Wednesday, November 25, 2015

How To Find Hidden SSID

Known as security through obscurity, many people hide their SSIDs from broadcasting. Just like MAC address blocking, this is a worthless form of protection.
A hidden SSID is less secure than many think. It's like the wizard hiding behind the curtain.

It just does not add any value to your security and, like MAC address blocking, it adds complication with no reward.
Today I am going to show you how easy it is to reveal and find a hidden network using Kali Linux. First things first: hidden SSIDs.

You will sometimes see <length: ?> as the SSID on the airodump-ng display. This means the SSID is hidden. The "?" is normally the length of the SSID.
For example, if the SSID was "test123" then it would show up as <length: 7>, where 7 is the number of characters. When the hidden SSID is shown as length 0 or length 1, it means the AP does not reveal the actual length, and the real length could be any value.
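To make the <length: N> display concrete, here is an added example (my own code, not from the original post or from the aircrack-ng project) that decodes the SSID information element from the body of an 802.11 beacon frame and renders it the way airodump-ng does. A hidden network either sends an SSID element of length 0 or one of the real length filled with null bytes; the beacon bodies below are constructed samples, and the frame layout (12 bytes of fixed fields followed by tag/length/value elements) follows the 802.11 management frame format.

```python
# Added example: decode the SSID information element from a beacon frame body
# and render it the way airodump-ng shows hidden networks ("<length: N>").
# The beacon bodies are constructed samples, not captures from the post.
import struct

# Beacon fixed fields: timestamp (8) + beacon interval (2) + capabilities (2)
BEACON_FIXED_LEN = 12
SSID_TAG = 0


def parse_ies(body: bytes) -> list:
    """Split the tagged-parameter area of a management frame body into (tag, value) pairs."""
    ies = []
    pos = BEACON_FIXED_LEN
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:  # truncated frame: stop instead of mis-parsing
            break
        ies.append((tag, value))
        pos += 2 + length
    return ies


def render_ssid(body: bytes) -> str:
    """Return the SSID as airodump-ng would display it for this beacon."""
    for tag, value in parse_ies(body):
        if tag != SSID_TAG:
            continue
        if len(value) == 0:
            return "<length: 0>"
        if all(b == 0 for b in value):  # hidden: length leaked, characters nulled out
            return f"<length: {len(value)}>"
        return value.decode("utf-8", errors="replace")
    return "<length: 0>"  # no SSID element at all behaves like an empty one


def real_length_known(display: str) -> bool:
    """<length: 0> and <length: 1> do not reveal the true SSID length; larger N does."""
    if display.startswith("<length: "):
        n = int(display[len("<length: "):-1])
        return n > 1
    return True


def make_beacon_body(ssid: bytes) -> bytes:
    """Build a minimal constructed beacon body: fixed fields + SSID IE + supported-rates IE."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)          # timestamp, interval, capabilities
    ssid_ie = bytes([SSID_TAG, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])      # 1, 2, 5.5, 11 Mbps (basic)
    return fixed + ssid_ie + rates_ie


if __name__ == "__main__":
    for sample in (b"test123", b"\x00" * 7, b""):
        print(repr(sample), "->", render_ssid(make_beacon_body(sample)))
```

Running the block prints the broadcast name for the first sample and <length: 7> and <length: 0> for the two hidden variants; only the first of those two hidden forms tells you anything about the real name.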

You will need a compatible wireless card. I recommend these compatible wireless cards:
  • Alfa Networks AWUS036H
  • TP-LINK TL-WN722N  

Let's get started!


Let's see what wireless cards are connected to our device using the following command:
iwconfig

Now we run the following command to find hidden networks around us.
airodump-ng wlan0 

As you can see from the devices found, we have one with a hidden SSID. This hidden SSID is depicted as <length: x>, with x being the number of letters in the SSID. Some do not display this number. Honestly, the length does not matter much to us. What we are interested in is the clients attached to that access point. You see, all we have to do is de-authenticate a client, and when that client re-authenticates it will send the SSID through the air, allowing us to retrieve it. Let's run airodump-ng again and filter out everything but the access point in question with this command.

airodump-ng -c 5 --bssid BC:F6:85:BF:4F:70 mon0

The switches are:
-c = channel of target access point.
--bssid = MAC address from the target access point.

Target Hidden SSID

Here we can see the target access point with one client attached. We now need to de-authenticate this client and see if we can get the SSID during the re-authentication.

Connected Client to AP

Now open a new terminal window and leave airodump-ng running.

Run the following command in the new terminal.
The switches for this command are as follows:

-0 = Attack mode 0 = de-authentication (the number following this indicates the number of deauth packets).
-a = Target access point mac address
-c = Target client mac address
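From the defender's side, the step described above is noisy: a client being kicked off by a flood of deauthentication frames is easy to spot in management-frame telemetry, and 802.11w (Protected Management Frames) lets clients discard unauthenticated deauth frames altogether. The following is an added example (my own code, not from the original post) that flags deauth bursts against one client of one BSSID from a stream of frame records; the records, MAC addresses, window and threshold are constructed assumptions, not values from the page.

```python
# Added example: detect deauthentication bursts per (BSSID, client) pair over a
# sliding time window. Frame records are constructed samples of the form
# (timestamp_seconds, management_subtype, bssid, client); the addresses,
# window size and threshold are assumptions for illustration.
from collections import defaultdict, deque

# 802.11 management-frame subtypes (frame type 0)
BEACON, DISASSOC, DEAUTH = 8, 10, 12

AP = "AA:BB:CC:DD:EE:01"        # constructed BSSID
CLIENT_A = "AA:BB:CC:DD:EE:10"  # constructed client that roams normally
CLIENT_B = "AA:BB:CC:DD:EE:20"  # constructed client hit by a burst

# Constructed telemetry: a beacon, three widely spaced deauths for CLIENT_A
# (normal idle/roaming behaviour), then ten deauths in half a second for CLIENT_B.
SAMPLE_FRAMES = (
    [(0.0, BEACON, AP, "FF:FF:FF:FF:FF:FF"),
     (1.0, DEAUTH, AP, CLIENT_A),
     (5.0, DEAUTH, AP, CLIENT_A),
     (8.0, DEAUTH, AP, CLIENT_A)]
    + [(10.0 + i * 0.05, DEAUTH, AP, CLIENT_B) for i in range(10)]
)


def detect_deauth_bursts(frames, window=2.0, threshold=5):
    """Return one alert (bssid, client, first_ts, count) per (bssid, client) pair
    that receives `threshold` or more deauth/disassoc frames within `window` seconds."""
    recent = defaultdict(deque)  # (bssid, client) -> timestamps inside the window
    alerts, alerted = [], set()
    for ts, subtype, bssid, client in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        key = (bssid, client)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((bssid, client, q[0], len(q)))
    return alerts


def run_sample():
    """Apply the detector to the constructed frames; used by the demo and the test."""
    return detect_deauth_bursts(SAMPLE_FRAMES)


if __name__ == "__main__":
    for bssid, client, first_ts, count in run_sample():
        print(f"deauth burst: bssid={bssid} client={client} "
              f"{count} frames starting at t={first_ts:.2f}s")
```

Only CLIENT_B is reported: its five frames within the window trip the threshold, while CLIENT_A's deauths are spaced seconds apart and never accumulate. In a real deployment the records would come from a monitor-mode capture or a WIDS sensor, and the threshold would be tuned to the site's normal roaming churn.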

Now switch back to the original terminal window that still has airodump-ng running.

This is what it should now look like.

As you can see, we now know that the SSID for the target router is "The Interweb".

Unable to Reveal Hidden SSID name?

If it does not work the first time, try aireplay-ng again until it works. However, if the client does not reconnect, it is very possible that the target client has reconnected to another access point nearby instead.

Troubleshooting issues

BSSID PWR is -1

If the BSSID PWR is -1, then the driver doesn't support signal level reporting.
If the PWR is -1 for only a limited number of stations, those entries came from packets sent by the AP to the client while the client's own transmissions are out of range of your card, meaning you are hearing only half of the conversation. If all clients show PWR as -1, then the driver doesn't support signal level reporting.

NOTHING UNDER STATION

If nothing shows up under STATION, it just means no devices are connected over wireless. This attack requires a device to be connected over wireless to work, so sadly you will need to wait for a device to connect. Ethernet devices do not count.

Source and credits: matthewhknight.com
