João Freitas

The following is a small guide on how to check if your Linux environment supports packet injection & capturing (via monitor mode)

The most important feature required for wireless penetration testing is to determine whether your Wi-Fi card supports monitor mode and packet injection. Generally, the monitor mode is disabled on the built-in Wi-Fi card provided by the desktop or laptop manufacturer.

To understand what a monitor mode is, you need to turn on the adapter’s operation in the “normal” (it is called “managed mode”) into monitor mode.

Monitor mode enables a wireless network card to passively capture packets without associating with an access point. Think of it like listening to people’s conversations while you walk down the street.

Packet injection allows you to craft and inject or send data to wireless devices and networks nearby. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

Determining the Chipset

The chipset is important as it will determine if the wireless adapter can support monitor mode and packet injection.

The best one which is used by most Wi-Fi pentesters is Atheros AR9271. This chipset supports packet injection monitor mode and master mode which allows this to be used as an access point to create fake hotspots for evil twin attacks.

The Alfa AWUS036NHA USB adapter has the Atheros AR9271 chipset. It’s stable, fast, and a well-supported wireless network adapter.

There’s also the TP-Link TL-WN722N wireless adapter which has one of the cheapest prices but boasts surprisingly impressive performance. That being said, only v1 has the Atheros chipset since v2 uses a different chipset.

Put Your Card in Monitor Mode

For this step, we’ll use Airmon-ng, but before that, you’ll need to locate the name of the interface. On your system, run the command ifconfig on the terminal. On your Linux system, your card should be listed wlan0 or wlan1.

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500  
            inet  netmask  broadcast  
            inet6 fe80::a00:27ff:fe59:1b52  prefixlen 64  scopeid 0x20<link>  
            ether 86:09:15:d2:9e:97  txqueuelen 1000  (Ethernet)  
            RX packets 700  bytes 925050 (903.3 KiB)  
            RX errors 0  dropped 0  overruns 0  frame 0  
            TX packets 519  bytes 33297 (32.5 KiB)  
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0  
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500  
            ether EE-A5-3C-37-34-4A  txqueuelen 1000  (Ethernet)  
            RX packets 0  bytes 0 (0.0 B)  
            RX errors 0  dropped 0  overruns 0  frame 0  
            TX packets 0  bytes 0 (0.0 B)  
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Once you have the name of the network interface, you can attempt to put it into monitor mode by typing airmon-ng start wlan0 (assuming your interface name is wlan0).

airmon-ng start wlan0

You can confirm the results by typing iwconfig, and you should see the name of your interface has changed to wlan0mon. It should also report “Mode:Monitor”

    wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm  
            Retry short  long limit:2   RTS thr:off   Fragment thr:off  
            Power Management:off

Test Your Card for Packet Injection

After putting your card into monitor mode, you can run a test to see if the wireless network adapter is capable of injecting packets into nearby wireless networks.

So, in a terminal window, type aireplay-ng — test wlan0mon to start the packet injection test.

    aireplay-ng --test wlan0mon  
    12:47:05  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE) on channel 6  
    12:47:05  Trying broadcast probe requests...  
    12:47:06  Injection is working!  
    12:47:07  Found 1 AP  
    12:47:07  Trying directed probe requests...  
    12:47:07  AA:BB:CC:DD:EE - channel: 6- 'Dobis'  
    12:47:08  Ping (min/avg/max): 0.891ms/15.899ms/32.832ms Power: -21.72  
    12:47:08  29/30:  97%

If you get a result like above, then congratulations, your network card is successfully injecting packets into nearby networks.


In this guide, you have learned how to test your wireless network adapter for packet injection and monitor mode.

Thank you for reading!

#reads #frost #linux #packet capturing #wifi