Devices with built-in Wireless Adapters are usually fine for accessing local networks such as at home or in the office plus WiFi Hotspots when out in public areas, such as coffee shops or airports, in order to gain access to the Internet.
When penetration testing other devices on a corporate network, or even attempting to gain access to a network itself, these built-in Wireless Adapters are fine for basic vulnerability scanning, but they frequently lack two key features: Monitor Mode and Packet Injection.
Monitor Mode, also known as RFMON (Radio Frequency MONitor), allows all traffic on a wireless channel to be monitored without having to associate with (i.e. connect to) an Access Point or network.
Uses for Monitor Mode include packet analysis, observing traffic, and gaining knowledge of the WiFi technology in use.
When in Monitor Mode the Wireless Adapter is usually unable to transmit and is restricted to the single wireless channel to which it is tuned.
Whilst capturing packets the Wireless Adapter does not check whether the CRC (Cyclic Redundancy Check) values are correct, so some captured packets may be corrupt.
Packages such as Airodump-ng and Aireplay-ng require Wireless Adapters to be placed in Monitor Mode in order to operate:
- Airodump-ng – captures raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for later use with aircrack-ng.
- Aireplay-ng – generates traffic for later use by aircrack-ng in cracking WEP and WPA-PSK keys.
Packet Injection is the process of interfering with an existing network connection by crafting packets that appear to be part of a normal communication stream. It is commonly used in MITM (Man In The Middle) attacks and DoS (Denial of Service) attacks.
MITM attacks can be used to intercept data and steal login credentials, credit card details etc., whilst DoS attacks are usually aimed at disrupting websites or other network or online services, even to the point of making them crash, and then circumventing their security.
Data can be protected from Packet Injection via encryption and in particular using a VPN (Virtual Private Network).
Example MITM attack
A simple MITM attack is ARP Spoofing, which can be carried out using the package ‘arpspoof’. ARP (Address Resolution Protocol) maps an IP address (an address assigned to a device by, for example, the network router) to a MAC address (the unique physical address of a hardware device such as a Wireless Adapter or Ethernet Card).
ARP Requests are broadcast to all devices on a network asking who has a particular IP address, and only that device responds with its MAC address.
An ARP Spoofing attack can then be carried out to get a device on the network to send requests to the attacker instead of the Router. Below are example commands to redirect the target’s traffic via our computer rather than to the AP (Access Point) or Router:
Syntax: arpspoof -i [interface] -t [clientIP] [gatewayIP]
Tells the target I am the AP (1st window): arpspoof -i wlan0 -t 192.168.1.7 192.168.1.1
Syntax: arpspoof -i [interface] -t [gatewayIP] [clientIP]
Tells the AP I am the target (2nd window): arpspoof -i eth0 -t 192.168.1.1 192.168.1.7
In addition to the above it may be necessary to enable IP forwarding on Linux machines (as root) so that the redirected traffic is still passed on to its destination:
echo 1 > /proc/sys/net/ipv4/ip_forward
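As an added example, not part of the original post, here is a stdlib-only Python detector for the ARP spoofing exchange shown above. It parses Ethernet/ARP frames, learns which MAC first answered for each IP, and raises an alert when the gateway or client IP is later claimed by a different MAC. The IP addresses are the ones from the post; the MAC addresses and the frames themselves are constructed inline so it runs offline.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP 'is-at' reply frame (test data, not captured traffic)."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (sender_mac, sender_ip, opcode) for an ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    return mac_str(sha), ip_str(spa), op

def detect_spoofing(frames):
    """Learn IP->MAC from ARP replies; alert when an IP is later claimed by a different MAC.

    Returns a list of (ip, first_mac, conflicting_mac). The two-window arpspoof
    exchange above yields two alerts: one for the gateway IP, one for the client IP."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] != ARP_REPLY:
            continue
        sender_mac, sender_ip, _ = parsed
        known = table.setdefault(sender_ip, sender_mac)   # first answer wins
        if known != sender_mac:
            alerts.append((sender_ip, known, sender_mac))
    return alerts

# Constructed sample traffic: IPs from the post, MAC addresses made up for this example.
GATEWAY, CLIENT, ATTACKER = "aa:bb:cc:00:00:01", "11:22:33:44:55:66", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_reply(GATEWAY, "192.168.1.1", CLIENT, "192.168.1.7"),    # genuine gateway reply
    build_reply(CLIENT, "192.168.1.7", GATEWAY, "192.168.1.1"),    # genuine client reply
    build_reply(ATTACKER, "192.168.1.1", CLIENT, "192.168.1.7"),   # 1st window: "I am the AP"
    build_reply(ATTACKER, "192.168.1.7", GATEWAY, "192.168.1.1"),  # 2nd window: "I am the target"
]

if __name__ == "__main__":
    for ip_addr, first, conflict in detect_spoofing(SAMPLE_FRAMES):
        print(f"ALERT: {ip_addr} was {first}, now claimed by {conflict}")
```

In a real deployment the first-seen table should be seeded from a known-good gateway mapping rather than trusting whichever reply arrives first.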
In order for a Wireless Adapter to support Monitor Mode and Packet Injection it is important to ensure that the device uses the correct chipset. Note that if a Wireless Adapter supports Packet Injection then it should support Monitor Mode – not necessarily the other way round.
Here are some known chipsets that support Monitor Mode and Packet Injection:
- Atheros AR9271
- Ralink RT3070
- Ralink RT3572
- Ralink RT5572
- Realtek 8187L
- Realtek RTL8812AU
- Ralink RT5370N
Below are some Wireless Adapters available on the market that use one of the above chipsets and support both Monitor Mode and Packet Injection:
Before buying any of the above, it is strongly recommended that you ensure the appropriate drivers are available for your operating system.
Do you have any suggestion to add about factors influencing the choice of a Wireless Adapter for Penetration Testing? Do you have any suggestions on great value or good performing adapters to try out? If so please comment below.