get ip address from bssid

Daniel picture Daniel · Aug 18, 2013 · Viewed 14.3k times · Source

I am doing some penetration testing, and im trying to find out, if i can get the IP address of an router if i got the bssid, or any i can get with the AIR tools?

I use Linux Kali with the Air tools atm.

I would say this is pretty damn bad if its possible. Basicly most people´s rounters can be reached through their outside IP. Even companies. :O

So far i tried: - Passive TCPDUMP - Active scanning

So basicly, is there a way, if so please give me a hint or the answer :-)

I am 100% refering to some sort of scanning. All kind of cracking, bruteforce, password guessing, access stealing is not what im asking about :-)

Answer

mvp picture mvp · Aug 18, 2013

You can't do that if target access point is protected with WPA/WPA2.

This is why. Getting WiFi to work involves following steps:

  • Associate with target access point. If access point is using WPA/WPA2 and you don't know the password, then you cannot proceed to further steps, and certainly cannot know anything about IP address of target access point.
  • After association, your client (which is typically configured to use DHCP) has no IP address assigned (its IP address is 0.0.0.0). Technically, you can use sniffer at this stage to scan the network and find out IP addressed used, but most sniffers don't like to work with 0.0.0.0 address. To proceed further, your client sends DHCP request, which is served by access point. After getting successful DHCP ack with new IP address, client can proceed to next step.
  • After getting IP address, client can talk to access point and finally knows its IP address (it was served as default router in DHCP ack) - and that would be the answer to your question (yes, that late in the game!). However, even at that point, full network connectivity cannot be assumed. If access point implements captive portal, then your network access may be restricted until you open up web browser and (depending on wireless provider) either accept usage terms, provide some credentials or pay with credit card.
  • After passing captive portal, it is possible (but not common) that access point automatically re-associates and gives you completely different IP address (and access point also has different IP address now, from completely different subnet). This would mean that IP address you learned in previous steps was completely useless to you in terms of knowing actual network infrastructure.