Hacking Wi-Fi networks is a topic of interest to both cybersecurity experts and ordinary users looking to test their own router's vulnerability. The central element of this process is Wi-Fi handshake — the exchange of packets between the device and the access point during authentication. Without intercepting and decrypting them, cracking the password becomes virtually impossible.
This article does not encourage illegal activity. We are discussing the process for educational purposes only—for testing purposes. own Network resilience testing. Handshake decryption allows us to identify weaknesses in our defenses and strengthen them before attackers do. It's important to understand: using these methods against other people's networks violates the laws of most countries, including Article 272 of the Russian Criminal Code ("Unauthorized access to computer information").
If you're a network administrator or just want to make sure your Wi-Fi is secure, this guide will help you understand the technical details. We'll cover tools like Kali Linux, Wireshark And Aircrack-ng, as well as alternative methods of traffic analysis. Let's get started!
What is a Wi-Fi handshake and why is it important to decipher it?
Handshake (from English. handshake — "handshake") is the exchange of service packets between a client (for example, your smartphone) and an access point (router) at the moment of connection. It occurs when WPA/WPA2 authentication and contains encrypted information needed to verify the password. Without successfully intercepting this exchange, hacking the network is impossible.
Why is this important for security?
- 🔍 Stability testingIf you can decrypt your network's handshake, it can be hacked. This is a sign to change your password or configure your router.
- 🛡️ Identifying vulnerabilities: Handshake analysis helps to detect weak ciphers (for example,
TKIPinstead ofAES) or outdated protocols. - 📡 Connection control: Knowing how the process works will help you track down suspicious connection attempts to your network.
A handshake consists of four packets (sometimes called 4-way handshake):
- The access point sends to the client
ANonce(random number). - The client responds with his own
SNonceand the password hash. - The access point checks the hash and sends an acknowledgement.
- The client completes the process.
Necessary tools: what you will need for the job
To intercept and decrypt a handshake, you'll need specialized software and hardware. Most tools are freely available, but some require some command-line skills.
| Tool | Purpose | Where to get |
|---|---|---|
| Kali Linux | An operating system with pre-installed security testing tools | Official website (free) |
| Aircrack-ng | Packet sniffing and password cracking | Included in Kali Linux |
| Wireshark | Network traffic analysis | wireshark.org (free) |
Wi-Fi adapter with support monitor mode |
Intercepting packets in the air | Aliexpress, Amazon (from 1000 rubles) |
Pay special attention when choosing a Wi-Fi adapter. Not all devices support it. monitor mode — a mode required for packet interception. Popular models:
- 📶 Alfa AWUS036ACH — supports dual-band (2.4/5 GHz) and has an external antenna.
- 📶 TP-Link TL-WN722N — a budget option, but only for 2.4 GHz.
- 📶 Panda PAU09 - compact, with support
packet injection.
⚠️ Attention: Using adapters with modified drivers (for example, for packet injection) may violate the manufacturer's license agreements. Before purchasing, check compatibility with Kali Linux on the official forums.
Step 1: Put your Wi-Fi adapter into monitor mode
The first step is to prepare the equipment. You need to switch the Wi-Fi adapter to monitor mode, so that it can "listen" to all packets on the air, and not just those addressed to your device.
Open a terminal in Kali Linux and run the following commands:
# View available network interfacesiwconfig
Stopping the process that is interfering with work (NetworkManager)
sudo systemctl stop NetworkManager
Switch the adapter to monitor mode (replace wlan0 with your interface)
sudo airmon-ng start wlan0
Checking that the mode is enabled
iwconfig
After executing the command iwconfig you should see a line Mode:Monitor next to your adapter. If you see instead Mode:Managed, then something went wrong. Possible reasons:
- 🔌 The adapter does not support
monitor mode(check the model). - 🔄 Drivers are not loaded (in Kali Linux, most drivers are installed by default).
- 🚫 Another process is blocking the interface (eg. wpa_supplicant).
Disable NetworkManager
Check interface name (iwconfig)
Switch to monitor mode (airmon-ng start)
Make sure the mode is activated (Mode:Monitor)-->
Step 2: Scanning Networks and Selecting a Target
Now that the adapter is ready, you can scan the air for Wi-Fi networks. To do this, use the utility airodump-ng, which will show all available access points and devices connected to them.
Run the scan with the command:
sudo airodump-ng wlan0mon
A table with networks will appear in the terminal. Note the columns:
BSSID— MAC address of the access point.PWR— signal level (the higher, the better for interception).CH— the channel on which the network operates.ENC— encryption type (we are interested inWPAorWPA2).
Select the target network and write it down BSSID and the channel (CH). For example, if the network is operating on channel 6, narrow your scan:
sudo airodump-ng --bssid [BSSID] -c 6 --write capture wlan0mon
Flag --write capture saves captured packets to a file capture.cap, which can then be analyzed in Wireshark.
⚠️ Attention: If there are no active connections on the network, the handshake won't be intercepted. To initiate it, you can disconnect and reconnect one of the devices to the network (for example, your smartphone).
Step 3: Capturing Handshakes with Aircrack-ng
When did you launch airodump-ng, it will log all network traffic to a file. We need to wait for a handshake to occur—for example, when a new device is connected. In the terminal, this will look like this message: WPA handshake: [BSSID] in the upper right corner.
If a handshake does not occur naturally, it can be induced by aireplay-ngTo do this:
- Open a new terminal (without closing it) airodump-ng).
- Run the deauthentication command:
sudo aireplay-ng --deauth 10 -a [BSSID] wlan0monHere
--deauth 10means sending 10 deauthentication packets, which will force the devices to reconnect.
After successfully intercepting the handshake, you can stop airodump-ng (click Ctrl+C). File capture.cap now contains the required data. It can be opened in Wireshark for visual analysis or immediate use in Aircrack-ng to crack the password.
What to do if the handshake is not intercepted?
If after several attempts the handshake fails to intercept, check:
1. Signal level — if PWR is below -80, the adapter may not catch packets.
2. Channel - Make sure you specified the correct channel in airodump-ng.
3. Device activity — there must be connected clients in the network.
4. Adapter drivers — some models require patched drivers for packet injection.
Step 4: Deciphering the handshake and cracking the password
Now we have a file with a handshake (capture.cap). To decrypt it, you'll need a password dictionary—a text file containing a list of possible combinations. The larger the dictionary, the higher the chances of success, but it will also take more time.
To select a password we use Aircrack-ng:
sudo aircrack-ng -w [dictionary_path] -b [BSSID] capture.cap
Examples of sources for dictionaries:
- 📄 RockYou.txt — classic dictionary (14 million passwords, available in Kali Linux on the way)
/usr/share/wordlists/rockyou.txt.gz). - 📄 SecLists — a collection of dictionaries from the project SecLists (github).
- 📄 Own dictionaries — can be generated taking into account personal data (dates of birth, names, etc.).
The process can take anywhere from a few minutes to a day, depending on the password's strength and the speed of your computer. If the password isn't found, try:
- 🔄 Use a different dictionary.
- 🔧 Add password mutation rules (for example, using John the Ripper).
- 📊 Analyze the handshake in Wireshark for errors.
Alternative methods: Wireshark and Hashcat
If Aircrack-ng If it didn't work, you can try other tools. For example, Wireshark allows you to manually analyze the handshake, and Hashcat — speed up password guessing using GPU.
Method 1: Wireshark Analysis
- Open the file
capture.capV Wireshark. - Enter in the filter
wlan.addr == [BSSID] && eapol. - Find packages with type
EAPOL(there should be 4 of them). - Export them to a separate file via
File → Export Specified Packets.
Method 2: Using Hashcat
Hashcat works faster Aircrack-ng, since it uses the video card. First, convert .cap in format .hccapx:
sudo aircrack-ng capture.cap -J output
sudo hcxpcapngtool -o hash.hc22000 capture.cap
Then start the selection:
hashcat -m 22000 hash.hc22000 [dictionary_path]
To speed things up, you can use mutation rules (flag -r) or masks (flag -a 3). For example, if you know that the password consists of 8 digits:
hashcat -m 22000 -a 3 hash.hc22000 ?d?d?d?d?d?d?d?d
How to protect your network from handshake hijacking
If you've read this article to the end, you already understand how vulnerable networks with weak passwords are. Here are some ways to strengthen your security:
- 🔐 Complex password: Use a combination of 12+ characters with uppercase letters, numbers, and special characters. Example:
kL9#pQ2!xY7$mN1. - 🔄 Changing your password regularly: Change it every 3-6 months.
- 📛 Hiding the SSID: Disable network name broadcasting in your router settings (this won't protect you from professionals, but it will reduce the number of random attacks).
- 🛡️ WPA3: If your router supports
WPA3, enable it - this protocol is resistant to offline handshake attacks. - 🚫 MAC address filtering: Allow only known devices to connect (not a panacea, but an additional barrier).
It's also worth turning off WPS (Wi-Fi Protected Setup) - this protocol has critical vulnerabilities and allows a network to be hacked in a few hours even without a handshake.
⚠️ Attention: Some routers use simple passwords by default likeadminor12345678Check your device settings - they are often available at192.168.1.1or192.168.0.1(logins/passwords are indicated on the router sticker).
FAQ: Frequently Asked Questions about Handshake Interpretation
❓ Is it possible to decrypt a handshake without Kali Linux?
Yes, but it's more complicated. You'll need to install Aircrack-ng and drivers for monitor mode Manually on another OS (for example, Ubuntu). Kali Linux already contains all the necessary tools out of the box, making it the most convenient option.
❓ How long does it take to crack a password?
Depends on the complexity of the password and the power of the computer. A simple password (for example, qwerty123) can be picked up in a few seconds. Complex (for example, 7h!5P@ssw0rdI$Str0ng) - years or never at all.
❓ Is it legal to test other people's networks?
No. In most countries, intercepting traffic and hacking into other people's networks is considered a crime. You are only allowed to test your own networks or networks for which you have written permission from the owner.
❓ Is it possible to hack a network without a handshake?
Theoretically yes, but this requires exploitation of other vulnerabilities (for example, in WPS or legacy protocols like WEP). Modern networks with WPA2/WPA3 It's almost impossible to hack without a handshake.
❓ Why can't I intercept a handshake?
There may be several reasons:
- The adapter does not support
monitor modeorpacket injection. - The network uses
802.11w(Protected Management Frames), which makes deauthentication more difficult. - There are no active clients in the network initiating handshake.
- You are too far from the router (the signal is weak).