How to Catch Handshake WiFi in Kali Linux: A Complete Guide

Capture handshakes The wireless network handshake is a fundamental step in the Wi-Fi security audit process. This four-way key exchange between the client and the access point contains the hashed version of the password, which can later be decrypted. In the operating system Kali Linux For this purpose, a powerful set of utilities included in the package is used Aircrack-ng, which allows you to intercept packets and analyze traffic.

The process doesn't always go smoothly the first time, as success depends on many factors: distance to the target, noise level in the air, and client activity. Monitoring Channel capture requires precise configuration of a network adapter that supports monitor mode. Below, we'll detail the technical nuances of preparing the equipment, the algorithm for intercepting packets, and methods for verifying successful data capture.

It is important to understand that this information is provided solely for educational purposes, for testing one's own networks or networks for which the owner has given written permission to audit them. Illegally intercepting third-party traffic is a violation of the law. Ethical hacking involves strict adherence to legal regulations and the use of acquired skills to strengthen the protection of infrastructure.

Preparing equipment and selecting an adapter

The first and most critical step is choosing the right wireless adapter. Standard built-in laptop modules often don't support necessary features, such as monitor mode And packet injectionFor successful operation in Kali Linux, it is recommended to use external USB devices based on chipsets Atheros AR9271, Ralink RT3070 or more modern Realtek RTL8812AU.

After connecting the device, you need to make sure that the operating system has identified it correctly. Command iwconfig or ip link will allow you to see a list of network interfaces. Wireless adapters are usually labeled as wlan0, wlan1 and so on. If the device is not displayed, additional drivers may need to be installed, which is a common issue with newer card models.

⚠️ Note: Some virtual machines do not forward USB devices to the guest OS by default. Ensure that your Wi-Fi adapter is connected to the Kali virtual machine, not the host OS, using the virtualizer's device menu.

A key part of preparation is checking for injection support. Without this feature, you'll only be able to listen to the broadcast, but you won't be able to send deauthenticating packets that are necessary to force a client reconnect and obtain a handshake. This can be verified using the utility airmon-ng, which will also help to switch the card to the desired operating mode.

Activating monitor mode and stopping processes

Before scanning the airwaves, you must put the network interface into monitor mode. In this state, the adapter stops ignoring packets not addressed to it and begins recording all radio frequency traffic within range. The standard command for this action is airmon-ng start wlan0, Where wlan0 — the name of your interface.

However, before launching the monitor, it is critical to stop background processes that may be using the network card. System services such as NetworkManager or wpa_supplicant, often conflict with audit tools, causing errors or instability. Utility airmon-ng has a built-in cleaning mechanism activated by the command airmon-ng check kill.

☑️ Pre-launch check

Completed: 0 / 4

After executing the command airmon-ng start The interface name often changes, for example to wlan0monThis new name will need to be used in all subsequent commands for sniffers and scanners. Ignoring the name change will result in utility startup errors, as the old interface wlan0 in monitor mode it no longer functions as a normal device.

What to do if the monitor mode does not turn on?

If the airmon-ng start command returns an error, try manually disabling the interface with the ifconfig wlan0 down command, then restarting the mode and re-enabling it. Removing the kernel module that controls the card with the rmmod command may also help, but this requires knowing the exact driver name.

Scanning the airwaves and selecting a target

To detect available networks, a utility is used airodump-ng. Running the command airodump-ng wlan0mon (or your current interface name) will start a continuous stream of data about all access points and clients within range. The screen will display information about BSSID (MAC address of the access point), channel, encryption and signal level.

When choosing a target for analysis, several parameters should be taken into account. First, networks with the type of encryption are of interest. WPA2 or WPA3, since for WEP There are faster hacking methods that don't require a handshake. Secondly, the signal strength is important (RSSI): The closer to zero the value is (e.g. -40 is better than -80), the more stable the packet capture will be.

Parameter Description Importance for capture
BSSID MAC address of the router Critical (target ID)
CH Broadcast channel High (need per channel)
PWR Signal strength High (affects stability)
#Data Number of packages Average (activity indicator)
MB Transfer speed Low (technical reference)

Particular attention should be paid to the column #Data and a list of clients. If at least one client (STA) is connected to the access point, the chances of successfully capturing a handshake increase significantly. If there are no clients or they are inactive, the process may drag on indefinitely. Ideally, you should find a network with active data exchange.

📊 What signal level is considered optimal for stable capture?
-30 dBm (Very close)
-50 dBm (Good signal)
-70 dBm (Acceptable, but losses are possible)
-90 dBm (Too weak)

Handshake

After selecting the target network, you need to lock the scan to a specific channel and save the output to a file. The command looks like this: airodump-ng -c [CHANNEL] --bssid [ROUTER_MAC] -w [FILE_NAME] wlan0mon. Flag -w (write) specifies that all packets should be written to files with the prefix you specify. This will allow you to analyze the traffic later.

The most difficult part is waiting for the client to connect. If the client is already connected, it won't continuously transmit a full handshake. This is where a deauthentication attack comes in. Using the utility aireplay-ng, you can send a special control frame that will forcibly terminate the client's connection to the router. The client, attempting to reconnect, will automatically perform the procedure 4-way handshake, which we will intercept.

aireplay-ng -0 10 -a [ROUTER_MAC] -c [CLIENT_MAC] wlan0mon

In this command the flag -0 indicates the type of attack (deauthentication), the number 10 — the number of deauthentication packets sent. Option -a indicates the address of the access point, and -c — the address of a specific client. Failure to specify the client's address will result in the connection being lost for all connected devices, which may arouse suspicion among the network owner.

⚠️ Warning: Excessive use of deauthentication packets may temporarily block the network adapter or be interpreted by security systems (IDS/WIPS) as a DoS attack. Use the minimum number of packets necessary to achieve results.

At the time of execution of the attack in the window airodump-ng, running in a parallel terminal, a message should appear in the upper right corner WPA Handshake: [BSSID]. This means that the goal has been achieved. The files where the recording was made (with the extension .cap or .pcap), now contain the necessary data for further work.

Analysis and verification of the obtained data

Once you receive a file with traffic, don't immediately start brute-forcing passwords. First, you need to ensure that the handshake was captured correctly and the file is not corrupted. For this, use the following utility: aircrack-ng with the check flag. Run the command aircrack-ng -0 file.cap, Where -0 means the handshake validity checking mode.

If the file contains a valid handshake, the program will display a message KEY FOUND! (In verification mode, this will indicate a valid handshake) or simply confirm the presence of one handshake. If the file is empty or contains only beacon frames without the authorization process, the program will report no handshakes. In this case, the procedure will have to be repeated, possibly changing the antenna position or selecting a different target.

It's also worth paying attention to the file size. Files with captured handshake messages are usually small, but if you've been recording traffic for a long time, the size can reach tens of megabytes. To speed up subsequent searches, you can clear the file of unnecessary junk, leaving only the handshake packets, using a utility. wpaclean or similar tools from the set Aircrack-ng.

Alternative methods and new standards

The traditional method of intercepting 4-way handshake becomes less effective with the introduction of the standard WPA3 and protection mechanisms such as PMF (Protected Management Frames). In networks with PMF enabled, deauthentication frames may be ignored by clients, making forced reconnection impossible using the traditional method. In such cases, specialists turn to analyzing the EAPOL handshake, which occurs when a device first connects.

There is also a capture method through PMKID (Pairwise Master Key Identifier). This method is notable for the fact that it doesn't require a connected client at all. Simply send an association request to the access point itself, and it can return a PMKID hash, which is also suitable for offline brute-force attacks. hcxdumptool significantly simplifies working with PMKID and is often more effective than the classic one aireplay-ng in modern conditions.

To work with new standards and speed up the process, it is recommended to use a bundle hcxdumptool And hashcatThese tools not only allow for more stealthy data capture but also enable brute-force attacks using GPUs, which increases the speed of brute-force attacks hundreds of times compared to CPU-based methods. Evolving security standards require a constant update to a pentester's arsenal.

⚠️ Note: The interfaces and functionality of the tools may change as Kali Linux repositories are updated. Always check the help (--help flag) for the specific version of the utility installed on your system, as the command syntax may differ from that described in older manuals.

Frequently Asked Questions (FAQ)

Why doesn't airodump-ng see any networks?

The most likely cause is that you're on the wrong channel or the interface isn't set to monitor mode. Also, check if your antivirus or firewall is blocking the network card. Try manually switching channels using the -c flag or running a scan of all channels.

Is it possible to catch a handshake if there are no active clients nearby?

The classic deauthentication method doesn't work, since there's no one to "ping." However, you can try the PMKID method, which allows you to obtain a hash directly from the router without involving client devices, if the access point supports this feature.

Which adapter is best for Kali Linux for a beginner?

Adapters based on the Atheros AR9271 chipset are ideal for beginners. They offer excellent out-of-the-box compatibility, maintain stable monitor mode, and support packet injection without the need to compile complex drivers.

How long does it take to brute force a password after capture?

The time it takes depends on the password's complexity and the power of your hardware. A simple 6-digit password can be brute-forced instantly, while a complex 12-character password with case-sensitive and special characters can take years to crack, even on powerful graphics cards.