How I Used Monitor Mode on TP-Link WN722N for Fun

Here's a little demo of using monitor mode to capture wireless traffic and use it to your advantage.
Warp Terminal

As a kid, I used to be amazed by those movie scenes where someone would tap a few keys on their computer and say, "I'm in!".

That fascination is what got me into wireless network security, back when WPA2 was the standard, and things were much easier to bypass.

I remember looking up Wi-Fi adapters, and the Alfa models were way out of my budget, especially as a student.

After some research, I went for the TP-Link WN722N V1, hoping for the Atheros chipset, only to end up with the V2/V3 version using the Realtek RTL8188EUS chipset.

The good news? You can still enable monitor mode on it!

📋
Monitor mode allows the device to monitor all traffic received on a wireless channel. You don't need to be connected to the access point. This can be used to get data from unsecured channels (that's why we should use https) and attempt to crack router password (I'll demo it later).

In this guide, I'll show you how to get the right driver and start monitoring wireless networks ;)

Driver Installation

🚧
I used Raspberry Pi in this setup. And I did all this for fun to experiment with monitor mode and wifi signals. Don't try it on your main Linux system as it involves driver changes and manual installations. If things don't go your way, you may end up with broken system. And certainly don't try it for illegally snooping on your neighbor's WiFi.

To enable monitor mode, the correct drivers are needed. And the installation needs an updated system.

sudo apt update && sudo apt upgrade -y

Next, I installed the build essential tools for building and compiling the driver from source:

sudo apt install dkms build-essential linux-headers-$(uname -r) git bc

Here's the breakdown of the command:

  • dkms: Manages kernel modules.
  • build-essential: Includes compilation tools like gcc and make.
  • linux-headers-$(uname -r): Installs the headers matching your current kernel version.
  • git: Used to clone repositories, essential for downloading the driver source code.
  • bc: A calculator language, sometimes required during driver compilation for mathematical operations.
Installing build essentials on Pi

Now comes the important part and it is to download the 'Realtek RTL8188EUS' driver. Thankfully, Kali Linux's official repository has it:

git clone https://gitlab.com/kalilinux/packages/realtek-rtl8188eus-dkms.git
Get drivers from Kali Linux GitHub

Once the repository is cloned, the next step is to compile the driver from source.

Navigate into the cloned directory and run the following command to build the driver:

cd realtek-rtl8188eus-dkms
make && sudo make install

The build process will take a few seconds depending on your CPU.

Disabling Conflicting Drivers

Now that the driver is installed, I blocked any previously running drivers that might have interfered.

echo 'blacklist r8188eu' | sudo tee -a '/etc/modprobe.d/realtek.conf'
  • echo 'blacklist r8188eu': Creates a line of text to block the r8188eu driver.
  • | sudo tee -a '/etc/modprobe.d/realtek.conf': Appends that text to the file /etc/modprobe.d/realtek.conf with superuser privileges, ensuring the driver is blacklisted.
Blacklist old drivers

A reboot is required to apply the changes. After restarting the Linux system, the new adapter should come online and be ready for use.

Enabling Monitor Mode

At this stage, the adapter is still in managed mode (the default for typical Wi-Fi use).

sudo iwconfig
iwconfig

I will use aircrack-ng tool to enable monitor mode. It allows capturing packets from nearby networks.

Run the following command to kill any processes that might interfere:

sudo airmon-ng check kill

Bring the interface down:

sudo ip link set <interface> down

Set the adapter to monitor mode:

sudo iw dev <interface> set type monitor

Bring the interface back up:

sudo ip link set <interface> up
using wifi adapter in monitor mode

Now it is in 'monitor' mode:

Monitor mode for wifi adapter

Great! The adapter is now in monitor mode!

But what's the fun in stopping here? Let’s test it on a live network and really see what it can do!

Using monitor mode for to recover forgotten WiFi password

Let me share a good usecase of this monitor mode where I recovered the forgotten WiFi password.

So, here's my setup: I’m using a Raspberry Pi 3B+ and accessing it via SSH.

Raspberry Pi with WiFi

And the target - my classic old DSL router (not connected to the Internet):

D Link router

Now, in a stroke of sheer bad luck, I’ve forgotten the Wi-Fi password, which we’ll try to recover today using wifite2, one of the popular Kali Linux tools.

It's a tool that automates the process of capturing WPA/WPA2 handshakes and cracking password keys.

I prefer wifite2 over aircrack-ng because of its user-friendly interface and automated features, which simplify the process significantly.

Quest: Finding Lost Password

I’m not covering the installation process for wifite2 here.

🚧
Warning: This content is for educational purposes only. Unauthorized use of these techniques may violate laws and ethical guidelines. Please respect the privacy and security of others and follow the cyber security law of your country.

To use wifite2, run the following command:

sudo wifite --kill --random-mac --dict ~/wifite2/wordlist-top4800-probable.txt
  • --kill: Stops interfering processes (like network managers) to ensure smooth operation.
  • --random-mac: Randomizes your MAC address for anonymity.
  • --dict /wifite2/wordlist-top4800-probable.txt: Specifies a custom wordlist for password cracking.
Using wifite

You can see our VICTIM router here.

Once you’ve entered the target, wifite2 will automatically start performing a series of attacks.

Since I only have one attack installed (WPA handshake capture), wifite2 will handle everything from here.

The image above might look a little confusing; let me explain what's happening up there:

  1. Send Deauth Signals: Wifite2 disconnects clients from the network to force a reconnect.
  2. Capture Handshake: It tries to captures the WPA handshake, which is a verification process between the router and client.
  3. Handshake Captured: Confirmation that the handshake data has been successfully collected.
  4. Save Handshake: The handshake is saved in a file named something like handshake_DLinkVICTIM_00-00-00-00-2024.cap.
  5. Crack Password: Wifite2 uses the wordlist you provided to crack the password.
  6. Password Revealed: The cracked Wi-Fi password admin123.
📋
Since this was for a demo purpose, I used word list feature and had a simple password on the router. Unsurprisingly, in a real world scenario, that is likely not to be the case.

Conclusion

So, I shared how I enabled monitor mode on a budget TP-Link adapter and a thing or two about wireless networks and their vulnerabilities.

Remember, while this knowledge is powerful, it's crucial to use it responsibly. Always respect the privacy of others and only test networks that you have explicit permission to access.

These little experiments are a fun way to improve your knowledge. At least, that's what I think. What do you say?

About the author
Abhishek Kumar

Abhishek Kumar

I'm definitely not a nerd, perhaps a geek who likes to tinker around with whatever tech I get my hands on. Figuring things out on my own gives me joy. BTW, I don't use Arch.

Become a Better Linux User

With the FOSS Weekly Newsletter, you learn useful Linux tips, discover applications, explore new distros and stay updated with the latest from Linux world

itsfoss happy penguin

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to It's FOSS.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.