Your SSID Isn't Hidden Forever: Detecting Non-Broadcasted SSIDs
By Eric Geier
A common security practice among wireless network administrators is to disable Service Set Identifier (SSID) broadcasting on wireless access points or routers. The reason is that disabling SSID broadcasting is supposed to hide and protect their wireless network. Even if an individual knows there is a wireless network at a certain location, this person must know the SSID in order to establish a connection with the network.
Therefore, hiding the SSID by disabling SSID broadcasting helps to prevent others from connecting to the network. Don't let this give you a false sense of security, however — people with the right equipment can still easily retrieve the SSID of the network.
The SSID Broadcasting Option
By default, the beacons sent by wireless access points or routers, which notify wireless clients of nearby networks, contain the SSID. The SSID is what shows up, for example, in Windows XP's list of available wireless networks.
When SSID broadcasting is disabled, however, the SSID is no longer sent in the beacons. This keeps the network from showing up in Windows and, together with other security measures such as encryption, helps protect your wireless network.
As an example, imagine that Brian pops open his laptop in the local coffee shop right next to your office that you recently decked out with the newest 802.11g equipment. After booting into Windows XP, he views the available wireless networks and your network isn't showing up even though he's close enough to pick up a signal.
If you hadn't disabled SSID broadcasting on your office's network, Brian would see yours listed as an available wireless network. If your network isn't secured by encryption, Brian could connect through your network and access the Internet and any shared files on your computers.
Detecting a Non-Broadcasted SSID
Disabling SSID broadcasting in your wireless access point or router's beacons, however, doesn't prevent hackers or wardrivers from detecting your wireless network, or even its SSID. If Brian were a wireless hacker, he could open a legitimate software program such as AirMagnet and easily find your network's SSID.
AirMagnet picks the SSID up from other packets sent by wireless devices on the network. Even with SSID broadcasting disabled, the SSID is still carried in 802.11 association request frames and, in certain instances, in probe request and probe response frames as well. For example, AirMagnet could capture your network's SSID when a computer on your network boots up and its wireless client sends an association request to the access point to join the network.
Hackers and wardrivers can also use tools like AirJack to reveal a hidden network's SSID on demand. These tools usually work by sending a spoofed 802.11 Deauthentication frame to a particular wireless client. This causes the wireless client to re-authenticate and re-associate with the access point, and the tool can then capture the SSID from the client's association request frame.
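The following Python script is an added example, not part of the original article or of any tool it names. It shows, on constructed 802.11 management frames, exactly where the SSID does and does not appear: a hidden network's beacon carries an empty (or null-padded) SSID information element, while the client's association request carries the real name. The same pass over the capture implements the detection a network defender would want for the second technique above: a deauthentication frame aimed at a client, followed shortly by that client's association request to a BSSID whose beacons hide the SSID. The MAC addresses, the SSIDs "OfficeNet" and "CoffeeShop", the timestamps and the two-second window are all assumptions made for this example.

```python
"""Passive 802.11 management-frame analysis (example code, constructed input).

Shows what a 'hidden' SSID actually hides and flags the pattern
deauthentication -> re-association that exposes it."""
import struct
from collections import defaultdict

MGMT = 0
SUBTYPE_NAME = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon", 12: "deauth"}
# Fixed fields that precede the information elements in each management body
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
SSID_IE = 0


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssid_ie(body: bytes):
    """Walk the IE list. Return the SSID, "" when the element is present but
    empty or null-padded (the two ways APs 'hide' it), or None when absent."""
    i = 0
    while i + 2 <= len(body):
        ie_id, ie_len = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ie_len]
        if ie_id == SSID_IE:
            return "" if not data.strip(b"\x00") else data.decode("utf-8", "replace")
        i += 2 + ie_len
    return None


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the 24-byte MAC header and, for management frames, the SSID or reason code."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT or subtype not in SUBTYPE_NAME:
        return {"kind": "other"}
    info = {"kind": SUBTYPE_NAME[subtype], "dst": mac(a1), "src": mac(a2), "bssid": mac(a3)}
    body = frame[24:]
    if subtype == 12:
        info["reason"] = struct.unpack("<H", body[:2])[0]
    else:
        info["ssid"] = parse_ssid_ie(body[FIXED_LEN[subtype]:])
    return info


def analyze(capture, window=2.0):
    """capture: list of (timestamp, raw frame). Returns (ssid_table, alerts).

    ssid_table[bssid] records what beacons advertise ("" = hidden) and any name
    observed in association requests / probe responses for that BSSID.
    An alert is raised when a client receives a deauthentication and then sends
    an association request to a hidden-SSID BSSID within `window` seconds."""
    table = defaultdict(lambda: {"beacon": None, "observed": None})
    last_deauth = {}  # client MAC -> time of the most recent deauth aimed at it
    alerts = []
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        kind = f["kind"]
        if kind == "beacon":
            table[f["bssid"]]["beacon"] = f["ssid"]
        elif kind in ("assoc-req", "probe-resp") and f.get("ssid"):
            table[f["bssid"]]["observed"] = f["ssid"]
        elif kind == "deauth":
            last_deauth[f["dst"]] = ts
        if (kind == "assoc-req" and f["src"] in last_deauth
                and ts - last_deauth[f["src"]] <= window
                and table[f["bssid"]]["beacon"] == ""):
            alerts.append({"time": ts, "client": f["src"], "bssid": f["bssid"],
                           "ssid": f["ssid"],
                           "rule": "deauth followed by association request within window"})
    return dict(table), alerts


# --- constructed sample capture (hypothetical MACs and SSIDs) ---------------
def ssid_ie(name: bytes) -> bytes:
    return bytes([SSID_IE, len(name)]) + name


def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = (subtype << 4) | (MGMT << 2)
    return struct.pack("<HH6s6s6sH", fc, 0, dst, src, bssid, 0) + body


AP, AP2 = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd03")
CLIENT = bytes.fromhex("02aabbccdd02")
BCAST = b"\xff" * 6


def sample_capture():
    beacon_fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    assoc_fixed = struct.pack("<HH", 0x0411, 10)        # capabilities, listen interval
    return [
        (0.00, build_mgmt(8, BCAST, AP, AP, beacon_fixed + ssid_ie(b""))),          # hidden SSID
        (0.10, build_mgmt(8, BCAST, AP2, AP2, beacon_fixed + ssid_ie(b"CoffeeShop"))),
        (0.50, build_mgmt(12, CLIENT, AP, AP, struct.pack("<H", 7))),                 # deauth at client
        (1.20, build_mgmt(0, AP, CLIENT, AP, assoc_fixed + ssid_ie(b"OfficeNet"))),   # re-association
    ]


if __name__ == "__main__":
    table, alerts = analyze(sample_capture())
    for bssid, seen in table.items():
        print(bssid, "beacon:", repr(seen["beacon"]), "observed:", repr(seen["observed"]))
    for a in alerts:
        print("ALERT", a)
```

Running it shows the hidden BSSID with an empty beacon SSID but "OfficeNet" observed from the association request, and one alert for the deauthentication/re-association sequence. In a real deployment the frames would come from a monitor-mode capture, and the window and a per-client deauthentication rate would be tuned to the environment, since legitimate roaming also produces deauthentication followed by association.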