lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Tue, 30 Jan 2007 20:35:18 -0600
From:	Larry Finger <>
To:	Jouni Malinen <>
CC:	Dan Williams <>,
	Johannes Berg <>,
	netdev <>,
	LKML <>
Subject: Re: Hidden SSID's

Jouni Malinen wrote:
> On Tue, Jan 30, 2007 at 01:08:29AM -0600, Larry Finger wrote:
>> Any AP with a hidden SSID will only respond to probe requests that specify its SSID, and will ignore
>> any other probes. In addition, the response will have an empty SSID field. These responses are the
>> only ones in which a substitution would occur. These are the same responses where the current code
>> sends back the "<hidden>" pseudo-SSID. My change would put the correct one there.
> Is the SSID from the probe response really used here? Your patch did not
> look like that.. The SSID from the last scan request command may not be
> the one that triggered the last scan (e.g., one could request a new scan
> without specifying an SSID).

If one does the equivalent of 'iwlist eth1 scan essid myssid', then a probe response with
NETWORK_EMPTY_ESSID set in the network flags will have 'myssid' returned in the SSID field of the
returned buffer. If the input command were 'iwlist eth1 scan', then an empty SSID would be returned
under the same circumstances. My code saves the SSID that is in the extra argument of the
SIOCSIWSCAN call, and uses that in the SIOCGIWSCAN call.
>> We aren't guessing. The response frame with the empty SSID field must have come from the AP with the
>> SSID we want. Filling in the expected value is just making it easier for the user-space tools.
> I don't see how the proposed patch would be using the correct SSID value
> in all cases. Especially cases where there are multiple APs using hidden
> SSIDs, but with different real SSID values and cases where multiple scan
> requests are being processed would be likely to leave windows open for
> reporting incorrect SSID.

I can think of one instance where the wrong value could be reported. That is if some other STA
probes a different hidden AP just when we have sent a probe request. For WPA this should not cause a
problem as wpa_supplicant will sort that out while authenticating.

What is the method that should be used to associated with a given hidden AP?


To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists