Discover Hidden WiFi SSIDs with aircrack-ng

Objective

Assess the security of your WiFi network by detecting its hidden SSID.

Distributions

It’s recommended that you use Kali Linux, but this can be done with any Linux distribution.

Requirements

A working Linux installation with root privileges and an installed wireless adapter.

Difficulty

Easy

Conventions

  • # – requires the given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
  • $ – requires the given Linux commands to be executed as a regular non-privileged user

Introduction

WiFi security isn’t easy. There’s a ton of potential threats, and even more reported “solutions” flying around out there. One supposed security measure that you can take is hiding your network’s SSID. This guide will demonstrate why that does absolutely nothing to stop attackers.

Install Aircrack-ng

If you’re running Kali, you already have aircrack-ng. If you’re on another distribution, and you want to try this out, you’ll have to install it. The name of the package should be the same no matter what you’re running, so use your package manager to grab it.

$ sudo apt install aircrack-ng

Scan For Networks

Before you get started, run ifconfig or ip a to find the name of your wireless interface. You’re going to need it.

Once you have your wireless interface, disconnect. You can use Aircrack while connected, but you won’t be able to test your network this way: your own connected device is already sending the SSID, so Aircrack will discover your network’s SSID immediately.

As root, run the following Linux command. Substitute your wireless interface in place of wlan0.

$ sudo airmon-ng start wlan0

That will create a temporary virtual interface for monitoring. It will print out the name of the interface, so make note of that too. It’s usually mon0.

Now, monitor that interface.

$ sudo airodump-ng mon0

The screen will begin to populate with a list of WiFi networks in your area. It will display all of the information that it can in two tables. The top table has the networks. The bottom one contains the clients connecting to those networks. The important parts to note are the BSSID, Channel, and ESSID. Your hidden network will not report its name in the ESSID column; instead, airodump-ng shows only a length value, which is the number of characters in your ESSID.

The bottom table will show you the BSSID (MAC address) of each client and the network that they are seen connecting to, if it’s known.



Narrow Your Scan

There’s a lot of noise in that readout. Cancel your current command and rerun it specifying the BSSID and channel of your network.

$ sudo airodump-ng -c 1 --bssid XX:XX:XX:XX:XX:XX mon0

This command will show your network and only your network.

Disconnect A Device

You have two options while monitoring your network. You can either wait for a device to connect, and that will immediately populate the SSID of your network, or you can forcefully disconnect one of your devices, and it will broadcast the SSID when it attempts to reconnect.

To disconnect a client, you need to use the aireplay-ng command, and pass it the BSSID of the network and the BSSID of the client. The -0 flag tells the command to send a disconnect signal. The number that follows is the amount of requests that it should send.

$ sudo aireplay-ng -0 15 -c CLIENT_BSSID -a NETWORK_BSSID mon0

Depending on your computer’s configuration, you might need to add the --ignore-negative-one flag too.

Shortly after you run the command, you will see the network’s SSID fill in, in place of the length value.
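The two observations above (the beacon carrying only the SSID’s length, and the name appearing in clear as soon as a client joins or rejoins) come straight from the 802.11 management frame formats. The following is an added example, not part of this guide or of aircrack-ng: a minimal parser for management frames that shows where the SSID is and isn’t present, plus the check a defender would run over a capture of their own network, namely counting deauthentication frames per access point and client, since a burst of them is what a forced disconnect looks like. All frames and MAC addresses are constructed in the script itself; nothing is captured or transmitted.

```python
"""Added example (not from the guide or aircrack-ng): parse constructed
802.11 management frames to show that a "hidden" SSID only withholds the
name from beacons, and flag deauthentication bursts in the same capture."""
import struct
from collections import Counter

TYPE_MGMT = 0
SUBTYPES = {0: "assoc-req", 4: "probe-req", 8: "beacon", 12: "deauth"}
# Fixed fields that precede the information elements in each frame body.
FIXED_LEN = {"assoc-req": 4, "probe-req": 0, "beacon": 12}
IE_SSID = 0

AP_MAC = "02:00:00:00:aa:01"      # constructed BSSID (placeholder)
CLIENT_MAC = "02:00:00:00:cc:01"  # constructed client address (placeholder)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ie(eid, data):
    """Encode one information element: id, length, value."""
    return bytes([eid, len(data)]) + data


def mgmt_frame(subtype, dst, src, bssid, body):
    """24-byte management header (frame control, duration, addr1..3, seq) + body."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00" + body


def parse_ies(buf):
    ies, i = {}, 0
    while i + 2 <= len(buf):
        eid, ln = buf[i], buf[i + 1]
        ies[eid] = buf[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_frame(frame):
    """Return a dict describing a management frame, or None for anything else."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    kind = SUBTYPES.get((fc0 >> 4) & 0xF, "other")
    rec = {"kind": kind, "dst": mac_text(frame[4:10]),
           "src": mac_text(frame[10:16]), "bssid": mac_text(frame[16:22])}
    body = frame[24:]
    if kind == "deauth":
        rec["reason"] = struct.unpack("<H", body[:2])[0] if len(body) >= 2 else None
    elif kind in FIXED_LEN:
        ssid = parse_ies(body[FIXED_LEN[kind]:]).get(IE_SSID)
        if ssid is None:
            rec["ssid"] = None
        elif ssid.strip(b"\x00") == b"":
            # "Hidden" network: the element is empty or null-padded, so only
            # its length is visible; the name itself is not in the beacon.
            rec["ssid"], rec["hidden_len"] = None, len(ssid)
        else:
            rec["ssid"] = ssid.decode("utf-8", "replace")
    return rec


def hidden_networks(records):
    """BSSID -> advertised SSID length, from beacons that withhold the name."""
    return {r["bssid"]: r["hidden_len"] for r in records
            if r["kind"] == "beacon" and "hidden_len" in r}


def revealed_ssids(records):
    """BSSID -> SSID, from association requests that carry the name in clear."""
    return {r["bssid"]: r["ssid"] for r in records
            if r["kind"] == "assoc-req" and r["ssid"]}


def deauth_bursts(records, threshold=10):
    """Deauth frames per (bssid, client); a burst is the signature of a forced disconnect."""
    counts = Counter((r["bssid"], r["dst"]) for r in records if r["kind"] == "deauth")
    return {key: n for key, n in counts.items() if n >= threshold}


def constructed_capture():
    """Constructed sample: one hidden beacon, 15 deauths, then the client's rejoin."""
    # Beacon body: timestamp(8) + interval(2) + capability(2) + null-padded SSID.
    beacon_body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + ie(IE_SSID, b"\x00" * 7)
    frames = [mgmt_frame(8, BROADCAST, AP_MAC, AP_MAC, beacon_body)]
    # Deauth body is just a 2-byte reason code (constructed value).
    frames += [mgmt_frame(12, CLIENT_MAC, AP_MAC, AP_MAC, struct.pack("<H", 7))] * 15
    # Association request: capability(2) + listen interval(2) + SSID in clear.
    assoc_body = struct.pack("<HH", 0x0411, 10) + ie(IE_SSID, b"HomeLan")
    frames.append(mgmt_frame(0, AP_MAC, CLIENT_MAC, AP_MAC, assoc_body))
    return [parse_frame(f) for f in frames]


if __name__ == "__main__":
    recs = constructed_capture()
    print("hidden:", hidden_networks(recs))        # {'02:00:00:00:aa:01': 7}
    print("revealed:", revealed_ssids(recs))      # {'02:00:00:00:aa:01': 'HomeLan'}
    print("deauth bursts:", deauth_bursts(recs))  # {('02:00:00:00:aa:01', '02:00:00:00:cc:01'): 15}
```

The beacon advertises seven null bytes where the name would be, which is exactly the “length” readout airodump-ng gives you, while the client’s association request spells the SSID out in plaintext, so anyone listening on the channel gets it for free. On the defensive side, legitimate deauthentications are rare, so fifteen of them to one client in quick succession is the event to alert on if you monitor your own network.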

Closing Thoughts

You’ve now exposed your network’s “hidden” SSID. Clearly, hiding your SSID is a minor inconvenience at best. There’s nothing wrong with doing it, but don’t expect to secure your network that way.

Warning: this article is for educational purposes only, and the process should only ever be performed with your own network.
