Re: Wireless SSID discovery
From: Olivier Fauchon (olivier_at_aixmarseille.com)
Date: Tue, 21 Dec 2004 01:04:29 +0100 To: firstname.lastname@example.org
Andrew Bagrin wrote:
> I'm doing a wireless pen-test and am able to use aircrack to crack
> the wep key, however, when I use Kismet, Cain, airdump etc.. I can't
> get the SSID of a the access point if the SSID broadcast has been
> disabled. Does anyone know how to do this, or is there any tools that
> will let you get the SSID even if its not being broadcasted.
Ok, hidden SSID must not be considered as a security feature. Because
SSID (wireless network name) is not only sent in beacons ( Network
announcement frames), but in probe/responses, association and
reassociations frames too.
You can disable SSID in beacon frames only. All other management frames
contains the SSID or the network.
There are many ways to discover the hidden SSID
- Forge DISASSOCIATE frames, to a station seaming to come from the
ACCESS POINT, so the station tries to reassociate (and send the SSID)
- Reboot a client, so it reassociate when it initialize (if you have
physical access to equipements)
- RF jam (interferences) a client so it tries to reassociate (and expose
- Install a fake Access point near a client with weak signal so it tries
to roam (probe requests will be sent).
Hope that helps.
-- Olivier Fauchon GNU/Linux Systems Specialist Certified Wireless Network Administrator Email: email@example.com Web: http://www.aixmarseille.com