Wi-Fi Security Audit in Ubuntu

Questions related to wireless network security testing often arise among system administrators and information security enthusiasts. Operating system Ubuntu It's one of the most popular Linux distributions for network interface auditing due to its flexibility and powerful tools. It's important to clarify: hacking into someone else's network without the owner's written permission is illegal and punishable by law.

Modern diagnostic methods allow us to identify weaknesses in router configurations and encryption protocols used. Ethical hacking The aim of this article is to find vulnerabilities before they are exploited. This article will cover the technical aspects of working with wireless interfaces, analyzing captured packets, and methods for testing password strength, for educational purposes only.

⚠️ Attention: All actions described in this article should only be performed on your own equipment or as part of an approved pentest audit. Unauthorized access to computer information is prohibited by Russian law (Article 272 of the Criminal Code) and international standards.

To get started, you need to prepare the software environment. The standard Ubuntu repositories contain most of the necessary utilities, but full functionality with Wi-Fi adapters often requires installing additional drivers. Particular attention should be paid to support for monitor mode, which allows the network card to receive all traffic over the air, not just traffic addressed to it.

Preparing equipment and drivers for audit

The foundation of any security audit is properly selected hardware. Built-in Wi-Fi modules in laptops often have limited functionality and don't support the necessary low-level commands. For professional work, external USB adapters based on chipsets are used. Atheros AR9271, Ralink RT3070 or Realtek RTL8812AUThese devices are capable of switching to monitor mode and performing packet injection.

After connecting the adapter, you need to make sure that the system has identified it correctly. Command lsusb will display a list of connected USB devices, where you can find the vendor and model of your adapter. If the device is displayed but doesn't work correctly, you may need to install proprietary drivers from repositories or source code. GitHub.

sudo apt update

sudo apt install linux-headers-$(uname -r) build-essential git

The key is switching the interface to monitoring mode. The standard "Managed" mode is designed for a regular connection to the access point, while "Monitor" allows you to listen to the broadcast. A utility is often used to manage the interface. airmon-ng, included in the package aircrack-ngIt automatically disables processes that may interfere with the network card, such as NetworkManager or wpa_supplicant.

☑️ Checking adapter readiness

Completed: 0 / 4

Not all adapters work equally well in a Linux environment. Some models require manual compilation of kernel modules, which can be challenging for beginners. Before beginning a thorough analysis, always check your hardware specifications for packet injection support.

Installing and configuring tools for traffic analysis

The Ubuntu operating system provides convenient tools for installing specialized software. The package aircrack-ngIt includes tools for sniffing, deauthentication, creating fake access points, and password checking. Installation is done through a standard package manager.

sudo apt install aircrack-ng wireshark tshark

In addition to the basic set, for deep traffic analysis, the following is often used: Wireshark with a console utility tsharkThese tools allow you to examine in detail the frame structure, packet headers, and the contents of transmitted data (if they are not encrypted). Utilities for working with WPA/WPA2 handshakes are also useful. hashcat or john (John the Ripper) for offline hash checking.

It's important to understand the difference between active and passive scanning. Passive scanning merely listens to the airwaves without revealing the scanner's presence, while active scanning involves sending control frames. Deauthentication is an active method of influence that forcibly breaks the connection of clients to the router, which is necessary to capture the handshake.

Setting up the environment also includes creating a working directory for storing logs. Captured data can take up significant disk space, especially during long-term channel monitoring. It is recommended to use external drives or network storage for archiving results.

Monitor mode and WPA handshake capture

Switching to monitoring mode is the first step to analyzing the broadcast. Using the command airmon-ng start wlan0 (where wlan0 is the name of your interface) a virtual interface is created, usually called wlan0monIn this state, the network card ceases to be a regular network client and becomes a passive observer, capable of seeing all packets within range.

The primary goal of attacks on WPA2-PSK-encrypted networks is to capture the four-way handshake. This process occurs when a client connects to an access point. To force a connection, it's often necessary to forcibly disconnect already connected devices by sending deauthentication frames to the broadcast address or the client's specific MAC address.

⚠️ Attention: Sending deauthentication frames disrupts network operation and may be considered a Denial of Service (DoS) attack. Only use this method on test equipment under your control.

A utility is used to capture data airodump-ngIt displays a list of available networks, signal strength, channel, and the presence of connected clients. The command is run by specifying the channel and the name of the monitoring interface. During operation, the utility saves all packets to a file, which is then analyzed.

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

In this command the parameter -c sets the channel, --bssid filters packets only from the target access point, and -w Specifies the filename prefix to save. After launching, you must wait for the handshake to appear. In the upper right corner of the interface airodump-ng The message "WPA handshake" will appear, indicating that the data has been successfully captured for further verification.

Why might a handshake not be captured?

The handshake only occurs upon connection. If there are no active clients on the network or they don't reconnect, the handshake won't occur. Sometimes waiting or using deauthentication methods to force a legitimate client to reconnect helps.

Analysis of vulnerabilities of encryption protocols

Wireless network security is directly dependent on the encryption protocol used. Historically, the standard has long been WEP (Wired Equivalent Privacy), which is currently considered completely broken and insecure. Its encryption algorithms allow the key to be recovered in minutes given enough packets.

Modern networks use the standard WPA2 and the newest WPA3WPA2 is based on the AES protocol, which is cryptographically secure. However, the vulnerability often lies not in the encryption algorithm itself, but in the weakness of the password used to generate the key. Brute-force attacks are aimed specifically at finding a password match, not at breaking the AES mathematics.

Protocol WPS (Wi-Fi Protected Setup), designed to simplify device connections, contains a critical design vulnerability. The WPS PIN consists of only 8 digits, with the last digit serving as a checksum. This reduces the number of possible combinations to 11,000, making it possible to brute-force them in a few hours even on a regular laptop. The utility Reaver or Bully are often used to check this parameter.

Protocol Encryption type Risk level Security status
WEP RC4 Critical Completely hacked
WPA (TKIP) TKIP High Not recommended
WPA2 (AES) AES-CCMP Average* Safe with a complex password
WPA3 SAE Short Current standard

When analyzing vulnerabilities, it's also important to consider the access point configuration. Disabling SSID broadcasting (hidden identifier) ​​is not a security measure, as the network name is easily read from management frames. MAC address filtering is also easily bypassed by spoofing the attacker's network card address.

Methods for checking password strength

After successfully capturing the handshake, the password verification phase begins. Since the password hash itself isn't transmitted over the network, only the resulting calculation, the verification occurs offline. This means the brute-force attack speed is limited only by the computing power of your hardware, not the network speed.

Wordlists are used for brute-force attacks—text files containing millions of frequently used passwords. The most well-known is the dictionary rockyou.txt, which is often included in pentesting distributions. If the password is a simple word or a common combination, it will be found instantly.

sudo aircrack-ng -w /path/to/wordlist.txt capture-01.cap

If simple dictionaries do not produce results, mask generation methods are used. Mask Describes the password structure, such as "8 digits" or "5 lowercase letters + 2 digits." This allows for brute-force attacks against all possible combinations of a given format. However, the time required for a full brute-force attack increases exponentially with the password's length and complexity.

📊 What Wi-Fi security method do you use at home?
WPA2 + complex password
WPA3
Hidden SSID
MAC address filtering
Default router password

Using graphics processing units (GPUs) significantly speeds up the matching process. Utilities like Hashcat Optimized for graphics cards and capable of checking millions of hashes per second, long and complex passwords containing special characters remain the only reliable defense against brute-force attacks.

Protecting your home network from unauthorized access

Understanding attack methods allows you to formulate effective defenses. The first and most important step is to stop using WEP and WPS. These features should be disabled in your router settings, even if your ISP or manufacturer claims they are secure.

Using the standard WPA3 is the best solution currently, as it protects against brute-force attacks even when using relatively simple passwords thanks to the SAE (Simultaneous Authentication of Equals) mechanism. If your hardware doesn't support WPA3, use WPA2-AES with a long password (more than 12 characters) containing mixed-case letters, numbers, and symbols.

⚠️ Attention: Update your router firmware regularly. Manufacturers often patch software vulnerabilities that could allow remote code execution or authentication bypass.

Network segmentation is an additional security measure. A guest network allows you to isolate visitor devices from your main local network, which may contain computers with sensitive data or network-attached storage (NAS). This limits the potential damage if one device is compromised.

Frequently Asked Questions (FAQ)

Is it possible to hack Wi-Fi from an Android phone?

Theoretically, it's possible if the phone is rooted and has a chipset that supports monitoring mode. However, in practice, this is extremely difficult to implement due to limitations in mobile device drivers. For a serious audit, it's always recommended to use a Linux PC with an external adapter.

How long does it take to crack a Wi-Fi password?

The time depends on the password's complexity and the hardware's performance. A simple six-digit password can be cracked in seconds. A 10-character random password can take years to crack, even on powerful graphics cards. The dictionary method takes seconds to minutes if the password is in the database.

Will hiding SSID replace network security?

No. Hiding the network name (SSID) does not encrypt data or prevent connections. The network name is easily detected by any traffic sniffers, as it is transmitted in clear management frames. This is a "security through obscurity" measure, not a true defense.

Which adapter is better for Kali Linux or Ubuntu?

Adapters based on the Atheros AR9271 (for 2.4 GHz) and Realtek RTL8812AU (for 5 GHz) chips are considered the most stable. They feature open-source drivers in the Linux kernel or easily installed modules, and fully support packet injection.