One common challenge is dealing with Access Points (APs) that conceal their presence by not broadcasting their Service Set Identifier (SSID, or the WIFI name). This article goes into techniques for locating the MAC addresses of such APs, a fundamental step in the penetration testing of WiFi networks, using various tools and techniques to detect these APs, including passive and active scanning methods.

I was recently in an engagement with an incredibly crowded wireless environment (I’m talking about >50 in range! half of which are hidden), given the target has a hidden SSID, this made it surprisingly tricky to identify the right AP and its MAC address (or BSSID) for further testing, which inspired this article.

This article assumes basic knowledge of WIFI technologies and the aircrack-ng suite, and you have some idea of what the SSID might be (I hope you’re not testing some completely random network).

When using airodump, a hidden network can show up as this:

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 24:F5:32:D3:32:5B   -6      554      178    0 149  780   WPA2 CCMP   PSK  <length:  9>

Or this if the SSID length is hidden altogether:

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 24:F5:32:D3:32:5B   -6      554      178    0 149  780   WPA2 CCMP   PSK  <length:  0>

And we might see a lot of stations in range but no WIFI names, so how do we identify the right AP? Here are a few methods, and they can be combined for maximum effectiveness.

Method 1: Listen and Wait

This method is good for making a list of potential targets when you have no information at all.

From the output of airodump, gather a list of suspects to be filtered. If the length of ESSID is broadcasted, you might be able make an educated guess on which is the right AP, then focus the capture on a few channels or or the specific BSSID:

airodump-ng wlan1 --band a --channel 149
airodump-ng wlan1 --band a --bssid 24:F5:32:D3:32:5B

If you’re lucky, you might catch some devices trying to connect to the AP, this should reveal the SSID and the right AP, and you’re good to go. I have also seen some connections with the right SSID, but BSSID shows (not associated), since the goal is to acquire the BSSID, this is where method 2 comes in handy.

Method 2: Manual Connection

This method can be used when you have the SSID, but can’t pin point the AP.

If you know the SSID, or see it popping up in airodump but without BSSID like this, which can happen if the device is searching for the network, but not connected:

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   3F:7F:24:6C:B4:23  -34    0 - 6      2        4         john_cena

You can try to manually connect to the AP using another device with a random password, the goal is to capture the initial handshake where the MAC address of the AP will be exposed. Filter by the SSID so that the results are easier to see:

airodump-ng wlan1 --band a --essid john_cena
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 24:F5:32:D3:32:5B   -7 100       73       12    1 149  780   WPA2 CCMP   PSK  john_cena
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -22    0 - 6e     0       18         john_cena

The handshake will be captured, but since the password will be wrong, this capture cannot be used for hash cracking.

Method 3: Deauth

This method can be used when you have the BSSID, but want to make sure the AP and its SSID is correct.

Once you have some potential BSSIDs to test, you can filter by those and deauth one of the clients, wait for the client to reconnect, which will reveal the SSID and BSSID of the AP. Of course, this method is a lot more noisy than the other ones. Start capturing on the specific BSSID:

airodump-ng wlan1 --band a --bssid 24:F5:32:D3:32:5B -c 44
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID  

 24:F5:32:D3:32:5B   -4      153       72    0  44  780   WPA2 CCMP   PSK  <length:  9>                       

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -22    0 - 6e     0       18   

Deauth the client:

aireplay-ng --deauth 44 -a 24:F5:32:D3:32:5B -c 3F:7F:24:6C:B4:23 wlan1

Wait for it to reconnect, and the BSSID and SSID should appear:

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 24:F5:32:D3:32:5B   10 100      359      108   23  44  780   WPA2 CCMP   PSK  john_cena                      

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 24:F5:32:D3:32:5B  3F:7F:24:6C:B4:23  -26    6e- 6e   139     2877  PMKID

This also captures the WPA handshake, which can be used for cracking.

Method 4: Bruteforce

This method can be used when you have the BSSID, but you don’t want to deauth any clients and/or have a list of possible SSIDs.

Using the MDK4 tool, we can bruteforce the SSID using a wordlist, this is useful when you have a list of potential SSIDs, but couldn’t find a connected client, or don’t want to deauth any. Let’s say you’re pentesting EvilCorp’s WIFI networks, the wordlist could be:


Or in this case, we know the AP owner is a big WWE fan:

mdk4 wlan1 p -t 24:F5:32:D3:32:5B -f ssids.txt
Waiting for a beacon frame from target to get its SSID length.
SSID length is 9
Trying SSID: bert_hart                                           
Packets sent:      1 - Speed:    1 packets/sec

Wordlist completed.
Probe Response from target AP with SSID john_cena                
Job's done, have a nice day :)

MDK4 also has a full bruteforce mode where character sets can be specified, but this is not recommended unless the SSID length is short, and it wouldn’t work if the length is unknown altogether.