Re: Wireless SSID discovery

[Olivier Fauchon <olivier () aixmarseille com>]

Andrew Bagrin wrote:
> I'm doing a wireless pen-test and am able to use aircrack  to crack
> the wep key, however, when I use Kismet, Cain, airdump etc.. I can't
> get the SSID of a the access point if the SSID broadcast has been
> disabled.  Does anyone know how to do this, or is there any tools that
> will let you get the SSID even if its not being broadcasted.
>
> Thanks,
>
> Andrew
>
> !DSPAM:41c723d1225102275466979!

Ok, hidden SSID must not be considered as a security feature. Because 
SSID (wireless network name) is not only sent in beacons ( Network 
announcement frames), but in probe/responses, association and 
reassociations frames too.

You can disable SSID in beacon frames only. All other management frames 
contains the SSID or the network.

There are many ways to discover the hidden SSID

- Forge DISASSOCIATE frames, to a station seaming to come from the 
ACCESS POINT, so the station tries to reassociate (and send the SSID)
- Reboot a client, so it reassociate when it initialize (if you have 
physical access to equipements)
- RF jam (interferences) a client so it tries to reassociate (and expose 
SSID)
- Install a fake Access point near a client with weak signal so it tries 
to roam (probe requests will be sent).

Hope that helps.


--
Olivier Fauchon
GNU/Linux Systems Specialist
Certified Wireless Network Administrator

Email: olivier () aixmarseille com
Web: http://www.aixmarseille.com