Scanning WiFi networks

This is the second article on the UNIX Health Check blog that discusses security awareness.

This article is all about WiFi security, and the ability of others to scan WiFi network information. For the purpose of this article, we'll be using Kali Linux. In the first article we discussed setting up a Kali Linux Live USB environment for this purpose.

Kali Linux, generally regarded as the de facto standard package of tools used to facilitate penetration testing to secure data and voice networks, comes with many pre-installed tools. One of those tool-sets is AirCrack-ng, which is a complete suite of tools to assess WiFi network security. We'll be looking at and using some of these tools in this article.

To prepare, start up a computer with the Kali Linux Live USB operating system.

Also make sure that the computer has a functional wireless interface. To use the AirCrack-ng tools, a good wireless interface is required. Please note that not all wireless devices are the same: the capabilities of a wireless device depend largely on the chipset used inside it. A good and relatively cheap wireless interface is the Alfa AWUS036NH, which comes with a USB interface that can easily be plugged into any computer. This particular WiFi USB device is capable of high transmit power, and can also be configured in so-called Master mode, allowing it to function as an Access Point, which we'll be using in future articles. A good overview of wireless devices and their capabilities can be found at

Once the Kali Live system has booted, investigate which wireless interfaces are available. Good tools for this purpose are airmon-ng and iwconfig:

# airmon-ng

PHY   Interface   Driver      Chipset

phy0  wlan0       iwlwifi     Intel Corporation Wireless 7260 (rev 73)
phy1  wlan1       rt2800usb   Ralink Technology, Corp. RT2870/RT3070
phy2  wlan2       rt2800usb   Ralink Technology, Corp. RT5370

In the output above you can see there are 3 wireless devices. The first one, listed as phy0, is the internal WiFi device of the computer. The other two use the rt2800usb USB driver and are the two USB WiFi devices that have been inserted. The Alfa AWUS036NH WiFi device is device phy2 in the output above.

Now run "iwconfig":
# iwconfig
wlan0   IEEE 802.11  ESSID:off/any
        Mode:Managed  Access Point: Not-Associated   Tx-Power=22 dBm
        Retry short limit:7  RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off

wlan1   IEEE 802.11  ESSID:off/any
        Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
        Retry short  long limit:2  RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:on

wlan2   IEEE 802.11  ESSID:off/any
        Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
        Retry short  long limit:2  RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off
The "iwconfig" command above provides us with some more information, for example whether the interface is associated with any Access Point (a.k.a. router), and what the transmit power (Tx-Power) of the device is currently set to. Similar information can be retrieved by running the "iw dev" command; that command also displays the MAC address of each device.

For the purpose of these security articles, we have equipped the computer with 3 WiFi devices. The first device, wlan0, will be used to regularly connect to a working WiFi Access Point for Internet connectivity. The second interface, wlan1, will be used to monitor WiFi networks. And the third interface, wlan2, will be used in a later article to set up our own Access Point. Having several WiFi interfaces gives us the capability to do multiple things.

WiFi network traffic consists of radio signals: anyone in range can simply tune in the "radio" and listen to what is going on. This is the main reason why using Open (non-encrypted) WiFi networks is a security risk. Yet, many people use Open WiFi networks frequently.

Similar to radio signals, the location of where you are listening, and the equipment used to listen to it, matters. The closer you are to an Access Point, the stronger and more reliable the signals are. Also, the better the WiFi network device, or the larger the antenna used, the more likely it is that you will receive a good signal.

To start listening to WiFi traffic, it is useful to set one of the WiFi interfaces into Monitor mode. The airodump-ng command that we'll be using to monitor WiFi network traffic puts a device in Monitor mode itself, so you won't have to do it yourself. But if you do wish to configure a WiFi interface in Monitor mode manually, you can do so as follows, for example for WiFi interface wlan1:
# ifconfig wlan1 down
# iwconfig wlan1 mode monitor
# ifconfig wlan1 up
# iwconfig wlan1
wlan1   IEEE 802.11  Mode:Monitor  Frequency:2.462 GHz  Tx-Power=20 dBm
        Retry short  long limit:2  RTS thr:off   Fragment thr:off
        Power Management:off
In the output of the "iwconfig" command above, you can now see that the wlan1 interface is in Monitor mode, and that the frequency is set to 2.462 GHz (configured to listen to the 2.4 GHz WiFi band).

Another way of configuring a WiFi network interface in Monitor mode is by running:
# airmon-ng start wlan1
However, when using the airmon-ng command, keep in mind that the interface used, in the example above: wlan1, will be renamed to wlan1mon.

When setting a WiFi network interface in Monitor mode, you may encounter a failure. If this happens, then most likely another process is using the WiFi network interface. To check this, run:
# airmon-ng check wlan1
If you want to stop all the other processes using the wireless device, simply run:
# airmon-ng check kill
A good example of a process using a wireless device is NetworkManager. By default, this process is active on Kali Linux. To verify that, run:
# systemctl status NetworkManager
To stop NetworkManager, run:
# systemctl stop NetworkManager
If you wish to keep on using NetworkManager, but just have NetworkManager not manage a specific wireless device, then do the following:

First determine the MAC address of the wireless device by running "iw dev". Assuming that the MAC address of the wireless device is 00:0f:60:01:07:4c, then add the following to the bottom of /etc/NetworkManager/NetworkManager.conf:
Then restart NetworkManager:
# systemctl restart NetworkManager
From now on, NetworkManager will no longer manage the wireless device with MAC address 00:0f:60:01:07:4c, and you should no longer see the issues that occur when you run commands against the wireless device while NetworkManager is managing it at the same time.
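To automate the two steps just described, here is an added example script (not from the original article) that reads the MAC of an interface from the "Interface"/"addr" lines of "iw dev" output and prints the [keyfile] unmanaged-devices stanza for NetworkManager.conf; the "iw dev" output embedded in it is constructed, and the function and variable names are my own:

```shell
#!/bin/sh
# Added example: derive the MAC of a wireless interface from "iw dev" and build
# the NetworkManager.conf stanza that excludes that device from NetworkManager
# ([keyfile] section, unmanaged-devices key, see NetworkManager.conf(5)).

# Constructed sample of "iw dev" output for two interfaces; wlan1 carries the
# MAC address used in the article.
SAMPLE_IW_DEV='phy#0
    Interface wlan0
        ifindex 3
        addr 3c:a9:f4:00:00:01
        type managed
phy#1
    Interface wlan1
        ifindex 4
        addr 00:0f:60:01:07:4c
        type managed'

# mac_of_iface IFACE [IW_DEV_OUTPUT]: print the MAC of IFACE. Runs "iw dev"
# itself when no output is supplied. Exit status 1 if IFACE is not listed.
mac_of_iface() {
    ifc=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(iw dev); fi
    printf '%s\n' "$out" | awk -v ifc="$ifc" '
        $1 == "Interface" { cur = $2 }                 # remember current interface
        $1 == "addr" && cur == ifc { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# unmanaged_stanza MAC: print the lines to append to
# /etc/NetworkManager/NetworkManager.conf (MAC lower-cased for consistency).
unmanaged_stanza() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '[keyfile]\nunmanaged-devices=mac:%s\n' "$mac"
}

# Typical use on the Kali box as root, followed by "systemctl restart NetworkManager":
#   unmanaged_stanza "$(mac_of_iface wlan1)" >> /etc/NetworkManager/NetworkManager.conf
```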

Now you can start monitoring the WiFi networks, by running:
# airodump-ng wlan1
The output shown by the airodump-ng command is divided into two parts. At the top you can see all the BSSIDs. These are the Access Points / routers found. For each BSSID, you'll see the MAC address of the Access Point, the transmit power (PWR), the channel it is transmitting on (CH), the encryption used (ENC) and the ESSID (the name of the WiFi network). At the bottom, you can see the clients, also called stations. These are devices, such as computers and phones, connected to an Access Point, or, when listed as "not associated", devices that are not connected to any Access Point but are looking to connect. If a device is connected to an Access Point, then it will list both the MAC address of the BSSID (Access Point) and that of the client (Station). In the left-most column you can see information about "Probes", meaning clients that probe for a certain WiFi network name.

The airodump-ng command has some very useful keyboard commands, described in a lot of detail at For example, the "a" key can be used to cycle through different parts of the output, which may come in handy if there is too much information to fit on the screen. The "s" and "r" keys can be used to sort the output per column, and the TAB key can be used to highlight/select specific BSSIDs.

A note about MAC addresses: the MAC address alone doesn't tell you what kind of device it is, but some information can be derived from it. A MAC address consists of 6 parts (octets), separated by colons. The first 3 parts identify the vendor of the device. You can take these first three parts and look up which vendor it is, for example by typing in these 3 parts at For example, if you do so for MAC address B0:26:80:AA:CB:20, by taking the first three parts (B0:26:80) and entering that on, it will tell you it is a Cisco device. When retrieving MAC address vendor information, you may discover a lot of China-based vendors that manufactured the wireless chips in computers, phones and other devices. So, it may not always be immediately clear what type of device is using a certain MAC address.

At the top of the airodump-ng output you will notice that it cycles through all the channels constantly, which is the default behavior. This way it is scanning all channels for WiFi networks. If you wish to look at a specific Access Point (or BSSID), then copy the MAC address of that BSSID, and take a note of the channel it uses.

For example, in the top output you may see a line for an Access Point/BSSID as follows:
BSSID               PWR  Beacons  #Data  #/s  CH   MB   ENC  CIPHER  AUTH  ESSID
B0:26:80:83:79:C0   -28      248     40    0   6  195  WPA2    CCMP   PSK  attwifi
This means that a WiFi network with the name "attwifi" is running at channel 6, with MAC address B0:26:80:83:79:C0.

To only look at this specific Access Point, start airodump-ng locked to that channel and BSSID, as follows:
# airodump-ng --channel 6 --bssid B0:26:80:83:79:C0 wlan1
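As an added example (not code from the original article), the following script post-processes the CSV file that airodump-ng writes when started with "-w <prefix>" (the <prefix>-01.csv file) and reports the open or WEP Access Points, the unassociated stations that are probing for network names, and the vendor prefix of a MAC address to look up; the CSV embedded in it is constructed in that layout (AP table, blank line, station table), and ESSIDs containing a comma are not handled:

```shell
#!/bin/sh
# Constructed sample in the layout of the <prefix>-01.csv file written by
# "airodump-ng -w <prefix> wlan1": AP table, blank line, then station table.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
B0:26:80:83:79:C0, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 195, WPA2, CCMP, PSK, -28, 248, 40, 0.0.0.0, 7, attwifi,
02:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, OPN, , , -61, 90, 0, 0.0.0.0, 11, Free Coffee,
06:11:22:33:44:66, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, WEP, WEP, , -75, 30, 12, 0.0.0.0, 6, OldCam,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -40, 12, B0:26:80:83:79:C0,
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -70, 3, (not associated), HomeNet, Office'

# oui_of MAC: the first three octets in upper case, i.e. the vendor prefix to
# look up (B0:26:80 for the Cisco Access Point in the article).
oui_of() {
    printf '%s' "$1" | cut -d: -f1-3 | tr 'a-z' 'A-Z'
}

# weak_aps CSV: one line "CH ENC ESSID BSSID" per Access Point whose Privacy
# field is not WPA/WPA2/WPA3, i.e. open (OPN) and WEP networks that an audit
# of your own site should flag. Fields are split on "," plus optional spaces.
weak_aps() {
    printf '%s\n' "$1" | awk -F', *' '
        /^Station MAC/ { exit }                     # AP table ends here
        NR > 1 && NF >= 14 && $6 !~ /^WPA/ { printf "%s %s %s %s\n", $4, $6, $14, $1 }'
}

# probing_stations CSV: one line "STATION PROBE[,PROBE...]" per station that is
# not associated to any Access Point but probes for remembered network names.
probing_stations() {
    printf '%s\n' "$1" | awk -F', *' '
        /^Station MAC/ { in_st = 1; next }          # station table starts here
        in_st && $6 == "(not associated)" && NF > 6 && $7 != "" {
            p = $7; for (i = 8; i <= NF; i++) if ($i != "") p = p "," $i
            print $1 " " p }'
}

# Typical use after a capture: weak_aps "$(cat scan-01.csv)"; probing_stations "$(cat scan-01.csv)"
```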
That is it for this article. At this point you have learned how to scan for WiFi networks using Kali Linux, how to see all the different WiFi networks in the vicinity, and how to see which clients (stations) are either associated to or probing for an Access Point.
