Chris Avants

WiFi Pentesting with Kali – Must Learn Commands – Part 1

I am currently working on the new Lab Workbook for WLAN Security Professionals @WiFiTraining, and as I share pieces of it with the community I wanted to cover getting a WLAN pen testing/hacking setup working for most users, or at least the little things I think will help students, based on the issues I see when they jump into the labs.

A big reason students lose interest or get frustrated learning wireless pen testing is not having the proper hardware, drivers and tools, and many of my students are not familiar with Linux either.

First, if you are not using the right WLAN adapters it is going to be quite challenging to get anything working if you are new at this, because the tools we use (Aircrack-ng, hostapd and others) rely on drivers that are only proven on certain chipsets.

If you are booting Linux natively on enterprise hardware, the integrated chipsets tend to work right out of the box, because most business-class vendors (Lenovo, Dell, HP, ASUS business lines) use Intel or Broadcom chipsets for their WLAN adapters. For external WLAN adapters, and for running Linux/Kali in a VM, finding the right USB WLAN adapter can be fun, especially if you want modern 802.11 PHY support such as 802.11ac or 802.11ax.

One of my go-to WLAN adapters to use for wireless pen-testing is the Realtek RTL8812AU.

They come in two forms: the Comfast version with integrated antennas, and the yellow adapter that dozens of companies rebrand and sell simply as RTL8812AU (the name of the chipset).

  • RTL8812AU USB 3.0 WLAN adapter: 1200 Mbps dual band, 2.4 GHz (300 Mbps) and 5 GHz (867 Mbps), 802.11a/b/g/n/ac, 2x2 MIMO; sold for Kali Linux, Windows XP through 10 (32/64-bit) and Mac OS X, advertised with monitor mode and injection support
  • COMFAST wireless USB 3.0 adapter: 1200 Mbps dual band 2.4 GHz/5.8 GHz network adapter for desktops and laptops, compatible with Windows XP through 10 and Mac OS 10.6 to 10.11

  • iw list – detailed capability listing for the adapter (output shown below)
  • lsusb – displays the USB devices seen by the kernel
  • lspci – internal (PCI/PCIe) chipsets
  • ifconfig – shows the interfaces seen by the kernel and their status (ip addr is the modern equivalent and may be all that is installed)
  • iwconfig – shows the wireless interfaces and their status (iw dev is the modern equivalent)
  • iwconfig wlanX mode (Managed, Ad-Hoc, Master, Monitor) – sets the operating mode; the interface has to be down (ifconfig wlanX down) before the mode will change
  • service NetworkManager stop – stops NetworkManager so it does not keep reconfiguring the adapter underneath you
  • rfkill unblock wifi – clears a soft block (rfkill list shows whether one is set) that keeps the radio off
  • Aircrack-ng suite – the go-to suite of wireless tools for security professionals. Tools to get you started: airmon-ng, airodump-ng, aircrack-ng, airbase-ng; there are several others. Check out http://aircrack-ng.org

To get your adapter into 802.11 monitor mode it is as simple as:

  • $ ifconfig – verify you see your WLAN adapters (wlan0, wlan1, etc.)
    • If you don't see any WLAN adapters, make sure the adapter is mapped through to the guest if you are running Linux in a VM, and check iwconfig and lsusb to see whether it is seen at all.
  • $ service NetworkManager stop – case sensitive on NetworkManager
  • $ airmon-ng check kill – kills the processes (NetworkManager, wpa_supplicant, dhclient) that would otherwise interfere with the adapter
  • $ airmon-ng start wlan0 [channel] – use the channel argument if you need to start listening on a specific channel, e.g. for Wireshark: airmon-ng start wlan0 40. Note the interface name airmon-ng reports: current versions rename the interface to wlan0mon, and that is the name to use in the commands that follow.
  • $ airodump-ng wlan0 (or wlan0mon) – hops across the 2.4 GHz channels 1-13 by default, captures 802.11 management frames and lists the APs and clients it sees on screen. Very capable, feature-rich tool.
  • $ airodump-ng options
    • --band a – scans only the 5 GHz channels (--band abg covers both bands)
    • --channel / -c – listens only on a specific channel
    • -w / --write – writes what is captured to a file, e.g. -w /Desktop/captures/filename (airodump-ng appends a sequence number, so you get filename-01.cap)
    • --help (lol, don't forget these tools have help)

If you are looking to capture WPA handshakes, for example:

Step 1 – Place the WLAN adapter in monitor mode

  • airmon-ng check kill
  • service NetworkManager stop
  • airmon-ng start wlan0

Step 2 – Start the capture on a specific channel (after you have surveyed the area) and log the frames to disk

  • airodump-ng -c 40 -w WPACap1 wlan0 (use wlan0mon if that is the name airmon-ng reported; the frames go to WPACap1-01.cap, and airodump-ng shows "WPA handshake: <BSSID>" in its top line once a client (re)associates)

When you are done with the capture.

  • $ airmon-ng stop wlan0 (or wlan0mon)
  • $ service NetworkManager start

You now have a normal WLAN interface.
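The two procedures above (monitor mode, then a channel-locked capture and the restore) as a single script, with the checks students usually skip. This is an added example, not from the original post or from the aircrack-ng project; it assumes Kali with aircrack-ng and iw installed, takes the interface, channel and capture prefix as arguments, and only runs its main routine when arguments are given, so the helper functions can be sourced and tested on their own:

```bash
#!/usr/bin/env bash
# Added example (not from the original post): monitor mode -> capture -> restore,
# with the checks students usually skip. Usage (as root, on Kali with aircrack-ng):
#   sudo ./wlan-capture.sh wlan0 40 WPACap1
set -eu

# Centre frequency in MHz for an 802.11 channel number; fails for anything that is
# not a 2.4 GHz (1-14) or 5 GHz (32-177) channel. 2.4 GHz channels sit 5 MHz apart
# from 2412 MHz, except channel 14 at 2484 MHz; 5 GHz channels are 5000 + 5*ch.
chan2freq() {
    local ch=$1
    case $ch in ''|*[!0-9]*) return 1 ;; esac
    if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then
        echo $((2407 + 5 * ch))
    elif [ "$ch" -eq 14 ]; then
        echo 2484
    elif [ "$ch" -ge 32 ] && [ "$ch" -le 177 ]; then
        echo $((5000 + 5 * ch))
    else
        return 1
    fi
}

# Read `iw dev` output on stdin and print the name of every interface in monitor
# mode. airmon-ng renames the interface (wlan0 -> wlan0mon) on current versions
# but not with every driver, so never hard-code the name.
pick_monitor_iface() {
    awk '$1 == "Interface" { i = $2 } $1 == "type" && $2 == "monitor" { print i }'
}

# Give the adapter back to the OS, whatever state we were left in.
restore() {
    local m
    for m in $(iw dev | pick_monitor_iface); do
        airmon-ng stop "$m" || true
    done
    service NetworkManager start || true
}

main() {
    if [ "$#" -ne 3 ]; then
        echo "usage: $0 <iface> <channel> <capture-prefix>" >&2
        return 2
    fi
    local iface=$1 ch=$2 prefix=$3 freq mon
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if [ ! -d "/sys/class/net/$iface" ]; then
        echo "$iface is not seen by the kernel: check lsusb, and USB passthrough if in a VM" >&2
        return 1
    fi
    freq=$(chan2freq "$ch") || { echo "$ch is not a 2.4/5 GHz channel number" >&2; return 1; }
    # Does the radio list this channel under the current regulatory domain?
    if ! iw list | grep -q "\* $freq MHz \[$ch\]"; then
        echo "adapter does not list channel $ch ($freq MHz); see iw list and iw reg get" >&2
        return 1
    fi
    # "(no IR)" = no initiating radiation: passive capture is fine, injection and soft AP are not.
    if iw list | grep "\* $freq MHz \[$ch\]" | grep -q 'no IR'; then
        echo "note: channel $ch is no-IR here; capture works, aireplay-ng/soft AP will not" >&2
    fi
    trap restore EXIT
    service NetworkManager stop
    airmon-ng check kill
    airmon-ng start "$iface" "$ch"
    mon=$(iw dev | pick_monitor_iface | head -n 1)
    [ -n "$mon" ] || { echo "no monitor-mode interface after airmon-ng start" >&2; return 1; }
    echo "capturing on $mon channel $ch -> ${prefix}-01.cap (Ctrl-C when the handshake shows)"
    airodump-ng -c "$ch" -w "$prefix" "$mon"
}

# Only act when called with arguments, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The trap makes the restore run on Ctrl-C as well as on any failed check, which is the part students most often forget and then wonder why NetworkManager is gone after the lab.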

There are other ways to get monitor mode from your WLAN adapters; I will be covering them in much more detail in the new Lab Workbook for WLAN Security Professionals and CWSP at https://store.wifitraining.com

Does my WLAN adapter support monitor mode and soft AP functionality? Will it do packet injection? Is it dual-band, and can it handle the PHY being used in my test environment?

Use the command $ iw list. The parts to read in the output below: "Supported interface modes" (and "software interface modes") must list monitor for capture and AP for a soft AP; a Band 1 and a Band 2 section means 2.4 GHz and 5 GHz; the HT block (HT20/HT40, MCS 0-15) means 802.11n and the VHT block (MCS 0-9 on two streams, 867 Mbps) means 802.11ac; channels marked (no IR) are passive-only under the current regulatory domain, so you can capture on them but not inject or run an AP there. iw list does not tell you whether injection actually works; test that with aireplay-ng -9 on the monitor interface.

root@win10k194:# iw list
Wiphy phy0
max # scan SSIDs: 9
max scan IEs length: 2304 bytes
max # sched scan SSIDs: 0
max # match sets: 0
max # scan plans: 1
max scan plan interval: -1
max scan plan iterations: 0
Retry short limit: 7
Retry long limit: 4
Coverage class: 0 (up to 0m)
Supported Ciphers:
* WEP40 (00-0f-ac:1)
* WEP104 (00-0f-ac:5)
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
* CMAC (00-0f-ac:6)
Available Antennas: TX 0x2 RX 0x2
Supported interface modes:
* IBSS
* managed
* AP
* monitor
Band 1:
Capabilities: 0x1a72
HT20/HT40
Static SM Power Save
RX Greenfield
RX HT20 SGI
RX HT40 SGI
RX STBC 2-streams
Max AMSDU length: 7935 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT Max RX data rate: 300 Mbps
HT TX/RX MCS rate indexes supported: 0-15
Bitrates (non-HT):
* 1.0 Mbps
* 2.0 Mbps
* 5.5 Mbps
* 11.0 Mbps
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 2412 MHz [1] (20.0 dBm)
* 2417 MHz [2] (20.0 dBm)
* 2422 MHz [3] (20.0 dBm)
* 2427 MHz [4] (20.0 dBm)
* 2432 MHz [5] (20.0 dBm)
* 2437 MHz [6] (20.0 dBm)
* 2442 MHz [7] (20.0 dBm)
* 2447 MHz [8] (20.0 dBm)
* 2452 MHz [9] (20.0 dBm)
* 2457 MHz [10] (20.0 dBm)
* 2462 MHz [11] (20.0 dBm)
* 2467 MHz [12] (20.0 dBm) (no IR)
* 2472 MHz [13] (20.0 dBm) (no IR)
* 2484 MHz [14] (20.0 dBm) (no IR)
Band 2:
Capabilities: 0x1a72
HT20/HT40
Static SM Power Save
RX Greenfield
RX HT20 SGI
RX HT40 SGI
RX STBC 2-streams
Max AMSDU length: 7935 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT Max RX data rate: 300 Mbps
HT TX/RX MCS rate indexes supported: 0-15
VHT Capabilities (0x03c031a2):
Max MPDU length: 11454
Supported Channel Width: neither 160 nor 80+80
short GI (80 MHz)
TX STBC
SU Beamformee
+HTC-VHT
VHT RX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT RX highest supported: 867 Mbps
VHT TX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT TX highest supported: 867 Mbps
Bitrates (non-HT):
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 5180 MHz [36] (30.0 dBm)
* 5200 MHz [40] (30.0 dBm) (no IR)
* 5220 MHz [44] (30.0 dBm) (no IR)
* 5240 MHz [48] (30.0 dBm)
* 5260 MHz [52] (30.0 dBm) (no IR)
* 5280 MHz [56] (30.0 dBm) (no IR)
* 5300 MHz [60] (30.0 dBm) (no IR)
* 5320 MHz [64] (30.0 dBm) (no IR)
* 5500 MHz [100] (30.0 dBm) (no IR)
* 5520 MHz [104] (30.0 dBm) (no IR)
* 5540 MHz [108] (30.0 dBm) (no IR)
* 5560 MHz [112] (30.0 dBm) (no IR)
* 5580 MHz [116] (30.0 dBm) (no IR)
* 5600 MHz [120] (30.0 dBm) (no IR)
* 5620 MHz [124] (30.0 dBm) (no IR)
* 5640 MHz [128] (30.0 dBm) (no IR)
* 5660 MHz [132] (30.0 dBm) (no IR)
* 5680 MHz [136] (30.0 dBm) (no IR)
* 5700 MHz [140] (30.0 dBm) (no IR)
* 5720 MHz [144] (30.0 dBm) (no IR)
* 5745 MHz [149] (30.0 dBm) (no IR)
* 5765 MHz [153] (30.0 dBm)
* 5785 MHz [157] (30.0 dBm)
* 5805 MHz [161] (30.0 dBm)
* 5825 MHz [165] (30.0 dBm) (no IR)
* 5845 MHz [169] (30.0 dBm) (no IR)
* 5865 MHz [173] (30.0 dBm)
* 5885 MHz [177] (30.0 dBm)
Supported commands:
* new_interface
* set_interface
* new_key
* start_ap
* new_station
* set_bss
* join_ibss
* set_pmksa
* del_pmksa
* flush_pmksa
* remain_on_channel
* frame
* set_channel
* connect
* disconnect
Supported TX frame types:
* IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
Supported RX frame types:
* IBSS: 0xd0
* managed: 0x40 0xb0 0xd0
* AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* P2P-client: 0x40 0xd0
* P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
WoWLAN support:
* wake up on anything (device continues operating normally)
software interface modes (can always be added):
* monitor
interface combinations are not supported
Device supports SAE with AUTHENTICATE command
Device supports scan flush.
Supported extended features:
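To answer the questions that introduced this listing (monitor mode, soft AP, dual band, PHY) without reading 200 lines by hand, here is an added awk helper that reduces an iw list dump to the facts a pentester cares about. It is not from the original post or from iw; the abbreviated sample dump embedded in it is constructed from the listing above (with one made-up disabled channel added to show that such channels are not counted), and the key names it prints are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): summarise `iw list` for pentest use.
#   iw list | iw_summary
# Handles real, tab-indented output as well as the flattened copy in the post.
set -eu

iw_summary() {
    awk '
    function yn(v) { return v ? "yes" : "no" }
    { sub(/^[ \t]+/, "") }                     # drop indentation
    # Exact matches: frame-type lines look like "* AP: 0x00 ..." and are skipped.
    /^\* monitor$/   { mon = 1 }               # under Supported or software interface modes
    /^\* AP$/        { ap = 1 }                # soft AP (hostapd, airbase-ng)
    /^\* frame$/     { frame = 1 }             # nl80211 FRAME: driver accepts mgmt frames from userspace
    /^\* [0-9]+ MHz \[[0-9]+\]/ {
        if ($0 ~ /disabled/) next              # blocked by the regulatory domain
        if ($2 < 3000) n24++; else if ($2 < 5925) n5++; else n6++
        if ($0 ~ /no IR/) noir++               # passive only: no injection, no AP on that channel
    }
    /^HT Max RX data rate:/      { ht = 1; htmax = $6 }      # 802.11n
    /^VHT RX highest supported:/ { vht = 1; vhtmax = $5 }    # 802.11ac
    /^[0-9] streams: MCS/        { if ($1 + 0 > streams) streams = $1 + 0 }
    /^HE Iftypes:/               { he = 1 }                  # 802.11ax, printed by newer iw
    /^Device supports SAE/       { sae = 1 }                 # WPA3-Personal capable driver
    END {
        printf "monitor_mode=%s\n", yn(mon)
        printf "soft_ap=%s\n", yn(ap)
        printf "mgmt_frame_tx=%s\n", yn(frame)
        bands = ""
        if (n24) bands = bands "2.4GHz,"
        if (n5)  bands = bands "5GHz,"
        if (n6)  bands = bands "6GHz,"
        sub(/,$/, "", bands)
        printf "bands=%s\n", bands
        printf "channels_2g4=%d channels_5g=%d no_ir=%d\n", n24, n5, noir
        phy = "a/b/g"
        if (ht)  phy = phy ",n"
        if (vht) phy = phy ",ac"
        if (he)  phy = phy ",ax"
        printf "phy=%s\n", phy
        printf "ht_max_mbps=%d vht_max_mbps=%d vht_streams=%d\n", htmax, vhtmax, streams
        printf "sae=%s\n", yn(sae)
    }'
}

# Constructed sample, abbreviated from the dump in the post (channel 181 is made up
# to show that "(disabled)" channels are not counted).
SAMPLE_IW_LIST='Wiphy phy0
Supported Ciphers:
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
Supported interface modes:
* IBSS
* managed
* AP
* monitor
Band 1:
HT20/HT40
HT Max RX data rate: 300 Mbps
Frequencies:
* 2412 MHz [1] (20.0 dBm)
* 2437 MHz [6] (20.0 dBm)
* 2472 MHz [13] (20.0 dBm) (no IR)
Band 2:
VHT Capabilities (0x03c031a2):
VHT RX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: not supported
VHT RX highest supported: 867 Mbps
Frequencies:
* 5180 MHz [36] (30.0 dBm)
* 5200 MHz [40] (30.0 dBm) (no IR)
* 5745 MHz [149] (30.0 dBm) (no IR)
* 5905 MHz [181] (disabled)
Supported commands:
* new_interface
* start_ap
* frame
Supported TX frame types:
* AP: 0x00 0x10
Supported RX frame types:
* managed: 0x40 0xb0 0xd0
software interface modes (can always be added):
* monitor
Device supports SAE with AUTHENTICATE command'

# Run the summary over the sample when the script is executed directly.
demo() { printf "%s\n" "$SAMPLE_IW_LIST" | iw_summary; }
demo
```

Run it against a real adapter with `iw list | iw_summary`; the no_ir count is the one to watch before a lab that involves deauth or a rogue AP, since those channels will let you capture but silently drop your transmissions.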
