Driven by the latest NextG 820.11n High Speed USB Wi-Fi dongle with a built-in RF amplifier, this slim and handy USB-Yagi directional antenna delivers a remarkable horse power of 2200mW at a top speed of 300Mbps.

Unlike most Yagi antennae with long broom and numerous director elements, the design of the NextG USB-Yagi aims at reducing the overall length of the antenna and whilst exceeding the isotropic gain with a wide 56 deg HPBW (half power beam width) beaming aperture to pick up the Wi-Fi signal nearby and afar, blending the best of both worlds.

See the excellent antenna performance below.

It is also slim and light weight that you could carry it in a traveller bag.

From a technical standpoint, no antenna can be designed with purely trial and error, let alone the ones without calibration and tuning which turn out to make a hugh difference in performance.

We use computer aided design (CAD) to engineer the seamless integration of the BALUN (the antenna's driving element) and the USB dongle (radio), a critical differential advantage for matching the impedance in the light of maximizing the signal transmission and penetration without incurring power loss in coaxial cable.

The antenna is made of rigid metal frame and elements so that its geometry, particularly the driver loop element, stays intact against transportation or normal usage for peak performance

As a result, it instantly improves your computer's Wi-Fi reception capability beyond the built-in standard factory gears.

It works within minutes. Simpy plug in the USB2.0 cable of the NextG USB-Yagi antenna to the laptop or desktop PC followed by a few simple clicks for CD-ROM driver installation - There is absolutely no need to worry about the cable compatibility issue.

What's more? You could construct a High Power Universal Wi-Fi Repeater with the additional 11N USB-Omni AP/Repeater kit. Typical application is to pick up Wi-Fi signal from ashore and let other computers share the Internet simultaneously.

Here's how it works. Use the USB-Yagi to catch the remote signal and share it amongst the other Wi-Fi PC clients with the 11N USB-Omni AP/Repeater. It works with all brands of (remote) wireless router, including OPEN or secured WEP, WAP/WAP2 PSK AES TKIP and 802.1x RADIUS server such as BT Openzone and Free Wi-Fi. Detailed Universal Repeater setup manual is included in the 11N USB-Omni AP/Repeater kit.

Simply faster and more powerful!!



Installation of Kali Linux on Windows 10 computer for testing WiFi Password Recovery Apps

Many buyers have come to us enquiring about the way in which they could utilize their 2200mW NextG USB-Yagi TurboTenna for packet monitoring and injection in the light of testing the security of their own WiFi network.

KALI Linux and 2200mW NextG USB-Yagi TurboTenna

What is packet injection?

Packet injection is a computer networking term which refers to sending a packet on a network into an already established connection. This is accomplished by crafting a packet using raw sockets for testing and improving the security of the wireless network.

Older generation chipsets have lower RF output and are confined to detecting the 802.11b and 802.11b/g wireless networks only; whereas the chipset incorporated in the family of High Power TurboTenna Plug & Play antennae work with both the older and the current 802.11n 802.11ac wireless standards.

Why do you need the High Power antenna?

Apart from the obvious reasons, you need to detect both the 802.11n wireless router, as well as the client stations that usually have lower signal output.

We've done that in our lab with KALI Linux and its attack tools (evolved from BackTrack), which is fully compatible with the 2200mW NextG USB-Yagi TurboTenna.

The KALI is a Debian based Linux distribution whose desktop version resembles pretty much similar to the Windows environment, in which you could use the mouse to natvigate over various applications. You may spend a Sunday afternoon to explore and refresh this powerful Linux OS both in desktop style and command line level. We are pretty sure that you'd have great fun like we did.

Although playing with Linux is not as straight forward as Windows, yet it is where the attack software tools and utilities are created - and for this reason Linux is both challenging and rewarding.

KALI Linux Download

To begin with, we chose to install KALI Linux on our Windows 10 64-bit Intel i5 computer with 8GB RAM using the Oracle VirtualBox. VirtualBox is a cross-platform virtualization application that allows KALI to run alongside with Windows 10. This is greatly convenient from the experimental standpoint because you don't have to invest in a dedicated computer for KALI and you can completely wipe off KALI once it is no longer needed.

KALI Linux 64 bit Version 2018.1 (kali-linux-2018.1-amd64) Size 2.81GB

Oracle VirtualBox (VirtualBox-5.2.8-121009-Win) Size 101MB

KALI Linux Installation

Oracle VirtualBox was downloaded and installed on Windows 10 followed by installing the disc image (kali-linux-2018.1-amd64) of KALI. It was crucial to plug in the 2200mW NextG USB-Yagi TurboTenna before started loading up KALI on VirtualBox and running the network configuration to put it online, otherwise you won't be able to update and upgrade KALI later which means that you'd be stuck with the old WPA/WPA2 Brute-Force dictionary.

We successfully created the KALI on VituralBox with 4096MB of RAM and 30GB Dynamic HD.

Update and Upgrade Linux commands:

apt-get update && apt-get full-upgrade

apt-get autoremove

We had also tried installing KALI Linux VirtualBox Image Version 2018.1 (kali-linux-2018.1-vbox-amd64) Size 3.3GB, hoping to save some installation setup procedures but failed. It was found to be incompatible with newer VirtualBox-5.2.8. Both the fresh KALI image and KALI VurtualBox image were supposed to be the same. So save yourself some time by going after the fresh KALI installation.

Packet monitoring and injection mode

Once we started KALI on VituralBox, the first thing we did was to map the 2200mW NextG USB-Yagi TurboTenna as the USB Device by selecting "Ralink 802.11 n WLAN [0101]"

On the command line terminal, we entered the commands below.

Check the presence of the 2200mW NextG USB-Yagi TurboTenna (wlan0):

ifconfig -a

Packet monitoring and injection commands:

airmon-ng check kill

airmon-ng check

airmon-ng start wlan0

airodump-ng wlan0mon

REAVER - WPS Pin Attack

WiFi Protected Setup (WPS) is a convenient feature that allows the user to configure a client device against a wireless network by simultaneously pressing a button on both the WiFi router and the client device (the client side “button” is often in software) at the same time. The devices exchange information, and then set up a secure WPA link.

Reaver was designed to brute-force the WPA handshaking process remotely, even if the physical WPS button hadn’t been pressed on the WiFi router.

While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.

In particular, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.

To generate a list of WiFi networks that shows the status of WPS Locked:

wash -i wlan0mon

The “WPS Locked” column in the list is far from a definitive indicator, but those WPS Unlocked WiFi networks are much more susceptible to brute forcing.

To launch Reaver against WiFi network with <BSSID> 11:22:33:44:55:66 :

reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1

It may take several hours and perhaps even longer to run because better designed WiFi router are getting smarter in terms of rejecting repeated attacks, longer and irregular timeout periods, illogical checksum and NULL pin.

Ideally, the above command works and the attack progresses as expected. But in reality, manufacturers implement smarter protections against Reaver-style attacks, and additional options may be required to get the attack moving.

As a countermeasure, a few optional switches can be added to get Reaver working on more picky devices:

reaver -i wlan0mon -c 11 -b 11:22:33:44:55:66  -vv -L -N -d 10 -T .5 -r 4:20


-c 11 is channel 11

-L ignores locked WPS state

-N Don’t send NACK packets when errors are detected

-d 10 Delay 10 seconds between PIN attempts

-T .5 sets timeout period to half a second

-r 4:20 after 4 attempts, sleep for 20 seconds

Simply type reaver if you to look for more options to experiment:


Reaver is armed with a pin "12345670" that appears not changing but in fact it is the starting point followed by subsequent variations to attack the router. Knowing that it is only a matter of time to strike a successful hit, clever designers put a NULL pin for which the traditional Reaver programmer had never expected. A patched version of reaver-wps-fork-t6x emerged in 2017 in the light of combating the NULL pin.

Installation was pretty straight forward on a newly created Reaver diractory:

mkdir reaver

cd reaver

git clone

apt-get install -y libpcap-dev

cd src


make && make install

The -p option becomes available to foster a NULL pin or a digit sequence of various lengths.

NULL pin:

reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1 -p ""

Pin with a length of 4 digits:

reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1 -p "4321"

The verdict:

Nothing is unbreakable unless one gives up too early. The best defense is disable WPS on the WiFi router and create a sophticated password and change it as often as possible.


Brute-Force Dictionary Attack

Next we moved on to the Brute-Force toolkit.

While Reaver kept bombarding WiFi router with continuous retries, Brute-Force captured successful client handshakes from which a LOCK was crafted to be opened by the keys in a dictionary until a match was found. Rather than meddling with the router like forever, the brief encounter ended by a handshake that transcended into a much longer journey of lonely data processing.

The dictionay such as rockyou.txt was a text file that contained commonly-used passwords or combinations of letters and numbers. A good dictionary thus needed to have "ALL" combinations imaginable. Ours contained 144344394 passwords that was a huge list. So an attack of this nature was time consuming. Success was based on computing power and the number of combinations tried rather than an ingenious algorithm.

Having put the 2200mW NextG USB-Yagi TurboTenna into the packet monitoring and injection mode, we opened two command line terminals. One for capturing the handshake data and the other kept provoking for client handshakes.

To launch Brute-Force against WiFi network with <BSSID> 11:22:33:44:55:66 and <ESSID> MyWiFi at channel 2:

airodump-ng -c 2 11:22:33:44:55:66 -w /root/Desktop/MyWiFi wlan0mon

To provoke client handshakes:

aireplay-ng -0 0 -a 11:22:33:44:55:66 wlan0mon

These processes were stopped once a successful handshake was found. KALI Linux has a dictionary residing in /usr/share/wordlists/rockyou.txt.gz

To make sure that we had the latest update and installed the dictionary on Desktop:

apt-get update && apt-get full-upgrade

cd Desktop

gunzip /usr/share/wordlists/rockyou.txt.gz

To try opening MyWiFi-01.cap with keys in the dictionary rockyou.txt:

aircrack-ng -1 rockyou.txt MyWiFi-01.cap

We edited rockyou.txt to put in our password to verify that these processes actually worked. The key was found in seconds!

To edit rockyou.txt:

nano /root/Desktop/rockyou.txt

The verdict:

Nothing comes out of nothing. Time waster if the key is not there. The best defense is restrict further attempts after a few unsuccessful logins and make the password uncommonly sophicated.



The articles herein are intended for experience sharing and IT education purposes. No part of these experiments should be applied to a WiFi network other than your own without consent of your family members.