Case study of wireless networks to find hidden SSID

As a network administrator, security issues cannot be ignored or avoided. network firewall, IDS, IPS, and wireless networks all use 802.1x authentication methods with high security levels, however, if the company's internal staff access an AP without permission, it is used to disclose confidential files to the outside world in real time, or if someone with ulterior motives places illegal APS on the company's idle network interfaces to steal sensitive information, the seemingly solid network security is likely to crash because of this "ant nest.

What is the SSID? The Service Set Identifier (SSID) is used to distinguish different networks or autonomous domains. In short, the SSID is the ID of a LAN, which can contain up to 32 characters. The SSID is just an identifier. What is the relationship between it and "security? Let's look back at the process of connecting to the company AP. Click the icon in the lower right corner and select the SSID to be connected. If you need to authenticate the connection, enter the password twice. This completes the wireless network connection. Why can I see the SSID? This is because the AP has enabled the Broadcast SSID option when setting it to facilitate User connection. If a hacker wants to steal confidential data by placing an illegal Rogue AP in the network, I believe it will not be silly enough to open the broadcast and tell the Administrator that there is an AP in your network with "excellent signal quality", right? We can boldly assume that all the SSID we don't know may be illegal, and any hidden SSID we don't see will be illegal! Maybe there is such an evil small AP in your network now!

Although SSID broadcast is disabled, we can still find the SSID by listening to wireless packets and "pivoting" the wireless network. Airmagnet Laptop is such a professional wireless network testing software, the method of disabling SSID broadcasting cannot be avoided. Annouced SSID (advertised SSID): NO, SSID: test_lab. Airmagnet quickly and accurately obtains the information we need, and tells us that it originally did not broadcast the SSID, to see how this function is implemented.

First, let's take a look at how the AP broadcasts the SSID. When the AP is powered on, it will send Beacon frame (Beacon frame) broadcast. BI (sending interval of Beacon frames) is 100 milliseconds, that is, 10 Beacon frames are sent every second, let's take a look at the captured Beacon frame and see what it contains? The most basic signal strength, the Channel, and of course the SSID parameter set: "test_lab. If the AP broadcasts the SSID, the information contained in the beacon frame will be added to the center for broadcasting, in this way, the existence of such an SSID can be seen in the PC "view wireless network. What is the Beacon frame that does not broadcast the SSID? (), SSID parameter set: "\ 000 \ 000 \ 000 \ 000 \ 000 \ 000 \ 000 \ 000", Beacon frames no longer contain SSID information. This is how "Stealth" is implemented.

Let's take a look at the process of establishing a connection between a PC and an AP:

1. The site sends Probe request in all 13 channels.

2. the AP responds to the Probe response after receiving the request.

3. The site selects the AP with the strongest signal in the response packet.

4. The website sends authentication information.

5. The AP recognizes the authentication information of the site and registers it to establish a connection.

For an AP that broadcasts the SSID, the PC can see the SSID from "view wireless network". clicking the desired SSID is actually sending a detection request or a connection request, and the AP "responds ", confirm your identity and establish a connection. The connection process without broadcasting the SSID is a little more complicated. Because the AP does not broadcast the SSID, the PC cannot know which channel to send the connection request, so at this time, the PC will send a detection request to all 13 channels until the AP receives a response, and then the subsequent connection process can be performed. This is the key! Let's take a look at what () is included in Probe request's Probe request frame No. 8749. As we expected, the SSID parameter set: "test_lab" parameter -- "who is test_lab ?"

It is worth noting that once the PC is started, it will send a Probe request frame containing the previously connected SSID. If these data frames are captured by hackers, hackers are likely to forge a "What You Want" AP, which creates a dangerous security risk. This is not a problem to be discussed in this article. The AP's response after receiving the request () includes the same parameter: SSID parameter set: "test_lab" -- "I am the AP test_lab you are looking ". I don't need to say that everyone should understand the rest. Through this answer, the SSID will be ready!

If you are a network administrator facing a huge and complex network every day and need to quickly and accurately obtain information in the network, Airmagnet Laptop is undoubtedly the preferred wireless network management software, do not be confused by "no wireless network is found in the Area" displayed by XP, and think that there is no wireless network device in the network. As the saying goes, we must use professional wireless network testing software for periodic testing, in order to ensure that nothing is lost. During the on-site test, anheng's wireless network testing engineers found a large number of hidden non-sending access APs. Using Airmagnet Laptop not only can find the existing illegal AP, but also can locate the physical location of illegal devices, in addition, the captured data packets can be saved. With free Ethereal protocol analysis software, the wireless network can be further analyzed.

1. Apply five locks to your wireless network