How to Scan a Wi-Fi Network in Kali Linux: A Step-by-Step Guide

Wireless network security diagnostics begin with a deep analysis of the airwaves, and the operating system Kali Linux is the industry standard for these tasks. To effectively scan the surrounding area for available access points, it's necessary not just to run a single command, but to properly prepare the hardware and software environment. Many beginners encounter problems as early as turning on the adapter, wondering why their network card can't see anything other than its own name.

Scanning process in Kali This is fundamentally different from a standard Wi-Fi scan in Windows or Android, as it requires switching the network interface to a special operating mode. Without this, you'll only see the tip of the iceberg, missing hidden networks and service packets. In this article, we'll detail how to turn your laptop into a powerful security audit tool using a standard set of utilities.

Before moving on to practical actions, it is worth noting that the success of the operation is 90% dependent on the compatibility of your Wi-Fi adapter with the drivers mac80211Built-in laptop cards often don't support the necessary packet injection features, so professionals prefer external USB modules on chips. Atheros or RealtekUnderstanding this nuance will save you hours of useless debugging.

Equipment preparation and compatibility testing

The first step should always be verifying the connected devices. The system should correctly detect your wireless adapter and assign it an interface name, usually starting with wlan or wlxTo get a list of all network devices in the terminal, use the command ip link or more specialized iwconfig, which will immediately show the status of wireless interfaces.

It's critical to ensure that the driver supports monitor mode, without which deep scanning is impossible. You can check your card's capabilities using this utility. iw list, which will display a detailed report on supported interfaces and frequencies. If the word "Supported interface modes" is missing in the "Supported interface modes" section, monitor, then your adapter will only be able to connect to networks as a client, but will not analyze the airwaves.

⚠️ Note: Some modern laptops with Wi-Fi 6 (802.11ax) may have issues switching to monitor mode when running older kernel versions. If the mode switching command returns an error, try updating the firmware or using an external adapter.

It's also worth checking whether the wireless module is blocked by software or hardware. Utility rfkill allows you to see the status of blocks. If you see the status "Soft blocked: yes", you need to remove the block with the command sudo rfkill unblock wifiHardware blocking ("Hard blocked") can only be resolved by a physical switch on the device's case or in the BIOS.

Configuring the network interface and monitor mode

After confirming compatibility, it is necessary to stop system processes that can intercept control of the adapter. Kali Linux the service is often responsible for this NetworkManager, which attempts to automatically connect to known networks, interfering with auditing tools. The service is stopped with the command sudo systemctl stop NetworkManager, which frees up the interface for manual control.

Next, you need to switch the interface to monitor mode. This can be done using the utility airmon-ng, which will automatically perform the necessary actions to disable interfering processes and create a virtual interface. Command sudo airmon-ng start wlan0 (Where wlan0 - the name of your interface) will create a new interface, often called wlan0mon.

An alternative, cleaner way is to use commands ip link set And iw devFirst, the interface needs to be disabled (ip link set wlan0 down), then change the type to monitor (iw dev wlan0 set type monitor) and turn it on again (ip link set wlan0 up). This method gives more control and is less dependent on wrapper scripts.

β˜‘οΈ Preparing the interface for scanning

Completed: 0 / 5

You will not be able to access the Internet through this same interface until you return it to the offline mode. managedTo return, use the command sudo airmon-ng stop wlan0mon or manual reset of the interface type via iw.

Basic scanning with iwlist and iw

For a quick overview of available networks without going into too much detail, you can use standard Linux tools. The utility iwlist is a classic way to get a list of access points. The command sudo iwlist wlan0 scanning will display a list of all visible networks, their MAC addresses (BSSID), signal strength and supported speeds.

A more modern analogue is the command iw dev wlan0 scanIt provides information in a more structured form, showing channel frequency, signal strength (in dBm), and SSID. However, these methods only work in managed mode and do not reveal hidden networks or client packets, limiting their usefulness for professional analysis.

Parameter iwlist iw scan airodump-ng
Opening hours Managed / Monitor Managed / Monitor Only Monitor
Hidden SSIDs Doesn't show Doesn't show Shows how
Detailing Average High Maximum
Data recording No No Yes (pcap)

If your goal is simply to find out what channel your neighbor is on so you can choose a free one for your router, these tools are quite sufficient. However, for security audit Packet collection is required, which is impossible without specialized software. Standard scanners update the network list every few seconds, skipping short-lived management frames.

Deep traffic analysis with Airodump-ng

The main scanning tool in Kali Linux is airodump-ng, included in the package aircrack-ng. It is launched by the command sudo airodump-ng wlan0monUnlike previous utilities, this program displays data in real time, showing not only access points (the top part of the screen), but also all clients connected to them (the bottom part).

In the column PWR The signal strength is displayed: the lower the number (closer to 0 or negative with a smaller modulus), the closer the source. Column #Data Shows the number of captured data frames, which is critical for cracking WPA keys. If you see a network with a hidden name, the ESSID column will show or similar until an authorized client connects to the network.

πŸ“Š What signal level do you consider normal for stable operation?
-30 to -50 dBm
-50 to -70 dBm
-70 to -85 dBm
Below -85 dBm

To filter the scan by a specific frequency range or channel, you can use arguments. For example, sudo airodump-ng --band a wlan0mon will scan only the 5 GHz band, ignoring the congested 2.4 GHz. You can also select a specific channel with the command --channel 6, which increases the efficiency of packet collection, since the adapter does not waste time switching frequencies.

⚠️ Warning: When scanning in monitor mode, you may see multiple networks with the same name (for example, "XfinityWiFi" or "BTWiFi"). These are legitimate public hotspots from carriers and are not necessarily a sign of an "Evil Twin" attack, although the methodology behind their creation is similar.

Data Visualization with Kismet and Wireshark

Although airodump-ng provides an excellent text summary, but for deeper analysis, graphical interfaces are often required. Kismet β€” is a powerful detector that operates as a server-client. It can scan the airwaves, create coverage maps, and even identify device types (IoT, phones, laptops) based on OUI analyzers.

Kismet is typically launched in Kali via sudo kismet in the terminal or through the application menu. Once launched, the web interface is accessible at localhost:2501. Kismet allows you to save all captured traffic in files of the following format: pcapdump or pcapng, which can then be opened in Wireshark for frame-by-frame study.

Wireshark itself can't put the card into monitor mode, but it does a great job of analyzing captured data. You can filter packets by protocol (for example, wlan.fc.type_subtype == 0x08 for data frames), look for WPA handshakes, or analyze Probe Requests that devices send out in search of familiar networks.

What is a Probe Request?

These are frames that the client device broadcasts, asking, "Is there a 'HomeWiFi' network here?" Even if you're not connected to any network, your phone constantly shouts about it, revealing your connection history and MAC address.

Graphic alternatives: Wifite and Fern

For those who find working with the command line complicated, Kali Linux has automated tools. Wifite2 - is a wrapper script that automatically runs airodump-ng, waits for clients to appear, deauthenticates, and attempts to obtain a password hash. Launching it is simple: sudo wifite.

Another option is Fern Wifi Cracker, which provides a fully functional graphical user interface (GUI). It allows you to select networks from a list and launch scans and attacks with a single click. However, automated tools are often less flexible than manual configuration and can be noisy on the network, immediately alerting the administrator to your presence.

Using such tools is justified for quickly testing your own network for resilience to known attacks. In professional pentesting, manual control of each stage is preferable, as automated testing may miss specific configurations or, conversely, cause instability in the client's equipment.

Legal aspects and ethics

It's important to understand that scanning wireless networks that don't belong to you may be subject to data protection laws. In most countries, intercepting traffic or attempting to authenticate without the network owner's permission is a criminal offense. Kali Linux tools are designed for security audits of your own networks or networks you have written permission to test.

Even passive scanning (listening to broadcasts) is interpreted ambiguously in some jurisdictions if it is conducted deliberately to collect data on specific users. Always act within the law and use the information gained solely for educational or protective purposes.

Is it possible to scan Wi-Fi without switching to monitor mode?

Yes, you can see a list of open networks and their basic parameters (channel, encryption) using commands iwlist or nmcli in normal mode. However, you won't see hidden SSIDs or client MAC addresses, and you won't be able to analyze service frames.

Why doesn't airodump-ng detect my Wi-Fi adapter?

Most likely, your card driver does not support monitor or injection mode. Try the command iw list And check the "Supported interface modes" section. If "monitor" isn't listed there, you won't be able to enable it programmaticallyβ€”you'll need to replace the adapter.

How to scan 5GHz networks in Kali Linux?

Make sure your adapter supports the 5 GHz band. When starting airodump-ng use argument --band a or specify a specific channel from the 5 GHz range (for example, --channel 36).

Is it safe to use Kali Linux for scanning?

Using the OS is safe for your hardware unless you use aggressive attacks. However, running audit tools may be detected by intrusion detection systems (IDS) if you're on a corporate network.