Worth of hidden SSID?

[george8]

Newbie observation and question:

I have been experimenting by NOT broadcasting my AP's SSID, and then sniffing/watching it using some aircrack tools. I have a VERY active network with

wireless clients connected at least 1/3 of the time or more. Wow, I didn't know that when a wireless client associates with the AP the SSID becomes visible

in airodump!! With no clients it shows <length> of course, but when I associate the wireless printer (or any client) my SSID shows up instantly. On an

active wireless network that makes the "no broadcast" thing virtually useless.

My question, and I am just trying to make sure I didn't miss something: I am assuming that ALL airodump screens from any hacker machine would see my SSID if

an association happens. I am running a VM and using a seperate USB antenna with the laptop's wireless physically switched off to be certain its not

connected for this experiment. Just trying to positively eliminate the notion that this laptop is already associated and that is why the SSID appears. As I

understand the VM thing my motherboard should have no bearing on what I am seeing in airodump regarding the SSID showing up upon association.

Is the SSID just there when an association is established? That would make not broadcasting quite worthless.

[eeepclover]

Correct, choosing not to broadcast your SSID will only keep the casual observers away from your network. Anyone with backtrack and a little knowledge will know how to kick a wireless client off of the network and watch it reattach -- thus, revealing the name of the hidden SSID.

Newbie observation and question:

I have been experimenting by NOT broadcasting my AP's SSID, and then sniffing/watching it using some aircrack tools. I have a VERY active network with

wireless clients connected at least 1/3 of the time or more. Wow, I didn't know that when a wireless client associates with the AP the SSID becomes visible

in airodump!! With no clients it shows <length> of course, but when I associate the wireless printer (or any client) my SSID shows up instantly. On an

active wireless network that makes the "no broadcast" thing virtually useless.

My question, and I am just trying to make sure I didn't miss something: I am assuming that ALL airodump screens from any hacker machine would see my SSID if

an association happens. I am running a VM and using a seperate USB antenna with the laptop's wireless physically switched off to be certain its not

connected for this experiment. Just trying to positively eliminate the notion that this laptop is already associated and that is why the SSID appears. As I

understand the VM thing my motherboard should have no bearing on what I am seeing in airodump regarding the SSID showing up upon association.

Is the SSID just there when an association is established? That would make not broadcasting quite worthless.

[TAPE]

Hiding the SSID is not really going to help in protecting your network if targetted.

The only thing is that it does do is put an additional layer of security on the network and then the
'low hanging fruit' principle (attackers would usually go for the easiest victim) could apply.

If the network was to be specifically targetted however, it is unlikely it will be an obstacle at all.


If there is activity between the client and the AP (either normal network activity or simply probe requests) then the SSID will show up on airodump if correctly filtered to the specific channel you are monitoring.

If there is a client connected, but no activity showing the SSID, then the client could be forced to disconnect / reconnect with either aireplay or airdrop for instance.

Code:

aireplay-ng mon0 0 -1 -a [bssid MAC] -c [client MAC]

If no activity and no clients / printers etc. then mdk3 could be used to see whether the SSID is a
dictionary term.

Code:

 
/pentest/wireless/mdk3/./mdk3 mon0 p -c [channel] -t [target bssid MAC] -f /path_to/ssid_wordlist

If the above fails, then a more desperate measure could be to try and bruteforce the SSID with mdk3 ;

Code:

/pentest/wireless/mdk3/./mdk3 mon0 p -c [channel] -t [target bssid MAC] -b a -s 100

Took me around 30 minutes to go through all characters for a 3 digit SSID, anything above 4 digits is not really worth trying with this method.

So in short, you're better off having a strong encryption / password and not relying on hiding the ssid to make the network more secure.

[Thorn]

In addition to what TAPE said, using a completely passive wireless tool such as kismet will still show a hidden SSID when a client connects to the WLAN. The hidden attribute is only protection against active probes by clients that haven't associated with the WLAN previously. This will help protect you against programs -generally Windows applications- like the Windows Wireless Client or NetStumbler. Other than that, it's useless. Like WEP or MAC filtering, it is only effectively a 'No Trespass' sign. Honest people will respect it, but anyone with bad intent can go right around it.

[thorin]

There is basically zero point in trying to hide your SSID. If someone wants to know it all they have to do is wait for a valid client to connect (one that knows the SSID), during the association process it is sent via plain text.

[george8]

I appreciate all the responses. At least I know my own conclusions were correct. I see little point in hiding the SSID. You know it could have a "reverse effect". Might be someone would think I wonder what is so important in that network that the user is trying to hide its contents?

Sort of like many using a proxy for cloaking an IP. It makes sense but in a way it also draws attention because it sort of makes a person wonder what you are up to that needs a proxy.

[plasmasnake]

hey, i c everywhere ppl say you can deauth a station to reveal the hidden ssid, but the problem is when i use aireplay-ng -0 option, it waits for a beacon, and since a hidden ssid doesnt send any beacons, aireplay-ng fails to send deauth packets. Am I doing something wrong here? or it just doesn't work for this? any help would be appreciated.

[GReekPower]

I think I have a small solution here.
If you have for essid something like "my essid" then you have 2 words seperated by space or in ascii code character 32.
Instead of character 32 you can type character 255 (pressing left Alt and 255).
Character 255 is a blank character and not same as space character...
So everybody will find your essid but ain't login, except the know the 255 character!!!!

[inrikey]

I think I have a small solution here.
If you have for essid something like "my essid" then you have 2 words seperated by space or in ascii code character 32.
Instead of character 32 you can type character 255 (pressing left Alt and 255).
Character 255 is a blank character and not same as space character...
So everybody will find your essid but ain't login, except the know the 255 character!!!!

this is a better solution for the SSID for many reasons

[george8]

I actually just tried what greekpower suggested above. My AP will not allow that character in the SSID stating that it is an illegal character. I wonder if that error is unique to my AP?

Has anyone else here tried to use the character 255 approach for their SSID? As I am typing in the Admin panel of the router it does "jump the space" and appear to be just a normal space, but when I go to save the changes the "illegal character" box pops up and it is disallowed on my AP.

Anyone else here willing to try it and let me know? Thanks