Detecting a wireless SSID

Hi Everyone,

I enjoy learning about wireless networks and I have a few installed in my apartment. I have a question. If the SSID of a WLAN is not broadcast, how can a hacker discover the network? What types of software would he use?

For my home, I use NetStumbler, but because my SSID is disabled, it won't detect it. I'm trying to understand if there are any other security holes. I've enabled encryption, MAC filtering, limited IP range, and disabled SSID. Thanks for the help!

Duy

Reply to
dnguy19

Believe me, you have done everything right. Unless you have a Super Hacker that is an enemy, I would not worry about it.

Reply to
Robert Jacobs

"Robert Jacobs" wrote in news:IU_Kd.4411$To.3800@trnddc09:

No, he hasn't done everything right.

Yes, he shouldn't worry about it.

The SSID is *intended* to be broadcast. Hiding it is a bogus security measure. The SSID is always broadcast and *cannot* be hidden - just because NetStumbler does not report it is a function of the way the tool works.

Hiding the SSID will cause useful things to not work properly, or at all. Have a look here:

Security should be based on encryption and authentication. 'Security by obscurity' is no security at all.

In order:

- As best you can (username, strong password) secure the access to your wireless access point's config.

- If you have WEP, use it. Its crackability is often exaggerated.

- If you have WPA-PSK, use it. Although the encryption is the same as WEP, the fact that the keys are changed frequently (TKIP) means there isn't enough time to crack it.

- If you have - or can set up - a RADIUS server, use WPA. This will provide proper authentication.

- If you have AES encryption available (part of WPA2), use it. This uses a more secure encryption algorithm and is the best solution currently available for securing a home wireless network.

All other commonly touted 'security' techniques are simply 'security by obscurity'. A cracker will have the tools to overcome them. At best, you are making it more difficult for your friendly next door neighbour to accidentally access your network. You are not deterring anyone with determination.

Hope this helps

Reply to
Richard Perkin

Why does linksys publish this regarding the SSID:

"To increase Network Security, most Wireless Access Points and Wireless Routers are capable of disabling the SSID from being broadcasted into the open air. With the SSID Broadcast enabled, someone could obtain your SSID with simple Site Survey software and possibly gain access to your Wireless network."

-- cnewton at akaMail.com Anti-Spam filter in place--

Reply to
Curtis Newton

so what do you think he did wrong?

Reply to
Robert Jacobs

ahh, saw the rest of your post. I don't believe anyone around here has ever said not broadcasting your SSID was a security function, it just keeps nosy people away. And as far as making things not work on your network, that's bull. If you set a device to access a certain SSID, even if it's not broadcasting, it will connect if it's working properly. And I believe I stated that it won't keep out someone that is determined, but most crackers won't bother with secured networks as there are so many open ones.

Reply to
Robert Jacobs

If you enjoy learning, learn about VPNs. I have a few in my apartment and started playing with PDAs with built-in wireless (iPAQ 4551), they don't do WEP very well, but have built-in VPN client stuff, seemed like a good idea to learn about em and find out how to set my system up as a private VPN... Really cool, and then you don't have to worry so much about the other stuff.

Reply to
Peter Pan

"Robert Jacobs" wrote in news:5W3Ld.4861$To.2153@trnddc09:

Please do not top post. If you hadn't fallen into this bad habit :) then you might have read my whole post...

No, that's what I said. But many others have fallen into the error of believing that a broadcast SSID is somehow 'bad' and introduces a security hole. It doesn't. I believe the error dates from early days when wireless security was less well understood, and it is now repeated without any justification.

However, it's not really sensible for commercial organisations to reveal their identity, so using an SSID which is not the same as your business name is a good thing. But that's not the same as security...

No it doesn't - it creates a problem. Things stop working, or stop working well. At its simplest, neighbours cannot see your network with (for example) the usual supplier's utility program for setting up a card, and so may use a channel which overlaps with a channel already in use. This causes interference. You're just being a 'bad neighbour'.

I repeat: the SSID is *designed* to be broadcast. As a more complex example, an Extended Service Set and roaming will not work properly without it.

Nope, you're *wrong*

I never said otherwise. But if that's all you think the SSID is for, I regret to say that you're wrong.

Agreed

Please read the paper in the link above. If you disagree with what it says, I'd be interested to hear your arguments.

Kind regards

Reply to
Richard Perkin

I won't dispute the article, since I don't go around testing out these things, but I will say that most home network users don't go around roaming from one AP to the other, so I don't think most people will have problems with not broadcasting their SSID.

Reply to
Robert Jacobs

from the article: Since a station always includes the SSID in the ASSOCIATE message, it can be forced to expose a hidden WLAN through a simple active attack. To do this, an attacker simply sends a forged DISASSOCIATE message to an active station, seemingly coming from the AP. Within seconds (at most 30), the station will REASSOCIATE, exposing the SSID. This simple attack means that the only WLAN that can be successfully hidden is one that is not being used.

exposing the ssid is an extra step which can take up to thirty seconds to determine ssid. that makes wardriving a little difficult, doncha think? and if the network is not being used at the time (i.e. at night, while people are sleeping), it *is* successfully hidden.

if the attacker knows a network exists but not the name, they can take steps to find it, but if they are just wardriving, it is probably not going to be noticed at all. it may not stop the dedicated, but it will stop some, and that is always welcome.

i don't have any specific numbers, but i know very few people who need more than one base station and hiding ssid is an option for them. if a more elaborate network setup needs ssid in the clear, so be it. if their house is large enough that they need more than one base station, then nearby houses are probably not close enough to matter that much.

if one is associated with a specific network that has a hidden ssid, and another network appears with ssid not hidden, that blindly overrides it????

that sounds like a bug in windows (or a stupid feature, since it is 'by design'). whatever your opinion is on ssid hiding, if a user picks a given network, the computer should remain connected to that network. period. also, not everyone uses windows.

my first responsibility is my network security. being a 'good neighbor' comes in second. sorry. and in many cases, houses are far enough apart that it won't matter. if a neighbor's network appears and interferes with mine, i can be a 'good neighbor' and switch channels on my own.

it is not a myth. for the typical user, it is hidden. yes, a skilled attacker can figure it out, but it is just one more step to overcome.

it is kinda like locking your car. someone can always toss a brick thru the window. locking a car won't stop the dedicated thief, but it does stop the opportunist.

because it is one more step for the attacker to overcome, and the drawbacks are minimal, if any.

Reply to
nospam

There's a bit more to that mis-feature than Microsloth admits. If you turn off SSID broadcast on your access point, and someone else sets up an access point nearby to broadcast the same SSID, wireless clients will ALWAYS select the one being broadcast. There's no filtering by the MAC address of the access point.

This caused a rather nasty problem at one company, where some hacker set up a man in the middle exploit with this trick. He was apparently capturing all kinds of good info and had successfully cracked the WEP key. The only reason he was caught was that someone noticed that Netstumbler was returning the company SSID when it should not have been visible. It's ironic that this company implemented SSID broadcasting instead of SSID hiding as a security measure.

In my never humble opinion, SSID hiding is a waste of time. The only reason it's popular is that nobody has bothered to scribble a simple Windoze sniffer that will sniff association request frames for the SSID. I'm tempted to write one just to prove the point, but I'm a really lousy programmist. Anyway, Kismet will easily show "hidden" SSID's.

Drivel: SSID appears in several types of frames, not all frames. These are:

- BEACON frames

- ASSOCIATION REQUESTS

- REASSOCIATION REQUESTS

- ASSOCIATION RESPONSES

- PROBE REQUESTS

- PROBE RESPONSES

Disabling SSID broadcasts plants a blank SSID in the BEACON and PROBE RESPONSE frames. The others still have the SSID in the frame and can be easily sniffed.

Ah, some detail:

Reply to
Jeff Liebermann
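
The frame-type point in the post above, as an added example that is not part of the thread: a Python parser that pulls the SSID element out of 802.11 management frames and reports which access points blank the name in their beacons while clients still send it in (re)association requests. The frames are constructed byte strings, and the names `parse_ssid`, `exposed_ssids`, `mk` and the SSID `homenet` are assumptions; it covers the beacon, probe and (re)association request subtypes only.

```python
# Added example; not code from the thread. All sample frames are constructed.
# Bytes of fixed fields that precede the tagged elements, per mgmt subtype.
FIXED_LEN = {0x0: 4, 0x2: 10, 0x4: 0, 0x5: 12, 0x8: 12}
NAMES = {0x0: "assoc-req", 0x2: "reassoc-req", 0x4: "probe-req",
         0x5: "probe-resp", 0x8: "beacon"}

def parse_ssid(frame: bytes):
    """Return (subtype, bssid, ssid), or None for unsupported/malformed frames.
    ssid is "" when element 0 is empty or all NUL bytes (a 'hidden' SSID)."""
    if len(frame) < 24:                      # shorter than the 24-byte MAC header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None                          # not a management frame we handle
    bssid = frame[16:22].hex(":")            # address 3 carries the BSSID
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):             # walk the id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None                      # truncated element
        if eid == 0:                         # element id 0 is the SSID
            ssid = body.strip(b"\x00").decode("utf-8", "replace")
            return NAMES[subtype], bssid, ssid
        pos += 2 + elen
    return None

def exposed_ssids(frames):
    """Map each BSSID with a blank beacon/probe response to names seen elsewhere."""
    hidden, seen = set(), {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None:
            continue
        kind, bssid, ssid = parsed
        if kind in ("beacon", "probe-resp") and not ssid:
            hidden.add(bssid)
        elif ssid:
            seen.setdefault(bssid, set()).add(ssid)
    return {b: seen.get(b, set()) for b in hidden}

def mk(subtype, bssid, ssid, sta=b"\x02\x00\x00\x00\x00\x01"):
    """Build a constructed test frame (addresses simplified; addr3 = BSSID)."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + bssid + sta + bssid + b"\x00\x00"
    return hdr + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

AP = bytes.fromhex("02aabbccdd01")           # constructed, locally administered
SAMPLE = [mk(0x8, AP, b""), mk(0x8, AP, b"\x00" * 7),
          mk(0x0, AP, b"homenet"), mk(0x2, AP, b"homenet")]

if __name__ == "__main__":
    print(exposed_ssids(SAMPLE))
```

Run against a capture of your own network, the same walk shows whether the "hidden" name appears as soon as any client associates.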

Curtis Newton wrote in news: snipped-for-privacy@4ax.com:

The first sentence is entirely incorrect. The SSID is *always* transmitted. Using the feature provided will stop beacon frames being transmitted: this does not prevent the SSID being transmitted in other frames. Statements like this appear to be a misunderstanding of both IEEE 802.11 and what 'security' means...

The second sentence is partially correct: someone could attempt to associate with your network using the SSID. They could indeed 'possibly' gain access. They will of course fail if they do not authenticate, and even if authenticated all traffic will be dropped if not encrypted correctly.

I repeat what I said previously: I believe the error dates from early days when wireless security was less well understood, and it is now repeated without any justification.

Here also is a statement from Microsoft (OK, OK...): showing something else that doesn't work when SSID broadcast is disabled.

Hope this helps

Reply to
Richard Perkin

Richard Perkin is right though, on both counts...

Reply to
Floyd L. Davidson

"Robert Jacobs" wrote in news:Er5Ld.3344$zb.630@trnddc07:

Please do not top post.

As far as your comment goes:

  1. You say "I won't dispute the article". Good. It does of course state with justification that SSID 'hiding' is not possible, nor any form of security. In that case, why do it?
  2. What evidence do you have about "most home network users", or indeed the absolute numbers who are affected? How large is your home? How solidly is it constructed? Do you have any outbuildings where you require network access? Do you or anyone who you know use a repeater? That's an example where an ESS is formed from the multiple access points and roaming will/should occur. My moderately large network covers a large area, and I use two additional access points to increase coverage and remove dead spots.
  3. As far as not having problems is concerned, here is a statement from Microsoft (OK, OK...):

showing something else that doesn't work properly when SSID broadcast is disabled.

  4. As I said earlier, 'hiding' your network from your neighbour can lead to interference. All you're doing is being a bad neighbour...

Stopping SSID broadcast is a myth. It can't be done - yes, the transmission of beacon frames can be disabled (in violation of IEEE 802.11), but the SSID is *always* transmitted in other frames.

It cannot be stopped. It's not designed to be stopped. It causes problems. It leads to the 'bad neighbour' syndrome, potentially causing interference. It does not increase security. So why do it?

Kind regards

Reply to
Richard Perkin

But other people might. Notice that the OP said that Netstumbler doesn't detect his own network because it isn't broadcasting SSID. A neighbor setting up his wireless network also won't see the OP's network with Netstumbler and might set his network to the same channel, possibly causing reception problems for both. If the neighbor also gets the bright idea to disable *his* SSID, then he and the OP and anybody else setting up a wireless network nearby will be left to guess about the cause of interference problems and won't know which channels to avoid.

Hiding SSID is roughly analogous to making your car invisible so that it won't be a target for vandals and thieves. So long as you're the only one doing this and you drive very carefully, you might get away with it. But if other people start turning their cars invisible, you've got trouble. You'll need to get some kind of radar -- by analogy, sniffing software that can see hidden wireless networks -- so that you can detect and avoid the other invisible cars on the road. If a lot of other people get radar, there is soon no point in having an invisible car, as the vandals and thieves will also be able to detect the invisible cars. Of course, the bad guys always *were* able to detect your car: making it invisible just protected it from the harmless.

Reply to
Neill Massello

Yawnnn, Dam!!!!!! top posted again........ As far as the SSID, I will not broadcast mine and my network will continue to work just fine, and you continue to broadcast yours and your network will work just fine....

Reply to
Robert Jacobs

Taking a moment's reflection, Robert Jacobs mused:
|
| ahh, saw the rest of your post. I don't believe anyone around here has ever
| said not broadcasting your SSID was a security function, it just keeps
| nosy people away. And as far as making things not work on your network,
| that's bull. If you set a device to access a certain SSID, even if it's not
| broadcasting, it will connect if it's working properly.

Not lately, but people used to recommend it all the time here.

As for disabling SSID breaking functionality being bull ... it's not. With SSID disabled, my Linksys WPG54G will not consistently connect to my wireless network.

Reply to
mhicaoidh

Taking a moment's reflection, Robert Jacobs mused:
|
| I won't dispute the article, since I don't go around testing out these
| things, but I will say that most home network users don't go around
| roaming from one AP to the other, so I don't think most people will have
| problems with not broadcasting their SSID.

... except then you run the risk of multiple networks all being on the same channel, and interfering with one another ... with no one being the wiser since they can't see them.

Reply to
mhicaoidh

Then you have something set up wrong in your wireless connection.

Reply to
Robert Jacobs
