Bypassing hidden SSID and MAC filtering "protection"

Question

I was browsing over this question and had some follow up questions from a practical perspective.

What tools will show the SSID of an AP with the SSID set to hidden or broadcasting disabled? I have looked at Kismet and similar tools but they don't seem to show the name of the hidden SSID. Do you have to use a packet inspector such as Wireshark to see this? If a packet inspector will show it, why wouldn't tools such as Kismet show it?

As for MAC filtering, it is trivial to see a list of clients connected to an AP. My understanding is the problem lies with booting the other client of the network so that there is no conflict? In which case, how could you do this if you are not on the network? Or would you join the network and have there be a conflict briefly while you removed the other client?

Perhaps it is as simple as deassociating the user and joining first, or some other sort of DoS attack?

Answer 1

If you don't broadcast the SSID it takes some monitoring of traffic with Kismet, but it will eventually pick it up. The more traffic actually going across the wifi, the faster it will identify it.

Mac filtering can be bypassed multiple ways, by being patient, or by flooding a device with garbage. The second can be done with a jammer and a directional antenna, or through various techniques detailed elsewhere.

Spoofing a mac address is trivial, and once done (if time is not a factor) one simply waits till the device disconnects and connects in it's place.