hidden ssid

13 posts by 6 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: January 3, 2005:
  • Is it possible to find the exact SSID in a WEP-enabled environment? I examine the beacons and the encrypted data with AiroPeek but can't get the SSID of my network; AiroPeek puts dots (.) for every character in the SSID. And AiroPeek only shows ...s for the SSID.
    How can I find the SSID of a hidden network?

  • Hi:

    1. To discover the "hidden" SSID ask someone who knows it or check the SSID field of a configured station. Ok, I just had to get that one out of the way.

    2. Assuming that the service set is operational and stations are configured with the SSID, capture management frames that carry the SSID even when the SSID is "hidden" -- that is probe request, probe response, association request, and reassociation request. That's all it takes, and you probably won't have to wait long.

    3. If you want to wait less for the above capture, transmit a disassociation request or a deauthentication request with the receiver address of an operational client; this will provoke one or more of the above frames that will reveal the "hidden" SSID. Crafting that management frame is non-trivial with standard tools, but someone has probably written an application to do it easily.

    4. Tell everyone who will listen that hiding SSIDs is a violation of the 802.11 standard and should be avoided, especially since the adoption of the 802.11i amendment.

    Thanks. /criss
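    As an added illustration of point 2 above (example code written for this page, not Criss's or the forum's), the following Python parses the SSID information element out of 802.11 management frames. It shows why "hiding" only blanks the beacon: a beacon for a hidden network carries an empty (or NUL-filled) SSID element, while a probe response or association request for the same BSS carries the name in cleartext. The frames, addresses and the SSID "corpnet" are constructed samples, not a real capture; useful for checking what your own AP actually exposes in each frame type.

    ```python
    import struct

    # 802.11 frame-control decoding (type 0 = management) and the management
    # subtypes that carry an SSID information element, as listed in the post.
    MGMT_TYPE = 0
    SUBTYPES = {
        0: "association request",
        2: "reassociation request",
        4: "probe request",
        5: "probe response",
        8: "beacon",
    }
    # Length of the fixed fields between the 24-byte MAC header and the first
    # information element, per subtype.
    FIXED_FIELD_LEN = {
        0: 4,    # capability(2) + listen interval(2)
        2: 10,   # capability(2) + listen interval(2) + current AP address(6)
        4: 0,    # probe request body starts directly with information elements
        5: 12,   # timestamp(8) + beacon interval(2) + capability(2)
        8: 12,   # beacon: same layout as probe response
    }
    IE_SSID = 0             # element ID of the SSID information element
    IE_SUPPORTED_RATES = 1
    MAC_HEADER_LEN = 24


    def parse_ies(body):
        """Split a tagged-parameter body into (element_id, value) pairs."""
        ies = []
        i = 0
        while i + 2 <= len(body):
            eid, length = body[i], body[i + 1]
            value = body[i + 2:i + 2 + length]
            if len(value) < length:  # truncated capture: stop rather than misparse
                break
            ies.append((eid, value))
            i += 2 + length
        return ies


    def ssid_from_frame(frame):
        """Return (subtype name, ssid) for a management frame, or None.

        ssid is the decoded name, "hidden" when the element is empty or all NUL
        bytes (the two common ways an AP blanks the SSID in beacons), and None
        when the frame carries no SSID element at all.
        """
        if len(frame) < MAC_HEADER_LEN:
            return None
        (fc,) = struct.unpack_from("<H", frame, 0)
        ftype = (fc >> 2) & 0x3
        subtype = (fc >> 4) & 0xF
        if ftype != MGMT_TYPE or subtype not in SUBTYPES:
            return None
        body = frame[MAC_HEADER_LEN + FIXED_FIELD_LEN[subtype]:]
        for eid, value in parse_ies(body):
            if eid == IE_SSID:
                if len(value) == 0 or value.count(0) == len(value):
                    return (SUBTYPES[subtype], "hidden")
                return (SUBTYPES[subtype], value.decode("utf-8", errors="replace"))
        return (SUBTYPES[subtype], None)


    def ssid_exposure(frames):
        """Audit a capture: map each management subtype to the SSID it revealed."""
        seen = {}
        for frame in frames:
            parsed = ssid_from_frame(frame)
            if parsed is not None:
                seen[parsed[0]] = parsed[1]
        return seen


    # --- constructed sample frames (made-up addresses, not a real capture) ----
    BSSID = bytes.fromhex("0213c0ffee01")
    STA = bytes.fromhex("0213c0ffee02")
    BROADCAST = b"\xff" * 6


    def build_mgmt_frame(subtype, addr1, addr2, fixed_fields, ies):
        fc = (MGMT_TYPE << 2) | (subtype << 4)
        header = (struct.pack("<H", fc) + b"\x00\x00"   # frame control, duration
                  + addr1 + addr2 + BSSID               # DA, SA, BSSID
                  + b"\x00\x00")                        # sequence control
        tagged = b"".join(struct.pack("BB", eid, len(v)) + v for eid, v in ies)
        return header + fixed_fields + tagged


    BEACON_FIXED = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
    RATES = (IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))

    SAMPLE_BEACON = build_mgmt_frame(8, BROADCAST, BSSID, BEACON_FIXED,
                                     [(IE_SSID, b""), RATES])       # "hidden"
    SAMPLE_PROBE_RESP = build_mgmt_frame(5, STA, BSSID, BEACON_FIXED,
                                         [(IE_SSID, b"corpnet"), RATES])
    SAMPLE_ASSOC_REQ = build_mgmt_frame(0, BSSID, STA,
                                        struct.pack("<HH", 0x0411, 10),
                                        [(IE_SSID, b"corpnet"), RATES])

    if __name__ == "__main__":
        capture = [SAMPLE_BEACON, SAMPLE_PROBE_RESP, SAMPLE_ASSOC_REQ]
        for name, ssid in ssid_exposure(capture).items():
            print(f"{name:22s} -> {ssid}")
    ```

    Run against the three sample frames, the beacon reports "hidden" while the probe response and association request both report "corpnet", which is the whole of Criss's point: the name is only absent from the frame type you chose to blank, not from the air. The same parser applied to frames exported from a real capture tool tells you which of your own frame types leak the name.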

  • Criss_Hyde wrote:

    4. Tell everyone who will listen that hiding SSIDs is a violation of the 802.11 standard and should be avoided, especially since the adoption of the 802.11i amendment.

    I have to disagree a bit here. For one the 802.11i standard is not in high use at this time. Secondly hiding the SSID, although very minimally, provides a slight security increase. If nothing else it keeps casual eavesdroppers off of your network. This is especially true if you are running wireless at your home. Often times when standards of any kind are created, it is done with little or no regard for security.

  • By (Deleted User)

    Hi Sys73m47ic(sic):

    After 1999 802.11's one cipher suite, WEP, was discovered to be miserably broken and serious work began to fix 802.11 security. In the meantime several faux security practices became popular, such as "hiding" the SSID.

    TKIP was introduced by the Wi-Fi Alliance in 2003, a year before it was standardized by the IEEE, and was specifically engineered to be compatible with the majority of existing WEP based 802.11 hardware.

    Since the 802.11i amendment in 2004, the 802.11 standard has three cipher suites -- WEP (essentially unchanged), TKIP, and CCMP. The 802.11i amendment was all about fixing 802.11 security and doing it right, TKIP for older hardware and CCMP for newer hardware to come. Did that amendment add anything to the 802.11 standard about "hiding" SSIDs? No, it did not. Hellooo?

    The very existence of silly faux security practices -- such as "hidden" SSIDs, obscure SSIDs, MAC filters, cell sizing (except for performance), DHCP denial, turning equipment off -- keeps some people from doing what they should: abandon WEP and implement real or robust security based on TKIP and/or CCMP.

    Anyone who has 802.11 hardware in production use that cannot be upgraded to TKIP (such as the first two generations of Apple Airport base stations) should replace it. Period.

    I hope this helps.

    Thanks. /criss

  • By (Deleted User)

    I am very well aware of the security mechanisms involved with wireless networks. I am not arguing the fact that hiding the SSID provides some robust security solution. What I am saying is that, even though it is security through obscurity, it does help when the kiddies drive by your house with NetStumbler. Granted, it is only a mild deterrent, but then again so is standard WEP. You should make it as difficult as possible to gain access to your network. If you are at your home and your network has WEP, MAC filtering, and hiding the SSID, then someone may be more likely to just go hit up your neighbor's house that has a default install, depending on their motivation.

    Obscuring the SSID also makes sense. If you are in a business park and you are blasting an SSID that identifies your company, then someone is going to know exactly what organization has that access point. I mean, why hand a potential attacker any more information? Make them work for it. It may not make a whole lot of sense security-wise, but from an information leakage standpoint it makes sense.

    Yes, for a business there is no excuse and a better solution should be investigated. The best security practices involve layering. Why use one layer of security when you can use 2, 3, or 4? Many businesses do not understand their wireless networks or the potential hazards they pose, so they will continue to throw up open wireless networks.

  • By (Deleted User)

    Hi Guest:

    I assume others will be reading our posts, so I add information for their benefit. And I assume everybody knows hiding SSIDs and obscuring SSIDs is not robust security.

    I oppose so called security by obscurity. It is a waste of time, creates confusion for customers, and instills a false sense of real security that keeps people from using real security. The IEEE never intended any security in the use of SSID. The spotlight for 802.11 security should be on TKIP, CCMP, and key management.

    If you are using TKIP or CCMP and protecting your keys, you need not and should not care when the kiddies go by your home or business with NetStumbler.

    If a homeowner with skeleton key locks (WEP) on his doors asked for security advice, it would be silly to suggest he take the house number off the front porch and mailbox, paint the doors the same color as the house, make the door jambs stick, and make the door knobs fall off unless turned counter-clockwise. He should get some real locks, protect the keys, and not make life hard for himself, his friends, and his mailman.

    It is a pleasure corresponding with you, although I wish I knew your name!

    Thanks. /criss

  • By (Deleted User)

    Very interesting debate on wireless security might I say. I enjoy this forum!

    I too would love to know the "hidden" SSID of the challenger to Criss.

    It is not I, for I am just a servant in the court of kings.

    I am studying the thesis of CWAP, and boy does my brain hurt.

  • Sorry for not posting my name on the forum. I was at a hacker conference, and for obvious reasons, did not want to log in to my account.

    I think you are missing the point a bit. Like I had stated before, it does not provide robust security. What I am saying is it would fall under the category of "best practices." Security involves layering as I stated before. Here is an example. Microsoft has a history of providing an operating system that has many services started by default. These services can actually leave your system open to remote compromise. It is a best practice to disable these services if they are not in use and properly configured. Also, there is nothing in the OS documentation that says to change service banners to cloak the running service. These are just some of the things we do as best practices. They do not provide huge security solutions, but they do serve a purpose. That is my point. Just because an organization did not intend for something to be configured a certain way, does not mean it is not a good idea to do.

    Now to the issue of causing confusion. I do not understand how that can be. If you have a competent systems administrator they should know how to properly set up a wireless client. Users should not be adjusting their own settings. Most of these issues would be transparent to the user.

    Security through obscurity, on its own, is not a protection measure. I totally agree with that. On the other hand, when used with a more robust security solution, it does serve a small purpose in the total security scheme.

  • By (Deleted User)

    Hi Sysmin:

    I think I understand your point exactly. I just disagree. (Yes, layering is a good thing.)

    Fiddling with the SSID for security purposes was born out of the heartbreak of WEP 2000-2003. It was a misfortune. It is a shame it earned "best practice" notoriety. It should be laid to rest along with WEP. It should not stand in the way of immediate use of TKIP or CCMP.

    Use SSID for what it was intended -- distinguishing your service sets from someone else's.

    See Jim Geier on this subject as well.

    I hope you agree that I see your point, even if you disagree with mine!

    Thanks. /criss

  • You are correct, it is very sad. It is sad that security, more often than not, is an afterthought instead of being built into the specification in the first place.

    Another thing that I find funny is all of the "security experts" who talk about how this is possible and how that is possible, yet have never taken the time to actually do it. One example is cracking WEP. I wish I had a dollar for everyone I hear talking about cracking WEP. Not many of them have actually done it, know what it takes, or know the processes involved. Some of these people actually write books, which is very sad. My advice to everyone who claims to be a "security expert" is to actually see what you talk about in action. Sometimes, even though it is possible, it is not as easy as clicking a button. I mean, if it was that easy then the original poster would have easily been able to get the information that he sought. Which makes me wonder about the original poster: if this is a network you are supposed to be on, then wouldn't someone have given you that information?

    I am glad that we both see each other's point, and just agree to disagree. For the moment anyway; the future always brings changes.
