Questions about how to gain unauthorized access to someone else's wireless network often arise in the context of checking one's own security or recovering a forgotten password. However, it's important to clarify the legal framework: unauthorized access to computer information and traffic interception are strictly prohibited by law in the Russian Federation and many other countries and are covered by criminal code articles. Therefore, in this article, we will not publish instructions on hacking other people's networks, but will focus on legal methods. security audit, which allow administrators and enthusiasts to test the security of their own perimeter.
operating system Linux is the de facto standard for information security professionals due to its flexibility, open source code, and powerful utilities for working with network interfaces. Distributions like Kali Linux or Parrot OS Contain a pre-installed set of tools necessary for pentesting. Understanding how these tools work is critical to building a robust defense, as only by understanding the attack methods can one effectively counter them.
The main purpose of this guide is educational: we will analyze the theoretical basis of protocol vulnerabilities WPA2 And WPA3We'll explore the process of putting a network card into monitoring mode and analyze the logic behind popular vulnerability scanners. This will allow you to assess the risks associated with weak passwords or outdated encryption algorithms and take steps to mitigate them in your home or office infrastructure.
β οΈ Warning: All actions described in this article should be performed exclusively on networks owned by you or as part of an officially approved security audit. Unauthorized access to other people's Wi-Fi networks is illegal.
Legal aspects and ethics of testing
Before delving into technical details, it's important to clearly understand legal liability. In Russia, actions aimed at violating the confidentiality of computer information or creating conditions for unauthorized access can be classified under Articles 272 and 273 of the Russian Criminal Code. Even the mere presence of specialized software on a computer isn't a crime, but using it on objects not owned or without the owner's written permission is.
Professional ethical hackers always work within the framework of a contract, which clearly defines the scope of work for testing. This document specifies the IP addresses, domain names, and time periods during which active work is permitted. Any deviation from these boundaries can lead to serious legal consequences and reputational risks for the specialist.
There's a common misconception that if a network isn't password-protected or uses a weak key, it's "public." Legally, this isn't true. The absence of a Wi-Fi password doesn't grant anyone the right to intercept user traffic or use the channel to distribute illegal content. The owner of an open access point is also responsible for any actions taken through their equipment, making security issues even more pressing.
β οΈ Please note: Cybersecurity legislation is constantly evolving. Before beginning any work, please check the current laws in your jurisdiction and obtain written consent from the infrastructure owner.
Necessary equipment and preparation of the environment
Standard built-in Wi-Fi modules in laptops are often insufficiently functional for effective wireless network analysis. Most built-in cards do not support the Monitor Mode (monitoring mode), which is necessary for monitoring all over-the-air traffic, not just that addressed to a specific device. Furthermore, packet injection support is required for robustness testing (deauthentication).
The optimal solution for beginners and professionals is to use external USB adapters based on chipsets from Atheros (for example, AR9271), Ralink (RT3070) or RealtekThese chipsets have excellent support in the Linux kernel and drivers, allowing you to switch the card to the required modes with a single command. When choosing hardware, it's also worth considering support for the 2.4 GHz and 5 GHz bands, as modern networks are increasingly migrating to the 5 GHz frequency.
It is recommended to use specialized distributions as a software platform. Kali Linux Provides the most comprehensive set of tools out of the box, including drivers for a wide range of hardware. Installation can be done using a virtual machine (VirtualBox, VMware), but using a Wi-Fi adapter requires redirecting a USB device to the guest OS, which can sometimes cause stability issues. A more reliable option is to run from a Live USB or install to a separate disk partition.
βοΈ Preparing for a security audit
Monitoring and injection mode in Linux
A key preparation step is putting the network interface into monitor mode. In normal mode (Managed Mode), the network card filters packets and processes only those destined for its MAC address. Monitor mode allows the card to become "invisible" to the network (it doesn't respond to association requests) and capture all radio signals within range on the selected frequency.
To manage the interface in Linux, the utility is traditionally used airmon-ng, included in the package aircrack-ng. Before starting monitoring, you must stop processes that may conflict with the network card, such as NetworkManager or wpa_supplicantThis can be done through the command airmon-ng check kill, which will automatically terminate interfering processes.
sudo airmon-ng start wlan0
After executing the command, the interface name usually changes, for example to wlan0mon. It is with this new interface name that further scanning tools will work. It is important to note that some modern drivers (especially for chips) Realtek) may require manual use of the utility iw to switch modes, as the old methods through airmon-ng may not work correctly.
What should I do if the monitoring mode does not turn on?
If the airmon-ng command returns an error, try manually disabling the interface (ip link set wlan0 down), then enabling monitor mode via iw (iw dev wlan0 set type monitor), and then re-enabling the interface. You may also need to disable the kernel module blocking the card.
Vulnerability analysis and network scanning
Once the monitoring mode is successfully activated, the reconnaissance phase begins. The main tool for this is airodump-ngIt displays a list of all available access points (APs), their channels, signal strengths (PWR), encryption types, and the number of connected clients. Analyzing this data allows you to identify potential targets for scanning: networks with a weak signal, outdated WEP/WPA encryption, or a large number of active clients.
The table below lists the main parameters to pay attention to when scanning:
| Parameter | Description | Security implications |
|---|---|---|
| ENC | Encryption type | WPA3 > WPA2 > WPA > WEP |
| PWR | Signal level | The lower the number (closer to 0), the better the signal. |
| #Data | Number of packages | The increase in numbers indicates network activity. |
| MB | Connection speed | Low speeds may indicate interference or range |
For deeper analysis and automation of vulnerability search, the tool is often used Wifite2This is a wrapper script that automates the processes of scanning, target selection, and launching attacks (for example, handshake brute-force or WPS attacks). While Wifite2 is convenient for quick testing, professionals prefer manual work with airodump-ng And aireplay-ng, since automation may behave unpredictably in difficult conditions of noisy airwaves.
Methods for testing the strength of passwords and WPS
One of the most common attack vectors is an attempt to recover a password using a captured handshake. When a client connects to an access point, a key exchange occurs. If an attacker records this exchange, they can attempt to brute-force the password offline using wordlists. Popular dictionaries such as rockyou.txt, contain millions of frequently used passwords.
Another vulnerability is technology WPS (Wi-Fi Protected Setup), designed to simplify device connections. The WPS PIN consists of 8 digits, but due to a design flaw in the protocol, it is verified in sections, making it possible to brute-force it in a few hours. reaver or bully In Linux, this vulnerability is effectively exploited if it is not blocked on the router.
To protect against such attacks, it's critical to use complex passwords containing mixed-case letters, numbers, and special characters, at least 12-15 characters long. It's also important to disable the WPS function in your router settings, as even changing the Wi-Fi password doesn't always completely disable WPS on some router models.
β οΈ Warning: Using brute-force password guessing tools creates a high network load and may be interpreted by the provider or owner as a DDoS attack or hacking attempt. Use only on your own equipment.
Protecting your wireless network from unauthorized access
Understanding attack methods allows us to formulate clear defense rules. The first step is to avoid using the protocol. WEP and mixed WPA/WPA2 modes. It is recommended to force the mode WPA2-AES or, if the equipment allows, WPA3TKIP encryption is considered obsolete and vulnerable.
The second important aspect is client isolation. Enabling the function AP Isolation (or Client Isolation) prevents devices within the network from communicating with each other. This is especially relevant for guest networks and public access points, where users shouldn't be able to scan their neighbors' Wi-Fi ports.
Regularly updating your router firmware is a must. Manufacturers often patch security holes related to remote code execution or buffer overflows through updates. Ignoring this rule leaves the network open to known exploits, which are easily found by automated scanners.
Frequently Asked Questions (FAQ)
Is it possible to hack Wi-Fi from an Android phone?
Technically, this is possible, but requires root access and a special external adapter that supports monitor mode (via OTG). Built-in Wi-Fi modules in smartphones rarely support the necessary packet injection features. Furthermore, mobile operating systems have strict security restrictions that make it difficult to run tools like aircrack-ng without extensive system modification.
Which adapter is best for Kali Linux?
Adapters based on the Atheros AR9271 (for 2.4 GHz) and Realtek RTL8812AU (for 5 GHz and AC support) chips are considered the gold standard. They have stable drivers in the Linux kernel and are guaranteed to support packet injection and monitor mode.
Is it safe to use public Wi-Fi networks?
Public networks are extremely dangerous because traffic is often unencrypted between the client and the access point, allowing attackers to intercept data. For security, always use a VPN connection, which will create a secure tunnel even on an unsecured network.
What is deauthentication and how to protect yourself from it?
Deauthentication is an attack method in which an attacker sends disconnect packets on behalf of the router to the client (or vice versa), breaking the connection. Defending against this is difficult, as the frame control protocol does not require encryption. Using WPA3, which has mechanisms to protect against such attacks, and monitoring the network for abnormal activity can help.