I was setting up one of my routers (WRT-54G with DD-WRT) to be able
to use it at home and noticed that when I'd set the AP's network ID
(happy), and run an "ifconfig rum0 scan", I get the following output:

# ifconfig rum0 scan
rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:3b:1e:f0:14
        priority: 4
        groups: wlan egress
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid Olympus chan 6 bssid 00:1d:7e:ba:5d:f0 120dB
wpapsk 0xa8b998937cb300969596b972ba6363abf2c8aa5080469cc0c74fba6a62733fd9
wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher
tkip 100dBm
                nwid 0x0000000000 chan 10 bssid 00:0c:41:75:cf:22 89dB
54M privacy,short_preamble,short_slottime
                nwid Olympus chan 6 bssid 00:1d:7e:ba:5d:f0 120dB 54M
privacy,short_preamble,short_slottime
        inet 192.168.1.17 netmask 0xffffff00 broadcast 192.168.1.255

The "nwid" field shows 10 zeros.

So I set the network ID to something longer (mega_happy_time)
and issued the same command:

# ifconfig rum0 scan
rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:3b:1e:f0:14
        priority: 4
        groups: wlan egress
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid Olympus chan 6 bssid 00:1d:7e:ba:5d:f0 120dB
wpapsk 0xa8b998937cb300969596b972ba6363abf2c8aa5080469cc0c74fba6a62733fd9
wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher
tkip 100dBm
                nwid 0x000000000000000000000000000000 chan 10 bssid
00:0c:41:75:cf:22 89dB 54M privacy,short_preamble,short_slottime
                nwid Olympus chan 6 bssid 00:1d:7e:ba:5d:f0 120dB 54M
privacy,short_preamble,short_slottime
        inet 192.168.1.17 netmask 0xffffff00 broadcast 192.168.1.255

With a 15-character nwid, it shows 30 zeros.  So, if I come across a
wireless with a hidden network, I can guess the number of characters
in the nwid.

Just for giggles, I set the nwid to "1" and ran it again...
# ifconfig rum0 scan
rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:3b:1e:f0:14
        priority: 4
        groups: wlan egress
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid Olympus chan 6 bssid 00:1d:7e:ba:5d:f0 120dB
wpapsk 0xa8b998937cb300969596b972ba6363abf2c8aa5080469cc0c74fba6a62733fd9
wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher
tkip 100dBm
                nwid 0x00 chan 10 bssid 00:0c:41:75:cf:22 89dB 54M
privacy,short_preamble,short_slottime
                nwid Olympus chan 6 bssid 00:1d:7e:ba:5d:f0 120dB 54M
privacy,short_preamble,short_slottime
        inet 192.168.1.17 netmask 0xffffff00 broadcast 192.168.1.255

This was on an AP set up with WPA2, with AES (CCMP), with the broadcast
set to "hidden".  I realize that this is probably not a big deal, but
I just thought it was interesting to point out.  I mean, without the
passphrase, it would be difficult to access the box.

This was on a laptop running a Hawking USB wireless (HWUG1) which
attaches to rum(4). I tried this on a cvs build from 15 September
2010.

Bryan
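
The observation in the message above, as an added example that is not part of the original post: a small Python check that reads "ifconfig <if> scan" output and reports the SSID length disclosed by every entry whose nwid is printed as all-zero hex. The function name and the sample text are assumptions made for this example; the sample is constructed in the style of the output quoted in the post.

```python
import re

# Constructed sample: two scan entries in the style of the output quoted
# in the post, including the line wrapping a mail client introduces.
SAMPLE_SCAN = """\
                nwid 0x0000000000 chan 10 bssid 00:0c:41:75:cf:22 89dB
54M privacy,short_preamble,short_slottime
                nwid Olympus chan 6 bssid 00:1d:7e:ba:5d:f0 120dB 54M
privacy,short_preamble,short_slottime
"""

# One scan entry: the nwid token, the channel, then the BSSID.
ENTRY = re.compile(
    r"nwid\s+(\S+)\s+chan\s+(\d+)\s+bssid\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# An nwid made only of NUL bytes is shown as 0x followed by "00" pairs.
ZEROED = re.compile(r"0x((?:00)+)", re.IGNORECASE)


def hidden_ssid_lengths(scan_text):
    """Return (bssid, channel, ssid_length) for each zero-filled nwid.

    Entries with a readable nwid are skipped. The length is the number
    of NUL bytes printed, which is two hex digits per SSID character.
    """
    # Long entries wrap across lines, so collapse all whitespace first.
    flat = " ".join(scan_text.split())
    results = []
    for nwid, chan, bssid in ENTRY.findall(flat):
        match = ZEROED.fullmatch(nwid)
        if match:
            length = len(match.group(1)) // 2
            results.append((bssid.lower(), int(chan), length))
    return results


if __name__ == "__main__":
    for bssid, chan, length in hidden_ssid_lengths(SAMPLE_SCAN):
        print(f"{bssid} chan {chan}: hidden SSID is {length} characters long")
```

Run against your own AP's scan entry, this shows whether the "hidden" setting zero-fills the SSID and still gives away its length.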
