To hack a Wi-Fi network, you need your wireless card to support monitor mode and packet injection. Not all wireless cards can do this, but you can quickly test one you already own for compatibility, and you can verify that the chipset inside an adapter you're thinking of purchasing will work for Wi-Fi hacking.
Wireless cards supporting monitor mode and packet injection enable an ethical hacker to listen in on other Wi-Fi conversations and even inject malicious packets into a network. The wireless cards in most laptops aren't very good at doing anything other than what's required to establish a basic Wi-Fi connection.
While some internal cards may offer some support for monitor mode, it's more common to find that your card isn't supported for tools included in Kali Linux. I found the card in a Lenovo laptop I use to support both, so sometimes it's possible to save by using your internal laptop card for practice when appropriate. If the internal one doesn't support the modes, an external one will be needed.
External network adapters average between $15 and $40 per card. While this may not seem like much, making a mistake in purchasing a network adapter can add up quickly and be discouraging when first learning about Wi-Fi security.
These devices may seem a little complicated at first, but they're pretty simple. Each wireless network adapter has a chip inside of it that contains its own CPU. This chip, along with the other circuitry in the adapter, translates signals from your computer into radio pulses called "packets," which transfer information between devices. Choosing a Wi-Fi adapter requires you to know about a few things, such as the chipset inside, the antenna in use, and the types of Wi-Fi that the card support.
If you haven't yet purchased the wireless network card you're considering, there are several ways you can check to see if it supports monitor mode and packet injection before committing to a purchase. Before we dive into those, however, you need to know the difference between manufacturers, so there's no confusion.
The seller is, you guess it, the manufacturer selling the network adapter. Examples include TP-link, Panda Wireless, or Alfa. These manufacturers are responsible for the physical layout and design of the adapter but do not produce the actual CPU that goes inside the adapter.
The second manufacturer is the one that makes the chip that powers the adapter. The chip is what controls the behavior of the card, which is why it's much more important to determine the chipset manufacturer than the adapter manufacturer. For example, Panda Wireless cards frequently use Ralink chipsets, which is the more critical piece of information to have.
Certain chipsets are known to work without much or any configuration needed for getting started, meaning that you can expect an adapter containing a particular supported chipset to be an easy choice.
A good place to start when looking up the chipset of a wireless network adapter you're considering buying is Aircrack-ng's compatibility pages. The older "deprecated" version still contains a lot of useful information about the chipsets that will work with Aircrack-ng and other Wi-Fi hacking tools.
The newer version of the Aircrack-ng guide is also useful for explaining the way to check newer cards for compatibility, although it lacks an easy-to-understand table for compatibility the way the deprecated page does.
Aside from Aircrack-ng's website, you can often look up card details on a resource like the WikiDevi database, which allows you to look up details on most wireless network adapters. Another resource is the list of officially supported Linux drivers, which includes a handy table showing which models support monitor mode.
Atheros chipsets are especially popular, so if you suspect your device contains an Atheros chipset, you can check an Atheros-only guide.
Having a hard time finding the chipset of a card you're looking for? You can find a picture of the FCC ID number on the sticker of the device. The number can be input into websites like FCCID.io which include internal photos of the chipsets in use.
Once you've determined the chipset of the device you're considering, you should be able to predict its behavior. If the chipset of the wireless network adapter you're considering is listed as supporting monitor mode, you should be good to go.
To make things easy on you, the following chipsets are known to support monitor mode and packet injection per our testing:
- Atheros AR9271: The Alfa AWUS036NHA is my favorite long-range network adapter and the standard by which I judge other long-range adapters. It's stable, fast, and a well-supported b/g/n wireless network adapter. There's also the TP-Link TL-WN722N, a favorite for newbies and experienced hackers alike. It's a compact b/g/n adapter that has one of the cheapest prices but boasts surprisingly impressive performance. That being said, only v1 will work with Kali Linux since v2 uses a different chipset.
- Ralink RT3070: This chipset resides inside a number of popular wireless network adapters. Of those, the Alfa AWUS036NH is a b/g/n adapter with an absurd amount of range. It can be amplified by the omnidirectional antenna and can be paired with a Yagi or Paddle antenna to create a directional array. For a more discreet wireless adapter that can be plugged in via USB, the Alfa AWUS036NEH is a powerful b/g/n adapter that's slim and doesn't require a USB cable to use. It has the added advantage of retaining its swappable antenna. If you need a stealthier option that doesn't look like it could hack anything, you might consider the g/n Panda PAU05. While small, it's a low profile adapter with a strong performance in the short and medium range, a reduced range for when you want to gather network data without including everything within several blocks.
- Ralink RT3572: While the previous adapters have been 2.4 GHz only, the Alfa AWUS051NH v2 is a dual-band adapter that is also compatible with 5 GHz networks. While slightly pricier, the dual-band capacity and compatibility with 802.11n draft 3.0 and 802.11a/b/g wireless standards make this a more advanced option.
- Realtek 8187L (Wireless G adapters): The Alfa AWUS036H USB 2.4 GHz adapters use this older chipset that is less useful and will not pick up as many networks. These cards still will work against some networks, thus are great for beginners, as there are a ton around for cheap.
- Realtek RTL8812AU: Supported in 2017, the Alfa AWUS036ACH is a beast, with dual antennas and 802.11ac and a, b, g, n compatibility with 300 Mbps at 2.4 GHz and 867 Mbps at 5 GHz. It's one of the newest offerings that are compatible with Kali, so if you're looking for the fastest and longest range, this would be an adapter to consider. To use it, you may need to first run "apt update" followed by "apt install realtek-rtl88xxau-dkms" which will install the needed drivers to enable packet injection.
Aircrack-ng also lists a few cards as best in class on its site, so if you're interested in more suggestions, check it out (some of the ones listed above are also on its list). Also, check out our head-to-head test of wireless network adapters compatible with Kali Linux.
Aside from the chipset, another consideration is the frequency on which the adapter operates. While most Wi-Fi devices, including IoT devices, operate on the older 2.4 GHz band, many newer devices also offer 5 GHz networks. These networks are generally faster and can transfer more data, but are also usually paired with a 2.4 GHz network. The question when purchasing then becomes, is it worth it to invest the extra money in a 2.4/5 GHz antenna that can detect (and attack) both?
In many cases, unless the point of your attack is to probe all of the available networks in an area, a 2.4 GHz card will be fine. If 5 GHz is important to you, there are many 5 GHz Wi-Fi cards that support monitor mode and packet injection, an example being the Panda Wireless Pau09.
Another important factor is determining whether you need to mount a specialized antenna. While most omnidirectional antennas will be fine for a beginner, you may want to switch to an antenna with a directional pattern to focus on a particular network or area rather than everything in a circle around you. If this is the case, look for adapters with antennas that can be removed and swapped with a different type.
If you already have a wireless network adapter, you can check pretty easily if the chipset inside supports monitor mode and packet injection. To start, plug in the network adapter and then open a terminal window. You should be able to determine the chipset of the network adapter by simply typing lsusb -vv into the terminal window and looking for an output similar to below.
lsusb -vv Bus 001 Device 002: ID 148f:5372 Ralink Technology, Corp. RT5372 Wireless Adapter Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x148f Ralink Technology, Corp. idProduct 0x5372 RT5372 Wireless Adapter bcdDevice 1.01 iManufacturer 1 Ralink iProduct 2 802.11 n WLAN iSerial 3 (error) bNumConfigurations 1
In my example, I'm looking at a Panda Wireless PAU06 network adapter, which reports having an RT5372 chipset from Ralink, which is listed as supported! Once you know the chipset of your card, you should have a rough idea of what it can do.
Now, let's move on to more active testing of the adapter's capabilities.
For this step, we'll break out Airmon-ng, but before that, you'll need to locate the name of the interface. On your system, run the command ifconfig (or ip a) to see a list of all devices connected. On Kali Linux, your card should be listed as something like wlan0 or wlan1.
ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255 inet6 fe80::a00:27ff:fe59:1b51 prefixlen 64 scopeid 0x20<link> ether 86:09:15:d2:9e:96 txqueuelen 1000 (Ethernet) RX packets 700 bytes 925050 (903.3 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 519 bytes 33297 (32.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 20 bytes 1116 (1.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 20 bytes 1116 (1.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether EE-A5-3C-37-34-4A txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Once you have the name of the network interface, you can attempt to put it into monitor mode by typing airmon-ng start wlan0 (assuming your interface name is wlan0). If you see the output below, then your card appears to support wireless monitor mode.
airmon-ng start wlan0 Found 3 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to run 'airmon-ng check kill' PID Name 428 NetworkManager 522 dhclient 718 wpa_supplicant PHY Interface Driver Chipset phy1 wlan0 rt2800usb Ralink Technology, Corp. RT5372 (mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon) (mac80211 station mode vif disabled for [phy1]wlan0)
You can confirm the results by typing iwconfig, and you should see the name of your card has changed to add a "mon" at the end of your card's name. It should also report "Mode:Monitor" if it has been successfully put into monitor mode.
iwconfig wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm Retry short long limit:2 RTS thr:off Fragment thr:off Power Management:off
Testing for packet injection is fairly straightforward to test thanks to tools included in Airplay-ng. After putting your card into monitor mode in the last step, you can run a test to see if the wireless network adapter is capable of injecting packets into nearby wireless networks.
Starting with your interface in monitor mode, make sure you are in proximity to a few Wi-Fi networks so that the adapter has a chance of succeeding. Then, in a terminal window, type aireplay-ng --test wlan0mon to start the packet injection test.
aireplay-ng --test wlan0mon 12:47:05 Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE) on channel 7 12:47:05 Trying broadcast probe requests... 12:47:06 Injection is working! 12:47:07 Found 1 AP 12:47:07 Trying directed probe requests... 12:47:07 AA:BB:CC:DD:EE - channel: 7 - 'Dobis' 12:47:08 Ping (min/avg/max): 0.891ms/15.899ms/32.832ms Power: -21.72 12:47:08 29/30: 96%
If you get a result like above, then congratulations, your network card is successfully injecting packets into nearby networks. If you get a result like the one below, then your card may not support packet injection.
aireplay-ng --test wlan0mon 21:47:18 Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE) on channel 6 21:47:18 Trying broadcast probe requests... 21:47:20 No Answer... 21:47:20 Found 1 AP 21:47:20 Trying directed probe requests... 21:47:20 74:85:2A:97:5B:08 - channel: 6 - 'Dobis' 21:47:26 0/30: 0%
Finally, we can put the above two steps into practice by attempting to capture a WPA handshake using Besside-ng, a versatile and extremely useful tool for WPA cracking, which also happens to be a great way of testing if your card is able to attack a WPA network.
- Don't Miss: Automating Wi-Fi Hacking with Besside-ng
To start, make sure you have a network nearby you have permission to attack. By default, Besside-ng will attack everything in range, and the attack is very noisy. Besside-ng is designed to scan for networks with a device connected, then attack the connection by injecting deauthentication packets, causing the device to momentarily disconnect. When it reconnects, a hacker can use the information exchanged by the devices to attempt to brute-force the password.
Type the besside-ng -R 'Target Network' wlan0mon command, with the -R field replaced with the name of your test network. It will begin attempting to grab a handshake from the victim network. For this to work, there must be a device connected to the Wi-Fi network you're attacking. If there isn't a device present, then there is no one to kick off the network so you can't try to capture the handshake.
besside-ng -R 'Target Network' wlan0mon [21:08:54] Let's ride [21:08:54] Resuming from besside.log [21:08:54] Appending to wpa.cap [21:08:54] Appending to wep.cap [21:08:54] Logging to besside.log
If you get an output like below, then congratulations! Your card is capable of grabbing handshakes from WPA/WPA2 networks. You can also check out our guide on Besside-ng to understand more about what a Besside-ng attack is capable of.
besside-ng wlan0mon [03:20:45] Let's ride [03:20:45] Resuming from besside.log [03:20:45] Appending to wpa.cap [03:20:45] Appending to wep.cap [03:20:45] Logging to besside.log [03:20:56] TO-OWN [DirtyLittleBirdyFeet*, Sonos*] OWNED  [03:21:03] Crappy connection - Sonos unreachable got 0/10 (100% loss) [-74 dbm] [03:21:07] Got necessary WPA handshake info for DirtyLittleBirdyFeet [03:21:07] Run aircrack on wpa.cap for WPA key [03:21:07] Pwned network DirtyLittleBirdyFeet in 0:04 mins:sec [03:21:07] TO-OWN [Sonos*] OWNED [DirtyLittleBirdyFeet*]
A powerful wireless network adapter with the ability to inject packets and listen in on Wi-Fi conversations around it gives any hacker an advantage over the airwaves. It can be confusing picking the right adapter for you, but by carefully checking the chipset contained, you can ensure you won't be surprised when you make your purchase. If you already have an adapter, putting it through its paces before using it in the field is recommended before you rely on it for anything too important.
I hope you enjoyed this guide to testing your wireless network cards for packet injection and wireless monitor mode. If you have any questions about this tutorial on Kali-compatible wireless network adapters or you have a comment, feel free to reach me on Twitter @KodyKinzie.
Want to help support Null Byte and start making your own money as a white hat hacker? Jump start your White-Hat Hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from Ethical Hacking Professionals.