2 Detection of SSID
An attacker can usually discover the SSID of a network by passive
scanning, because the SSID occurs in the following frame types: Beacon, Probe
Requests, Probe Responses, Association Requests, and Reassociation Requests.
Recall that management frames are always in the clear, even when WEP is
enabled.
A number of APs can be configured so that the SSID transmitted in the
Beacon frames is masked, or even so that Beacons are turned off
altogether. When masked, the SSID shown in the Beacon frames is set to null in the
hope of making the WLAN invisible unless a client already knows the correct
SSID. In such a case, a station wishing to join a WLAN begins the
association process by sending Probe Requests, since it could not detect any APs
via Beacons that match its SSID.
If the Beacons are not turned off, and the SSID in them is not set
to null, an attacker obtains the SSID included in the Beacon frame by passive
scanning.
When the Beacon displays a null SSID, there are two
possibilities. Eventually, an Association Request may appear from a
legitimate station that already has the correct SSID. To such a request,
there will be an Association Response frame from the AP. Both frames will
contain the SSID in the clear, and the attacker sniffs these. If the
station wishes to join any available AP, it sends Probe Requests on all
channels, and listens for Probe Responses that contain the SSIDs of the
APs. The station considers all Probe Responses, just as it would have
with the non-empty SSID Beacon frames, to select an AP. Normal association then
begins. The attacker waits to sniff these Probe Responses and extract the
SSIDs.
If Beacon transmission is disabled, the attacker has two
choices. The attacker can keep sniffing, waiting for a voluntary Association
Request to appear from a legitimate station that already has the correct SSID, and
sniff the SSID as described above. The attacker can also choose to
actively probe by injecting frames that he constructs, and then sniffing the
response as described in a later section.
When the above methods fail, SSID discovery is done by active scanning
(see Section 5).
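
The parsing behind the passive discovery described in this section, as an added example that is not part of the original text: it walks the tagged elements of the SSID-bearing management frames listed at the top of the section and reports which ones still expose the name when the Beacon is masked. The frames are constructed inline with hypothetical addresses and the SSID "CorpNet"; build_frame and exposure_report are illustrative names, and raw 802.11 frames without a radiotap header are assumed.

```python
# Added example: frames below are constructed, not captured traffic.
MAC_HEADER_LEN = 24  # frame control, duration, three addresses, sequence control

# Management subtype -> (name, bytes of fixed fields before the tagged elements)
SSID_FRAMES = {
    0: ("Association Request", 4),     # capability + listen interval
    2: ("Reassociation Request", 10),  # capability + listen interval + current AP
    4: ("Probe Request", 0),
    5: ("Probe Response", 12),         # timestamp + beacon interval + capability
    8: ("Beacon", 12),
}

def extract_ssid(frame: bytes):
    """Return (frame_name, ssid) for SSID-bearing management frames, else None.
    ssid is None when the element is absent, empty, or all null bytes (masked)."""
    if len(frame) < MAC_HEADER_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SSID_FRAMES:
        return None  # control/data frame, or a management frame without an SSID
    name, fixed_len = SSID_FRAMES[subtype]
    pos = MAC_HEADER_LEN + fixed_len
    while pos + 2 <= len(frame):  # walk the id/length/value elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:
            break  # truncated element: stop rather than read past the frame
        if elem_id == 0:  # SSID element
            masked = not value.strip(b"\x00")
            return name, None if masked else value.decode("utf-8", "replace")
        pos += 2 + elem_len
    return name, None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal management frame (hypothetical addresses) for the demo."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + b"\x02" * 12 + b"\x00\x00"
    fixed = b"\x00" * SSID_FRAMES[subtype][1]
    return header + fixed + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

def exposure_report(frames):
    """List (frame_name, ssid) for every frame that carried a readable SSID."""
    results = (extract_ssid(f) for f in frames)
    return [r for r in results if r and r[1] is not None]

if __name__ == "__main__":
    capture = [build_frame(8, b"\x00" * 7),   # Beacon with masked SSID
               build_frame(0, b"CorpNet"),    # station associating
               build_frame(5, b"CorpNet")]    # AP answering a probe
    for name, ssid in exposure_report(capture):
        print(f"{name}: SSID {ssid!r} visible in the clear")
```

Run against a capture of your own WLAN, the report shows that masking the Beacon SSID does not keep the name confidential once any client associates or probes.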