Assemble the push button to hack into Wi-Fi: USB adapters, “pineapple” routers, antennas and other tools


Wardriving, that is, intercepting Wi-Fi traffic, always begins with the choice of equipment. That is what we will do here: in a convenient question-and-answer format, we will look at what devices exist, which tasks each suits best, and where to start.

Why is wardriving cool?

The iPass website has interesting statistics on the growth of Wi-Fi hot spots worldwide. Just take a look: since 2013, the growth has been almost 900%. Much the same picture can be seen on the WiGLE website, which collects information about public access points.

That is, Wi-Fi is now everywhere; in more or less large cities the 2.4 GHz band is packed. Moscow, by the way, has recently taken second place in the world for the spread of Wi-Fi in public places, which makes me, as a resident of the capital and a fan of Wi-Fi hacking, incredibly happy. I will tell you about the role played by the MosMetro_Free and MT_FREE SSID networks someday.

In general, you get the idea: a specialist who knows their way around the security of all this will not go hungry.

What are the Wi-Fi standards?

It may surprise you, but Wi-Fi can work not only in the 2.4 and 5 GHz frequency bands. Behind the number 802.11 hides a whole set of standards for communication between devices in a wireless LAN. The carrier frequencies can be very different. Here is a list of them:

  • 900 MHz – 802.11ah;
  • 2.4 GHz – 802.11b, 802.11g, 802.11n, 802.11ax;
  • 3.6 GHz – 802.11y;
  • 4.9 GHz – 802.11j;
  • 5 GHz – 802.11a, 802.11n, 802.11ac, 802.11ax;
  • 5.9 GHz – 802.11p;
  • 45 GHz – 802.11aj;
  • 60 GHz – 802.11aj, 802.11ay.

If you want to brush up on this, be sure to read through the IEEE 802.11 page on Wikipedia, and if that is not enough, go to the primary sources and dig into the standards themselves.


Radio frequency use is legally regulated, right?

You cannot operate on just any frequency without a license. The unlicensed bands are called ISM (Industrial, Scientific, Medical). The channel grid and transmitter power for such bands are regulated by the appropriate authorities. Without a license, operation is possible only subject to local restrictions.

In Russia, these issues are handled by Roskomnadzor, now well known to everyone. But while on the Internet Roskomnadzor is famous for blocking, in the field of wireless networks it, on the contrary, keeps allowing and permitting.

On which frequencies can one work without restrictions?

Without the permission of Roskomnadzor, the following radio frequency bands may be used, in which interference-free operation of RPSs is not guaranteed: 2400-2483.5 MHz for RPSs with a maximum transmitter power of 0.1 W (channels 1-13), and 5150-5350 MHz for RPSs with a maximum transmitter power of 0.2 W and for indoor use only (channels 36-64, UNII-1 and UNII-2).

The 5650-5825 MHz range (channels 132-161) is so far open for aircraft in flight at an altitude of at least 3000 m. As you can imagine, all sorts of equipment may live in the parts of the spectrum that are not open, for example radars or relays. So it remains to wait for improvements.

In addition, for the 5150-5350 MHz and 5650-5850 MHz bands, the maximum permissible power (up to 10 mW) per 1 MHz has been doubled.

The main choice you have to make is not a specific device model but its type. There are USB adapters (also known as “dongles” or “whistles”, and in jargon sometimes called “cards”), Wi-Fi routers, and microcontrollers with Wi-Fi support. You can also use a phone or tablet, but even then you will get much better results with an external adapter.

Why do many people make do with a USB adapter (“whistle”)?

It is convenient, familiar and usually cheaper than a router. There is a large selection of well-proven adapters with monitor mode (you will need it for your attacks). In general, I would advise all beginners to get a whistle: it will come in handy more than once anyway.


Should you break Wi-Fi with a laptop’s built-in adapter?

I have to disappoint you: the chips installed in laptops usually cannot be switched to monitor mode, so there is nothing to discuss. And even if it were possible, the range of a notebook’s built-in antenna is usually small, and there is nowhere to connect an external antenna.


Where to start choosing an adapter?

There are a great many options, but not all of them are suitable for hacking. I suggest you start by looking at WikiDevi and see the list of recommended adapters. You can also find a lot of information at WirelesSHack under Wi-Fi and Wireless. The main things to look for when choosing are support for monitor mode and the ability to connect an external antenna, because without one there is no range to speak of. And of course, it’s best to take an adapter with a well-proven chip.
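An added example, not from the original article: vetting an adapter from its capability dump before buying or fielding it. It parses text in the layout printed by the Linux `iw list` command (the sample is constructed, not captured) and reports whether monitor and AP modes are offered and which enabled channels fall outside the license-free bands and power limits quoted earlier. The 20 MHz channel width is an assumption, and the indoor-only condition on 5150-5350 MHz cannot be checked from such output.

```python
import re

# License-free limits exactly as quoted in the article: (low MHz, high MHz, max W).
LIMITS = [(2400.0, 2483.5, 0.1), (5150.0, 5350.0, 0.2)]

# Constructed sample laid out like `iw list` output; not captured from a real adapter.
SAMPLE = """\
Wiphy phy1
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * monitor
    Band 1:
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2437 MHz [6] (30.0 dBm)
            * 2472 MHz [13] (20.0 dBm)
            * 2484 MHz [14] (disabled)
    Band 2:
        Frequencies:
            * 5180 MHz [36] (23.0 dBm)
            * 5745 MHz [149] (30.0 dBm)
"""

FREQ_RE = re.compile(r"\*\s+(\d+(?:\.\d+)?) MHz \[(\d+)\] \(([\d.]+) dBm\)")

def supported_modes(text):
    """Collect the bullet items that follow 'Supported interface modes:'."""
    modes, in_block = set(), False
    for line in text.splitlines():
        item = line.strip()
        if item == "Supported interface modes:":
            in_block = True
        elif in_block:
            if not item.startswith("* "):
                break  # first non-bullet line ends the block
            modes.add(item[2:].strip())
    return modes

def audit(text, width_mhz=20.0):
    """Return findings: required modes missing, channels outside the quoted limits."""
    findings = [f"mode not supported: {m}" for m in ("monitor", "AP")
                if m not in supported_modes(text)]
    # '(disabled)' channels carry no dBm figure, so the regex skips them.
    for freq, chan, dbm in FREQ_RE.findall(text):
        freq, watts = float(freq), 10 ** (float(dbm) / 10) / 1000  # dBm -> W
        lo, hi = freq - width_mhz / 2, freq + width_mhz / 2
        band = next((b for b in LIMITS if b[0] <= lo and hi <= b[1]), None)
        if band is None:
            findings.append(f"ch {chan} ({freq:.0f} MHz): outside license-free bands")
        elif watts > band[2]:
            findings.append(f"ch {chan} ({freq:.0f} MHz): {watts:.2f} W > {band[2]} W")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```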


What are the well-known manufacturers of Wi-Fi chips?

The main chip manufacturers are Qualcomm Atheros, Broadcom, Realtek and MediaTek (formerly Ralink). If you compare manufacturers, Atheros is considered an ideal solution for hacking. For example, the company Ubiquiti mainly uses Atheros chips to create professional-level devices. Most of the Wi-Fi range records were set using Ubiquiti equipment.



Which adapter is the best one?

Everyone is free to choose what they like, but for beginners I have lately recommended only the TP-Link WN722N. There are a number of reasons: low price, availability (it can be found in most computer stores), support for the required modes, and support for mac80211 (the de facto standard for Wi-Fi adapter drivers). Firmware source code and open-source drivers are available for the WN722N, which is very useful for making your own modifications. Also note its stability and modest power requirements (0.5 A at maximum). This makes it possible to connect it to mobile devices via an OTG cable; this card is supported in Kali NetHunter. With the TP-Link WN722N you can scan the spectrum as well as perform some advanced attacks on 802.11. In general, everything you need.


TP-Link WN722N


Addition from a reader

After the article was published, a reader with the nickname InfiniteSuns sent an addition: 722N adapters have recently received a second hardware revision based on the RTL8188EUS chip.

Thus, what is said about Atheros holds only for 722N revision 1.X. For our purposes, we should look for exactly these adapters.


What about the legendary Alpha?

Many novice wardrivers are trying to buy the so-called “Alpha”, that is, one of the Alfa Networks adapters. But this manufacturer produces a lot of devices on a variety of chipsets, so the “same” Alfa can be very different. For me, as for many, it is Alfa AWUS036H. At one time it was the most coveted “card” because it has its own amplifier. The rest of the Alfa devices are also well designed and built, but I wouldn’t say they are unique.

Alas, the best days of the Alfa AWUS036H are behind it. It is based on the Realtek 8187L chipset, which supports neither the 802.11n standard nor access point mode. In attacks on WPS with weak signal strength the Alfa AWUS036H is still unrivaled, but in all other cases there is nothing special about it. Alas, you can’t even connect it to a cell phone: the amplifier requires too much power.

There are Alfa adapters marked Long-Range. They have no amplifier, but they have good filters and a TeraLink chip, which already has the “right” drivers. So you can consider them an option.


Alfa AWUS036H

Do I need some kind of special cable?

Before you connect the adapter to your computer, make sure it gets reliable power to avoid malfunctions. This is important for all RF devices, and if you have an Alfa AWUS036H, remember its increased power consumption. Not all USB cables are equally good, and cable quality affects the current it can carry (thickness can be an indirect indicator of quality). So when you buy a good “card”, it is best not to plug it in with just any cable.

Most adapters use USB 2.0 because USB 3.0 introduces significant limitations. Serious chip makers (Atheros, for one) support the 5 GHz range only on PCI-E cards, and that is what I recommend for 5 GHz. For everything else USB 2.0 will do.

Can I find a decent adapter on AliExpress?

Chinese marketplaces are full of different adapters, including clones of famous brands like Alfa. But when choosing among them you need to be very careful: the stated characteristics often do not match reality, and even the installed chip may be a different revision from the one given in the description. In the end, we managed to find a good external antenna bundled with a not very outstanding “card” (the Netsys 9000WN), as well as several extremely cheap adapters. In general, if you are after adventure and savings, go looking, and perhaps you will find something interesting. Don’t forget to share your find in the comments!

When should you take a router and not a USB adapter?

When using a whistle, the software has to run on your computer, which is not always convenient. An attack on WPS, for instance, can stretch to eight hours, and wardriving with a laptop at the ready, outdoors and in our harsh climate at that, is quite a pastime.

It would be logical to hand this work to a separate device, and a router is just such a self-contained device. All you need to do is find a suitable one and equip it with special firmware. Hacker firmware is usually built on OpenWrt with the necessary software added: Aircrack-ng, Reaver, PixieWPS and other utilities. The only ready-made solution so far is the well-known “Pineapple”, aka WiFi Pineapple.

There is also a class of attacks that cannot be performed using a USB adapter. For example, there is the Karma attack, which later became known as Mana. It is an “evil” access point. If you try to reproduce it with a “whistle” (for example, the same TP-Link WN722N), you will run into a limit of seven clients that is hard-coded in the firmware. The real reason is that the adapter has insufficient internal memory.

What is this “pineapple” router?

WiFi Pineapple started as a custom firmware project for an Alfa router and was then called Jasager. Under the leadership of the Hak5 team, the project has grown over the years into a separate and very specific device that lets you not only intercept Wi-Fi but also conduct subsequent MiTM attacks on the network. It is available in two versions: as a separate WiFi Pineapple TETRA device or as a USB WiFi Pineapple NANO.

Pineapple NANO and TETRA


A “pineapple” is certainly an interesting device that deserves a separate article. It has a convenient and beautiful web-interface and everything is ready for the consumer. But it is not cheap (NANO costs 99, TETRA – 199 dollars), and it is impossible to order it directly from Russia.


Routers come in all shapes and colors, and you can check OpenWrt support on the project website. Among stationary models we can recommend, for example, the TP-Link TL-WDR4300 on an Atheros chip, which can operate on the 2.4 and 5 GHz bands simultaneously. However, you can’t take it with you into the field.

I have recently come to like the solutions from the Hong Kong company GL.iNet based on the SoM Domino Core. GL.iNet offers a full range of products, from bare boards and components to assembled routers. I got myself a GL-MiFi for $99. It has the following advantages:

    • it has an internal battery (unlike the “Pineapple”);
    • a Quectel EC-25 4G modem can be added to the order, and it is hackable in its own right;
    • external antennas can be connected via the UFL connectors on the board;
    • it can serve as a battery to charge your cell phone if you want;
    • by the standards of Chinese vendors, GL.iNet is extremely reasonable, and has even made its firmware work through Tor.


GL.iNet products have already been appreciated by the hacker community, and firmware with homemade “Pineapple” has started to appear for them. I’ll praise myself: I’ve built a single repository with all sorts of pineapple handicrafts that can be useful for DIY fans.




GL-MiFi in front and back

Which routers are not worth buying (or are, but with caution)?

Although the choice of routers is large, not all of them are suitable for hacking. My preference, as with adapters, is for hardware with Atheros chips. This includes the same TP-Link products, which hackers have long used successfully. The TL-WR703N, TL-MR3020 and TL-MR3040 have recently been used everywhere for hacker firmware and mods.

It was on them that hackers built their “pirate” and “Pineapple” versions with support for the Karma attack. The USB port lets you plug in both a 3G/4G modem and an ordinary flash drive with a decent set of software, and the ability to run Python + Scapy will please many fans of network fun.

However, the modest amount of ROM and RAM in these models has become a serious obstacle to creating more interesting firmware. So if you are not ready for modding, I would not recommend buying them today.


Can I pump up an already bought router?

Small ROM and RAM are not a death sentence for the device: the chips can be desoldered and replaced relatively cheaply. The chips themselves cost pennies. As a ROM chip I will take the liberty of recommending the Winbond W25Q128FV with 16 MB of flash memory.

With RAM it’s even more fun: you might not need to buy anything at all. You can successfully salvage it from old DDR1 memory sticks (you kept them when throwing away the old system, right?). If your desk drawer holds no collection of vintage components, and grandfather did not allow his computer to be disassembled, that is no problem either. Enterprising Chinese sellers offer ready-made replacement kits: look for RAM in TSOP-II packages with 66 pins.

Before you expand the memory, you should reflash the router, because the stock firmware of most routers often contains hard-coded addresses that will no longer match with more RAM.

If you have already bricked the router, U-Boot will save you. In the case of TP-Link routers, all you have to do is type the magic word tpl into the UART at boot, and the device will give you access to U-Boot instead of continuing to load a broken kernel.


When you have no opportunity to set up with antennas and a laptop, there is a fallback option: to use a cell phone for pentesting. In short, you will need the Kali NetHunter distribution, one of the compatible phones with supported firmware and, of course, an external USB adapter connected via an OTG cable.

As a dongle you can take the already mentioned TP-Link WN722N: of all the popular ones, only it has low enough power consumption to connect even to low-power devices. The more expensive and fancier “Alpha” can also realistically be adapted to a phone, but not every model and not every phone. A powerful “card” may not work or may start draining the phone’s battery outright. As a result, people have already begun to invent schemes with external batteries and even solar charging.


Kali NetHunter


With the fashion for IoT, the tiny ESP8266 wireless controller became widespread, and hackers began to pursue the idea of getting monitor mode out of it. And in the end they succeeded! Unfortunately, full-fledged monitoring and packet injection on this chip is impossible because of a hardware restriction on the buffer size of 128 bytes. Such a buffer, of course, is not enough to capture a complete handshake. However, it is enough to send deauth frames… I also want to draw your attention to a project on Wi-Fi positioning based on the ESP8266.



What other microcontrollers can I use?

Monitor mode is available on the TI CC3200 as part of its proprietary RFSniffer technology. It should be noted that the monitoring capability of Texas Instruments’ Chipcon series chips has already led to products such as Yardstick/RFCat and Ubertooth. They are designed for hacking ISM and Bluetooth, respectively.


What’s the best thing for a beginner to buy?

If you need to start somewhere, the TP-Link WN722N is enough. It is a workhorse that will come in handy more than once in the future: you can hook it up to a laptop, a tablet, or a router. There is a whole class of attacks that can be implemented only with an Atheros chip: all kinds of custom and advanced attacks.

A router is good when you need to start a scan and leave for a long time. If you often work in the field, you can, like me, take a GL-MiFi: it is useful not only for hacking but also for more peaceful purposes such as sharing mobile Internet.


What are the antennas?

A special item on the hardware list is the antenna, or rather, antennas. The shape of an antenna embodies mathematical calculations and is therefore in many cases even patentable (the Chinese, of course, are aware of this and, as usual, resort to piracy).

There are several basic types of antennas, and each of them is good for different tasks. They are divided by radiation pattern:

  • omnidirectional (pin, dipole);
  • directional (wave channel, Yagi-Uda);
  • partially directional (panel, sector, plate).

The most universal, of course, is the pin antenna, the kind that sticks out of most home routers.

As you can see, there are coils in the antenna, and that is no accident. The Wi-Fi signal is emitted precisely in the plane of the coils. Therefore, when installing a Wi-Fi router at home, be careful about how you orient the plane of its antennas, so as not to radiate to the neighbors above and below: it will be of no use to them.


Which antenna should I choose in the end?

A pin, omnidirectional antenna is good when you need to work in access point mode, sharing the Internet. When we are interested in hacking a particular access point, we use directional antennas. My two main antennas are a pin for Internet sharing and a directional antenna with a large reflector.





How do I attach the antenna?

Since a directional antenna needs to be fixed rigidly, the question arises of what to mount it on. I recommend using a camera or telescope tripod. Since I have only one tripod, I can’t advise on which brand and model to use. Mine was bought on the principle of “maximum freedom for a reasonable amount of money”. And of course, pay attention to the weight the tripod can carry and to its build quality.

The ultimate dream is a telescope tripod that changes direction by itself on commands via a USB or COM port. However, such toys are not cheap. But with them you can talk about scanning not only the air but also the terrain.

What else can I play with?

Japanese SUVs now also open via Wi-Fi. And there is more to come! 90% of new cars now ship with access points. I don’t even want to talk about banal routers, printers, cameras and other IoT. And if you suddenly crave something new, nRF24 and NFC are waiting for you. In general, you won’t be bored!
