Cracking The Name of a Hidden SSID

The process outlined below can be used for obtaining the name of a wireless network that is "hiding" its SSID.

We can see on my Windows box, that there is a hidden wireless network in range:


Within our Kali Linux VM, we type iwconfig to obtain the interface name of our wireless card. For any of this to work, you'll need a compatible Wi-Fi adapter that supports monitor mode (not covered in this post).


Running the following command will list all of the available wireless networks within range: airodump-ng wlan0

We can easily determine that the hidden wireless network's BSSID is E0:1C:41:C9:2D:57 and that it's broadcasting on channel 1. We need both pieces of information for the next command.


We can now focus solely on the target BSSID on channel 1 by running the command: airodump-ng wlan0 -c 1 --bssid E0:1C:41:C9:2D:57

If there are any clients connected to the hidden wireless network, this will tell us their network card's MAC address, which can be seen below.


With this information, we now run the next command: aireplay-ng -0 5 -a E0:1C:41:C9:2D:57 -c 1C:5C:F2:17:C0:BB


The above command, when run, will forcibly disconnect/boot the connected client off the BSSID. When this happens, the device will automatically attempt to reconnect to the wireless network. Upon reconnection, we should be able to glean the name of the hidden wireless network (the ESSID), since airodump-ng picks it up from the client's reconnect frames.
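From the monitoring side, the sequence above leaves a recognisable trace: a burst of deauthentication frames from the AP's address to one client, followed shortly by that client's probe or association request carrying the network name in the clear. The following is an added example (not part of the original post) that flags that pattern in a constructed frame log; the frame tuples, the subtype names and the SSID value are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample capture (not a real trace). Each frame is
# (time_s, subtype, src, dst, ssid); ssid is None when the frame carries
# no SSID element. Addresses are the ones used in the post above.
SAMPLE_FRAMES = [
    (0.00, "beacon",    "E0:1C:41:C9:2D:57", "FF:FF:FF:FF:FF:FF", ""),  # hidden SSID beacon
    (0.50, "deauth",    "E0:1C:41:C9:2D:57", "1C:5C:F2:17:C0:BB", None),
    (0.52, "deauth",    "E0:1C:41:C9:2D:57", "1C:5C:F2:17:C0:BB", None),
    (0.54, "deauth",    "E0:1C:41:C9:2D:57", "1C:5C:F2:17:C0:BB", None),
    (0.56, "deauth",    "E0:1C:41:C9:2D:57", "1C:5C:F2:17:C0:BB", None),
    (0.58, "deauth",    "E0:1C:41:C9:2D:57", "1C:5C:F2:17:C0:BB", None),
    (1.20, "probe_req", "1C:5C:F2:17:C0:BB", "FF:FF:FF:FF:FF:FF", "HiddenNet-EXAMPLE"),
    (1.30, "assoc_req", "1C:5C:F2:17:C0:BB", "E0:1C:41:C9:2D:57", "HiddenNet-EXAMPLE"),
]

def deauth_bursts(frames, min_count=3, window_s=2.0):
    """Return [(src, dst, count, t_first, t_last)] for every (src, dst) pair
    that sees at least min_count deauth frames inside a window_s window."""
    runs = defaultdict(list)
    for t, subtype, src, dst, _ in frames:
        if subtype == "deauth":
            runs[(src, dst)].append(t)
    best = {}
    for key, times in runs.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window_s:
                start += 1
            n = end - start + 1
            if n >= min_count and n > best.get(key, (0,))[0]:
                best[key] = (n, times[start], t)
    return [(src, dst, n, t0, t1) for (src, dst), (n, t0, t1) in best.items()]

def names_revealed_after(frames, bursts, grace_s=10.0):
    """Map each burst to the SSID its target client sent in the clear
    (probe or association request) within grace_s after the burst."""
    revealed = {}
    for src, dst, _, _, t_last in bursts:
        for t, subtype, fsrc, _, ssid in frames:
            if (fsrc == dst and ssid and subtype in ("probe_req", "assoc_req")
                    and t_last < t <= t_last + grace_s):
                revealed[(src, dst)] = ssid
                break
    return revealed

if __name__ == "__main__":
    found = deauth_bursts(SAMPLE_FRAMES)
    print(found, names_revealed_after(SAMPLE_FRAMES, found))
```

A deauth burst followed by a reconnect that names the network is exactly what a wireless IDS should alert on; it is also a reminder that hiding the SSID is not a security control, since the name travels unprotected as soon as any client reconnects.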
