How To Find a Hidden SSID Name

July 17, 2015 by admin

Known as security through obscurity, many people hide their SSIDs from broadcasting. Just like MAC address blocking, this is a worthless form of protection.
A hidden SSID is less secure than many think. It's like the wizard hiding behind the curtain: the name is still sent over the air in the clear whenever a client joins, and a client that knows a hidden network has to probe for it by name, so it announces that name wherever it goes.

It just does not add any value to your security and, like MAC address blocking, it adds complication with no reward.
Today I am going to show you how easy it is to reveal and find a hidden network using Kali Linux. First things first.

Hidden SSIDs

You will sometimes see <length: ?> as the SSID on the airodump-ng display. This means the SSID is hidden; the number shown in place of "?" is normally the length of the SSID.
For example, if the SSID were "test123" it would show up as <length: 7>, where 7 is the number of characters. When it shows <length: 0> or <length: 1>, the AP does not reveal the actual length and the real length could be any value.

You will need a compatible wireless card, meaning one whose driver supports monitor mode and packet injection. I recommend these compatible wireless cards:


Compatible Wireless Cards

Alfa Networks AWUS036H - Works!
Alfa Network AWUS036NH - Untested!
TP-LINK TL-WN722N - Works!

Optionally, a WiFi signal amplifier can add roughly 20 dB of gain, which helps when the target's clients are at the edge of your card's range.

Let's get started!

Let's see what wireless cards are connected to our device using the following command: iwconfig

Next, put the card into monitor mode so it can capture and inject raw 802.11 frames. airmon-ng creates a monitor interface, mon0, which the rest of the commands use: airmon-ng start wlan0

Now we run the following command to find hidden networks around us: airodump-ng mon0

Discover networks within range using airodump-ng

As you can see from the devices found, we have one with a hidden SSID. This hidden SSID is shown as <length: x>, with x being the number of characters in the SSID; some access points do not reveal this number. Honestly, the length does not matter much to us. What we are interested in is the clients attached to that access point.

All we have to do is de-authenticate a client: when it re-authenticates it sends the SSID through the air in the clear (the association request carries the network name), so we can read it straight out of the capture. Let's run airodump-ng again and filter out everything but the access point in question, using the channel from the CH column and the BSSID from the first display:

airodump-ng -c 5 --bssid BC:F6:85:BF:4F:70 mon0

Explanation of the switches:

-c = channel of the target access point (the CH column in the airodump-ng display).
--bssid = MAC address of the target access point.

Target Hidden SSID

Here we can see the target access point with one client attached. We now need to de-authenticate this client and watch for the SSID while it re-authenticates.

Connected Client to AP

Now open a new terminal window and leave airodump-ng running.

Run the following command in the new terminal.

aireplay-ng -0 30 -a BC:F6:85:BF:4F:70 -c 00:24:07:67:20:48 mon0

This knocks the target client off the access point; when it reconnects to the hidden SSID it names the network in the clear.

The switches for this command are as follows:

-0 = attack mode 0, de-authentication. The number following it is how many deauths to send; 0 means keep sending until you stop it.
-a = target access point MAC address
-c = target client MAC address (leave it out and the deauth is broadcast to every client of the AP)

Now switch back to the original terminal window that still has airodump-ng running.

This is what it should now look like.

Hidden SSID name

As you can see, we now know that the SSID of the target router is "The Interweb".
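To make the two points above concrete, what <length: x> actually is in the beacon and why de-authenticating a client gives up the name, here is an added example that is not code from the original article. It builds and parses the 802.11 management frames involved: a cloaked beacon (reported the way airodump-ng shows it), the deauthentication frame that aireplay-ng -0 transmits, and the client's association request that carries the SSID in the clear. All frames are constructed by hand; only the AP address, the client address and the SSID "The Interweb" are taken from the article, and the frame and element layouts follow the 802.11 standard.

```python
# Added example, not code from the original article: the 802.11 management
# frames behind a "hidden" SSID. Frames are constructed by hand; only the AP
# and client addresses and the SSID "The Interweb" come from the article.
import struct

AP_BSSID = "BC:F6:85:BF:4F:70"
CLIENT = "00:24:07:67:20:48"
BROADCAST = "FF:FF:FF:FF:FF:FF"
ASSOC_REQ, PROBE_RESP, BEACON, DEAUTH = 0x0, 0x5, 0x8, 0xC  # type-0 subtypes
SSID_IE = 0                                                  # SSID element id


def mgmt_frame(subtype, dst, src, bssid, body):
    """24-byte header: frame control (version 0, type 0 = management, subtype in
    bits 4-7), duration, addr1 = dst, addr2 = src, addr3 = BSSID, seq control."""
    header = struct.pack("<HH", subtype << 4, 0)
    for mac in (dst, src, bssid):
        header += bytes.fromhex(mac.replace(":", ""))
    return header + struct.pack("<H", 0) + body


def ssid_ie(data):
    return bytes([SSID_IE, len(data)]) + data


def beacon(bssid, ssid_data):
    # Fixed fields before the elements: timestamp, beacon interval, capability.
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return mgmt_frame(BEACON, BROADCAST, bssid, bssid, fixed + ssid_ie(ssid_data))


def assoc_request(bssid, client, ssid_data):
    # Fixed fields: capability, listen interval. The client names the network it
    # wants to join, and this is the frame that leaks a hidden SSID.
    fixed = struct.pack("<HH", 0x0411, 10)
    return mgmt_frame(ASSOC_REQ, bssid, client, bssid, fixed + ssid_ie(ssid_data))


def deauth(dst, src, bssid, reason=7):
    # What `aireplay-ng -0` sends: reason 7, class 3 frame from a non-associated STA.
    return mgmt_frame(DEAUTH, dst, src, bssid, struct.pack("<H", reason))


def find_ssid_ie(ies):
    """Walk the tagged parameters and return the raw SSID element data."""
    i = 0
    while i + 2 <= len(ies):
        ie_id, ie_len = ies[i], ies[i + 1]
        if ie_id == SSID_IE:
            return ies[i + 2:i + 2 + ie_len]
        i += 2 + ie_len
    return None


def describe_ssid(data):
    """Mirror the airodump-ng display: an empty SSID element, or one padded with
    NUL bytes to the real length, is shown as <length: N>."""
    if data is None:
        return None
    if not any(data):
        return f"<length: {len(data)}>"
    return data.decode("utf-8", errors="replace")


def parse_mgmt(frame):
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        return None                       # not a management frame
    subtype = (fc >> 4) & 0xF
    info = {"subtype": subtype, "bssid": frame[16:22].hex(":").upper()}
    body = frame[24:]
    if subtype == DEAUTH:
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
    elif subtype in (BEACON, PROBE_RESP):
        info["ssid"] = describe_ssid(find_ssid_ie(body[12:]))
    elif subtype == ASSOC_REQ:
        info["ssid"] = describe_ssid(find_ssid_ie(body[4:]))
    else:
        return None
    return info


def reveal(frames):
    """Per BSSID: beacons only yield the <length: N> marker; the association
    request (or a directed probe response) yields the real name."""
    seen = {}
    for frame in frames:
        info = parse_mgmt(frame)
        if not info or not info.get("ssid"):
            continue
        entry = seen.setdefault(info["bssid"], {"beacon": None, "ssid": None})
        if info["subtype"] == BEACON:
            entry["beacon"] = info["ssid"]
        elif not info["ssid"].startswith("<length:"):
            entry["ssid"] = info["ssid"]
    return seen


# Constructed capture: two cloaked beacons, the deauth, then the re-association.
CAPTURE = [
    beacon(AP_BSSID, b""),               # <length: 0>: even the length is hidden
    beacon(AP_BSSID, b"\x00" * 12),      # <length: 12>: length leaks, name does not
    deauth(CLIENT, AP_BSSID, AP_BSSID),  # aireplay-ng -0 1 -a <AP> -c <client>
    assoc_request(AP_BSSID, CLIENT, b"The Interweb"),
]

if __name__ == "__main__":
    for bssid, entry in reveal(CAPTURE).items():
        print(f"{bssid}  beacon shows {entry['beacon']}  real SSID: {entry['ssid']}")
```

Run it as a script to replay the constructed capture. reveal() is exactly what a passive sniffer does with the same frames, which is why the attack also works without aireplay-ng if you are willing to wait for a client to (re)connect on its own; the deauth only shortens the wait.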

Unable to Reveal Hidden SSID name?

If it does not work the first time, run aireplay-ng again until it does. Be aware that a client kicked off repeatedly may reconnect to another access point nearby instead of the target, in which case it never sends the SSID you are after; too many deauths can cost you the only client you had.

Troubleshooting issues

BSSID PWR is -1

If the PWR is -1 for the access point, the driver doesn't support signal level reporting.
If the PWR is -1 for only some stations, you are receiving the packets from the AP to the client but the client's own transmissions are out of range of your card, so you are hearing only half of the conversation; your injected deauth frames may not reach that client either. If all clients show PWR as -1, the driver doesn't support signal level reporting.

NOTHING UNDER STATION

If nothing shows up under STATION, no devices are connected over wireless. This attack requires a device to be connected over wireless, so sadly you will have to wait for a device to connect (or for a client that has the hidden network saved to come into range and probe for it by name). Ethernet devices do not count.


Last modified by Matthew Knight on July 15, 2015 at 1:45 am