Target a Hidden SSID Network with Fluxion


Introduction

In this lab, you will learn the process of targeting a Wi-Fi network that has a "hidden" SSID (Service Set Identifier). Hiding an SSID is a basic security measure where a network does not broadcast its name, making it invisible in standard Wi-Fi scans. However, this is not a robust security feature, and the SSID can be easily discovered.

We will use tools from the aircrack-ng suite to first discover the hidden network's name and then use Fluxion, an automated social engineering toolkit, to target it. This lab is for educational purposes only and demonstrates a common technique in wireless penetration testing. You will work within a simulated wireless environment.

Scan for Networks and Identify a Hidden Network (No ESSID)

In this step, we will begin by installing the necessary tools and then scanning for available wireless networks. Our goal is to identify a network that is not broadcasting its name (ESSID).

First, open a terminal and update your package list, then install the aircrack-ng suite, which contains the tools we need for scanning.

sudo apt-get update
sudo apt-get install -y aircrack-ng

This lab uses a simulated wireless interface named wlan0. To scan for networks, we first need to put this interface into "monitor mode". This mode allows the card to capture all Wi-Fi traffic on a specific channel, not just traffic addressed to it. We use airmon-ng for this.

sudo airmon-ng start wlan0

This command will create a new virtual interface, typically named wlan0mon, which is now in monitor mode.

Now, let's use airodump-ng to scan for all nearby networks using our monitor mode interface.

sudo airodump-ng wlan0mon

After a few moments, you will see a list of networks. Look for an entry where the ESSID is blank or shows as <length: 0> (airodump-ng shows <length: N> with a non-zero N when the access point pads the name with null bytes instead of omitting it). This is our hidden network.

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 1A:2B:3C:4D:5E:6F  -30       10        0    0   6  54e  WPA2 CCMP   PSK  <length: 0>
 AA:BB:CC:DD:EE:FF  -55       25        5    1  11  54e  WPA2 CCMP   PSK  MyHomeWiFi

From the output above, the network with BSSID 1A:2B:3C:4D:5E:6F is our target. Note its BSSID and CH (channel). You can press Ctrl+C to stop the scan.

Use 'airodump-ng' to Wait for a Client to Connect and Reveal the ESSID

In this step, we will focus our scanning efforts on the hidden network to uncover its real name (ESSID). A hidden network's name is revealed when a client device connects or attempts to connect to it. We can capture this information by monitoring the specific channel and BSSID of the hidden network.

Use the airodump-ng command again, but this time, specify the BSSID and channel of the hidden network you identified in the previous step. This locks the capture to one channel and one access point, so nothing else has to be processed. The command below uses the values from the example scan; replace them with the BSSID and channel you noted.

sudo airodump-ng --bssid 1A:2B:3C:4D:5E:6F --channel 6 wlan0mon

Initially, the ESSID will still appear hidden. You need to wait for a client to connect. In this simulated environment, a client will connect automatically after a few seconds.

Once a client connects, airodump-ng will capture the probe and association frames, which carry the SSID in cleartext, and display the ESSID. The output will update to show the network's name.

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 1A:2B:3C:4D:5E:6F  -30       35       15    2   6  54e  WPA2 CCMP   PSK  MyHiddenNet

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 1A:2B:3C:4D:5E:6F  00:11:22:33:44:55  -40    0 - 1      0       15

As you can see, the ESSID has been revealed as MyHiddenNet. Take note of this name. You have successfully uncloaked the hidden network. You can now press Ctrl+C to stop the scan.

Launch Fluxion and Manually Enter the Revealed ESSID

In this step, we will install and launch Fluxion, the tool we'll use for the attack phase. Since we now know the hidden network's ESSID, we can configure Fluxion to target it correctly.

First, from your ~/project directory, clone the Fluxion repository from GitHub.

git clone https://github.com/FluxionNetwork/fluxion.git

Next, navigate into the newly created fluxion directory.

cd fluxion

Fluxion has an installer script to check for and install all required dependencies. Run it with sudo privileges.

sudo ./fluxion.sh -i

Once the installation is complete, you can launch Fluxion.

sudo ./fluxion.sh

Fluxion will start and first ask you to select a language. Type 1 for English and press Enter.

Next, it will ask you to select a wireless adapter. You should see wlan0mon in the list. Select it by typing its corresponding number and pressing Enter.

Then, Fluxion will present a scanner menu. Choose an option to scan for targets, for example, 1. All channels. Fluxion will start scanning and will soon display a list of available networks, similar to airodump-ng.

Select the Hidden Network by its BSSID

In this step, you will select the target network from the list provided by Fluxion and manually input the ESSID you discovered earlier.

After the scan in the previous step completes, Fluxion will display a list of networks. Find your target network in this list. It will be identified by its BSSID (1A:2B:3C:4D:5E:6F), but the ESSID column might still be empty.

[+] Select a target.
[ID] [BSSID]             [CH] [PWR] [ENC]  [ESSID]
[01] [1A:2B:3C:4D:5E:6F] [06] [-30] [WPA2]
[02] [AA:BB:CC:DD:EE:FF] [11] [-55] [WPA2] MyHomeWiFi

Type the number corresponding to your target network (e.g., 1 in the example above) and press Enter.

Because Fluxion detected that the network has a hidden ESSID, it will now prompt you to enter it manually.

[*] The selected network has a hidden ESSID, please enter it manually.
>

Type the ESSID you discovered in Step 2 (MyHiddenNet) and press Enter.

Fluxion will then ask for a location to save attack-related files, such as a captured handshake. You can simply press Enter to accept the default location. After this, Fluxion will proceed to the attack selection menu.

Proceed with a Handshake Snooper or Captive Portal Attack

In this final step, with the target selected and its ESSID provided, Fluxion will present you with a menu of attack options. We will choose a passive attack to understand how handshakes are captured.

Fluxion's attack menu offers several choices. The two most common are:

  1. Handshake Snooper: This attack passively listens for a WPA/WPA2 4-way handshake, which occurs when a client authenticates with the access point. It can be combined with a deauthentication attack to speed up the process by forcing clients to reconnect.
  2. Captive Portal: A more aggressive attack that creates a fake access point (Evil Twin) and a fake login page to trick users into entering their Wi-Fi password.

For this lab, we will select the Handshake Snooper to see how Fluxion prepares to capture the handshake.

From the attack menu, select the option for Handshake Snooper.

[+] Select an attack.
[1] Handshake snooper
[2] Captive Portal

Type 1 and press Enter.

Fluxion will then ask how you want to capture the handshake. It will give you two options: one passive and one active (using a deauthenticator). The active method is faster. Select the option that uses a deauthenticator (e.g., aircrack-ng).

Fluxion will now start the attack. It will open several terminal windows to monitor for clients and send deauthentication packets, waiting to capture a handshake when a client reconnects. Reaching this stage is the objective of our lab. In a real-world scenario, you would now wait for the handshake file to be captured.
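The two things this lab depends on, the zero-length SSID element in a hidden access point's beacons with the real name later sent in cleartext by a connecting client (Step 2), and the burst of deauthentication frames the active Handshake Snooper relies on (this step), are exactly what a wireless IDS watches for. The following is an added example of that defender-side check, not part of the lab or of Fluxion; it parses constructed raw 802.11 management frames offline, and the frame builder, the alert threshold and the reuse of the lab's two BSSIDs are assumptions.

```python
from collections import Counter

BEACON, ASSOC_REQ, DEAUTH = 0x8, 0x0, 0xC   # 802.11 management frame subtypes
FIXED_LEN = {BEACON: 12, ASSOC_REQ: 4}       # fixed fields preceding the tagged elements
DEAUTH_ALERT_THRESHOLD = 5                   # assumed threshold; tune per site

def ssid_from_ies(ies):
    # walk the tagged elements; element ID 0 is the SSID
    off = 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        if eid == 0:
            return ies[off + 2:off + 2 + elen]
        off += 2 + elen
    return None

def parse_mgmt_frame(frame):
    # returns (subtype, bssid, ssid_bytes) for a management frame, None for other frame types
    if frame[0] & 0x0c:                      # frame-control type bits != 0 means not management
        return None
    subtype = frame[0] >> 4
    bssid = ":".join(f"{x:02x}" for x in frame[16:22])   # addr3 carries the BSSID
    ssid = ssid_from_ies(frame[24 + FIXED_LEN[subtype]:]) if subtype in FIXED_LEN else None
    return subtype, bssid, ssid

def analyze(frames):
    # hidden APs (beacon SSID empty or NUL-padded), names clients leak for them, deauth bursts
    hidden, revealed, deauths = set(), {}, Counter()
    for subtype, bssid, ssid in filter(None, map(parse_mgmt_frame, frames)):
        if subtype == BEACON and ssid is not None and not ssid.strip(b"\x00"):
            hidden.add(bssid)
        elif subtype == ASSOC_REQ and ssid:
            revealed[bssid] = ssid.decode(errors="replace")   # client sends it in cleartext
        elif subtype == DEAUTH:
            deauths[bssid] += 1
    floods = {b: n for b, n in deauths.items() if n >= DEAUTH_ALERT_THRESHOLD}
    return hidden, {b: s for b, s in revealed.items() if b in hidden}, floods

def mgmt_frame(subtype, bssid, body):
    # constructed frame: FC, duration, addr1 (broadcast), addr2 (sender, reused), addr3 (BSSID), seq, body
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00" + body

# Constructed sample capture using the lab's two BSSIDs
HIDDEN_AP, HOME_AP = bytes.fromhex("1a2b3c4d5e6f"), bytes.fromhex("aabbccddeeff")
SAMPLE_FRAMES = [
    mgmt_frame(BEACON, HIDDEN_AP, b"\x00" * 12 + b"\x00\x00"),               # SSID element, length 0
    mgmt_frame(BEACON, HOME_AP, b"\x00" * 12 + b"\x00\x0aMyHomeWiFi"),
    mgmt_frame(ASSOC_REQ, HIDDEN_AP, b"\x00" * 4 + b"\x00\x0bMyHiddenNet"),  # the name leaks here
] + [mgmt_frame(DEAUTH, HIDDEN_AP, b"\x07\x00")] * 6                         # reason code 7
```

On a real capture the frames would come from the .cap file airodump-ng writes, and the deauth count should be taken per time window rather than per file.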

Summary

In this lab, you successfully targeted a Wi-Fi network with a hidden SSID. You learned that hiding an SSID is not an effective security measure, as the network's name can be easily revealed.

You practiced a complete workflow:

  1. Used airodump-ng to scan for and identify a hidden network.
  2. Focused the scan on the target's BSSID and channel to de-cloak its ESSID.
  3. Launched the Fluxion framework.
  4. Targeted the hidden network in Fluxion by manually providing its discovered ESSID.
  5. Initiated a Handshake Snooper attack, preparing to capture a WPA/WPA2 4-way handshake.

These skills are fundamental in wireless security auditing and demonstrate how attackers can bypass simple obscurity-based defenses. Always ensure you have explicit permission before performing these actions on any network.