Protected WLAN

Tim Smith tim at electronghost.co.uk
Mon May 23 16:28:41 UTC 2011


On Monday 23 May 2011 16:36:00 Tim wrote:
> On Mon, 2011-05-23 at 13:58 +0100, Tim Smith wrote:
> > One problem lies in the fact that 802.11 does not specify a particular
> > means of giving a NULL SSID so different APs do it in different ways.
> > Some give a zero-length SSID. Some give an SSID of length 1 consisting
> > of a zero octet (a C null-terminated empty string). Some use a single
> > ASCII 32. Some use a number of spaces equal to the length of the real
> > SSID. You will thus find all sorts of rubbish in your list of
> > available APs when looking at it using a station. Some of the older
> > ones may Go All Funny :-(
> > 
> > However, the SSID WILL be present in a probe response to a probe
> > request which contained it, so it's available to anyone with a
> > sniffer. This has to be the case or no stations would ever be able to
> > find it to associate, as you obviously know :-)
> 
> In essence, when you *try* to hide your SSID, it doesn't stop
> broadcasting a SSID, it broadcasts a bogus one?  Plus providing the real
> SSID details in other transmissions?

Yup.

> So, that would make it harder for you to connect to the ID you manually
> type into your client.  Not to mention the fun and games of picking your
> random ID from the neighbour's random ID?

Not really. This is SSID, not BSSID (BSSID is usually the MAC of the AP).
When you scan, you not only listen for beacons, but you (should) send probe 
requests. If you put an SSID into your probe request, you will get a 
response only from a BSS with a matching SSID, so you broadcast saying 
"network named 'MyHouseNetwork' please respond" at which point you get the 
response from the real BSS which has the real SSID in it and not the bogus 
one that went in the beacons.

This is not for security of the SSID, but because you also supply that SSID 
when you associate, so the AP may route you to different authentication 
systems depending on which "network" you're trying to connect to. It's sort 
of like having virtual IPs on one ethernet MAC. But only sort of.

> Though, whatever the specs say about what's supposed to be done, it's
> certainly been shown that various different things have a lot of trouble
> associating with the right access point, or any access point, when
> there's no SSID being sent.

Yup. There's a lot of broken kit out there :-) How your station chooses to 
store and query the scan information is a good source of bugs.

-- 
But while the ant gathered food, the grasshopper contracted to a point on a 
manifold that was NOT a 3-sphere...
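The beacon/probe behaviour described above, as an added example that is not part of the original thread: a small Python parser that walks the tagged parameters of a beacon or probe-response body, classifies the SSID element (element ID 0) into the four "hidden SSID" styles the post lists, and a toy model of the AP side of the directed-probe exchange. The frame bodies, the style names and the rule that the hiding AP answers only a probe carrying the matching SSID (and stays silent otherwise) are assumptions made for illustration, not behaviour taken from any particular AP.

```python
# Added example, not code from the original thread. Constructed 802.11
# tagged-parameter bodies; only the SSID element (ID 0) is interpreted.
from typing import List, Optional, Tuple

SSID_ELEMENT_ID = 0  # 802.11 information element ID for the SSID


def build_element(element_id: int, payload: bytes) -> bytes:
    """Encode one tagged parameter: ID octet, length octet, payload."""
    if len(payload) > 255:
        raise ValueError("information elements carry at most 255 payload octets")
    return bytes([element_id, len(payload)]) + payload


def parse_elements(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk a tagged-parameter blob and return (element_id, payload) pairs.
    Truncated or dangling elements are rejected instead of being half-read,
    which is where the 'broken kit' bugs the post mentions tend to live."""
    elements = []
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("dangling element header")
        element_id, length = body[offset], body[offset + 1]
        payload = body[offset + 2:offset + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        elements.append((element_id, payload))
        offset += 2 + length
    return elements


def classify_ssid(payload: bytes) -> Tuple[bool, str]:
    """Return (hidden, description) for an SSID element payload, using the
    four hiding styles named in the post. Anything else is taken as real."""
    if payload == b"":
        return True, "zero-length SSID"
    if payload == b"\x00":
        return True, "single NUL octet"
    if payload == b" ":
        return True, "single ASCII 32"
    if payload.strip(b" ") == b"":
        # Spaces equal to the real SSID's length: the length itself leaks.
        return True, f"{len(payload)} spaces (real SSID length leaked)"
    return False, payload.decode("utf-8", errors="replace")


def scan_beacon(body: bytes) -> Tuple[bool, str]:
    """Classify the SSID advertised in one beacon (or probe response) body."""
    for element_id, payload in parse_elements(body):
        if element_id == SSID_ELEMENT_ID:
            return classify_ssid(payload)
    raise ValueError("no SSID element in frame body")


def beacon_body(real_ssid: bytes, style: str) -> bytes:
    """Construct the SSID element an AP hiding its SSID might put in a
    beacon, one per behaviour the post lists (style names are assumed)."""
    bogus = {
        "zero-length": b"",
        "nul": b"\x00",
        "space": b" ",
        "spaces": b" " * len(real_ssid),
        "visible": real_ssid,  # not hiding at all
    }[style]
    return build_element(SSID_ELEMENT_ID, bogus)


def probe_response(real_ssid: bytes, probe_ssid: bytes) -> Optional[bytes]:
    """Toy AP side: answer a directed probe only when its SSID matches, and
    put the real SSID in the response, as the post describes. Assumption:
    the hiding AP stays silent on anything else, including an empty probe."""
    if probe_ssid == real_ssid:
        return build_element(SSID_ELEMENT_ID, real_ssid)
    return None


if __name__ == "__main__":
    real = b"MyHouseNetwork"
    for style in ("zero-length", "nul", "space", "spaces", "visible"):
        hidden, desc = scan_beacon(beacon_body(real, style))
        print(f"{style:12s} hidden={hidden!s:5s} {desc}")
    print("directed probe  ->", scan_beacon(probe_response(real, real)))
    print("wrong-name probe ->", probe_response(real, b"Neighbour"))
```

Running it shows the practical point of the post from the station's side: the four beacon styles all classify as hidden but look different in a scan list, and only the directed probe with the right name gets a response that carries the real SSID. The "spaces" style also demonstrates why it is the weakest of the four: the element length gives away the length of the real name.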
