Saturday, March 26, 2011

#3 - Wireless Cards for Penetration Testing

Previously, we discussed a quick short list of wireless chipsets to research in order to best handle packet injection. And packet injection, my friends, is what it's all about. Our main goal, when dealing with wireless, is being able to inject enough packets into the stream in order to generate the information we need to break the encryption key. We'll discuss this in depth later on. For now, we need to select an affordable card that can handle three main key elements of wireless sniffing:

  1. The cards need to be able to handle the spectrum of frequencies we want to monitor: 802.11B, 802.11G and 802.11N. There are other types of wireless in use today, but these are the three main types of wireless you find “out in the wild”.
  2. The cards must be able to be placed into “monitor mode”, the ability of a card to “listen” to a network, rather than just “speak” to it.
  3. The cards must be able to handle “packet injection”, the ability to inject packets, thus creating enough viable packets for us to crack WEP encryption
So, our short list of viable cards included:
  • Atheros (AR5XXX, AR9XXX)
  • Broadcom (B43XX Family)
  • Intel Pro Wireless and Intel Wifi Link (Centrino)
  • Ralink (RT2X00)
  • Realtek (RTL8187)

If you were to purchase a brand-new laptop and were able to do a little research prior to purchase, you  might find that your internal wireless card actually has one of those chipsets on board. The ASUS K52F that I use for writing, email and other boring technical activities has an atheros-based wireless card. What does this mean? Well, I can do any of the tips and tricks we'll discuss later on on my shiny ASUS laptop. For just starting out and just for learning, this is a fine thing. If you were lucky enough to purchase a new laptop for learning how to do Penetration Testing, then I would recommend you start out with a card like this. All the exercises we'll go through later will be just as applicable.

However, if you're putting together your Essential Toolkit, already have a laptop that doesn't have a wireless card or you're serious about doing wireless surveillance, you're eventually going to want to get a wireless card with one of these chipsets AND an external antenna connector. Why? Well, there are lots of applications for a wireless card with an external antenna. Some hackers have been able to hook them up to powerful antennae, potato chip cans, and even old satellite dishes (you know, for Satellite Dish Cable in your home) to gain some absolutely wonderful distance on their surveillance. You, too, will probably eventually want to tinker with applications like this. So I think it would be best to add a USB wireless card (with an external antenna connector) to your Essential Toolkit.

Let's discuss this a bit.

I've done quite a bit of research and the cards that I find give you the best bang for the buck is a pair of cards from a company called 'Alfa Network'. They have 2 cards that are inexpensive and use the Ralink chipset. There are two models that are most prevalent.

  • Alfa AWUS036NEH – 1000mW USB Wifi Adapter (with threaded RP-SMA) Antenna Jack
  • Alfa AWUS036H – 2000mW USB Wireless Adapter (with threaded RP-SMA) Antenna Jack

RP-SMA, for those of you who don't know, designates the kind of threaded adapter that you can screw on. For our purposes, this connector for the antenna is just fine. You can see it very clearly in the top right picture shown here:




So, you've got a the 36NEH which is slightly less powerful than the 36H. They both handle 802.11 B/G/and N, so you get the best coverage for wireless networks. And here's the kicker: the 2000mW version comes in at approximately $30 + shipping while the 1000mW version (which, frankly is just as useful as the 2000mW version) can be had for a stunningly low $20.

You can pick up either of these cards through a number of places, if you use Google's Shopping site. Amazon carries them and a few others. However, I picked up my AWUS036NEH at Data Alliance (http://www.data-alliance.net/-strse-61/alfa-500mW-USB-Wireless/Detail.bok) but you could also pick up the 2000mW version from them here: http://www.data-alliance.net/-strse-158/Alfa-AWUS036NH-2000mW-1000mW/Detail.bok

The reason I decided to spend the $20 on an external USB wireless card is because of the ease of use when it comes to getting things working in BackTrack. Here's my $20 Alfa AWUS036NEH:


The Ralink chipset in the AWUS036NEH works just this easy:

  1. Plug your wicked-looking Alfa card into the USB Port




  2. The kernel recognizes the hardware and you can verify this by running 'lsmod | grep -i 80211' to ensure that the RT modules were loaded up. You should see the RT2X00 module loaded in memory.


  3. Run 'iwconfig' to make sure the card is seen in the OS


  4. And to make sure your new wireless card can be put into monitor mode (and therefore, be an easy tool to crack WEP and other wireless tricks later), run 'airmon-ng start wlan0'.




Once that is run, if the right driver is loaded and all is well, you will see a message saying '(monitor mode enabled on mon0)' or something close to that. If you see monitor mode is enabled, you have the right card, the right drivers and everything's set for you to work wireless magic later on. If you don't see that, then you might need to do a little googling and find exactly what card, what chipset you have and see if there are any known issues with that card in the BackTrack forums.


For more information, you can check out the aircrack-ng website. They maintain a compatibility list that details wireless cards, chipsets and the like. You can find that compatibility list here: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers . By perusing that list and doing a little bit of research, you may be able to find another card that best suits your needs. For me and for the lessons we'll be covering, I find the $20 Alfa card to be a best buy.

Just make sure, that if you decided to go with an external USB wireless card, you should always get one with an external antenna. This lets you have the most flexibility in your wireless sniffing. Once you get deeper into wireless sniffing and cracking, you'll be most disappointed by NOT having an external antenna.

Next up, we'll discuss the few small items we want to include in our Essential Toolkit and wrap up making our kit. Then we'll start to work out our penetration testing methodology.

17 comments:

  1. Hello I have k54 L Asus laptop and of course it came with an Atheros wireless card which quite frankly seems to have trouble finding the occasional errant signal. My question is will it have the flexibility you described earlier my card is an AR9285. Thank you Ozzy

    ReplyDelete
    Replies
    1. Ozzy:

      I have an Asus K52, which is similar in spec. I would say that if you're looking to learn the Aircrack suite in BackTrack, your built-in Atheros card will work with the utilities just fine. You'll learn everything you need to about cracking wifi.

      However, I've found the internal card is limited in the distance you can cover (meaning, you can't consistently grab packets from APs if their too far away). However, if you're standing up a wifi AP in your house for playing around with in a lab environment, you're going to be fine.

      Delete
  2. Hello, I purchased the Alfa AWUS036NEH 1000mW 1W 802.11g/n High Gain USB Wireless G / N Long-Rang WiFi Network Adapter., I cannot get it to work with Cain and Abel in monitor/promiscuous mode for packet capture and injection. I appreciate any feedback on how to fix this problem.

    ReplyDelete
    Replies
    1. Anonymous in May:

      I found several videos on youtube that demonstrate how to use Cain and Abel for wifi capture. If you're determined to move forward with Cain and Abel, I would definitely reference some of them.

      However, my personal recommendation would be to ditch Windows entirely, boot up BackTrack and start to use the Aircrack suite. The Alfa adapter you have purchased is well supported in Linux and it is really just so easy to use in BackTrack. If you want easy success in minutes, get your hands on that.

      That may not be the answer you're entirely looking for. Sorry.

      Delete
  3. thx for yr document i have one question i buy dell n5110 laptob ist suitable for hacking wireless because i want to start learning
    and if i want to buy wireless card which type i must have adaper or access point or wireless modem because i go to computer market and dnt know exactly

    ReplyDelete
  4. Question - can one do this on a VMWare image running Ubuntu inside of a Win7 host? I am guessing not, because all traffic still goes through the Windows drivers

    ReplyDelete
  5. Steve you can connect your cards usb into backtrack with vmware and seperate it from the windows drivers.

    Vmware will disconnect the card from windows and connect it through itself which works just fine when loaded with ubuntu backtrack or what ever distro people prefer.

    ReplyDelete
  6. Here is the issue with Cain and Abel if you actually know what to look for you would see that the software starts sniffing your own network and starts to dial home. Explicit Warning when using the application. Stick to linux when pentesting.

    ReplyDelete
  7. Hi, I got the AWUS036NEH dongle and I'm currently using it with Backtrack5 R2 gnome 64 bits, the thing is working because I was able to crack WPA2, however it seems that it has an awful working range, I am only able to get two wifi connections with it (and one it's mine :S), and around eight to ten with the built-in wifi adapter of my laptop.
    Do you have any advise for me? Maybe some configuration I could try? I've already tried boosting the power to 30db, didn't change anything.

    ReplyDelete
    Replies
    1. There seems to be some information (and similar notes to yours about range) here: http://www.backtrack-linux.org/forums/showthread.php?t=32993 Don't know if this will help but there's some info on it there.

      Delete
  8. ASUSTeK Computer Inc Product Name: K54L comes stock with
    Atheros Communications Inc. AR9285 Wireless Network Adapter (PCI-Express) 8gigs ram 500gb HD perfect for injection using Kali linux $329.00 out the door. sweet for on the go

    ReplyDelete
  9. I built one of these as I live in the catskills anyway after a little soldering and a useless dish and a few bucks I was able to receive over 4000 connections averaging 10 miles away no joke. http://www.engadget.com/2005/11/15/how-to-build-a-wifi-biquad-dish-antenna/

    ReplyDelete
  10. I got the AWUS036NEH and I am using Kali Linux.
    The dongle won't work on the newest Kali Linux version. I had to get the .deb package firmware-ralink for wheezy and install it.
    But it seems the firmware with that doesn't support monitoring, any suggestions?
    I really searched the web for hours, reading forums, articles and so on. But I cannot find a working solution.
    I hope you might help.

    ReplyDelete
  11. I have a HP G series with a ralink rt5390 802.11b/g/n wifi adapter and cant get backtrack 5 to recognise it in when i pull up my term, any suggestions? I did check to make sure the software was updated on the driver, and its the most up to date there is, just kinda lost as to what I as what i should do next should i just go and buy another adapter and be done with it?

    ReplyDelete
  12. checking the systems for the vulnerabilities is penetration testing, and if you don.t have high quality wi fi than its very hard to do this. so have good wi fi connection
    enlace wifii

    ReplyDelete
  13. Thanks for sharing. Learn a lot from your Blog.I have read your blog about it-security-matter It is very help full.I really enjoyed reading it, you may be a great author.I must say you've done a wonderful job by sharing your article with us.Penetration Testing UK

    ReplyDelete