One of the "security" measures used on Wi-Fi networks is hiding the network name, on the grounds that a client device can only connect to a Wi-Fi network whose SSID it knows. In this article we will show why this obsolete mechanism offers no real protection, and we will show you several ways to find out a hidden network's SSID.
Wi-Fi networks, specifically access points and routers with wireless capabilities, continuously send 802.11 management frames called beacons to let client devices know which wireless networks are available.
As may well have happened to you in the past: when you are within your home or office network's coverage area, your phone or tablet automatically connects to the saved network.
Let’s see how this technology works and why this happens.
How are Wi-Fi networks announced?
To connect to a wireless network, we first need to know that it is available. This is possible thanks to the 802.11 standard, under which access points constantly send out management beacon frames carrying information about the wireless network, including its name (SSID). Wi-Fi capable devices receive these frames and thereby learn which wireless networks are in range.
Therefore, when we display the list of available wireless networks on our phone, tablet or laptop, we see the networks from which our device has recently received one of these frames. The list is constantly updated, which is really helpful when roaming.
Once we have the list of available wireless networks, we can try to connect to one of them. In the case of a password-protected Wi-Fi network, there is an extra step. By default, the wireless network we have just connected to is saved on our device, so the next time we are within that network's coverage area the device connects automatically without us having to re-enter the password, providing an improved user experience.
This process does not involve only the access points broadcasting. Client devices do not just "listen" for nearby networks: they also actively send probe requests naming their previously saved wireless networks, which works regardless of whether the access point broadcasts the name itself. In other words, client devices do not merely check the received beacons for saved networks, they constantly ask whether those saved networks are in range in order to reconnect as quickly as possible.
Of course, our clien
How to connect to a hidden SSID Wi-Fi network?
If a wireless network is set as hidden, the access point or router still broadcasts beacon frames, but the SSID element in them is left empty (zero length, or on some equipment filled with null bytes). Client devices therefore know that there is an access point on the channel but not what network it serves, so they cannot connect to it unless they already know the name. The hidden name works only as a first filter, i.e. security through obscurity.
If you wish to connect to a hidden wireless network, you will be required to enter the network name first, and then, if it is correct, the network password.
The following table roughly shows the usual sequence, with the step numbers for a standard network and for a hidden network given separately:
| Standard network | Hidden network | Device | Action |
|---|---|---|---|
| | 1 | Access point | Hi, I'm a hidden SSID Wi-Fi network. |
| | 2 | Client | Hey, "Tarlogic" network, are you there? |
| | 3 | Access point | Hi, I'm the "Tarlogic" network. |
| 1 | 4 | Client | I want to connect. |
| 2 | 5 | Access point | What's the password? |
| 3 | 6 | Client | Here is the password. |
| 4 | 7 | Access point | Great! You're now connected! |
How to find out a hidden network’s name?
As we have seen, as long as we do not know the name of the network, we cannot connect to it: knowing the network name is the first filter that has to be passed before a connection can be established.
However, in the third step of the hidden-network sequence, the access point confirms to the client, in a probe response, that it is serving the wireless network under that name. A wireless card in normal (managed) mode, controlled by the operating system, only shows us what the operating system learned from its own scans, so the network is still displayed as hidden. In monitor mode, on the other hand, we can see every management frame on the channel, including the probe requests of other clients and the access point's probe responses, which reveal the network name.
Acrylic Wi-Fi Professional, thanks to its monitor mode capture driver, can capture all these frames and analyse them to obtain the network name. Once it has done so, the interface no longer shows "[Hidden]" but the actual network name, highlighted in the selected colour to distinguish it from the other networks.
In summary, if you are capturing in monitor mode you will be able to obtain the network name in the following cases:
- When a client device connects to a hidden network (the association request carries the SSID)
- When a client device asks whether a hidden SSID is available (probe request) and the access point answers confirming the name (probe response)
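The exchange in the table above and the monitor-mode correlation described in this section, as an added example that is not part of the original article or of Acrylic Wi-Fi: a small Python parser for 802.11 management frames that flags BSSIDs beaconing an empty or NUL-padded SSID element (step 1), then fills in the name from the access point's probe response (step 3), from an association request, or from a probe request aimed at that BSSID. The frames are constructed inline to mimic a capture; the code assumes the radiotap header and FCS have already been stripped, and the MAC addresses and the "Tarlogic" name are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# IEEE 802.11 management frame subtypes (frame type 0)
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0x0, 0x4, 0x5, 0x8
# Fixed-parameter bytes that precede the tagged elements in each subtype
FIXED_LEN = {ASSOC_REQ: 4, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
SSID_EID = 0                       # element ID of the SSID element
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class MgmtFrame:
    subtype: int
    da: str                  # Address 1: receiver
    sa: str                  # Address 2: transmitter
    bssid: str               # Address 3
    ssid: Optional[bytes]    # raw SSID element body, None if absent


def parse_mgmt(frame: bytes) -> Optional[MgmtFrame]:
    """Parse one 802.11 management frame (radiotap header and FCS stripped)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                    # frame type must be management
        return None
    subtype = (fc0 >> 4) & 0xF
    if subtype not in FIXED_LEN:                 # only the four subtypes we care about
        return None
    da, sa, bssid = (mac(frame[o:o + 6]) for o in (4, 10, 16))
    body = frame[24 + FIXED_LEN[subtype]:]
    ssid, i = None, 0
    while i + 2 <= len(body):                    # walk the tagged elements
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:                     # truncated element: stop parsing
            break
        if eid == SSID_EID:
            ssid = data
            break
        i += 2 + elen
    return MgmtFrame(subtype, da, sa, bssid, ssid)


def is_hidden(ssid: Optional[bytes]) -> bool:
    """A hidden AP beacons an empty SSID element, or one padded with NUL bytes."""
    return not ssid or all(b == 0 for b in ssid)


def reveal_hidden_ssids(frames: List[bytes]) -> Tuple[Dict[str, Optional[str]], Set[str]]:
    """Step 1 of the table: collect BSSIDs that beacon a hidden SSID. Steps 2-3
    (and a later association request): any frame that names an SSID and carries
    one of those BSSIDs reveals the hidden name.
    Returns ({bssid: name or None}, {names clients probed for})."""
    parsed = [f for f in map(parse_mgmt, frames) if f is not None]
    hidden: Dict[str, Optional[str]] = {
        f.bssid: None for f in parsed if f.subtype == BEACON and is_hidden(f.ssid)}
    probed: Set[str] = set()
    for f in parsed:
        if f.subtype == BEACON or is_hidden(f.ssid):
            continue
        name = f.ssid.decode("utf-8", errors="replace")
        if f.subtype == PROBE_REQ:               # client: "Tarlogic, are you there?"
            probed.add(name)
        if f.bssid in hidden:                    # probe response, association request,
            hidden[f.bssid] = name               # or a probe request aimed at that BSSID
    return hidden, probed


def build_mgmt(subtype: int, da: str, sa: str, bssid: str, ssid: Optional[bytes]) -> bytes:
    """Build a minimal constructed frame for the demo (not a real capture)."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (da, sa, bssid))
    header = bytes([subtype << 4, 0x00]) + b"\x00\x00" + addrs + b"\x00\x00"
    elements = b"" if ssid is None else bytes([SSID_EID, len(ssid)]) + ssid
    elements += bytes([1, 2, 0x82, 0x84])        # Supported Rates element, for realism
    return header + b"\x00" * FIXED_LEN[subtype] + elements


# Placeholder addresses; the whole "capture" below is constructed for the example
AP, AP2, VISIBLE_AP = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"
CLIENT = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_mgmt(BEACON, BROADCAST, AP, AP, b""),                         # 1: hidden beacon
    build_mgmt(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, b"Tarlogic"),   # 2: client asks
    build_mgmt(PROBE_RESP, CLIENT, AP, AP, b"Tarlogic"),                # 3: AP confirms
    build_mgmt(BEACON, BROADCAST, AP2, AP2, b"\x00" * 8),               # NUL-padded, never revealed
    build_mgmt(BEACON, BROADCAST, VISIBLE_AP, VISIBLE_AP, b"Guest"),    # not hidden, ignored
]

if __name__ == "__main__":
    found, asked = reveal_hidden_ssids(SAMPLE_FRAMES)
    for bssid, name in found.items():
        print(f"{bssid}  {name or '[Hidden]'}")
    print("SSIDs clients probed for:", sorted(asked))
```

The second access point in the sample stays "[Hidden]" because nobody probes for it or joins it during the capture: a hidden name is revealed only when a client that knows it is active, which is exactly why the method works against any network that actually has users.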