Wireless Security
SSID cloaking reducing WLAN security Mar 05 2007 10:50PM Joshua Wright (jwright hasborg com) (2 replies)
Re: SSID cloaking reducing WLAN security Mar 07 2007 08:37AM Jex (hewhohuntscats gmail com) (1 replies)
Re: SSID cloaking reducing WLAN security Mar 06 2007 01:03PM Cedric Blancher (blancher cartel-securite fr) (1 replies)
> 1) Correct me if I'm wrong here, but isn't the SSID, when not cloaked,
> picked up anyways?
Yes right.
SSID cloaking is just a dumb way to fight dumb tools that just rely on
sending probe requests. A tool like Kismet relies more on monitoring
traffic. Thus, any time someone will send a probe request, it will pick
it up. Any time someone will associate to an AP, it will see it.
Therefore, in this kind of situation, cloaking SSID is pretty useless if
users are around.
> Cloaking the SSID keeps your Average Joe Bob from picking up your
> network and even knowing it exists,
Not really. Cloaking your SSID does not mean you don't send beacons
anymore. They just don't advertise your SSID. Therefore, Joe Bob will
know your network is there, but won't be able to associate to it (yet).
Now, let's put it another way. You need to know SSID to associate.
Right. But do you really need to associate ? Not necessarily. If it's an
open or WEP network, and someone is already associated, then you just
need to spoof his MAC address, manually set an IP address in the
appropriate range and you're in. Plain simple... If you're using WPA or
WPA2, what's the point in cloaking your SSID provided your PSK (or
802.1x method and credentials) is strong enough ?
> 2) Does a wireless router encrypt, or otherwise have any standing
> security layer that it turns off when it's cloaked? IIRC, it doesn't
> do anything different when it broadcasts itself.
SSID cloaking is just an addon, not something you trade against another
security feature.
Joshua's article reminds me of WEP authentication, which is, like SSID
cloaking, on one hand just useless and on the other hand a huge
vulnerability ! Two useless so-called security features ending up as
vulnerabilities. Great...
> I'm fairly new to the network security scene, only being a SysAdmin In
> Training, but I don't think it does, like somehow broadcast the SSID
> in a 'secure' fashion when it's not cloaked.
Broadcasting your SSID should not have a security impact.
You want to be secure ? Use active security: authentication and
encryption. Period. WPA and WPA2 are here to achieve this. Do you think
it makes you secure to have "nc -lp 31337 -e /bin/sh" running as root
because it runs on port 31337 ?...
> If you've got your wifi up and it's trying to pick up a preferred
> cloaked SSID, and aren't at it, and broadcasts the SSID, then some
> ad-hoc wifi virus can pick up on that and use that. But again, what's
> to stop said ad-hoc wifi virus from doing it with a non-cloaked SSID?
> In fact, wouldn't a non-cloaked SSID be -easier- to pick up and try to
> use this in?
WPA/WPA2 provides mutual authentication between client and AP.
Therefore, rogue AP attacks will just fail, provided your PSK is strong
enough. Again, active and real security protects you, where obscurity
does not.
> 4) An alternate reading that can be derived from this article is that
> some companies are using cloaked SSIDs as their ONLY authentication
> mechanism, and they're at risk from anyone higher than Random Joe Bob
> who can operate a wifi sniffer.
> ... which, on the companies' part, is dumb.
Just my point.
If they want to have security, like access control for instance, then
they have to use REAL access control mechanisms, not obscurity, which is
not even achieved with SSID cloaking BTW...
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Cansecwest/core07 *WiFi (in)Security* Security Masters Dojo, Vancouver
http://cansecwest.com/dojowifi.html (Scapy WiFi programming included ;)
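
Added example, not part of the original message: a small 802.11 management-frame parser showing why a cloaked beacon still announces the network while probe responses and association requests carry the SSID in the clear. The function names (`ssid_of`, `audit`, `mgmt`), the MAC addresses and the SSID "corpnet" are assumptions, and every frame is constructed rather than captured.

```python
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}   # fixed fields after the 24-byte header
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def ssid_of(frame):
    """Return (kind, bssid, ssid) for a management frame; ssid is None when cloaked."""
    subtype = frame[0] >> 4 if len(frame) >= 24 else None
    if subtype not in FIXED_LEN or (frame[0] >> 2) & 3 != 0:   # too short or not management
        return None
    bssid = frame[16:22].hex(":")                 # address 3 of the header
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):                  # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:                     # truncated element: stop parsing
            break
        if eid == 0:                              # element ID 0 is the SSID
            cloaked = elen == 0 or not any(value) # empty or all-NUL means hidden
            return NAMES[subtype], bssid, None if cloaked else value.decode("utf-8", "replace")
        pos += 2 + elen
    return NAMES[subtype], bssid, None

def audit(frames):
    """For each BSSID beaconing a hidden SSID, list the frames that expose the name."""
    hidden, seen = set(), {}
    for frame in frames:
        parsed = ssid_of(frame)
        if parsed is None:
            continue
        kind, bssid, ssid = parsed
        if kind == "beacon" and ssid is None:
            hidden.add(bssid)
        elif ssid is not None:
            seen.setdefault(bssid, []).append((kind, ssid))
    return {b: seen.get(b, []) for b in hidden}

def mgmt(subtype, dst, src, bssid, fixed, ssid):
    """Build a minimal management frame (constructed test data)."""
    header = bytes([subtype << 4, 0]) + bytes(2) + dst + src + bssid + bytes(2)
    return header + fixed + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLE = [                                              # constructed frames, not a capture
    mgmt(8, BCAST, AP, AP, bytes(12), bytes(7)),        # cloaked beacon, NUL-padded SSID
    mgmt(4, BCAST, STA, BCAST, b"", b"corpnet"),        # client probing for the name
    mgmt(5, STA, AP, AP, bytes(12), b"corpnet"),        # AP's probe response
    mgmt(0, AP, STA, AP, bytes(4), b"corpnet"),         # association request
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```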