Finding Hidden SSID’s

It’s extremely easy to find the ID for a “hidden” network—all you have to do is use a utility like inSSIDer, NetStumbler, or Kismet to scan the network for a short while to show all of the current networks out there. It’s really that simple, and there’s plenty of other tools that do the same job.

Don’t believe me? Grab a copy, start it up, and then click the Start Scanning button—within a minute you’ll see a list of every single network in range. You can then identify which ones are using WEP and start cracking them.

Hidden networks show up as Unknown in version 1 of this particular tool, but they do show all of the other data about the network, including the encryption type and MAC address. Version 2.0 of inSSIDer actually does show the SSID for a hidden network. You’ll see in this screenshot the lhdevnet network is hidden.

image167

Real hackers are going to be using tools like Kismet and Aircrack to figure out the SSID before they crack your network, so whether or not a particular tool is showing the right data is beside the point. Should also note that you can use this tool to figure out how to change the wireless router channel and optimize your Wi-Fi signal.

Hidden Wireless SSIDs Actually Leak Your SSID Name

 

image126

When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.

Microsoft’s Technet explains exactly why hidden SSIDs are not a security feature, especially with older clients:

A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.

Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks.

The behavior is a little better in Windows 7 or Vista as long as you don’t have automatic connection enabled—the only way to be sure that you’re not leaking the network name is to disable automatic connection to wireless networks with a hidden SSID. Microsoft’s explanation:

The Connect even if the network is not broadcasting check box determines whether the wireless network broadcasts (cleared, the default value) or does not broadcast (selected) its SSID. When selected, Wireless Auto Configuration sends probe requests to discover if the non-broadcast network is in range.

How Should You Secure Your Network Then?

 

When it comes to wireless network security, there’s really only one rule that you need to follow: Use WPA2 encryption, and make sure that you are using a strong network key.

If you’re not using encryption, or you’re using the pathetic WEP encryption scheme, it doesn’t matter whether you hide your SSID, filter MAC addresses, or cover your head in tin foil—your network is wide open for hacking in a matter of minutes.

Wireless Device Control

Major data thefts have been initiated by attackers who have gained wireless access to organizations from nearby parking lots, bypassing organizations’ security perimeters by connecting wirelessly to access points inside the organization.  Wireless clients accompanying travelling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafés.  Such exploited systems are then used as back doors when they are reconnected to the network of a target organization.  The discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network is also a problem and is.  Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

Wireless technology has complicated our security operations by introducing a mobile threat that sometimes goes beyond our control.  In order for us to ensure security is maintained, we must identify and assess all assets, which we control in an effort to reduce risk to operations. 

To compromise a network through a wireless device requires:

· A relative close proximity to the network being attacked

· Determination of the Service Set Identifier (SSID) (not always required)

· The channel being used (identifies the frequency used)

· The type of encryption (if any) used:

            WEP (Wired Equivalent Privacy)

            WPA (WiFi Protected Access)

            WPA2 (government grade security implementation)

Other implementations

Improperly configured devices always offer easy avenues for exploitation and compromise.  Attacking a system that has been left in a default configuration, generally means it is in an adhoc (peer to peer) open mode or one that does not require authentication to join.  These types of networks create a great risk to anyone who uses them since every bit of data transmitted over them is subject to compromise, not just the network.  Regular scanning and monitoring of wireless networks is necessary since some devices, if power surges or loss occurs, lose their configurations and will default to an open state and therefore a threat.

Attacking authenticated systems is a challenge but with weak implementations of encryption technologies will afford easier avenues in.  Cracking encryption usage requires the monitoring, collecting, and cracking effort of a large amount of packets.  Lack of packets being transmitted does not mean cracking cannot be attempted, it just requires the use of tools designed to request traffic, such as a broadcast, authentication request, or similar activity.  These types of attacks cause the Access Points (APs) to respond in kind with requested information.

Attacks on wireless networks require a near proximity if desiring two way access to networks, but if all that is desired is the ability to monitor and steal data, then these types of attacks can be conducted up to seven miles, yes miles, away.  Generally a monitoring effort need only have line-of-sight with the targeted site.

Keep track of the version of firmware, your access logs, encryption algorithm, and method of key rotation to prevent being targeted.

Also limit the distance of your signals and how far they broadcast, not only by reducing the strength through the configuration software, but by physical location of the devices, shielding of office windows with inexpensive film, and landscaping.

MAC (Media Access Control) address management and filtering can offer security to your wireless networks.  Limiting address assignment to specific MAC addresses can offer the flexibility to incorporate this type of security filtering technique.  DO NOT rely solely on this method, as MAC addresses can be compromised over the airwaves, and hackers know this.  They will incorporate MAC spoofing and ARP (Address Resolution Protocol) poisoning to overcome these restrictions.  So incorporate a good secure “blend” of techniques to afford appropriate protection.   802.11w is looking to improve this and the committee estimates to finish the standard by Jan 2010.

Consistent monitoring and auditing of assigned IP addresses and MAC address access is the only way to determine if someone has infiltrated your wireless network.  Discovering a compromise should prompt for immediate key rotation, and potentially new key generation followed by a physical distribution method and reassessment of your network.  Utilizing appliances such as AirDefense (one such product is by Motorola®) and the BVS Yellowjacket wireless network analyzer allow us to detect and identify wireless devices to search for rogue devices, and to deny unauthorized wireless devices’ connectivity to our wireless networks.

And just for your information I can crack WPA2 just as fast as I can crack WEP. You’re not safe so please consider all the above points to help you find the best way to secure your Wireless Access. Or just get rid of it completely.