
Time for action – uncovering hidden SSIDs

Perform the following instructions to get started:

  1. Using Wireshark, if we monitor beacon frames in the Wireless Lab network, we are able to see the SSID in plain text. You should see beacon frames, as shown in the following screenshot:
  2. Configure your access point to set the Wireless Lab network as a hidden SSID. The configuration option to do this may differ across access points. In my case, I need to check the Invisible option in the Visibility Status option, as shown in the following screenshot:
  3. Now if you take a look at the Wireshark trace, you will find that the SSID Wireless Lab has disappeared from the beacon frames. This is what hidden SSIDs are all about:
  4. In order to bypass beacon frames, we will first use the passive technique of waiting for a legitimate client to connect to the access point. This will generate probe request and probe response packets that will contain the SSID of the network, thus revealing its presence:
  5. Alternatively, you can use the aireplay-ng utility to send deauthentication packets to all stations on behalf of the Wireless Lab access point by typing aireplay-ng -0 5 -a <mac> --ignore-negative-one wlan0mon, where <mac> is the MAC address of the router. The -0 option selects a deauthentication attack, and 5 is the number of deauthentication packets to send. Finally, -a specifies the MAC address of the access point you are targeting:
  6. The preceding deauthentication packets will force all legitimate clients to disconnect and reconnect. It would be a good idea to add a filter for deauthentication packets to view them in an isolated way, which we can do with wlan.fc.type_subtype == 0x0c:
  7. The probe responses from the access point will end up revealing its hidden SSID. These packets will show up in Wireshark as shown in the following screenshot. Once the legitimate clients connect back, we can see the hidden SSID in the probe request and probe response frames. You can use the filter (wlan.bssid == <the AP MAC>) && !(wlan.fc.type_subtype == 0x08) to monitor all non-beacon packets to and from the access point. The && sign stands for the logical AND operator and the ! sign stands for the logical NOT operator:
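As an added example (not code from the book), the two Wireshark filters above are expressed as Python over a constructed capture, together with a defender's detection rule for the deauthentication burst that step 5 produces. Frames are plain dicts mirroring the wlan.fc.type_subtype, wlan.bssid and wlan.ssid fields, and the AP MAC is a placeholder.

```python
from collections import defaultdict

# Frame type/subtype values as used in the Wireshark filters above.
PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0x04, 0x05, 0x08, 0x0C

AP_MAC = "00:11:22:33:44:55"   # placeholder BSSID, not a real device

# Constructed capture: a hidden-SSID beacon, a beacon from another AP,
# a deauth burst, then the reconnection exchange that carries the SSID.
SAMPLE_FRAMES = [
    {"ts": 0.50, "type_subtype": BEACON, "bssid": AP_MAC, "ssid": ""},
    {"ts": 0.60, "type_subtype": BEACON, "bssid": "66:77:88:99:aa:bb", "ssid": "Other"},
] + [
    {"ts": 1.00 + i / 100, "type_subtype": DEAUTH, "bssid": AP_MAC,
     "da": "ff:ff:ff:ff:ff:ff"} for i in range(5)
] + [
    {"ts": 1.30, "type_subtype": PROBE_REQ, "bssid": AP_MAC, "ssid": "Wireless Lab"},
    {"ts": 1.31, "type_subtype": PROBE_RESP, "bssid": AP_MAC, "ssid": "Wireless Lab"},
]

def non_beacon_frames(frames, ap_mac):
    """Same selection as (wlan.bssid == <AP MAC>) && !(wlan.fc.type_subtype == 0x08)."""
    return [f for f in frames
            if f["bssid"] == ap_mac and f["type_subtype"] != BEACON]

def revealed_ssids(frames, ap_mac):
    """SSIDs carried by probe request/response frames for the AP; the beacon
    contributes nothing once the SSID is hidden."""
    return {f["ssid"] for f in non_beacon_frames(frames, ap_mac)
            if f["type_subtype"] in (PROBE_REQ, PROBE_RESP) and f.get("ssid")}

def deauth_bursts(frames, threshold=5, window=1.0):
    """Detection rule: report each BSSID that sends at least `threshold`
    deauthentication frames (subtype 0x0c) within `window` seconds.
    Returns a list of (bssid, total deauth count) pairs."""
    times = defaultdict(list)
    for f in frames:
        if f["type_subtype"] == DEAUTH:
            times[f["bssid"]].append(f["ts"])
    bursts = []
    for bssid, ts in times.items():
        ts.sort()
        # Any run of `threshold` consecutive frames inside the window counts.
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            bursts.append((bssid, len(ts)))
    return bursts

if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(SAMPLE_FRAMES))
    print("SSIDs revealed:", revealed_ssids(SAMPLE_FRAMES, AP_MAC))
```

A wireless IDS applies the same burst rule to live monitor-mode captures; the SSID extraction shows why hiding the SSID is not a confidentiality control.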

What just happened?

Even though the SSID is hidden and not broadcasted, whenever a legitimate client tries to connect to the access point, they exchange probe request and probe response packets. These packets contain the SSID of the access point. As these packets are not encrypted, they can be very easily sniffed from the air and the SSID can be found.

We will cover using probe requests for other purposes such as tracking in a later chapter.

In many cases, all clients may be already connected to the access point and there may be no probe request/response packets available in the Wireshark trace. Here, we can forcibly disconnect the clients from the access point by sending forged deauthentication packets on the air. These packets will force the clients to reconnect back to the access point, thus revealing the SSID.

Have a go hero – selecting deauthentication

In the previous exercise, we sent broadcast deauthentication packets to force reconnection of all wireless clients. Try to verify how you can selectively target individual clients using the aireplay-ng utility.

It is important to note that, even though we are illustrating many of these concepts using Wireshark, it is possible to orchestrate these attacks with other tools, such as the aircrack-ng suite. We encourage you to explore the entire aircrack-ng suite of tools and the other documentation located on their website at http://www.aircrack-ng.org.
