ALFA AWUS036AXML – (802.11ax) 2×2 6 GHz

AWUS036AXML is the WiFi 6/6E (802.11ax) 2×2 6 GHz and Bluetooth 5.2 high-performance USB adapter.

It comes with a 2-in-1 USB-C / USB-A cable. The RP-SMA antenna connector allows changing the higher gain antenna to increase the connection distance.






Laptop with two 6GHz adapters. phy 1 – wlan1 is the Alfa adapter with the MediaTek chipset.


Set reg domain

$ sudo iw reg set US

Verify reg domain


Alfa card to an Aruba MC cluster

(MM) [mynode] #show global-user-table list

Verify the MAC address of the Alfa card and BSSID of the AP


Verify the SSID > Band > HT-Mode > channel width > Channel > EIRP

(MC0003) [MDC] #show ap bss-table 

The Alfa adapter’s MAC address ends in 74:a9


Put the device in monitor mode

└─$ sudo airmon-ng check kill   

Killing these processes:

    PID Name
   4212 wpa_supplicant
─$ sudo airmon-ng start wlan1 5975


PHY     Interface       Driver          Chipset

phy0    wlan0           iwlwifi         Intel Corporation Wi-Fi 6 AX210/AX211/AX411 160MHz (rev 1a)
phy1    wlan1           mt7921u         MediaTek Inc. Wireless_Device
                (mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
                (mac80211 station mode vif disabled for [phy1]wlan1)
└─$ sudo airodump-ng -C 5975 wlan1mon -w ALFA6GHZ --output-format 
csv,pcap 

Checking available frequencies, this could take few seconds.
Done.
19:56:29  Created capture file "ALFA6GHZ-01.cap".

Wireshark capture


QoS Data


Kismet > check Bluetooth > 6GHz adapter

functionality; this can use more RAM.
INFO: Registered PHY handler 'IEEE802.11' as ID 0
INFO: Registered PHY handler 'RTL433' as ID 1
INFO: Registered PHY handler 'Z-Wave' as ID 2
INFO: Registered PHY handler 'Bluetooth' as ID 3
INFO: Registered PHY handler 'UAV' as ID 4
INFO: Registered PHY handler 'NrfMousejack' as ID 5
INFO: Using default rates of 10/min, 1/sec for alert 'BLEEDINGTOOTH'
INFO: Registered PHY handler 'BTLE' as ID 6
INFO: Registered PHY handler 'METER' as ID 7
INFO: Indexing ADSB ICAO db
INFO: Completed indexing ADSB ICAO db, 322278 lines 6446 indexes
INFO: Registered PHY handler 'ADSB' as ID 8
INFO: Registered PHY handler '802.15.4' as ID 9
INFO: Registered PHY handler 'RADIATION' as ID 10
INFO: Serving static file content from /usr/share/kismet/httpd/
INFO: Enabling channel hopping by default on sources which support channel 
      control.
INFO: Setting default channel hop rate to 5/sec
INFO: Enabling channel list splitting on sources which share the same list 
      of channels
INFO: Enabling channel list shuffling to optimize overlaps
INFO: Sources will be re-opened if they encounter an error
INFO: Saving datasources to the Kismet database log every 30 seconds.
INFO: Launching remote capture server on 127.0.0.1 3501
INFO: No data sources defined; Kismet will not capture anything until a 
      source is added.
INFO: Opened kismetdb log file './/Kismet-20230324-00-37-57-1.kismet'
INFO: Saving packets to the Kismet database log.
INFO: GPS track will be logged to the Kismet logfile
ALERT: ROOTUSER Kismet is running as root; this is less secure.  If you 
       are running Kismet at boot via systemd, make sure to use `systemctl 
       edit kismet.service` to change the user.  For more information, see 
       the Kismet README for setting up Kismet with minimal privileges.
INFO: Starting Kismet web server...
INFO: HTTP server listening on 0.0.0.0:2501



Testing injection

Injection does not appear to be working with the current driver

└─$ sudo aireplay-ng --test wlan0mon

20:53:12  Trying broadcast probe requests...
20:53:13  No Answer...
20:53:13  Found 0 APs
                                                                                                                                                                                        

└─$ sudo aireplay-ng --test wlan1mon           
 
20:53:20  Trying broadcast probe requests...
20:53:21  No Answer...
20:53:21  Found 0 APs

card-to-card injection appears to work

└─$ sudo aireplay-ng --test wlan1mon -i wlan0mon

20:52:09  Trying broadcast probe requests...
Testing injection 20:52:11  No Answer...
20:52:11  Found 0 APs

20:52:11  Trying card-to-card injection...
20:52:11  Attack -0:           OK
20:52:11  Attack -1 (open):    OK
20:52:11  Attack -1 (psk):     OK
20:52:11  Attack -2/-3/-4/-6:  OK
20:52:11  Attack -5/-7:        OK
20:52:11  Injection is working!
                                 

Useful links

Linux Wireless

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.