By default, all access points advertise their SSIDs in beacon frames, which allows clients in the vicinity to discover them easily. A hidden SSID is a configuration in which the access point does not broadcast its SSID in beacon frames, so only clients that already know the SSID can connect to it.
Unfortunately, this measure does not provide robust security, even though many network administrators believe it does. Hidden SSIDs should not be considered a security measure by any stretch of the imagination: they are a security-through-obscurity feature and are relatively simple to beat. We will now take a look at how hidden SSIDs are uncovered.
Uncovering Hidden SSIDs In Practice
- Using Wireshark, if we monitor beacon frames in the Wireless Lab network, we are able to see the SSID in plain text. You should see beacon frames, as shown in the following screenshot:
- Configure your access point to set the Wireless Lab network as a hidden SSID. The configuration option to do this may differ across access points. In my case, I need to check the Invisible option in the Visibility Status option, as shown in the following screenshot:
- Now if you take a look at the Wireshark trace, you will find that the SSID Wireless Lab has disappeared from the beacon frames. This is what hidden SSIDs are all about:
- To get around the missing SSID in the beacon frames, we will first use the passive technique of waiting for a legitimate client to connect to the access point. This generates probe request and probe response packets that contain the SSID of the network, thus revealing its presence:
- Alternatively, you can use the aireplay-ng utility to send deauthentication packets to all stations on behalf of the “Wireless Lab” access point by typing:
aireplay-ng -0 5 -a <mac> --ignore-negative wlan0mon
where <mac> is the MAC address of the access point. The -0 option selects a deauthentication attack, and 5 is the number of deauthentication packets to send. Finally, -a specifies the MAC address of the access point you are targeting:
- The preceding deauthentication packets will force all legitimate clients to disconnect and reconnect. It is a good idea to add a filter for deauthentication packets so that you can view them in isolation, which we can do with wlan.fc.type_subtype == 0x0c:
- The probe responses from the access point will end up revealing its hidden SSID. These packets show up in Wireshark as shown in the following screenshot. Once the legitimate clients connect back, we can see the hidden SSID in the probe request and probe response frames. You can use the filter (wlan.bssid == <the AP MAC>) && !(wlan.fc.type_subtype == 0x08) to monitor all non-beacon packets to and from the access point. The && sign stands for the logical AND operator and the ! sign stands for the logical NOT operator:
What Just Happened?
Even though the SSID is hidden and not broadcast, whenever a legitimate client tries to connect to the access point, the two exchange probe request and probe response packets, and these packets contain the SSID of the access point. As management frames are not encrypted, they can be sniffed from the air very easily and the SSID recovered.
In many cases, all clients may already be connected to the access point, and there may be no probe request/response packets in the Wireshark trace. Here, we can forcibly disconnect the clients from the access point by sending forged deauthentication packets over the air. These packets force the clients to reconnect to the access point, thus revealing the SSID.
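The two observations above (a hidden SSID leaks in probe responses, and a deauthentication burst precedes the reconnects) are exactly what a wireless IDS looks for. The following is an added detection example, not code from the book or the aircrack-ng project: it parses raw 802.11 management frames using the same type_subtype values as the Wireshark filters in the text (0x08 beacon, 0x05 probe response, 0x0c deauthentication). The AP MAC address and the sample frames are constructed for the example.

```python
"""Added detection example: flag hidden-SSID disclosure and deauthentication
bursts in raw 802.11 management frames (constructed frames, not a live capture)."""
from collections import Counter

BEACON, PROBE_RESP, DEAUTH = 0x08, 0x05, 0x0C   # wlan.fc.type_subtype values
BROADCAST = b"\xff" * 6

def fc_type_subtype(frame: bytes) -> int:
    """Wireshark's wlan.fc.type_subtype: (type << 4) | subtype from frame-control byte 0."""
    fc = frame[0]
    return (((fc >> 2) & 0x3) << 4) | (fc >> 4)

def bssid(frame: bytes) -> str:
    """Address 3 (bytes 16..21) carries the BSSID in management frames."""
    return frame[16:22].hex(":")

def ssid_element(frame: bytes):
    """Walk the tagged parameters that follow the 24-byte header and the 12-byte
    fixed fields of a beacon/probe response; return the SSID IE (tag 0) or None."""
    pos = 24 + 12
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        if tag == 0:
            return frame[pos + 2:pos + 2 + length]
        pos += 2 + length
    return None

def analyze(frames, deauth_threshold=3):
    """Return hidden APs, hidden SSIDs disclosed by probe responses, and deauth bursts."""
    hidden, revealed, deauths = set(), {}, Counter()
    for frame in frames:
        sub, ap = fc_type_subtype(frame), bssid(frame)
        ssid = (ssid_element(frame) or b"").strip(b"\0")   # empty/null SSID = hidden
        if sub == BEACON and not ssid:
            hidden.add(ap)
        elif sub == PROBE_RESP and ap in hidden and ssid:
            revealed[ap] = ssid.decode(errors="replace")
        elif sub == DEAUTH:
            deauths[ap] += 1
    bursts = {ap: n for ap, n in deauths.items() if n >= deauth_threshold}
    return {"hidden": hidden, "revealed": revealed, "deauth_bursts": bursts}

def mgmt(subtype: int, ap: bytes, body: bytes) -> bytes:
    """Build a constructed management frame: FC, duration, addr1..3, sequence control, body."""
    return bytes([subtype << 4, 0]) + b"\0\0" + BROADCAST + ap + ap + b"\0\0" + body

AP = bytes.fromhex("00112233aabb")                 # constructed AP MAC, not a real device
FIXED = b"\0" * 12                                 # timestamp, beacon interval, capabilities
SAMPLE = ([mgmt(BEACON, AP, FIXED + b"\x00\x00")] * 2        # hidden SSID: tag 0, length 0
          + [mgmt(DEAUTH, AP, b"\x07\x00")] * 5              # deauth burst, reason code 7
          + [mgmt(PROBE_RESP, AP, FIXED + b"\x00\x0cWireless Lab")])

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On a real capture, feed the 802.11 payloads (radiotap header stripped) into analyze(); a deauth burst followed by a revealed SSID for the same BSSID is the signature of the exercise above.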
In the previous exercise, we sent broadcast deauthentication packets to force reconnection of all wireless clients. You can also verify how individual clients can be targeted selectively using the aireplay-ng utility.
It is important to note that, even though we are illustrating the concept using Wireshark, it is possible to orchestrate this attack with other tools as well, such as the aircrack-ng suite. We encourage you to explore the entire aircrack-ng suite of tools and the documentation on its website at http://www.aircrack-ng.org.
More About Wireless Hacking
If you find this article interesting, you should read Kali Linux Wireless Penetration Testing Beginner’s Guide, Third Edition by Cameron Buchanan and Vivek Ramachandran to explore wireless pentesting from the ground up.
Kali Linux Wireless Penetration Testing Beginner’s Guide, Third Edition has been updated to Kali Linux 2017.3 with the latest methodologies, including full coverage of the KRACK attack and how to defend against it. The book presents wireless pentesting from the ground up, introducing all elements of penetration testing with each new technology. You’ll learn various wireless testing methodologies by example, from the basics of wireless routing and encryption through to detailed coverage of hacking methods and attacks such as Hirte and Caffe Latte.