This all started when looking for random wireless kit in the local trading rag after getting jacked trying to get SD storage working on a WRT54GL running Kamikaze. After locating kit and getting model numbers, I would head over to http://openwrt.org/ and check the support status. While doing this I came across some 802.11n APs, which triggered more searching and ultimately led me to http://wireless.kernel.org/en/users/Drivers/ar9170. What, you can sniff 802.11n from USB adapters? Let's try some of this.
1] Acquiring hardware
Yep, after checking the list of supported devices, I found a shop that was doing TP-Link TL-WN821Ns for $50AUD. No idea what hardware version they stocked, but I headed on down to the shop and grabbed a v2 adapter. The dude pulled a v1 off the shelf so words were exchanged and a v2 was located. Hey, v2 was on the list...
2] Initial run-up
Being a fan of Backtrack, that was the distro I plugged my shiny new adapter into and guess what, no joy. Bit of research and found that BT4 didn't support the v2 hardware in its ar9170usb driver. Commands used to confirm the fail...
List USB device information:
# lsusb
[SNIP]
Bus 002 Device 003: ID 0cf3:1002 Atheros Communications, Inc.
List supported devices from the ar9170usb device driver (note that the v2 adapter's ID 0cf3:1002 is not among the aliases):
# modinfo ar9170usb
filename: /lib/modules/2.6.30.5/kernel/drivers/net/wireless/ar9170/ar9170usb.ko
firmware: ar9170-2.fw
firmware: ar9170-1.fw
description: Atheros AR9170 802.11n USB wireless
license: GPL
author: Christian Lamparter
author: Johannes Berg
alias: usb:v04BBp093Fd*dc*dsc*dp*ic*isc*ip*
alias: usb:v2019p5304d*dc*dsc*dp*ic*isc*ip*
alias: usb:v083ApF522d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CDEp0026d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CDEp0023d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0586p3417d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0ACEp1221d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0846p9001d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0846p9010d*dc*dsc*dp*ic*isc*ip*
alias: usb:v07D1p3C10d*dc*dsc*dp*ic*isc*ip*
alias: usb:vCACEp0300d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CF3p1001d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CF3p9170d*dc*dsc*dp*ic*isc*ip*
depends: mac80211,led-class
vermagic: 2.6.30.5 SMP mod_unload 686
parm: nohwcrypt:Disable hardware encryption. (bool)
3] More hardware
Weighing up the time to build recent code vs another trip to the shop to get the v1 TP-Link adapter, I opted to fork out cash. You can never have enough wireless adapters, right? So now I have two TP-LINK TL-WN821N adapters...
# lsusb
[SNIP]
Bus 002 Device 003: ID 0cf3:1002 Atheros Communications, Inc.
Bus 002 Device 002: ID 0cf3:9170 Atheros Communications, Inc. AR9170 802.11
At least I get a hit on a supported device.
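The two lsusb runs above boil down to one check: is the adapter's vendor:product ID among the usb:vVVVVpPPPP aliases the driver module declares? The script below automates that check. It is an added example, not from the original post; the sample lsusb and modinfo lines are constructed from the output shown above, and on a live box you would feed it the real output of lsusb and of modinfo for the driver.

```shell
#!/bin/sh
# Constructed sample input, copied from the lsusb / modinfo output above.
# Live equivalents: LSUSB_SAMPLE=$(lsusb); ALIAS_SAMPLE=$(modinfo ar9170usb | grep '^alias')
LSUSB_SAMPLE='Bus 002 Device 003: ID 0cf3:1002 Atheros Communications, Inc.
Bus 002 Device 002: ID 0cf3:9170 Atheros Communications, Inc. AR9170 802.11'
ALIAS_SAMPLE='alias: usb:v0CF3p1001d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CF3p9170d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0846p9001d*dc*dsc*dp*ic*isc*ip*'

# is_supported VENDOR PRODUCT ALIASES
# Returns 0 if the module declares a usb:vVENDORpPRODUCT alias, 1 otherwise.
# lsusb prints IDs in lower case while modinfo aliases are upper case, so normalise.
is_supported() {
    vid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    pid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    printf '%s\n' "$3" | grep -q "usb:v${vid}p${pid}d"
}

# check_devices LSUSB_TEXT ALIASES
# Prints one line per USB device: "<vendor>:<product> supported" or
# "<vendor>:<product> NOT supported by this driver build".
check_devices() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        # Pull the "vvvv:pppp" pair out of an lsusb line; skip lines without one.
        id=$(printf '%s' "$line" | sed -n 's/.* ID \([0-9a-fA-F]*\):\([0-9a-fA-F]*\).*/\1:\2/p')
        [ -n "$id" ] || continue
        if is_supported "${id%:*}" "${id#*:}" "$2"; then
            echo "$id supported"
        else
            echo "$id NOT supported by this driver build"
        fi
    done
}

# Run against the constructed samples: the v2 adapter (0cf3:1002) is flagged as
# unsupported, the v1 adapter (0cf3:9170) matches an alias.
check_devices "$LSUSB_SAMPLE" "$ALIAS_SAMPLE"
```

A miss here means the module in that kernel build simply never binds to the device, which is exactly the silent "no joy" seen on BT4, so running this before spinning up iw or kismet saves a lot of head scratching.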
4] Run up take II
Now assuming I had supported hardware good to go, I attempted to get some acknowledgment from the OS that it had something plugged in. Learned the iw command backwards but couldn't get anything working. Ref: http://wireless.kernel.org/en/users/Documentation/iw. At one stage I was looking at building my own ar9170 firmware using the SH2 toolchain... wtf... Not having a late 2.6 kernel handy at the time, opted for something else, gentoo...
5] OS build - Gentoo
Not going into details here, I started building gentoo on an eeePC 1000H. Let's just say I ended up with a kernel with a supported ar9170usb module, but this time I actually downloaded the firmware files from the links on this page: http://wireless.kernel.org/en/users/Drivers/ar9170 and put them into the appropriate location. Gentoo is hard work... emerge... wtf. Using the iw command, I could set up some monitor interfaces, pointed kismet at them and started sniffing. Also, since I was running the latest kernel, drivers, etc. I found I had support for both versions of the adapter hardware... yeeharr...
iw commands went something like:
# iw phy phy0 interface add moni0 type monitor
# iw phy phy1 interface add moni1 type monitor
6] Sniffing
Living in a very lightly populated wireless area, one of the first things I did was take it for a drive to get a feel for what it would pick up. Found that the card would take quite a few bad reads, which can be identified by random MAC addresses, corrupt SSIDs, etc. I sat it at work all day just to see the number of detected networks keep ticking over. I would get the occasional bad read running kismet and Alfas (802.11g) but not at this volume.
7] Fedora
So I parked it for a while, until Fedora 12 came along. Different laptop, standard build, uploaded all three pieces of firmware, svn kismet, iw command for monitor interface and cranked it up. Additions to Fedora went along the lines of:
Kismet
# mkdir /pentest/svn
# cd /pentest/svn
# svn co https://www.kismetwireless.net/code/svn/trunk kismet-devel
# yum install libpcap-devel.x86_64
# yum install libnl-devel.x86_64
# cd kismet-devel
# ./configure --prefix=/pentest/wireless/kismet 2>&1|tee make.conf.1
# make dep
# make 2>&1|tee make.out.1
# make install 2>&1|tee make.install.1
AirCrack-NG
# cd /pentest/svn
# svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
# cd aircrack-ng/
# make 2>&1|tee make.out.1
# make install 2>&1|tee make.install.1
Giskismet
# cd /pentest/svn
# svn co https://my-svn.assembla.com/svn/giskismet/trunk giskismet
# cd giskismet
# yum install perl-libxml-perl.noarch
# yum install libxml.x86_64
# yum install libdbi.x86_64
# yum install libdbi-dbd-sqlite.x86_64
# yum install perl-DBD-SQLite.x86_64
# yum install perl-XML-LibXML.x86_64
# perl Makefile.PL
# make 2>&1|tee make.out.1
# make install 2>&1|tee make.install.1
Random
# yum install macchanger.x86_64
# yum install gpsd.x86_64
# yum install dsniff.x86_64
# yum install wireshark.x86_64
I guess the drivers are getting better because the volume of bad reads is well down.
8] Bt4 fail
I went back to BT4, downloaded the two bits of firmware the module wanted and plugged in the v1 TP-Link adapter. Spun up kismet and watched mass packet carnage. At my place I sit in a room and usually pick up 2 APs, one of which is mine. After 5 minutes on BT4 I have 10 different variations of my SSID with random MACs all over the place. So far, Fedora has worked the best, I guess because of the more recent code...
TODO:
- Get an 802.11n AP, hook up a legit client and work out how to set channel width for optimal monitoring. (more reading required, wtf channel width). The iw command lets you set it...
- Packet injection on the what now...
- Find out what the hell is the QSS thing is on the side of the TL-WN821N v2 adapter. (scratch that, QSS thing is a button for Quick Secure Setup)
exit 0
Hi,
What is the driver name you used on kismet config? Is it madwifi?
Regards,
Alan
Hey did you ever get 802.11n sniffing working?
I too want to know how to get 802.11n sniffing working in kismet, specifically, WHAT cards actually work! I'd pay a premium if I just knew of a solid card or chipset.
The read errors you speak of are annoying, but can be eliminated by using the option "validatefcs=true" when adding a source in kismet. See the README for more info about it.
Great writeup, but let's hear the end of it!