Linux Wi-Fi Cheat Sheet: Tips and Troubleshooting

Table of contents

1. Linux Wi-Fi Problems and Errors

2. Recipes of popular Wi-Fi actions in Linux

How to ask a question about a problem with a Wi-Fi adapter

3. Common Linux Wi-Fi Errors

4. Linux Wi-Fi FAQ

5. Drivers


Linux Wi-Fi Problems and Errors

This article is a collection of Wi-Fi issues you may encounter on Linux. The issues covered include both wireless security auditing and Wi-Fi connectivity.

If you can’t find a solution for your Wi-Fi problem, then ask in the comments. This article will be updated with a description of new Wi-Fi problems and their solutions.

Recipes of popular Wi-Fi actions in Linux

How to find out the name of the wireless interface

iw dev

The interface name is shown in the “Interface” line of the output.

If you get an error:

bash: iw: command not found

Then run this command with sudo:

sudo iw dev

How to stop programs that interfere with Wi-Fi security auditing

Before you put the Wi-Fi interface into monitor mode, it is strongly recommended to run the following two commands:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

If you have strange errors when using monitor mode, be sure to run these commands.

After NetworkManager is stopped, the Internet connection will disappear. To restore it, put the wireless interface back into managed mode and start NetworkManager again:

sudo systemctl start NetworkManager

Note: See also the next section, “Disable NetworkManager for a particular interface”.

Disable NetworkManager for a particular interface

It is not necessary to stop NetworkManager completely: you can instead prevent NetworkManager from controlling a particular interface.

To make NetworkManager ignore a wireless card temporarily, run a command like this:

nmcli dev set <INTERFACE> managed no

To prevent NetworkManager from touching the network interface immediately after starting the service and to keep this setting after a reboot, you need to use the keyfile method. To do this, open the /etc/NetworkManager/NetworkManager.conf file:

sudo gedit /etc/NetworkManager/NetworkManager.conf

And add lines like this there:

[keyfile]
unmanaged-devices=mac:00:11:22:33:44:55;mac:66:77:88:99:00:aa

Or, using the following syntax, you can specify the names of the network interfaces:

[keyfile]
unmanaged-devices=interface-name:eth*,except:interface-name:eth0;interface-name:wlan*

Save your changes and restart the service:

sudo systemctl restart NetworkManager

Let's check:

nmcli dev status

How to put a card in monitor mode before starting a Wi-Fi security audit on Linux

sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up

How to return the adapter to managed mode

sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set type managed
sudo ip link set <INTERFACE> up

How to change the channel of the Wi-Fi adapter

You can set channels only when the adapter is in monitor mode:

sudo iw dev <INTERFACE> set channel <NUMBER>

How to check whether a Wi-Fi adapter supports wireless injection

sudo aireplay-ng -9 <INTERFACE>

How to find out what frequencies the adapter supports and other specifications

iw list

How to change the region to increase TX power

To check the current value:

sudo iw reg get

To set a new region:

sudo iw reg set BZ

To increase power:

sudo ip link set <INTERFACE> down
# iw takes the TX power in mBm (100 mBm = 1 dBm), so 30 dBm is written as 3000
sudo iw dev <INTERFACE> set txpower fixed 3000
# sudo iw <INTERFACE> set monitor control # if necessary, put it into monitor mode
sudo ip link set <INTERFACE> up

See the article “How to increase TX-Power of Wi-Fi adapters” for details.

How to scan APs on the command line

To scan access points:

sudo iw dev <INTERFACE> scan

To scan and display only AP names:

sudo iw dev <INTERFACE> scan | grep SSID

How to check wireless information at the data link layer

To display information at the Data Link Layer:

iw dev <INTERFACE> link

How to connect to a Wi-Fi Access Point on the command line

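We need to create a configuration file. If PASSWORD is omitted, wpa_passphrase reads it from standard input, which keeps it out of the shell history; the generated file contains the passphrase in clear text as a comment, so restrict its permissions. The file is created with the command: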

wpa_passphrase AP_NAME PASSWORD > CONF_FILE

Connect to the access point:

sudo wpa_supplicant -B -i <INTERFACE> -c CONF_FILE

To obtain automatic settings via DHCP (assigned IP address, gateway IP address and IP address of DNS servers), run the command:

sudo dhclient <INTERFACE>

How to connect to a Wi-Fi Access Point on the command line knowing the WPS pin

See the article “Reaver cracked WPS PIN but does not reveal WPA-PSK password (SOLVED)”.

How to see all APs

sudo airodump-ng <INTERFACE> --manufacturer --uptime --wps

Automated handshake capture

sudo besside-ng <INTERFACE> -W

With the -b option followed by a MAC address (BSSID), you can restrict the program to a single target.

With the -R option, you can specify the name (ESSID) of the target. Moreover, you can use regular expressions – it is very convenient for the AP of a particular ISP.

Another option that may be useful is -c: it is followed by a channel number, and Besside-ng will then work only on this channel.

The program adds the captured handshakes to one file named wpa.cap.

Then follow the instructions “How to extract all handshakes from a capture file with several handshakes”.

How to convert a handshake to a Hashcat hash (.hccapx)

  • To convert to an HCCAPX format hash for password cracking (Hashcat v3.6+) using cap2hccapx (hashcat-utils package):
sudo cap2hccapx HANDSHAKE.pcap HASH.hccapx
  • To convert to an HCCAPX hash for password cracking (Hashcat v3.6+) using aircrack-ng:
aircrack-ng -j HASH HANDSHAKE.pcap

How to crack a Wi-Fi password in Hashcat

  • Dictionary attack:
hashcat --force --hwmon-temp-abort=100 -D 1,2 -a 0 -m 2500 HASH.hccapx DICTIONARY.txt
  • Mask attack:
hashcat --force --hwmon-temp-abort=100 -D 1,2 -a 3 -m 2500 HASH.hccapx ?d?d?d?d?d?d?d?d

In the example above, the mask matches passwords that consist of 8 digits.

Built-in character sets:

  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
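The size of the search space that a mask describes shows how much protection a passphrase of that shape offers. The function below is an added example, not part of the original article or of Hashcat; mask_keyspace is a hypothetical helper that counts the candidates of a mask built from the character sets listed above and treats any other character as a literal (custom character sets are not handled).

```shell
#!/bin/sh
# Added example: count the candidates described by a Hashcat mask.
# mask_keyspace is a hypothetical helper; custom charsets (-1 ...) are not handled.

# Prints "<number of candidates> <equivalent bits>" for the mask in $1.
mask_keyspace() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        # sizes of the built-in character sets from the table above
        size["l"] = 26; size["u"] = 26; size["d"] = 10
        size["h"] = 16; size["H"] = 16; size["s"] = 33; size["a"] = 95
    }
    {
        total = 1
        for (i = 1; i <= length($0); i++) {
            if (substr($0, i, 1) != "?") continue   # literal: one choice
            cs = substr($0, ++i, 1)
            if (cs == "?") continue                 # "??" is a literal question mark
            if (!(cs in size)) { print "unknown charset ?" cs; exit 1 }
            total *= size[cs]
        }
        printf "%.0f %.1f\n", total, log(total) / log(2)
    }'
}

# WPA passphrases are 8 to 63 characters long; compare three 8-character shapes.
for mask in '?d?d?d?d?d?d?d?d' '?l?l?l?l?l?l?l?l' '?a?a?a?a?a?a?a?a'; do
    printf '%-18s %s\n' "$mask" "$(mask_keyspace "$mask")"
done
```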

How to convert a handshake to a John the Ripper hash

If you want to crack all handshakes at once, then run the command:

wpapcap2john wpa.cap > wi-fi.hash

You can also convert the handshake for a specific access point only: specify its BSSID (in other words, its MAC address) with the -m option.

To save the handshake only for a specific AP, run a command like this:

wpapcap2john -m '<MAC ADDRESS>' wpa.cap > wi-fi.hash

How to crack a Wi-Fi password in John the Ripper

To launch a dictionary attack using the central processor (CPU), run a command like:

john --format=wpapsk --wordlist=/PATH/TO/DICTIONARY --fork=CORES /PATH/TO/wi-fi.hash

To launch a dictionary attack using a video card (GPU), run the command:

john --format=wpapsk-opencl --wordlist=/PATH/TO/DICTIONARY /PATH/TO/wi-fi.hash

To try all passwords containing only numbers and length from 8 to 10 characters and perform calculations on the CPU, run a command like:

john --format=wpapsk --fork=CORES --mask='?d' --min-length=8 --max-length=10 /PATH/TO/wi-fi.hash

To try all passwords consisting only of numbers and from 8 to 10 characters long and perform calculations on GPU, run a command like this:

john --format=wpapsk-opencl --mask='?d' --min-length=8 --max-length=10 '/PATH/TO/wi-fi.hash'

To try all passwords consisting of numbers, as well as uppercase and lowercase letters, 8 characters long and perform calculations on the CPU, run a command like:

john --format=wpapsk --fork=CORES -1=?l?u?d --mask='?1' --min-length=8 --max-length=8 /PATH/TO/wi-fi.hash

To try all passwords consisting of numbers, as well as uppercase and lowercase letters, 8 characters long and perform calculations on a video card (GPU), run a command like this:

john --format=wpapsk-opencl -1=?l?u?d --mask='?1' --min-length=8 --max-length=8 /PATH/TO/wi-fi.hash

How to ask a question about a problem with a Wi-Fi adapter

First, specify the name of the Wi-Fi adapter.

Describe the essence of your problem, for example:

  • I don’t know how to connect to Wi-Fi in Linux
  • It can’t be set in monitor mode
  • I can't capture a handshake, etc.

The more detailed the information, the better the chances of getting help.

Also show the output of the following commands:

# For USB Wi-Fi adapter
lsusb

# For PCI Wi-Fi adapter
lspci

For any adapters:

sudo iw dev
sudo airmon-ng
rfkill
uname -a

You can try to solve the problem yourself by running one of the following commands and trying to perform the actions you need:

iw event
ip monitor
journalctl -f

At the very least, the output of these commands can hint at the cause of the problem, or show errors when the problem itself is not accompanied by any error messages.

Common Linux Wi-Fi Errors

Error “Operation not permitted (-1)”

Example:

command failed: Operation not permitted (-1)

It means insufficient privileges: run the iw command with sudo.

Device or resource busy (-16)

Example:

command failed: Device or resource busy (-16)

This error occurs, for example, if you try to set the Wi-Fi adapter to a certain channel, but it is not in monitor mode and/or is not in up state. Start by setting the card in monitor mode, put the wireless card in the up state, and then set the desired channel. For example:

sudo ip link set wlp0s20f0u2 down
sudo iw wlp0s20f0u2 set monitor control
sudo ip link set wlp0s20f0u2 up
sudo iw dev wlp0s20f0u2 set channel 64
# OR you can specify the frequency:
sudo iw wlp0s20f0u2 set freq 5320

Cannot start AP mode in the 5 GHz band

Apparently with the special country code 00 (global), all usable frequencies in the 5 GHz band will have the no-ir (no-initiating-radiation) flag set, which prevents hostapd from using them. You need to have crda installed and your country code set so that the frequencies allowed in your country become available to hostapd.

Wi-Fi 5 GHz AP Mode: What does “no IR” mean?

cfg80211 has a feature called beacon hinting to assist cfg80211 in allowing a card to lift passive-scan and no-beaconing flags. Passive-scan flags are used on channels to ensure that an interface will not issue a probe request out. The no-ir flag exists to allow regulatory domain definitions to disallow a device from initiating radiation of any kind and that includes using beacons, so for example AP/IBSS/Mesh/GO interfaces would not be able to initiate communication on these channels unless the channel does not have this flag. If either of these flags are present on a channel a device is prohibited from initiating communication on cfg80211.

Old regulatory rule flags like passive-scan and no-beaconing were originally invented to help with World Roaming, these two are now combined into the one and only no-ir, for no-initiating-radiation. If you do not know what country you are in you can still behave as an 802.11 STA interface but can wait to enable active scans until you see a beacon from an AP, if the channel being used is not a DFS channel and not channels 12-14 on the 2.4 GHz band. The same can be said for initiating communication, so both the old passive-scan and no-beaconing, now consolidated in modern kernels as one flag no-ir can be lifted if an AP is found beaconing on a non-DFS channel and if the channel is also not channels 12-14 on the 2.4 GHz band. cfg80211 takes advantage of this bit of logic to lift both of these flags if and only if the wiphy device is world roaming.

Source: https://wireless.wiki.kernel.org/en/developers/regulatory/processing_rules#post_processing_mechanisms
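
To see which channels of your own adapter carry these flags, the frequency lines printed by iw list can be classified with a short script. This is an added example, not part of the original article or the kernel documentation; the function names and the two sample listings are constructed, and the 5150-5895 MHz range used for the 5 GHz band is an assumption of the example.

```shell
#!/bin/sh
# Added example: classify the frequency lines printed by `iw list`.
# Function names and sample listings are constructed for illustration.

# Reads `iw list` output on stdin, prints "<MHz> <channel> <status>" per channel:
#   ap-ok     no restricting flag, an AP can be started immediately
#   radar     DFS channel, usable only after a radar-detection period
#   no-ir     initiating radiation (beacons, probe requests) is forbidden
#   disabled  not allowed at all in the current regulatory domain
classify_channels() {
    awk '
    # Frequency lines look like:  * 5180 MHz [36] (20.0 dBm) (no IR)
    # (newer iw versions print the frequency as 5180.0)
    $1 == "*" && $3 == "MHz" {
        freq = $2; sub(/\..*/, "", freq)
        chan = $4; gsub(/\[|\]/, "", chan)
        status = "ap-ok"
        if ($0 ~ /radar detection/) status = "radar"
        if ($0 ~ /no IR/)           status = "no-ir"
        if ($0 ~ /disabled/)        status = "disabled"
        print freq, chan, status
    }'
}

# Comma-separated 5 GHz channels on which hostapd could start an AP right away.
# Assumption: the 5 GHz band is taken as 5150-5895 MHz.
ap_ready_5ghz() {
    classify_channels | awk '
        $1 >= 5150 && $1 <= 5895 && $3 == "ap-ok" { out = out sep $2; sep = "," }
        END { print out }'
}

# Constructed sample: world regulatory domain (country 00).
SAMPLE_WORLD='        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2467 MHz [12] (20.0 dBm) (no IR)
            * 2484 MHz [14] (disabled)
            * 5180 MHz [36] (20.0 dBm) (no IR)
            * 5260 MHz [52] (20.0 dBm) (no IR, radar detection)
            * 5745 MHz [149] (20.0 dBm) (no IR)'

# Constructed sample: the same adapter after a country code has been set.
SAMPLE_COUNTRY='        Frequencies:
            * 5180.0 MHz [36] (23.0 dBm)
            * 5260.0 MHz [52] (23.0 dBm) (radar detection)
            * 5745.0 MHz [149] (30.0 dBm)'

echo "world domain: [$(printf '%s\n' "$SAMPLE_WORLD" | ap_ready_5ghz)]"
echo "country set:  [$(printf '%s\n' "$SAMPLE_COUNTRY" | ap_ready_5ghz)]"
# On a real system: iw list | classify_channels
```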

Wi-Fi interface is not visible in the system

Make sure the Wi-Fi adapter is connected.

If you use Linux in a virtual machine, you have to connect the USB device to the virtual machine in its settings. In a virtual machine, it is possible to use only USB adapters.

Check whether the operating system can see them:

# For USB
lsusb

# For PCI
lspci

The wireless interface is visible but cannot be used

Check if the wireless interfaces are blocked:

rfkill

If they are blocked, unblock them with the command:

rfkill unblock all

The device sometimes disappears or appears strange in the system

If the device driver is displayed incorrectly (for example, as ??????) and the chipset information is also displayed incorrectly, then:

  • try a different cable and a different USB port
  • do not use USB hubs
  • unplug the device from the socket and plug it in again

If none of this helps, then the cause may be a hardware problem, especially if the device sometimes shows up normally and sometimes disappears or is displayed incorrectly: the device itself is probably faulty or has a bad contact.

Unable to connect to Access Point

If no other problems have been identified, but you cannot connect to the AP, then try connecting to another AP. If you have only one router, then start the AP on your mobile phone and connect to it.

If the connection succeeds, then the problem lies in an incompatibility of Wi-Fi protocols. Try disabling or, vice versa, forcing certain standards (N, AC). Try forcing another channel or setting automatic channel selection. Check your passwords again carefully.

I managed to connect to the AP, but there is no Internet

The following command shows whether the connection has really been made (look for the line that starts with “ssid”):

iw dev

Check if the interface has an IP address:

ip a

Determine the IP address of the router:

ip route show default

Then ping the router. For example, if the address of the router is 192.168.0.1, the command is:

ping 192.168.0.1

If the router does not respond, then the problem is connecting to it – for example, the signal to the AP is too weak or the IP address is not configured (the DHCP service is not running).

If you have a connection to the router, then try pinging the public IP:

ping 8.8.8.8

If the ping failed (but the router itself responds), then there is a problem with connecting the router to an external (WAN) network. Go into the settings of the router and check there.

Try to trace the path – if the trace breaks outside the router, then this may mean that your Internet provider or a higher provider has problems.

traceroute 8.8.8.8

If pinging by IP address succeeded, then try pinging by host name:

ping google.com

If ping by host name failed, then there is a problem in setting up the DNS server. These settings can be both at the system level (for example, incorrect settings in NetworkManager), and in the router.

To see which DNS server is in use, run the command:

dig google.com

Find the line that begins with “;; SERVER”: this line contains the name server address.

;; SERVER: 8.8.8.8#53(8.8.8.8)
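
The checks above can be chained so that the first failing layer is reported. The script below is an added example, not code from the original article; the function names are hypothetical, and it assumes the iw, ip and ping utilities used in this section.

```shell
#!/bin/sh
# Added example (not from the original article): the manual checks of this
# section chained into one script. Function names are hypothetical.

# Parsers for command output, reading stdin so they can be tested offline.
parse_ssid()    { sed -n 's/^[[:space:]]*SSID: //p'; }         # iw dev <if> link
parse_addr()    { awk '$3 == "inet" { print $4; exit }'; }     # ip -o -4 addr show
parse_gateway() { awk '$1 == "default" { print $3; exit }'; }  # ip route show default

# Decision logic: reports the first layer that fails.
# Arguments: ssid, address, gateway, then yes/no for the three pings
# (router, public IP, host name).
diagnose() {
    if   [ -z "$1" ];     then echo "not associated with an access point"
    elif [ -z "$2" ];     then echo "no IP address (DHCP did not configure the interface)"
    elif [ -z "$3" ];     then echo "no default route"
    elif [ "$4" != yes ]; then echo "router $3 does not answer (weak signal or wrong IP settings)"
    elif [ "$5" != yes ]; then echo "router answers but the WAN side is down"
    elif [ "$6" != yes ]; then echo "DNS is misconfigured"
    else echo "connection works"
    fi
}

can_ping() { ping -c 2 -W 2 "$1" >/dev/null 2>&1 && echo yes || echo no; }

# Runs the real checks against the interface named in $1.
check_wifi() {
    ssid=$(iw dev "$1" link | parse_ssid)
    addr=$(ip -o -4 addr show dev "$1" | parse_addr)
    gw=$(ip route show default dev "$1" | parse_gateway)
    gw_ok=no; wan_ok=no; dns_ok=no
    if [ -n "$gw" ]; then
        gw_ok=$(can_ping "$gw")
        wan_ok=$(can_ping 8.8.8.8)
        dns_ok=$(can_ping google.com)
    fi
    diagnose "$ssid" "$addr" "$gw" "$gw_ok" "$wan_ok" "$dns_ok"
}

# The network is touched only when an interface name is given: ./check.sh wlan0
if [ -n "${1:-}" ]; then
    check_wifi "$1"
else
    diagnose "HomeNet" "192.168.0.5/24" "192.168.0.1" yes no no   # constructed values
fi
```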

Can't set Wi-Fi adapter into monitor mode in Windows Subsystem for Linux (WSL) / Cygwin / Docker

In Windows Subsystem for Linux (WSL), as well as in Cygwin and Docker, there is no direct access to hardware. You will not be able to use a Wi-Fi adapter (as well as a video card, etc.) in these software products.

If you are a Windows user, then the best option for you is to install Kali Linux or Arch Linux (BlackArch) in VirtualBox and connect a USB Wi-Fi adapter to this virtual machine.

If you only have a PCI (built-in) Wi-Fi adapter, install Linux on an external USB drive or on a USB flash drive and boot from it.

Ubuntu shows bugs and offers to send reports when a wireless card is set to monitor mode

Choose any other distribution – Kali Linux, Debian, Arch Linux, BlackArch or even Linux Mint – everything works fine there.

Linux Wi-Fi FAQ

Why does the MAC address change even if the program is not used for this?

Many modern distributions are configured to constantly change the MAC address. It is normal now, but you can disable (or enable) it if you wish.

How to find out if a Wi-Fi card will be supported for auditing Wi-Fi networks

The easiest option is to choose an adapter from this list: “USB Wi-Fi Adapters with monitor mode and wireless injection”.

Modern Wi-Fi cards for wireless auditing

Dual-band wireless adapters with support for monitor mode and wireless injection, as well as supporting the AC standard:

Any of these adapters will be relevant for many more years.

How to see what happens with wireless interfaces

The following commands will help you see absolutely everything that happens behind the scenes during, for example, failed connections.

You can use the output of the following commands to solve any problems with Wi-Fi.

The following command shows in real time everything that is happening on your system: for example, when you connect a wireless adapter, it shows which driver is loaded or what problems have occurred. Messages from applications are also displayed:

journalctl -f

The output of the program is very extensive, but its study may suggest the causes of the problem.

The following command reports everything that happens at the level of the Internet Protocol (how IP addresses are assigned to interfaces and what routes are set in the system):

ip monitor

And this command will show all events related to wireless network interfaces:

iw event

These three commands are the most important source of information for resolving non-obvious problems. Study their output, or provide it when you ask others to help resolve your Wi-Fi problem.

How to find out how much traffic was transferred

ip -s -h a show <INTERFACE>

Drivers

Wi-Fi drivers in Linux. Support for Wi-Fi adapters in Linux

Linux currently supports most Wi-Fi cards and drivers for them are already pre-installed on the system (they are part of the kernel). That is, when you buy a new Wi-Fi adapter or install Linux on a laptop in the vast majority of cases, no action is required – the Wi-Fi adapter will just work.

In rare cases, you need to install a driver and/or firmware from standard repositories.

In exceptional cases, you need to compile the driver from the source code.

If you are familiar with the “Linux kernel modules” article, then you know that many devices need two things to work properly: a driver and firmware. The driver requests firmware from the file system in /lib/firmware. This is a special file necessary for the hardware; it is not a binary file. Then the driver does what it takes to download the firmware to the device. The firmware performs programming of the equipment inside the device.

You will find a list of installed drivers in the folder

echo /usr/lib/modules/`uname -r`/kernel/drivers/net/wireless

Output drivers by manufacturer:

tree /usr/lib/modules/`uname -r`/kernel/drivers/net/wireless

If for some reason the driver has not yet been included in the kernel, then it may be present in the standard repositories as separate packages.

You will also find firmware-* packages in standard repositories (for example, firmware-realtek, firmware-atheros, firmware-iwlwifi, and so on). If the firmware for your device is not installed, install it.

In Arch Linux (BlackArch), all firmware is collected in one linux-firmware package. Some devices have separate driver packages (for example, r8168 and broadcom-wl).

So, the drivers for most Wi-Fi adapters are built into the kernel and, therefore, are already installed on any Linux. Start by connecting your wireless card and trying to connect.

If you have problems, look in the repositories for the driver and/or firmware for your device.

How to check which driver is used

# To list only USB devices and their drivers
usb-devices

# To list only PCI devices and their drivers
lspci -k

# To list both USB and PCI devices and their drivers
sudo lshw

One Comment to Linux Wi-Fi Cheat Sheet: Tips and Troubleshooting

  1. john says:

    Using the usb-ac68 (ubuntu 5.4 kernel - 88XXau [v5.7.0_34085.20200313])

    I've recently been playing around with setting channels whilst in monitor mode,

    now whenever I turn on my hotspot from mobile phone (5 GHz range), it seems to pick up other channels on 5 GHz range, but never my phone on say channel 149.

    Is there a way to reset channels to default? Hopefully it's something easy I missed to let it re-scan changed automatically and efficiently.

    Thanks
