Modern wireless network auditing methods require a deep understanding of data transmission processes. WiFi Scanning is the first and critical step in assessing infrastructure security. Without detailed information about the presence of networks, their encryption, and clients, further analysis becomes impossible.
Kali Linux provides a powerful set of tools for these purposes. Unlike standard operating systems, here we work at the driver and radio channel level. Aircrack-ng suite and other utilities allow you to not only view the list of SSIDs, but also intercept packets, analyze handshakes, and identify vulnerabilities in WPA2/WPA3 protocols.
Before moving on to practice, it is necessary to understand the legal and technical aspects. Network audit Scanning without the owner's written permission is illegal. Furthermore, successful scanning requires a network card that supports monitor mode, which often becomes a stumbling block for beginners.
Preparing equipment and checking drivers
The foundation of successful scanning is a compatible Wi-Fi adapter. Built-in laptop modules often don't support necessary features, such as Monitor Mode And Packet InjectionThis is why professionals use external USB adapters based on Atheros, Ralink, or Realtek chips.
The first step after connecting a device is to check whether it is recognized by the system. The command iwconfig or more modern ip link will display a list of interfaces. You need to identify your wireless adapter, which is usually labeled as wlan0, wlan1 or wlx....
It's critical to ensure the driver is loaded correctly. Some adapters require additional packages from the Kali repositories. If the device is visible but can't be monitored, the problem lies with the driver software.
- 🔌 Connect an external Wi-Fi adapter to a USB 3.0 port for maximum throughput.
- 💻 Run the command
lsusbto check the visibility of the device at the bus level. - 📡 Make sure the interface is not blocked programmatically by a command
rfkill list. - 🛠 Install the package firmware-realtek or firmware-atheros if necessary.
⚠️ Note: Some modern Wi-Fi 6 (802.11ax) adapters may not work correctly with older versions of audit tools. Always check the chipset compatibility with your Kali Linux kernel version.
After the physical preparation, we move on to the logical interface setup. The standard operating mode is Managed — is designed for connecting to access points. We need a mode that allows us to hear the entire broadcast, not just the traffic addressed to us.
Activating monitoring mode
Monitoring mode (Monitor Mode) turns your network card into a passive receiver. In this state, the card stops filtering packets and passes all radio signals in the selected frequency range to the processor. This is a key condition for scan the WiFi network effectively.
To switch the mode, use the utility airmon-ngBefore running the scan, you need to kill processes that may conflict with the wireless interface, for example, NetworkManager or wpa_supplicantThis will prevent sudden connection drops or packet capture errors.
sudo airmon-ng check kill
sudo airmon-ng start wlan0
After executing the command, the interface name often changes by adding a suffix mon (For example, wlan0mon). This is the new interface name that scanning tools will use. If the interface doesn't switch, check to see if it's blocked by system services.
☑️ Checking the monitoring mode
It's important to understand the difference between active and passive scanning. In monitoring mode, you don't send probe requests, but only listen for beacon frames from access points. This makes your presence on the network less noticeable, although it doesn't guarantee complete anonymity.
Basic Scanning with Airodump-ng
The main tool for visualizing the etheric space is airodump-ngThis utility displays all available networks, their channels, signal strengths (PWR), encryption types, and connected clients. It launches with the monitoring interface specified.
sudo airodump-ng wlan0mon
At the top of the screen you will see a list of access points (AP). Column PWR shows the signal strength: the lower the value (closer to 0 or -1), the closer the point is. Column ENC will indicate the security type: WPA2, WEP or open network (OPN).
The bottom section displays the clients (STATION) connected to these networks. The presence of an active client is the "golden ticket" for further analysis, as it is through this that a handshake can be intercepted. If a network exists but no clients, analyzing its traffic is practically useless.
| Parameter | Description | Importance |
|---|---|---|
| BSSID | MAC address of the access point | High (for targeting) |
| PWR | Signal level (dBm) | Average (definition of closeness) |
| CH | Broadcast channel | Critical (for setup) |
| ENC | Encryption type | High (vulnerability identification) |
| #Data | Number of captured packets | Average (network activity) |
To examine a specific network in detail, stop the scan (Ctrl+C) and restart it with filtering by BSSID and channel. This will save all packets to a file for later analysis or brute-force attacks.
Why can PWR be -1?
A value of -1 in the PWR column often means that the network card driver isn't transmitting signal strength information in a format understandable by airodump-ng, or the card is too far from the source. This is typical for some Realtek chips.
Analysis of hidden networks and clients
Administrators often hide the SSID (network name) believing that this will ensure security. However, hidden networks continue to transmit control frames that contain the real BSSID. Kali Linux tools easily detect such "invisible" devices.
When a client with a known SSID connects to a hidden network, the access point is forced to transmit the network name in the response frame. Airodump-ng Automatically adds the SSID to the list as soon as it detects this situation. If the network is empty, deauthentication methods can be used to force clients to reconnect.
- 🕵️ Hidden networks are displayed with the tag
or an empty SSID field. - 📡 The real name appears only when there is active data exchange.
- ⚡ Usage
aireplay-ngAllows you to speed up the appearance of SSID. - 📂 Saving logs allows you to analyze the history of network appearances.
⚠️ Warning: Forced client deauthentication (deauthentication attack) is an active attack on the network. Unlike passive scanning, this action can be considered an attack and is easily detected by IDS/IPS systems.
Client analysis allows you to understand which devices are using the network. The MAC address (OUI part) can be used to identify the manufacturer: Apple, Samsung, Intel, or IoT devices. This helps you profile the target network and assess potential risks associated with specific vendors.
Using Kismet and Wireshark for Deep Analysis
Although airodump-ng Great for a quick overview, but deeper analysis requires more powerful tools. Kismet — is a wireless network detector that operates as a server-client and provides more detailed information, including GPS location and device classification.
Indispensable for analyzing the contents of packets Wireshark. Having saved the traffic dump in the format .cap or .pcap You can open it in Wireshark using airodump-ng. Protocol filters (EAPOL, DHCP, DNS) allow you to reconstruct the network structure and see unencrypted data, if any.
Using these tools together provides a complete picture. Kismet can work in the background, collecting data on all networks in the area, while you focus on manually analyzing specific packets in Wireshark. This approach is called passive reconnaissance.
sudo kismet -c wlan0mon
It's important to note that modern networks with WPA3 and OWE (Opportunistic Wireless Encryption) encrypt even some of the service frames, making it difficult to identify SSIDs and clients during passive scanning. In such cases, analysis capabilities are limited to metadata.
Common mistakes and troubleshooting
The scanning process doesn't always go smoothly. One of the most common issues is the "device or resource busy" error. This means that another process (often NetworkManager) has seized control of the adapter. The solution is to forcefully stop services or temporarily disable network management.
Another problem is low receiver sensitivity. If you see few networks, even though they're definitely there, you may not be getting enough signal boost. Using a USB extension cable to extend the adapter or connecting an external antenna can make a big difference.
It's also worth mentioning the "channel" issue. If you're scanning channel 6, but the network is operating on channel 11, you won't see it. Airodump-ng By default, it jumps between channels, but for stable capture of a handshake, you need to fix a specific channel.
- ❌ Error: "Interface not in monitor mode." Solution: Recheck the command
airmon-ng start. - ❌ Error: "Unable to translate MAC address." Solution: Update the OUI database or ignore it.
- ❌ Error: "No such file or directory" when saving. Solution: Check write permissions for the current directory.
- ❌ Error: The adapter is overheating. Solution: Provide cooling or take a break.
⚠️ Note: Interfaces and commands may change depending on the Linux kernel version and aircrack-ng package updates. Always consult the official documentation (man pages) if the standard commands don't work.
Stable operation also depends on the quality of the USB port itself. The power supplied by the port must be sufficient to operate a powerful adapter. Using a powered USB hub often resolves issues with sudden card disconnections during scanning.
FAQ: Frequently Asked Questions
Is it possible to scan a WiFi network on Kali Linux without an external adapter?
Technically, it's possible if the integrated card supports monitoring mode and the driver allows it to be activated. However, in 90% of cases, integrated modules (especially Intel and Broadcom) are unstable or don't support packet injection, making an external adapter necessary for full auditing.
Does Kali Linux see 5GHz networks when scanning?
Yes, it does, but only if your Wi-Fi adapter supports the 5 GHz band (802.11a/n/ac/ax standard). Many cheap adapters only work at 2.4 GHz. Be sure to check the chipset specifications for dual-band support before purchasing.
Is it legal to use airodump-ng for scanning?
Passive scanning (snooping) is not a crime in most countries, as you don't connect to the network or disrupt its operation. However, using the obtained data for hacking or active actions (deauthentication) without the network owner's permission is strictly prohibited by law.
Why doesn't airodump-ng show any networks?
Possible causes: the interface isn't set to monitor mode, you're out of range, the adapter is incompatible, or a conflicting process is running. Also, check whether the wireless module is blocked by a switch on the laptop or by the rfkill command.