Sunday, October 30, 2011

WiFi: Discovering hidden SSID

Let's see why it means exactly 0 (zero) security if we hide our wireless' network SSID, hoping that no one can find it. People usually think that if they don't broadcast their SSID, then others can't connect to their network.

The AP still broadcasts Bacon frames, but without the SSID, so we see that something is there, but we don't know what. Here is how does it look in Wireshark and airodump-ng:

We can place our wifi card to monitor mode this way:

root@bt:~# airmon-ng start wlan0

This creates a mon0 interface which will belong to the wlan0 NIC, and we can't use wlan0 during this time. We can start monitoring with airodump-ng:

root@bt:~# airodump-ng mon0

We have two options:

1. We wait passively for a client to connect to the wireless network, cause then there will be a Probe request/response message exchange, where we will see the SSID in the response (this is the standard).

2. If we are inpatients, we can disconnect the clients with sending "deauth" packets with the AP's MAC address, thus causing them to reconnect, and we can reveal the SSID. Here it is:

root@bt:~# aireplay-ng -0 2 -a 06:24:B2:D8:3B:17 mon0

-0 - deauth packet
2 - number of packets
-a - AP MAC address
and the interface.

The result: we get the SSID.

So it doesn't worth doing ourselves additional work with hiding the SSID.

1 comment:

Anonymous said...

Szia!Jó kis írásaid vannak,Köszi