Re: Wireless SSID discovery

From: Olivier Fauchon (
Date: 12/21/04

  • Next message: GuidoZ: "Re: delving deeper"
    Date: Tue, 21 Dec 2004 01:04:29 +0100

    Andrew Bagrin wrote:
    > I'm doing a wireless pen-test and am able to use aircrack to crack
    > the wep key, however, when I use Kismet, Cain, airdump etc.. I can't
    > get the SSID of a the access point if the SSID broadcast has been
    > disabled. Does anyone know how to do this, or is there any tools that
    > will let you get the SSID even if its not being broadcasted.
    > Thanks,
    > Andrew
    > !DSPAM:41c723d1225102275466979!

    Ok, hidden SSID must not be considered as a security feature. Because
    SSID (wireless network name) is not only sent in beacons ( Network
    announcement frames), but in probe/responses, association and
    reassociations frames too.

    You can disable SSID in beacon frames only. All other management frames
    contains the SSID or the network.

    There are many ways to discover the hidden SSID

    - Forge DISASSOCIATE frames, to a station seaming to come from the
    ACCESS POINT, so the station tries to reassociate (and send the SSID)
    - Reboot a client, so it reassociate when it initialize (if you have
    physical access to equipements)
    - RF jam (interferences) a client so it tries to reassociate (and expose
    - Install a fake Access point near a client with weak signal so it tries
    to roam (probe requests will be sent).

    Hope that helps.

    Olivier Fauchon
    GNU/Linux Systems Specialist
    Certified Wireless Network Administrator

  • Next message: GuidoZ: "Re: delving deeper"