SSID Detection even on APs that Have it Turned Off

Postby subterphuge » Sat Sep 21, 2002 8:22 am

Son of a bitch!

I was sitting around in my car waiting for a friend to get ready and left Kismet running while I waited. The only thing active was an AP with SSID turned off, but there were lots of packets coming in, so obviously it was currently in use. So here I am just listening to the 'thump, thump' of the encrypted packets coming in and then, suddenly, after about 5 minutes, lo and behold, the bastard was revealed! The SSID 'No Hackers Allowed' appeared in place of NO SSID! I shit you not! The only thing I can think of that correlated with the sudden discovery was a Weak WEP packet, as I hadn't stayed in one place long enough prior to that spot to capture any others, and I noticed right away that the count went up from 0 to 1.

I didn't realize it was that easy to get an SSID name, even on those APs that have the SSID broadcast turned off. I wonder if there's any way, from a security standpoint, to prevent this? Or at least harden it from happening? Of course, there's not much that a malicious cracker could do with just the SSID since WEP still has to be dealt with, but still... I wonder how many people name their SSIDs with revealing info, such as the locations of where they are at? Could definitely provide a social engineering hook to those who really wanted to penetrate the AP.

"Yeah, Joyce, this is Bob over at corporate. I need the password to the wireless access point on the second floor... yeah, the one with the 'hidden' SSID of 2ND FLOOR TOP SECRET."

"Well Bob, since you know the name of the hidden SSID which we all know is impossible for those evil 'war-drivers' to detect since we have the broadcast turned off and are using super-secure WEP encryption to protect it, you must be legit and not one of those evil hackers trying to gain unauthorized access into our most trusted networks, so here the password is..."

"Thanks, Joyce. Those damn hackers... always trying to butt their noses into other people's business. Didn't their mommy ever teach them that curiosity killed the cat? Well, gotta run, Joyce. Better get a head-start on these APs that I need to... double-check. I trust its the same password for all of them?"

"Of course, Bob."

"Your secrets are safe with me. MUAHAHAHA."
subterphuge
Location: On the Road, Where the WEP is Weak and the Signal is Strong

Re: SSID Detection even on APs that Have it Turned Off

Postby blackwave » Sat Sep 21, 2002 10:41 am

Originally posted by subterphuge
Son of a bitch!


The SSID is sent in clear text when WEP is enabled, and even when the AP is cloaked. Kismet just needs to wait for some type of communication. Nothing new :)
-=BW=-
blackwave
Location: SoCal, OC

Postby subterphuge » Sat Sep 21, 2002 12:43 pm

All it needs is ANY communication from a remote? It didn't seem to happen until the weak WEP packet came in, and there was a lot of traffic... so I just assumed it wasn't a coincidence.

How weak...

Image
subterphuge
Location: On the Road, Where the WEP is Weak and the Signal is Strong

Postby c0rnholio » Sat Sep 21, 2002 1:44 pm

When a client tries to communicate with an access point, it sends the SSID in the clear during the association stage.

That's all, no magic, no trix...you can't prevent this, because it's defined in the 802.11b standard.

I have also observed weak packets appear when a client associates....

But this is nothing problematic, because it takes a lot more to decrypt WEP traffic...if you have the time to do so, try to set up your own AP with WEP, and sniff the traffic and try to find enough weak packets to get the shared secret...but be sure to have enough coffee (or beer) with you...

cheers
You mean...there is life outside my lab?
c0rnholio
Location: Germany

Postby blackwave » Sat Sep 21, 2002 1:54 pm

Originally posted by c0rnholio
if you have the time to do so, try to set up your own ap with wep, and sniff the traffic and try to find enough weak packets to get the shared secret...but be sure to have enough coffee (or beer) with you...


Especially since there are a few firmware updates that eliminate the generation of interesting packets ;)
-=BW=-
blackwave
Location: SoCal, OC

Postby c0rnholio » Sat Sep 21, 2002 2:03 pm

Originally posted by blackwave
Especially since there are a few firmware updates that eliminate the generation of interesting packets ;)


Yeah, I tried them, to ensure that the manufacturers are not joking ;)
I transferred several gigs of data and wasted about 14 hours, but didn't get the key...I had more than enough interesting packets in AirSnort.

However, it lets me sleep better now ;)
You mean...there is life outside my lab?
c0rnholio
Location: Germany

Postby JoeTampa » Sat Sep 21, 2002 4:44 pm

And, incidentally, AirJack has a utility that allows you to spoof a deauthenticate frame to a user of that AP with the cloaked SSID, forcing it to reassociate and (in the process) divulge the SSID.
JoeTampa

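The mechanism c0rnholio describes (the client's association request carries the SSID in clear text, whatever the AP leaves out of its beacons) and the deauthentication frame JoeTampa says AirJack spoofs to provoke such a reassociation, shown together as an added example. This is not code from any poster, from Kismet or from AirJack: the MAC addresses, SSID and frames are constructed in memory, the capability bits and the reason code are assumptions, and nothing is transmitted. The small tracker does what Kismet's display did in the first post: it holds the BSSID as "no SSID" from the cloaked beacons until some other frame names it.

```python
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST = b"\xff" * 6
SSID_IE = 0
# Management-frame subtypes (frame type 0) and the length of the fixed fields
# that precede the tagged parameters in each frame body.
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0, 2, 4, 5, 8, 12
FIXED_LEN = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12,
             BEACON: 12, DEAUTH: 2}


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


@dataclass
class MgmtFrame:
    subtype: int
    addr1: bytes          # receiver
    addr2: bytes          # transmitter
    addr3: bytes          # BSSID for beacons, (re)assoc requests, probe responses
    ssid: Optional[str]   # None: no SSID element, or a zero-length/NUL-filled one


def parse_mgmt(frame: bytes) -> Optional[MgmtFrame]:
    # 24-byte header: frame control, duration, addr1, addr2, addr3, sequence
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    body = frame[24 + FIXED_LEN[subtype]:]
    ssid = None
    i = 0
    while i + 2 <= len(body):            # walk the id/len/value elements
        eid, elen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + elen]
        if len(val) < elen:              # truncated element: stop parsing
            break
        if eid == SSID_IE:
            # A cloaked AP beacons a zero-length SSID or one padded with NULs.
            clean = val.rstrip(b"\x00")
            ssid = clean.decode("utf-8", "replace") if clean else None
            break
        i += 2 + elen
    return MgmtFrame(subtype, frame[4:10], frame[10:16], frame[16:22], ssid)


class SsidTracker:
    """Remember each BSSID from its beacons; fill in the name the moment any
    other frame carries it in the clear (what Kismet showed in the first post)."""

    def __init__(self):
        self.networks = {}   # bssid -> ssid, or None while still cloaked

    def feed(self, frame: bytes):
        f = parse_mgmt(frame)
        # An undirected probe request names an SSID but no BSSID, so it is
        # not attributed to any network here.
        if f is None or f.addr3 == BROADCAST:
            return None
        bssid = f.addr3
        if f.subtype == BEACON:
            self.networks.setdefault(bssid, f.ssid)
            return None
        # (Re)association requests, directed probe requests and probe responses
        # carry the SSID element unencrypted; WEP only covers data frames.
        if f.ssid and self.networks.get(bssid) is None:
            self.networks[bssid] = f.ssid
            return bssid.hex(":"), f.ssid     # the "hidden" name just leaked
        return None


def _hdr(subtype: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    # frame control (subtype, type 0, flags 0), duration 0, three addresses, seq 0
    return struct.pack("<BBH", subtype << 4, 0, 0) + a1 + a2 + a3 + b"\x00\x00"


def _ie(eid: int, val: bytes) -> bytes:
    return bytes([eid, len(val)]) + val


def build_beacon(bssid: bytes, ssid: bytes) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, ESS+privacy (assumed)
    return _hdr(BEACON, BROADCAST, bssid, bssid) + fixed + _ie(SSID_IE, ssid)


def build_assoc_req(client: bytes, bssid: bytes, ssid: bytes) -> bytes:
    fixed = struct.pack("<HH", 0x0411, 10)        # capabilities, listen interval (assumed)
    return _hdr(ASSOC_REQ, bssid, client, bssid) + fixed + _ie(SSID_IE, ssid)


def build_deauth(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    """The frame an AirJack-style tool spoofs (AP -> client; reason 7 is
    'class 3 frame from non-associated station') to force a reassociation.
    Built in memory only; nothing here transmits."""
    return _hdr(DEAUTH, client, bssid, bssid) + struct.pack("<H", reason)


def demo():
    ap, client = mac("00:02:2d:aa:bb:cc"), mac("00:09:5b:11:22:33")  # constructed
    t = SsidTracker()
    for _ in range(3):                     # cloaked beacons: still "no SSID"
        t.feed(build_beacon(ap, b""))
    assert t.networks[ap] is None
    # One client (re)association is all it takes, with or without a deauth nudge.
    return t.feed(build_assoc_req(client, ap, b"No Hackers Allowed"))
```

`demo()` returns `('00:02:2d:aa:bb:cc', 'No Hackers Allowed')`: three cloaked beacons leave the network nameless, and the first association request resolves it. The WEP caveat the posters make holds in the code as well: the SSID element sits in an unencrypted management frame, so WEP, which protects only data frames, plays no part in hiding it, and a deauthentication frame merely shortens the wait for the next association.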
