Hacking WPA/WPA2 without dictionary/bruteforce : Fluxion

Fluxion (linset)

I hadn't ventured into Hackforums since a while, and this time when I went there I saw a thread about a script called Fluxion. It's based on another script called linset (actually it's no much different from linset, think of it as an improvement, with some bug fixes and additional options). I did once think about (and was asked in a comment about) using something like a man in the middle attack/ evil twin attack to get WPA password instead of going the bruteforce/dictionary route, but never looked the idea up on the internet nor spent much time pondering over it. However, once I saw the thread about this cool script, I decided to give it a try. So in this post I'll show you how I used Fluxion, and how you can too.
Disclaimer : Use this tool only on networks you own .Don't do anything illegal.

Contents

• Checking if tool is pre-installed, getting it via github if it isn't.
• Running the script, installing dependencies if required.
• Quick overview of how to use Fluxion.
• Detailed walk-through and demonstration with text explanation and screenshots
• Video demonstration (not identical to the written demo, but almost the same)
• Troubleshooting section

Just double checking

The first thing I did was make sure that Kali doesn't already have this tool. Maybe if you are reading this post a long time after it was written, then you might have the tool pre-installed in Kali. In any case, try this out:

fluxion

I, personally tried to check if linset or fluxion came pre-installed in Kali (though I didn't expect them to be there).

Getting the script

Getting the script is just a matter of cloning the github repository. Just use the git command line tool to do it.
git clone https://github.com/deltaxflux/fluxion

If you have any problems with this step, then you can just naviagate to the repostitory (updated link) and manually download the stuff.

Update : There seems to be some legal trouble with Fluxion. The creator of the script has removed the source code of the tool, and uploaded code that is supposed to delete fluxion from your computer. I don't know the specifics of what is going on, but will provide updates ASAP.

Update 2: Now the repository is gone altogether!
What this means : As of now, this tutorial is useless. If you can find the source code for Fluxion, then you can use it and continue with the tutorial. Otherwise, not much can be done without the tool.


Update 3!
You can try this repo - https://github.com/wi-fi-analyzer/fluxion. It's an old version, might or might not work.

git clone https://github.com/wi-fi-analyzer/fluxion

Update 4

<!--Update_begins-->

Now you can find the latest version of Fluxion here. There shouldn't be any further issues at all.-

git clone https://github.com/FluxionNetwork/fluxion

At the time of updating this post, the latest version was v2 rev 8. Make sure you also have the same or later revision if one has been released. In case any new issues arise with the repository, I'll update you guys again! Meanwhile, I have tested the installation part and written the updated instructions for it below the instructions for older version. However, I haven't got the opportunity to test the application. If any of the steps in the new version have changed compared to old version, please comment and I'll update the tutorial ahead at the earliest possible. Thanks :)
<!--Update_ends-->

There are 4 dependencies that need to be installed

Running the script

Just navigate to the fluxion directory or the directory containing the scripts in case you downloaded them manually. If you are following the terminal commands I'm using, then it's just a simple change directory command for you:

cd fluxion

Now, run the script.

sudo ./fluxion

Dependencies (for older version)

If you have any unmet dependencies, then  run the installer script.

sudo ./Installer.sh

I had 4 unmet dependencies, and the installer script run was a buggy experience for me (though it might be becuase I have completely screwed up my system, editing files I wasn't supposed to and now I can't get them back in order) .It got stuck multiple times during the process, and I had to ctrl+c my way out of it many times (though ctrl+c didn't terminate the whole installer, just the little update popup). Also, I ran the installer script twice and that messed up with some of the apt-get settings. I suggest that after installation is complete, you restore your /etc/apt/sources.list to it's original state, and remove the bleeding edge repositories (unless you know what you're doing). To know what your repository should look like, take a look here.

Anyways, one way or the other, your unmet dependencies will be resolved, and then you can use Flexion.
PS: For those trying to use apt-get to install the missing stuff - some of the dependencies aren't available in the default Kali repos, so you'll have to let the script do the installation for you, or manually add the repos to /etc/apt/sources.list (look at the script to find out which repos you need to add)

Dependencies (for newer version)

The only difference lies in the directory structure and name of script. The install.sh script is in the fluxion/install/ directory and not fluxion/ (and is called install.sh instead of Installer.sh) . Basically you just have to change one line. Run the below command on terminal and wait for it to finish executing. Then proceed.

sudo ./install/install.sh

Fluxion

Once again, type the following:

sudo ./fluxion

This time it should run just fine, and you would be asked a few very simple questions.

• For the wireless adapter, choose whichever one you want to monitor on. For the channels question, choose all, unless you have a specific channel in mind, which you know has the target AP.
• Then you will see an airodump-ng window (named Wifi Monitor). Let it run while it looks for APs and clients. Once you think you have what you need, use the close button to stop the monitoring.



Fluxion using airodump-ng

• You'll then be prompted to select target.
• Then you'll be prompted to select attack.
• Then you'll be prompted to provide handshake.
• If you don't have a handshake captured already, the script will help you capture one. It will send deauth packets to achieve that.
• After that, I quit the procedure (I was using the script in my college hostel and didn't want to cause any troubles to other students).

If you are with me so far, then you can either just close this website, and try to use the tool on your own (it look intuitive enough to me), or you can read through the test run that I'm going to be doing now.

Getting my wireless network's password by fooling my smartphone into connecting to a fake AP

So, in this example run, I will try to find out the password of my wireless network by making my smartphone connect to a fake AP, and then type out the password in the smartphone, and then see if my Fluxion instance on my Kali machine (laptop) gets the password. Also, for the handshake, I will de-authenticate the same smartphone.

PS: You can probably follow this guide without having any clue how WPA works, what handshake is, what is actually going on, etc., but I suggest you do read up about these things. Here are a few links to other tutorials on this website itself that would prove useful (the first two are theoretical, yet nice, the third one is a pretty fun attack, which I suggest you try out, now or later):

1. Things you should know about Wireless Hacking - Beginner Level Stuff
2. Things you should know about Wireless Hacking Part II - Intermediate Level Stuff
3. Evil Twin Attack

This is the theoretical stuff. Experience with tools like aircrack-ng, etc. would also be useful. Take a look at the navigation bar at the top and look at the various tutorials under the "Wireless Hacking" category.

Anyways, with the recommended reading material covered, you can comfortably move on to the actual hacking now:

The real stuff begins!

This section is going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

Select language

After selecting language, this step shows up.
Note how I am not using any external wireless card, but my laptop's internal card.
However, some internal cards may cause problems, so it's better to use an
external card (and if you are on a virtual machine you will have to use an external card).

The scanning process starts, using airodump-ng.

You get to choose a target. I'm going after network number 21, the one my smartphone
is connected to.

You choose an attack. I am going to choose the Hostapd (first one) attack.

If you had already captured a 4-way handshake, then you can specify the location
to that handshake and the script will use it. Otherwise, it will capture a handshake
in the next step for you. (A tutorial on capturing the handshake separately)

If you didn't capture a handshake beforehand, then you get to choose which
tool to use to do that. I'm go with aircrack-ng.

Once you have a handshake captured (see the WPA Handshake: [MAC Address] on top, if it's
there, then you have the handhake), then type 1 and enter to check the handshake. If everything's fine,
you'll go to the next step.

Use the Web Interface method. I didn't try the bruteforce thing, but I guess it's just
the usual bruteforce attack that most tools use (and thus no use to us, since that's
not what we are using this script for).

This offers a variety of login pages that you can use to get (phish) the
WPA network's password. I went with the first choice.

After making your decision, you'll see multiple windows. DHCP and DNS requests are being handled in
left two windows, while the right two are status reporting window and deauth window (to get users
off the actual AP and lure them to our fake AP)

In my smartphone, I see two network of the same name. Note that while the original network is WPA-2
protected, the fake AP we have created is an open network (which is a huge giveaway stopping most people
from making the mistake of connecting to it). Anyways, I connected to the fake AP, and the DNS and DHCP windows
(left ones), reacted accordingly.

After connecting to the network, I got a notification saying that I need to login to the wireless network.
On clicking that, I found this page. For some people, you'll have to open your browser and try to open a website (say facebook.com) to get this page to show up. After I entered the password, and pressed submit, the script ran the
password against the handshake we had captured earlier to verify if it is indeed correct. Note how the
handshake is a luxury, not a necessity in this method. It just ensures that we can verify if the password
submitted by the fake AP client is correct or not. If we don't have the handshake, then we lose this ability,
but assuming the client will type the correct password, we can still make the attack work.

Aircrack-ng tried the password again the handshake, and as expected, it worked.
We successfully obtained the password to a WPA-2 protected network in a matter of minutes.

Video Demonstration

PS: The creator of the video has forked the Fluxion repository, and in the video he cloned from it instead. You may choose to fork from either of those. The original repository being more updated, and forked one being more stable (but less frequently updated). As of the time of creation of the video, both the repositories were the same, so it doesn't make a different which one you clone, but this may not always be the case. In case of any issues, you can probably try cloning both and see which one works for you.

Troubleshooting

Since fluxion and Kali both are constantly evolving (you might be using a different rolling release of Kali, as well as a different version of Fluxion. There are times when the tool break, and there's an interval of time for which it stays broken. Look at the issues page, and you will most probably find a fix for your problem. Note that the issue may as well be in closed issues (it would most probably be in closed issue).

For those who are able to follow the guide to the second last step, but don't get any Login page on their device, this issue suggests a solution. [Dated : 17th September 2016, if you're reading this much later then this might not be relevant, and some other issue would be]

Update : There are some important things mentioned in the README.file on the github repository. See if that helps.
https://github.com/deltaxflux/fluxion/blob/master/README.md

As of 1st November, 2016 (again, might not be relevant if you read this much later), the README suggested this for the no fake login page problem (which seems quite common)-

FakeSites don't work
There might be a problem with lighttpd. The experimental version is tested on lighttpd 1.439-1. There are some problems with newer versions of lighttpd. If you problems use the stable version. Check the fix out.

Again, as I said, it all breaks down to one of two things-

1. You are doing some step wrong (easy to fix, follow the tutorial again).
2. There is a dependency issue somewhere (some tool has it's wrong version installed). This can be a pain to fix, and there's no guidance I can provide for it really. You'll have to filter through all the issues on the github page of the tool. Hopefully, as the tool grows popular, it'll get more full time developers, and then get integrated in the Kali repository, till then, these problems will continue. 

What now?

I illustrated one possible scenario. This script can work with other devices (laptops for example) too as the fooled clients (not just smartphones). One possible short-coming to this attack is that most smartphones/laptops these days don't automatically connect to open networks (unless they have before), and hence the user has to do it manually. If your fake AP has more signal strength than the real one, then a person who doesn't know about WPA and open networks could very easily end up connecting to your network instead. So, overall this attack has a fair chance of succeeding.

Have any problems/comments/suggestions, leave them in the comments below.

Read More

WPA/WPA2 cracking using Dictionary attack with Aircrack-ng

WPA cracking involves 2 steps-

1. Capture the handshake
2. Crack the handshake to get the password

We have already covered WPA-handshake capture in a lot of detail. In this tutorial we will actually crack a WPA handshake file using dictionary attack. Our tool of choice for this tutorial will be aircrack-ng. We will not bother about the speed of various tools in this post. However, in the next post, we will compare various CPU and GPU algorithms for WPA hash cracking. I'd like to add that I already know the password of the network so I'll simply put it into the dictionary that I'm using. A full fledged dictionary attack is quite time consuming.

Also, a lot of people are facing problems with monitor mode in Kali 2.0. I have a post regarding that coming soon.
PS: If you stumbled on this post out of nowhere and find it hard to follow, I recommend you go through some of the easier posts first. How to use this site is a good place to begin.

Read More

Hack WPA/WPA2 PSK Capturing the Handshake

 WPA password hacking

Okay, so hacking WPA-2 PSK involves 2 main steps-

1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
2. Cracking the hash.

Read More

Wifite : Hacking Wifi The Easy Way : Kali Linux

Wifite

While the aircrack-ng suite is a well known name in the wireless hacking , the same can't be said about Wifite. Living in the shade of the greatness of established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed. It made wifi hacking everyone's piece of cake. While all its features are not independent (eg. it hacks WPS using reaver), it does what it promises, and puts hacking on autopilot. I'm listing some features, before I tell you how to use wifite (which I don't think is necessary at all, as anyone who can understand simple English instructions given by Wifite can use it on his own).

Features Of Wifite

• Sorts targets by signal strength (in dB); cracks closest access points first
• Automatically de-authenticates clients of hidden networks to reveal SSIDs
• Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
• Customizable settings (timeouts, packets/sec, etc)
• "Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
• All captured WPA handshakes are backed up to wifite.py's current directory
• Smart WPA de-authentication; cycles between all clients and broadcast deauths
• Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
• Displays session summary at exit; shows any cracked keys
• All passwords saved to cracked.txt
• Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here, that not only does it hack wifi the easy way, it also hack in the best possible way.  For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to speed up data packets (I wrote a full length post about something which it does automatically!).

Hacking WEP network

If you've followed my previous posts on Hacking Wifi (WEP), you know there's a lot of homework you have to do before you even start hacking. But not here. With Wifite, its as easy and simple as a single command.

wifite -wep

You might even have used the command

wifite

If you see any error at this stage move to the bottom of the page for troubleshooting tips. If your issue is not listed please comment. We reply within a day.
The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing ctrl+c. It'll then ask you which wifi to hack. In my case, I didn't specify -wep so it shows all the wifis in range.

 You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can except it to hack the wifi in 10 mins approx. Notice how it automatically did the fake auth and ARP replay.

Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you. You can stick with the simple wifite. Also, specifying the channel is optional so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag) -

 Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait.

 Note, the limitation that many reader on my blog are beginners forbid me from introducing too many attacks. I made a tutorial about ARP replay attack, and that too was detailed as hell. However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following-

wifite -help

This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks-
    WEP
-wep         only target WEP networks [off]
-pps <num>   set the number of packets per second to inject [600]
-wept <sec> sec to wait for each attack, 0 implies endless [600]
-chopchop   use chopchop attack      [on]
-arpreplay   use arpreplay attack     [on]
-fragment   use fragmentation attack [on]
-caffelatte use caffe-latte attack   [on]
-p0841       use -p0841 attack        [on]
-hirte       use hirte (cfrag) attack [on]
-nofakeauth stop attack if fake authentication fails    [off]
-wepca <n>   start cracking when number of ivs surpass n [10000]
-wepsave     save a copy of .cap files to this directory [off]

As you can see, its the same thing as is there on the help screenshot. Play around with the attacks and see what you can do. Hacking WPA without WPS wouldn't be that easy, and while I don't usually do this, I'm providing a link to an external website for the tutorial . This is the best WPA cracking tutorial I've seen, and I can't write a better one. It's highly detailed, and I'm just hoping I don't lose my audience to that website. Here is the tutorial - Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux

Troubleshooting

Wifite quits unexpectedly, sating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."

You are using Kali inside a virtual machine most probably. Virtual machine does not support internal wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows. Anything other than Virtual machine in general.

Another attack automating script : Fluxion

Wifite is cool and all, but doesn't do much against the invincible WPA-2 networks. Using a combination of evil-twin and man in the middle sort of attacks, fluxion tries to fool a client into giving you the key to the WPA-2 protected access point. Sounds interesting? Take a look.

Hacking WPA/WPA-2 without dictionary/bruteforce : Fluxion

Read More

Speeding Up WEP Hacking : ARP request replay attack

Now if you have followed the basic WEP hacking tutorial, and optionally have also read the basic troubleshooting guide, then you are ready to proceed to the stage where you follow an intermediate level hacking tutorial. In this tutorial, we will look at the intricate details of what is happening and approach the complicated methods and concepts.




To start with, I'll address a common question which was asked on my previous posts.

14 March 2014 19:28

i couldn't find any wlan when i write ifconfig in terminal

1. 
   
   
   
   
   
   
   
   
   Are you using Kali Linux on a virtual machine. Please note that a wireless adapter can only be used by only one machine at a time. Your host machine has access to the wireless adapter, not the virtual machine. This question has been discussed at length on superuser forums. The conclusion is that you can't directly connect internal wifi card using any Virtual machine software-
   "Unfortunately no virtualization software allows for direct access to hardware devices like that.
   
   Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those programs behave the same way. The only devices that can be directly accessed are usb devices. Everything else is abstracted though the virtualization engine. (Though you could argue that the vm has lower level access to cd rom's and storage devices).
   
   I wish I could give you a better answer, than simply to buy a usb wireless card."
   Basically you have to buy an external wireless card. They aren't very expensive. I personally use two of them myself. If you want to see what I use, take a look here, http://kalitutorials.net/2014/02/creating-dummy-wifi-for-hacking.html

So basically you have 2 choices. First, you can buy a new external wireless adapter (no referral links here). Secondly, you can side install Kali with Windows or run it via a USB. A virtual machine can only use computer hardware if it is externally connected via USB. Now there is another catch here. The internal adapters, almost all of them, don't support injection. This is extremely important for speeding up wireless hacking. So if you really want to go in depth of wireless hacking, then its time to buy an external adapter or two (the more the better). If that's not a possibility, you might want to spend hours trying to get a driver which might make your internal adapter support injection (I don't know anyone who succeeded in this, but it might be possible).

Kali Linux

I don't know why it needs mention here, but still, if you don't have Kali Linux (or Backtrack) installed yet, you will have to install it before you can start this tutorial. Here is the tutorial on Kali Linux hacking.

Check Injection Support

Aircrack-ng has a comprehensive article related to checking injection support. You might check their website out for it. I am just providing the commands which will be enough to find out whether injection is working or not. 

airmon-ng start wlan0  [or wlan1]

(Puts your wireless adapter in monitor mode. From now we'll refer to wlan0/wlan1 as mon0

airserv-ng -d mon0

 aireplay-ng -9 127.0.0.1:666

This basically sets up a temporary server sort of thing that is waiting for you to test your injection capabilities. The second command actually tries to inject the server, and succeeds. 127.0.0.1 is the IP which is reserved for loopback. It is always used when you are carrying out some command on yourself. 666 is the port we are using. Most of the time, what follows an IP and a colon is the port. The general form is somewhat like IP:port. So finally you have checked your injection capabilities, and the last line - "Injection is working!" should bring a smile to your face. If not, you'll have to buy a card which supports injection, or see some forum posts which will help you figure something out.

Check Signal Strength

While the basic hacking methods from the previous post don't have any real strength restriction, you need to be physically close to the access point in order to inject packets. There is information regarding the same in the same aircrack-ng tutorial. Again, I'm gonna summarize what you have to do here.

First, we will use airodump-ng mon0 to see the list of networks in range. See the one you want to hack.

Airodump-ng lists the networks in range.

Now we will hack the digisol network. Make a note of the BSSID of the network you want to hack.  A good practice is to store all the information gathered in any text editor. We should, at this stage, take a note of following:-

• ESSID -  DIGISOL
• BSSID - 00:17:7C:22:CB:80
• CH (channel) - 2
• Mac address of genuine users connected to the network:
• Interface : wlan1 - referred to as mon0

You should gather the equivalent information for the network you will be working on. Then just change the values whenever I use them in any of the commands

Note : We need at least one user (wired or wireless) connected to the network and using it actively. The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets.

Now, to check whether the signal strength will be sufficient, we will simply execute the following code-

airodump-ng [interface] -c [channel]

airodump-ng mon0 -c 2

This will make the wireless card only read packets in the channel no. 2, on which our target network is.

Now to test the network, type the following code-

aireplay-ng --test -e DIGISOL -a 00:17:7C:22:CB:80 mon0 

 The last time we checked whether the wireless card had the capability to inject packets. We tested it on our own computer. This time, we actually injected packets into the target computer. If this worked, then it's pretty good news, and it means that you are most probably going to be able to hack this network. The last line 30/30 : 100% determines how good the strength of the signal is. A very high percentage is a good sign, and 100 is ideal.

Capture Packets

Now we have already run airodump-ng a couple of times. However, this time we will pass the -w command which will instruct airodump-ng to save the output to a file.

airodump-ng -c [channel] --bssid [bssid]-w [file_name] [interface]

airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0

 Now the output will be saved in a file  dump-01.cap
Now we can keep this terminal running and it will keep saving the packets.  [In the previous tutorial we did only 2 things, capture the packet, i.e this step, and crack it, i.e. the step we are going to do last. While it makes our work easier to just follow two steps, it also makes the process much more time consuming, since we are simply a passive packet listener, who is not doing anything]

Speeding Things Up

Fake Authentication

Now to speed things up, we will inject the network. We will thus obtain ARP packets. These packets will fill up the data column of our airodump-ng capture, and data is what will help us obtain the password. As soon as we have 10000 data packets, we can start attempting to get the password using aircrack-ng.

Now to make the AP pay attention to your injected packets, you either have to be a connected client, or have to pretend to be one. You can either mask your mac address to one of the already connected clients, or use the fake authentication feature. We will do the latter. (If you see an error like the AP is on channel x and mon0 is on channel y then go to the bottom of the post for troubleshooting)

aireplay-ng -1 0 -e DIGISOL -a  00:17:7C:22:CB:80 mon0

Authenticated and capturing packets

 ARP request replay mode

ARP packets are your best bet at getting a lot of IVs or data. Without IVs you can't hack a network. Enter the following code to make aireplay-ng listen to the AP for ARP packets, and inject them as soon as they find one. This will create a lot of data very fast. This is the real speeding step. 

aireplay-ng -3 -b [BSSID] mon0

This is what the final code will look like-

aireplay-ng -3 -b  00:17:7C:22:CB:80 mon0

This is what it'll look like in the beginning

 Now you'll have to wait for some time till it gets an ARP request. As soon as it gets one, the terminal will sort of explode. And the data packets will start filling in with Godspeed. Now this is the part where an active user on the network is absolutely necessary.

Slow start

Everything got fine after some time

After some time I had enough packets to crack almost any network

The data filled in VERY fast

The video shows how fast the IVs flowed in after ARP injection started.

Cracking the network

Cracking the network is as easy as typing the following into the console

aircrack-ng name_of_file-01.cap

In our case, the command will be

aircrack-ng dump-01.cap

 After pressing enter, you will have a list of networks and you'll be prompted to select which one of them to hack. In my case there was just one network, so I couldn't get that screen, or a screenshot. The password was cracked in less than a second.

I have blurred out the password and some random stuff.

So finally you have obtained the password of the network you were trying to hack.

Troubleshooting

A person commented on another wireless hacking post. This is the problem he faced.

whenever i try to use aireplay-ng, with the options, always fail saying that mon0 is in channel -1 and the target is in other channel. How can i fixed this? i looked a lot for a real answer but nobody know what is this.

This is a possible solution

Okay, try the following-
1) When you start the monitor mode, specify the channel - 
usage: airmon-ng [channel or frequency]
Your code : airmon-ng start wlan0 6
Substitute 6 with the required channel.
2) While starting airodump, specify the channel
airodump-ng mon0 -c 6

I was facing this problem when my mon0 kept hopping from one channel to the other, and the second step alone solved my problem. If your airmon-ng assigns itself a fixed channel on its own will, without you even specifying it, then the problem might be more complicated. If the above steps don't solve the problem, take a look here - http://ubuntuforums.org/showthread.php?t=1598930

Read More