Restoring access to your own wireless network or conducting a security audit are tasks that any system administrator or advanced user will sooner or later face. When standard methods, such as accessing the router's sticker or logging into the web interface, are unavailable, command-line tools for Linux-based operating systems come to the rescue. Using the terminal provides direct access to the network adapter and allows for low-level traffic analysis.
However, it's important to immediately clarify the limits of what is permitted: hacking into someone else's network without the owner's written permission is illegal. Ethical hacking This involves using this knowledge exclusively to test the security of one's own perimeter or as part of a legal penetration test. In this article, we'll examine the technical side of the process using a popular snail kit. Aircrack-ng, which is the industry standard for testing wireless networks.
The process of obtaining an encryption key is based on intercepting a special service data packet known as a "handshake." This packet contains the password hash, which is then subjected to cryptanalysis. Understanding how this data exchange between the client and the access point occurs is the foundation for a successful audit.
⚠️ Warning: All actions described below should only be performed on networks you own or have explicit written permission to conduct penetration tests. Violating information security laws carries serious penalties.
Preparing the environment and necessary tools
To get started, you will need a computer with a Linux operating system installed, preferably a distribution Kali Linux or Parrot OS, as they already contain all the necessary utilities. A key requirement is an external USB Wi-Fi adapter that supports monitoring mode and packet injection. Modules built into laptops often lack the necessary functionality or have proprietary drivers.
Before running complex scripts, you need to ensure that your network interface is correctly detected by the system. To do this, use the command ip link or ifconfig, which will list all available network devices. A wireless adapter is typically labeled as wlan0, wlp2s0 or similar, while a wired connection will have the name eth0.
- 📡 USB Wi-Fi adapter with Atheros, Ralink, or Realtek chipset that supports monitor mode.
- 🐧 Linux distribution with pre-installed package Aircrack-ng.
- 🔋 An external power source or a fully charged battery is required, as the process can be energy intensive.
- 📱 A smartphone or laptop client for generating traffic (optional, but recommended).
Make sure you have root privileges, as managing network interfaces requires elevated privileges. All commands in the terminal must be run as root. root or with a prefix sudoFailure to obtain the necessary rights will result in an error accessing the device and the inability to switch the adapter's operating modes.
Activating monitor mode and scanning the airwaves
The first critical step is to switch your Wi-Fi adapter from the standard Managed mode to Monitor mode. In its normal state, the network card filters packets destined only for your MAC address, ignoring all other traffic. Monitor mode allows the card to capture all radio packets within range, whether they're addressed to you or not.
A utility is often used to perform this operation. airmon-ngBefore starting monitoring mode, it is recommended to close processes that may conflict with the network adapter, such as network managers or DHCP services. This can be done with the command airmon-ng check kill, which will automatically terminate interfering processes.
sudo airmon-ng start wlan0
After the command is successfully executed, the interface name will change, usually a suffix will be added to it mon, For example, wlan0monNow you can start scanning the surrounding space. Utility airodump-ng allows you to see all available access points, their channels, signal strength and, most importantly, the encryption type.
- 🔍 BSSID — the unique MAC address of the access point, which will be needed for targeting.
- 📶 PWR — signal level; the closer the value is to 0, the better the connection quality.
- 🔒 ENC — encryption type; we're interested in networks with WPA2 or WPA3.
- 📡 CH — the channel on which the network operates, important for fixing the adapter.
The scanner is launched by the command airodump-ng wlan0monIn the list that opens, find the target network and note its BSSID and channel number. Pay attention to the column #Data: If there are zeros, it means that there is no active data exchange on the network right now, and it will be impossible to intercept the handshake without connected clients.
⚠️ Note: Interfaces may change their names after rebooting or reconnecting. Always check the current interface name with the command
iwconfigbefore running capture utilities to avoid running the process on the wrong device.
WPA/WPA2 Handshake Capture
The most important part of the process is capturing the four-way handshake. The key exchange occurs when the client connects to the network, and if we manage to capture this packet, we have the necessary data for further work. Without this packet, all subsequent actions are pointless.
For capturing we use the same utility airodump-ng, but with specific parameters: channel, BSSID of the target network, and file name to save the result. The command will look like this:
sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon
In this example -c 6 fixes the channel, --bssid points to a specific router, and -w capture sets the prefix for the file being saved. After launching, the terminal will go into standby mode. You will see an indicator in the upper right corner of the screen. WPA handshake: [BSSID], as soon as someone connects to the network.
If no one is connecting to the network, a handshake may not be forthcoming. In such cases, security administrators use deauthentication. By sending a special deauthentication frame, you forcibly terminate the client's connection to the router, and the device automatically attempts to reconnect, generating the required handshake.
☑️ Packet Capture Checklist
Attack on the encryption key and brute force
After successfully receiving the handshake file (usually extension .cap or .pcap) the cryptanalysis phase begins. The password hash itself doesn't reveal the secret phrase, but it does allow guessed variants to be tested. This is done using a dictionary attack using the utility aircrack-ng.
The effectiveness of this method directly depends on the quality of the dictionary used. A dictionary is a text file containing millions of common passwords, word and number combinations. Popular dictionaries such as rockyou.txt, contain millions of password leaks and are often effective against weak user settings.
sudo aircrack-ng -w /path/to/dictionary.txt capture-01.cap
The brute-force attack can take anywhere from a few seconds to several days, depending on the password's complexity and your processor's power. If the password consists of simple words or short combinations, it will be found quickly. Complex passwords, containing a random set of characters, numbers and registers, are almost impossible to crack using this method in a reasonable time.
It's important to understand that modern encryption standards, such as WPA3, implement protection against such attacks, rendering an intercepted handshake useless for offline brute-force attacks. Therefore, this method is primarily relevant for networks using legacy protocols or improperly configured WPA2-Personal networks.
Why might brute force not work?
If the password isn't in a dictionary and is long, the success rate is close to zero. Modern GPUs can try millions of combinations per second, but they're powerless against the entropy of 12+ characters.
Attack Method Comparison: Effectiveness Table
There are several approaches to wireless network resilience testing, each with its own limitations and applications. The choice of method depends on the target network configuration, the presence of active clients, and the time you're willing to invest in the process.
Below is a comparison of the main methods used by security professionals. Understanding the differences will help you choose the right audit strategy.
| Method | Necessary condition | Password complexity | Probability of success |
|---|---|---|---|
| WPS Pixie Dust | Vulnerable router | Any | High (if vulnerable) |
| Dictionary Attack | Dictionary with password | Low/Medium | Depends on the dictionary |
| Brute-force | Powerful GPU/Time | Short (up to 8 characters) | Low for long |
| Evil Twin | User interaction | Any | High (social) |
As the table shows, the most vulnerable point is often not the mathematical strength of the encryption, but the human factor or outdated equipment. Protocol WPS (Wi-Fi Protected Setup) has long been a security scourge, allowing PIN recovery in a matter of hours, no matter how complex the main Wi-Fi password.
Modern routers often have protection against WPS attacks or lack this feature entirely. However, such devices are still found in corporate and older home networks. Always check for active WPS when conducting an audit, as this is the fastest way to gain access.
Network protection and hacking prevention
Knowing how easy it is to intercept a handshake and try to guess a password, it's essential to take steps to protect your infrastructure. The first and most important step is to stop using encryption protocols. WEP and outdated WPA/TKIPThe only relevant standard at the moment is WPA2-AES or new WPA3.
Password length and complexity play a crucial role. A password of 8 random characters can be cracked in a few days using modern equipment. Increasing the length to 12-15 characters using special characters makes brute-force attacks virtually impossible in the foreseeable future. Regularly changing passwords also reduces risks, although it does create inconvenience for users.
- 🛡️ Disable the WPS function in your router settings if you are not using it.
- 📉 Reduce the transmitter power so that the signal does not go beyond the controlled area.
- 👁️ Monitor connected devices through router logs or IDS systems.
- 🔄 Update your router firmware regularly to patch vulnerabilities.
Network segmentation is also recommended. The guest network should be isolated from the main network, where your personal devices and files are located. This will ensure that your primary data remains confidential even if the guest key is compromised.
⚠️ Please note: Router manufacturers regularly release security updates. If your device model no longer receives firmware updates from the vendor, consider replacing it, as it may contain unpatched vulnerabilities.
Frequently Asked Questions (FAQ)
Is it possible to find out a neighbor's Wi-Fi password from their phone?
Theoretically, it's possible if the phone is rooted (Android) or jailbroken (iOS) and supports monitor mode with an external adapter. However, in practice, mobile processors are too weak for effective brute-force attacks, and the lack of a user-friendly interface makes this method extremely inconvenient.
Will this method work against hidden networks (Hidden SSID)?
Yes, hiding the network name (SSID) is not an encryption method. When a legitimate client connects, the network name is transmitted in cleartext in control frames. Scripts like airodump-ng automatically display the network name as soon as it becomes active.
How long does it take to crack a password?
The time depends on the password's complexity and the hardware's performance. A simple dictionary password can be found in seconds, while a 10-character password can take years to crack. The key factor is whether the password is in the dictionary being used.
Is monitor mode dangerous for my computer?
No, monitor mode is a built-in feature of the network card. It doesn't damage the hardware or software. However, while in this mode, you temporarily lose the ability to connect to the internet through this adapter until you return it to managed mode.
What to do if you can't intercept a handshake?
Make sure you're close enough to the signal source. Check if there are active clients on the network. Try deauthentication. It's also possible that the network is using protection against such attacks or the WPA3 protocol.