Uncovering Hidden SSIDs

31 Jan

By default every access point broadcasts its SSID in its beacon frames. Some network administrators choose to configure the AP not to broadcast the SSID, reasoning that if a malicious user does not know a network exists, he cannot attack it. Although hiding the wireless network name is not a bad practice in itself, it offers no real security, because a determined attacker can discover the name with relative ease.

The first step is to create a monitor mode interface in order to be able to sniff wireless packets.

Enable Monitor Mode Interface

Then we run airodump-ng mon0 to start capturing raw 802.11 frames, which will reveal all the wireless networks in the area. As we can see in the image below, there is only one network that is not broadcasting its SSID.

Hidden Wireless Network

Alternatively, we can inspect the beacon frames in Wireshark, where we will notice that the SSID field is empty.

Beacon Frames - Hidden Wireless SSID

There are two ways to obtain the SSID for a wireless network that is not broadcasting.

  1. Passive
  2. Active

In the passive approach we monitor the wireless traffic and wait for a legitimate client to connect to the access point, then examine the Probe Request and Probe Response frames, which carry the SSID of the network.

Probe Response Packet contains the SSID

This technique is stealthier than the active one and is well suited to assessing a corporate wireless network, especially in the morning, when a variety of devices will try to connect and thereby reveal the network's presence.

The other method is to send deauthentication frames to all the clients on behalf of the access point, which in this case is the Wireless Pentest Lab. This forces every device connected to the access point to disconnect and reconnect, and the reconnection again generates Probe Response frames that reveal the cloaked SSID.

We can send the deauthentication frames with aireplay-ng, as shown below:

Sending deauthentication packets

The value 5 is the number of deauthentication frames to send, and -a specifies the MAC address of the access point. As the next screenshot shows, after the deauthentication frames the Probe Response frames are generated again, and because these frames are not encrypted they disclose the wireless SSID.
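The frames discussed above, seen from the monitoring side, as an added example that is not part of the original post: it parses constructed 802.11 management frames, flags a BSSID whose beacons carry an empty or NUL-padded SSID element, records the name that the same BSSID's probe responses disclose in clear, and counts deauthentication frames, a burst of which is what a wireless IDS would alert on. The frame builder, the BSSID 00:11:22:33:44:55 and the SSID "PLAB1" are constructed sample data.

```python
from collections import defaultdict
BEACON, PROBE_RESP, DEAUTH = 8, 5, 12  # 802.11 management frame subtypes

def parse_mgmt(frame):
    """Return (subtype, bssid, body) for a management frame, or None for anything else."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    subtype = (frame[0] >> 4) & 0xF
    return subtype, frame[16:22].hex(":"), frame[24:]    # Addr3 is the BSSID

def ssid_ie(body):
    """Walk the tagged parameters after the 12 fixed bytes (timestamp, interval, capabilities)."""
    pos = 12
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        if eid == 0:                                      # Element ID 0 = SSID
            return body[pos + 2:pos + 2 + length]
        pos += 2 + length
    return None

def analyze(frames):
    """Per BSSID: does it beacon a cloaked SSID, what do its probe responses reveal, how many deauths."""
    report = defaultdict(lambda: {"cloaked": False, "revealed": None, "deauths": 0})
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid, body = parsed
        if subtype == BEACON:
            ssid = ssid_ie(body)
            # a hidden network beacons an empty SSID IE or one padded with NUL bytes
            if ssid is not None and ssid.strip(b"\x00") == b"":
                report[bssid]["cloaked"] = True
        elif subtype == PROBE_RESP:
            ssid = ssid_ie(body)
            if ssid:                                      # probe responses carry the real name in clear
                report[bssid]["revealed"] = ssid.decode("utf-8", "replace")
        elif subtype == DEAUTH:
            report[bssid]["deauths"] += 1                 # a burst here is the active-method signature
    return dict(report)

def build_mgmt(subtype, bssid, body):
    # constructed sample frame: frame control, duration, DA=broadcast, SA=BSSID=bssid, seq ctrl, body
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\x00\x00" + body

FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"           # timestamp, beacon interval, capabilities
AP = bytes.fromhex("001122334455")                        # constructed BSSID, not a real device
SAMPLE = [build_mgmt(BEACON, AP, FIXED + b"\x00\x00"),            # beacon with empty SSID IE
          build_mgmt(PROBE_RESP, AP, FIXED + b"\x00\x05PLAB1")]   # probe response carrying "PLAB1"
SAMPLE += [build_mgmt(DEAUTH, AP, b"\x07\x00")] * 5               # five deauth frames, reason code 7
```

Running `analyze(SAMPLE)` reports the constructed BSSID as cloaked, with the revealed name "PLAB1" and five deauthentication frames; on real captures the same logic can be fed from a monitor-mode pcap.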

Generation of Probe Response Packets

Posted by on January 31, 2015 in Wireless