AP client state machine
The AP client state machine describes the stages a client (station) and an AP go through before any data can flow. Both start in the unauthenticated and unassociated state. The client sends an authentication request; if the AP answers with an authentication response carrying a success status code, both move to the authenticated and unassociated state, otherwise they stay where they are. The client then sends an association request; if the AP answers with a successful association response, the link is authenticated and associated and data frames can be exchanged, otherwise both remain authenticated but unassociated. A deauthentication frame received in the authenticated and associated state sends the client straight back to unauthenticated and unassociated. A disassociation frame only drops it back to authenticated and unassociated, so the client has to re-associate but does not have to re-authenticate.
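The state machine above, modelled in Python as an added example (this is not code from the original text). The `Station` class, the frame names and the `join_then` walk-through are this example's own; the transition rules and the frame classes (class 1 allowed anywhere, class 2 only once authenticated, class 3 only once associated) follow the three-state model of IEEE 802.11.

```python
"""Model of the three-state 802.11 client/AP state machine.

Added example, not part of the original text. Names are this example's own.
State 1: unauthenticated/unassociated, State 2: authenticated/unassociated,
State 3: authenticated/associated.
"""

from enum import IntEnum


class State(IntEnum):
    UNAUTH_UNASSOC = 1
    AUTH_UNASSOC = 2
    AUTH_ASSOC = 3


# 802.11 frame classes: a frame of class N may only be exchanged when the
# station is in state >= N. Data frames are class 3, so no data before state 3.
FRAME_CLASS = {
    "beacon": 1, "probe_request": 1, "probe_response": 1,
    "auth_request": 1, "auth_response": 1, "deauth": 1,
    "assoc_request": 2, "assoc_response": 2, "disassoc": 2,
    "data": 3,
}


class Station:
    def __init__(self):
        self.state = State.UNAUTH_UNASSOC

    def allowed(self, frame):
        """Is a frame of this type permitted in the current state?"""
        return FRAME_CLASS[frame] <= int(self.state)

    def handle(self, frame, status_ok=True):
        """Apply one sent/received frame and return the resulting state.

        status_ok models the status code of an auth/assoc response; a failed
        response leaves the state unchanged.
        """
        if not self.allowed(frame):
            # A real AP answers a class-2 frame in state 1 with a Deauthentication
            # (reason 6) and a class-3 frame in state 2 with a Disassociation (reason 7).
            raise ValueError(f"{frame} is class {FRAME_CLASS[frame]}, not allowed in state {int(self.state)}")
        if frame == "auth_response" and status_ok and self.state == State.UNAUTH_UNASSOC:
            self.state = State.AUTH_UNASSOC
        elif frame == "assoc_response" and status_ok and self.state == State.AUTH_UNASSOC:
            self.state = State.AUTH_ASSOC
        elif frame == "deauth":
            self.state = State.UNAUTH_UNASSOC   # deauth always drops to state 1
        elif frame == "disassoc":
            self.state = State.AUTH_UNASSOC     # disassoc only drops to state 2
        return self.state


def join_then(teardown):
    """Walk a station through a full join, send data, then apply `teardown`
    ("deauth" or "disassoc"). Returns the list of numeric states visited."""
    sta = Station()
    trace = [int(sta.state)]
    for frame in ("auth_request", "auth_response", "assoc_request",
                  "assoc_response", "data", teardown):
        trace.append(int(sta.handle(frame)))
    return trace


def frame_allowed_in(state_value, frame):
    """Helper: is `frame` permitted for a station in numeric state `state_value`?"""
    sta = Station()
    sta.state = State(state_value)
    return sta.allowed(frame)


if __name__ == "__main__":
    print("join then deauth   :", join_then("deauth"))     # ends in state 1
    print("join then disassoc :", join_then("disassoc"))   # ends in state 2
```

The two traces differ only in the final state, which is the practical difference between the two teardown frames: after a disassociation the client only needs a new association exchange, after a deauthentication it must start again from authentication.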
Hidden SSID :-
The SSID is simply the name of the wireless network, advertised so that a client can recognize and select it. An access point announces its presence with beacon frames, and by default those beacons carry the SSID in clear. Anybody in range therefore learns that a network called "xyz" exists; if it is open, or they obtain its credentials, they can connect to it, map the network and go further from there.
Hidden SSID is the option of turning off SSID broadcast in beacons. The beacon is still sent, but its SSID element is empty (length zero) or, on some APs, filled with null bytes of the real length. This is not a security measure and should not be relied on to keep an attacker off the network.
In practice hidden networks are easy to discover, and once the SSID is known the attacker is in exactly the same position as with a broadcast one.
Hidden SSID is security through obscurity: the name is withheld only from beacons, and the network cannot operate without it appearing elsewhere. Directed probe requests, probe responses and association requests all carry the SSID element in clear, because the AP needs it to answer a probe and to accept an association.
So the SSID can be recovered in two simple ways. The passive way is to keep monitoring the channel and wait for a client to join: the probe request, probe response and association request exchanged while it connects all contain the SSID.
The active way is to disconnect a client that is already connected, typically with a spoofed deauthentication frame, and read the SSID from the probe response and association request it sends when it reconnects. Note that clients on a network using 802.11w Protected Management Frames (optional in WPA2, mandatory in WPA3) discard unprotected deauthentication frames, so only the passive method works there. In the probe response and association request the SSID cannot be masked, since a legitimate connection cannot be made without it.
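To show where the SSID actually sits in the frames discussed above, the following added example (not code from the original text) constructs a minimal 802.11 management frame of each subtype and pulls the SSID element out of it. The builder and parser names are this example's own; the frame layout follows 802.11 management frames: a 24-byte MAC header, a per-subtype block of fixed fields, then tagged parameters in Element ID / Length / Value form, where the SSID is element ID 0. It also handles the two cloaking styles named above (zero-length and null-filled SSID) and a truncated trailing element, and it goes slightly beyond the text by also treating a wildcard probe request and the SSID-less association response.

```python
"""Extract the SSID element from raw 802.11 management frames.

Added example, not part of the original text. Frames are constructed here
(no capture needed) and helper names are this example's own.
"""

# Management subtypes (frame control type = 0)
ASSOC_REQ, ASSOC_RESP, PROBE_REQ, PROBE_RESP, BEACON = 0, 1, 4, 5, 8

# Bytes of fixed fields between the MAC header and the tagged parameters.
FIXED_LEN = {
    ASSOC_REQ: 4,    # capability(2) + listen interval(2)
    ASSOC_RESP: 6,   # capability(2) + status code(2) + AID(2), no SSID element
    PROBE_REQ: 0,    # tagged parameters only
    PROBE_RESP: 12,  # timestamp(8) + beacon interval(2) + capability(2)
    BEACON: 12,
}
MAC_HDR_LEN = 24
SSID_ELEMENT_ID = 0


def build_mgmt_frame(subtype, ssid, hide=False):
    """Construct a minimal management frame. hide=True emits a zero-length
    SSID element, the common way an AP cloaks its beacon."""
    fc = bytes([subtype << 4, 0x00])            # type 0 (management), no flags
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6 + b"\x00\x00"
    body = b"\x00" * FIXED_LEN[subtype]
    if subtype != ASSOC_RESP:                   # assoc response never carries an SSID
        value = b"" if hide else ssid.encode()
        body += bytes([SSID_ELEMENT_ID, len(value)]) + value
    body += bytes([1, 1, 0x82])                 # Supported Rates element after the SSID
    return hdr + body


def mgmt_subtype(frame):
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    return fc0 >> 4


def tagged_params(frame):
    """Yield (element_id, value) pairs; stop at a truncated trailing element."""
    pos = MAC_HDR_LEN + FIXED_LEN[mgmt_subtype(frame)]
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                               # declared length runs past the frame
        yield eid, value
        pos += 2 + length


def extract_ssid(frame):
    """Return ("ssid", name), ("hidden", None) for a cloaked beacon/probe
    response, ("wildcard", None) for a broadcast probe request, or
    ("absent", None) when the frame has no SSID element."""
    subtype = mgmt_subtype(frame)
    for eid, value in tagged_params(frame):
        if eid != SSID_ELEMENT_ID:
            continue
        if len(value) == 0 or value == b"\x00" * len(value):
            # Empty SSID in a probe request is a wildcard probe, not cloaking.
            return ("wildcard" if subtype == PROBE_REQ else "hidden"), None
        return "ssid", value.decode("utf-8", errors="replace")
    return "absent", None


def demo():
    """Constructed exchange: cloaked beacon, then the frames of a client joining."""
    frames = {
        "beacon":         build_mgmt_frame(BEACON, "xyz", hide=True),
        "probe_request":  build_mgmt_frame(PROBE_REQ, "xyz"),
        "probe_response": build_mgmt_frame(PROBE_RESP, "xyz"),
        "assoc_request":  build_mgmt_frame(ASSOC_REQ, "xyz"),
        "assoc_response": build_mgmt_frame(ASSOC_RESP, "xyz"),
    }
    return {name: extract_ssid(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

Running it shows the beacon giving away nothing while the directed probe request, the probe response and the association request each carry "xyz"; the association response has no SSID element at all. The same parser can be pointed at real frames captured in monitor mode, since it only reads the header and body bytes.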