Hidden SSIDs come up constantly in conversations about WiFi security. The idea is straightforward: if your network isn’t broadcasting its name, attackers can’t find it. Problem solved.

Except it isn’t. Not even close.

A hidden SSID is what’s sometimes called security through obscurity: the belief that concealment is a substitute for an actual security control. It isn’t. The network still exists. The access point still transmits beacon frames; it simply leaves the SSID element empty. It still answers directed probe requests with its real name. And the moment any legitimate client associates or reassociates, the SSID is carried in the clear in the probe request, the probe response and the association request, for anyone in range who is listening.

All you need is patience. Or a deauth packet. Patience is optional.

The attack, step by step

1. Monitor mode and initial scan

With the Alfa AWUS036H in monitor mode, airodump-ng is launched on channel 6 to survey the environment. The hidden network shows up immediately: the ESSID column is empty (airodump-ng prints it as <length: 0>), but the BSSID, channel, encryption type and signal strength are all visible. The network is hiding its name, not its existence.

airodump-ng is relaunched with output saved to a file called hidden to capture everything that follows.

2. Forcing the SSID into the open

There’s already an associated client on the network. That’s the opportunity. A deauthentication frame, spoofed so it appears to come from the access point, is sent to that client using aireplay-ng, booting it off the network. Nothing authenticates that frame (this is a network without 802.11w management frame protection), so the client accepts it and immediately tries to reconnect. The reconnection is a sequence of unencrypted management frames: a directed probe request naming the SSID, the access point’s probe response echoing it, and an association request carrying it again. None of that is encrypted, whatever WEP or WPA does to the data frames afterwards, and airodump-ng fills in the ESSID as soon as it sees any of them.

In this case, the hidden network turns out to be Cisco. One deauth packet. Mystery solved.

This is why hidden SSIDs provide no meaningful protection against an active attacker, or even a patient passive one. Your clients give you away every time they connect.

3. ARP Request Replay to generate IVs

With the SSID now known, the attack continues exactly as in the previous episodes. An ARP Request Replay attack is launched against the network: captured ARP requests are re-injected so the access point keeps encrypting fresh replies, which drives up the rate at which new IVs appear and collects the volume of unique IVs that aircrack-ng needs to work effectively.

4. Cracking the WEP key

Once enough unique IVs are captured, aircrack-ng recovers the WEP encryption key. The hidden SSID added no meaningful resistance to the process, just one extra step at the beginning.
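The frame-level mechanics behind steps 1 and 2, and the probe-request leak mentioned at the end of this post, as an added example that is not part of the original write-up and not aircrack-ng’s own code: a minimal 802.11 management-frame builder and parser run over frames constructed inside the script. The BSSID, the client MAC, the channel and the WEP IVs are made up; the SSID Cisco is the one recovered above. The aireplay-ng invocation quoted in a comment is the standard one for the deauth step.

```python
"""Why a hidden SSID leaks: a tiny 802.11 builder/parser over constructed frames.

Added example, not code from the original post or from the aircrack-ng project.
All MAC addresses, the channel and the WEP IVs below are made up.
"""
import struct

# First frame-control byte: protocol version (2 bits) | type (2 bits) | subtype (4 bits).
BEACON, PROBE_REQ, PROBE_RESP, ASSOC_REQ, DEAUTH = 0x80, 0x40, 0x50, 0x00, 0xC0
DATA = 0x08                 # type 2 (data), subtype 0
FLAG_PROTECTED = 0x40       # second frame-control byte: Protected Frame bit
BROADCAST = bytes(6 * [0xFF])
TAG_SSID, TAG_DS = 0, 3     # information element IDs
FIXED = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4}  # fixed fields before the IEs


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def header(fc0, addr1, addr2, addr3, flags=0):
    # FC(2) + duration(2) + addr1/2/3(18) + sequence control(2) = 24 bytes
    return bytes([fc0, flags]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"


def ie(tag, payload):
    return bytes([tag, len(payload)]) + payload


def beacon(bssid, ssid, hidden):
    """A 'hidden' AP still beacons; it just sends a zero-length SSID element."""
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0011)   # timestamp, interval, caps (ESS|Privacy)
    body = ie(TAG_SSID, b"" if hidden else ssid.encode()) + ie(TAG_DS, bytes([6]))  # channel 6
    return header(BEACON, BROADCAST, bssid, bssid) + fixed + body


def probe_request(client, ssid):
    """Directed probe: a client configured for a hidden SSID names it, wherever it is."""
    return header(PROBE_REQ, BROADCAST, client, BROADCAST) + ie(TAG_SSID, ssid.encode())


def probe_response(bssid, client, ssid):
    """The hidden AP answers a directed probe with its real SSID."""
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0011)
    return header(PROBE_RESP, client, bssid, bssid) + fixed + ie(TAG_SSID, ssid.encode())


def assoc_request(client, bssid, ssid):
    """Association request: always carries the SSID, never encrypted."""
    fixed = struct.pack("<HH", 0x0011, 10)              # capabilities, listen interval
    return header(ASSOC_REQ, bssid, client, bssid) + fixed + ie(TAG_SSID, ssid.encode())


def deauth(bssid, client, reason=7):
    """Forged deauth 'from' the AP; what `aireplay-ng -0 1 -a <bssid> -c <client>` sends."""
    return header(DEAUTH, client, bssid, bssid) + struct.pack("<H", reason)


def wep_data(bssid, client, iv, ciphertext):
    """WEP data frame: 24-byte header, then the 3-byte IV and key index in the clear."""
    return header(DATA, bssid, client, BROADCAST, FLAG_PROTECTED) + iv + b"\x00" + ciphertext


def elements(body):
    i = 0
    while i + 2 <= len(body):
        tag, n = body[i], body[i + 1]
        yield tag, body[i + 2:i + 2 + n]
        i += 2 + n


def ssid_of(frame):
    """SSID of a management frame; '' if hidden (zero-length or NUL-padded), None if absent."""
    fc0 = frame[0]
    if fc0 not in FIXED:
        return None
    for tag, val in elements(frame[24 + FIXED[fc0]:]):
        if tag == TAG_SSID:
            return "" if not val.strip(b"\x00") else val.decode("utf-8", "replace")
    return None


def wep_iv(frame):
    """IV of a protected non-QoS data frame (subtype 0, so a 24-byte header), else None."""
    if frame[0] & 0x0C == 0x08 and frame[1] & FLAG_PROTECTED:
        return frame[24:27]
    return None


def survey(frames):
    """What a passive listener (or airodump-ng) learns: hidden BSSIDs, revealed names, IVs."""
    hidden, revealed, probing, ivs = set(), {}, {}, set()
    for f in frames:
        fc0, addr1, addr2 = f[0], f[4:10], f[10:16]
        name = ssid_of(f)
        if fc0 == BEACON and name == "":
            hidden.add(addr2)                # shows as <length: 0> in airodump-ng
        elif fc0 == PROBE_RESP and name:
            revealed[addr2] = name           # addr2 = the transmitting AP
        elif fc0 == ASSOC_REQ and name:
            revealed[addr1] = name           # addr1 = the target BSSID
        elif fc0 == PROBE_REQ and name:
            probing[addr2] = name            # client leaking the name it is looking for
        iv = wep_iv(f)
        if iv:
            ivs.add(iv)
    return hidden, revealed, probing, ivs


def demo():
    ap, sta = mac("00:11:22:33:44:55"), mac("66:77:88:99:aa:bb")   # made-up addresses
    capture = [
        beacon(ap, "Cisco", hidden=True),      # step 1: the AP is seen, but nameless
        deauth(ap, sta),                       # step 2: knock the client off
        probe_request(sta, "Cisco"),           # ...it comes back and says the name
        probe_response(ap, sta, "Cisco"),
        assoc_request(sta, ap, "Cisco"),
    ] + [wep_data(ap, sta, bytes([i, 0x5A, 0xA5]), b"\x13\x37") for i in range(5)]  # step 3: IVs
    return survey(capture)


if __name__ == "__main__":
    hidden, revealed, probing, ivs = demo()
    print({h.hex(":") for h in hidden}, {k.hex(":"): v for k, v in revealed.items()}, len(ivs))
```

survey() does for a list of frames what airodump-ng does with its ESSID column: the beacon only tells it a BSSID exists, and the first probe response or association request fills in the name. Note that 802.11w would let the client reject the forged deauth frame, but it does not encrypt the association request, so a client that joins on its own still announces the SSID.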

The real lesson here

Hidden SSIDs are a client-side problem dressed up as a network security feature. Administrators enable them thinking they’re reducing attack surface. What they’re actually doing is adding mild inconvenience for legitimate users — because clients have to be manually configured with the SSID rather than discovering it automatically — while adding zero friction for an attacker with a wireless adapter in monitor mode.

If anything, the forced manual configuration of clients creates a new problem. A device configured to join a hidden network cannot wait for a beacon to find it, so it sends directed probe requests naming that SSID wherever it goes, including in places where the access point is nowhere near. That is a different exposure we’ll come back to later in this series.

Security through obscurity isn’t a layer of defence. It’s a false sense of it. If you ever see a client report that recommends hiding SSIDs as a security control, that’s a finding in itself.

Real security means assuming the attacker can see your network. Because they can.