The following is a small guide on how to check whether your Linux environment supports packet injection and packet capture (via monitor mode).
The first thing to determine for wireless penetration testing is whether your Wi-Fi card supports monitor mode and packet injection. Generally, monitor mode is disabled on the built-in Wi-Fi card provided by the desktop or laptop manufacturer.
To use monitor mode, you need to switch the adapter from its "normal" operating mode (called "managed mode") into monitor mode.
Monitor mode enables a wireless network card to passively capture packets without associating with an access point. Think of it like listening to people’s conversations while you walk down the street.
Packet injection allows you to craft and inject or send data to wireless devices and networks nearby. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.
Determining the Chipset
The chipset is important as it will determine if the wireless adapter can support monitor mode and packet injection.
The best one, used by most Wi-Fi pentesters, is the Atheros AR9271. This chipset supports packet injection, monitor mode, and master mode, which allows it to be used as an access point to create fake hotspots for evil twin attacks.
The Alfa AWUS036NHA USB adapter has the Atheros AR9271 chipset. It's a stable, fast, and well-supported wireless network adapter.
There’s also the TP-Link TL-WN722N wireless adapter which has one of the cheapest prices but boasts surprisingly impressive performance. That being said, only v1 has the Atheros chipset since v2 uses a different chipset.
Put Your Card in Monitor Mode
For this step, we'll use Airmon-ng, but before that, you'll need to find the name of the interface. Run the command ifconfig in a terminal. On your Linux system, your card should be listed as wlan0 or wlan1.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe59:1b52 prefixlen 64 scopeid 0x20<link>
        ether 86:09:15:d2:9e:97 txqueuelen 1000 (Ethernet)
        RX packets 700 bytes 925050 (903.3 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 519 bytes 33297 (32.5 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether EE-A5-3C-37-34-4A txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Once you have the name of the network interface, you can attempt to put it into monitor mode by typing airmon-ng start wlan0 (assuming your interface name is wlan0).
airmon-ng start wlan0
You can confirm the result by typing iwconfig. You should see that the name of your interface has changed to wlan0mon, and it should also report "Mode:Monitor".
iwconfig
wlan0mon  IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
          Retry short long limit:2 RTS thr:off Fragment thr:off
          Power Management:off
Test Your Card for Packet Injection
After putting your card into monitor mode, you can run a test to see if the wireless network adapter is capable of injecting packets into nearby wireless networks.
So, in a terminal window, type aireplay-ng --test wlan0mon to start the packet injection test.
aireplay-ng --test wlan0mon
12:47:05 Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE) on channel 6
12:47:05 Trying broadcast probe requests...
12:47:06 Injection is working!
12:47:07 Found 1 AP
12:47:07 Trying directed probe requests...
12:47:07 AA:BB:CC:DD:EE - channel: 6- 'Dobis'
12:47:08 Ping (min/avg/max): 0.891ms/15.899ms/32.832ms Power: -21.72
12:47:08 29/30: 97%
If you get a result like the one above, then congratulations, your network card is successfully injecting packets into nearby networks.
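The two checks above can be scripted when you need to verify several adapters. The following is an added example, not part of the original guide: it parses iwconfig output for the interface mode and aireplay-ng --test output for the injection result. The function names iface_mode and injection_verdict are hypothetical, and the embedded sample text is a shortened copy of the output shown in this guide.

```shell
#!/bin/sh
# Added example: interpret the output of the two checks from this guide.
# Function names are hypothetical; sample text is a shortened copy of the
# output shown in the guide.

# Print the Mode: value iwconfig reports for interface $1 (stdin = iwconfig output).
iface_mode() {
    awk -v ifc="$1" '
        /^[^ \t]/ { found = ($1 == ifc) }   # unindented line starts a new interface
        found && match($0, /Mode:[A-Za-z-]+/) {
            print substr($0, RSTART + 5, RLENGTH - 5); exit
        }'
}

# Read aireplay-ng --test output on stdin. Prints "working <best %>" and
# returns 0 if injection was confirmed, else prints "not-working" and returns 1.
injection_verdict() {
    awk '
        /Injection is working!/ { ok = 1 }
        match($0, /[0-9]+\/[0-9]+: +[0-9]+%/) {   # result line, e.g. "29/30: 97%"
            s = substr($0, RSTART, RLENGTH)
            sub(/.*: +/, "", s); sub(/%/, "", s)
            if (s + 0 > best) best = s + 0        # keep the best AP result
        }
        END {
            if (ok) { print "working", best + 0; exit 0 }
            print "not-working"; exit 1
        }'
}

# Sample input taken from the output shown in this guide.
SAMPLE_IWCONFIG='wlan0mon  IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
          Retry short long limit:2 RTS thr:off Fragment thr:off
          Power Management:off'
SAMPLE_TEST='12:47:05 Trying broadcast probe requests...
12:47:06 Injection is working!
12:47:07 Found 1 AP
12:47:08 29/30: 97%'

echo "mode: $(printf '%s\n' "$SAMPLE_IWCONFIG" | iface_mode wlan0mon)"
echo "injection: $(printf '%s\n' "$SAMPLE_TEST" | injection_verdict)"
```

On a live system, feed the real commands in instead of the samples: iwconfig 2>/dev/null | iface_mode wlan0mon, and aireplay-ng --test wlan0mon | injection_verdict.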
Conclusion
In this guide, you have learned how to test your wireless network adapter for packet injection and monitor mode.
Thank you for reading!