Cracking The Name of a Hidden SSID

The process outlined below can be used to obtain the name of a wireless network that is “hiding” its SSID, i.e. an access point whose beacons carry an empty SSID field.

On my Windows box we can see that there is a hidden wireless network in range:


Within our Kali Linux VM, we type iwconfig to obtain the interface name of our wireless card. For any of this to work, you’ll need a compatible Wi-Fi adapter that supports monitor mode and packet injection (not covered in this post).


Running the following command lists all of the wireless networks within range: airodump-ng wlan0

From the output we can easily determine that the hidden wireless network’s BSSID is E0:1C:41:C9:2D:57 and that it’s broadcasting on channel 1; airodump-ng lists the hidden ESSID as <length: N> rather than a name, because the beacons contain no name. We need both pieces of information for the next command.


We can now focus solely on the target BSSID on channel 1 by running the command: airodump-ng wlan0 -c 1 --bssid E0:1C:41:C9:2D:57

If any clients are connected to the hidden wireless network, this will show their network cards’ MAC addresses, as seen below.


With this information, we now run the next command: aireplay-ng -0 5 -a E0:1C:41:C9:2D:57 -c 1C:5C:F2:17:C0:BB


The above command forcibly disconnects the connected client from the BSSID by sending it forged deauthentication frames (-0 5 selects deauthentication mode and sends five bursts; -a is the access point, -c is the client). When this happens, the device will automatically attempt to reconnect to the wireless network. Upon reconnection, the client’s probe request and association request carry the network name in cleartext, so airodump-ng fills in the ESSID of the hidden wireless network.

This is why hiding the SSID is not a security control: the name is only left out of beacons, and every legitimate client still has to send it. Enabling 802.11w Protected Management Frames on the access point and clients stops forged deauthentication frames from being accepted, and a burst of deauthentication frames aimed at a single BSSID is an easy signal for a wireless IDS to alert on.
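As an added illustration (not part of the original post), the script below decodes constructed 802.11 management frames built with the BSSID and client MAC shown above: it pulls the SSID out of the client’s association request, which is exactly where the “hidden” name leaks, and flags a burst of deauthentication frames against one BSSID, the check a wireless IDS would run. The SSID string and the reason code are constructed values.

```python
"""Decode 802.11 management frames: recover the SSID from a client's
association request and flag a deauthentication burst against one BSSID.
All frames below are constructed samples; they are not captured traffic."""
from collections import Counter
from typing import Optional

def mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def parse_ssid_ie(tagged: bytes) -> Optional[str]:
    """Walk the tagged parameters and return the SSID element (tag 0), if present."""
    i = 0
    while i + 2 <= len(tagged):
        tag, ln = tagged[i], tagged[i + 1]
        if tag == 0:
            return tagged[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None

def parse_mgmt(frame: bytes) -> dict:
    """Decode the 24-byte MAC header; type 0/subtype 12 is deauth, 0/0 is assoc request."""
    fc0 = frame[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
            "bssid": mac(frame[16:22])}
    body = frame[24:]
    if info["type"] == 0 and info["subtype"] == 0xC:
        info["reason"] = int.from_bytes(body[:2], "little")
    elif info["type"] == 0 and info["subtype"] == 0x0:
        info["ssid"] = parse_ssid_ie(body[4:])   # skip capability info + listen interval
    return info

def deauth_bursts(frames, threshold: int = 5) -> dict:
    """Return BSSIDs that received at least `threshold` deauth frames (IDS-style check)."""
    counts = Counter(p["bssid"] for p in map(parse_mgmt, frames)
                     if p["type"] == 0 and p["subtype"] == 0xC)
    return {bssid: n for bssid, n in counts.items() if n >= threshold}

# Constructed samples using the BSSID and client MAC from the post.
AP, CLIENT = bytes.fromhex("E01C41C92D57"), bytes.fromhex("1C5CF217C0BB")
def hdr(fc0, a1, a2, a3):                       # frame control, duration, addr1-3, seq ctrl
    return bytes([fc0, 0x00, 0x00, 0x00]) + a1 + a2 + a3 + b"\x00\x00"
DEAUTH = hdr(0xC0, CLIENT, AP, AP) + (7).to_bytes(2, "little")     # reason 7, constructed
ASSOC = (hdr(0x00, AP, CLIENT, AP) + b"\x31\x04\x0a\x00"           # capability, listen interval
         + bytes([0, 17]) + b"HiddenNet-EXAMPLE"                    # SSID IE, constructed name
         + bytes([1, 1, 0x82]))                                      # supported rates IE

if __name__ == "__main__":
    print("assoc request SSID:", parse_mgmt(ASSOC)["ssid"])
    print("deauth bursts:", deauth_bursts([DEAUTH] * 5))
```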
