The other day I had a wireless network packet capture saved as a .cap file. The ESSID shown in the normal aircrack-ng output for the WPA/WPA2 capture led me to believe there was at least one space at the beginning of the ESSID, and likely more after it, since the capture was not processing properly with oclHashcat-plus. I had never run into this before and was not sure of the easiest way to figure out the number of spaces, so I posed the question in the Freenode #aircrack-ng IRC channel. The responses I got are noted below, followed by instructions for the clearest solution.
How Many Spaces Are Located In An SSID Via A WPA/WPA2 Packet Capture:
As noted in the intro paragraph I posed the question in the #aircrack-ng IRC channel on the Freenode network about how to determine the number of spaces in an SSID or, more correctly, an ESSID. I received two responses: first, dump the WPA/WPA2 wireless packet capture to hex, and second, open the WPA/WPA2 wireless packet capture in Wireshark, which provides a graphical display that includes the ESSID length. I initially chose Wireshark since I was familiar with it and figured it was the easiest way to accomplish the task, so that method is described in more detail below. While writing this article I also wanted to find a way to get the SSID length using a tool from the aircrack-ng suite itself, which turned out to be possible with airodump-ng and is described below as well.
Initial WPA/WPA2 Wireless Packet Capture Output From aircrack-ng:
[root@dev ~]# aircrack-ng wireless-packet-capture.cap
Opening wireless-packet-capture.cap
Read 815 packets.

   #  BSSID              ESSID                     Encryption

   1  1C:11:44:06:33:FF   somessid1                WPA (1 handshake)

Choosing first network as target.

Opening wireless-packet-capture.cap
Please specify a dictionary (option -w).

Quitting aircrack-ng...
[root@dev ~]#
So as you can see, when the wireless-packet-capture.cap file was fed into aircrack-ng the ESSID did not line up directly under the ESSID column header as it normally would, so I knew right off the bat that there was at least one space at the beginning of the ESSID. The Encryption column is not lining up properly either, which suggests some number of spaces following somessid1 as well. The reason this matters is that WPA/WPA2-PSK derives the pairwise master key with PBKDF2 using the passphrase and the raw SSID bytes as the salt, so if the ESSID you hand to the cracker is off by even a single space every passphrase guess produces the wrong PMK and the attack can never succeed, no matter how good the wordlist is. The interesting part is that if the spaces are meant as a hacker deterrent they would have done a much better job without the leading space: with only trailing spaces, the misaligned columns would not have given the trick away so easily.
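To make the point concrete, the following added Python example (not code from the original post) derives the WPA/WPA2-PSK PMK for the exact 32-byte ESSID from the capture and for the "tidied" variants a tool or operator might substitute, and shows that each one yields a different key. The passphrase is a constructed sample; the ESSID layout (1 leading space, somessid1, 22 trailing spaces) is the one worked out in this article, and the known-answer check uses the "password"/"IEEE" vector from the 802.11 standard.

```python
import hashlib

# Constructed sample values, not taken from the article's capture.
PASSPHRASE = "correct horse battery staple"
VISIBLE_SSID = b"somessid1"
EXACT_SSID = b" " + VISIBLE_SSID + b" " * 22      # 32 bytes: 1 leading, 9 visible, 22 trailing


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the raw SSID bytes, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def pmk_candidates(passphrase: str, ssid: bytes) -> dict:
    """PMKs for the SSID exactly as captured and for the variants you get by
    stripping spaces. Only the exact bytes reproduce the network's real PMK."""
    variants = {
        "exact": ssid,
        "stripped": ssid.strip(b" "),
        "lstripped": ssid.lstrip(b" "),
        "rstripped": ssid.rstrip(b" "),
    }
    return {name: derive_pmk(passphrase, s).hex() for name, s in variants.items()}


def all_distinct(pmks: dict) -> bool:
    """True when no two variants collide, i.e. every space changes the key."""
    return len(set(pmks.values())) == len(pmks)


def self_check() -> bool:
    """Known-answer test from the IEEE 802.11 PSK test vectors:
    passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", b"IEEE").hex() == expected


if __name__ == "__main__":
    print("known-answer test ok:", self_check())
    for name, pmk in pmk_candidates(PASSPHRASE, EXACT_SSID).items():
        print(f"{name:>9}: {pmk}")
```

The same PBKDF2 step is what aircrack-ng and oclHashcat-plus run for every wordlist entry, which is why the -e value (or the ESSID stored in the .hccap file) has to be byte-exact.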
Determine SSID Length Using Wireshark:
Determining the WPA/WPA2 SSID length, or ESSID length, using Wireshark is easy. Once you have a wireless packet capture whose SSID length you need to determine, start by opening the packet capture in Wireshark, which will display something similar to the below.
WPA/WPA2 Wireless Packet Capture Opened In Wireshark:
Now highlight a packet that is either a Beacon frame or a Probe Response in Wireshark to display something similar to the below. The display filter wlan.fc.type_subtype == 0x08 lists only beacons and wlan.fc.type_subtype == 0x05 only probe responses, which saves scrolling through a large capture.
Wireless Packet Capture Beacon Frame Highlighted In Wireshark:
Now, to get the details of the actual SSID including the ESSID length, expand “IEEE 802.11 wireless LAN management frame” by clicking the arrow to the left of the description, then expand “Tagged parameters (229 bytes)” to display the list of tagged parameters. You can now see “Tag: SSID parameter set: somessid1 ”, which can be expanded to show the total ESSID length, 32 characters in the above example including all of the spaces. We already know there is one space before the SSID, so we can calculate that there are 22 spaces following the 9 visible characters of somessid1 (32 - 9 - 1 = 22). When processing the wireless packet capture with aircrack-ng using the -e switch you will therefore need to put the SSID in quotes, spaces included, giving a command similar to the first example below. It is followed by the aircrack-ng command needed to convert a wireless packet capture for use with oclHashcat-plus.
Wireless Packet Capture Beacon Frame Showing SSID Tag Details:
**NOTE** Keep in mind that the above example images all have the real ESSID blurred out for privacy reasons. In the SSID Tag Details section the blur covers where you will see the SSID you are investigating.
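The Wireshark steps above can also be done on the command line without a GUI. The following added Python example (not part of the original post, and not an aircrack-ng tool) walks a classic libpcap file, handles both raw 802.11 (linktype 105) and radiotap (linktype 127) captures, pulls the SSID tag (tag 0) out of every beacon or probe response, and reports the exact length plus the leading and trailing space counts together with the quoted value to pass to aircrack-ng -e. Because a real capture cannot be embedded here, build_beacon_pcap() constructs a one-frame sample pcap in memory with the 32-byte ESSID and the BSSID from this article; point ssids_in_pcap() at the bytes of your own .cap file to use it for real. The example assumes a classic pcap (not pcapng), which is what airodump-ng writes.

```python
import struct

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames
LINKTYPE_RADIOTAP = 127     # radiotap header in front of each frame


def build_beacon_pcap(ssid: bytes, bssid: bytes, radiotap: bool = False) -> bytes:
    """Constructed sample: a minimal little-endian libpcap file holding one beacon."""
    # 802.11 management header: frame control (type 0 mgmt, subtype 8 beacon),
    # duration, addr1 (broadcast), addr2 (source), addr3 (BSSID), sequence control.
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    # Fixed parameters: 8-byte timestamp, beacon interval, capability info.
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    # Tagged parameters: SSID (tag 0) followed by Supported Rates (tag 1).
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    frame = header + fixed + tags
    linktype = LINKTYPE_IEEE802_11
    if radiotap:
        # Minimal radiotap header: version, pad, length (8), present flags (none).
        frame = struct.pack("<BBHI", 0, 0, 8, 0) + frame
        linktype = LINKTYPE_RADIOTAP
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def iter_packets(pcap: bytes):
    """Yield (linktype, packet bytes) for each record of a classic libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian (usec / nsec)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian (usec / nsec)
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield linktype, pcap[off:off + incl_len]
        off += incl_len


def dot11_payload(linktype: int, pkt: bytes) -> bytes:
    """Strip the radiotap header (its length sits little-endian at offset 2)."""
    if linktype == LINKTYPE_RADIOTAP:
        rt_len = struct.unpack("<H", pkt[2:4])[0]
        return pkt[rt_len:]
    if linktype == LINKTYPE_IEEE802_11:
        return pkt
    raise ValueError(f"unsupported linktype {linktype}")


def ssid_from_mgmt_frame(frame: bytes):
    """Return (bssid, raw SSID bytes) from a beacon or probe response, else None."""
    if len(frame) < 38:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (0x5, 0x8):   # 5 = probe response, 8 = beacon
        return None
    bssid = frame[16:22].hex(":")
    off = 24 + 12   # past the management header and the fixed parameters
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + length]
        if tag == 0:
            return bssid, body   # returned untouched, every space included
        off += 2 + length
    return None


def ssids_in_pcap(pcap: bytes) -> dict:
    """Map BSSID -> raw SSID bytes for every beacon/probe response in the file."""
    found = {}
    for linktype, pkt in iter_packets(pcap):
        hit = ssid_from_mgmt_frame(dot11_payload(linktype, pkt))
        if hit:
            found[hit[0]] = hit[1]
    return found


def describe_ssid(ssid: bytes) -> dict:
    """Length and space counts, plus the exact quoted value for aircrack-ng -e."""
    leading = len(ssid) - len(ssid.lstrip(b" "))
    trailing = len(ssid) - len(ssid.rstrip(b" "))
    return {
        "length": len(ssid),
        "leading_spaces": leading,
        "trailing_spaces": trailing,
        "hex": ssid.hex(),
        "aircrack_e_arg": "'" + ssid.decode("latin-1") + "'",
    }


if __name__ == "__main__":
    sample = build_beacon_pcap(b" somessid1" + b" " * 22, bytes.fromhex("1c11440633ff"))
    for bssid, ssid in ssids_in_pcap(sample).items():
        print(bssid, describe_ssid(ssid))
```

The hex field is the one to trust when the SSID contains anything other than plain ASCII: an SSID is an arbitrary byte string up to 32 bytes, and a terminal or GUI can hide tabs, non-breaking spaces or multi-byte characters just as well as it hides ordinary spaces.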
Example WPA/WPA2 aircrack-ng Cracking Command When The ESSID Includes Spaces:
[root@dev ~]# aircrack-ng -e ' somessid1 ' wireless-packet-capture.cap -w wordlist.txt
Example .cap File Processing Via aircrack-ng For .cap File Use With oclHashcat-plus:
[root@dev ~]# aircrack-ng -J wireless-packet-capture.cap.hccap -e ' somessid1 ' wireless-packet-capture.cap
The first command above will actually begin attempting to crack the wireless packet capture, while the second will generate a .hccap file for use with oclHashcat-plus. Note that aircrack-ng appends the .hccap extension to the name given with -J itself, so check the name of the file it actually wrote before pointing oclHashcat-plus at it. Now, to accomplish the same goal we achieved with Wireshark from the Linux CLI, we can use the method below with airodump-ng, which is part of the aircrack-ng suite of tools.
Determine SSID Length Of Wireless Packet Capture Using airodump-ng:
First issue an airodump-ng command similar to the following…
The airodump-ng Command To Start With:
[root@dev ~]# airodump-ng -r wireless-packet-capture.cap --output-format csv -w wireless-packet-capture-output
This command will display something similar to the output below on your screen. Press the “q” key to end it; the details you need regarding the SSID length are written to wireless-packet-capture-output.csv.
Output From Initial airodump-ng Command:
 CH  0 ][ Elapsed: 0 s ][ 2012-05-10 17:04 ][ Finished reading input file wireless-packet-capture.cap.

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 1C:11:44:06:33:FF  4096       1       27    0   1  54e  WPA2 CCMP   PSK   somessid1

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 1C:11:44:06:33:FF  00:22:88:32:37:39  4096   0 -1487     0        1
 1C:11:44:06:33:FF  00:11:55:4A:A8:8B  4096   1487e-1487e  51       33
[root@dev ~]#
Depending on what you named the file with the -w switch you will now have a file named something.csv, which in this example is wireless-packet-capture-output.csv (depending on the airodump-ng version, a numeric suffix such as -01 may be added to the name you gave). Looking inside the output file we can obtain the SSID length from the ID-length column as shown below.
CSV File Contents Of airodump-ng Output:
[root@dev ~]# cat wireless-packet-capture-output.csv

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
1C:11:44:06:33:FF, 2012-05-10 16:33:18, 2012-04-14 16:33:18, 1, 54, WPA2WPA , CCMP TKIP,PSK, 4096, 1, 27, 0. 0. 0. 0, 32,  somessid1                      , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:55:4A:A8:8B, 2012-04-14 16:33:18, 2012-04-14 16:33:18, 4096, 33, 1C:11:44:06:33:FF,
00:22:88:32:37:39, 2012-04-14 16:33:18, 2012-04-14 16:33:18, 4096, 1, 1C:11:44:06:33:FF,
[root@dev ~]#
As you can see in this example the ESSID length is 32 characters, which means that outside of the 9 letters and numbers making up somessid1 there are 23 spaces: 1 space before somessid1 and 22 spaces following it. You can also count the characters by counting all of the positions between the two commas around the ESSID field and subtracting one for the separator space that follows the first comma.
Now you have multiple ways to verify the number of spaces included in an SSID or ESSID. I actually prefer the second method and will use that in the future because it is more accurate in determining how many spaces come before the letters/numbers/symbols in the SSID and how many come after them.