WN Blog 025 – Hidden SSIDs

4 min read
Featured-HS

Hey!

Welcome to our first blog post of 2020! Happy new year to all 🙂

We wanted to kick off this year’s first blog post covering how secure is a Hidden SSID. We have been into a few customer environments recently where they were hiding some of their SSIDs as they believed this was more secure.

Shout out to Mr. Andrew McHale for his explanation as to why we shouldn’t be hiding SSIDs:

“Some clients don’t probe for SSID’s, they rely on Beacons to decide what is available. If you hide the SSID in the Beacon then some clients won’t see SSID to connect to.

Others will try listening to beacons first and only probe if they don’t see the SSID they’re looking for. This wastes time.

On DFS channels the client has to listen for a Beacon or Probe Response before it probes itself. Normally Vocera clients always probe for the specific SSID we have programmed it for. But on DFS channels, to save that probing time, if we hear a Beacon supporting our SSID we will forego probing on that channel. If you hide the beacon we have to apply that extra 15ms for probing and dwelling on that DFS channel.”

To summarise what Andrew was saying there is that we should not be hiding the SSIDs as it can have a negative impact on client roaming & association.

Let’s now do some testing and see how secure it is to hide an SSID & what steps we have to do to be able to find what the hidden SSID name is – if that is even possible of course 😉

For our tests today I will be using my Mist AP41 – connected back to my Mist Cloud dashboard. The SSID we will be trying to find is called “Matts_Hidden_SSID”. I will also be using the WLAN-Pi & Wireshark to capture wireless packets.

Here is how my SSID is configured on My Mist dashboard – we can clearly see the SSID name and that I have selected to hide the SSID.

MiSt 
Monitor 
Ma 
O), Clients 
Access Points 
switches 
Location 
Analytics 
Netw•ork 
Organization 
WIA NINJAS 
< Matts 
Hidden 
SSID 
Matts Hidden 
Labels 
SSID 
Security 
@ WPA-2/PSK with passphrase 
O 
WPA-2/EAP (802.1 X) 
Apply to Access Points 
SSID 
Aps 
Isolation 
AP Labels 
Specific APS 
WLAN Status 
@ Enabled C) Disabled 
Hide 
D No Static IP Devices 
Radio Band 
@ 2.4G and 5G 
O 
2.4G 
Band Steering 
O Enable 
Client Inactivity 
Drop inactive clients after 
Geofence 
O 
Open Access 
More Options 
Fast Roaming 
@ Default 
VLAN 
@ Untagged O 
Guest Portal 
Tagged 
O 
O 
Dynamic 
O 
1800 
O 
O 
O 
seconds 
No portal (go directlyto internet) 
Custom guest portal 
Forward to external portal 
SSO with Identity Provider C) Requires custom firmware 
Bypass guest/external portal in case of exception 
Contact Mist for Firmware 
D Minimum client RSSI (2.4G) O 
D Minimum client RSSI (5G) O 
Block clients having RSSI below the minimum 
Data Rates 
O 
Compatible (allow all connections) 
@ No Legacy (2.4G, no 1 1b) 
O 
High Density (disable all lower rates) 
prohibit peer to peer communication 
Filtering (Wired to Wireless) 
Broadcast/Multicast 
Custom Forwarding 
Custom Forwarding to Etho POE 
SSID Scheduling 
O Enabled @ Disabled 
QoS Priority 
Override QoS 
AirWatch 
O Enabled @ Disabled 
O 
Custom Rates 
WiFi Protocols 
WiFi-6 @ Enabled O 
WLAN Rate Limit 
Cl Limit uplink to 10 
O Limit downlink to 20 
Disabled 
Mbps

Next, let’s take a look at what wireless channels my AP is using in the 5GHz band so I can configure my WLAN-Pi to capture on those channels.

MiSt 
Monitor 
Ma 
O), Clients 
Access Points 
switches 
Location 
Analytics 
Netw•ork 
Organization 
WIA NINJAS 
Radio Management 
-92 darn 
AVG. NOISE 
Distribution 
Current Radio Values 
Name 
FRI, 09:16 AM 
site 
Matt Starling Home 
AVG. # NEIGHBORS 
MAC Address 
2.4 GHz 
5 GHz 
Optimize now 
0.0 0 
AP DENSITY 
AVG. # CO CHANNEL NEIGHBORS 
No. Clients 
Status 
Connected 
Channel 
Channel 
108+1 12 
0.1 
AVG. # APS PER CHANNEL 
Channel Width 
40 MHz 
1.00 
CHANNEL DIST. SCORE 
5 GHz Enabled 
17 dBm 
Channel 
5 GHz Overridden 
Power

We can see in the above image that my AP is using a 40MHz wide channel & occupying channels 108 + 112. So we need to configure my WLAN-Pi to use those channels.

wlanpi@wlanpi: - 
as: w Ianpi 
Using keyboard—interactive authentication . 
Password : 
/ Ill I \ 
Welcome Co Debian Stretch with 
Armhian Linux 4 . I g. 66—sunxi64 
System load: 
Memory usage : 
CPU temp : 
Usage of / : 
0.00 0.00 0.04 
16 * of gg3MB 
330c 
of ISG 
syszem 
Up time: 
I g min 
.2s4.g.232 
sudo apt update 
s udo apt 
install 
Lasc login: Thu occ 3 2019 from 192.168.42.2 
wlanpi@wlanpi : —$ sudo iw wIanO sec channel 108 40MHz 
Usage : 
iw [options] dev sec channel 
[NOHT 1 HT40+lHT40-l 
SMHz 1 10MHz 1 80MHz 
Options : 
— — debug 
enable net link debugging 
wlanpi@wlanpi : —$ sudo iw WI ano sec channel 108 HT40+ 
wlanpi@wlanpi : —$

Now we have configured the WLAN-Pi to capture on those channels, I was ready to start capturing some packets.

Let’s take a look at some of the packets that were starting to come flooding in – I could see my other SSID “WiFi Ninjas” that I had not set to be hidden being broadcasted in the beacon frames but I could see that there was also another SSID coming from my Mist AP but we could not see the hidden SSID – still pretty secure at this point 😉 

*SSH remote capture 
File Edit View Go Capture 
651 
8a2.11 
Ila 
dam s.a 
802.11 
802. Ila 
dam 6.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
658 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
dam s.a 
802.11 
802. Ila 
670 
802.11 
802. Ila 
Analyze Statistics Telephany 
Wireless Tools 
Help 
Apply a display filter 
Absolute Time 
Expr ession 
Spatial streams 
+ Management Fr ames 
Control Frames Data Frames 
Time as Formatted 
28.160416 
28.570037 
29.184500 
Delta Time 
a. 00BBB8 
a. 102371 
a. 000008 
a. 102480 
a. 102364 
a. 102382 
a. 000020 
a. 102493 
a. oooala 
a. 102333 
a. 102356 
a. 102367 
a. 000008 
a. 102484 
a. 102368 
Frequency 
R SSI 
-26 
- 26 
- 26 
- 28 
- 28 
- 26 
- 26 
- 28 
- 26 
- 26 
- 26 
- 28 
- 26 
- 26 
- 28 
- 28 
- 26 
- 26 
- 28 
-26 
TX Rate 
Data rate (M$s) 
Source 
Destination 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Broadcast 
Protocol 
Length 
359 
362 
359 
362 
359 
362 
359 
362 
359 
362 
359 
362 
359 
362 
359 
362 
359 
362 
359 
362 
Colouring Rule Name 
Beacon 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Beacon 
MCS index I 
ss1D 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
Bandnidth 
PHY type 
Tag 
652 28.262787 
653 28.262795 
654 28.365275 
655 28.365283 
656 28.467647 
657 28.467655 
659 28.570057 
660 28.67255a 
661 28.67256a 
662 28.774893 
663 28.774901 
664 28.877257 
665 28.877265 
666 28.979632 
667 28.97964a 
668 29.082124 
669 29.082132 
554a 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
5540 
MHZ 
MHZ 
dam 
dam 
(2872 
6 Mist 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
79:32 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Info 
Beacon 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Bea con 
Beacon 
frame, 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
f rame 
frame, 
su=3B11, 
SN=3a12, 
SN=3a13, 
SN=3a14, 
SN=3a15, 
SN=3a16, 
SN=3a17, 
SN=3a18, 
SN=3a19, 
sN=3a2a, 
SN=3a21, 
SN=3a22, 
SN=3a23, 
SN=3a24, 
SN=3a25, 
SN=3a26, 
SN=3a27, 
SN=3a28, 
SN=3a29, 
sN=3a3a, 
Frame 653: 
359 bytes 
on 
wire (2872 bits), 
359 bytes 
c a ptu red 
bits ) 
on 
Radiotap Header va, Length 32 
802. II radio information 
IEEE 8B2.II Beacon frame Flags: . 
IEEE 8a2.11 wireless LAN 
Fixed parameters (12 bytes) 
v Tagged parameters (287 bytes) 
ag: SSID parameter set: Boa Boa Boa Boa Boa Boa Boa Boa Boa Boa Boa 
Number: SSID arameter set a 
interface 
Boa Boa Boa Boa Boa Boa 
Tag Iength: 17 
Tag: Supported Rates 6(8), 9, 12(8), 
Tag Number: Supported Rates (I) 
Tag Iength: 8 
18, 
42 
17 
15 
al 
a2 
5e 
24(8), 
36 
2/ 
48, 
54 , 
Su p ported 
Su p ported 
Su p ported 
Su p ported 
Rates . 
Rates : 
Rates : 
Rates : 
Rates : 
• 6(8) (ax8c) 
9 (0x12) 
12(8) (0x98) 
(ax24) 
Su 
rted 
aza 
gala 
aa2a 
aaaa 
aasa 
aasa 
ana 
ana 
gaga 
aaaa 
aaca 
aada 
aaea 
a afa 
3122 
alsa 
3142 
alfa 
[Mbit/ sec) 
• •LG8 $ 
64 
al 
17 
7a 
14 
47 
04 
a2 
al 
32 
17 
al 
al 
al 
2f 
2a 
34 
35 
11 
28 
al 
88 
04 
ff 
dd 
15 
11 
al 
17 
74 
46 
al 
ff 
fa 
79 
17 
34 
57 
al 
32 
11 
04 
al 
ab 
a2 
al 
al 
17 
78 
04 
gf 
18 
24 
al 
02 
17 
64 
le 
al 
al 
16 
04 
27 
2a 
51 
le 
95 
2a 
bf 
00 
17 
ff 
72 
al 
al 
a2 
dd 
12 
17 
68 
2d 
04 
32 
18 
98 
34 
99 
23 
la 
42 
2a 
35 
24 
47 
al 
le 
a2 
04 
42 
43 
79 
48 
2a 
38 
17 
7f 
a2 
al 
32 
sa 
24 
al 
le 
84 
al 
ff 
al 
al 
62

How about if we filter on probe responses only? By using this Wireshark filter: wlan.fc.type_subtype == 0x0005

*SSH remote capture 
File Edit View Go 
152 
8a2.11 
8B2.11a 
dam 6.ø 
8ø2.11 
7øø 
8ø2.11 
8ß2. 
dam 6.ø 
7ß3 
8ø2.11 
dam 6.ø 
7ß5 
8ø2.11 
dam 6.ø 
833 
8ø2.11 
dam 6.ø 
936 
8ø2.11 
dam 6.ø 
964 
8ø2.11 
dam 6.ø 
975 
8ø2.11 
dam 6.ø 
978 
8ø2.11 
dam 6.ø 
98ø 
8ø2.11 
dam 6.ø 
:49.4øgø56 44.78ø149 
8ø2.11 
dam 6.ø 
:49.418688 44.789781 
8ø2.11 
dam 6.ø 
44.8ø4283 
8ø2.11 
dam 6.ø 
:49.443324 44.814417 
8ø2.11 
dam 6.ø 
8ø2.11 
dam 6.ø 
2469 
8ø2.11 
dam 6.ø 
8ø2.11 
dam 6.ø 
2477 
8ø2.11 
6.ø 
8m.11 
8ß2. 
Capture 
= ox0005 
Analyze Statistics Telephony 
Wireless Tools 
Help 
"Ian fc. type_subtype 
Absolute Time 
+ Management Fr ames 
Control Frames 
Da ta Frames 
Time as Formatted 
7.564445 
Delta Time 
a. øøøøøø 
13.7ø56ß2 
8.837292 
ø.ø16123 
ø.ø1ø13ø 
2.9435ø4 
1.64ø69ø 
ø.4356ß3 
ø.øøgsøg 
ø.ø14625 
ø.ø1ß247 
g. 592379 
ø.øøg632 
ø.ø145ß2 
ø.ø1ø134 
4.1ø4218 
1.578936 
ø.ø13265 
ø.ø14984 
a. ø1ß264 
Frequency 
R SSI 
-26 
- 28 
- 26 
- 28 
- 26 
- 26 
- 26 
- 26 
- 26 
- 28 
- 26 
- 26 
- 26 
- 26 
- 26 
- 28 
- 26 
- 26 
- 26 
-28 
TX Rate 
Data rate (Mb's) 
Source 
Destnaton 
Protocol 
Length 
356 
356 
353 
353 
353 
353 
356 
356 
356 
356 
356 
356 
356 
356 
356 
356 
353 
353 
353 
353 
Colouring Rule Name 
MCS index I 
Expr ession 
Spatial streams 
Tag 
5øø 21.27øø47 
2396 48.918635 
1894 ø6 
1899 ø6 
19ß2 ø6 
2474 
2479 
Frame 
: 52 
: 52 
: 52 
: 52 
3ø .1ß7339 
3ø .123462 
3ø.133592 
33. ø77øg6 
34.717786 
35.153389 
35.162898 
35.177523 
35.18777ø 
% .497571 
5ø.51ß836 
5ø.52582ø 
% .536ß84 
554a 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554ø 
554B 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
MHz 
d 8m 
dam 
d 8m 
(2824 
54 , 
6 Mist 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
Mist 
6 
6 Mist 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Matt 
Le novo 
Len ovo 
iPhoneX 
iPhoneX 
iPhoneX 
iPhoneX 
Len ovo 
iPhoneX 
iPhoneX 
iPhoneX 
iPhoneX 
iPhoneX 
iPhoneX 
iPhoneX 
iPhoneX 
Len ovo 
iPhoneX 
iPhoneX 
iPhoneX 
iPhoneX 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
Response 
ss1D 
WiFi Ninjas 
Matts Hidden 
Matts Hidden 
Matts Hidden 
Matts Hidden 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
wiFi 
Matts 
Matts 
Matts 
Matts 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Ninjas 
Hidden 
Hidden 
Hidden 
Hidden 
Bandwidth 
SSID 
SSID 
SSID 
SSID 
SSID 
SSID 
SSID 
SSID 
PHY type 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
8ß2 
Info 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Probe 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
Response, 
su=2596, 
SN=287ø, 
SN=3ø51, 
SN=3ß52, 
SN=3113, 
SN=3166, 
SN=3175, 
SN=3178, 
SN=3179, 
SN=318ø, 
SN=3426, 
SN=3427, 
SN=3428, 
SN=3429, 
SN=3549, 
SN=3582, 
SN=3583, 
SN=3584, 
SN=3585 , 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
FN=ø 
353 bytes 
on 
wire (2824 bits), 
353 bytes 
ca red 
bits ) 
on 
interface 
Radiotap Header vø, Length 32 
8m.11 radio information 
IEEE 8e2.11 Probe Res rise Flags: . 
IEEE 8e2.11 wireless LAN 
Fixed parameters (12 bytes) 
SSID arameter set: Matts Hidden SSID 
Tag Number: SSID parameter set (e) 
Tag length: 17 
SSID: Matts Hidden SSID 
Tag: 
Tag: 
Tag: 
Tag: 
Tag: 
Tag: 
Tag: 
supported Rates 6(a), 9, 12(a), 18, 24(a), 36, 48, 
DS Parameter set: Current Channel: 
CMbit/ sec) 
Country Information: Country Code 63, Environment Any 
Power Constraint: 
T PC Report Transmit Power: 21, Link Margin. 
RSN Information 
Q8SS Load Element 
: measurement Pilot 
8ø2.11e ccA Version 
Transmission 
aaaa 
aala 
aaaa 
aasa 
eese 
aasa 
aa7a 
ane 
aaga 
aaaa 
aaba 
aaca 
aada 
aaea 
a afa 
aløa 
a12a 
a13a 
a14a 
else 
64 
65 
17 
78 
ø4 
6e 
17 
64 
16 
ø4 
27 
213 
11 
95 
213 
bf 
17 
15 
11 
53 
dd 
17 
68 
2d 
ø4 
32 
18 
be 
11 
49 
34 
23 
la 
42 
65 
44 
ø4 
42 
43 
13 
61 
17 
15 
f2 
213 
58 
74 
38 
17 
øø 
7f 
aa 
øø 
74 
84 
ff 
ff 
62 
73 
12 
17 
713 
14 
47 
ff 
ø4 
32 
5b 
98 
al 
ff 
2f 
213 
35 
48 
24 
88 
04 
ff 
aa 
dd 
69 
17 
74 
46 
ff 
79 
64 
48 
ce 
32 
64 
le 
ac 
•Ma tts Hidd 
en SSID 
• acn

Ooooh not quite so secure anymore is hiding the SSID? 🙂 We can quite clearly see in the SSID parameters the SSID name now! This didn’t take too much effort either did it? There are a few requirements that we need to meet though to be able to see the probe response.

I associated to the SSID whilst capturing the packets but if a client does not associate during your packet capture you won’t see the probe response so you might have to send a de-auth or something like that but that’s for another blog 😉

To summarise then, hiding the SSID is not only not secure, but it can also have a negative impact on roaming – next time I go to a customer site that has the SSID hidden, I will be sending them to this blog 😀

If you are new to Wireshark we did another blog last year on some useful filters which can be found here: https://wifininjas.net/index.php/2019/05/29/wn-blog-002-wireshark-filters/

I also have set up my own custom profiles, using a colour profile, my own custom columns & have added known devices MAC address to name profile so that’s how you can see “Matt_iPhoneX” instead of my MAC address. If you want any help with how to set up your Wireshark like this feel free to give us a shout and we will help you.

Hope you enjoyed the blog post 🙂

x

Share blog

Share on facebook
Share on twitter
Share on linkedin
Share on email

2 Responses

  1. Very informative, thank you.

    Can you say some useful practices for securing WiFi? Is it mandatory to use 802.1X infrastructure?

Blog

This WiFi Ninjas Blog archive consists of all the blogs we have ever written!