Steps to attack Hidden SSIDs
1) Sniff the packets using airodump-ng, as has already been discussed.
2) You can apply filters to narrow down your scope: sniff only on that channel and only on the specific MAC (the BSSID of the AP).
3) To do this, in the terminal write airodump-ng mon0 --channel 1 --bssid 00:F3:D3:02:23:d2. The value here is a random MAC address; you should replace it with the MAC address of the access point that you want to sniff on.
4) Now that we are sniffing on the network, whenever a new client connects to it the probe response and the association response will give away the SSID.
5) The other way is to break the connection between the client and the AP; when the client tries to connect back, we can get the SSID from the probe response and the association response packets.
As we know from the state machine diagram of an AP and client, if the client or the AP sends a deauthentication packet the connection between the two gets broken and it goes back to the first state. After reaching the first state the client will try to connect again to the AP. There is a particular management packet known as the deauthentication packet. When the client gets a deauthentication packet from the AP it disconnects from the AP and then tries to connect back.
The tool we are going to use to generate the deauthentication packet here is called aireplay-ng. Aireplay-ng has a lot of other features as well, and you should try them out and see what it can do. But for our purpose we will just generate a deauthentication packet. The deauthentication packet can be a broadcast deauth, which means we disconnect all the clients connected to the AP, or it can be a simple deauth packet breaking a single client-AP pair.
7) Assuming that we are already running airodump-ng, open up a new terminal and run aireplay-ng.
8) What we are currently interested in is generating the deauthentication packet. To do that we can type in aireplay-ng --deauth 0 -a 00:F3:D3:02:23:d2 mon0
9) Now we can see it starts sending deauthentication packets on behalf of the AP, so all the clients connected to it get disconnected.
10) Now when they connect back, we can easily figure out the SSID of the network.
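From the monitoring side, the sequence above is exactly what a wireless IDS looks for: a burst of broadcast deauthentication frames carrying the AP's address, followed by the association request and probe response that carry the SSID in the clear. The following added example (not part of the original tutorial) parses raw 802.11 management frames, pulls the SSID element out of probe responses and association requests, and raises an alert when broadcast deauths from one source address exceed a threshold inside a sliding time window. The AP address is the one used in the text; the client address, the network name "lab-net" and the trace itself are constructed.

```python
from collections import defaultdict

# First Frame Control byte of the management subtypes of interest, the SSID tag id,
# and where each subtype's tagged-parameter list starts inside the frame body.
DEAUTH, ASSOC_REQ, PROBE_RESP, SSID_TAG = 0xC0, 0x00, 0x50, 0
TAG_OFFSET, BCAST = {PROBE_RESP: 12, ASSOC_REQ: 4}, "ff:ff:ff:ff:ff:ff"

def parse_mgmt(frame):
    """Return (subtype, DA, SA, BSSID, body) for a management frame, else None."""
    if frame[0] & 0x0C:                        # type bits must be 00 (management)
        return None
    return frame[0] & 0xF0, frame[4:10].hex(":"), frame[10:16].hex(":"), frame[16:22].hex(":"), frame[24:]

def ssid_from_tags(tags):
    """Walk the (id, length, value) tagged parameters and return the SSID, if present."""
    i = 0
    while i + 2 <= len(tags):
        tag, ln = tags[i], tags[i + 1]
        if tag == SSID_TAG:
            return tags[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None

def inspect(frames, window=1.0, threshold=10):
    """frames: [(timestamp, raw_bytes)]. Returns ({bssid: ssid}, [alert strings])."""
    ssids, alerts, recent = {}, [], defaultdict(list)
    for ts, raw in frames:
        if not (parsed := parse_mgmt(raw)):
            continue
        sub, da, sa, bssid, body = parsed
        if sub in TAG_OFFSET:                  # probe response or association request
            ssid = ssid_from_tags(body[TAG_OFFSET[sub]:])
            if ssid:                           # a non-empty SSID element un-hides the network
                ssids[bssid] = ssid
        elif sub == DEAUTH and da == BCAST:    # broadcast deauth sent "on behalf of" the AP
            hits = recent[sa] = [t for t in recent[sa] if ts - t <= window] + [ts]  # sliding window
            if len(hits) == threshold:
                alerts.append(f"deauth flood: {threshold} broadcast deauths from {sa} within {window}s")
    return ssids, alerts

def build(fc0, da, sa, bssid, body):           # constructed frame: FC, duration, 3 addrs, seq ctrl, body
    return bytes([fc0, 0, 0, 0]) + da + sa + bssid + b"\x00\x00" + body

def sample_capture():
    """Constructed trace: 12 broadcast deauths from the AP, then the client re-associating."""
    ap, client, bcast = bytes.fromhex("00f3d30223d2"), bytes.fromhex("020000000001"), b"\xff" * 6
    frames = [(0.1 + i * 0.05, build(DEAUTH, bcast, ap, ap, (7).to_bytes(2, "little"))) for i in range(12)]
    frames.append((2.0, build(ASSOC_REQ, ap, client, ap, bytes(4) + bytes([SSID_TAG, 7]) + b"lab-net")))
    return frames
```

Running inspect(sample_capture()) yields one flood alert for the AP address and the SSID "lab-net" recovered from the association request; a beacon whose SSID element has length zero would leave the dictionary empty, which is what "hidden" means on the wire.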