SSID Hiding and MAC Filtering

From csn
Jump to navigation Jump to search

In this lab, we will show the vulnerabilities of SSID hiding and MAC filtering. This should illustrate why you would never use either of these mechanisms for security purposes.

Lab Setup

You should start by setting up a network as shown below.

Basic lab setup
Basic lab setup

AP Setup

We are going to start by hiding the SSID broadcast. Wireless networks are found/discovered by wireless clients in two ways; by using probe request messages and beacons. Both of these frame types contain the SSID. By hiding the SSID broadcast, the SSID, found in the beacon, is padded with zeros. Furthermore, the AP will not respond to probe requests which are sent by clients searching for surrounding APs. Hide the SSID under wireless->basic settings. Remember to save and apply. Once you have applied, your SSID should be hidden. You should find that you cannot connect to your AP without the SSID.

Both of the above mechanisms are bad security mechanisms. Both can be bypassed simply by monitoring the wireless medium using a special wireless mode called monitor mode and a network analysis tool called Wireshark. Once these values are known, MAC addresses can be changed with specific software and SSIDs can be manually entered. Later in the semester we will explore/show how these security mechanisms can be circumvented.

Wireshark

Open Wireshark with root. On the terminal, type

sudo wireshark

and start capturing on your wifi adaptor on PC1. Ping your access point over the link and ensure that you have captured these frames. Save your packet capture for later. What can you see? What is do you think might be missing?

Putting the wireless interface in monitor mode

Click the network icon in the top right and "Turn Off" Wifi. This will stop the OS from controlling our network device. Issue a:

david@chompsky:~$ sudo ifconfig -a

Identify which is your newly inserted wireless interface name (it should be the last one listed)

You can use one of the two methods below for putting your wireless card in monitor mode.

Method 1: the standard tools

Look for the wireless adaptor name in the output. On my computer, it was: wlx00c0ca84b9ab. Use the commands below changing the interface name to suit the computer in front of you.

sudo iwconfig wlx00c0ca84b9ab mode monitor
sudo ifconfig wlx00c0ca84b9ab up
sudo rfkill unblock all
sudo ifconfig wlx00c0ca84b9ab up

Method 2: using Aircrack

On the command line issue:

sudo rfkill unblock all
sudo airmon-ng start [interfacename] [channel]

If this works correctly then do another

ifconfig

You should have a new interface called mon0

Wireshark

Once you have setup your monitor mode interface you should open Wireshark:

sudo wireshark

Start capturing on your monitor mod interface. Remember that you can change the channel of your monitor mode adaptor by opening a terminal and typing:

sudo iwconfig wlx00c0ca84b9ab channel [Channel your AP is using]

You should notice that the beacons being transmitted by your access point have the SSID field filled with garbage. Look through these messages closely. Is it still possible to determine the SSID? Have a close look at the probe request and probe response messages when devices are connecting. Can you search for or filter for these messages?

Do you think this is a good security mechanism? Why/why not?

Change your MAC address

Note that you can also see all of the MAC addresses of connected stations. Look at your current MAC address with:

sudo ifconfig [interface_name]

Change your MAC address with:

sudo ifconfig [interface_name] down
sudo ifconfig [interface_name] hw ether [MAC:ADDRESS]
sudo ifconfig [interface_name] up

Take a look at your changed MAC address with:

sudo ifconfig [interface_name]

Hopefully, this lab should have shown why hiding the SSID and MAC address filtering are poor security mechanisms. You should also know and understand how easily they can be circumvented.