PRIVATE -- NOT FOR DISTRIBUTION

Remote Monitoring Station

24/7 Passive WiFi Monitoring -- DESKTOP-CTS-ROBERT (HP Pavilion AIO)
Last updated: 2026-03-23

1 Overview

This station converts Robert's work desktop into a persistent, passive WiFi monitoring post. It captures all 802.11 traffic on channel 157 (the attack channel) 24/7, with remote access from home.

Architecture

  • Two NICs, two jobs -- internal Realtek (wlan0) connects to CTS-A for internet; ALFA adapter (wlan1) runs in monitor mode on channel 157
  • Boot media -- Kali Live on SSK 256GB USB-C SSD with 100GB persistence partition
  • Remote access -- ZoHo Assist (or alternatives: AnyDesk, Tailscale+SSH) for unattended monitoring from home
  • Evidence -- pcap/csv captures auto-saved to persistence partition, daily file rotation
  • Stealth -- AIO form factor means no external monitor. ALFA adapter hidden behind/under desk. From outside, looks like a normal locked desktop

Hardware Summary

Desktop: HP Pavilion All-in-One 24-xa0xxx
Hostname: DESKTOP-CTS-ROBERT
Processor: Intel Core i5-8400T @ 1.70GHz
RAM: 12 GB
Internal WiFi: Realtek RTL8822BE 802.11ac (internet via CTS-A)
Monitor Adapter: ALFA AWUS036AXM (mt7921au, USB 3.0)
Boot Drive: SSK 256GB USB-C SSD (Kali Live + 100GB persistence)
Display: 24" AIO built-in

The AIO form factor is an advantage -- the built-in monitor lets you work on-site when needed, and the machine looks completely normal when locked.

2 Hardware Setup

Boot from SSK SSD

  • Plug SSK SSD into a USB-C or USB-A port (via adapter if needed)
  • Power on the HP AIO and press F9 for boot menu (or F2 / Esc for BIOS)
  • Select the SSK SSD from the boot device list
  • If the SSD doesn't appear, enter BIOS and disable Secure Boot (Security tab)

ALFA Adapter Placement

  • Plug ALFA into a USB-A 3.0 port via the 6ft USB extension cable
  • Route the extension cable along the desk leg or behind furniture -- keep it tidy and inconspicuous
  • Hide the adapter: tape to the back of the desk, tuck behind the monitor stand, or place in a cable management tray
  • The adapter's antenna should have line of sight to the office area if possible -- avoid burying it inside a metal cabinet

The USB extension cable matters. Routing the ALFA away from the desktop reduces USB interference and gives you flexibility in antenna placement. Use a USB 3.0 rated extension to avoid throughput bottlenecks.

3 Kali Boot & Persistence

Boot into Kali

  • Select "Live (persistence)" from the Kali boot menu
  • Default login: kali / kali -- change this immediately on first boot (see Section 10)

Verify Persistence Works

# Create a test file
touch /home/kali/test_persist

# Reboot
sudo reboot

# After reboot, check if file survived
ls -la /home/kali/test_persist

If test_persist exists after reboot, persistence is working. If not, the boot menu selection was wrong or the persistence partition wasn't set up correctly on the SSD.

Set Timezone

sudo timedatectl set-timezone America/Chicago
# Verify
date

Timestamps in capture files will use this timezone. Central Time matches the office location.

4 Network Setup (Two NICs)

Identify Interfaces

iwconfig

You should see two wireless interfaces:

  • wlan0 -- Realtek RTL8822BE (internal) -- this connects to CTS-A for internet
  • wlan1 -- ALFA AWUS036AXM (mt7921au) -- this stays in monitor mode

Connect Internal WiFi to CTS-A

nmcli device wifi connect "CTS-A" password "[PLACEHOLDER]"

Verify Internet

ping -c 3 8.8.8.8

Do NOT connect the ALFA adapter (wlan1) to any network. It must remain unassociated for monitor mode to work. Only wlan0 gets an internet connection.

Verify Both Interfaces

# wlan0 should show ESSID:"CTS-A"
# wlan1 should show no ESSID (unassociated)
iwconfig

5 Monitor Mode (Persistent)

Manual Start

sudo airmon-ng check kill
sudo airmon-ng start wlan1

This creates wlan1mon. Note: airmon-ng check kill stops NetworkManager and wpa_supplicant processes that might interfere -- your wlan0 internet connection may drop. If it does, reconnect wlan0 after starting monitor mode.

Startup Script (Survives Reboots)

Create /home/kali/start-monitor.sh:

#!/bin/bash
# /home/kali/start-monitor.sh
# Starts monitor mode on ALFA and begins capture on channel 157

sleep 10  # wait for boot and USB enumeration

# Kill interfering processes (stops NetworkManager and wpa_supplicant
# system-wide, so wlan0 drops until it is reconnected below)
airmon-ng check kill

# Start monitor mode
airmon-ng start wlan1

# Restart NetworkManager so wlan0 reconnects to CTS-A
systemctl start NetworkManager
sleep 5
nmcli device wifi connect "CTS-A" password "[PLACEHOLDER]"

# Begin capture
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p /home/kali/captures
airodump-ng wlan1mon --channel 157 \
  -w "/home/kali/captures/cap_${DATE}" \
  --output-format pcap,csv &

Make Executable and Add to Crontab

chmod +x /home/kali/start-monitor.sh

# Add to root's crontab (needs root for airmon-ng)
sudo crontab -e
# Add this line:
@reboot /home/kali/start-monitor.sh

After this setup, the station will automatically enter monitor mode and begin capturing on channel 157 every time it boots into Kali.

6 Automated Capture

Capture Script with Daily Rotation

Create /home/kali/auto-capture.sh:

#!/bin/bash
# /home/kali/auto-capture.sh
# Starts a new capture file with timestamp

DATE=$(date +%Y%m%d_%H%M%S)
OUTDIR="/home/kali/captures"
mkdir -p "$OUTDIR"

airodump-ng wlan1mon --channel 157 \
  -w "${OUTDIR}/cap_${DATE}" \
  --output-format pcap,csv

# Make the script executable
chmod +x /home/kali/auto-capture.sh

Daily Rotation via Cron

Restart the capture at midnight each day so files stay manageable:

# Add to root's crontab (sudo crontab -e)
0 0 * * * pkill airodump-ng; sleep 2; /home/kali/auto-capture.sh &

Disk Space

  • Passive captures on a single channel are small: 50-500 MB/day depending on traffic
  • 100GB persistence partition = months of continuous capture
  • Check space: df -h /home/kali

7 Alerting (Optional)

Deauth Detection Script

Create /home/kali/alert-deauth.sh -- checks recent captures for deauthentication frames and sends a notification:

#!/bin/bash
# /home/kali/alert-deauth.sh
# Scans the latest capture for deauth frames

# Find the most recent pcap file
LATEST=$(ls -t /home/kali/captures/*.cap 2>/dev/null | head -1)

if [ -z "$LATEST" ]; then
    exit 0
fi

# Count deauth frames (subtype 0x0c)
COUNT=$(tshark -r "$LATEST" -Y "wlan.fc.type_subtype == 0x000c" 2>/dev/null | wc -l)

if [ "$COUNT" -gt 0 ]; then
    # Send alert via Slack webhook (replace with your URL)
    curl -s -X POST "https://hooks.slack.com/services/YOUR/WEBHOOK/URL" \
        -H 'Content-type: application/json' \
        -d "{\"text\":\"ALERT: $COUNT deauth frames detected on ch157 at $(date)\"}"

    # Also log locally
    echo "$(date): $COUNT deauth frames in $LATEST" >> /home/kali/captures/alerts.log
fi

# Make the script executable
chmod +x /home/kali/alert-deauth.sh

# Run every 5 minutes (add to root crontab)
*/5 * * * * /home/kali/alert-deauth.sh

Requires tshark (part of wireshark-common, should already be on Kali). The Slack webhook URL is a placeholder -- swap it for email, Telegram, or whatever notification channel you prefer.
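
The script above counts every deauth frame in the newest capture on each run, so a single frame re-alerts every 5 minutes for the rest of the day, and ordinary client disconnects also trip it. As an added example (not part of the original page), this variant reports only bursts from one source and remembers the newest frame it has already processed; the function names, state-file path, 10-second window and 20-frame threshold are assumptions to tune against the site's normal traffic.

```shell
#!/bin/bash
# Added example, not from the original page: burst-based deauth alerting.
# Input, one frame per line: "<epoch seconds> <source MAC> <destination MAC>",
# as printed by: tshark -r FILE -Y 'wlan.fc.type_subtype == 0x000c' \
#                  -T fields -e frame.time_epoch -e wlan.sa -e wlan.da

# Print "<window start> <source> <count>" for each source with at least $3
# deauth frames in one fixed $2-second window; frames at or before $1 are skipped.
deauth_bursts() {
    awk -v since="$1" -v win="$2" -v thr="$3" '
        NF >= 2 && ($1 + 0) > (since + 0) {
            bucket = sprintf("%.0f", int($1 / win) * win)
            n[bucket " " $2]++
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }' | sort -n
}

# Print the newest frame timestamp in the input, or $1 if nothing is newer.
newest_epoch() {
    awk -v max="$1" 'NF >= 2 && ($1 + 0) > (max + 0) { max = $1 } END { print max }'
}

# Constructed sample: one source sends 5 frames in 5 s, another sends 1.
sample_frames() {
    cat <<'EOF'
1000.10 aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff
1001.20 aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff
1002.30 aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff
1003.40 aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff
1004.50 aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff
1005.00 bb:bb:bb:bb:bb:02 cc:cc:cc:cc:cc:03
1012.00 aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff
EOF
}

# Scan capture $1, append new bursts to the alert log, then advance the state
# file $2. Window (10 s), threshold (20) and state path are assumed values.
scan_capture() {
    pcap="$1"; state="${2:-/home/kali/captures/.deauth_state}"
    since=$(cat "$state" 2>/dev/null || echo 0)
    frames=$(tshark -r "$pcap" -Y 'wlan.fc.type_subtype == 0x000c' \
        -T fields -e frame.time_epoch -e wlan.sa -e wlan.da 2>/dev/null)
    printf '%s\n' "$frames" | deauth_bursts "$since" 10 20 \
        >> /home/kali/captures/alerts.log
    printf '%s\n' "$frames" | newest_epoch "$since" > "$state"
}

# Runs only when a capture path is passed on the command line.
if [ -n "${1:-}" ]; then scan_capture "$1" "${2:-}"; fi
```

The windows are fixed buckets, so a burst that straddles a bucket boundary is counted in two halves; lower the threshold or shorten the cron interval if that matters for the traffic being watched.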
8 ZoHo Assist Remote Access

Option 1: ZoHo Assist Unattended Agent

# Download the Linux unattended agent from your ZoHo Assist dashboard
# The exact URL comes from: assist.zoho.com > Unattended Access > Deploy
wget "https://assist.zoho.com/install/linux-unattended-agent" -O zoho-assist.sh
chmod +x zoho-assist.sh
sudo ./zoho-assist.sh

ZoHo Assist's Linux support varies. If the unattended agent doesn't work on Kali, use one of the alternatives below.

Option 2: AnyDesk (Native Linux Support)

# AnyDesk has solid Linux support and unattended access
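# apt-key is deprecated; store the repo key in a keyring and pin the source to it
sudo install -m 0755 -d /etc/apt/keyrings
wget -qO - https://keys.anydesk.com/repos/DEB-GPG-KEY | sudo tee /etc/apt/keyrings/anydesk.asc > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/anydesk.asc] https://deb.anydesk.com all main" | sudo tee /etc/apt/sources.list.d/anydesk-stable.list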
sudo apt update
sudo apt install -y anydesk

# Launch and set unattended password
anydesk

Option 3: Tailscale (Zero-Config VPN)

# Install Tailscale -- creates a private mesh VPN
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# After auth, this machine gets a 100.x.x.x IP
# SSH from any device on your tailnet:
ssh kali@[tailscale-ip]

Tailscale is the cleanest option for SSH access -- no port forwarding, no dynamic DNS, works behind any NAT. Install it on your home machine too and you get a private network between them.

Option 4: SSH Tunnel (Manual)

# Requires port forwarding on the office router or a reverse tunnel
# From home:
ssh kali@[office-public-ip] -p [forwarded-port]

9 Monitoring from Home

Daily Checks

Connect via your chosen remote access method (ZoHo/AnyDesk/Tailscale+SSH) and run:

Is the capture running?

# pgrep avoids matching the grep process itself
pgrep -a airodump-ng

View live capture output

# Find latest CSV and tail it
ls -t /home/kali/captures/*.csv | head -1 | xargs tail -f

Check disk space

df -h /home/kali

Check for alerts

cat /home/kali/captures/alerts.log 2>/dev/null || echo "No alerts yet"

Download captures for analysis

# From your home machine (via Tailscale or direct)
scp kali@[station-ip]:/home/kali/captures/*.cap ~/evidence/

# Or just today's captures
scp kali@[station-ip]:/home/kali/captures/cap_$(date +%Y%m%d)* ~/evidence/

Check adapter health

iwconfig wlan1mon

10 Screen Lock & Security

Change Default Password

passwd kali

Auto-Lock Screen

# Lock immediately (before walking away)
xfce4-screensaver-command --lock

Disable Auto-Sleep (Keep Station Running 24/7)

# Disable screen blanking and power management
xset s off
xset -dpms
xset s noblank

# Prevent system from sleeping/suspending
sudo systemctl mask sleep.target suspend.target hibernate.target

Physical Security Notes

  • If someone reboots the machine without the USB SSD selected, it boots into Windows normally -- Kali only loads when the USB is present and selected in the boot menu
  • If Secure Boot was disabled, consider re-enabling it when the investigation concludes
  • The USB SSD can be physically removed to instantly stop all monitoring -- keep that in mind for the ALFA cable routing (don't make the SSD easily accessible)

11 Maintenance

Regular Tasks

  • Daily: Check capture is running (pgrep -a airodump-ng)
  • Daily: Check disk space (df -h /home/kali)
  • Weekly: Download and back up captures to a separate drive
  • Weekly: Move old captures to external storage if space is getting tight
  • Monthly: Update Kali packages

Update Kali

sudo apt update && sudo apt upgrade -y

If the ALFA Adapter Disappears

  1. Check the USB connection -- reseat the extension cable at both ends
  2. Check kernel messages: dmesg | tail -30
  3. Check if the device is on the bus: lsusb | grep MediaTek
  4. Try a different USB port
  5. If still missing, reboot: sudo reboot

If the Capture Stops

# Check if airodump is running
pgrep -a airodump-ng

# If not, restart the capture manually
sudo /home/kali/auto-capture.sh &

# Or restart the full monitor mode chain
sudo /home/kali/start-monitor.sh

12 Teardown

When the investigation is complete and monitoring is no longer needed:

Step 1: Stop Monitoring

# Stop the capture
sudo pkill airodump-ng

# Stop monitor mode
sudo airmon-ng stop wlan1mon

Step 2: Preserve Evidence

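# Copy all captures to an external drive
# Plug in a USB drive, confirm its device name with lsblk
# (/dev/sdb1 is an example), then mount it
lsblk
sudo mount /dev/sdb1 /mnt
# sudo is needed because /mnt is mounted as root; keep the original file timestamps
sudo cp -r --preserve=timestamps /home/kali/captures /mnt/monitoring-captures-backup
sudo umount /mnt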
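
A plain copy gives no way to show later that the backup matches what was captured. As an added example (not part of the original page), this writes a SHA-256 manifest of the capture directory and checks a copy against it; the function names and the constructed files in demo are assumptions.

```shell
#!/bin/bash
# Added example, not from the original page: hash manifest for the captures.

# Write "<sha256>  <relative path>" for every file under directory $1 to the
# manifest file $2. Keep $2 outside $1 so the manifest does not hash itself.
write_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Check every file listed in manifest $1 (absolute path) against directory $2.
# Returns non-zero if any file is missing or its hash differs.
verify_manifest() {
    ( cd "$2" && sha256sum -c "$1" )
}

# Constructed demo: hash a directory, copy it, verify the copy, then confirm
# that a modified copy is rejected. Returns 0 only if both checks behave.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/captures"
    printf 'constructed pcap bytes\n' > "$work/captures/cap_20260323_000000-01.cap"
    printf 'constructed csv rows\n'  > "$work/captures/cap_20260323_000000-01.csv"
    write_manifest "$work/captures" "$work/captures.sha256"

    cp -r "$work/captures" "$work/backup"
    if ! verify_manifest "$work/captures.sha256" "$work/backup" >/dev/null 2>&1; then
        rm -rf "$work"; return 1      # intact copy must verify
    fi

    printf 'x' >> "$work/backup/cap_20260323_000000-01.cap"
    if verify_manifest "$work/captures.sha256" "$work/backup" >/dev/null 2>&1; then
        rm -rf "$work"; return 2      # altered copy must fail
    fi
    rm -rf "$work"
    return 0
}
```

Write the manifest before copying, verify the copy on the external drive before unmounting it, and keep a copy of the manifest somewhere other than that drive.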

Step 3: Shut Down and Remove Hardware

  1. Shut down Kali: sudo shutdown -h now
  2. Remove the SSK USB SSD
  3. Remove the ALFA adapter and USB extension cable
  4. Power on the machine -- it boots into Windows normally
  5. If Secure Boot was disabled, re-enable it in BIOS (F2 on boot)

After removing the USB SSD and adapter, the machine is back to its normal state as a Windows work desktop. No traces of the monitoring setup remain on the internal drive.