Hidden SSID wireless networks, a security myth that makes you feel safer. Too bad it is just something that provides no extra security at all. My aim is to show you how easy it is to discover the SSID of an access point even if it is hidden.
I have no idea why the concept of not broadcasting the SSID exists at all. By definition, an SSID is just the name the user gave to the network. It is used to distinguish a wireless access point from others. A hidden SSID only creates a false sense of security for the owner and adds no protection. Security through obscurity may work in certain cases, but this is not one of them.
Please be aware, this article is not promoting or encouraging any unethical behavior. All the information I present here is for educational purposes only. I am not responsible for any of your actions after reading the article. The misuse of the information presented here can get you in trouble. Use this information to discover the hidden SSID of your own wireless network only.
The steps I present in this article were executed on a Kali Linux 2016.2 Release. The distribution is installed on a laptop with a Qualcomm Atheros AR956x Wireless Network Adapter. The target access point is a TP-Link TL-WR841N Wireless Router I own. In order to reproduce these steps yourself you will need a Kali Linux installation. Also, your computer needs a compatible wireless network adapter.
You can download Kali Linux here:
Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution
In order to check if your wireless network adapter is compatible go to:
Tutorial: Is My Wireless Card Compatible?
Let’s fire up a terminal window and scan for available wireless networks. I will use iwlist to list all the WiFi networks around me. The output is piped into grep to filter out data we don’t need.
iwlist wlan0 scan | grep 'Address\|ESSID'
Please note that all access points broadcast their address and SSID. Our target does that too.
I will now access the web interface of my wireless router and stop broadcasting the SSID. I will also change the name of the wireless network to something else.
When we do another scan using iwlist we will get different results. You can notice that this time we only have the MAC but the SSID is gone. Do you feel more secure now that the SSID is no longer there but the network is still visible? No way we can call this “extra security”.
Our job now is to discover the SSID of this target network. To achieve this we will start monitoring with airodump-ng. At the same time we will launch a deauth attack. This way, any client connected to the network will be forcefully disconnected. Clients will then try to reconnect automatically and transmit the SSID. The airodump-ng session will eavesdrop on this transmission and recover the SSID of the network.
Start by putting the wireless network adapter into down state. In my case the adapter is named wlan0, yours can be different.
ifconfig wlan0 down
Put the adapter into monitor mode.
airmon-ng start wlan0
The monitoring interface will be named wlan0mon. In older Kali Linux versions the name of this interface was mon0. You can check with ifconfig just to be sure.
Now that we are in monitor mode we can fire up airodump-ng to see what’s going on around us.
As you can see, there is our wireless network. We can see the MAC but the SSID is missing just like in the iwlist output.
Fire up a new terminal and launch a deauth attack using the MAC address of the access point.
aireplay-ng --deauth 10 -a C4:6E:1F:9E:63:14 wlan0mon
This forced any client connected to the wireless network to disconnect. If everything went as planned, clients should reconnect and transmit the SSID. The airodump-ng listing should now display the SSID of our target network.
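Why the reconnect gives the name away, as an added example that is not part of the original article: a hidden network only blanks the SSID element in its beacons, while association requests and probe responses still carry it in cleartext. The frames below are constructed inline (made-up MAC addresses, assumed SSID "HomeLab"), and the probe-response case goes slightly beyond the client reconnect described above.

```python
import struct

# Bytes of fixed fields that precede the tagged parameters, per management subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}

def ssid_from_frame(frame: bytes):
    """Return (subtype_name, ssid or None) for an 802.11 management frame.

    None means the SSID element is absent, empty or all NUL bytes (hidden)."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a management frame that carries an SSID element")
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):          # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == 0:                      # element ID 0 = SSID
            hidden = length == 0 or not any(value)
            return NAMES[subtype], None if hidden else value.decode("utf-8", "replace")
        pos += 2 + length
    return NAMES[subtype], None

def build(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal sample frame (constructed data, not a capture)."""
    ap = bytes.fromhex("020000000001")    # locally administered, made-up MACs
    sta = bytes.fromhex("020000000002")
    to_ap = subtype in (0, 2, 4)
    hdr = struct.pack("<BBH", subtype << 4, 0, 0)
    hdr += (ap + sta if to_ap else sta + ap) + ap + b"\x00\x00"
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported-rates element
    return hdr + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid + rates

# Hidden beacon (empty SSID), hidden beacon (NUL-filled SSID),
# client association request, AP probe response.
SAMPLES = [build(8, b""), build(8, bytes(7)), build(0, b"HomeLab"), build(5, b"HomeLab")]

if __name__ == "__main__":
    for f in SAMPLES:
        print(ssid_from_frame(f))
```

Both beacon variants report no name, yet the association request a client sends when it reconnects contains the SSID unencrypted, which is why hiding it cannot substitute for WPA2 with a strong passphrase.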
This post is dedicated to the paranoid coworker I share the office with.