25 May 2010

SSID

The SSID is the first piece of information required to connect to a wireless network. 802.11 networks use the SSID to distinguish BSSes from each other. By itself the SSID is not intended to serve as a password or access control measure, but vendors often lead users to believe that it does. Gathering the SSID is simple: if the target access point responds to a broadcast SSID Probe, most wireless card drivers configured with an SSID of ANY will be able to associate with the wireless network. Setting the SSID to ANY usually makes the driver send a Probe Request to the broadcast address with a zero-length SSID. This, in turn, causes any access point that responds to such requests (most do by default) to issue a response carrying its SSID and other information. In the intended case this makes life easier for the user, who doesn't have to remember the SSID to connect to the wireless LAN, but of course it also makes it much simpler for attackers to gather this data. SSIDs can be found in a variety of 802.11 traffic:

Beacons

By default, beacons are sent continually by the access point and can be observed with a wireless sniffer. The Ethereal filter string to see only beacons is: wlan.fc.type==0 and wlan.fc.subtype==8

If you would like to filter out the beacon frames (they are transmitted constantly and get in the way), just enclose the previous statement in !(), like so: !(wlan.fc.type==0 and wlan.fc.subtype==8)

Probe Requests

Probe Requests are sent by client systems wishing to connect to the wireless network. If the client is configured with an SSID, it will be shown in the request. A Probe Request with a null SSID likely indicates a network name of ANY configured for the card.

Probe Responses

Probe Responses are sent in response to a Probe Request. The Probe Request can either have a blank SSID or the SSID of the network the client wishes to connect to.

Association and Reassociation Requests

These requests are made by the client when joining or rejoining the network. Reassociation requests are meant to support wireless clients roaming from access point to access point within the same ESS (Extended Service Set), but they can also be issued if a client wanders out of a given AP's range and then back into range.

If the network you are monitoring has blocked broadcast Probe Responses or removed the SSID from beacon frames, you may need to wait until a client tries to reassociate to obtain the SSID. You can help this process along with the essid_jack tool from the Air-Jack toolkit (http://sourceforge.net/projects/airjack/). essid_jack sends a deauthentication frame to the broadcast address, spoofed to look like it is coming from the access point. This kicks all the active clients off the given channel and causes them to try to reconnect to the WLAN. The client Probe Requests and AP Responses will contain the "hidden" SSID.

To use essid_jack, supply the BSSID and channel of the wireless network you are trying to enumerate. By default, it will send the packet to the broadcast address, affecting all active clients, but you can specify a single client MAC to target with the -d switch, as shown here:

[root@localhost tools]# ./essid_jack -b 00:40:96:54:1c:0b -d 00:02:2D:07:E2:E1 -c 11 -i aj0
Got it, the essid is (escape characters are c style): "sigma"
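As an added example (not code from the book or from the Air-Jack project), the following Python applies the type/subtype logic behind the Ethereal filter above to raw 802.11 management frames: it recovers SSIDs from the frame kinds listed, notes BSSIDs that beacon a zero-length (hidden) SSID, and counts broadcast deauthentication frames per source so a monitor can flag the storm a tool like essid_jack produces. The frames are constructed inline; the MAC addresses are the ones from the essid_jack output above, and the deauth threshold is an assumption.

```python
from collections import Counter

# 802.11 management subtypes (wlan.fc.type == 0); values match wlan.fc.subtype in the filter above
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0, 2, 4, 5, 8, 12
FIXED = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}  # fixed bytes before the IEs
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build(subtype, dst, src, bssid, ssid=None):
    """Constructed test frame: frame control, duration, addr1-3, seq ctrl, fixed fields, optional SSID IE."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + h(dst) + h(src) + h(bssid) + b"\x00\x00"
    body = b"\x00" * FIXED.get(subtype, 2)            # deauth carries a 2-byte reason code, no IEs
    if ssid is not None:
        body += bytes([0, len(ssid)]) + ssid.encode()  # Element ID 0 = SSID; length 0 = hidden/ANY
    return hdr + body

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, addr3, ssid); ssid is '' for a zero-length IE, None if absent."""
    if (frame[0] >> 2) & 0x3 != 0:                    # type is bits 2-3 of the first byte; 0 = management
        return None
    subtype = (frame[0] >> 4) & 0xF                   # subtype is bits 4-7
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    ssid, pos = None, 24 + FIXED.get(subtype, len(frame))
    while pos + 2 <= len(frame):                      # walk tagged IEs: 1-byte ID, 1-byte length, value
        tag, length = frame[pos], frame[pos + 1]
        if tag == 0:
            ssid = frame[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            break
        pos += 2 + length
    return subtype, a1, a2, a3, ssid

def survey(frames, deauth_threshold=3):
    """Map BSSID -> leaked SSID, list BSSIDs beaconing a hidden SSID, flag broadcast-deauth sources."""
    ssids, hidden, deauths = {}, set(), Counter()
    for f in frames:
        p = parse_mgmt(f)
        if p is None:
            continue
        subtype, a1, a2, a3, ssid = p
        if subtype == DEAUTH and a1 == BROADCAST:     # spoofed AP source kicking every client at once
            deauths[a2] += 1
        elif subtype == BEACON and ssid == "":
            hidden.add(a3)
        elif ssid and a3 != BROADCAST:                # probe resp / (re)assoc req reveal the name
            ssids.setdefault(a3, ssid)
    storms = sorted(s for s, n in deauths.items() if n >= deauth_threshold)
    return {"ssids": ssids, "hidden": sorted(hidden), "deauth_storms": storms}

AP, CLIENT = "00:40:96:54:1c:0b", "00:02:2d:07:e2:e1"   # constructed capture using the MACs shown above
SAMPLE = [build(BEACON, BROADCAST, AP, AP, "")] * 3 + [build(DEAUTH, BROADCAST, AP, AP)] * 3 \
       + [build(REASSOC_REQ, AP, CLIENT, AP, "sigma")]
```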

See Also:

Hacking Exposed Wireless

biOos