Kismet Wireless

Kismet Forums


Posted by: PAinguIN
Subject: Cloaked/Non-Broadcasting SSID with Encryption?
Date: 04:05:53 11/11/2012

> > Hi all....
> >
> > I've been working with a friend trying to determine why we are having problems collecting data from an AP.
> >
> > Typically in Kismet, if an AP is not broadcasting an SSID there is no encryption as you need to know the SSID to connect. Well, after Kismet monitors an association from Client to AP the SSID becomes apparent (usually).
> >
> > Well, in this case, the SSID is cloaked/non-broadcasting and Kismet shows that encryption is enabled and that it is WEP.
> >
> > After collecting over 20,000 IVs, Aircrack is still unable to decipher the key.
> >
> > This is not typical by any means. The SSID would show if the network was not encrypted but since this one is (and I'm not sure how unless this 3Com Router supports that) the SSID cannot be determined.
> >
> > Shouldn't matter because packets are being captured using the BSSID/MAC to identify the AP.
> >
> > Here is a screenshot of what's going on. Notice there are two APs with a "Hidden" SSID which are encrypted. Any input would be appreciated.
> >
> > http://imageshack.us/photo/my-images/22/wep1.jpg/
> >
> > Regards,
> >
> > PAinguIN
>
> I'm not sure about the SSID not showing up, but you are correct that you can use the BSSID to identify the AP. Also, you can (and I often recommend) cloak and encrypt your AP, since simply turning off broadcast on your AP will not by any means hide your AP; you can still see traffic to/from it. Lastly, 20,000 IVs is a good start, but I've had to collect upwards of 40,000 IVs from my own APs before, and documentation I have read on pen testing WEP (a couple of years old) suggested needing up to ~100,000 IVs.
>
> Maybe Dragorn will have a little more insight into this issue.

Thank you for your input lasertab!

Yeah, I've dealt with some WLANs that have required insanely large numbers of IVs, and then I've dealt with some where you only needed 5,000-15,000. It's a crap shoot really: you just never know how many IVs you'll need, and you also can never tell how quickly you will be able to capture packets containing IVs.

But you agree that, even though an AP is not broadcasting its SSID, one should still be able to "crack" a WEP key using the BSSID/MAC to identify the AP?

Perhaps you are right that it may simply take a larger number of IVs. But what about the "W" under the "C" column? Any idea what that stands for? I haven't been able to find anything on it on the site here or by searching the web.

Thanks again!

PAinguIN
