On hidden WiFi networks
Disabling SSID broadcast is not a security measure and may hurt your privacy. For opting out of location services, refer to n/nomap.
Automatically generated Table of Contents
- The issue with hidden networks
- Connecting to a hidden network
- Seeing hidden networks
- QR codes for hidden SSIDs
The issue with hidden networks
When you hide your WiFi network, your access point (AP) still announces its existence by MAC (Media Access Control) address, just without a name. Some location services, such as WiGLE, will still record its existence (n/nomap), and as the Service Set IDentifier (SSID) is required for connecting, your devices will shout it out everywhere they go, asking for it. Someone scanning around can therefore identify and possibly track you, as not many people are likely to be probing for the same set of SSIDs.
I have said it before, but I am a fan of openwireless.org and wonder whether hiding that SSID, so as not to reveal myself so obviously on WiGLE (hidden SSIDs being more common), would still work for promoting it: those with the ability to see it would be more likely to be interested in opening their network, as opposed to people who simply never see it.
Connecting to a hidden network
Please remember to replace `wlan0` with your actual interface name if applicable.
SailfishOS displays the MAC addresses, and I understand Windows displays “hidden network” or something similar as well. Android and iOS require entering the name through manual adding and warn about hidden networks; on Linux, at least NetworkManager has a button “connect to hidden network”.
`iwd` provides the commands `iwctl station wlan0 get-hidden-access-points` and `iwctl station wlan0 connect-hidden`, although they may require `iwctl station wlan0 scan` first. In `/var/lib/iwd/<ssid>.<type>` there would be

```
[Settings]
Hidden = true
```
Seeing hidden networks
Many platforms have apps for this, however Android prevents getting the hidden SSID, so I am focusing on Linux. The required Fedora package is `aircrack-ng`.
- Switch to monitoring mode through `airmon-ng start wlan0`
- If there are warnings about interfering services, stop them or run `airmon-ng check kill`. This will likely disconnect your network connectivity, unless you have multiple NICs.
- `airodump-ng wlan0`
- Wait patiently as ESSID `<length: 0>` gets replaced with the actual SSID once devices connect. At the bottom you will see devices asking for specific SSIDs.
- This could be sped up by exploiting WiFi vulnerabilities, but that would no longer be in the white hat territory and thus I don’t concern myself with it.
Returning to normalcy
- Exit `airodump-ng` with Ctrl-C as usual.
- Exit monitoring mode through `airmon-ng stop wlan0phy`
- Restart your network management (the `airmon-ng start wlan0` and `airmon-ng check kill` probably gave you a hint); for me it’s `systemctl restart iwd NetworkManager`, while `wpa_supplicant` would be more common.
TODO
I should investigate and write about these:
- `man airodump-ng` may have nice flags, as currently nothing is stored.
- Security people should have some data to compare against on what is normal in the network environment and when changes happen. Then again, with less data stored there is less chance of doing something illegal by accident, while I think the passive listening this page focuses on is the same as the “scan all” button on a VHF radio.
- I think `kismet` does the same as `airodump-ng`, while it may be more focused on wardriving.
QR codes for hidden SSIDs
`zxing` and Wikipedia agree on `WIFI:T:WPA;S:mynetwork;P:mypass;;`, so my wondering would be `WIFI:T:nopass;S:openwireless.org;;H:true;` where only `P:mypass` got omitted.
```
# The capital H is the highest error correction, others are LMQ
% qrencode -l H -t utf8 "WIFI:T:nopass;S:openwireless.org;;H:true;"
[QR code rendered in the terminal as UTF-8 block characters]
```
While the above looks messy in my `jekyll serve -l`, Binary Eye detected it regardless.
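As an added example (not code from the original post), here is a small Python builder and parser for the `WIFI:` payload in the zxing/Wikipedia convention, where `H:true` sits before the `;;` terminator; the parser skips empty fields, so it also accepts the `;;H:true;` variant above. The backslash escaping of `\`, `;`, `,` and `:` follows the zxing wiki, and the function names and sample SSIDs are my own.

```python
def _escape(value: str) -> str:
    """Backslash-escape the characters the zxing wiki reserves in WIFI: fields."""
    return "".join("\\" + c if c in '\\;,:' else c for c in value)

def _split_fields(body: str) -> list:
    """Split on ';' while honouring backslash escapes, unescaping as we go."""
    fields, cur, i = [], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):  # escaped char: keep it literally
            cur.append(body[i + 1])
            i += 2
            continue
        if c == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))  # unterminated trailing field, if any
    return fields

def build_wifi_qr(ssid: str, security: str = "nopass", password: str = "",
                  hidden: bool = False) -> str:
    """Build a WIFI: payload: T, S, optional P, 'H:true' if hidden, ';;' terminator."""
    if security not in ("WPA", "WEP", "nopass"):
        raise ValueError("security must be WPA, WEP or nopass")
    if (security == "nopass") == bool(password):
        raise ValueError("a password is required exactly when the network is secured")
    fields = [f"T:{security}", f"S:{_escape(ssid)}"]
    if password:
        fields.append(f"P:{_escape(password)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"

def parse_wifi_qr(payload: str) -> dict:
    """Parse a WIFI: payload; empty fields are skipped, so '...;;H:true;' parses too."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    info = {"ssid": None, "security": "nopass", "password": None, "hidden": False}
    keys = {"S": "ssid", "T": "security", "P": "password"}
    for field in filter(None, _split_fields(payload[len("WIFI:"):])):
        key, _, value = field.partition(":")
        if key == "H":
            info["hidden"] = value.lower() == "true"
        elif key in keys:
            info[keys[key]] = value
    return info
```

An SSID such as `Cafe; Free:Net` round-trips through `build_wifi_qr` and `parse_wifi_qr` unchanged, which a naive `split(";")` would break.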