Summary:

1. Start wireless monitoring: airmon-ng

2. Discover the APs: airodump-ng

3. De-auth attack: aireplay-ng

Details:

1. Start wireless monitoring

check available airmon-ng interfaces

Turn on airmon-ng on wireless lan 0. Notice a new logical wireless interface wlan0mon is created. 

2. Discover the hidden APs by running airodump-ng

length: 0 - means someone is not broadcasting his SSID

in this example: user is hiding his SSID on channel 6

OPN: no password

Now, let's only focus on channel 6

Note, you might also see other channel numbers, which could be overlapping channels

3. Deauth attack

Sending exactly 2 packet to force wireless clients to re-authenticate

Now you see SSID: Gue2t

Don't forget to stop airmon-ng