Hardware is always an important part of conducting a wireless penetration test - a large antenna or a high powered NIC can sometimes be the factor that helps you get the handshake/IVs required to crack the wireless key. Also, with Wireshark (https://www.wireshark.org/) or airdecap-ng (http://www.aircrack-ng.org/), it is possible to retroactively decrypt all of the wireless traffic you captured that was initiated with the same handshake (as long as the handshake was cracked) and so there’s no excuse for missing out on that plaintext login we’re all looking for.
In order to sniff all of the packets flying through the air, you need at least 3 NICs, plus one for attacking. Carrying around 4 separate NICs can be a pain, and some laptops may not even have that many USB ports. As such, you may be interested in my recent “Wi-Fi Box” build, which is simply a compact, adaptable way of carrying the hardware I use for wireless penetration tests. It is probably not the only one of its kind, nor is it likely the best, but it works for me and is relatively simple. Its configuration can be easily changed to match whatever needs you may have. Plus, Pelican cases are just plain cool.
INGREDIENTS (SEE FOOTNOTES FOR ADDITIONAL DETAILS):
- 1 Pelican 1170 Case
- 4 Male to Female RP-SMA Extension Cables, preferably shielded
- 4 RP-SMA Antennas
- 1 Powered USB hub
- 1 DC Power Jack Socket
- 1 Panel Mount Female to Male USB B Adapter
- 4 Wireless NICs capable of packet injection and compatible with aircrack-ng
- 4 short (6”) Mini USB cables
- 1 DC Power Connector
- Cordless Drill, Drill bits, File
- Soldering iron
- Wire cutter/stripper
- Aircrack-ng suite, tcpdump/wireshark
- Dremel Tool
- Small Wireless Router (I used TP-WR703n)
- Wifi Pineapple
- Remove all of the foam from the case, leaving it empty. The layout I came up with is to use one side of the case as the USB/Power inputs, and the other as the antenna outputs. If you want to space your antenna outputs like I did, you’ll have to use a file or dremel tool to remove the small plastic ridges inside the case (visible above on the left side under the USB input).
- Using a ¼” drill bit, drill 4 holes, evenly spaced, in one side of the case. I used white out to mark where to drill, since neither sharpie nor pencil would show up on the plastic of the case.
- Put the male end of the RP-SMA adapters through the holes, and secure the threads on the outside of the case with the included lock washers.
- Drill a ½” hole in the opposite side of the case, as close to the corner as possible.
- Strip the ends of the DC Power connector and solder it to the DC Power Jack Adapter. (Note: You may want to thread the wire through the hole you drilled in the previous step if the connector is larger than the hole.) The important thing to note here is to match the polarity of the power brick that came with your USB hub to the DC Power Jack. If you have one available, use a multimeter to determine which wire is positive. If you don’t have a multimeter, you can look at the adapter itself. Usually it will have a diagram similar to the one in the bottom right corner of the image below, showing polarity. In most cases, the wire that has writing on it will be the negative wire, whereas the wire with the stripe on it will usually be positive.
- Drill a ⅝” hole in the same side you put the DC power jack in, as well as two ⅛” holes on either side of the ⅝” hole for the panel mount USB adapter. To mark where to drill the holes, I put a tiny drill bit through the side holes on the USB adapter then drilled where the marks were left. Screw the USB Panel mount into the holes you just drilled, aligning the USB input with the large hole in the center.
- Arrange your hardware inside the case, using velcro or mounting tape where necessary. Hook everything up and make sure that when you plug in your box you see the extra NICs in ifconfig or ip link.
Additional Information and Notes
The reason that you only need 3 NICs to sniff the entire 2.4GHz wireless spectrum is because with a channel width of 20MHz (default), all networks must broadcast packets that intersect channels 1, 6, or 11. For more information on this, see http://en.wikipedia.org/wiki/Wifi_channel#Channels_and_frequencies.
In the optional ingredients, I mention the TPLINK TP-WR703N. This is a small size (about 2x2”) router, powered by Micro USB and contains one ethernet port. Most of them come with a Chinese firmware installed, but you can flash an English version of DD-WRT (http://www.dd-wrt.com/site/index) or OpenWrt (https://openwrt.org/) fairly easily. You can also modify this little AP to add an external antenna adapter. Its main use in my wifi box of doom would be as a fake WPA-Enterprise network, configured to authenticate to my malicious RADIUS server. It would also be possible to fully automate credential gathering by adding a customized Raspberry Pi to this setup. This may be a topic of one of my future blogs.
In using this, I developed a very crude bash script to start airmon-ng on all interfaces and to start airodump on channels 1, 6, and 11. (Note that this assumes the wireless interfaces start at wlan1 and that you haven’t started and monitor interfaces yet.)
#!/bin/bash nics=$(ifconfig -a | grep -E "(wlan)([1-99])"| cut -d ' ' -f1) for i in $nics do airmon-ng start $i done sleep 10 mons=$(ifconfig -a | grep -E "(mon)([1-99])"| cut -d ' ' -f1) airodump-ng -c 1 -w auto_dump_ch1 --output-format pcap mon0 >/dev/null 2>/dev/null & airodump-ng -c 6 -w auto_dump_ch6 --output-format pcap mon1 >/dev/null 2>/dev/null & airodump-ng -c 11 -w auto_dump_ch11 --output-format pcap mon2 >/dev/null 2>/dev/null &