[brachiator]

Today I was trying out KisMac for the first time, to see if I could pick up my neighbor's wireless network -- nothing sinister here; he's been asking me about securing his network and I told him I'd try to detect it in my part of the apartment bldg.

The big surprise to me was that my own network showed up, including the non-default SSID I'd set -- but I'd set up the WAP-router specifically to NOT broadcast the SSID?

What gives? I'm using a Linksys WAP 4-port router 802.11b...

Thanks!

[John Strung]

I think if you connect to an SSID once, your computer remembers it and automatically looks for it whenever it tries to connnect.

[ghporter]

John's right; your computer will remember its normal network, even if the SSID isn't being broadcast. The trick is to check YOUR OWN network with SOMEONE ELSE'S wireless computer.

[brachiator]

Oh, okay. Thanks, John and GHP.

I recall dimly about one's computer remembering one's usual (only?) network, but I didn't realize that this could be picked up by KisMac. I guess that it would be kept at a relatively low level by the sytem networking components, so that any (authorized, I'd hope) networking app would know it?

Thanks, again! I'll try searching for my network on my neighbor's computer.

[car1son]

I haven't used Kismac, but there are wireless stumblers that record the SSID by monitoring traffic of the client systems. It needs to see the client use the wirless network, so extended monitoring may be required, but the SSID is transmitted in the clear at that time. Combined with the recording of the client's MAC address and usual WEP cracker, anyone with the time, access, and will can jump onto your net.
If KisMac is a Mac port of Kismet, then it can probably do this (since Kismet can.)

[tooki]

If I recall correctly, the SSID is ALWAYS transmitted -- when you "disable" beaconing (i.e. public network), the WAP is simply adding a command to the WiFi client to not display that WAP in the list of available networks.

tooki

[brachiator]

That's interesting, tooki. I suppose that the transmission of the SSID is necessary to run the network, but it really reduces the level of security that one'd expect from the description "disable SSID broadcast." Oh, well, it is what it is... I know that all of the security is not going to protect a broadcast net from a knowledgeable and dedicated cracker. But I can dream, man -- I can dream!

Thanks, everyone!

[ginoledesma]

When a user disables broadcasting of SSIDs, what happens is that the SSID is simply removed from the beacon frame. If an 802.11x card successfully establishes a connection with an access point, the SSID is part of that frame. Programs like MacStumbler and KisMAC simply analyze the 802.11 frames that are found when someone connects/reconnects to an access point and extract the SSID.

Also, of important note is that the SSID is within the management frame of an 802.11 frame. WEP only encrypts the data portion of the frame, and not the management frames. So as long as someone "knows" the SSID, this can be easily sniffed.

[brachiator]

thanks, ginoledesma... So if I understand correctly, the stumbler won't be able to read the SSID from the beacon frame if SSID is disabled, although it can pick up the SSID as it is negotiated between the WAP and a client that knows the SSID (I'm guessing that there's a query/response initiated by the client that contains the SSID?)...

So, everything else being equal, my network is IMPREGNABLE! (at least from a disabled SSID standpoint ) while I am away at work, until I come home, open up my Powerbook, and connect? And then again until I dis/re-connect again?

[John Strung]

If you have not already done so, in addition to turning off SSID broadcast (and changing the default SSID), you should also use WEP and MAC address filtering.

Nothing is impregnable, but that will discourage anyone who is not really serious about breaking into your system.