Linux Wi-Fi Cheat Sheet: Tips and Troubleshooting

Table of contents

1. Linux Wi-Fi Problems and Errors

2. Recipes of popular Wi-Fi actions in Linux

How to ask a question about a problem with a Wi-Fi adapter

3. Common Linux Wi-Fi Errors

4. Linux Wi-Fi FAQ

5. Drivers and firmware


Linux Wi-Fi Problems and Errors

This article is a collection of Wi-Fi issues you may encounter on Linux. The issues covered include both wireless security auditing and Wi-Fi connectivity.

If you can’t find a solution for your Wi-Fi problem, then ask in the comments. This article will be updated with a description of new Wi-Fi problems and their solutions.

Recipes of popular Wi-Fi actions in Linux

How to find out the name of the wireless interface

iw dev

The interface name is shown in the “Interface” line.

If you get an error:

bash: iw: command not found

Then run this command with sudo:

sudo iw dev

How to stop programs that interfere with Wi-Fi security auditing

Before you set the Wi-Fi interface to monitor mode, it is strongly recommended that you run the following two commands:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

If you have strange errors when using monitor mode, be sure to run these commands.

After NetworkManager is stopped, the Internet connection will be lost. To restore it, put the wireless interface in managed mode and start NetworkManager:

sudo systemctl start NetworkManager

Note: See also the next section, “Disable NetworkManager for a particular interface”.

Disable NetworkManager for a particular interface

It is not necessary to stop NetworkManager completely: you can instead prevent NetworkManager from controlling a particular interface.

To make NetworkManager ignore a wireless card temporarily, run a command like this:

nmcli dev set <INTERFACE> managed no

To prevent NetworkManager from touching the network interface immediately after starting the service and to keep this setting after a reboot, you need to use the keyfile method. To do this, open the /etc/NetworkManager/NetworkManager.conf file:

sudo gedit /etc/NetworkManager/NetworkManager.conf

And add lines like this there:

[keyfile]
unmanaged-devices=mac:00:11:22:33:44:55;mac:66:77:88:99:00:aa

Or, using the following syntax, you can specify the names of the network interfaces:

[keyfile]
unmanaged-devices=interface-name:eth*,except:interface-name:eth0;interface-name:wlan*

Save your changes and restart the service:

sudo systemctl restart NetworkManager

Let's check:

nmcli dev status

How to put a card in monitor mode before starting a Wi-Fi security audit on Linux

sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up

How to return the adapter to managed mode

sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set type managed
sudo ip link set <INTERFACE> up

How to change the channel of the Wi-Fi adapter

You can set channels only when the adapter is in monitor mode:

sudo iw dev <INTERFACE> set channel <NUMBER>

How to check whether a Wi-Fi adapter supports wireless injection

sudo aireplay-ng -9 <INTERFACE>

How to find out what frequencies the adapter supports and other specifications

iw list

How to change the region to increase TX power

To check the current value:

sudo iw reg get

To set a new region:

sudo iw reg set BZ

To increase power:

sudo ip link set <INTERFACE> down
sudo iw dev <INTERFACE> set txpower fixed 30mBm
# sudo iw <INTERFACE> set monitor control # if necessary, put it into monitor mode
sudo ip link set <INTERFACE> up

See the article “How to increase TX-Power of Wi-Fi adapters” for details.

How to scan APs on the command line

To scan access points:

sudo iw dev <INTERFACE> scan

To scan and display only AP names:

sudo iw dev <INTERFACE> scan | grep SSID

How to check wireless information at the data link layer

To display information at the Data Link Layer:

iw dev <INTERFACE> link

How to connect to a Wi-Fi Access Point on the command line

We need to create a configuration file. This is done by the command:

wpa_passphrase AP_NAME PASSWORD > CONF_FILE

Connect to the access point:

wpa_supplicant -B -i <INTERFACE> -c CONF_FILE

To obtain automatic settings via DHCP (assigned IP address, gateway IP address and IP address of DNS servers), run the command:

dhclient <INTERFACE>

How to connect to a Wi-Fi Access Point on the command line knowing the WPS pin

See the article “Reaver cracked WPS PIN but does not reveal WPA-PSK password (SOLVED)”.

How to see all APs

sudo airodump-ng <INTERFACE> --manufacturer --uptime --wps

How to search for AP on 5 GHz

sudo airodump-ng --channel 36-165 INTERFACE

Automated handshake capture

 

How to convert handshake in Hashcat hash (.hccapx)

  • To convert to 22000 mode format hash for password cracking (Hashcat v6.0.0+) using hcxpcapngtool (hcxtools package):
hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng
  • To convert to a HCCAPX format hash for password cracking (Hashcat v3.6+) using cap2hccapx (hashcat-utils package):
cap2hccapx HANDSHAKE.pcap HASH.hccapx
  • To convert to a HCCAPX hash for password cracking (Hashcat v3.6+) using aircrack-ng:
aircrack-ng -j HASH HANDSHAKE.pcap

How to crack Wi-Fi password in Hashcat

  • Dictionary attack:
hashcat --force --hwmon-temp-abort=100 -D 1,2 -a 0 -m 22000 HASH.hc22000 DICTIONARY.txt
  • Mask attack:
hashcat --force --hwmon-temp-abort=100 -D 1,2 -a 3 -m 22000 HASH.hc22000 ?d?d?d?d?d?d?d?d

In the example above, the mask matches passwords that consist only of digits and are 8 characters long.

Built-in character sets:

  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s


How to convert handshake in John the Ripper hash

If you want to convert all handshakes in the capture file at once, run the command:

wpapcap2john wpa.cap > wi-fi.hash

You can also convert the handshake for a specific access point only. To do so, specify its BSSID (in other words, its MAC address) with the -m option.

To save the handshake only for a specific AP, run a command like this:

wpapcap2john -m '<MAC ADDRESS>' wpa.cap > wi-fi.hash

How to crack Wi-Fi password in John the Ripper

To launch a dictionary attack using the central processor (CPU), run a command like:

john --format=wpapsk --wordlist=/PATH/TO/DICTIONARY --fork=CORES /PATH/TO/wi-fi.hash

To launch a dictionary attack using a video card (GPU), run the command:

john --format=wpapsk-opencl --wordlist=/PATH/TO/DICTIONARY /PATH/TO/wi-fi.hash

To try all passwords containing only numbers and length from 8 to 10 characters and perform calculations on the CPU, run a command like:

john --format=wpapsk --fork=CORES --mask='?d' --min-length=8 --max-length=10 /PATH/TO/wi-fi.hash

To try all passwords consisting only of numbers and from 8 to 10 characters long and perform calculations on GPU, run a command like this:

john --format=wpapsk-opencl --mask='?d' --min-length=8 --max-length=10 '/PATH/TO/wi-fi.hash'

To try all passwords consisting of numbers, as well as uppercase and lowercase letters, 8 characters long and perform calculations on the CPU, run a command like:

john --format=wpapsk --fork=CORES -1=?l?u?d --mask='?1' --min-length=8 --max-length=8 /PATH/TO/wi-fi.hash

To try all passwords consisting of numbers, as well as uppercase and lowercase letters, 8 characters long and perform calculations on the GPU, run a command like this:

john --format=wpapsk-opencl -1=?l?u?d --mask='?1' --min-length=8 --max-length=8 /PATH/TO/wi-fi.hash

How to add a virtual interface in monitor mode

To add a new virtual interface in monitor mode:

sudo iw INTERFACE interface add NEW_INTERFACE type monitor

To add a new virtual interface in monitor mode and set its MAC address:

sudo iw INTERFACE interface add NEW_INTERFACE type monitor addr MAC_ADDRESS

For details, see the article “Virtual Wi-Fi interfaces for simultaneous use of a Wi-Fi adapter in different modes”.

How to create an AP on a computer

With create_ap you can create an Access Point with a single command. Thanks to the AP, all your devices can share one wired connection, or you can amplify the signal from a remote Access Point.

For example, to create an AP named MyAccessPoint with the password PASSWORD1 on the wireless interface wlan0, with the Internet connection provided through the interface eth0:

sudo create_ap wlan0 eth0 MyAccessPoint PASSWORD1

How to strengthen (amplify) Wi-Fi signal from a remote AP

You can strengthen the signal from a remote Access Point if you have two Wi-Fi adapters, or even just one. For details, see the article “Virtual Wi-Fi interfaces for simultaneous use of a Wi-Fi adapter in different modes”.

How to change the MAC address of a Wi-Fi adapter

Since there are unobvious nuances with changing the MAC address, it is recommended to get started with the article “How to change MAC address in Linux, how to enable and disable automatic MAC change (spoofing) in Linux”.

To spoof a MAC address to a completely arbitrary address:

sudo macchanger -r wlan0

How to ask a question about a problem with a Wi-Fi adapter

First, specify the name of the Wi-Fi adapter.

Indicate the essence of your problem, examples:

  • I don’t know how to connect to Wi-Fi in Linux
  • It can’t be set in monitor mode
  • I can't capture a handshake, etc.

The more detailed the information, the more chances for help.

Also show the output of the following commands:

# For USB Wi-Fi adapter
lsusb

# For PCI Wi-Fi adapter
lspci

For any adapters:

sudo iw dev
sudo airmon-ng
rfkill
uname -a

You can try to solve the problem yourself by running one of the following commands and trying to perform the actions you need:

iw event
ip monitor
journalctl -f

At the very least, the output of these commands can hint at the cause of the problem, or reveal errors when the problem itself does not produce any error messages.

Common Linux Wi-Fi Errors

Error “Operation not permitted (-1)”

Example:

command failed: Operation not permitted (-1)

This means insufficient privileges. Run the iw command with sudo.

Device or resource busy (-16)

Example:

command failed: Device or resource busy (-16)

This error occurs, for example, if you try to set the Wi-Fi adapter to a certain channel, but it is not in monitor mode and/or is not in up state. Start by setting the card in monitor mode, put the wireless card in the up state, and then set the desired channel. For example:

sudo ip link set wlp0s20f0u2 down
sudo iw wlp0s20f0u2 set monitor control
sudo ip link set wlp0s20f0u2 up
sudo iw dev wlp0s20f0u2 set channel 64
# OR you can specify the frequency:
sudo iw wlp0s20f0u2 set freq 5320

Another reason for the error may be that you are trying to switch a network interface to monitor mode or managed mode while it is in the “up” state.

Error “command failed: Network is down (-100)” while scanning “iw dev INTERFACE scan”

If while scanning networks using the “iw dev INTERFACE scan” command:

sudo iw dev wlan0 scan | grep SSID

you got the following error:

command failed: Network is down (-100)

then the network adapter is in the “down” state, that is, not activated. To activate it, run the command:

sudo ip link set wlan0 up

If this does not help, then check if the interface is blocked:

rfkill

If the interface is locked, then unlock it, and then put it back into “up” mode.

rfkill unblock all

Error “command failed: Operation not supported (-95)” while scanning “iw dev wlan0 scan”

If, when scanning networks with iw

sudo iw dev wlan0 scan | grep SSID

you got the following error

command failed: Operation not supported (-95)

then the reason may be that the network interface is currently in monitor mode. To fix the error, put it in managed mode.

Error “command failed: Device or resource busy (-16)” while scanning “iw dev wlan0 scan”

If, when scanning networks with iw

sudo iw dev wlan0 scan | grep SSID

you got the following error

command failed: Device or resource busy (-16)

Its reason is that the network device is already in use by another program. Try scanning later, or try to find out which program is using the network interface.

Cannot start AP mode in 5 GHz band

Apparently with the special country code 00 (global), all usable frequencies in the 5 GHz band will have the no-ir (no-initiating-radiation) flag set, which will prevent hostapd from using them. You will need to have crda installed and have your country code set to make frequencies allowed in your country available for hostapd.

Wi-Fi 5 GHz AP Mode: What does “no IR” mean?

cfg80211 has a feature called beacon hinting to assist cfg80211 in allowing a card to lift passive-scan and no-beaconing flags. Passive-scan flags are used on channels to ensure that an interface will not issue a probe request out. The no-ir flag exists to allow regulatory domain definitions to disallow a device from initiating radiation of any kind and that includes using beacons, so for example AP/IBSS/Mesh/GO interfaces would not be able to initiate communication on these channels unless the channel does not have this flag. If either of these flags are present on a channel a device is prohibited from initiating communication on cfg80211.

Old regulatory rule flags like passive-scan and no-beaconing were originally invented to help with World Roaming, these two are now combined into the one and only no-ir, for no-initiating-radiation. If you do not know what country you are in you can still behave as an 802.11 STA interface but can wait to enable active scans until you see a beacon from an AP, if the channel being used is not a DFS channel and not channels 12-14 on the 2.4 GHz band. The same can be said for initiating communication, so both the old passive-scan and no-beaconing, now consolidated in modern kernels as one flag no-ir can be lifted if an AP is found beaconing on a non-DFS channel and if the channel is also not channels 12-14 on the 2.4 GHz band. cfg80211 takes advantage of this bit of logic to lift both of these flags if and only if the wiphy device is world roaming.

Source: https://wireless.wiki.kernel.org/en/developers/regulatory/processing_rules#post_processing_mechanisms

Wi-Fi interface is not visible in the system

  • Make sure the Wi-Fi adapter is connected.
  • If you use Linux in a virtual machine, you have to connect USB device in the settings of the virtual machine. In a virtual machine, it is possible to use only USB adapters.
  • Check whether the operating system can see them:
# For USB
lsusb

# For PCI
lspci

Another possible cause is that the Wi-Fi card driver or firmware is not installed. On Linux, in addition to installing the driver, you need to install the device firmware. Users may be confused by the fact that even an installed driver does not guarantee that the device will work until its firmware is installed too. Firmware is required for all devices, including Realtek, Atheros, Intel and Mediatek chipsets; without it they do not work properly or do not work at all in Linux. Firmware packages are named differently on different distributions, and they can contain firmware for one device or for a large number of devices; see the section “Drivers and firmware” for details.

The wireless interface is visible but cannot be used

Check if the wireless interfaces are blocked:

rfkill

If they are locked, enable them with the command:

rfkill unblock all

The device sometimes disappears or appears strange in the system

If the device driver is displayed incorrectly (for example, as ??????) and the chipset information is also displayed incorrectly, then:

  • try a different cord and a different USB jack
  • do not use USB hubs
  • unplug the device from the socket and plug it again

If none of this helps, then the cause may be a hardware problem. This is especially likely if the device sometimes shows up normally and sometimes disappears or is displayed incorrectly: the device itself is probably faulty or has a bad contact.

Unable to connect to Access Point

If no other problems have been identified, but you cannot connect to the AP, then try connecting to another AP. If you have only one router, then start the AP on your mobile phone and connect to it.

If the connection succeeds, then there is some incompatibility of Wi-Fi protocols. Try disabling or, conversely, forcing certain standards (N, AC). Try forcing another channel or set automatic channel selection. Check your passwords again carefully.

I managed to connect to the AP, but there is no Internet

With the following command you can see whether the connection has really been made (look for the line that starts with “ssid”):

iw dev

Check if the interface has an IP address:

ip a

Determine the IP address of the router:

ip route show default

Then ping the router. For example, if the address of the router is 192.168.0.1, the command is:

ping 192.168.0.1

If the router does not respond, then the problem is connecting to it – for example, the signal to the AP is too weak or the IP address is not configured (the DHCP service is not running).

If you have a connection to the router, then try pinging the public IP:

ping 8.8.8.8

If the ping failed (but the router itself responds), then there is a problem with connecting the router to an external (WAN) network. Go into the settings of the router and check there.

Try to trace the path – if the trace breaks outside the router, then this may mean that your Internet provider or a higher provider has problems.

traceroute 8.8.8.8

If the router ping succeeded, then try ping by host name:

ping google.com

If ping by host name failed, then there is a problem in setting up the DNS server. These settings can be both at the system level (for example, incorrect settings in NetworkManager), and in the router.

To see which DNS server is in use, run the command:

dig google.com

Find the line that begins with “;; SERVER”- this line will contain the name server address.

;; SERVER: 8.8.8.8#53(8.8.8.8)
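
The checks above chained into one script, as an added example that is not part of the original article: it stops at the first failing stage and names it. The function name wifi_triage and the verdict words are this example's own; 8.8.8.8 and google.com are the targets used above.

```shell
#!/bin/sh
# Added example (not from the original article): the connectivity checks
# described above, run in order, stopping at the first stage that fails.

# wifi_triage IFACE [PUBLIC_IP] [HOSTNAME]
# Prints one verdict word; returns 0 only when every stage passes.
wifi_triage() {
    iface=$1
    public_ip=${2:-8.8.8.8}     # default target taken from the article
    host=${3:-google.com}       # default host name taken from the article

    # Stage 1: is the interface associated with an AP?
    if ! iw dev "$iface" link 2>/dev/null | grep -q '^Connected to'; then
        echo "not-associated"; return 1
    fi

    # Stage 2: does the interface have an IPv4 address (did DHCP work)?
    if ! ip -4 -o addr show dev "$iface" 2>/dev/null | grep -q 'inet '; then
        echo "no-ip-address"; return 1
    fi

    # Stage 3: find the default gateway that is reached through this interface.
    gw=$(ip route show default 2>/dev/null | awk -v dev="$iface" '
        $1 == "default" && $2 == "via" {
            for (i = 4; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) { print $3; exit }
        }')
    if [ -z "$gw" ]; then
        echo "no-default-route"; return 1
    fi

    # Stage 4: router reachable? Failure points at weak signal or addressing.
    if ! ping -c 2 -W 2 "$gw" >/dev/null 2>&1; then
        echo "gateway-unreachable"; return 1
    fi

    # Stage 5: public IP reachable? Failure points at the router's WAN side.
    if ! ping -c 2 -W 2 "$public_ip" >/dev/null 2>&1; then
        echo "wan-unreachable"; return 1
    fi

    # Stage 6: ping by name. Failure after stage 5 passed points at DNS.
    if ! ping -c 2 -W 2 "$host" >/dev/null 2>&1; then
        echo "dns-failure"; return 1
    fi

    echo "ok"
}

# Run only when an interface name is given, e.g.: sh triage.sh wlan0
if [ "$#" -ge 1 ]; then
    wifi_triage "$@"
fi
```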

Can't set Wi-Fi adapter into monitor mode in Windows Subsystem for Linux (WSL) / Cygwin / Docker

In Windows Subsystem for Linux (WSL), as well as in Cygwin and Docker, there is no direct access to hardware. You will not be able to use a Wi-Fi adapter (as well as a video card, etc.) in these software products.

If you are a Windows user, then the best option for you is to install Kali Linux or Arch Linux (BlackArch) in VirtualBox and connect a USB Wi-Fi adapter to this virtual machine.

If you only have a PCI (built-in) Wi-Fi adapter, install Linux on an external USB drive or on a USB flash drive and boot from it.

Ubuntu shows errors and offers to send bug reports when setting a wireless card in monitor mode

Choose any other distribution – Kali Linux, Debian, Arch Linux, BlackArch or even Linux Mint – everything works fine there.

Linux Wi-Fi FAQ

Why does the MAC address change even if the program is not used for this?

Many modern distributions are configured to constantly change the MAC address. It is normal now, but you can disable (or enable) it if you wish.

How to find out if a Wi-Fi card will be supported for auditing Wi-Fi networks

The easiest option is to choose an adapter from this list: “USB Wi-Fi Adapters with monitor mode and wireless injection”.

Modern Wi-Fi cards for wireless auditing

Dual-band wireless adapters with support for monitor mode and wireless injection, as well as supporting the AC standard:

Any of these adapters will be relevant for many more years.

How to see what happens with wireless interfaces

The following commands will help you see absolutely everything that happens behind the scenes during, for example, failed connections.

You can use the output of the following commands to solve any problems with Wi-Fi.

The following command in real time will show everything that is happening on your system – for example, when you connect a wireless adapter, it will show which driver is loaded or what problems have occurred. Messages from applications will also be displayed:

journalctl -f

The output of the program is very extensive, but its study may suggest the causes of the problem.

The following command will tell about everything that happens at the level of the Internet protocol – how IP addresses are assigned to interfaces and what routes are set in the system:

ip monitor

And this command will show all events related to wireless network interfaces:

iw event

These three commands are the most important source of information for resolving unobvious problems. Delve into their output or provide the output of these commands if you are trying to jointly resolve your Wi-Fi problem.

How to see events happening in NetworkManager and wpa_supplicant

To see what is happening in the NetworkManager in real time:

sudo journalctl -f _COMM=NetworkManager

To see events from wpa_supplicant:

sudo journalctl -f _COMM=wpa_supplicant

How to find out how much traffic was transferred

ip -s -h a show <INTERFACE>

Why are channels between 64 and 100 unavailable on 5 GHz Wi-Fi

With the command

iw list

you can see what frequencies your Wi-Fi card supports.

The set of channels differs slightly from one adapter to another, but in any case the channels between 64 and 100 are completely unavailable. That is, they are not even listed as disabled: they simply do not appear in the output at all.

Perhaps you are also curious as to why there is a gap between channel 64 and 100 in Wi-Fi 5 GHz?

Answer 1:

Various applications are listed in the 5.35-5.46 GHz band, including “Aeronautical radionavigation”. There will be channels 68 through 96. Obviously they don't want Wi-Fi enabled equipment to be turned on even by accident, which could interfere with the aircraft's navigation.

Answer 2:

These channels are used in conjunction with meteorological radar. A router using these channels should check for the presence of a weather radar. If a weather radar is detected, the router should switch to another channel that does not have a weather radar. I don't remember how quickly the router should stop using the channel. It could be 10 minutes.

If the router switches WiFi channels, clients usually don't switch. Anything connected loses its connection. I think the controller can switch clients to the new channel before the old one goes down, but again I'm not sure.

This could be corporate equipment. Consumers cannot afford it.

So

The absence of a mention of the channel in the list of supported frequencies, as well as the following entry mean that your Wi-Fi device is not capable of working on this channel:

5340 MHz [68] (disabled)

You can also see entries with “no IR”:

5180 MHz [36] (22.0 dBm) (no IR)

The no-ir (no-initiating-radiation) flag means that the channel can in principle be used, but the device cannot be the first to send any data on it; that is, the channel will be used only if the device receives beacons from a router on that frequency.

You can also see entries with “no IR, radar detection”:

5260 MHz [52] (22.0 dBm) (no IR, radar detection)

We have already figured out no IR, and “radar detection” apparently means that if a radar is detected at adjacent frequencies, then this frequency also ceases to be used - but this is rather a guess, if you know a more correct answer, then write it in the comments.
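
An added example (not from the original article) that reads the frequency lines of iw list and reports each channel's flags, including channels the adapter does not list at all. The sample input is constructed in the layout quoted above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): classify the per-channel
# flags printed by `iw list` under "Frequencies:".

# Constructed sample, using the line layout quoted in the article.
SAMPLE_IW_LIST='    Band 2:
        Frequencies:
            * 5180 MHz [36] (22.0 dBm) (no IR)
            * 5260 MHz [52] (22.0 dBm) (no IR, radar detection)
            * 5320 MHz [64] (22.0 dBm) (no IR, radar detection)
            * 5340 MHz [68] (disabled)
            * 5500 MHz [100] (22.0 dBm) (radar detection)
            * 5745 MHz [149] (30.0 dBm)'

# classify_channels: reads `iw list` text on stdin and prints one line per
# listed frequency in the form "CHANNEL FREQ_MHZ STATUS".
classify_channels() {
    awk '
    / MHz \[[0-9]+\]/ {
        freq = ""; chan = ""
        for (i = 2; i < NF; i++)
            if ($i == "MHz") { freq = $(i - 1); chan = $(i + 1) }
        gsub(/[^0-9]/, "", chan)          # "[36]" -> "36"
        if ($0 ~ /\(disabled\)/)                          status = "disabled"
        else if ($0 ~ /no IR/ && $0 ~ /radar detection/)  status = "no-ir+radar"
        else if ($0 ~ /no IR/)                            status = "no-ir"
        else if ($0 ~ /radar detection/)                  status = "radar"
        else                                              status = "ok"
        print chan, freq, status
    }'
}

# channel_status CHANNEL: same input on stdin; prints the status of that one
# channel, or "absent" when the adapter does not list the channel at all.
channel_status() {
    classify_channels | awk -v want="$1" '
        $1 == want { print $3; found = 1 }
        END { if (!found) print "absent" }'
}

# unrestricted_channels: channels that carry none of the three flags.
unrestricted_channels() {
    classify_channels | awk '$3 == "ok" { print $1 }'
}

# Demonstration on the constructed sample; on a real system use:
#   iw list | classify_channels
printf '%s\n' "$SAMPLE_IW_LIST" | classify_channels
```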

Is it possible to use old adapters supporting only B and G standards for hacking Wi-Fi?

Yes, such adapters are capable of carrying out almost all attacks, even against APs operating on the N standard. For details, see the article “What attacks are old Wi-Fi adapters suitable for?”.

Drivers and firmware

Wi-Fi drivers in Linux. Support for Wi-Fi adapters in Linux

Linux currently supports most Wi-Fi cards and drivers for them are already pre-installed on the system (they are part of the kernel). That is, when you buy a new Wi-Fi adapter or install Linux on a laptop in the vast majority of cases, no action is required – the Wi-Fi adapter will just work.

In rare cases, you need to install a driver and/or firmware from standard repositories.

In exceptional cases, you need to compile the driver from the source code.

You will find a list of installed drivers in the folder

echo /usr/lib/modules/`uname -r`/kernel/drivers/net/wireless

Output drivers by manufacturer:

tree /usr/lib/modules/`uname -r`/kernel/drivers/net/wireless

If for some reason the driver has not yet been included in the kernel, then it may be present in the standard repositories as a separate package.

So, the drivers for most Wi-Fi adapters are built into the kernel and, therefore, are already installed on any Linux. Start by connecting your wireless card and trying to connect.

If you have problems, look in the repositories for the driver and/or firmware for your device.

Firmware for Linux drivers

If you are familiar with the “Linux kernel modules” article, then you know that many devices need two things to work properly: a driver and firmware. The driver requests firmware from the file system in /lib/firmware. This is a special file necessary for hardware, it is not a binary file. Then the driver does what it takes to download the firmware to the device. The firmware performs programming of the equipment inside the device.

In addition to complete inoperability, when the system does not see the Wi-Fi device and wireless networks, the lack of firmware can lead to partial inoperability, when the system sees the device, but cannot use it.

Examples of problems that missing firmware can cause:

Installing the main firmware packages required for the operation of Wi-Fi devices is performed by the following commands.

On Kali Linux:

sudo apt install kali-linux-firmware

On Debian:

sudo apt install firmware-linux firmware-misc-nonfree firmware-iwlwifi firmware-ath9k-htc

On Ubuntu, Linux Mint:

sudo apt install linux-firmware firmware-iwlwifi firmware-ath9k-htc

On Arch Linux, Manjaro, BlackArch:

sudo pacman -S linux-firmware

For details, see the article “Firmware files for drivers in Linux”.

How to check which driver is used

# To list only USB devices and their drivers
usb-devices

# To list only PCI devices and their drivers
lspci -k

# To list both USB and PCI devices and their drivers
sudo lshw


2 Comments to Linux Wi-Fi Cheat Sheet: Tips and Troubleshooting

  1. john says:

    Using the usb-ac68 (ubuntu 5.4 kernel - 88XXau [v5.7.0_34085.20200313])

    I've recently been playing around with setting channels whilst in monitor mode,

    now whenever I turn on my hotspot from mobile phone (5 Ghz range), it seems to pick up other channels on 5ghz range, but never my phone on say channel 149.

     

    is there a way to reset channels to default ? hopefully it's something easy I missed to let it re-scan changed automatically and efficiently.

     

    thanks

  2. shaji says:

    Hi,

    I have a DLINK D-Link_DWA-172_rev_A1 USB adapter which is having Realtek RTL8811AU chipset

    Bus 002 Device 002: ID 2001:3318 D-Link Corp. 11ac adapter.

    Which is the best driver for Kali 2020.4 ?

    Does this adapter support monitor and injection for both 2.4 and 5GHZ?

    Thanks & Regards

    Shaji
