A hidden SSID is an option on every access point that stops it from broadcasting its SSID. When an access point does not broadcast the SSID, only clients that already know the preconfigured SSID can establish a connection. While legitimate clients connect to the access point, Probe Request and Probe Response packets are exchanged, and these packets contain the SSID of the wireless network. Using aireplay-ng and Wireshark the SSID can be revealed: aireplay-ng sends Deauthentication packets to the connected stations to force them to disconnect and reconnect, and Wireshark is then used to read the SSID of the wireless network from the frames that follow.
- airmon-ng start wlan0
This command creates the mon0 interface. You can check that mon0 was created with the ifconfig command.
- airodump-ng mon0
Where airodump-ng is the tool and mon0 is the monitor interface. Here we want to reveal the SSID of the access point with BSSID 00:05:59:49:A7:A0. The <length: 0> entry means that the SSID is hidden.
- airodump-ng -c 1 --bssid 00:05:59:49:A7:A0 mon0
Where airodump-ng is the tool, mon0 the interface, -c the channel and --bssid the MAC address of the access point. The figure above shows that there is one client connected, with MAC address 64:A7:69:AD:5F:D2.
The next step is to deauthenticate the client, using the following command.
- aireplay-ng -0 30 -a 00:05:59:49:A7:A0 -c 64:A7:69:AD:5F:D2 mon0
Where aireplay-ng is the tool, -0 selects the Deauthentication attack, 30 is the number of deauthentication packets to send, -a the MAC address of the wireless router, -c the MAC address of the client and mon0 the interface.
At this point Wireshark is used to view the deauthentication packets. The results can be isolated with the following display filter.
- wlan.fc.type_subtype == 0x0c
Finally, as soon as the client reconnects to the access point the SSID is revealed. Analyzing the Probe Responses from the access point we can see the SSID, as shown in the next picture. The following filter can be used to monitor all frames from the access point other than beacon frames (type/subtype 0x08).
- (wlan.bssid == 00:05:59:49:A7:A0) && !(wlan.fc.type_subtype == 0x08)
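As an added illustration, not part of the original write-up, the following Python decodes the 802.11 Frame Control field into the wlan.fc.type_subtype value used by the two Wireshark filters above (0x0c for deauthentication, 0x08 for beacons, 0x05 for probe responses), re-implements the second filter over a constructed capture summary, and shows the detection side: a sliding-window count of deauthentication frames per BSSID, which is the signal a wireless IDS uses to flag forced reconnections of this kind. The line format, the threshold and window, and the sample frames are constructed for the example; only the two MAC addresses come from the page. On the mitigation side, 802.11w Protected Management Frames authenticate deauthentication and disassociation frames so that forged ones are discarded by the client, but the SSID still travels in the clear in probe responses, so hiding it is not an access control.

```python
"""Decode 802.11 frame-control values and flag deauthentication bursts.

Added example for this page; it is not part of the original write-up.
Input lines use a constructed summary format, not real tshark output:
    <relative time> <frame control, 4 hex digits as on the wire> <bssid> <source> <destination>
"""
from collections import defaultdict, deque

# Wireshark's wlan.fc.type_subtype is (type << 4) | subtype. Management
# frames have type 0, so their value is simply the subtype.
TYPE_SUBTYPE_NAMES = {
    0x04: "Probe Request",
    0x05: "Probe Response",
    0x08: "Beacon",
    0x0A: "Disassociation",
    0x0C: "Deauthentication",
    0x20: "Data",
    0x28: "QoS Data",
}


def type_subtype(fc_hex):
    """Return wlan.fc.type_subtype for a Frame Control field given as the
    two bytes that appear on the wire, e.g. "c000" for deauthentication.
    In the first byte, bits 0-1 are the protocol version, bits 2-3 the
    frame type and bits 4-7 the subtype."""
    first = int(fc_hex[:2], 16)
    ftype = (first >> 2) & 0x3
    subtype = (first >> 4) & 0xF
    return (ftype << 4) | subtype


def parse_line(line):
    """Parse one constructed summary line into a record."""
    t, fc, bssid, sa, da = line.split()
    return {"time": float(t), "ts": type_subtype(fc),
            "bssid": bssid.lower(), "sa": sa.lower(), "da": da.lower()}


def filter_non_beacon(lines, bssid):
    """Python form of the Wireshark filter
    (wlan.bssid == bssid) && !(wlan.fc.type_subtype == 0x08)."""
    bssid = bssid.lower()
    return [r for r in map(parse_line, lines)
            if r["bssid"] == bssid and r["ts"] != 0x08]


def detect_deauth_bursts(lines, threshold=10, window=5.0):
    """Return {bssid: time} for each BSSID that sees at least `threshold`
    deauthentication frames (wlan.fc.type_subtype == 0x0c) within any
    `window` seconds; the time is when the threshold was first crossed."""
    recent = defaultdict(deque)
    alerts = {}
    for rec in map(parse_line, lines):
        if rec["ts"] != 0x0C:
            continue
        q = recent[rec["bssid"]]
        q.append(rec["time"])
        # drop frames that have fallen out of the window
        while rec["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["bssid"] not in alerts:
            alerts[rec["bssid"]] = rec["time"]
    return alerts


# Constructed sample capture (not a real trace) using the page's addresses:
# two beacons, a burst of twelve deauthentication frames aimed at the
# client, then the client's probe request and the AP's probe response.
AP = "00:05:59:49:a7:a0"
CLIENT = "64:a7:69:ad:5f:d2"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = (
    [f"{0.1 * i:.3f} 8000 {AP} {AP} {BCAST}" for i in range(2)]
    + [f"{0.250 + 0.1 * i:.3f} c000 {AP} {AP} {CLIENT}" for i in range(12)]
    + [f"1.600 4000 {BCAST} {CLIENT} {BCAST}",
       f"1.610 5000 {AP} {AP} {CLIENT}"]
)

if __name__ == "__main__":
    for rec in filter_non_beacon(SAMPLE_CAPTURE, AP):
        print(f"{rec['time']:.3f} {TYPE_SUBTYPE_NAMES.get(rec['ts'], hex(rec['ts']))}")
    for bssid, when in detect_deauth_bursts(SAMPLE_CAPTURE).items():
        print(f"deauth burst against {bssid} at t={when:.3f}s")
```

The threshold and window are deliberately parameters: on a busy network a handful of deauthentication frames per minute is normal (clients roaming, idle timeouts), so the values a monitoring system uses have to be tuned to the environment before the alert is trusted.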