How to Capture a WiFi Handshake in Kali Linux: A Pro Guide

The process of auditing wireless network security is inextricably linked to the ability to intercept service packets, known as handshakeIt is this four-way key exchange between the client and the access point that contains the encrypted information needed to perform a brute-force password check. In the environment Kali Linux This process is automated and perfected thanks to a powerful set of utilities available by default.

To successfully complete this task, you'll need an adapter that supports monitor mode and packet injection. Standard built-in laptop modules often fail to handle this task, so professionals use external USB chips. Atheros or RealtekWithout hardware support, software methods will be useless, regardless of the software used.

In this article, we'll delve into the technical aspects of interception, examine command-line tools, and analyze common mistakes made by beginners. Understanding the physics of the process will allow you to go beyond simply following instructions and actually diagnose problems while scanning the airwaves.

Theoretical foundations of the 4-way handshake

Protocol WPA2 Uses a four-way handshake to mutually authenticate the client and access point. Upon connection, the device and router exchange random numbers (nonces), which are used to generate a temporary encryption key. It is critically important that the WiFi password itself is never transmitted over the air in clear text.

By capturing this packet, a security specialist gains offline brute-force capabilities. An attacker can test millions of password combinations locally without creating noise or overloading the target network. This is what the interception method does. handshake the main attack vector on home and corporate networks.

The exchange process is as follows: the access point sends an ANonce, the client generates an SNonce and sends it back along with a MIC (message integrity code). The access point verifies the MIC and confirms the connection. If even one of these frames is lost or corrupted, the key cannot be recovered.

⚠️ Please note: Interception of traffic and attempts to hack networks are permitted only on your own equipment or with the written consent of the infrastructure owner. Unauthorized access to computer information is punishable by law.

Modern routers can use protection WPA3, which implements the SAE (Simultaneous Authentication of Equals) protocol. Unlike a classic handshake, SAE prevents offline dictionary attacks, making handshake interception useless for classic brute-force attacks.

Preparation of equipment and interfaces

The first step is to put the network interface into monitor mode. In this mode, the card stops filtering frames not destined for its MAC address and begins recording all traffic on the selected frequency. Standard mode Managed is absolutely not suitable for this task.

To manage wireless interfaces in Kali Linux The most commonly used utility is airmon-ngIt allows you to easily switch driver operating modes and kill processes that may interfere with packet capture, such as wpa_supplicant or NetworkManager.

Run the command to stop interfering processes:

sudo airmon-ng check kill

Then enable monitoring mode on your interface (usually wlan0):

sudo airmon-ng start wlan0

After a successful launch, a new device will appear in the list of interfaces, often with a suffix mon (For example, wlan0mon). This is what we'll be working with next. If the interface doesn't appear, your driver may not support monitoring mode.

Scanning the airwaves and selecting a target

Before you begin capturing, you need to identify the target network. This is done using a tool airodump-ng, which displays all available access points within range, their channels, signal strength and encryption types.

Run a scan on the monitoring interface:

sudo airodump-ng wlan0mon

In the list that opens, pay attention to the column ENCWe are interested in networks marked WPA2 or WPA. The parameter is also important PWR (signal strength) - the closer the value is to 0 (for example, -40), the more stable the connection will be and the higher the chances of successful capture.

Write it down BSSID (router MAC address) and channel number (CH) of the selected network. This data will be needed for traffic filtering. Without channel assignment, you'll collect junk data from all networks at once, complicating analysis.

📊 What signal level (PWR) do you consider optimal for handshake capture?
-30..-50 dBm
-50..-70 dBm
-70..-80 dBm
Below -80 dBm

Setting up packet capture

Now we need to start recording packets specifically for the selected network. We'll use the same tools, but add filters by BSSID and channel. This will allow us to save the file in a compact format and immediately see the handshake status.

The command to start recording looks like this:

sudo airodump-ng --bssid [router_mac] --channel [channel] --write target_capture wlan0mon

Instead of [MAC_ROUTER] And [CHANNEL] Please enter your target data. Parameter --write Specifies the name of the file where the data will be saved. In the upper right corner of the terminal, you will see a counter of captured handshakes.

While recording is in progress, the status will be displayed at the top of the screen. WPA handshake: 00:00:00:00:00:00As soon as a client appears on the network and attempts to connect (or reconnect), the counter will change to 1, and the process can be terminated.

☑️ Check before launching the capture

Completed: 0 / 5

Methods for speeding up the handshake process

Waiting for a real user to connect to the network can take hours. To speed up the process, we use deauthentication. We send control frames on behalf of the router to the client (or vice versa), forcibly disconnecting the connection.

To implement the attack, a utility is used aireplay-ng. In a new terminal window (without closing airodump-ng) execute:

sudo aireplay-ng --deauth 10 -a [ROUTER_MAC] -c [CLIENT_MAC] wlan0mon

Parameter --deauth 10 means sending 10 deauthentication packets. If there are multiple clients, you can omit the parameter -c, and the disconnection will occur for all connected devices. Typically, the device automatically tries to reconnect within a few seconds, generating the necessary handshake.

Keep an eye on the window airodump-ngAs soon as the successful handshake message appears, the attack can be stopped. File target_capture-01.cap (or with another extension specified at startup) is ready for analysis.

⚠️ Warning: Sending deauthentication packets in bulk may cause a temporary denial of service (DoS) for all devices on the network. Use this feature with caution and only for testing purposes.

There are also passive methods, such as waiting for the device to automatically reconnect when it leaves the router's range and returns. However, the active method aireplay-ng remains the fastest way to obtain data.

Analysis and verification of captured data

Once the capture is complete, you need to make sure the file contains valid data. Not every file with the extension .cap Suitable for brute-force attacks. Sometimes the interception occurs incorrectly, and key parts of the handshake are missing.

A built-in script is used for checking. aircrack-ngRun it by specifying the file and dictionary (even if the dictionary is fake, the program will check the structure):

aircrack-ng target_capture-01.cap -w /usr/share/wordlists/rockyou.txt

If there is a handshake in the file, the program will immediately notify you with a message KEY FOUND! (if the password worked) or Passphrase not in dictionary, but it will confirm the presence of the handshake. If you see an error No valid WPA handshakes found, which means the capture was unsuccessful.

Why might a handshake be invalid?

Often, the cause is a poor signal (packet loss), the use of WPA3, or the client connecting via WPS rather than the standard method. The issue could also be with the WiFi adapter driver, which truncates long frames.

Further work with the file outside of Kali Linux (for example, for transferring it to a GPU cluster) often requires format conversion. The utility wpaclean helps remove unnecessary data from the file, leaving only a clean handshake, which speeds up subsequent iteration.

Comparison of gripping tools

There are several tools available in the Linux ecosystem for working with wireless networks. Although airodump-ng is the de facto standard, sometimes it is useful to know the alternatives, especially if the standard set aircrack-ng It works unstable with your adapter.

Below is a comparison of the main features of popular utilities:

Tool Main function Complexity WPA3 support
airodump-ng Scanning and Capturing Average Partial
Wireshark Deep Packet Inspection High Yes
Bettercap Harvester for attacks High Yes
wifite2 Automation Low No

Wireshark It allows you to visually break down each bit of the handshake, which is useful for learning, but not convenient for quick grasp. Bettercap — is a powerful MITM attack framework that also enables deauthentication. Wifite2 automates the entire process, but often works less reliably than manual commands.

The choice of tool depends on your goal: for a quick audit, a combination of airmon-ng + airodump-ng, for deep research of protocols - Wireshark.

Frequently Asked Questions (FAQ)

Is it possible to get a handshake if no one is connected to the network?

No, the handshake is only generated when a client connects. If there are no active devices on the network, there's nothing to intercept. However, you can wait for someone to connect, or use saved profiles on devices that attempt to connect automatically.

Which WiFi adapter is best for Kali Linux?

Adapters based on the Atheros AR9271 and Realtek RTL8812AU chipsets are considered the most compatible. They support monitor mode and packet injection out of the box or with minimal driver installation. Integrated Intel cards often experience instability in monitor mode.

How long does it take to brute force a password after receiving a handshake?

The time depends on the password complexity and hardware performance. Simple passwords (up to 8 characters) can be found in seconds on modern GPUs. Complex passwords of 12+ characters using special characters can take years or even centuries to crack.

Does this method work on WPA3?

The classic method of capturing a handshake and then brute-forcing it offline doesn't work on WPA3 due to the use of the SAE protocol. WPA3 requires other attack methods, such as Dragonblood, that exploit implementation vulnerabilities rather than weaknesses in the handshake itself.