Discover a Hidden SSID using airodump-ng

Beginner

Introduction

Wireless networks can be configured to not broadcast their Service Set Identifier (SSID), making them "hidden". While this provides a minor layer of obscurity, it is not a robust security measure. An attacker can still discover the SSID using network analysis tools.

In this lab, you will learn the process of discovering a hidden SSID. You will use airodump-ng to monitor wireless traffic and identify a hidden network, and then use aireplay-ng to perform a deauthentication attack. This attack forces a connected client to briefly disconnect and then reconnect, revealing the network's SSID during the re-association process.

We will be working in a simulated wireless environment prepared for this lab.

Start airodump-ng in General Scan Mode

In this step, you will start airodump-ng, a tool for capturing 802.11 frames. We will use it to scan for all nearby wireless networks. The lab environment has been set up with a monitoring interface named wlan2mon.

First, open a terminal. All commands in this lab will be executed in the terminal.

Now, run airodump-ng on the monitoring interface. This requires sudo privileges.

sudo airodump-ng wlan2mon

After running the command, your terminal will fill with information about nearby Wi-Fi networks. Let this command continue to run, as we will observe its output in the next steps.

You should see a display similar to this, which updates in real-time:

CH  6 ][ Elapsed: 10 s ][ 2023-10-27 10:00

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 XX:XX:XX:XX:XX:XX  -30       10        0    0   6  54e  OPN              <length:  0>

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

Keep this terminal open and running airodump-ng. You will need to open a new terminal for the commands in Step 4.

Identify a Network with a '<length: 0>' ESSID

In this step, you will analyze the output of airodump-ng to find the hidden network.

Look at the terminal where airodump-ng is running. A hidden network is one whose ESSID (network name) is not broadcast in its beacons. airodump-ng displays such a network as <length: 0> in the ESSID column.

In the output, you should see a line similar to this:

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 XX:XX:XX:XX:XX:XX  -30       10        0    0   6  54e  OPN              <length:  0>

This line represents our target hidden network. Take note of two important pieces of information from this line:

  • BSSID: The MAC address of the access point. In the example, it's XX:XX:XX:XX:XX:XX.
  • CH: The channel the network is operating on. In the example, it's 6.

You will need the BSSID for the deauthentication attack in a later step. For your convenience in this lab, the BSSID of the simulated AP has been saved to a file. You can view it by running cat /tmp/bssid.txt in a new terminal if needed.
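The airodump-ng screen above is plain text, so the step of picking out a hidden network can be automated. The Python below is an added example, not part of the original lab or of the aircrack-ng suite: it parses the access-point section of a screen dump and returns the BSSID and channel of every AP whose ESSID is withheld. The sample screen text is constructed for the example (the first row is the lab's placeholder AP, the second a made-up WPA2 network whose name contains a space). It generalises the page's <length: 0> case to <length: N>, which airodump-ng prints when the AP beacons an SSID element of N null bytes instead of an empty one.

```python
import re

HIDDEN_RE = re.compile(r"<length:\s*(\d+)>")  # airodump-ng's marker for a withheld SSID
MAC_RE = re.compile(r"([0-9A-Za-z]{2}:){5}[0-9A-Za-z]{2}")  # letters allowed for XX:XX placeholders
AP_FIELDS = ("bssid", "pwr", "beacons", "data", "per_s", "ch", "mb", "enc")


def parse_ap_table(screen_text):
    """Parse the access-point section of an airodump-ng screen dump.

    Returns one dict per AP with the fixed columns plus 'essid', 'hidden' and
    'hidden_len'. The ESSID is sliced at the header's ESSID column so names that
    contain spaces survive; a hidden network shows '<length: N>' there, where N
    is the size of the null-padded SSID element the AP beacons instead of a name.
    """
    aps, essid_col = [], None
    for line in screen_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("BSSID"):
            # The AP header carries an ESSID column; the station header ends in 'Probe'
            essid_col = line.find("ESSID") if "ESSID" in line else None
            continue
        parts = stripped.split()
        if essid_col is None or len(parts) < len(AP_FIELDS) or not MAC_RE.fullmatch(parts[0]):
            continue  # blank line, status line, or a row from the station section
        ap = dict(zip(AP_FIELDS, parts))
        essid = line[essid_col:].strip()
        hidden = HIDDEN_RE.fullmatch(essid)
        ap["ch"] = int(ap["ch"])
        ap["essid"] = None if hidden else essid
        ap["hidden"] = hidden is not None
        ap["hidden_len"] = int(hidden.group(1)) if hidden else None
        aps.append(ap)
    return aps


def hidden_aps(screen_text):
    """(BSSID, channel) of every AP that withholds its name: the two values this step asks you to note."""
    return [(ap["bssid"], ap["ch"]) for ap in parse_ap_table(screen_text) if ap["hidden"]]


# Constructed sample screen: the lab's placeholder hidden AP plus a made-up WPA2 network
SAMPLE_SCREEN = """\
 CH  6 ][ Elapsed: 10 s ][ 2023-10-27 10:00

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 XX:XX:XX:XX:XX:XX  -30       10        0    0   6  54e  OPN              <length:  0>
 02:00:00:00:00:10  -55       42        3    0  11  54e  WPA2 CCMP   PSK  Guest Net

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 XX:XX:XX:XX:XX:XX  YY:YY:YY:YY:YY:YY  -40    0- 1      0        1
"""

if __name__ == "__main__":
    for bssid, ch in hidden_aps(SAMPLE_SCREEN):
        print(f"hidden network: BSSID {bssid} on channel {ch}")
```

Slicing the ESSID at the header column rather than splitting on whitespace is what keeps "Guest Net" intact; the same approach works on any saved copy of the live screen, since airodump-ng keeps its columns aligned.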

Wait for a Client to Connect to Reveal the SSID

In this step, we'll discuss the passive method for discovering a hidden SSID.

One way to discover the SSID is to simply wait. When a legitimate client connects to the hidden network, it sends probe requests and association requests that contain the SSID. If airodump-ng is running and listening on the correct channel, it will capture these packets and display the SSID.

The airodump-ng output shows two sections. The top section lists Access Points (APs), and the bottom section lists connected clients (Stations).

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 XX:XX:XX:XX:XX:XX  -30       10        0    0   6  54e  OPN              <length:  0>

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 XX:XX:XX:XX:XX:XX  YY:YY:YY:YY:YY:YY  -40    0- 1      0        1

In the example above, a client with MAC address YY:YY:YY:YY:YY:YY is connected to our hidden AP (XX:XX:XX:XX:XX:XX).

However, waiting for a client to connect can take a very long time. In the next step, we will use an active method to force the issue and reveal the SSID much more quickly.

Force a Deauthentication Attack to Reveal the SSID

In this step, you will actively force the SSID to be revealed using a deauthentication attack with aireplay-ng. This attack sends deauthentication frames to a connected client, causing it to disconnect from the network. A well-behaved client will then immediately try to reconnect, and during this reconnection handshake, it will reveal the SSID.

First, you need to open a new terminal. Do not close the terminal running airodump-ng.

In the new terminal, you will construct the aireplay-ng command. The command format is:

sudo aireplay-ng --deauth <number_of_packets> -a <AP_BSSID> <interface>

  • --deauth 5: We will send 5 deauthentication packets.
  • -a <AP_BSSID>: This is the BSSID of the hidden network you identified in Step 2.
  • wlan2mon: This is our monitoring interface.

To make it easy, you can get the BSSID from the file we prepared. Execute this command to run the attack:

sudo aireplay-ng --deauth 5 -a $(cat /tmp/bssid.txt) wlan2mon

You will see output indicating that the deauthentication packets are being sent. aireplay-ng reports each of the 5 rounds as a burst of 64 directed deauthentication frames, which is why the count shown in the output is larger than the number passed to --deauth.

10:05:10  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 6
10:05:10  Sending 64 directed DeAuths. STMAC: [YY:YY:YY:YY:YY:YY] [ 0|63 ACKs]
...

Now, quickly switch your view back to the first terminal running airodump-ng to observe the result in the next step.
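The passive step and the active step above describe exactly what a wireless monitor sees on the air: a beacon with an empty SSID element, a burst of deauthentication frames aimed at a client, and then the client's association request naming the network in clear text. The Python below is an added example, not part of the original lab or of the aircrack-ng suite, written from the monitoring side. It replays a constructed list of raw 802.11 management frames through a minimal wireless IDS that decodes the frame-control field and addresses, raises an alert when five or more deauthentication frames hit one BSSID inside a two-second window (the check a WIDS uses to flag this attack), and records which hidden BSSIDs have had their name exposed by a client's association or directed probe request. The MAC addresses, the SSID, the thresholds and the frame sequence are all constructed; the frame layout follows the IEEE 802.11 management frame format (24-byte header, then fixed fields and tag/length/value information elements).

```python
import struct
from collections import defaultdict, deque

# IEEE 802.11 frame control: type 0 = management; subtypes used below
MGMT = 0
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0, 4, 8, 12
SSID_IE = 0  # information element tag that carries the network name
# Fixed-length fields that precede the information elements in each body
FIXED_BODY = {SUBTYPE_BEACON: 12, SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(raw):
    """Split a raw 802.11 frame into header fields; None unless it is a management frame."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != MGMT:  # bits 2-3 of byte 0 are the frame type
        return None
    return {"subtype": (raw[0] >> 4) & 0xF,      # bits 4-7 are the subtype
            "addr1": mac_str(raw[4:10]),         # receiver
            "addr2": mac_str(raw[10:16]),        # transmitter
            "addr3": mac_str(raw[16:22]),        # BSSID for management frames
            "body": raw[24:]}


def parse_ies(data):
    """Decode tag/length/value information elements into {tag: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        ies[tag] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def ssid_from_frame(frame):
    """SSID carried by a beacon/probe/assoc frame ('' when withheld); None for other subtypes."""
    skip = FIXED_BODY.get(frame["subtype"])
    raw = None if skip is None else parse_ies(frame["body"][skip:]).get(SSID_IE)
    # Some APs pad the element with NUL bytes instead of sending length 0; treat both as hidden
    return None if raw is None else raw.decode("utf-8", "replace").rstrip("\x00")


class DeauthMonitor:
    """Alerts once per BSSID when >= threshold deauth frames arrive within `window` seconds."""

    def __init__(self, threshold=5, window=2.0):
        self.threshold, self.window = threshold, window
        self.seen, self.alerted = defaultdict(deque), set()

    def observe(self, ts, frame):
        if frame["subtype"] != SUBTYPE_DEAUTH:
            return None
        bssid, q = frame["addr3"], self.seen[frame["addr3"]]
        q.append(ts)
        while ts - q[0] > self.window:  # drop timestamps that fell out of the sliding window
            q.popleft()
        if len(q) >= self.threshold and bssid not in self.alerted:
            self.alerted.add(bssid)
            return f"deauth burst: {len(q)} frames to {frame['addr1']} on BSSID {bssid} within {self.window}s"
        return None


def analyze(trace, threshold=5, window=2.0):
    """Replay (timestamp, raw_frame) pairs; return (alerts, {hidden_bssid: exposed_ssid})."""
    monitor, hidden, revealed, alerts = DeauthMonitor(threshold, window), set(), {}, []
    for ts, raw in trace:
        frame = parse_mgmt_frame(raw)
        if frame is None:
            continue
        alert = monitor.observe(ts, frame)
        if alert:
            alerts.append(alert)
        ssid = ssid_from_frame(frame)
        if frame["subtype"] == SUBTYPE_BEACON and ssid == "":
            hidden.add(frame["addr3"])  # AP withholds its name: airodump-ng's '<length: 0>' case
        elif frame["subtype"] in (SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ) and ssid and frame["addr3"] in hidden:
            revealed[frame["addr3"]] = ssid  # a client named the hidden network in clear text
    return alerts, revealed


def build_mgmt(subtype, addr1, addr2, addr3, body):
    # Frame control (2) + duration (2) + three addresses (18) + sequence control (2) + body
    return bytes([(subtype << 4) | (MGMT << 2), 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


# Constructed sample trace (locally administered MACs; nothing here comes from a real capture)
AP, CLIENT, SSID = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"LabExHidden"
hidden_beacon = build_mgmt(SUBTYPE_BEACON, b"\xff" * 6, AP, AP, b"\x00" * 12 + bytes([SSID_IE, 0]))
deauth = build_mgmt(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))  # reason code 7
assoc_req = build_mgmt(SUBTYPE_ASSOC_REQ, AP, CLIENT, AP, b"\x00" * 4 + bytes([SSID_IE, len(SSID)]) + SSID)
SAMPLE_TRACE = [(0.0, hidden_beacon)] + [(1.0 + 0.1 * i, deauth) for i in range(6)] + [(1.9, assoc_req)]

if __name__ == "__main__":
    alerts, revealed = analyze(SAMPLE_TRACE)
    print("\n".join(alerts) or "no deauth burst", "| hidden SSIDs exposed by clients:", revealed)
```

Two points follow from running this. A burst of deauthentication frames carrying one BSSID is a loud, easily detected signal, so on a monitored network this step does not go unnoticed; and enabling 802.11w Protected Management Frames on the AP and clients makes forged deauthentication frames get discarded, which blunts the active step but does nothing about the SSID appearing in a legitimate client's association request, which is why hiding the SSID is not a security control.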

Note the Revealed SSID in the airodump-ng Display

In this final step, you will observe the results of the deauthentication attack.

Switch back to your first terminal, the one where airodump-ng has been running. After the deauthentication attack, the client reconnected to the access point. During this process, airodump-ng captured the SSID.

The line that previously showed <length: 0> for the ESSID should now display the actual network name, LabExHidden.

Before the attack:

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 XX:XX:XX:XX:XX:XX  -30       10        0    0   6  54e  OPN              <length:  0>

After the attack:

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 XX:XX:XX:XX:XX:XX  -32       25        1    0   6  54e  OPN              LabExHidden

You have successfully discovered the SSID of the hidden network!

You can now stop the running processes in both terminals with Ctrl+C, then close the terminals by typing exit.

Summary

In this lab, you learned a practical technique for discovering hidden Wi-Fi networks. You saw that hiding an SSID is not an effective security measure, as it can be easily uncovered.

You practiced using key tools from the aircrack-ng suite:

  • airodump-ng: To scan for wireless networks and identify a hidden one by its <length: 0> ESSID.
  • aireplay-ng: To perform a deauthentication attack, forcing a connected client to reveal the SSID upon reconnection.

This process of passive monitoring followed by an active attack is a fundamental concept in wireless security auditing.