SecurityTube, Wireless Lan Security Megaprimer notes: part 6 (Finding hidden SSIDs)

The video is here.

A hidden SSID means that SSID broadcasting is turned off in the beacon frames.

* Beacon frames have a NULL SSID (tag length is 0)

* A security through obscurity technique.

Set your AP not to broadcast its SSID, then check in Wireshark that the SSID tag length is 0.

While the beacon frame does not contain the SSID, Probe and association request packets do!

Passive solution: monitor for connections and extract the SSID from probe/association request packets.

Passive Method

airodump-ng mon0 # Find the access point with ESSID <length: 0>
iwconfig wlan0 channel XX # set the channel of the access point found above
wireshark # start a capture as usual, run it in the background
airodump-ng mon0 --channel <CHANNEL> # fire up airodump-ng on the channel found above

Now connect a client; airodump-ng will automatically figure out the network name and show it.

Also take a look at the Wireshark dump and see if you can find the SSID.
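To make the passive method concrete, here is an added example (not code from the video or these notes) that does by hand what airodump-ng and Wireshark do for you: it walks the tagged-parameter list of 802.11 management frames, flags a beacon whose SSID element is empty, and recovers the name from the probe or association request a client sends to that BSSID. The frames, MAC addresses and the network name "HomeNet" are constructed for the example; the frame layout (24-byte header, fixed parameters, then id/length/value tags) follows the 802.11 management frame format. It also handles the variant where an AP pads the SSID element with NUL bytes instead of sending length 0.

```python
import struct

# 802.11 frame-control fields: type 0 = management; subtypes used here
TYPE_MGMT = 0
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_BEACON = 0x8
TAG_SSID = 0  # element ID of the SSID tagged parameter

# Bytes of fixed parameters that precede the tagged parameters in each body
FIXED_PARAMS_LEN = {
    SUBTYPE_BEACON: 12,    # timestamp(8) + beacon interval(2) + capability(2)
    SUBTYPE_PROBE_REQ: 0,  # probe requests begin directly with tagged parameters
    SUBTYPE_ASSOC_REQ: 4,  # capability(2) + listen interval(2)
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_tags(data):
    """Walk the (id, length, value) tagged-parameter list; reject truncated tags."""
    tags, i = [], 0
    while i + 2 <= len(data):
        tag_id, tag_len = data[i], data[i + 1]
        value = data[i + 2:i + 2 + tag_len]
        if len(value) < tag_len:
            raise ValueError("truncated tagged parameter")
        tags.append((tag_id, value))
        i += 2 + tag_len
    return tags

def parse_mgmt_frame(frame):
    """Split a raw management frame into addresses, subtype and tagged parameters."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    if subtype not in FIXED_PARAMS_LEN:
        raise ValueError(f"unsupported management subtype {subtype:#x}")
    return {
        "subtype": subtype,
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),  # BSSID in beacons, probe and association requests
        "tags": parse_tags(frame[24 + FIXED_PARAMS_LEN[subtype]:]),
    }

def ssid_from_tags(tags):
    """Return (present, hidden, name). Length 0 is the cloaked form the notes
    describe; some APs instead send a full-length SSID of NUL bytes, which
    airodump-ng also reports as <length: N>, so both count as hidden."""
    for tag_id, value in tags:
        if tag_id == TAG_SSID:
            hidden = len(value) == 0 or all(b == 0 for b in value)
            return True, hidden, "" if hidden else value.decode("utf-8", "replace")
    return False, False, ""

def learn_hidden_ssids(frames):
    """Correlate beacons with an empty SSID against the probe/association
    requests that spell it out. Returns {bssid: ssid} for each hidden AP
    whose name a client revealed."""
    hidden_aps, revealed = set(), {}
    for frame in frames:
        f = parse_mgmt_frame(frame)
        present, hidden, name = ssid_from_tags(f["tags"])
        if f["subtype"] == SUBTYPE_BEACON and present and hidden:
            hidden_aps.add(f["addr3"])
        elif f["subtype"] in (SUBTYPE_PROBE_REQ, SUBTYPE_ASSOC_REQ) and name:
            revealed[f["addr3"]] = name
    return {bssid: revealed[bssid] for bssid in hidden_aps if bssid in revealed}

# --- constructed sample frames (not captured traffic) -----------------------
def build_mgmt_frame(subtype, dst, src, bssid, fixed, tags):
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    header = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"  # duration, addrs, seq
    return header + fixed + b"".join(bytes([tid, len(v)]) + v for tid, v in tags)

AP = bytes.fromhex("020000000001")      # hypothetical AP / BSSID
CLIENT = bytes.fromhex("020000000002")  # hypothetical client
BCAST = b"\xff" * 6
RATES = (1, bytes([0x82, 0x84, 0x8B, 0x96]))  # supported rates 1/2/5.5/11 Mbit/s
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
ASSOC_FIXED = struct.pack("<HH", 0x0411, 10)        # capability, listen interval

SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, BCAST, AP, AP, BEACON_FIXED,
                     [(TAG_SSID, b""), RATES, (3, bytes([6]))]),  # SSID tag length 0
    build_mgmt_frame(SUBTYPE_PROBE_REQ, AP, CLIENT, AP, b"",
                     [(TAG_SSID, b"HomeNet"), RATES]),
    build_mgmt_frame(SUBTYPE_ASSOC_REQ, AP, CLIENT, AP, ASSOC_FIXED,
                     [(TAG_SSID, b"HomeNet"), RATES]),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        f = parse_mgmt_frame(frame)
        print(f"subtype {f['subtype']:#x} from {f['addr2']}: SSID {ssid_from_tags(f['tags'])}")
    print("revealed:", learn_hidden_ssids(SAMPLE_FRAMES))
```

The point the example makes is the same one the notes make: hiding the SSID only removes it from one frame type. Any client that knows the network has to put the name on the air in its probe and association requests, so the "hidden" name is recoverable by anyone listening on the channel, which is why this is obscurity rather than a security control.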

Active Method

Force the network to send probe/association packets. We're going to forcibly de-authenticate one or all clients.
They will reconnect, and then we can grab the SSID.

To send deauthentication packets:

aireplay-ng --deauth 0 -a HIDDENAPMAC mon0

While you're running the above command, have airodump-ng running in another window; you should see the SSID appear there.
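From the defender's side, the active method has a clear footprint: a burst of deauthentication frames carrying the AP's own address as source, typically to the broadcast address, far faster than any real disassociation. The following is an added example (not from the video or these notes) of the detection logic a monitoring station could run over decoded capture records. The record tuples, MAC addresses, timestamps and reason codes are constructed for the example; the threshold and window are illustrative defaults.

```python
from collections import defaultdict, deque

SUBTYPE_DEAUTH = 0x0C  # 802.11 management subtype: deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_deauth_bursts(records, threshold=10, window=1.0):
    """records: time-ordered (timestamp_s, subtype, src_mac, dst_mac, reason_code)
    tuples, e.g. fields exported from a capture. Raises one alert per source
    the first time it sends >= threshold deauth frames inside `window` seconds."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst, reason) within the window
    alerted, alerts = set(), []
    for ts, subtype, src, dst, reason in records:
        if subtype != SUBTYPE_DEAUTH:
            continue
        q = recent[src]
        q.append((ts, dst, reason))
        while q and ts - q[0][0] > window:   # age out frames older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "first_ts": q[0][0],
                "count": len(q),
                "broadcast": any(d == BROADCAST for _ts, d, _r in q),
                "reasons": sorted({r for _ts, _d, r in q}),
            })
    return alerts

# --- constructed sample records (not captured traffic) -----------------------
AP = "02:00:00:00:00:01"     # hypothetical AP
STA1 = "02:00:00:00:00:02"   # hypothetical clients
STA2 = "02:00:00:00:00:03"

def sample_records():
    recs = [(t * 0.1024, 0x8, AP, BROADCAST, None) for t in range(120)]  # beacons
    recs.append((2.0, SUBTYPE_DEAUTH, STA1, AP, 3))    # STA1 leaving normally (reason 3)
    recs.append((5.0, SUBTYPE_DEAUTH, AP, STA2, 3))    # one genuine AP-originated deauth
    # burst: 25 deauths within 1 s, AP address as source, broadcast destination;
    # reason code 7 is a constructed value for the sample
    recs += [(10.0 + 0.04 * i, SUBTYPE_DEAUTH, AP, BROADCAST, 7) for i in range(25)]
    return sorted(recs, key=lambda r: r[0])

if __name__ == "__main__":
    for alert in detect_deauth_bursts(sample_records()):
        print(alert)
```

Two caveats when reading such an alert. The source address is the AP's because the frames are spoofed, so the AP's own logs, not the over-the-air source, tell you whether it actually sent them. And the mitigation is protocol-level rather than a detection: 802.11w (management frame protection) authenticates deauthentication frames, so clients ignore forged ones and the forced-reconnect trick stops working on networks where the AP and clients have it enabled.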