The question is how to hack someone else's Wi-Fi by using Kali Linux, regularly appears in search engines. But behind this formulation lie two fundamentally different goals: illegal penetration into other people's networks (which is punishable under Article 272 of the Criminal Code of the Russian Federation) and legal security testing of one's own infrastructureThis article is dedicated exclusively to the second option - we will analyze how Kali Linux helps identify vulnerabilities in yours Wi-Fi networks so you can take them down before they can be used by hackers.
It is important to understand: Kali Linux - this is a professional tool for ethical hackers and cybersecurity specialists. Its capabilities (such as aircrack-ng, Wireshark or Reaver) are designed to audit networks with the owner's permission. If you plan to use this knowledge to hack other people's access points— This is a crime and we strongly condemn such actions.In the article, all examples are given for working with your own network or networks for which you have written consent to test.
What you will learn from this article:
- 🔍 How do common Wi-Fi vulnerabilities (WPA2, WPS, PMKID) work?
- 🛠️ A step-by-step process for testing your network security with Kali Linux
- ⚠️ Legal risks and ethical standards when working with wireless networks
- 🔒 How to strengthen your Wi-Fi network after identifying vulnerabilities
1. How Wi-Fi security works: weaknesses of WPA2 and WPA3 protocols
Before we talk about testing, we need to understand What exactly are we testing?Modern Wi-Fi networks are protected by protocols WPA2 (the most common) and WPA3 (new standard). Both have vulnerabilities, but the attacks against them are fundamentally different.
WPA2 uses a mechanism 4-way handshake (four-way handshake) for device authentication. When a client connects to an access point, packets are exchanged that contain an encrypted key. If an attacker intercepts this exchange (handshake), he can try to guess the password offline using a dictionary. This is the most popular attack implemented through aircrack-ng.
WPA3 was supposed to fix this problem, but vulnerabilities were discovered in 2019 Dragonblood, allowing you to lower your protection to the level WPA2. In addition, many routers still support outdated WPS (Wi-Fi Protected Setup) is a protocol with critical vulnerabilities that can be hacked in a few hours even on weak hardware.
| Protocol | Main vulnerability | Difficulty of attack | Time to hack (note) |
|---|---|---|---|
| WPA2 (AES) | Handshake interception + brute force | Average | From hours to weeks (depending on the password) |
| WPA2 (TKIP) | Outdated encryption algorithm | Low | Minutes (with a vulnerable router) |
| WPS | The 8-digit PIN is vulnerable to brute force. | Low | 2–10 hours |
| WPA3 | Dragonblood (downgrade to WPA2) | High | Depends on implementation |
⚠️ Attention: If your router supports WPS, disable this feature in the settings (Admin Panel → Wireless → WPS). Even if you don't actively use it, attackers can exploit the vulnerability to gain network access.
2. Preparing Kali Linux: What You Need for Testing
To start testing, you will need:
- 💻 Laptop or PC with Kali Linux (you can use a Live USB or a virtual machine)
- 📡 Wi-Fi adapter with support monitor mode (recommended models: Alfa AWUS036ACH, TP-Link TL-WN722N v1)
- 🔋 Power supply (testing may drain the battery in 1-2 hours)
- 📝 Permission to test the network (if it's not your network)
If you are using a virtual machine (eg. VirtualBox or VMware), make sure the Wi-Fi adapter is connected directly to the guest OS. To do this:
- Open the virtual machine settings.
- Go to the section
USB. - Add a filter to your adapter.
- Launch Kali Linux and check if the adapter is detected by the command:
iwconfig
If the adapter doesn't support monitor mode, you'll see an error when you try to enable it. In this case, you'll need to purchase a compatible device—most built-in Wi-Fi modules in laptops aren't suitable for this type of use.
Installed Kali Linux (Live USB or VM)|Checked Wi-Fi adapter compatibility|Disabled WPS on the router|Obtained permission to test (if not my network)|Created a backup of the router settings-->
3. Handshake Hijacking: How the WPA2 Attack Works
The most famous attack on WPA2 - this is an interception handshake (handshake) followed by password guessing. It only works if:
- 🔑 There is at least one connected device on the network (for example, your smartphone).
- 📶 You are within the network coverage area (the signal must be stable).
- ⏳ You have time to brute force (from a few minutes to weeks).
The interception process consists of several stages:
- Enabling monitor mode on the Wi-Fi adapter:
sudo airmon-ng start wlan0(Where
wlan0— the name of your adapter, check it with the commandip a) - Scanning the airwaves to search for the target network:
sudo airodump-ng wlan0mon(remember
BSSIDand the channelCHyour network) - Targeted interception handshake for a specific network:
sudo airodump-ng -c [channel] --bssid [BSSID] -w capture wlan0mon - Forced client shutdown (to initiate a new handshake):
sudo aireplay-ng --deauth 10 -a [BSSID] -c [Client-MAC] wlan0mon
After successful interception, a file will appear in the folder capture-01.capIt can be opened in Wireshark or use for brute force using aircrack-ng:
aircrack-ng -w [dictionary_path] capture-01.cap
⚠️ Attention: Deauthentication attack (aireplay-ng --deauth) may interrupt the operation of devices on the network. Do not perform this on production or critical networks without prior warning to users.
What is a brute force dictionary?
A dictionary is a text file (.txt) containing possible passwords (one per line). Effective dictionaries include:
- Popular passwords (qwerty, 12345678, admin)
- Combinations based on network owner data (names, dates of birth, phone numbers)
- Specialized kits (for example, rockyou.txt from Kali Linux)
The larger the dictionary, the higher the chances of success, but the longer the selection will take.
4. Attacks on WPS: Why this protocol is dangerous
Wi-Fi Protected Setup (WPS) was intended to simplify connecting devices to the network without entering long passwords. Instead, it used an 8-digit PIN code that could be entered on the router or device. However, this mechanism proved catastrophically insecure:
- 🔢 The PIN code consists of 8 digits, but the last digit is a checksum, which reduces the space for brute-force attack to 107 combinations.
- ⏱️ Many routers do not block PIN entry attempts, allowing them to be tried at a rate of 1–2 per second.
- 🔓 The vulnerability allows the PIN to be split into two parts and attacked separately, speeding up the process by 2 times.
To attack WPS in Kali Linux the tool is used Reaver or its improved version Wash + ReaverThe process looks like this:
- Check if WPS is enabled on the target router:
sudo wash -i wlan0mon(we are looking for networks marked
WPS Locked: No) - Let's launch the attack:
sudo reaver -i wlan0mon -b [BSSID] -vv
On average, the search takes from 2 to 10 hours, but some routers (for example, older models) TP-Link or D-Link) are surrendered within 1-2 hours. A successful attack yields a PIN code, and then a Wi-Fi password.
5. PMKID Attack: Handshake Bypass in Modern Networks
In 2018, a new attack method was discovered WPA2, which does not require handshake interception. It exploits a protocol feature RSN (Robust Security Network), at which the access point can issue PMKID (Pairwise Master Key Identifier) even without a connected client.
The advantages of this method:
- 🕒 No need to wait for someone to connect to the network.
- 📡 Works even if there are no active devices on the network.
- 🔍 Less noise in the air (no deauthentication required).
The PMKID attack uses a tool hcxdumptool + hcxpcapngtoolStep by step process:
- Install dependencies:
sudo apt install hcxdumptool hcxtools - Let's start intercepting PMKID:
sudo hcxdumptool -o test.pcapng -i wlan0mon --enable_status=1(wait for the line to appear
FOUND PMKID) - Extracting PMKID from the dump:
hcxpcapngtool -o hash.txt test.pcapng - We select the password using
hashcat:hashcat -m 16800 hash.txt [dictionary_path]
This attack is considered one of the most effective to date, as it bypasses deauthentication protection and works even on networks with hidden SSID.
⚠️ Attention: Some modern routers (for example, ASUS RT-AX88U or Netgear Nighthawk) patch the PMKID vulnerability in new firmware. Before testing, update your router firmware to the latest version.
6. Protecting Your Network: How to Fix Vulnerabilities
If you've tested your network and found vulnerabilities, here's concrete steps to eliminate them:
| Vulnerability | How to fix | Example (for a router) TP-Link Archer C7) |
|---|---|---|
| Weak WPA2 password | Set a password of at least 12 characters long with letters, numbers, and special characters | Wireless → Wireless Security → Password |
| WPS enabled | Disable WPS in settings | Advanced → WPS → Disable WPS |
| Legacy protocol (TKIP) | Switch to AES or WPA3 | Wireless → Security → Version: WPA2/WPA3, Encryption: AES |
| PMKID vulnerability | Update your router's firmware | System Tools → Firmware Upgrade |
Additional security measures:
- 🔄 Update your router firmware regularly (once every 3-6 months).
- 📛 Disable remote administration (
Admin Panel → Remote Management → Disable). - 🔗 Use a guest network for IoT devices (smart bulbs, cameras).
- 🕵️ Enable logging of connection attempts and check the logs periodically.
7. Legal aspects: what the law says
In Russia and most countries of the world unauthorized access to computer information (including Wi-Fi networks) is classified as a crime:
- 📜 Article 272 of the Criminal Code of the Russian Federation — "Unauthorized access to computer information" (fine up to 200,000 rubles or imprisonment for up to 2 years).
- 📜 Article 273 of the Criminal Code of the Russian Federation — "Creation, use and distribution of malware" (if specialized hacking tools are used).
- 📜 Article 138 of the Criminal Code of the Russian Federation — "Violation of correspondence privacy" (if the hack is used to intercept traffic).
Legal uses Kali Linux:
- 🏠 Testing own networks.
- 💼 Professional security audit under contract with the company.
- 🎓 Training within the framework of certified courses (for example, Offensive Security Certified Professional, OSCP).
If you find a vulnerability in someone else's network (for example, your neighbor's), don't try to exploit itThe most you can do is:
- Report the problem to the network owner (anonymously if you are afraid of conflicts).
- If this is an organization's network, contact their security service.
⚠️ Attention: Even if you were "simply checking" someone else's network without malicious intent, actual access to it is already a violation of the law. Courts classify such actions based on the fact, not the intent.
FAQ: Frequently Asked Questions about Wi-Fi Testing
❓ Is it possible to hack Wi-Fi without Kali Linux?
Technically yes, there are mobile apps (for example, WIFI WPS WPA TESTER for Android) or online services, but:
- They only work against legacy protocols (WEP, WPS).
- Most of these tools contain malicious code.
- Less efficient than dedicated tools in Kali.
For serious testing Kali Linux remains the de facto standard.
❓ How long does it take to crack a password?
Time depends on:
- Password complexity:
qwerty123- seconds,Tr0ub4dour&3— years. - PC power: on the CPU (for example, Intel i5) — 100–1000 hashes/sec, on GPU (NVIDIA RTX 3080) — 100,000+ hashes/sec.
- Dictionary size:
rockyou.txt(14 million passwords) is checked in 1-2 days on an average PC.
To speed things up, distributed systems are used (for example, Hashcat with multiple GPUs) or cloud services (but this is expensive and illegal for other people's networks).
❓ Why can't I intercept a handshake?
Common causes:
- 📶 Weak signal - check the level with
airodump-ng --signal(must be ≥ -70 dBm). - 🔄 The router channel changes automatically (use
--channel-hopor fix the channel in the router settings). - 🔒 The router blocks deauthentication (some models) Ubiquiti or MikroTik have protection against such attacks).
- 🖥️ Your Wi-Fi adapter driver does not support packet injection (check compatibility on official aircrack-ng website).
❓ How can I protect myself from PMKID attacks?
The PMKID attack exploits a protocol feature WPA2, so it's impossible to get rid of it completely. But you can make it more difficult for an attacker:
- 🔄 Update your router firmware (manufacturers have released patches for many models).
- 🔒 Use WPA3 (if your devices support it).
- 📵 Disable the feature
802.11r(Fast Transition) in the router settings - it simplifies the interception of PMKID. - 🕶️ Turn on MAC filtering (although this is not a panacea, since MAC addresses are easy to forge).
❓ Is it legal to use Kali Linux in Russia?
By itself Kali Linux — it's a legal tool, like a screwdriver or a hammer. A crime becomes its application:
- ✅ Allowed: testing your network, learning, conducting audits with the owner's permission.
- ❌ Prohibited: hacking other people's networks, distributing obtained data, or using tools to cause harm.
There is no licensing in Russia for Kali Linux, but if you plan to do pentesting professionally, it is worth getting certifications (for example, OSCP or CEH), which will confirm your qualifications.