Sometimes Access Points are set up with SSID broadcasting disabled, and this can become painful if you need to do further penetration testing on that AP and there are no clients connected to it. In this article I will show you a little Python script I created to attempt to "brute force" the (E)SSID name of Access Points that are configured to hide their SSID.

What you need is:
1) the aircrack-ng suite;
2) a wifi card capable of doing injection (I recommend an ALFA AWUS036H);
3) a list of well known SSIDs that you can get here or create yourself.

What I did was try a fake authentication to the Access Point using the names present in a file that I pass to the script, and check whether I got authenticated or not.

First of all you need to create a monitor interface using airmon-ng and launch airodump-ng to identify the AP with the hidden SSID. Once you have done this, write down the channel and the BSSID (MAC address) of the AP. Destroy the monitor interface and recreate it on the channel the AP you are targeting is working on.

The script works by passing the BSSID (MAC address) you identified previously and the file containing the (E)SSIDs to probe against as parameters:

./hidden_ssid <mac_address> <file_name>

The script works by trying a fake authentication to the AP using all the (E)SSIDs present in the file and checking if it gets correctly authenticated. This is the command line I use to do the test:

aireplay-ng --fakeauth 0 -T 1 -a bssid -e essid mon0

The -T 1 option tells aireplay-ng to try only one fake authentication.

The script works assuming that mon0 is the interface to be used but, if needed, it’s trivial to modify this.
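From the defender's side, the loop just described leaves a recognisable trace: one station sending authentication attempts with many different ESSIDs to a single BSSID within a short time, whereas a legitimate client retries one ESSID. The following is an added example (not part of the original post) that flags that pattern; the log layout (`<epoch> auth bssid=... sta=... ssid="..." ok|fail`) and the sample lines are constructed for illustration, so real hostapd or WIDS output needs its own parser.

```python
import re
from collections import defaultdict

# CONSTRUCTED sample AP/WIDS log (not a real hostapd format). Station ...:01 walks a
# wordlist against one BSSID; station ...:02 is an ordinary client retrying one ESSID.
SAMPLE_LOG = """\
1700000000 auth bssid=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:01 ssid="linksys" fail
1700000001 auth bssid=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:01 ssid="NETGEAR" fail
1700000002 auth bssid=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:01 ssid="default" fail
1700000003 auth bssid=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:01 ssid="dlink" fail
1700000004 auth bssid=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:01 ssid="This is a free wifi" ok
1700000010 auth bssid=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:02 ssid="This is a free wifi" fail
1700000015 auth bssid=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:02 ssid="This is a free wifi" ok
this line is malformed and must be skipped by the parser
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\d+) auth bssid=(?P<bssid>[0-9a-f:]{17}) sta=(?P<sta>[0-9a-f:]{17}) '
    r'ssid="(?P<ssid>[^"]*)" (?P<result>ok|fail)$')

def parse(lines):
    """Yield (ts, bssid, sta, ssid, result) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m['ts']), m['bssid'], m['sta'], m['ssid'], m['result']

def find_ssid_guessing(lines, window=60, threshold=5):
    """Return {(sta, bssid): n} for pairs that tried at least `threshold` distinct
    ESSIDs within any `window` seconds; n is the largest count seen. The signal is
    ESSID diversity toward one BSSID, not the raw number of attempts or failures."""
    attempts = defaultdict(list)                 # (sta, bssid) -> [(ts, ssid), ...]
    for ts, bssid, sta, ssid, _ in parse(lines):
        attempts[(sta, bssid)].append((ts, ssid))
    alerts = {}
    for key, tries in attempts.items():
        tries.sort()
        start = 0                                # sliding window over sorted attempts
        for end in range(len(tries)):
            while tries[end][0] - tries[start][0] > window:
                start += 1
            distinct = {s for _, s in tries[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts

if __name__ == '__main__':
    for (sta, bssid), n in find_ssid_guessing(SAMPLE_LOG).items():
        print('SSID guessing: %s tried %d distinct ESSIDs against %s' % (sta, n, bssid))
```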

Following is the script.



# script created by Tony 'albatr0ss' Di Bernardo, October 2011
# you are free to re-use the code as long as you give credit to the author in your works

import sys
from subprocess import Popen, PIPE

if len(sys.argv) < 3:
    print('Usage: ' + sys.argv[0] + ' bssid essid_list')
    sys.exit(1)

bssid = sys.argv[1]
essid_list = sys.argv[2]

print('Searching name for Access Point ' + bssid + ' using file ' + essid_list)

f = open(essid_list, 'r')

for temp in f:
    # strip only the line terminator: an ESSID may legitimately contain spaces
    essid = temp.rstrip('\r\n')
    if not essid:
        continue
    print('Trying Essid: ' + essid)

    # one fake authentication attempt (-T 1) against the AP, on interface mon0
    c = Popen(['aireplay-ng', '--fakeauth', '0', '-T', '1', '-a', bssid, '-e', essid, 'mon0'], stdout=PIPE)
    output = c.communicate()[0].decode('utf-8', 'replace')

    # aireplay-ng prints "Association successful" when the AP accepted this ESSID
    if 'Association successful' in output:
        print('\nFound! Access Point ' + bssid + ' Essid is ' + essid)
        f.close()
        sys.exit(0)

f.close()
print('\nEssid not in file ' + essid_list + ' for Access Point ' + bssid)


You can download it here. You have to decompress it and set the executable flag with

tar xfvz hidden_ssid.tar.gz
chmod +x hidden_ssid

Be wise and use this only on APs you have been authorized to pentest :-)

On Securitytube you can find a video that shows the script in action.


9 Responses to Find and identify hidden SSIDs without clients

  1. zimmaro says:

    My compliments on your "blog", I find it very interesting! Bye! And thanks!

  2. albatr0ss says:

    Thank you ;-)

  3. Hello,
    but does it also work in the case of WPA2?

    • albatr0ss says:

      The SSID (Service Set Identifier) is the name of the Access Point. In this case the type of encryption does not come into play. When you configure an AP you can choose whether or not it announces itself to clients. In the first case any device scanning for wifi networks will find it and will be able to connect to it, provided it has the necessary keys (if it is protected with WEP/WPA). In the second case the AP will not be detected by normal clients; that is only possible with specific software, which in any case will not discover the name until at least one client connects to it. This script instead serves to discover the name when there are no clients connected to the AP.
      The video should be quite self-explanatory.

    • albatr0ss says:

      Hi andrea,
      Yes, it works with all encryption schemes; in fact it only identifies the name of the AP and does not find the key.

      Sorry again for the delay

  4. taher says:

    there is no file essid.list plz tell me from where could i get this file, thank u..

    • albatr0ss says:


      Sorry for the delay, my mail went nuts :-/

      You can generate the file by yourself, it's a plain txt file with the names you want to try as SSID

  5. me says:

    Hi, nice script. But I might be wrong but it looks like it needs a little adjust$
    Here is what I mean.
    If I have names of the ssids in a ssid-file-list like that:

    This is a free wifi

    Then the script will try to authenticate with
    “SSID” – which is fine
    “WIFI” – which is fine as well
    "Thisisafreewifi" – which is totally wrong. It does not recognize the spaces bet$
    It should try to authenticate with “This is a free wifi” but it does not.

  6. 4ever says:

    thank you very much very important
