Re: Wireless SSID discovery

From: Olivier Fauchon (
Date: 12/21/04

  • Next message: GuidoZ: "Re: delving deeper"
    Date: Tue, 21 Dec 2004 01:04:29 +0100

    Andrew Bagrin wrote:
    > I'm doing a wireless pen-test and am able to use aircrack to crack
    > the wep key, however, when I use Kismet, Cain, airdump etc.. I can't
    > get the SSID of a the access point if the SSID broadcast has been
    > disabled. Does anyone know how to do this, or is there any tools that
    > will let you get the SSID even if its not being broadcasted.
    > Thanks,
    > Andrew
    > !DSPAM:41c723d1225102275466979!

    Ok, hidden SSID must not be considered as a security feature. Because
    SSID (wireless network name) is not only sent in beacons ( Network
    announcement frames), but in probe/responses, association and
    reassociations frames too.

    You can disable SSID in beacon frames only. All other management frames
    contains the SSID or the network.

    There are many ways to discover the hidden SSID

    - Forge DISASSOCIATE frames, to a station seaming to come from the
    ACCESS POINT, so the station tries to reassociate (and send the SSID)
    - Reboot a client, so it reassociate when it initialize (if you have
    physical access to equipements)
    - RF jam (interferences) a client so it tries to reassociate (and expose
    - Install a fake Access point near a client with weak signal so it tries
    to roam (probe requests will be sent).

    Hope that helps.

    Olivier Fauchon
    GNU/Linux Systems Specialist
    Certified Wireless Network Administrator

  • Next message: GuidoZ: "Re: delving deeper"

    Relevant Pages

    • Re: ath vap - second hostap _almost_ works
      ... I am able to create and configure the wlan1 interface and clients can ... see the SSID and associate to the network. ... 1971 rx management frames ...
    • Re: Hidden SSIDs
      ... which searches through the scan data looking for a particular ssid. ... Any AP with a hidden SSID will only respond to probe requests that specify its SSID, ... the response will have an empty SSID field. ... frames from the APs. ...
    • Re: Hidden SSIDs
      ... which searches through the scan data looking for a particular ssid. ... by creating a new BSS entry) with the SSID from Probe Response ... the AP that is using hidden SSIDs will ... frames from the APs. ...
    • Re: Undetectable APs
      ... If you're seriously worried about attacks via wireless, ... that can be done to an encrypted access point or router, ... little to a wireless client adapter. ... Most modern AP's have a feature where they don't broadcast their SSID ...
    • Re: Doesnt anyone Know anything about roaming?
      ... I assume you use WZC on the Windows XP clients (and not a third party WLAN ... Then the selection of the SSID is done by WZC, ... make sure everything you buy conforms to the dominant wireless ... >> you can mix brands, operating systems, even network a Mac to a Windows PC ...