hidden ssid - broadcast beacons - Question

Bryan Kadzban bryan at kadzban.is-a-geek.net
Tue Aug 14 12:57:06 EDT 2007


On Tue, Aug 14, 2007 at 02:03:53PM +0200, Stefan Bauer wrote:
> I gave Wireshark a try and it collects a huge amount of packets (~
> 8000) but to my fault, all of them are just broadcast packets with the
> following SSID string:
> 
> "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\"
> 
> which looks like this is the default string if the ssid is "hidden" ?

Yes, that looks like the hidden-SSID string to me.  The broadcasts here
are probably the beacon frames.  Probe-response frames sent in response
to a probe-request-to-the-null-SSID *might* have the SSID in them,
though that depends on the AP.  Probe-response frames sent in response
to a probe-request-to-this-SSID should have the SSID in them (as will
the probe request).

Also, association-request and association-response frames will both have
the SSID in them, because the AP must know which SSID the client is
associating with.  There's no way around that one.

> I assume that there will only be another traffic than broadcasts if
> there is some client activity.

Client associations, yes.  Normal client activity (sending and receiving
normal wireless frames), no.

> is there a way to generate client
> activity without real client-stations who are doing association to the
> access points?

If there are any clients that have associated already, but are just
sitting there, then faking a deauthenticate frame from the AP will
force them to re-associate, which will give you the SSID.  (This is
what the 802.11w group is trying to prevent by authenticating wireless
management frames.  Since they're not authenticated now, anyone can
spoof them.)

But if no normal clients are in range of the AP, then I don't think you
can do anything to reliably get the SSID.  You *may* be able to send a
probe-request for the null SSID, but that depends on how the AP works.
(I'd guess that most APs won't provide their SSID in this probe
response, but I don't know for sure.)
