Aircrack-ng forum
Topic: How to run station mode and ap mode concurrently

CloudNine
How to run station mode and ap mode concurrently
« on: July 15, 2016, 04:18:46 pm »

I am fairly new to aircrack-ng so please bear with me!

I am trying to set up a penetration testing environment using Kali and one aspect of this is testing our corporate WiFi. I am using a fairly 'standard' Lenovo laptop with i3 processor and a built in Intel WiFi adapter. Since the premise is that an attacker will not likely be tethered to a wired Ethernet connection, but will be roaming and using wireless technology, I am trying to emulate a MITM scenario by connecting as a client to the corporate WiFi while running a rogue AP on the laptop, using only the built in WiFi interface.

As indicated by iw list, the adapter seems to support mixed mode:

Code:
valid interface combinations:

     * #{ managed } <= 1, #{ ap } <= 1,
        total <= 2, #channels <= 1, STA/AP BI must match
     * #{ managed } <=2,
        total <=2, #channels <=1

Following research on the Internet, I am setting up two interfaces on the same WiFi adapter, a client (station mode) interface called 'wst' and an AP interface called 'wap' like this:

Code:
service network-manager stop                  # keep NetworkManager from fighting over the new vdevs
iw dev wlan1 del                              # drop the default interface on phy0
iw phy phy0 interface add wst type station    # client (managed) vdev
service network-manager start                 # let it reconnect the client vdev
iw phy phy0 interface add wap type __ap       # AP vdev on the same phy

ifconfig confirms that the interfaces are being created. The laptop automatically re-connects to my company wireless LAN using the 'wst' interface, I get an IP address from the DHCP server and I can successfully browse the internet.

Here is where things get tricky. I am now trying to run airmon-ng on the 'wap' interface.
Code:
airmon-ng start wap

This complains that the 'wap' interface on phy0 cannot be placed in monitor mode. (Sorry I don't have the exact error message at this point, but please bear with me). So at this point I do:

Code:
airmon-ng check kill
airmon-ng start wap

which kills any interfering processes as expected, specifically wpa_supplicant. I can then successfully put the interface in monitor mode and also bring up the AP with something like:

Code:
airbase-ng -c 11 -e MYAPSSID -v wapmon

The problem is that 'airmon-ng check kill' also kills the station mode WiFi connection on interface 'wst'. I am assuming that this is because wpa_supplicant has been stopped. The question is, how do I run both modes concurrently as the two drivers appear to be in conflict?
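As an added example (not code from the thread), a POSIX shell check that parses the `iw list` combination table quoted in the opening post and answers whether a requested set of virtual interfaces fits any advertised combination on one phy. The embedded listing is the one from the post; the type names (managed, ap, monitor) are assumed to be the ones iw prints, and the script makes no claim about what the driver does beyond what it advertises.

```shell
# Constructed excerpt of `iw list` (the two combinations quoted in the post).
IW_COMBOS='valid interface combinations:

     * #{ managed } <= 1, #{ ap } <= 1,
        total <= 2, #channels <= 1, STA/AP BI must match
     * #{ managed } <=2,
        total <=2, #channels <=1'
# combo_allows "<iw list text>" type=count ...  (e.g. managed=1 ap=1 monitor=1)
# Prints "yes" if some advertised combination holds every requested vdev, else "no".
combo_allows() {
  listing=$1; shift
  printf '%s\n' "$listing" | awk -v want="$*" '
    BEGIN {
      n = split(want, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); need[kv[1]] = kv[2] + 0 }
    }
    # Each combination starts with "*" and may continue on the following lines.
    /^[ \t]*\*/ { if (rec != "") combos[++c] = rec; rec = $0; next }
    rec != ""   { rec = rec " " $0 }
    END {
      if (rec != "") combos[++c] = rec
      for (i = 1; i <= c; i++) if (fits(combos[i])) { print "yes"; exit }
      print "no"
    }
    # Parse one combination: its "#{ type } <= N" limits and "total <= N".
    function fits(line,   s, t, total, type, sum, lim) {
      split("", limit)                   # clear the per-combination limit table
      s = line
      while (match(s, /#[{][ \t]*[A-Za-z_\/-]+[ \t]*[}][ \t]*<=[ \t]*[0-9]+/)) {
        t = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
        gsub(/[#{} \t]/, "", t)          # "#{ ap } <= 1" -> "ap<=1"
        split(t, lim, "<=")
        limit[lim[1]] = lim[2] + 0
      }
      total = 0
      if (match(line, /total[ \t]*<=[ \t]*[0-9]+/)) {
        t = substr(line, RSTART, RLENGTH); gsub(/[^0-9]/, "", t); total = t + 0
      }
      sum = 0
      for (type in need) {
        if (need[type] == 0) continue
        if (!(type in limit) || need[type] > limit[type]) return 0
        sum += need[type]
      }
      return (total == 0 || sum <= total)
    }'
}
combo_allows "$IW_COMBOS" managed=1 ap=1            # yes: the first combination fits
combo_allows "$IW_COMBOS" managed=1 ap=1 monitor=1  # no: no monitor slot, total <= 2
```

Run it against the real `iw list` output of the adapter before building a station+AP+monitor setup: with the combinations above, a third vdev already exceeds `total <= 2`, which is worth knowing before any airmon-ng or airbase-ng step.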

misterx
Re: How to run station mode and ap mode concurrently
« Reply #1 on: July 15, 2016, 11:42:44 pm »

This is kind of a special case. You might not want to use airmon-ng at all in this case and create a separate monitor mode interface (on top of wst and wap) using iw for phy0.

Let me know how it behaves. Out of curiosity, which driver and adapter are you using (airmon-ng output is good enough)?

CloudNine
Re: How to run station mode and ap mode concurrently
« Reply #2 on: July 16, 2016, 11:38:06 am »

This is kind of a special case. You might not want to use airmon-ng at all in this case and create a separate monitor mode interface (on top of wst and wap) using iw for phy0.

Let me know how it behaves. Out of curiosity, which driver and adapter are you using (airmon-ng output is good enough)?

Thanks. It's a work laptop so I will post the details when I'm back at work on Tuesday. The WiFi adapter in the other laptop I am using at the moment supports only one mode at a time, but I can still work up a script to get the interfaces up using iw in the meantime. I also have a WiFi USB adapter (Alpha AWUS036AC) on order which will hopefully allow us to work around any limitations of the built in WiFi.

I also noticed this:

Code:
STA/AP BI must match

What does 'BI' mean?

« Last Edit: July 16, 2016, 11:43:37 am by CloudNine »

CloudNine

Re: How to run station mode and ap mode concurrently
« Reply #4 on: July 19, 2016, 09:08:15 pm »

Thanks for that.

As I mentioned I would get back to you with the driver info once I got back to work.

It was recognized in dmesg as – Intel ® Centrino ® Advanced-N 6205 AGN, REV0xB0
Other details (not sure how relevant they are):
L1 enabled, LTR disabled
Radio type=0x1-0x2-0x0

I don't know if I did this correctly, but I used iw to place the 'wap' interface in monitor mode and left 'wst' in managed (station) mode.

I figured out how to connect to our work WiFi and connected to it as a client using the 'wst' interface. I then ran airbase-ng on the 'wap' interface which created the at0 interface as is usual which I can configure, bring up and capture from. The ap seemed to run and status messages (e.g. probe requests) were observed in the terminal, however the SSID was not being published. We looked at the available WiFi networks on both a Windows phone and a Samsung mobile phone.

Everything was cleared down and I tried again, but with the interfaces reversed. We set up the client connection on 'wap' and the ap on 'wst', placing 'wst' in monitor mode this time. All setup commands (now applied to the opposite interface) were executed successfully and again the ap now appeared to be running on 'wst' and status messages were observed in the terminal but still no SSID being advertised.

I then cleared the configuration again and reverted back to the default single 'wlan1' interface and fired up the ap again, but using eth3 as the internet link. This time, the ap came up and the SSID was advertised.

Basically I can set up an ap (or evil twin) with the adapter in a single mode and capture traffic while routing to the eth3 wired interface, but although this adapter allows me to configure and work in mixed mode, it does not seem to operate correctly while in this mode.

Incidentally, I noticed that iw/iwconfig commands behave in a somewhat erratic fashion when using the mixed mode, sometimes working and sometimes not. For example, I found sometimes although I could set an interface in monitor mode with 'iwconfig wap mode monitor', I could not then bring it up with 'ipconfig wap up', whereas I had no problem with 'ipconfig wap down' in the first place. I generally kept Network Manager off with 'service network-manager stop', but some examples show a 'service network-manager start' being issued after the interfaces have been created. I was not sure which way to go so tried both with it off and with it on. When it failed to come up, usually a reboot was required to get back to sanity. Possibly I was doing something in the wrong order or network manager was messing things up?

Anyway, unless someone knows different or has any other ideas, it looks like the internet connection will have to be via a wired interface or via a second WiFi adapter. I did a bit of research and found several adapters that would work with Linux, some quite dated and none supporting the ac standard or the 5GHz band. In the end I purchased an Alfa AWUS036AC thinking that because it was advertised as coming with a Linux driver it would be OK, but here I was very wrong. Firstly, the adapter requires a USB 'Y' cable to work as it draws too much power from a single USB port (works OK on my PC though), and the Linux drivers refuse to compile. I spent some 4 hours last night on this. I tried both the ones supplied on the CD as well as the latest from their website. I found a modified version called awus036au on github and was able to compile this after first downloading the kernel headers and sources, configuring the kernel with 'make menuconfig' and finally compiling the kernel - which took a very long time and ate up a lot of disk space. Only then did the driver compile, but it was limited to station and master mode - no monitor mode. Unfortunately this means I can't use it with Kali. Lesson learned. I should have stuck to the older cards with known supported chipsets. Today I also found that an AWUS051 will work with Kali, but I can't find one in stock anywhere so it looks like it will have to be an AWUS036H or TP-Link WN722N. Any thoughts on which is better and less demanding on battery life?
« Last Edit: July 19, 2016, 09:27:50 pm by CloudNine »

misterx
Re: How to run station mode and ap mode concurrently
« Reply #5 on: July 20, 2016, 02:46:52 am »

It's always better to use one wireless card, one mode at a time. Cards are half duplex (cannot send and receive at the same time), so when the client is transmitting, the AP on the same card cannot receive.

Those are pretty good cards for now: (#1) 2.4GHz Alfa AWUS036NHA, or (#2) 2.4GHz TP-Link TL-WN722N, or (#3) 5GHz Alfa AWUS051NH v2
Best would be an ath9k but it's MiniPCIe (and bonus feature, some of them can do spectrum analyzer; check out linux-wireless wiki).

CloudNine
Re: How to run station mode and ap mode concurrently
« Reply #6 on: July 20, 2016, 08:02:24 pm »

It's always better to use one wireless card, one mode at a time. Cards are half duplex (cannot send and receive at the same time), so when the client is transmitting, the AP on the same card cannot receive.

I did wonder about how that mixed mode might work in practice. It is generally true of any radio medium that you cannot transmit and receive at the same time on the same frequency. You would have to run each mode on separate frequencies/channels, but then monitor mode is promiscuous across all channels. I guess some fancy firmware switching might be possible, but chopping between modes would likely adversely affect performance. The close proximity of the transmitted signal would make reception at the same time difficult if not impossible. This also makes sense of the problem I was getting. The radio was listening so I was getting status messages in the terminal, but it couldn't transmit at the same time, hence no SSID being broadcast. In short, although the software was letting me, I was trying to do the impossible!

Those are pretty good cards for now: (#1) 2.4GHz Alfa AWUS036NHA, or (#2) 2.4GHz TP-Link TL-WN722N, or (#3) 5GHz Alfa AWUS051NH v2
Best would be an ath9k but it's MiniPCIe (and bonus feature, some of them can do spectrum analyzer; check out linux-wireless wiki).

I'm sending the Alfa back and have gone with (#2), the TL-WN722N, as quite apart from the price it also is supposed to have an AR9271 (ath9k_htc) chipset which seems to tick all of the boxes.