction with strong encryption such as WPA.
Below are the steps an attacker could take to bypass a hidden SSID and MAC Address filtering to gain a foothold on your network and either instigate further attacks or use your internet connection.
Tools
- Kismet
The Attack
1. I first use kismet to look at the wireless networks within range.
My target wireless network is "batman". I can see from kismet that this has no encryption and the SSID is hidden.
At this stage I wouldn't know that the AP was using MAC Address filtering so I could try to join the network using:
iwconfig eth1 essid batman
Then I would try to obtain an IP address using:
dhclient eth1
The request for an IP Address would fail as the WAP is filtering MAC addresses.
2. Within Kismet I look at the clients connected to "batman" to obtain a valid client MAC address.
I see an active client is using the MAC of 00:16:6F:4D:AE:8C
I could then either wait for the client to disconnect or use a tool such as aireplay-ng to force a disconnection. As this is a test lab I will simply disconnect the valid client.
3. I check my current wireless card config using ifconfig
Note: I see that Kismet has not brought the card out of promiscuous mode. This will need to be done manually.
4. I now want take my card out of promiscuous mode, change my MAC address to that of the valid client, and join the hidden (batman) network. To do this I use the following commands:
ifconfig eth1 -promisc
ifconfig eth1 down
ifconfig eth1 hw ether 00:16:6F:4D:AE:8C
ifconfig eth1 up
iwconfig eth1 essid batman
I verify the output of these commands with ifconfig and iwconfig as i go along.
5. I now request an IP address from the DHCP server on the WAP using:
dhclient eth1
I have successfully been assigned an IP address of 192.168.1.202 from the WAP (192.168.1.5 hmmm this is useful to know as I can try the web interface on that using either default passwords (Kismet will tell me the make of the WAP) or hydra........)
If the WAP was not using DHCP I would at this stage configure my card manually and set up my own DNS.
7. I now test connectivity to the web using ping:
ping www.yahoo.com
my ping works, this tells me I have web access and DNS is working correctly.
Conclusion
Hopefully this demonstration has proven to you how simple it is for an attacker to bypass some of the more basic restrictions. Don't rely on a hidden SSID or MAC Address filtering as your only security measures. They may stop the average neighbor from using your internet connection but they will not prevent an attacker from breaking into your network and using your internet connection.
