6

I'd like to know if there exists at least the possibility of a known/theoretical attack on a wireless SSID that does not involve a host within the network. What I mean by this is that some of the common ways of obtaining network access require a host as a victim, either for an evil twin type of attack or for a handshake capture by deauthenticating said host; however, I'd like to know if any of you know ways around this.

Let me explain the scenario:

  • I've no physical way to reset the router and by this means, reconfigure it to service me only.
  • I've already discovered the router's SSID.
  • There are no hosts currently attached to the SSID's network.
  • I cannot do a brute-force attack on the SSID's possible passwords because the router may "tag" my MAC address and just lock me out of trying to authenticate again.

So the scenario takes out any host that we can use as leverage for the pentest; if anyone has any experience or knowledge of what to do in this type of scenario, I'd appreciate it.

arif
  • 1,088
  • 13
  • 24
strkIV
  • 88
  • 1
  • 7
  • What is the authentication method, WEP, WPA? Do you have any other information about the router, Model, chipsets? Is there any interesting information from `wash`? – Nalaurien Jun 16 '17 at 06:15
  • 2
    Maybe you can try a Pixie Dust attack if it has WPS activated. We need more data from the scenario. You can spoof your MAC and try whatever. If it is blocked you can change it to another and keep testing. – OscarAkaElvis Jun 16 '17 at 13:35
  • Sorry about those details I left out. The scans with airmon-ng show that the network's authentication method is WPA2/PSK, with no authentication server. – strkIV Jun 16 '17 at 18:46
  • This is an interesting question, but for all I know, I think what you want to achieve is impossible. BTW, by *"Hack an SSID"* do you mean cracking the password? Can you rephrase that in your question? – Azteca Jun 16 '17 at 22:09
  • By "Hack the SSID" I mean successfully intruding into the network without the known attack vectors in a wireless scenario. – strkIV Jun 16 '17 at 22:17
  • 3
    Fake your MAC address. Almost all routers allow this. Then just use brute force; when you get locked out, increment your MAC and keep going. The router can't physically store more than a few thousand MACs, if that, so you should be able to recycle MAC addresses after 1000 or so. – cybernard Jun 17 '17 at 15:01
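
From the defender's side, the per-MAC lockout the question describes is exactly what the MAC-rotation idea in the comments gets around, so a detection should count handshake failures per access point regardless of client MAC. The following is an added example (not from any participant in this thread) that does that over constructed log lines; the log format is an assumption loosely modelled on hostapd's wording, not a real capture.

```python
"""Flag PSK brute-force attempts that rotate the client MAC.

Added example: a per-MAC lockout (the "tagging" in the question) is
side-stepped by changing MAC after each lockout, so this counts handshake
failures per AP interface across all client MACs in a sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines, loosely modelled on hostapd's wording; not a real
# capture. Format: "<ISO timestamp> <iface>: STA <mac> WPA: <event>".
SAMPLE_LOG = """\
2017-06-17T15:01:00 wlan0: STA aa:bb:cc:dd:ee:01 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
2017-06-17T15:01:01 wlan0: STA aa:bb:cc:dd:ee:01 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
2017-06-17T15:01:02 wlan0: STA aa:bb:cc:dd:ee:02 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
2017-06-17T15:01:03 wlan0: STA aa:bb:cc:dd:ee:03 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
2017-06-17T15:01:04 wlan0: STA aa:bb:cc:dd:ee:04 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
2017-06-17T15:01:05 wlan0: STA aa:bb:cc:dd:ee:05 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
2017-06-17T15:03:00 wlan0: STA 10:20:30:40:50:60 WPA: pairwise key handshake completed (RSN)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+): STA (?P<mac>[0-9a-f:]{17}) WPA: (?P<event>.*)$"
)


def detect_rotating_bruteforce(log_text, window_seconds=60, max_failures=5):
    """Return {iface: (failures_in_window, distinct_macs)} for interfaces
    whose handshake failures in one window exceed max_failures."""
    failures = defaultdict(deque)  # iface -> timestamps of recent failures
    macs = defaultdict(set)        # iface -> client MACs seen failing
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "invalid MIC" not in m["event"]:
            continue  # only failed PSK attempts count
        ts = datetime.fromisoformat(m["ts"])
        recent = failures[m["iface"]]
        recent.append(ts)
        macs[m["iface"]].add(m["mac"])
        while recent and ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if len(recent) > max_failures:
            alerts[m["iface"]] = (len(recent), len(macs[m["iface"]]))
    return alerts
```

On the sample, six failures from five different MACs arrive within five seconds, so the alert fires even though no single MAC ever exceeded the per-client limit.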

2 Answers

3

If the network is WPA2 as you said in the comments, this is what you can do:

  • You didn't specify if WPS is enabled or not. So check that using wash (included in the reaver package) or using --wps on airodump-ng. Then, if it is enabled, you can try a Pixie Dust attack (very fast but only affecting some Access Points, maybe you could be lucky). You can also try brute-forcing the PIN or an attack based on a PIN database.

  • Another way to hack it is getting a Handshake and then cracking it offline. To do that, you must be "listening" with airodump-ng while a legitimate client connects to the network. It doesn't matter if the SSID is hidden. You'll get the handshake anyway and you'll crack it offline based on BSSID. To obtain it, the common method is using DoS, deauthenticating a client, but your question said "without sending deauth frames". So if you want the Handshake without DoS you can only wait, wait and wait... until a client connects to get it. You said there are no clients connected to the network. Maybe you can only set up the "listening" and wait for days... Once you have the Handshake capture file you can crack it without fear of being detected or whatever; it is an offline process. You can use aircrack or hashcat tools (or maybe others).

  • Another possibility is to create a Rogue AP Evil Twin with a captive portal, hoping the victim confuses the networks and puts his/her wireless password into your trap. This attack requires a little bit of "social engineering" and a victim without any knowledge about networking (but believe me, sometimes it works!). It is usual again to perform DoS on the legitimate network to force them to investigate, and maybe they will click on your fake network. Again, without sending "deauth frames" it is very, very difficult to be successful with this kind of attack.

Of course you can perform all of these actions with your MAC spoofed to be pretty sure you are not being detected.

I'll recommend you a tool that can do ALL of these attacks: airgeddon

Hope it helps!

OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48
0

The Cafe Latte (WEP) attack comes to mind first. It might be a bit outside of what you wanted, but you didn't rule it out - so here you go: http://www.securitytube.net/video/122

You mentioned the possibility of the router "tagging and locking you out" - which means it may not use WEP by default. I'm not sure whether similar attacks exist for WPA.

Sas3
  • 2,638
  • 9
  • 20
  • That's the thing, I know that kind of attack may work under WPA, but the authentication the router accepts for the network is WPA2 – strkIV Jun 16 '17 at 18:47