Uncovering Hidden SSIDs
By default every access point broadcasts its SSID in beacon frames. Some network administrators configure the AP not to broadcast it, reasoning that an attacker who does not know a network exists cannot attack it. Hiding the network name does not provide any real security, though: the SSID is still sent in cleartext in other management frames, so it is relatively easy for a determined attacker to discover it.
The first step is to put the wireless card into monitor mode so that we can sniff raw 802.11 frames.
Then we run airodump-ng mon0 to start capturing raw 802.11 frames, which will show all the wireless networks in the area. As we can see in the image below, there is only one network that is not broadcasting its SSID (airodump-ng lists such a network as <length: n> in the ESSID column instead of a name).
Alternatively we can inspect the beacon frames in Wireshark and notice that the SSID is hidden: the SSID parameter in the tagged parameters has length 0, or on some access points is filled with null bytes.
There are two ways to obtain the SSID of a wireless network that is not broadcasting it: passive and active.
In the passive method we monitor the wireless traffic and wait for a legitimate client to connect to the access point. The Probe Request the client sends (directed at the hidden network by name), the Probe Response the AP returns and the Association Request that follows all carry the SSID in cleartext.
This technique is stealthier than the active one and suits an engagement against a corporate wireless network, especially in the morning when a variety of devices arrive, try to connect and unveil the network's presence.
The other method is to send deauthentication frames to all the clients, spoofed so they appear to come from the access point, which in this case is the Wireless Pentest Lab. This forces every connected device to disconnect and reconnect, and the Probe Request/Probe Response exchange that follows reveals the cloaked SSID. Note that this does not work against a network that enforces 802.11w Protected Management Frames, because spoofed deauthentication frames are then rejected by the clients.
We can send the deauthentication frames with aireplay-ng, as can be seen below:
The value 5 given to -0 (--deauth) is the number of deauthentication rounds to send (0 would send them continuously) and -a specifies the MAC address (BSSID) of the access point; without -c the frames are broadcast to all clients. As we can see in the next screenshot, after the deauthentication the Probe Response frames are generated again, and because management frames are not encrypted they unveil the wireless SSID.
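The following is an added example, not code from the original post, showing what the tools above are doing with the frames: it flags beacons whose SSID element is empty or NUL-padded (the hidden networks) and recovers the name from the Probe Response and Association Request frames that a reconnecting client triggers, plus the names clients ask for in directed Probe Requests. It parses raw 802.11 management frames with the standard library only; the MAC addresses and frames are constructed inline (the network name is the one from the post), so it runs without a capture file or a wireless card.

```python
"""Spot cloaked SSIDs in beacon frames and recover them from the frames that
still carry the name in cleartext (Probe Request/Response, Association Request).
Added example for this post, standard library only; all frames below are
constructed by hand with made-up MAC addresses."""
import struct

# Management-frame subtypes (frame control byte 0 = subtype<<4 | type<<2 | version)
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
MGMT_HDR_LEN = 24  # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2)
# Bytes of fixed parameters that precede the tagged parameters, per subtype
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}
IE_SSID = 0


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Yield (element_id, value) for each tagged parameter, tolerating truncation."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        yield eid, body[off + 2:off + 2 + length]
        off += 2 + length


def parse_mgmt(frame):
    """Return (subtype, bssid, ssid_element) for the four subtypes we care about,
    else None. ssid_element is the raw SSID value, or None if the element is absent."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    bssid = mac_str(frame[16:22])  # addr3 holds the BSSID in all four subtypes
    body = frame[MGMT_HDR_LEN + FIXED_LEN[subtype]:]
    ssid = next((val for eid, val in parse_ies(body) if eid == IE_SSID), None)
    return subtype, bssid, ssid


def is_cloaked(ssid):
    """Hidden networks beacon an empty SSID element or, on some APs, one padded
    with NUL bytes to the real name's length (airodump-ng shows both as <length: n>)."""
    return ssid is not None and (len(ssid) == 0 or set(ssid) == {0})


def uncover(frames):
    """Map each BSSID that beacons a cloaked SSID to the name recovered from a
    Probe Response or Association Request, or None if nothing revealed it yet."""
    cloaked, revealed = set(), {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid, ssid = parsed
        if subtype == BEACON and is_cloaked(ssid):
            cloaked.add(bssid)
        elif subtype in (PROBE_RESP, ASSOC_REQ) and ssid and not is_cloaked(ssid):
            revealed[bssid] = ssid.decode("utf-8", "replace")
    return {bssid: revealed.get(bssid) for bssid in cloaked}


def probed_names(frames):
    """Names clients ask for in directed Probe Requests. These carry no BSSID
    (addr3 is broadcast) but leak the hidden networks a client already knows."""
    names = set()
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed and parsed[0] == PROBE_REQ and parsed[2]:
            names.add(parsed[2].decode("utf-8", "replace"))
    return names


# --- constructed sample traffic (made-up MACs; network name from the post) ---
def build_mgmt(subtype, addr1, addr2, addr3, fixed, ies):
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    tagged = b"".join(bytes([eid, len(val)]) + val for eid, val in ies)
    return header + fixed + tagged


AP, AP2, AP3 = (bytes.fromhex(h) for h in ("001122334455", "00aabbccddee", "0a0b0c0d0e0f"))
CLIENT, BCAST = bytes.fromhex("66778899aabb"), b"\xff" * 6
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
ASSOC_FIXED = struct.pack("<HH", 0x0411, 10)        # capability, listen interval
RATES = (1, b"\x82\x84\x8b\x96")
NAME = b"Wireless Pentest Lab"
SAMPLE_FRAMES = [
    build_mgmt(BEACON, BCAST, AP, AP, BEACON_FIXED, [(IE_SSID, b""), RATES]),            # cloaked
    build_mgmt(BEACON, BCAST, AP2, AP2, BEACON_FIXED, [(IE_SSID, b"\x00" * 6), RATES]),  # NUL-padded, never revealed
    build_mgmt(BEACON, BCAST, AP3, AP3, BEACON_FIXED, [(IE_SSID, b"guest"), RATES]),     # visible, ignored
    build_mgmt(PROBE_REQ, BCAST, CLIENT, BCAST, b"", [(IE_SSID, NAME), RATES]),          # client asks by name
    build_mgmt(PROBE_RESP, CLIENT, AP, AP, BEACON_FIXED, [(IE_SSID, NAME), RATES]),      # AP answers with the name
    build_mgmt(ASSOC_REQ, AP, CLIENT, AP, ASSOC_FIXED, [(IE_SSID, NAME), RATES]),        # name again on association
    b"\x08\x00" + b"\x00" * 30,                                                          # a data frame, skipped
]

if __name__ == "__main__":
    for bssid, name in uncover(SAMPLE_FRAMES).items():
        print(f"{bssid}  hidden SSID -> {name!r}")
    print("names clients probed for:", probed_names(SAMPLE_FRAMES))
```

Run against a real capture, the frames would come from a pcap written by airodump-ng -w (the 802.11 frame starts after the radiotap header); the logic is the same whether the reconnection was natural (passive) or provoked with aireplay-ng (active). The second access point in the sample stays at None because no client ever reconnected to it, which is exactly the case where the passive method needs patience or the active method a deauthentication.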