Wi-Fi Security Testing on Linux: Methods and Protection

Questions about how to access someone else's network often arise from users wanting to test the strength of their own security perimeter. It's important to set boundaries right away: unauthorized access to someone else's network is illegal and punishable by law. However, knowledge of attack methods is essential for system administrators and Linux enthusiasts to audit their own infrastructure. The Linux operating system provides powerful tools for radio channel analysis that exceed the standard capabilities of Windows or macOS.

The security testing process is based on handshake analysis and dictionary attacks, as well as on studying the vulnerabilities of the WPS protocol. Modern distributions, such as Kali Linux or Parrot OS, contain pre-installed packages for working with wireless interfaces. Understanding the operating principles of these tools allows you not only to identify vulnerabilities but also to properly configure your router's security, eliminating the possibility of easy intrusion from the outside.

In this article, we'll examine the technical aspects of working with wireless interfaces in monitoring mode. We won't advocate breaking the law, but will instead focus on educational aspects and protection methods. Ethical hacking This requires written permission from the network owner to conduct any test attacks. Without this permission, any actions to intercept traffic or infiltrate the network are considered a violation.

⚠️ Warning: All methods described below should only be used on your own networks or as part of a legal penetration test with the owner's written consent. Unauthorized access to computer information is prohibited by criminal law.

Preparation of equipment and interfaces

The foundation for any wireless network analysis is compatible hardware. Built-in Wi-Fi modules in laptops often don't support the required operating modes, particularly monitor mode and packet injection. For full functionality, an external USB adapter based on chipsets from Atheros, Ralink or RealtekThese chips have open documentation and are well supported by drivers in the Linux kernel.

After connecting the adapter, you need to put it into monitor mode. Unlike management mode, which is used for a regular connection to an access point, monitor mode allows the card to capture all packets passing through the air, regardless of whether they are addressed to your device or not. A utility is most often used to manage the interface. airmon-ng, included in the package Aircrack-ng.

The process of activating the monitoring mode requires stopping processes that may conflict with the network interface. System services such as NetworkManager or wpa_supplicant, often attempt to automatically manage the connection, which interferes with the operation of specialized scanners. Therefore, before starting work, it is necessary to run the command airmon-ng check kill, which will forcibly terminate interfering processes.

☑️ Preparing Linux for Wi-Fi Analysis

Completed: 0 / 4

WPA2 Handshake Analysis and Password Brute-Force

The most common method for testing password strength is an attack on the four-way handshake. When a client device (smartphone, laptop) connects to a secure WPA2 network, it exchanges encrypted data with the router. If an attacker intercepts this exchange, they will obtain a hash that can then be decrypted offline.

A tool is used for interception airodump-ngThe operator scans the airwaves, waiting for the target network to appear. Once the network is found, the program records the MAC addresses and channel. To speed up the handshake process, a deauthentication method is often used. A special packet aireplay-ng sends a disconnect command to the client device, causing it to automatically reconnect and generate a new handshake.

The resulting handshake file (.cap or .hccapx) is useless without a dictionary. A brute-force or dictionary attack involves trying millions of combinations. The speed of the attack depends on the hardware: modern GPUs can check hundreds of thousands of passwords per second. If the password is complex and long, containing special characters, this method may be ineffective.

What is deauthentication?

Deauthentication is an IEEE 802.11 control frame that forcibly terminates the connection between the client and the access point. In legitimate networks, it's used for load balancing, but in the hands of a tester, it becomes a tool for generating handshaking traffic.

Vulnerabilities of WPS technology

The WPS (Wi-Fi Protected Setup) protocol was created to simplify device connections by allowing an 8-digit PIN code to be entered instead of a complex password. However, the protocol's architecture contains a critical vulnerability: PIN verification occurs in two stages. First, the first half of the code (4 digits) is checked, then the second. This reduces the number of possible combinations from 100 million to approximately 11,000, making brute-force testing a trivial task.

Tool reaver or its more modern version bullseye Automate this process. The program connects to the access point and begins a sequential PIN search. If the router doesn't have brute-force protection (limiting the number of attempts) or lockout after several unsuccessful attempts, the password will be recovered in a few hours, or sometimes even minutes.

Modern routers often have WPS disabled by default or are equipped with security mechanisms such as a response delay or complete blocking of the function after several login attempts. However, on older equipment or devices with factory settings, this attack vector remains one of the simplest and most effective ways to compromise a network.

Parameter WPA2 Personal WPS (PIN) WPA3
Attack method Dictionary / Brute-force PIN brute force (2 stages) Dragonfly handshake
Difficulty of hacking High (depending on password) Low (without protection) Very high
Time required Hours / Years Minutes / Hours Almost impossible
Recommendation Long password Disable WPS Use WPA3

Rainbow table attacks

Rainbow Tables are pre-computed hash tables that significantly speed up password recovery. Instead of calculating a hash for each word in the dictionary in real time, the system simply searches for a match in a pre-built database. This requires a huge amount of disk space (hundreds of gigabytes or terabytes), but saves processor time.

In the context of Wi-Fi attacks, rainbow tables are used less frequently than brute-force attacks due to the specific nature of the salt used in WPA2. The salt in this case is the network's SSID. Since the SSID can be anything, it is impossible to pre-compute a table for all possible network names. However, if the network has a standard name (e.g., TP-LINK_1234 or Beeline_XXXX), the use of precomputed tables becomes efficient.

There are projects such as Pyrit, which optimize the process of creating and using such tables by distributing calculations across multiple CPUs. This allows for the creation of specialized databases for popular providers or standard router configurations whose (factory) SSIDs are known in advance.

Methods for protecting your home network

Understanding attack methods allows you to formulate clear defense rules. The first and most important step is to disable WPS. This feature creates more problems than it's worth. In your router settings, find the WPS section and set the switch to "Off." Disable or OffThis will close the easiest door for entry.

The second level of protection is the use of an encryption protocol WPA3, if your hardware supports it. WPA3 uses the SAE (Simultaneous Authentication of Equals) protocol, which makes it impossible to intercept a handshake for subsequent offline brute-force attacks. Even if an attacker intercepts packets, they won't be able to launch a dictionary attack, since each communication session uses unique parameters independent of the password.

The third aspect is password complexity. Passwords should be longer than 12 characters and contain mixed-case letters, numbers, and special characters. Using simple words, birthdays, or keyboard sequences makes the network vulnerable to dictionary attacks. Regularly changing your password is also a good practice, although with WPA3 and a complex password, this is less necessary.

⚠️ Important: Updating your router's firmware is a critical security step. Manufacturers regularly patch software vulnerabilities. Check the latest firmware version in your manufacturer's account or through the official support source for your model.

Additional security measures and filtering

In addition to encryption, there are additional access control measures. MAC address filtering allows connections only to trusted devices. However, this method is not foolproof, as MAC addresses can be easily spoofed if an attacker is already on the network or has intercepted traffic. Nevertheless, it does create an additional barrier to unauthorized access.

Hiding the SSID (network name) is also often considered a security measure. The router stops broadcasting the network name in broadcast packets, making it invisible to regular users. However, for a professional scanner, this isn't a problem: the network name is easily deciphered from the service packets the device is forced to transmit when connecting. Hiding the SSID only complicates life for legitimate users, but doesn't deter hackers.

The most effective strategy is a comprehensive approach: using WPA3, disabling WPS, regularly updating the firmware, and setting a strong password. Combining these measures makes hacking the network economically and temporarily unfeasible for an attacker, forcing them to look for easier prey.

Frequently Asked Questions (FAQ)

Is it possible to hack Wi-Fi from an Android phone?

Theoretically possible, but extremely difficult in practice. It requires root access, a special Wi-Fi module with monitor mode support (usually an external USB), and terminal emulation. Standard apps from the Play Market that promise a "one-click hack" are scams and don't work.

How long does it take to crack an 8-character password?

The time depends on the complexity of the characters. If the password consists only of numbers, it will take seconds. If it's a mix of letters and numbers, it could take several hours on modern equipment. If special characters and case-sensitive characters are included, the time could stretch to weeks or months.

Will WPA3 completely replace WPA2?

In the long term, yes, but the transition will take years. Older devices (IoT gadgets, older smartphones) may not support WPA3. Therefore, routers often operate in mixed mode, which theoretically leaves loopholes, but for home use, the security level of WPA3-WPA2 Transitional is quite high.

Is monitor mode dangerous for my Wi-Fi adapter?

No, monitor mode is a default driver feature. However, continuous operation in this mode may cause the adapter to overheat or driver instability, requiring a kernel module reboot. To permanently use the adapter as the primary access point, you must return it to managed mode.