How to Decrypt Wi-Fi Handshakes in Kali Linux: A Complete Guide from Capturing to Decoding

Transcript Wi-Fi handshake — a key stage of wireless network security testing that allows identifying protocol vulnerabilities WPA/WPA2. IN Kali Linux This process is automated using specialized tools, but requires precise execution of steps and an understanding of authentication mechanisms. It is important to note that this procedure must be carried out exclusively on their own networks or with the owner's permission — Unauthorized interception of traffic is a violation of the law in most countries.

In this article, we will analyze the entire cycle: from preparing equipment and scanning the air to decoding the password using aircrack-ng, hashcat and other utilities. We'll pay special attention to common beginner mistakes, such as choosing the wrong adapter or ignoring the network channel, as well as optimizing the process by selecting a dictionary. If you're just starting out with Kali Linux, we recommend that you first familiarize yourself with the basics of the command line and how network protocols work.

Preparation of the system and equipment

Before you begin intercepting handshake, you need to make sure your system is ready to go. Kali Linux must be installed on a physical computer or a virtual machine (e.g. VirtualBox or VMware) with support enabled USB-passthrough for the network adapter. Virtual machines without direct access to the Wi-Fi adapter will not be able to scan the air.

The key component is - Wi-Fi adapter with monitoring mode supportNot all devices are suitable for this task. The best options are:

  • 🔹 Alfa AWUS036ACH - supports dual-band (2.4/5 GHz) and high transfer speeds.
  • 🔹 TP-Link TL-WN722N (version 1.0) - a budget option with a reliable chipset Atheros AR9271.
  • 🔹 Panda PAU09 - compact adapter with support 802.11ac.

Please check the adapter compatibility before purchasing. Kali Linux via command iwconfig or a list of supported devices on the official website aircrack-ngChipset adapters Realtek often cause problems with the monitoring mode.

⚠️ Attention: Using built-in Wi-Fi modules of laptops (for example, Intel AX200) is possible, but they may not support packet injection, which is critical for speeding up handshake interception.
📊 Which Wi-Fi adapter are you using for testing?
Alfa AWUS036ACH
TP-Link TL-WN722N
Panda PAU09
Another
Don't know

Installation and configuration of necessary tools

IN Kali Linux Most Wi-Fi utilities are pre-installed, but it's recommended to update them to the latest versions. Run the following commands:

sudo apt update && sudo apt upgrade -y

sudo apt install aircrack-ng reaver hashcat macchanger

The main tools we will need are:

  • 🔧 aircrack-ng — a package for intercepting and analyzing traffic, including handshakes.
  • 🔧 airodump-ng — scanning the air and capturing packets.
  • 🔧 aireplay-ng - packet injection to speed up handshake interception.
  • 🔧 hashcat — a utility for brute-forcing hashes (an alternative aircrack-ng with GPU support).

After installation, check the adapter's functionality in monitoring mode:

sudo airmon-ng check kill # Stop interfering processes

sudo airmon-ng start wlan0 # Start monitoring mode (replace wlan0 with your interface)

If the command runs without errors, the adapter is ready to use. To return it to normal mode, use sudo airmon-ng stop wlan0mon.

Scanning the airwaves and selecting a target

Run a scan for available networks using airodump-ng:

sudo airodump-ng wlan0mon

The terminal will display a list of networks with the following parameters:

  • 📶 BSSID — MAC address of the access point.
  • 🔄 PWR — signal level (the higher the better).
  • 🔒 ENC — encryption type (WPA2 — our option).
  • 📡 CH — network channel (important for fine tuning) airodump-ng).

Select the target network and write it down BSSID and channel. For example, if the network operates on a channel 6 With BSSID 00:11:22:33:44:55, run a targeted scan:

sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon

Flag -w capture saves captured packets to a file capture-01.cap.

What to do if the network is not displayed in airodump-ng?

If the target network is not visible, check:

1. Is the adapter in monitoring mode (iwconfig).

2. Does the adapter support the 5 GHz band (if the network operates in it).

3. Is the signal level sufficient (try moving closer to the router).

4. Does the network hide the SSID (use airodump-ng --band a to scan all channels).

WPA/WPA2 Handshake Capture

A handshake is the process of exchanging keys between a client and an access point that occurs when a device connects to the network. To intercept it, you need to wait for a client (smartphone, laptop) to connect to the network or forcefully disconnect an existing client.

To speed up the process, use aireplay-ng to send packets Deauthentication:

sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon

Where:

  • -0 5 — sends 5 deauth packets (enough to break the connection).
  • -a — MAC address of the access point (BSSID).
  • -c — Client MAC address (if unknown, can be omitted).

After sending packets in the window airodump-ng a message will appear WPA handshake: 00:11:22:33:44:55 - this means that the handshake has been successfully captured. Now you can stop scanning (Ctrl+C) and start deciphering.

⚠️ Attention: Overuse Deauthentication-attacks can disrupt network operation and raise suspicions among administrators. Limit attempts to 1-2.

Make sure that:

The capture-01.cap file has been created and is not empty|The airodump-ng output contains the line "WPA handshake: [BSSID]"|The .cap file size is greater than 10 KB (the minimum size for a handshake)|The network is using WPA/WPA2 (not WPA3 or open access)-->

Deciphering a Handshake with Aircrack-ng

To decode the password you will need a dictionary with possible combinations. Kali Linux There are built-in dictionaries in the directory /usr/share/wordlists/, but they are often insufficient. Popular sources:

  • 📄 rockyou.txt — classic dictionary (included in Kali, but compressed; unzip with command sudo gzip -d /usr/share/wordlists/rockyou.txt.gz).
  • 📄 SecLists — a collection of dictionaries from Daniel Miessler (install via sudo apt install seclists).
  • 📄 Customized dictionaries - for example, Crunch to generate combinations based on known target data.

Launch aircrack-ng specifying the capture file and dictionary:

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:11:22:33:44:55 capture-01.cap

The process can take from a few minutes to hours depending on:

  • ⏱️ Password complexity (short dictionary passwords are cracked faster).
  • 💾 Dictionary size (the more words, the longer the search).
  • 🖥️ CPU performance (use for speed up) hashcat with GPU support).

If the password is found, it will be displayed in the terminal in the format KEY FOUND! [ khkhkhkhkhkhkhkh ]If not, try a different dictionary or optimize it (for example, add frequently used combinations for your region).

Alternative methods: hashcat and GPU acceleration

Hashcat — a more powerful brute-force tool that supports acceleration on video cards NVIDIA And AMDFirst, extract the hash from the file. .cap by using hcxtools:

sudo apt install hcxtools

hcxpcapngtool -o hash.hc22000 capture-01.cap

Now run it hashcat specifying the hash type (22000 for WPA-PBKDF2) and dictionary:

hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt -O

Flag -O Optimizes the process by skipping passwords that are too long.

Advantages hashcat:

Parameter aircrack-ng hashcat (with GPU)
Search speed ~500–2000 hashes/sec (CPU) ~20,000–100,000 hashes/sec (GPU)
Rules support Limited Flexible rules for modifying the dictionary
Types of attacks Dictionary only Dictionary, brute force, hybrid
Difficulty of setup Simple Requires knowledge of flags

For maximum effectiveness, combine both tools: use aircrack-ng for quick checking of small dictionaries and hashcat for deep analysis with GPU acceleration.

Common mistakes and their solutions

Even experienced users encounter problems deciphering handshakes. Let's look at the most common ones:

1. The adapter does not enter monitoring mode.

  • 🛠️ Check your drivers: lsusb → find the chipset model → install the corresponding driver.
  • 🛠️ Disable conflicting processes: sudo airmon-ng check kill.
  • 🛠️ Try a different adapter (for example, Alfa instead of the built-in module).

2. Handshake is not captured

  • 📡 Make sure clients are connected to the network (use airodump-ng --showack to display active devices).
  • 📡 Check the channel: if the network is working on 5 GHz, and the adapter only supports 2.4 GHz, the handshake will not be intercepted.
  • 📡 Increase signal strength: iwconfig wlan0mon txpower 30 (maximum depends on the adapter).

3. Aircrack-ng doesn't find the password

  • 🔍 Use a more relevant dictionary (for example, generate it through crunch taking into account known data about the target).
  • 🔍 Check file integrity .cap: wpaclean capture_clean.cap capture-01.cap (removes unnecessary packages).
  • 🔍 Try it hashcat with a flag -a 3 for brute force by mask (if part of the password is known).
⚠️ Attention: If the network uses WPA3, standard handshake interception methods won't work. Other approaches will be needed, such as an attack Dragonblood (vulnerability in the protocol).

FAQ: Frequently Asked Questions about Interpreting Handshakes

Is it possible to decipher a handshake without a dictionary?

Theoretically yes, but in practice it is extremely resource-intensive. The method brute force (trying all possible combinations) for a password of 8 characters using a-z, 0-9 would take millions of years even on a powerful GPU. Dictionary attacks remain the only realistic method.

The exception is if you know part of the password (for example, the prefix). Then you can use hashcat with a mask:

hashcat -m 22000 -a 3 hash.hc22000 "known_part?d?d?d"

Where ?d - number, ?l — small letter, etc.

How to protect your network from handshake hijacking?

Basic protective measures:

  • 🔐 Use WPA3 instead of WPA2 (if supported by devices).
  • 🔐 Install complex password (12+ characters, mixed case and special characters).
  • 🔐 Turn off WPS - This protocol is vulnerable to brute force.
  • 🔐 Set up MAC filtering (not a panacea, but will make the attacker's job more difficult).
  • 🔐 Update your router firmware regularly.

Additionally, you can reduce the signal strength to make the network less visible outside your premises.

Is it legal to test other people's networks without permission?

No, this is a violation of the law in almost all countries, including Russia (Article 272 of the Criminal Code of the Russian Federation "Unauthorized access to computer information") and EU countries (cybercrime directive). Legal testing is only possible:

  • 📜 On our own network.
  • 📜 With the owner's written permission (for example, as part of a company's penetration test).
  • 📜 On specially created laboratory stands (for example, Wi-Fi Pineapple).

Even if the network is "open" or poorly secured, unauthorized access is classified as a hack.

Is it possible to decipher a handshake on a phone?

Technically yes, but with serious limitations:

  • 📱 On Android you will need root access and specialized applications like Wifi Analyzer + Termux with installed aircrack-ng.
  • 🍎 On iOS This is practically impossible due to the closed nature of the system.

Mobile devices are not powerful enough for effective brute-force attacks, and adapters with monitoring mode for smartphones are rare. It's better to use Kali Linux on PC or Raspberry Pi.

What to do if the handshake is captured, but aircrack-ng returns an error?

Common mistakes and their solutions:

  • 🚨 "No networks found" → Make sure the file .cap contains handshake (check through wireshark).
  • 🚨 "Invalid argument" → Check the command syntax (for example, is it correct) BSSID).
  • 🚨 "No password found" → The password was not found in the dictionary. Try a different dictionary or hashcat.
  • 🚨 "Read error" → File .cap damaged. Repeat the capture.

For diagnostics use tshark -r capture-01.cap -Y "eapol" - this will show whether the file contains a handshake.