Aircrack-ng forum


Topic: USB WiFi Adapters with 5GHz 802.11n/ac Support?

Craig

USB WiFi Adapters with 5GHz 802.11n/ac Support?
« on: July 29, 2014, 04:36:47 pm »

Greetings,

I am trying to do wireless captures on 5GHz using USB adapters. The USB constraint is because I'm wanting to monitor multiple channels simultaneously, but I'm open to other cost-effective methods for simultaneous monitoring.

I can get some adapters to work for 802.11a and 2.4GHz 802.11n, but I have yet to find a solution for 5GHz 802.11n or 802.11ac. I've done extensive Google searching to try to find an adapter that will work, but to no avail. I then purchased a number of different devices with different chipsets hoping to find something that would work. Thus far, I have only negative results.

With this post, I am hoping to 1) inform the community on adapter chipsets that do not appear to work and 2) find out if anyone has suggestions on what will work.

The following are the pieces of hardware, each of which is dual band and supports 5GHz, that I have tried with annotations describing what does not work:

1. Alfa Networks AWUS051NH (chipset: Ralink RT2770/Ralink RT2750)

It can see everything in 2.4 GHz very well. It also looks like it can see packets in 5GHz if they use 802.11a. It also appears to be able to see beacons and RTS/CTS control packets for 802.11n networks in 5GHz, but I have a hunch it is actually using 802.11a for those control packets. Oddly, if I target a Mac laptop using an 802.11n network on 5GHz, if I hold down the option key on the target and click on my WiFi icon in the system tray, I can see data carrying packets for that network (and they appear to be labeled as 802.11a in Wireshark). However, I otherwise do not see traffic for 802.11n in 5GHz.

2. TP-Link TL-WN821N (chipset: Atheros AR9002U-2NG)

Exact same behavior as in (1).

3. EDIMAX EW-7811UTC AC600 (chipset: Realtek RTL8811AU)

Exact same behavior as in (1).

4. Rosewill N900UBE (chipset: Ralink RT3573)

Using rt3573sta Linux driver, the device does not support monitor mode (gives "invalid argument" in "iwconfig (interface) mode monitor" command).

5. Rosewill AC1200UBE (chipset: Realtek RTL8812AU)

Using the 8812au Linux driver, the device does not support monitor mode (gives "invalid argument" in "iwconfig (interface) mode monitor" command).


I'll note that the Realtek RTL8812AU chipset seems ubiquitous in the current 802.11ac USB WiFi adapters on the market, from the most inexpensive models to the rather pricey ones. But, it appears monitor mode is a no-go in it.

I was a little concerned that the hardware may not support a sufficient number of spatial streams for keeping up with the 5GHz traffic. However, when I check, the target device is using MCS index 15 in 5GHz, which has only two spatial streams, and is still not being seen. The Alfa adapter is listed as "abgn, 1x2:2" on https://wikidevi.com/wiki/ALFA_Network_AWUS051NH , which would seem to imply it has two streams. But, all of this is a bit out of my area, so correct me if I'm wrong.

Does anyone have any thoughts or suggestions?

Thanks,


-- Craig

misterx

  • Aircrack-ng Author
  • Administrator
Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #1 on: July 29, 2014, 10:21:10 pm »

Have you tried Kali/Pentoo and airmon-ng? Some of the adapters you mention got open source drivers in recent kernels.

Craig

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #2 on: July 30, 2014, 12:36:20 am »

Thanks misterx!

I am using Ubuntu 14.04, which should have a relatively recent kernel. I'm certainly willing to try a different distro, though. Are the drivers specific to the Kali/Pentoo distros or are they in-kernel? It is very possible that I'm not using the latest driver. Did you have a suggestion on which adapter/chipset I should focus on?

Thanks again!


-- Craig

misterx

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #3 on: July 30, 2014, 01:08:20 am »

If you install Kali and update it, it will have a 3.14 kernel which is more recent than on Ubuntu (try a VM since those adapters are USB).

Make sure to use airmon-ng or airmon-zc since iwconfig is deprecated. If you want to use wireless tools, then use 'iw'.

Craig

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #4 on: July 31, 2014, 02:19:03 pm »

Hi misterx et al.,

I've reached my next roadblock (a recognized adapter in monitor mode, but it sees nothing). Below is what I've tried.

I installed Kali 1.0.8 on a VM using VirtualBox. I updated with apt-get and indeed was running the 3.14 kernel (Ubuntu was 3.13). I obtained and compiled the latest Linux backports ( http://www.kernel.org/pub/linux/kernel/projects/backports/stable/v3.16-rc5/backports-3.16-rc5-1.tar.xz ), installed the latest Linux headers (apt-get install linux-headers-`uname -r`), and installed ncurses (apt-get install ncurses-dev) which is required to display the ncurses menu in the backports installation. I then followed the instructions to install the Backports ( https://backports.wiki.kernel.org/index.php/Documentation ). In the "make menuconfig" step, under Wireless LAN, there is "Ralink driver support" submenu, which has an experimental option under rt2800usb for the RT3573 chipset (matching the Rosewill N900UBE device I mentioned earlier). I selected it, completed the compilation/installation, and rebooted.

Upon reboot, I was able to see the device in ifconfig and it showed up without errors in dmesg. Using airmon-ng, I was able to successfully set it into monitor mode (which was the previous roadblock with the STA; apparently STA drivers never do). However, when I used "aireplay-ng -9" on the interface (I tried both "mon0" and "wlan0"), it was unable to see anything (Found 0 APs). Wireshark also showed nothing, despite being next to a very chatty wireless box on the same channel. Kali has a post dedicated to such issues ( http://docs.kali.org/troubleshooting/troubleshooting-wireless-driver-issues ), but I tried each of the steps indicated (e.g., ran "airmon-ng check kill" and looked for pending rfkill signals), but to no avail. It also suggests to "Check [...] any hardware switches and BIOS options" but gives no advice on what that means (and I saw nothing relevant in the VBox hypervisor settings). The only other possibly relevant point on that page was that "firmware might be missing" (listed in Step 2), but I don't know how to go about checking or remedying that, or even if that's at issue since I could set the adapter into monitor mode.

I seem to be stumped on the RT3573. I'm thinking about trying it outside a VM to see if VBox is somehow getting in the way on the USB connection.

It looks like backports has the driver for Ralink RT3573, but it does not (currently) have Realtek RTL8811AU or Realtek RTL8812AU support (the latter was previously discussed at http://forum.aircrack-ng.org/index.php?topic=330.0 , but the OP appeared to abandon the thread). It looks like the best option for that chipset may be via https://github.com/gnab/rtl8812au or https://github.com/abperiasamy/rtl8812AU_8821AU_linux/ . Some guys in the Raspberry Pi forum ( http://www.raspberrypi.org/forums/viewtopic.php?f=66&t=66499 ) reported some success with it, though an earlier comment indicated that it also may not support monitor mode. I'll give it another swing and see where I get.

I only need one of these to pan out and be able to capture the 802.11n 5GHz traffic. I do not need a resolution on both (hey, I'm not greedy). I'm becoming more and more convinced that the device needs to have at least as many spatial streams as the transmitter. If I'm trying to target my Macbook pro using MCS 15 (2 spatial streams), my monitoring device better have at least two spatial streams, e.g. 2x2:2 or 3x3:3 (viewers at home, decode 2x2:2 as "two transmit antennas, two receiver antennas, and two spatial streams" in that order; c.f. http://www.motorolasolutions.com/web/Business/_Documents/White%20Paper/_Static%20files/80211ac_White_Paper_0712-web.pdf ). But despite some rather extensive searching, I've not found any 2x2:2 or 3x3:3 USB chipsets/devices that have been shown to work. If anyone has ideas there, I'm all ears. Any solution for multi-stream on USB would seem to be a big win for the community.

Thoughts?


-- Craig
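
The capability check that the `iw` advice in Reply #3 and the spatial-stream reasoning in Reply #4 point to, as an added example that is not part of the original posts: it parses `iw list` text and reports why a radio could not capture a given HT MCS on a given frequency. The sample text is constructed, the function names are hypothetical, and the result only reflects what the driver advertises.

```python
import re

# Constructed text in the layout `iw list` prints for one wiphy (not a real adapter).
SAMPLE_IW_LIST = """\
Wiphy phy1
    Supported interface modes:
         * managed
         * monitor
    Band 1:
        HT TX/RX MCS rate indexes supported: 0-15
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2462 MHz [11] (20.0 dBm)
    Band 2:
        HT TX/RX MCS rate indexes supported: 0-7
        Frequencies:
            * 5180 MHz [36] (20.0 dBm)
            * 5240 MHz [48] (20.0 dBm)
            * 5745 MHz [149] (disabled)
"""

def ht_streams(mcs):
    """Spatial streams used by an 802.11n (HT) MCS index 0-31."""
    if not 0 <= mcs <= 31:
        raise ValueError("HT MCS index must be 0-31")
    return mcs // 8 + 1

def parse_iw_list(text):
    """Return (interface modes, {band: {'mcs': set, 'mhz': list}}) for one wiphy."""
    modes, bands, band, in_modes = set(), {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("*"):      # a heading line opens or closes the modes list
            in_modes = line.startswith("Supported interface modes")
        if in_modes and line.startswith("* "):
            modes.add(line[2:])
        elif re.fullmatch(r"Band \d+:", line):
            band = bands.setdefault(line[:-1], {"mcs": set(), "mhz": []})
        elif band is not None:
            m = re.match(r"HT (?:TX/)?RX MCS rate indexes supported: (.+)", line)
            if m:                         # e.g. "0-15" or "0-7, 32"
                for part in m.group(1).split(","):
                    lo, _, hi = part.strip().partition("-")
                    band["mcs"].update(range(int(lo), int(hi or lo) + 1))
            f = re.match(r"\* (\d+) MHz \[\d+\](.*)", line)
            if f and "disabled" not in f.group(2):
                band["mhz"].append(int(f.group(1)))
    return modes, bands

def can_capture(text, freq_mhz, target_mcs):
    """Return the reasons capture would fail; an empty list means none were found."""
    modes, bands = parse_iw_list(text)
    reasons = []
    if "monitor" not in modes:
        reasons.append("driver does not advertise monitor mode")
    band = next((b for b in bands.values() if freq_mhz in b["mhz"]), None)
    if band is None:
        reasons.append(f"{freq_mhz} MHz is not an enabled frequency")
    elif target_mcs not in band["mcs"]:
        have = max((ht_streams(m) for m in band["mcs"] if m <= 31), default=0)
        reasons.append(f"MCS {target_mcs} needs {ht_streams(target_mcs)} spatial "
                       f"streams, adapter receives {have} on this band")
    return reasons
```

On a live system the text would come from `iw list` run against the adapter under test.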

Craig

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #5 on: July 31, 2014, 08:02:59 pm »

Hi all,

I continued my experiments with the Kali 1.0.8 VM and the Ralink RT3573 device. It experienced very strange behavior. After running airmon-ng check kill, if I started packet sniffing on channel 1 ("airmon-ng start wlan0 1"), it would see traffic on channel 1. But, if I did an injection test (e.g. "aireplay-ng 9 wlan0"), it would find things on Channel 1 and Channel 2. If I used wireshark on the mon0 it created, I would see packets associated with the wireless networks on Channel 1. So that seemed successful. However, when I moved to Channel 11, which is where my target network transmits, nothing worked at all. When I stopped the device, removed the monitor interfaces, and started again on Channel 1, it would occasionally show packet captures from Channel 11 in Wireshark. Unless anyone else has an explanation for this, I'll chalk it up to "strange virtualized behavior" and move on.

My next stop was my physical machine (the beloved Ubuntu 14.04 box). I inserted the Ralink RT3573 device and used airmon-ng with it. This time, it successfully started in monitor mode. It performed admirably in the 2.4GHz channel. However, when I switched it (and the target network) to 5GHz, it could see beacons from my network router, but it could not see the data carrying packets between the laptop and the router. Effectively, it acted identically to devices 1, 2, and 3 from my original post.

I worked with the RTL8812AU some more. I installed the 8812au Linux driver from before ( https://github.com/gnab/rtl8812au ) and ran the airmon-ng command on it. Below is the output:

Code:
root@Machine:~# airmon-ng start wlan0 48


Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID Name
25467 wpa_supplicant
25846 avahi-daemon
25847 avahi-daemon
25872 NetworkManager
25896 dhclient


Interface Chipset Driver


root@Machine:~#

Upon doing so, the corresponding output was inserted into dmesg:

Code:
[94460.327860] RTL871X: _rtw_pwr_wakeup call ips_leave....
[94460.327868] RTL871X: ==>ips_leave cnts:5
[94460.327870] RTL871X: ===>  rtw_ips_pwr_up..............
[94460.327876] RTL871X: ===> ips_netdrv_open.........
[94460.328312] RTL871X:  power-on :REG_SYS_CLKR 0x09=0xb0. REG_CR 0x100=0xea.
[94460.328316] RTL871X:  MAC has not been powered on yet.
[94460.397565] RTL871X:  ===> FirmwareDownload8812() fw source from Header.
[94460.397573] RTL871X:  ===> FirmwareDownload8812() fw:Firmware for NIC, size: 31396
[94460.397577] RTL871X: FirmwareDownload8812: fw_ver=15 fw_subver=0 sig=0x9501
[94460.454197] RTL871X: _FWFreeToGo8812: Checksum report OK! REG_MCUFWDL:0x00070704
[94460.455426] RTL871X: =====> _8051Reset8812(): 8051 reset success .
[94460.484662] RTL871X: _FWFreeToGo8812: Polling FW ready success!! REG_MCUFWDL:0x000707c6
[94460.484670] RTL871X: rtl8812au_hal_init: Download Firmware Success!!
[94460.511547] RTL871X: ===> phy_BB8812_Config_ParaFile() EEPROMRegulatory 0
[94460.864981] RTL871X: pDM_Odm TxPowerTrackControl = 1
[94461.058892] RTL871X: MAC Address from REG_MACID = 68:1c:a2:08:11:04
[94461.058897] RTL871X: rtl8812au_hal_init in 732ms
[94461.058909] RTL871X: <===  rtw_ips_pwr_up.............. in 732ms
[94461.058910] RTL871X: nolinked power save leave
[94461.059014] RTL871X: ==> ips_leave.....LED(0x00282828)...
[94461.524792] RTL871X: rtw_wx_get_rts, rts_thresh=2347
[94461.524797] RTL871X: rtw_wx_get_frag, frag_len=2346
[94461.537450] RTL871X: rtw_wx_get_rts, rts_thresh=2347
[94461.537455] RTL871X: rtw_wx_get_frag, frag_len=2346
[94461.707255] RTL871X: OnAction_p2p
[94461.785109] RTL871X: OnAction_p2p
[94465.891794] RTL871X: survey done event(50)
[94467.072606] RTL871X: ==>rtw_ps_processor .fw_state(8)
[94467.072617] RTL871X: ==>ips_enter cnts:6
[94467.072622] RTL871X: nolinked power save enter
[94467.072626] RTL871X: ===> rtw_ips_pwr_down...................
[94467.072629] RTL871X: ====> rtw_ips_dev_unload...
[94467.096416] RTL871X: usb_read_port_cancel
[94467.096704] RTL871X: usb_read_port_complete() RX Warning! bDriverStopped(0) OR bSurpriseRemoved(0) bReadPortCancel(1)
[94467.096972] RTL871X: usb_read_port_complete() RX Warning! bDriverStopped(0) OR bSurpriseRemoved(0) bReadPortCancel(1)
[94467.097218] RTL871X: usb_read_port_complete() RX Warning! bDriverStopped(0) OR bSurpriseRemoved(0) bReadPortCancel(1)
[94467.097468] RTL871X: usb_read_port_complete() RX Warning! bDriverStopped(0) OR bSurpriseRemoved(0) bReadPortCancel(1)
[94467.097486] RTL871X: usb_write_port_cancel
[94467.097507] RTL871X: ==> rtl8812au_hal_deinit
[94467.102227] RTL871X: =====> _8051Reset8812(): 8051 reset success .
[94467.108706] RTL871X: <=== rtw_ips_pwr_down..................... in 36ms

At that point, the device remained out of monitor mode and no monitor tap was created. Interestingly, the 8812au adapter worked fine to connect to the router on channel 48 and seemed to have reasonable performance.

As a sanity check, I used the Macbook Pro I was targeting and put it into monitor mode and it correctly captured the traffic from the Ubuntu box (it shows up with frequency 5240 with an MCS index of 12, which is how the router was configured for both). But, staring at the two pcaps, the only difference appears to be that one has the QoS Data and the other does not. I'm happy to share the pcaps if that would help.

Thoughts?


-- Craig
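
The pcap comparison described in Reply #5, as an added example that is not part of the original post: it reads each frame's radiotap header to tell legacy-rate frames from HT (802.11n MCS) frames and counts the HT data frames in a capture. The frames are constructed byte strings laid out as in a radiotap capture (link type 127), and the helper names are hypothetical.

```python
import struct
from collections import Counter

# (alignment, size) of the radiotap fields for present-bits 0..19, in order.
FIELDS = [(8, 8), (1, 1), (1, 1), (2, 4), (2, 2), (1, 1), (1, 1), (2, 2),
          (2, 2), (2, 2), (1, 1), (1, 1), (1, 1), (1, 1), (2, 2), (2, 2),
          (1, 1), (1, 1), (4, 8), (1, 3)]
RATE_BIT, MCS_BIT = 2, 19
KINDS = {(0, 8): "Beacon", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
         (2, 0): "Data", (2, 8): "QoS Data"}

def classify(frame):
    """Return (phy, kind) for one radiotap-encapsulated 802.11 frame."""
    _ver, _pad, hdr_len, present = struct.unpack_from("<BBHI", frame, 0)
    off, word = 8, present
    while word & (1 << 31):                  # skip chained present words
        (word,) = struct.unpack_from("<I", frame, off)
        off += 4
    phy = "unknown"
    for bit, (align, size) in enumerate(FIELDS):
        if not present & (1 << bit):
            continue
        off = -(-off // align) * align       # fields are naturally aligned
        if bit == RATE_BIT:
            phy = f"legacy {frame[off] * 0.5:g} Mb/s"   # units of 500 kb/s
        elif bit == MCS_BIT and frame[off] & 0x02:      # "MCS index known"
            phy = f"HT MCS {frame[off + 2]}"
        off += size
    fc0 = frame[hdr_len]                     # first Frame Control octet
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    return phy, KINDS.get((ftype, subtype), f"type {ftype} subtype {subtype}")

def tally(frames):
    """Count frames per (phy, kind) pair."""
    return Counter(classify(f) for f in frames)

def ht_data_frames(frames):
    """Number of data frames that were received at an HT MCS rate."""
    return sum(n for (phy, kind), n in tally(frames).items()
               if phy.startswith("HT") and kind.endswith("Data"))

def _frame(present, fields, fc0):
    """Build a constructed test frame: radiotap header plus a dummy 802.11 body."""
    hdr = struct.pack("<BBHI", 0, 0, 8 + len(fields), present) + fields
    return hdr + bytes([fc0, 0]) + bytes(22)

CHAN_48 = struct.pack("<HH", 5240, 0x0140)   # 5240 MHz, OFDM | 5 GHz
BEACON = _frame(0x0000000E, bytes([0, 12]) + CHAN_48, 0x80)
RTS = _frame(0x0000000E, bytes([0, 48]) + CHAN_48, 0xB4)
QOS_HT = _frame(0x0008000A, bytes([0, 0]) + CHAN_48 + bytes([0x07, 0, 12]), 0x88)

ADAPTER_CAPTURE = [BEACON, RTS, BEACON]          # constructed: USB adapter
REFERENCE_CAPTURE = [BEACON, QOS_HT, QOS_HT]     # constructed: reference sniffer

if __name__ == "__main__":
    for name, cap in (("adapter", ADAPTER_CAPTURE), ("reference", REFERENCE_CAPTURE)):
        print(name, dict(tally(cap)), "HT data frames:", ht_data_frames(cap))
```

A capture that shows only legacy-rate beacons and control frames while the reference shows HT MCS data frames on the same channel indicates the adapter or driver is not delivering HT frames in monitor mode.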

chinese_ys

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #6 on: September 03, 2014, 01:57:57 am »

Just wondering if you got the RTL8812AU working with the monitoring/cracking test? I got an ASUS USB-AC56 adaptor from work which has the same Realtek RTL8812AU chipset. I need to perform similar WiFi analysis on 802.11ac with it...

Correct me if I am wrong, I do not think it will make a huge difference to upgrade to the latest Kali Linux, right?

James

  • Guest
Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #7 on: September 08, 2014, 09:27:38 pm »

Hi there!

I just got a TP-Link Archer T4U dongle which uses the Realtek rtl8812au and I am about to pull my hair. How the heck am I supposed to install this in Kali Linux to successfully operate it in monitor mode? I have followed all the instructions from the link and installed the GitHub repo... no luck.

Help please! Would be great if the devs at Kali Linux added this driver to the kernel.

James

dilipkumarstar

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #8 on: October 11, 2014, 07:21:14 am »

@James

The TP-Link Archer T4U is a new model and supports the 802.11ac standard.

More 802.11ac wireless USB adapters are coming to the market all the while.

Maybe future releases of Kali will add 802.11ac standard adapters to the kernel.

I like this one http://www.amazon.com/Alfa-Long-Range-Dual-Band-Removable-Connections/dp/B00MX57AO4  ;)

SaltwaterC

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #9 on: October 23, 2014, 04:05:36 pm »

Hi,

I am pulling my hair out with the same problem as Craig.

ALFA AWUS051NH / RT2770 / rt2800usb

It can finally see some 802.11n traffic over 5GHz, but the stability is a minefield. Tested it with the latest backports package (3.17-rc3-1) and the mac80211.compat08082009.wl_frag+ack_v1.patch on an up-to-date Kali.

What it can do:

- capture WPA handshakes (checked with aircrack-ng and a dict containing the actual passphrase to validate the capture)

What it can't do:

- inject (no AP detected when running aireplay-ng -9 mon0)
- deauth (it crashes airodump-ng and the driver)
- properly change channels (started to dump on channel 36, then moved on to channel 40, then went back to channel 36 - no more stations in airodump-ng, had to reload the rt2800usb module)

Basically it can only be used for a completely passive attack against WPA/WPA2, therefore one needs patience to capture a handshake. Besides the usual Wi-Fi junk and the handshake, I can't see actual data packages in the capture. Still an improvement from the initial driver included in Kali which couldn't even see the associated stations or capture handshakes. The 802.11ac stations also show up, but they don't appear in airodump-ng as associated to the AP.

Netis WF2190 / RTL8812AU / 8812au

Used the 4.3.8 GPL driver from Realtek which has no monitor support. It's beyond me how Realtek can actually write GPL drivers, but can not be bothered to contribute a driver that follows the current mac80211 stack. In fact, I'm surprised that the OP got EDIMAX EW-7811UTC going as from my understanding RTL8811AU is basically the 1x1:1 version of RTL8812AU.



As I already have 5 USB adapters, I guess it wouldn't hurt to get an OvisLink AirLive X.USB-3 (AR9001U-2NX / AR9170 AR9104 / carl9170 driver) which is also a dual-band adapter and the chipset isn't included in the list provided by Craig. It would be to find some information about it though. Other than this, I couldn't find any other 802.11abgn chipset that's old enough to be supported and it doesn't show up as being broken under 5GHz.

Thanks,
SaltwaterC

winst

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #10 on: February 06, 2015, 12:46:03 am »

Is there any adapter on the market with 5GHz 802.11n/ac support compatible with aircrack-ng and the recent version of Kali?

If not, is there any chance that such a device will be available soon?

Is it possible to modify RTL8812AU vendor's driver sources to make it work with aircrack-ng?

Thank you.

joedirgy

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #11 on: November 09, 2016, 04:31:18 pm »

I do not mean to bring back a potentially dead thread but as far as I can tell there still appear to be no solutions to this problem? Perhaps someone out there may know?

misterx

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #12 on: November 09, 2016, 05:47:33 pm »

Atheros Minipcie (ath9k)

joedirgy

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #13 on: November 10, 2016, 04:10:41 pm »

From a couple of Google searches, it looks like the form factors are all PCI based. Is there a USB solution?

misterx

Re: USB WiFi Adapters with 5GHz 802.11n/ac Support?
« Reply #14 on: November 10, 2016, 05:24:00 pm »

ath9k_htc can do capture if you know what you're doing. Or Airpcap on Windows.