For wireless penetration testing, war-driving, or research into the 802.11 protocol, many researchers will be purchasing newer USB wireless cards. In 2018 the Realtek chipsets are among the most common in wireless USB cards. These adapters support 5 GHz, but they might not work with the easy-to-use airmon-ng commands in Kali Linux. This post is a brief overview of configuring your newly purchased 5 GHz card manually.
The first step is to make sure your Kali operating system can see the USB device. As shown below, the lsusb command lists the USB devices currently plugged in.
$ lsusb
Bus 001 Device 002: ID 148f:3572 Ralink Technology, Corp. RT3572 Wireless Adapter
# airmon-ng start wlan0
Before installing the drivers for the specific device, we should make sure our current Kali Linux system is updated with the latest patches.
# history
1 apt-get update && apt-get upgrade
2 apt-get dist-upgrade
root@kali:~# uname -ar
Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.12-2kali1 (2018-01-08) x86_64 GNU/Linux
Now that the system is fully updated, we can install the latest Realtek drivers straight from the aptitude package manager.
apt install realtek-rtl88xxau-dkms
The commands below show the manual process of bringing down the wireless interface, setting the mode to monitor, and then bringing the interface back up. These three commands are essentially what the airmon-ng command does.
# Set interface down
$ ifconfig wlan0 down
# Set monitor mode
$ iwconfig wlan0 mode monitor
# Set interface up
$ ifconfig wlan0 up
This will put the physical device into monitor mode. If you would prefer a separate virtual interface for monitoring, much like the one airmon-ng creates, you can run the following before setting the monitor mode.
# Create a virtual interface with wlan0
iw dev wlan0 interface add wlan0mon type monitor
The commands below show how to change channels using the
# Set channel 6, width 40 MHz:
$ iw wlan0 set channel 6 HT40-
# Set channel 149, width 80 MHz:
$ iw wlan0 set freq 5745 80 5775
The commands below show how to change the transmit power of the wireless interface.
$ iwconfig wlan0 txpower 30
# Or you could use
$ iw wlan0 set txpower fixed 3000
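The down/monitor/up sequence and the channel commands above, gathered into a small POSIX sh script as an added example (not code from the original post). It generalises the single "iw ... set freq 5745 80 5775" line by computing the control and 80 MHz centre frequency for any 5 GHz channel, and it checks with iw that the driver actually accepted monitor mode. The function names, the interface wlan0 and the channel numbers are assumptions; the iw/ifconfig/iwconfig calls need root and a real card.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Control frequency (MHz) for a 2.4 GHz or 5 GHz channel number.
chan_to_freq() {
    ch=$1
    if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then
        echo $((2407 + 5 * ch))
    elif [ "$ch" -eq 14 ]; then
        echo 2484
    elif [ "$ch" -ge 36 ] && [ "$ch" -le 177 ]; then
        echo $((5000 + 5 * ch))
    else
        echo "unknown channel $ch" >&2; return 1
    fi
}

# Centre frequency (MHz) of the 80 MHz block that contains a 5 GHz channel.
# Blocks start at channels 36, 52, 100, 116, 132 and 149; the centre is the
# block's first channel plus 6 (so 149 -> 155 -> 5775 MHz, as in the post).
center80() {
    ch=$1
    for start in 36 52 100 116 132 149; do
        if [ "$ch" -ge "$start" ] && [ "$ch" -le $((start + 12)) ]; then
            echo $((5000 + 5 * (start + 6)))
            return 0
        fi
    done
    echo "channel $ch has no 80 MHz block" >&2; return 1
}

# Manual equivalent of "airmon-ng start <iface>" plus a channel change,
# followed by a check that the interface really reports type monitor.
monitor_up() {
    iface=$1; ch=$2
    ifconfig "$iface" down
    iwconfig "$iface" mode monitor
    ifconfig "$iface" up
    iw dev "$iface" info | grep -q 'type monitor' || {
        echo "$iface did not enter monitor mode" >&2; return 1; }
    if [ "$ch" -ge 36 ]; then
        iw "$iface" set freq "$(chan_to_freq "$ch")" 80 "$(center80 "$ch")"
    else
        iw "$iface" set channel "$ch" HT40-
    fi
}

# Usage (as root): monitor_up wlan0 149
```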
In order to test the wlan0 device with airodump-ng, you will need to run the following command:
$ airodump-ng wlan0 --band abg
The command below is a more encompassing variant: it scans all bands across 2.4 and 5 GHz, looks up the manufacturer from the IEEE OUI, gives a best guess of the access point's uptime, and writes the captured beacons to a file.
$ airodump-ng wlan0 --band abg -M -U --wps --beacons -w wireless_output_file
# ifconfig wlan0
# aireplay-ng wlan0 -9
# 10:09:24 Trying broadcast probe requests..
The final command discussed in this blog post is how to use aireplay-ng to test packet injection with our newly purchased Alfa card. The options of aireplay-ng are shown below.
root@kali:~# aireplay-ng | more
Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
https://www.aircrack-ng.org

usage: aireplay-ng <options> <replay interface>

Filter options:
    -b bssid  : MAC address, Access Point
    -d dmac   : MAC address, Destination
    -s smac   : MAC address, Source
    -m len    : minimum packet length
    -n len    : maximum packet length
    -u type   : frame control, type field
    -v subt   : frame control, subtype field
    -t tods   : frame control, To DS bit
    -f fromds : frame control, From DS bit
    -w iswep  : frame control, WEP bit
    -D        : disable AP detection
The command below tests injection against a particular SSID from the wlan0 interface that we set up earlier.
kali:~# aireplay-ng -D --test -e ssid -a P4:E4:E4:92:60:71 wlan0
10:53:27  Trying broadcast probe requests...
10:53:29  No Answer...
10:53:29  Found 1 AP
10:53:29  Trying directed probe requests...
10:53:29  P4:E4:E4:92:60:71 - channel: 0 - 'shameless-karma!'
10:53:29  Ping (min/avg/max): 0.914ms/2.795ms/5.201ms Power: -37.61
10:53:29  28/30:  93%
10:53:29  Injection is working!
This was meant to be a quick post on manually configuring the wireless card when airmon-ng fails to work with newer chipsets. Hopefully you will be able to use it as a reference going forward. Until next time, keep grabbing all the packets from the air!