← Back to Systems Hub
PRIVATE -- NOT FOR DISTRIBUTION

Kali Live USB Troubleshooting

ALFA AWUS036AXM + Kali Linux Live -- Exhaustive Field Reference
Last updated: 2026-03-22

Quick Jump

01 ALFA Not Detected 02 Monitor Mode Setup 03 USB Power Issues 04 Network Manager Conflicts 05 ALFA AWUS036AXM Chipset 06 APT Update Errors 07 Bluetooth Troubleshooting 08 Audio (Bluetooth Headset) 09 WiFi / Phone Hotspot 10 HDMI / External Display 11 Persistence Issues 12 Screen Lock / Power Mgmt 13 File Sharing (Kali ↔ Windows) 14 Capturing Evidence 15 Wireshark on Kali 16 Claude Code on Kali 17 ProtonVPN on Kali 18 USB Drive Access 19 Common Kali Live Issues 20 Emergency: Nothing Works
1 ALFA AWUS036AXM Not Detected

Step 1: Check if USB bus sees the device

lsusb

Look for: 0e8d:7961 MediaTek Inc. Wireless_Device

SUCCESS output (device detected):
Bus 002 Device 003: ID 0e8d:7961 MediaTek Inc. Wireless_Device Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
FAILURE output (device missing):
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 002: ID 8087:0026 Intel Corp. AX201 Bluetooth Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
IF 0e8d:7961 appears in lsusb:
--> USB sees it. Skip to "If IN lsusb but not in iwconfig" below.
IF 0e8d:7961 does NOT appear:
--> Physical / power problem. See steps below.

If NOT in lsusb -- physical troubleshooting

  1. Unplug the ALFA completely, wait 5 seconds
  2. Try a different USB-A port (rear ports preferred on desktops -- more power)
  3. Try without any extension cable or hub -- plug directly into the laptop
  4. Try a powered USB hub if available (see Section 3: USB Power Issues)
  5. Check if the adapter's LED lights up at all when plugged in
  6. Try the adapter on a different machine to rule out dead hardware

Check kernel messages for USB errors:

dmesg | tail -40
Common error messages and what they mean:
usb 2-1: device descriptor read/64, error -71 <-- USB cable/port issue usb 2-1: device not accepting address 4, error -71 <-- power delivery problem usb 2-1: USB disconnect, device number 3 <-- adapter losing power usb 2-1: Cannot enable. Maybe the USB cable is bad? <-- bad cable or port

More detailed USB diagnostics:

# Show all USB devices with details
lsusb -v 2>/dev/null | grep -A5 "MediaTek"

# Show USB device tree (hierarchical view)
lsusb -t

# Check USB errors in kernel ring buffer
dmesg | grep -i "usb\|error\|fail\|disconnect" | tail -20

# Show USB power info
cat /sys/bus/usb/devices/*/power/control 2>/dev/null

If IN lsusb but not in iwconfig

USB sees it but the WiFi driver hasn't loaded. Load the driver manually:

# Load the mt7921u driver
sudo modprobe mt7921u

# Check what happened
sudo dmesg | tail -30

# Verify the interface appeared
iwconfig
iw dev
ip link show
IF dmesg shows "firmware not found" or "Direct firmware load for mediatek/... failed":
--> Firmware is missing. See firmware fix below.
IF dmesg shows "mt7921u ... firmware ... loaded" and iwconfig shows wlan1:
--> You're good. Proceed to monitor mode (Section 2).
IF dmesg shows nothing at all:
--> Module might not exist. Run: modinfo mt7921u

If firmware is missing

# Install firmware package
sudo apt update --allow-insecure-repositories
sudo apt install --allow-unauthenticated firmware-misc-nonfree

# Reload the driver
sudo modprobe -r mt7921u && sudo modprobe mt7921u

# Check if it worked
sudo dmesg | tail -20
iwconfig

Verify the firmware files exist on disk:

# These files MUST exist for the adapter to work
ls -la /lib/firmware/mediatek/WIFI_MT7961_patch_mcu_1_2_hdr.bin
ls -la /lib/firmware/mediatek/WIFI_RAM_CODE_MT7961_1.bin

# Also check alternate paths
find /lib/firmware -name "*mt7961*" -o -name "*MT7961*" 2>/dev/null
SUCCESS -- firmware files present:
-rw-r--r-- 1 root root 786432 Jan 15 2026 /lib/firmware/mediatek/WIFI_MT7961_patch_mcu_1_2_hdr.bin -rw-r--r-- 1 root root 1048576 Jan 15 2026 /lib/firmware/mediatek/WIFI_RAM_CODE_MT7961_1.bin

If firmware files don't exist and apt can't install them (no internet on Kali):

# Download from another machine, put on USB, then:
# Option 1: Get from linux-firmware git
# https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/mediatek
# Copy WIFI_MT7961_patch_mcu_1_2_hdr.bin and WIFI_RAM_CODE_MT7961_1.bin

# From USB drive:
sudo cp /media/kali/USBDRIVE/WIFI_MT7961_patch_mcu_1_2_hdr.bin /lib/firmware/mediatek/
sudo cp /media/kali/USBDRIVE/WIFI_RAM_CODE_MT7961_1.bin /lib/firmware/mediatek/
sudo modprobe -r mt7921u && sudo modprobe mt7921u

Verify adapter is fully ready

# All three of these should show the adapter
iwconfig
iw dev
ip link show

# Check supported modes (look for "monitor")
iw phy phy1 info | grep -A8 "Supported interface modes"

# Check current state
iw dev wlan1 info
SUCCESS -- adapter ready for monitor mode:
wlan1 IEEE 802.11 ESSID:off/any Mode:Managed Access Point: Not-Associated Retry short limit:7 RTS thr:off Fragment thr:off Power Management:on
2 Monitor Mode Setup

RECOMMENDED method (iw -- keeps internet alive on wlan0)

DO NOT use airmon-ng check kill unless absolutely necessary

airmon-ng check kill kills NetworkManager, which manages ALL adapters including your internet on wlan0. Use the manual method below to ONLY affect the ALFA adapter.

# Put ONLY wlan1 (ALFA) into monitor mode -- wlan0 internet stays up
sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up

# Verify monitor mode is active
iwconfig wlan1
SUCCESS -- monitor mode active (internet still working):
wlan1 IEEE 802.11 Mode:Monitor Frequency:5.18 GHz Retry short limit:7 RTS thr:off Fragment thr:off Power Management:on wlan0 IEEE 802.11 ESSID:"Praxis" Mode:Managed Frequency:2.437 GHz Access Point: XX:XX:XX:XX:XX:XX

Note: With this method, the interface stays named wlan1 (NOT wlan1mon). Use wlan1 in all capture commands.

To stop monitor mode and return to managed:

sudo ip link set wlan1 down
sudo iw dev wlan1 set type managed
sudo ip link set wlan1 up

Fallback method (airmon-ng -- WILL drop internet)

Only use this if the manual method above fails.

# WARNING: This kills NetworkManager -- internet WILL drop
sudo airmon-ng check kill
sudo airmon-ng start wlan1

# Immediately restore internet on wlan0
sudo systemctl start NetworkManager
sleep 3
nmcli device wifi connect "Praxis" password "YOUR_PASSWORD" ifname wlan0

# Verify both adapters
iwconfig
SUCCESS -- monitor mode active:
wlan1mon IEEE 802.11 Mode:Monitor Frequency:2.412 GHz Retry short limit:7 RTS thr:off Fragment thr:off Power Management:on
FAILURE -- still in managed mode:
wlan1 IEEE 802.11 ESSID:off/any Mode:Managed Access Point: Not-Associated

If airmon-ng says "no such device"

# Find the actual interface name -- it might not be wlan1
iw dev

# Common names: wlan0 (if internal WiFi not loaded), wlan1, wlp0s20f3
# Use whatever name iw dev shows
sudo airmon-ng start [YOUR_INTERFACE_NAME]

If airmon-ng says "Found processes that could cause trouble"

# Kill them all manually if airmon-ng check kill didn't work
sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant
sudo killall dhclient 2>/dev/null
sudo killall wpa_supplicant 2>/dev/null

# Verify nothing is left
sudo airmon-ng check

# Try monitor mode again
sudo airmon-ng start wlan1

If both methods fail -- nuclear option

# Kill everything, reload driver, try again
sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant
sudo killall dhclient 2>/dev/null
sudo modprobe -r mt7921u
sudo modprobe mt7921u
sleep 2
sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up

# Verify
iwconfig wlan1
# Should now show Mode:Monitor

# Set to specific channel
sudo iw dev wlan1 set channel 157

If monitor mode starts but won't capture (0 packets)

# Check if the interface is actually UP
ip link show wlan1mon
# Look for "state UP" vs "state DOWN"

# Bring it up if down
sudo ip link set wlan1mon up

# Check if it's on the right channel
iw dev wlan1mon info
# Should show channel 157 (5785 MHz)

# Manually set channel if wrong
sudo iw dev wlan1mon set channel 157

# Check for TX power (should be non-zero)
iwconfig wlan1mon | grep "Tx-Power"

Stopping monitor mode (when done)

# Stop monitor mode
sudo airmon-ng stop wlan1mon

# OR if using iw method:
sudo ip link set wlan1 down
sudo iw dev wlan1 set type managed
sudo ip link set wlan1 up

# Restart networking
sudo systemctl start NetworkManager
sudo systemctl start wpa_supplicant
3 USB Power Issues

Symptoms

  • Adapter LED flickers or blinks erratically
  • Adapter shows in lsusb briefly then disappears
  • dmesg shows repeated "USB disconnect" and "new USB device found" cycles
  • Adapter works for a few minutes then drops out mid-capture
  • Works in one port but not another

USB-A vs USB-C power delivery differences

  • USB-A 2.0: 500mA max (2.5W) -- often NOT enough for the ALFA
  • USB-A 3.0: 900mA max (4.5W) -- usually works, look for blue port
  • USB-C: Up to 3A (15W) -- most reliable, but needs USB-A to USB-C adapter
  • The ALFA AWUS036AXM draws ~400-600mA under load -- right at the edge for USB 2.0

Check current USB power status

# Check USB autosuspend settings (should be "on" for active use)
cat /sys/bus/usb/devices/*/power/control

# Check power usage per USB device
for d in /sys/bus/usb/devices/*/; do
  if [ -f "$d/idVendor" ]; then
    vendor=$(cat "$d/idVendor" 2>/dev/null)
    product=$(cat "$d/idProduct" 2>/dev/null)
    power=$(cat "$d/power/control" 2>/dev/null)
    maxpower=$(cat "$d/bMaxPower" 2>/dev/null)
    echo "$d: $vendor:$product power=$power maxpower=$maxpower"
  fi
done

# Check for USB power-related errors
dmesg | grep -i "over-current\|power\|usb.*error\|disconnect" | tail -20

Disable USB autosuspend (prevents adapter from sleeping)

# Disable autosuspend for ALL USB devices (immediate, non-persistent)
echo on | sudo tee /sys/bus/usb/devices/*/power/control

# Verify it took effect
cat /sys/bus/usb/devices/*/power/control
# Should all show "on" instead of "auto"

Persistent fix via kernel parameter

# Add kernel parameter (for persistence-enabled live USB)
# Edit GRUB config:
sudo nano /etc/default/grub
# Find GRUB_CMDLINE_LINUX_DEFAULT and add: usbcore.autosuspend=-1
# Example: GRUB_CMDLINE_LINUX_DEFAULT="quiet usbcore.autosuspend=-1"
sudo update-grub

# OR for immediate effect without reboot (current session only):
echo -1 | sudo tee /sys/module/usbcore/parameters/autosuspend

Powered USB hub workaround

  • Use a USB hub with its own power supply (wall adapter)
  • Plug the ALFA into the powered hub, hub into the laptop
  • This completely eliminates laptop USB power as a variable
  • Even a cheap $15 powered hub works -- just needs its own power brick
IF adapter flickers or cycles in dmesg:
--> Power problem. Try USB 3.0 (blue) port or powered hub.
IF adapter works then drops during capture:
--> Autosuspend. Disable it (echo on | sudo tee ...)
IF adapter works in one port but not another:
--> Use the working port. The other one is likely USB 2.0 or damaged.
4 Network Manager Conflicts

NetworkManager and wpa_supplicant actively fight with monitor mode. They will try to reconnect the adapter to managed-mode networks, causing captures to fail silently or the interface to flip back to managed mode.

The problem

  • NetworkManager: Constantly scans for and connects to WiFi networks. It will grab your ALFA and try to connect it to something.
  • wpa_supplicant: Manages WPA authentication. It holds a lock on the wireless interface.
  • dhclient: DHCP client that requests IP addresses. Can interfere with raw captures.

Properly kill everything BEFORE monitor mode

# Method 1: airmon-ng (usually sufficient)
sudo airmon-ng check kill

# Method 2: Manual kill (if airmon-ng misses something)
sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant
sudo killall dhclient 2>/dev/null
sudo killall wpa_supplicant 2>/dev/null
sudo killall dhcpcd 2>/dev/null

# Verify nothing is left
sudo airmon-ng check
# Should say: "No processes that could cause trouble were found"
SUCCESS -- clean environment:
No processes that could cause trouble were found
FAILURE -- processes still running:
Found 2 processes that could cause trouble: PID Name 847 NetworkManager 903 wpa_supplicant

If processes refuse to die

# Nuclear kill (force)
sudo kill -9 $(pidof NetworkManager) 2>/dev/null
sudo kill -9 $(pidof wpa_supplicant) 2>/dev/null
sudo kill -9 $(pidof dhclient) 2>/dev/null

# Prevent them from restarting automatically
sudo systemctl mask NetworkManager
sudo systemctl mask wpa_supplicant

# Verify
sudo airmon-ng check

Restart everything AFTER capture (to get networking back)

# Stop monitor mode first
sudo airmon-ng stop wlan1mon

# If you masked the services earlier, unmask them
sudo systemctl unmask NetworkManager
sudo systemctl unmask wpa_supplicant

# Restart networking
sudo systemctl start NetworkManager
sudo systemctl start wpa_supplicant

# Verify networking is back
nmcli device status
nmcli device wifi list
IF monitor mode keeps flipping back to managed mode:
--> NetworkManager is still running. Kill it harder (kill -9, then mask).
IF you lose internet on the internal WiFi after killing processes:
--> Expected. You killed NetworkManager. Restart it when done capturing.
IF you need internet DURING capture (e.g., for updates):
--> Use phone USB tethering on a separate interface, or set up internal WiFi manually with iwctl/wpa_cli before killing NM.
5 ALFA AWUS036AXM Specific Issues (mt7921au)

Chipset details

  • Chipset: MediaTek MT7921AU (USB version of MT7921)
  • Driver: mt7921u (in-kernel since Linux 5.18)
  • Bands: 2.4 GHz + 5 GHz (WiFi 6 / 802.11ax)
  • USB ID: 0e8d:7961
  • Monitor mode: Supported in-kernel (no patched drivers needed)
  • Packet injection: Limited support -- some kernels/firmware versions work, some don't

Check firmware version and driver status

# Check what kernel sees about the mt7921
sudo dmesg | grep -i mt7921

# Check driver module info
modinfo mt7921u

# Check loaded firmware version
sudo dmesg | grep -i "firmware"

# Check which kernel module is bound to the device
lsusb -v -d 0e8d:7961 2>/dev/null | head -30

# Check driver version
cat /sys/module/mt7921u/version 2>/dev/null || echo "version file not found"
SUCCESS -- firmware loaded:
[ 12.345678] mt7921u 2-1:1.0: HW/SW Version: 0x8a108a10, FW Version: 0x26010901 [ 12.345679] mt7921u 2-1:1.0: WM Firmware Version: ____010901, Build Time: 20231201 [ 12.456789] mt7921u 2-1:1.0: WLAN MADR: ab:cd:ef:12:34:56

Required firmware files

# These files MUST be in /lib/firmware/mediatek/
ls -la /lib/firmware/mediatek/WIFI_MT7961_patch_mcu_1_2_hdr.bin
ls -la /lib/firmware/mediatek/WIFI_RAM_CODE_MT7961_1.bin

# If missing, install firmware package
sudo apt update --allow-insecure-repositories
sudo apt install --allow-unauthenticated firmware-misc-nonfree

# Or manually download from linux-firmware git repo
# https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/mediatek

Known issues with mt7921au

  • Power save causes drops: The adapter's power save mode can cause it to stop capturing. Always disable it.
  • 5 GHz channel restrictions: Some channels may be blocked by regulatory domain settings.
  • Firmware crashes: Older firmware versions can crash under heavy capture load. Update firmware if possible.
  • Monitor mode channel hopping: Can be slow compared to Atheros-based adapters.

Disable power save (critical for reliable capture)

# Disable power save on the adapter
sudo iw dev wlan1 set power_save off

# Verify it's off
iw dev wlan1 get power_save
# Should say: Power save: off

# If in monitor mode already:
sudo iw dev wlan1mon set power_save off

Fix regulatory domain (if 5 GHz channels are blocked)

# Check current regulatory domain
iw reg get

# Set to US (allows channel 157)
sudo iw reg set US

# Verify channel 157 (5785 MHz) is now available
iw phy phy1 channels | grep -A2 "5785"

# If channel 157 shows "no IR" or "disabled":
# The regulatory database might be locked. Try:
sudo apt install --allow-unauthenticated wireless-regdb
sudo iw reg set US

If the adapter firmware crashes during capture

# Symptoms: capture stops, dmesg shows "ASSERT" or "reset" messages
sudo dmesg | grep -i "assert\|reset\|crash\|firmware" | tail -10

# Recovery: unload and reload the driver
sudo airmon-ng stop wlan1mon 2>/dev/null
sudo modprobe -r mt7921u
sleep 2
sudo modprobe mt7921u
sleep 3
iwconfig
# Should show wlan1 again. Restart monitor mode.
6 APT Update Errors (Unsigned Repos)

Quick fix (bypass signature check)

sudo apt update --allow-insecure-repositories

Common error messages

GPG key errors:
W: GPG error: http://http.kali.org/kali kali-rolling InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED444FF07D8D0BF6 E: The repository 'http://http.kali.org/kali kali-rolling InRelease' is not signed.

Fix properly (install archive key)

# Download and install the Kali archive key
sudo wget https://archive.kali.org/archive-key.asc -O /etc/apt/trusted.gpg.d/kali-archive-key.asc
sudo apt update

# If wget fails (no internet yet), try curl:
sudo curl -fsSL https://archive.kali.org/archive-key.asc -o /etc/apt/trusted.gpg.d/kali-archive-key.asc
sudo apt update

If apt is completely broken

# Check sources list
cat /etc/apt/sources.list

# It should contain:
# deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware

# Fix sources list if wrong:
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware" | sudo tee /etc/apt/sources.list

# Clear apt cache and retry
sudo apt clean
sudo apt update --allow-insecure-repositories

Installing packages without apt (dpkg method)

# If you downloaded .deb files manually:
sudo dpkg -i /path/to/package.deb

# Fix broken dependencies after dpkg install:
sudo apt install -f --allow-unauthenticated

Force install with broken dependencies

# Force install ignoring authentication
sudo apt install --allow-unauthenticated PACKAGE_NAME

# Force install ignoring broken deps (last resort)
sudo apt install --fix-broken --allow-unauthenticated PACKAGE_NAME
7 Bluetooth Detailed Troubleshooting

Background: Killer AX1650i = Intel AX201

The Killer AX1650i is a rebranded Intel AX201. It has both WiFi and Bluetooth on the same chip (CNVi). The Bluetooth controller uses the Intel firmware loaded via btintel/btusb kernel modules.

Step 1: Install required packages

sudo apt update --allow-insecure-repositories
sudo apt install --allow-unauthenticated bluetooth bluez blueman firmware-iwlwifi

Step 2: Load kernel modules

sudo modprobe btusb
sudo modprobe btintel

Step 3: Unblock and start Bluetooth service

# Check if Bluetooth is soft-blocked or hard-blocked
rfkill list

# Unblock if blocked
sudo rfkill unblock bluetooth

# Start and enable the service
sudo systemctl start bluetooth
sudo systemctl enable bluetooth

# Verify service is running
sudo systemctl status bluetooth
SUCCESS -- rfkill shows unblocked:
0: hci0: Bluetooth Soft blocked: no Hard blocked: no
FAILURE -- Bluetooth blocked:
0: hci0: Bluetooth Soft blocked: yes Hard blocked: no

Step 4: Pair and connect a device

# Use bluetoothctl interactive shell
bluetoothctl

# Inside bluetoothctl:
power on
agent on
default-agent
scan on
# Wait for your device to appear. Note its MAC address (XX:XX:XX:XX:XX:XX)
# When you see it:
pair XX:XX:XX:XX:XX:XX
# Accept pairing on the device if prompted
connect XX:XX:XX:XX:XX:XX
trust XX:XX:XX:XX:XX:XX
# Type quit when done:
quit

If bluetoothctl says "No default controller available"

This means the Bluetooth firmware failed to load. The controller hardware exists but can't initialize.

# Check what firmware is failing
sudo dmesg | grep -i "bluetooth\|btusb\|btintel\|firmware"

# Look for lines like:
# "bluetooth hci0: Direct firmware load for intel/ibt-0041-0041.sfi failed"
# The file name tells you what's missing

# Check if firmware files exist
ls /lib/firmware/intel/ibt-*

# If missing, install firmware
sudo apt install --allow-unauthenticated firmware-iwlwifi

# Reload Bluetooth modules
sudo modprobe -r btusb btintel
sudo modprobe btusb
sudo modprobe btintel
sudo systemctl restart bluetooth

# Check again
sudo hciconfig -a
SUCCESS -- hciconfig shows controller:
hci0: Type: Primary Bus: USB BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 1021:4 SCO MTU: 96:6 UP RUNNING PSCAN ISCAN
FAILURE -- no output from hciconfig:
(empty -- no Bluetooth controllers found)

If hci0 shows DOWN instead of UP RUNNING

# Bring it up manually
sudo hciconfig hci0 up

# If that fails with "Can't init device hci0: Connection timed out"
# The firmware didn't load. Check dmesg for firmware errors.
sudo dmesg | grep -i firmware | tail -10

GUI alternative: Blueman

# Launch Blueman GUI (easier for pairing)
blueman-manager &
8 Audio Issues (Bluetooth Headset/Speaker)

Install PulseAudio with Bluetooth support

sudo apt install --allow-unauthenticated pulseaudio pulseaudio-module-bluetooth pavucontrol
pulseaudio --start

If Bluetooth device connects but no audio

# Restart PulseAudio with Bluetooth module
pulseaudio --kill
pulseaudio --start

# Check if Bluetooth audio sink is available
pactl list sinks short

# Set Bluetooth device as default output
# Find the sink name from the list above, then:
pactl set-default-sink bluez_sink.XX_XX_XX_XX_XX_XX.a2dp_sink

# Open PulseAudio volume control GUI (easier)
pavucontrol &

If PulseAudio module fails to load

# Load Bluetooth module manually
pactl load-module module-bluetooth-discover
pactl load-module module-bluetooth-policy

# If it says "Module load failed":
pulseaudio --kill
sudo rm -rf ~/.config/pulse/*
pulseaudio --start

Built-in laptop speakers (no Bluetooth)

# Check if ALSA sees the sound card
aplay -l

# Test audio
speaker-test -c 2 -t wav

# If no sound card found, load Intel audio driver
sudo modprobe snd-hda-intel
9 WiFi (Internal) -- Connect to Phone Hotspot

Using nmcli (command line)

# Make sure NetworkManager is running
sudo systemctl start NetworkManager

# List available networks
nmcli device wifi list

# Connect to hotspot
nmcli device wifi connect "SSID_NAME" password "PASSWORD"

# Verify connection
ip addr show wlan0
ping -c 3 8.8.8.8
curl -s ifconfig.me
# Should show your public IP

If nmcli says "Error: No Wi-Fi device found"

# Check device status
nmcli device status

# If wlan0 shows "unmanaged":
sudo nmcli device set wlan0 managed yes

# If wlan0 doesn't appear at all:
rfkill list
# Check if WiFi is soft or hard blocked
sudo rfkill unblock wifi

# Check if internal WiFi driver is loaded
lspci -k | grep -A3 -i wireless
# For Intel AX201: should show "Kernel driver in use: iwlwifi"

# Load driver if missing
sudo modprobe iwlwifi

If hotspot doesn't appear in scan

  • Make sure hotspot is enabled on your phone and broadcasting
  • iPhone: Settings > Personal Hotspot > Allow Others to Join
  • Android: Settings > Connections > Mobile Hotspot
  • Try rescanning: nmcli device wifi rescan
  • Check if the hotspot is 5 GHz only -- some internal adapters default to 2.4 GHz scanning

Alternative: USB tethering (more reliable than WiFi hotspot)

# Plug phone in via USB cable, enable USB tethering on phone
# iPhone: requires trust prompt first
# Android: Settings > Connections > Mobile Hotspot > USB Tethering

# Check for new network interface
ip link show
# Look for usb0, enp0s*, or eth* (new interface)

# Get an IP via DHCP
sudo dhclient usb0
# Or whatever the interface name is

# Verify
ping -c 3 8.8.8.8

If NetworkManager was killed for monitor mode

# You can use the internal WiFi for internet while the ALFA is in monitor mode
# But NetworkManager must be running for the internal adapter

# Selective approach: only kill processes on the ALFA, not the internal WiFi
# Start monitor mode manually instead of using airmon-ng check kill:
sudo ip link set wlan1 down
sudo iw dev wlan1 set type monitor
sudo ip link set wlan1 up

# This leaves NetworkManager running for wlan0 (internal)
10 HDMI / External Display

Check connected displays

xrandr
SUCCESS -- HDMI connected:
eDP-1 connected primary 1920x1080+0+0 HDMI-1 connected 1920x1080+1920+0
HDMI connected but no signal:
eDP-1 connected primary 1920x1080+0+0 HDMI-1 connected (normal left inverted right x axis y axis) 1920x1080 60.00 + 1280x720 60.00

Enable external display

# Auto-detect and enable
xrandr --output HDMI-1 --auto

# Extend to the right
xrandr --output HDMI-1 --auto --right-of eDP-1

# Extend to the left
xrandr --output HDMI-1 --auto --left-of eDP-1

# Mirror (same on both screens)
xrandr --output HDMI-1 --auto --same-as eDP-1

# External only (laptop screen off)
xrandr --output eDP-1 --off --output HDMI-1 --auto

If HDMI-1 not showing at all in xrandr

# Check kernel messages for HDMI
sudo dmesg | grep -i "hdmi\|drm\|display"

# Install kernel headers (needed for some GPU drivers)
sudo apt install --allow-unauthenticated linux-headers-$(uname -r)

# Check GPU driver
lspci -k | grep -A3 -i "vga\|display\|3d"

# For Intel GPU (most common in laptops):
sudo modprobe i915

# For NVIDIA (if applicable):
sudo apt install --allow-unauthenticated nvidia-driver
# Reboot after installing

Set specific resolution

# List available modes for a display
xrandr --output HDMI-1 --verbose

# Set specific resolution
xrandr --output HDMI-1 --mode 1920x1080 --rate 60

# If desired resolution isn't listed, add it manually:
cvt 1920 1080 60
# Copy the Modeline output, then:
xrandr --newmode "1920x1080_60.00" [paste modeline values here]
xrandr --addmode HDMI-1 "1920x1080_60.00"
xrandr --output HDMI-1 --mode "1920x1080_60.00"
11 Kali Live Persistence Issues

How persistence works

  • Kali Live USB has 2-3 partitions: boot partition (ISO), EFI partition, and a persistence partition
  • The persistence partition must be ext4 formatted and labeled "persistence"
  • It must contain a file called persistence.conf with the content "/ union"
  • The boot menu must include the "persistence" option (Rufus does this automatically)

Check if persistence is active

# Check if persistence partition is mounted
mount | grep persistence

# Check boot parameters (should include "persistence")
cat /proc/cmdline

# Check partition layout
sudo fdisk -l

# Check partition labels
sudo blkid
SUCCESS -- persistence active:
/dev/sda3 on /run/live/persistence/sda3 type ext4 (rw,noatime) BOOT_IMAGE=/live/vmlinuz boot=live persistence quiet splash
FAILURE -- no persistence:
(mount shows nothing for persistence) BOOT_IMAGE=/live/vmlinuz boot=live quiet splash (no "persistence" keyword in cmdline)

If persistence partition exists but not mounting

# Find the persistence partition
sudo fdisk -l
# Look for a partition that's NOT the ISO and NOT EFI
# Usually /dev/sda3 or /dev/sdb3

# Check its label
sudo e2label /dev/sda3
# Should say "persistence"

# If label is wrong or missing:
sudo e2label /dev/sda3 persistence

# Mount it and check the config file
sudo mkdir -p /mnt/usb
sudo mount /dev/sda3 /mnt/usb
cat /mnt/usb/persistence.conf
# Should contain exactly: / union

# If persistence.conf is missing or wrong:
echo "/ union" | sudo tee /mnt/usb/persistence.conf
sudo umount /mnt/usb

# Reboot to activate
sudo reboot

If you need to create persistence from scratch

# WARNING: This modifies the USB drive. Back up first.
# Find the right device (BE CAREFUL -- wrong device = data loss)
sudo fdisk -l

# If there's free space after the ISO partitions, create partition:
sudo fdisk /dev/sda
# n (new), p (primary), 3 (partition number), defaults for start/end
# w (write)

# Format as ext4 with persistence label
sudo mkfs.ext4 -L persistence /dev/sda3

# Mount and create config
sudo mkdir -p /mnt/usb
sudo mount /dev/sda3 /mnt/usb
echo "/ union" | sudo tee /mnt/usb/persistence.conf
sudo umount /mnt/usb

# Reboot and select "Live USB Persistence" from boot menu
sudo reboot

Test if persistence is working

# Create a test file
echo "persistence test $(date)" > ~/persistence-test.txt

# Reboot
sudo reboot

# After reboot, check if the file survived:
cat ~/persistence-test.txt
12 Screen Lock / Power Management

For a monitoring station, you don't want the screen going blank mid-capture. Disable everything.

Disable screen blank and power management (command line)

# Disable screensaver
xfce4-screensaver-command --deactivate 2>/dev/null

# Disable DPMS (Display Power Management Signaling)
xset s off
xset -dpms
xset s noblank

# Verify settings
xset q | grep -A5 "Screen Saver"
xset q | grep -A5 "DPMS"
SUCCESS -- all screen blanking off:
Screen Saver: prefer blanking: no allow exposures: yes timeout: 0 cycle: 0 DPMS (Energy Star): DPMS is Disabled

Disable via XFCE GUI (if available)

  • Settings > Power Manager > Display tab > set all timeouts to "Never"
  • Settings > Power Manager > System tab > set all to "Do nothing"
  • Settings > Screensaver > disable everything

Prevent system sleep/suspend

# Disable all sleep/hibernate
sudo systemctl mask sleep.target
sudo systemctl mask suspend.target
sudo systemctl mask hibernate.target
sudo systemctl mask hybrid-sleep.target

# Prevent lid close from suspending (for laptops)
sudo sed -i 's/#HandleLidSwitch=suspend/HandleLidSwitch=ignore/' /etc/systemd/logind.conf
sudo sed -i 's/#HandleLidSwitchExternalPower=suspend/HandleLidSwitchExternalPower=ignore/' /etc/systemd/logind.conf
sudo systemctl restart systemd-logind

Keep screen on with caffeine (alternative)

# Use caffeinate to keep system awake (blocks sleep while running)
# Just leave this running in a terminal:
while true; do xdotool key --clearmodifiers shift; sleep 60; done &
13 File Sharing Between Kali and Windows

Access Windows NTFS partition from Kali (dual-boot)

# List all partitions
sudo fdisk -l

# Find the Windows partition (usually the largest NTFS partition)
# Common: /dev/nvme0n1p3, /dev/sda2, /dev/sda3

# Mount it
sudo mkdir -p /mnt/windows
sudo mount -t ntfs-3g /dev/nvme0n1p3 /mnt/windows

# Browse files
ls /mnt/windows/Users/

# Copy files
cp /mnt/windows/Users/rober/Desktop/somefile.txt ~/

If Windows partition won't mount ("Windows is hibernated")

# Windows Fast Startup leaves the partition "dirty"
# Option 1: Mount read-only
sudo mount -t ntfs-3g -o ro /dev/nvme0n1p3 /mnt/windows

# Option 2: Force mount (risky -- can corrupt if Windows is actually hibernated)
sudo mount -t ntfs-3g -o remove_hiberfile /dev/nvme0n1p3 /mnt/windows

# Best fix: Boot Windows, disable Fast Startup, then shut down (not restart)
# Windows: Control Panel > Power Options > Choose what power buttons do > 
# Uncheck "Turn on fast startup"

Access USB drives

# USB drives usually auto-mount to /media/kali/
ls /media/kali/

# If not auto-mounted:
lsblk
# Find the USB device (e.g., /dev/sdc1)
sudo mkdir -p /mnt/usb
sudo mount /dev/sdc1 /mnt/usb
ls /mnt/usb

Transfer files to/from phone

# Android MTP: Install gMTP
sudo apt install --allow-unauthenticated gmtp
gmtp &

# Or use simple-mtpfs (command line)
sudo apt install --allow-unauthenticated simple-mtpfs
mkdir -p ~/phone
simple-mtpfs ~/phone
ls ~/phone
# When done:
fusermount -u ~/phone

# iPhone: much harder on Linux. Easiest to use AirDrop alternative or cloud.
# Or email the files to yourself.

Quick network file sharing (Python HTTP server)

# Share files from Kali to any device on the same network
# From the directory you want to share:
cd ~/evidence
python3 -m http.server 8080

# On the other device, browse to: http://KALI_IP:8080
# Find Kali's IP:
ip addr show wlan0 | grep "inet "
14 Capturing Evidence -- Detailed Walkthrough

Pre-capture checklist

  1. ALFA adapter detected (lsusb shows 0e8d:7961)
  2. Power save disabled (sudo iw dev wlan1 set power_save off)
  3. Interfering processes killed (sudo airmon-ng check kill)
  4. Monitor mode active (iwconfig shows Mode:Monitor)
  5. Enough disk space (df -h -- captures can be large)

Full capture sequence (copy-paste ready)

# === SETUP ===
# Kill interfering processes
sudo airmon-ng check kill

# Start monitor mode on ALFA
sudo airmon-ng start wlan1

# Disable power save
sudo iw dev wlan1mon set power_save off

# === CAPTURE (Channel 157 -- CTS-A 5GHz) ===
# -w = output file prefix
# --channel 157 = lock to channel 157 (5785 MHz)
# --band a = 5 GHz only
sudo airodump-ng wlan1mon --channel 157 --band a -w evidence_ch157

# === WHEN DONE (Ctrl+C to stop capture) ===
# Stop monitor mode
sudo airmon-ng stop wlan1mon

# Restart networking
sudo systemctl start NetworkManager
sudo systemctl start wpa_supplicant

Understanding airodump-ng output columns

The top half shows Access Points (APs):

  • BSSID: MAC address of the access point
  • PWR: Signal power in dBm. -30 = very strong, -70 = moderate, -90 = very weak
  • Beacons: Number of beacon frames received. Increases over time. Low count + high PWR = something is wrong
  • Data: Number of data frames. Active network = lots of data
  • CH: Channel number the AP is on
  • MB: Maximum speed supported
  • ENC: Encryption (WPA2, WPA3, OPN, WEP)
  • ESSID: Network name. This is what you're looking for: CTS-A

The bottom half shows Clients (Stations):

  • STATION: MAC address of the client device
  • BSSID: Which AP the client is connected to (or "(not associated)")
  • PWR: Signal strength of the client
  • Rate: Data rate
  • Frames: Total frames from this client
  • Probe: SSIDs the client is probing for (looking for)

What to look for: Deauthentication attack indicators

  • Sudden spike in "Lost" column: Clients losing frames = possible deauth flood
  • Clients rapidly disconnecting and reconnecting: Station appears, disappears, appears again
  • Unknown MAC addresses: A device not in the office sending frames
  • High frame count from unknown station: Attack tool sends thousands of deauth frames

Capture specifically for deauth frames

# Capture with verbose output to see deauth in real-time
# This writes the capture AND shows management frame types
sudo airodump-ng wlan1mon --channel 157 -w deauth_capture --output-format pcap,csv

# In a second terminal, watch for deauth frames specifically:
sudo tcpdump -i wlan1mon -e 'type mgt subtype deauth' -c 100

# This will print each deauth frame as it arrives
# Example output of an attack:
# 16:23:15.123456 SA:xx:xx:xx:xx:xx DA:ff:ff:ff:ff:ff:ff DeAuthentication
# SA = Source Address (attacker), DA = ff:ff:ff:ff:ff:ff (broadcast = all clients)

Scan all channels (general survey)

# Scan all 5 GHz channels
sudo airodump-ng wlan1mon --band a -w survey_5ghz

# Scan all 2.4 GHz channels
sudo airodump-ng wlan1mon --band bg -w survey_2ghz

# Scan ALL channels (2.4 + 5 GHz)
sudo airodump-ng wlan1mon --band abg -w survey_all

How long to capture

  • Signal mapping: Minimum 5 minutes per location. Stay still. Note your position.
  • Active attack detection: At least 15-30 minutes on the target channel.
  • Baseline survey: 10 minutes per band (2.4 GHz and 5 GHz separately).
  • Evidence quality: Longer is better. 1 hour captures give the best statistical picture.

File naming convention for evidence

# Format: location_channel_YYYYMMDD_HHMM
# Examples:
sudo airodump-ng wlan1mon --channel 157 -w office_ch157_20260322_1430
sudo airodump-ng wlan1mon --channel 149 -w office_ch149_20260322_1500
sudo airodump-ng wlan1mon --band a -w parking_5ghz_20260322_1530

Output files explained

  • .cap / .pcap: Raw packet capture. Open in Wireshark for analysis.
  • .csv: Comma-separated summary. Easy to import into spreadsheets.
  • .kismet.netxml: XML format with detailed AP and client data.
  • .kismet.csv: Additional CSV with Kismet-compatible data.
  • .log.csv: Logging data.

Check disk space before/during capture

# Check free space
df -h /

# Check size of capture files so far
ls -lh evidence_ch157*

# Rule of thumb: ~1-5 MB per minute on a quiet channel
# Can be 50-100 MB per minute on a busy channel or during an attack
15 Wireshark on Kali

Install and configure

# Install Wireshark
sudo apt install --allow-unauthenticated wireshark

# Allow non-root capture (select "Yes" when prompted)
sudo dpkg-reconfigure wireshark-common

# Add kali user to wireshark group
sudo usermod -aG wireshark kali

# Apply group change (or log out and back in)
newgrp wireshark

Open a capture file

# Open capture in Wireshark GUI
wireshark evidence_ch157-01.cap &

# Or from command line (tshark) for quick analysis
tshark -r evidence_ch157-01.cap | head -50

Key display filters for deauth investigation

# Show ONLY deauthentication frames
wlan.fc.type_subtype == 0x000c

# Show ONLY disassociation frames
wlan.fc.type_subtype == 0x000a

# Show ALL management frames (includes deauth, disassoc, auth, assoc)
wlan.fc.type == 0

# Show deauth frames targeting a specific MAC address
wlan.fc.type_subtype == 0x000c && wlan.da == C0:A8:10:42:67:7E

# Show deauth frames FROM a specific MAC address (attacker)
wlan.fc.type_subtype == 0x000c && wlan.sa == XX:XX:XX:XX:XX:XX

# Show broadcast deauth (targets ALL clients -- classic attack pattern)
wlan.fc.type_subtype == 0x000c && wlan.da == ff:ff:ff:ff:ff:ff

# Show deauth reason codes
wlan.fc.type_subtype == 0x000c

# Combine: deauth OR disassoc (both used in attacks)
wlan.fc.type_subtype == 0x000c || wlan.fc.type_subtype == 0x000a

# Show frames from CTS-A network BSSID
wlan.bssid == XX:XX:XX:XX:XX:XX

# Show authentication frames (see devices reconnecting after deauth)
wlan.fc.type_subtype == 0x000b

Deauth reason codes (what they mean)

  • Reason 1: Unspecified -- generic, often used by attack tools
  • Reason 2: Previous authentication no longer valid
  • Reason 3: Station leaving -- legitimate disconnect
  • Reason 4: Inactivity -- AP hasn't heard from client
  • Reason 6: Class 2 frame from non-authenticated station
  • Reason 7: Class 3 frame from non-associated station
  • Attack signature: Many deauth frames with Reason 1 or Reason 7 in rapid succession from same source = attack

Command-line analysis with tshark

# Count deauth frames in a capture
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" | wc -l

# Show deauth frames with timestamps, source, destination
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" \
  -T fields -e frame.time -e wlan.sa -e wlan.da -e wlan.fixed.reason_code

# Count deauth frames per source MAC (find the attacker)
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" \
  -T fields -e wlan.sa | sort | uniq -c | sort -rn

# Export deauth frames to a separate file (for evidence preservation)
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" \
  -w deauth_frames_only.pcap

# Show frame rate over time (spot burst patterns)
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" \
  -T fields -e frame.time_epoch | \
  awk '{t=int($1); a[t]++} END {for (i in a) print i, a[i]}' | sort -n

Export specific frames as evidence

# Export filtered frames to new pcap file
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" -w deauth_evidence.pcap

# Export to CSV for spreadsheet analysis
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" \
  -T fields -E header=y -E separator=, \
  -e frame.number -e frame.time -e wlan.sa -e wlan.da -e wlan.bssid \
  -e wlan.fixed.reason_code > deauth_evidence.csv

# Export as text (human-readable detailed dump)
tshark -r evidence_ch157-01.cap -Y "wlan.fc.type_subtype == 0x000c" -V > deauth_detail.txt
16 Install Claude Code on Kali

Install

# Install Claude Code CLI
curl -fsSL https://claude.ai/install.sh | sh

# Launch
claude

If install fails (Node.js issues)

# Claude Code requires Node.js. If not installed:
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs

# Verify
node --version
npm --version

# Try Claude install again
curl -fsSL https://claude.ai/install.sh | sh

If curl can't connect (no internet)

You need internet first. See Section 9 (WiFi/Hotspot) or use USB tethering.

17 Install ProtonVPN on Kali
# Install ProtonVPN CLI
sudo apt update --allow-insecure-repositories
sudo apt install --allow-unauthenticated protonvpn-cli

# Login (opens browser or prompts for credentials)
protonvpn-cli login

# Connect to fastest server
protonvpn-cli connect --fastest

# Check status
protonvpn-cli status

# Disconnect
protonvpn-cli disconnect

If ProtonVPN fails to connect

# Check if OpenVPN is installed (ProtonVPN uses it)
sudo apt install --allow-unauthenticated openvpn

# Check for DNS issues
cat /etc/resolv.conf
# If empty or wrong, add Google DNS:
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

# Try connecting to specific server
protonvpn-cli connect --cc US
18 USB Drive Access (FAT32/NTFS/exFAT)

List connected drives

# Show all block devices
lsblk

# More detailed partition info
sudo fdisk -l

# Show filesystem types
sudo blkid
Typical lsblk with USB drive:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 1 28.9G 0 disk <-- Kali USB |-sda1 8:1 1 3.6G 0 part /run/live/... |-sda2 8:2 1 1M 0 part `-sda3 8:3 1 25.3G 0 part <-- persistence sdb 8:16 1 14.5G 0 disk <-- YOUR USB DRIVE `-sdb1 8:17 1 14.5G 0 part /media/kali/USBDRIVE

Mount if not auto-mounted

# Create mount point
sudo mkdir -p /mnt/usb

# Mount FAT32
sudo mount /dev/sdb1 /mnt/usb

# Mount NTFS
sudo mount -t ntfs-3g /dev/sdb1 /mnt/usb

# Mount exFAT
sudo apt install --allow-unauthenticated exfat-fuse exfat-utils
sudo mount /dev/sdb1 /mnt/usb

# Browse
ls /mnt/usb

# Safely unmount when done
sudo umount /mnt/usb

Copy evidence files to USB

# Copy all capture files to USB drive
cp ~/evidence_ch157* /mnt/usb/
cp ~/deauth_evidence* /mnt/usb/

# Verify copy
ls -la /mnt/usb/

# Safely eject
sudo umount /mnt/usb
# Wait for the light to stop blinking before pulling the drive
19 Common Kali Live Issues

Keyboard layout wrong

setxkbmap us

Screen resolution wrong

# List available resolutions
xrandr

# Set specific resolution
xrandr --output eDP-1 --mode 1920x1080

# If 1920x1080 isn't listed:
xrandr --output eDP-1 --mode 1366x768

Root vs kali user

Default creds: kali / kali

# Get root shell
sudo su

# Or run individual commands with sudo
sudo whoami

# Change kali password (if persistence is enabled)
passwd kali

# Set root password
sudo passwd root

Time zone wrong

# Check current time
date
timedatectl

# Set Central Time
sudo timedatectl set-timezone America/Chicago

# Sync time from internet
sudo timedatectl set-ntp true

# Manual time set (if no internet)
sudo date -s "2026-03-22 14:30:00"

DNS not resolving (can ping IPs but not domains)

# Check current DNS
cat /etc/resolv.conf

# If empty or wrong, set Google DNS
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf

# Test
ping -c 3 google.com

Terminal font too small on HiDPI screen

# Scale the display (2x for HiDPI)
xrandr --output eDP-1 --scale 0.8x0.8

# Or change terminal font size
# Edit > Preferences > Appearance > Font (in terminal emulator)

sudo says "kali is not in the sudoers file"

# This shouldn't happen on default Kali, but if it does:
# Switch to root directly (if you know root password):
su -

# Then add kali to sudo group:
usermod -aG sudo kali

# If you don't know root password, reboot into recovery or
# edit the live USB persistence to fix /etc/sudoers

Clipboard not working (can't copy/paste)

# Install clipboard manager
sudo apt install --allow-unauthenticated xclip

# Copy from terminal: Ctrl+Shift+C
# Paste to terminal: Ctrl+Shift+V
# (Regular Ctrl+C/V won't work in terminal)

File manager won't open / crashes

# Use command-line file management instead
ls -la ~/
cd /path/to/directory
cp source destination
mv source destination

# Or install a lightweight file manager
sudo apt install --allow-unauthenticated pcmanfm
pcmanfm &
20 Emergency: Nothing Works

Level 1: Soft reset

# Unplug the ALFA adapter
# Wait 10 seconds
# Plug it back in
# Check if it's detected
lsusb
dmesg | tail -20

# Reload the driver from scratch
sudo modprobe -r mt7921u
sleep 3
sudo modprobe mt7921u
sleep 3
iwconfig

Level 2: Full service restart

# Stop everything wireless-related
sudo airmon-ng stop wlan1mon 2>/dev/null
sudo airmon-ng stop wlan0mon 2>/dev/null
sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant
sudo killall dhclient 2>/dev/null

# Unload all wireless modules
sudo modprobe -r mt7921u
sudo modprobe -r iwlmvm
sudo modprobe -r iwlwifi

# Wait
sleep 5

# Reload everything
sudo modprobe iwlwifi
sudo modprobe mt7921u
sleep 3
sudo systemctl start NetworkManager

# Check
iwconfig
iw dev
nmcli device status

Level 3: Reboot

# Save any open work first!
# If captures are running, Ctrl+C to stop them first

# Reboot
sudo reboot

# After reboot, start fresh:
lsusb
iwconfig
sudo airmon-ng check kill
sudo airmon-ng start wlan1

Level 4: Re-flash the Kali Live USB

  • If the live USB itself is corrupted, no amount of troubleshooting will fix it
  • Signs: random crashes, filesystem errors, boot failures
  • Use Rufus on Windows to re-flash the Kali ISO to the USB drive
  • Download latest Kali: https://www.kali.org/get-kali/
  • In Rufus: select "DD Image mode" if ISO mode doesn't work, enable persistence partition
  • WARNING: This erases the USB drive. Save any captures to a different drive first.

Level 5: Fallback -- Windows-based capture

If Kali is completely unusable, you can still do basic RF analysis from Windows. It won't capture management frames (no deauth detection), but it can show channel utilization and signal mapping.

# On Windows:
# 1. Install Wireshark (wireshark.org) -- can capture on internal WiFi
#    NOTE: Windows Wireshark can't capture 802.11 management frames
#    without special NDIS drivers. It shows TCP/IP layer only.
# 
# 2. Install NetSpot (netspotapp.com) -- RF survey tool
#    Shows channel utilization, signal strength heatmaps
#    Free version is limited but still useful
# 
# 3. Use built-in: netsh wlan show networks mode=bssid
#    Shows all visible networks with signal strength and channels
#    Run in a loop: while (1) { netsh wlan show networks mode=bssid; sleep 5 }
# 
# 4. WiFi Analyzer from Microsoft Store (free)
#    Visual channel overlap and signal strength

Getting help

  • This page should have every answer. But if something truly bizarre happens:
  • Copy the error message exactly (screenshot or dmesg | tail -30 > /mnt/usb/error.txt)
  • Note what you were doing when it broke
  • Note which USB port the ALFA is in
  • Check uname -r for kernel version -- some issues are kernel-specific
Robert Cleaver (w/ AI pair programming partner Claude Code by Anthropic)