Restoring access to your own wireless network or conducting a security audit are tasks that many system administrators and Linux enthusiasts face. Operating system Ubuntu provides powerful tools for traffic analysis and testing the security of encryption protocols. Understanding the principles of hacking algorithms allows you not only to regain access to a forgotten key but, more importantly, to assess the actual vulnerability of your home or corporate infrastructure.
The process of "hacking" in this context is a complex technical process of intercepting the handshake between the client and the access point and then selecting the hash. Kali Linux While Ubuntu is often considered the standard, a standard Ubuntu installation with installed repositories offers no less capabilities for professional work. It's important to understand that all actions must be performed exclusively on networks you own or have written permission to perform the work.
The key to success in security testing is a proper understanding of wireless network architecture. IEEE 802.11WEP protocols are long gone, and modern WPA2 and WPA3 standards rely on complex mathematical calculations. However, the human factor, manifested in the creation of weak passwords, remains the weakest link. The methods described below, based on data packet analysis, are aimed at checking password strength.
Preparing the environment and installing the necessary software
Before taking any active steps, you need to prepare the software environment. The standard set of utilities in Ubuntu doesn't include all the necessary components for in-depth analysis, so you'll need to install a specialized package. aircrack-ngThis toolkit is the de facto industry standard for wireless network auditing and includes drivers, sniffers, and decryption software.
Open a terminal and run the command to update the package lists, then install the core tools. For some features to work correctly, you may also need to install wireless packages, such as iw And wireless-toolsMake sure your network adapter supports monitor mode, as without this feature, intercepting other people's packets is impossible.
⚠️ Warning: Installing and using these tools on other people's networks without the owner's permission is illegal. Use this information only for legal security testing of your own devices.
After installing the main package, it's recommended to check the version and command availability. Some Ubuntu distributions may require additional drivers for your specific Wi-Fi adapter model, especially for external USB devices. It's best to search for drivers on the manufacturer's website or in specialized repositories, such as GitHub, where the community posts patches. RTL8812AU or other popular chipsets.
☑️ Preparing Ubuntu for Audit
Setting up a wireless adapter in monitor mode
A key step in traffic analysis is putting the network card into monitor mode. In normal operation, the adapter ignores all packets not addressed to it, making it impossible to eavesdrop on the broadcast. Monitor mode allows the card to capture all signals passing through the air, regardless of their destination, which is critical for collecting handshake data.
To get started, you need to identify the name of your interface. In modern versions of Ubuntu, names may differ from what you're used to. wlan0 and look like wlp2s0 or similar combinations. Use the command ip link or iwconfig to get the exact name of the device that will be used in further commands.
Switching the mode requires stopping interfering processes. In Ubuntu, background services like NetworkManager often attempt to automatically manage the connection, which can disrupt interface settings. Therefore, the first step should always be to forcefully terminate these processes to regain full control of the device.
- 📡 Run the command
sudo airmon-ng check killto stop conflicting processes. - 🔄 Activate monitor mode with the command
sudo airmon-ng start [interface_name]. - ✅ Make sure that a new interface has appeared, usually with a suffix
mon, For example,wlan0mon.
After successfully switching to monitor mode, the interface may change its name. All subsequent commands must be addressed specifically to the new virtual interface. If errors occur during the process, try manually disabling the interface with the command ip link set [interface] down, change mode through iw and turn it on again.
What to do if the monitor mode does not turn on?
If the command doesn't work, your driver may not support monitor mode or be blocked by a kernel module. Try removing the module with rmmod and reloading it, or use an external card with an Atheros or Ralink chip, which are known for their better Linux compatibility.
Scanning the airwaves and searching for the target network
After setting up the equipment, it is necessary to detect the target network among the many surrounding signals. Tool airodump-ng Allows you to visualize the airwaves in real time, displaying the SSID, signal strength, channel used, and encryption type. Selecting the correct target is the key to successful subsequent operations.
When you start the scan, you'll see a list of all available access points. We're interested in networks with the following encryption type: WPA or WPA2, as these are the most common. Pay attention to the PWR (signal strength) column: the closer the value is to 0 (or a smaller negative number, for example, -40 is better than -90), the more stable the connection will be and the higher the chance of successfully intercepting packets.
Launching a scan on a specific channel allows you to focus on the desired frequency range without constantly switching. This is especially important in apartment buildings, where the airwaves are oversaturated with neighboring signals. Channel locking also speeds up the data collection process.
sudo airodump-ng --bssid [target_MAC_address] --channel [channel_number] -w [file_name] [monitor_interface]
In this command the parameter --bssid filters the output, leaving only packets from the desired access point. Option -w Specifies a prefix for the saved files where all intercepted traffic will be recorded. These files will subsequently become the source of data for analysis.
| Parameter | Description | Example of meaning |
|---|---|---|
| --bssid | MAC address of the target access point | AA:BB:CC:11:22:33 |
| --channel | Broadcast channel number | 6 |
| -w | File name for saving logs | home_wifi |
| interface | Interface name in monitor mode | wlan0mon |
Intercepting a handshake
The most crucial moment in the entire process is capturing the four-way handshake. This is the moment when the client device (laptop, smartphone) authenticates to the access point. It is during this short period of time that the hashes required for subsequent password verification are broadcast. Without this packet, further brute-force attacks are impossible.
In the running window airodump-ng The handshake status is displayed in the upper right corner. Until the text appears there WPA handshake: [MAC address], the process cannot be considered complete. The problem is that devices may not connect to the network for hours even if they were previously connected and are simply within range.
To speed up the process, we use a deauthentication method. We send a special control frame to the client device, forcibly breaking its connection to the router. The device, attempting to re-establish the connection, automatically initiates the reconnection process, generating the required handshake.
To implement this attack, a utility is used aireplay-ngYou need to open a new terminal (without closing the scan window) and execute the command, specifying the victim's MAC address and access point. The attack can be performed once or repeatedly.
sudo aireplay-ng --deauth 10 -a [router_MAC] -c [client_MAC] [monitor_interface]
Parameter --deauth 10 This means sending 10 deauthentication packets. This is usually enough to disrupt the connection of any active device. If there are no active clients on the network, intercepting the handshake won't work, as there's no one generating it. In such cases, you have to wait for a user to connect naturally.
⚠️ Warning: Deauthentication causes a brief connection interruption for network users. This may be noticed and raise suspicion, so use this method only when testing your own network.
Brute-force password analysis and selection
After successfully capturing the handshake, the cryptanalysis phase begins. We have a packet file containing the password hash. The task now is to find a string that, when hashed, will yield an identical result. For this, a combination of aircrack-ng and a dictionary of words.
A wordlist is a text file containing millions of common passwords. The principle is simple: the program takes a word from the list, applies a hashing algorithm, and compares the result with the intercepted hash. A match means the password has been found. The speed of the brute-force attack depends on the processor's power and the password's complexity.
Ubuntu may not have large dictionaries by default, but the basic one rockyou.txt These can often be found in packages or downloaded separately. There are also specialized dictionaries for specific regions or services. The smarter and more specific the dictionary, the higher the chances of success.
- 🔑 Run the command
aircrack-ng -w [dictionary_path] [handshake_file]. - ⏳ Wait for the process to complete; the time depends on the dictionary size and password length.
- 🎉 If successful, a line will appear in the terminal KEY FOUND! with the decrypted password.
If a standard dictionary doesn't work, you can use brute-force mode if the password format is known (e.g., 8 digits). However, this takes significantly longer and requires computing resources. GPU (video card) technologies are often used to speed up the process, but setting up such combinations in Ubuntu requires additional effort and installation of specific libraries, such as Hashcat.
Protecting and Improving WiFi Security
Understanding hacking methods dictates protection methods. If your password can be cracked using a dictionary search in five minutes, it's not strong enough. The main recommendation is to use long passwords (more than 12 characters) containing a random mix of letters, numbers, and special characters.
In addition to password complexity, the encryption protocol plays an important role. WPA3 Currently, it is the most secure standard, implementing protection against brute-force attacks at the protocol level (SAE – Simultaneous Authentication of Equals). If your equipment supports WPA3, it is highly recommended to upgrade to it.
It's also worth paying attention to the WPS (Wi-Fi Protected Setup) function. Despite the convenience of connecting using a PIN code, this protocol has critical vulnerabilities that allow the router password to be recovered within a few hours. WPS should be disabled in the router settings.
⚠️ Important: Update your router firmware regularly. Manufacturers often patch software vulnerabilities that can allow security to be bypassed without having to brute-force a password.
An additional security measure is MAC address filtering. While not foolproof (addresses are easily spoofed), it does create an additional barrier to unauthorized neighbors. Hiding the SSID (network name) is more effective, making the network invisible to regular users but not to professional traffic analyzers.
Is it possible to hack WiFi without a dictionary, only by brute force?
Theoretically, yes, this is called a brute-force attack. However, for an 8-character alphanumeric password, this would take years even on powerful hardware. A dictionary attack is effective because people are predictable in their password creation.
Does this method work on WPA3?
The described method of intercepting a handshake and a dictionary attack on WPA3 doesn't work in its classic form. The WPA3 protocol uses a SAE mechanism that prevents offline password guessing. Cracking WPA3 requires other, much more complex implementation vulnerabilities or social engineering.
Do you need an internet connection to crack a password?
No, the packet interception and handshake process occurs locally between your adapter and router. Internet access is only required when downloading dictionaries or drivers. The password cracking itself (unless you use cloud services) also occurs locally on your PC's processor.