Hey!
Welcome to our first blog post of 2020! Happy new year to all π
We wanted to kick off this yearβs first blog post covering how secure is a Hidden SSID. We have been into a few customer environments recently where they were hiding some of their SSIDs as they believed this was more secure.
Shout out to Mr. Andrew McHale for his explanation as to why we shouldnβt be hiding SSIDs:
βSome clients donβt probe for SSIDβs, they rely on Beacons to decide what is available. If you hide the SSID in the Beacon then some clients wonβt see SSID to connect to.
Others will try listening to beacons first and only probe if they donβt see the SSID theyβre looking for. This wastes time.
On DFS channels the client has to listen for a Beacon or Probe Response before it probes itself. Normally Vocera clients always probe for the specific SSID we have programmed it for. But on DFS channels, to save that probing time, if we hear a Beacon supporting our SSID we will forego probing on that channel. If you hide the beacon we have to apply that extra 15ms for probing and dwelling on that DFS channel.β
To summarise what Andrew was saying there is that we should not be hiding the SSIDs as it can have a negative impact on client roaming & association.
Letβs now do some testing and see how secure it is to hide an SSID & what steps we have to do to be able to find what the hidden SSID name is β if that is even possible of course π
For our tests today I will be using my Mist AP41 β connected back to my Mist Cloud dashboard. The SSID we will be trying to find is called βMatts_Hidden_SSIDβ. I will also be using the WLAN-Pi & Wireshark to capture wireless packets.
Here is how my SSID is configured on My Mist dashboard β we can clearly see the SSID name and that I have selected to hide the SSID.
Next, letβs take a look at what wireless channels my AP is using in the 5GHz band so I can configure my WLAN-Pi to capture on those channels.
We can see in the above image that my AP is using a 40MHz wide channel & occupying channels 108 + 112. So we need to configure my WLAN-Pi to use those channels.
![wlanpi@wlanpi: -
as: w Ianpi
Using keyboardβinteractive authentication .
Password :
/ Ill I \
Welcome Co Debian Stretch with
Armhian Linux 4 . I g. 66βsunxi64
System load:
Memory usage :
CPU temp :
Usage of / :
0.00 0.00 0.04
16 * of gg3MB
330c
of ISG
syszem
Up time:
I g min
.2s4.g.232
sudo apt update
s udo apt
install
Lasc login: Thu occ 3 2019 from 192.168.42.2
wlanpi@wlanpi : β$ sudo iw wIanO sec channel 108 40MHz
Usage :
iw [options] dev sec channel
[NOHT 1 HT40+lHT40-l
SMHz 1 10MHz 1 80MHz
Options :
β β debug
enable net link debugging
wlanpi@wlanpi : β$ sudo iw WI ano sec channel 108 HT40+
wlanpi@wlanpi : β$](https://wifininjas.net/wp-content/uploads/2020/01/image.png)
Now we have configured the WLAN-Pi to capture on those channels, I was ready to start capturing some packets.
Letβs take a look at some of the packets that were starting to come flooding in β I could see my other SSID βWiFi Ninjasβ that I had not set to be hidden being broadcasted in the beacon frames but I could see that there was also another SSID coming from my Mist AP but we could not see the hidden SSID β still pretty secure at this point πΒ
How about if we filter on probe responses only? By using this Wireshark filter: wlan.fc.type_subtype == 0x0005
Ooooh not quite so secure anymore is hiding the SSID? π We can quite clearly see in the SSID parameters the SSID name now! This didnβt take too much effort either did it? There are a few requirements that we need to meet though to be able to see the probe response.
I associated to the SSID whilst capturing the packets but if a client does not associate during your packet capture you wonβt see the probe response so you might have to send a de-auth or something like that but thatβs for another blog π
To summarise then, hiding the SSID is not only not secure, but it can also have a negative impact on roaming β next time I go to a customer site that has the SSID hidden, I will be sending them to this blog π
If you are new to Wireshark we did another blog last year on some useful filters which can be found here: https://wifininjas.net/index.php/2019/05/29/wn-blog-002-wireshark-filters/
I also have set up my own custom profiles, using a colour profile, my own custom columns & have added known devices MAC address to name profile so thatβs how you can see βMatt_iPhoneXβ instead of my MAC address. If you want any help with how to set up your Wireshark like this feel free to give us a shout and we will help you.
Hope you enjoyed the blog post π
x