Testing for penetration in wireless networks requires knowledge, special software and specialized devices. One such device is the Wi-Fi adapter. We will talk about this today. Important points when choosing a wi-fi adapter are the ability of the adapter to grasp in monitoring modes, its technical characteristics and compatibility with the software. All this is the key to success with Wardriving.
Wardriving (detection and hacking of Wi-Fi access points) requires special equipment. But it's not necessary to go broke for professional devices. Among the serially produced Wi-Fi adapters, suitable models also come up. To turn them into hacker devices, sometimes some manipulations are required. I'll tell you how to choose such a device, and what to do with it further. Every year, the WirelessHack website publishes a list of the best Wi-Fi adapters for warriors and discusses their compatibility with Kali Linux. However, recently this list began to lose its significance. The reason is simple: the tested models of devices disappear from the sale. Instead, there are cheaper versions, or even new revisions with other chips. The model name often remains the same, but its properties are not. In addition, the most popular adapters start to forge, and it is not so easy to recognize it. Compilers of the list can not check each device themselves. We will try to partially fill this gap and describe the tried and tested method of choice.
Modern wireless communication chips occupy an area of a quarter of a square centimeter or less. Therefore, adapters based on them are produced in different miniature form factors. They can be soldered on a Mini PCI laptop card, M.2 format module (NGFF) or as an expansion card PCMCIA. We are also interested in a more universal option - external adapters with USB interface, which can be connected to anything.
Among such adapters, models with USB 3.1 and 3.0 interface are still very rare. The bulk is still available with a USB 2.0 port. The limitations of the bus transfer speed (480 Mbps) make such adapters unsuitable for attacks on 802.11ac access points (APs). Well at least, most AP today are simultaneously broadcasting according to the b / g / n standards, which leaves a lot of room for warriors.
You ask - Why buy a separate adapter, if today there is a built-in Wi-Fi module in any laptop and tablet? The problem is that it usually turns out to be useless for pentests, since its chip can not be switched to monitoring mode and even more so to use for injecting packets. This is possible only with those chips for which open drivers are written (native or backport). In Linux (including #KaliLinux) their collection is updated, but slowly. To enable such a driver to support the next adapter, the community needs to get the firmware code of its chip and a set of engineering programs specific to each vendor.
Manufacturers rarely disclose detailed specifications, so the guaranteed matching chips in many articles on vandrrayving mention the same - reprinted from the Kali documentation. These are Realtek 8187L, Qualcomm Atheros AR9271 (L), Ralink RT3070 (L) and Ralink RT3572 (L). However, there are much more compatible solutions on the market. Switch to monitoring mode and inject packets can adapters on dozens of other chips.
For "long-range" 802.11b / g standards, these are Ralink RT2070, RT2571W and RT2671, as well as Intersil ISL3880, ISL3886 and ISL3887.
More modern b / g / n standards support Kali-compatible chips Ralink RT2770, RT2870, RT3071, RT3072, RT3370, RT5370, RT5372, RT8070, as well as Atheros AR7010 and AR9271L.
Extended set a / b / g / n supports the chips RT3572, RT5572 and AR9170 (draft-n). The corresponding functions in Linux are provided by the drivers p54usb, rt2500usb, rt2800usb, rt73usb, carl9170, ath5k, ath9k and ath9k_htc. The most suitable adapters are based on Ralink chips, which in the second version of Kali Linux work with the rt2800usb driver.
Here is a list of modern USB Wi-Fi adapters that are supported in Kali Linux
Having done several raids on domestic and foreign equipment shops, I compiled a list of models tested in Kali, which are being sold today. Pay attention to the version number and revision, this is important! Just one other letter or number, and inside will be another chip, useless for warrving.
At a frequency of 2.4 GHz, the following adapters work according to the b / g / n standards:
- Alfa Network TUBE-U (RT3070).
- Tenda UH150 (RT3070).
- Tenda W311M (RT5370).
- Tenda W311MI (RT5370).
- Tenda W322UA (RT3072).
- Tenda W322U v3 (RT5372).
- D-Link DWA-125 rev B1 (RT5370).
- D-Link DWA-140 rev B3 (RT5372).
- D-Link DWA-140 rev D1 (RT5372).
- TP-LINK TL-WN727N v3 (RT5370).
With the expanded set of standards a / b / g / n at 2.4 GHz frequency:
- ASUS USB-N53 (RT3572).
- Tenda W522U (RT3572).
In the dual-band mode (2.4 and 5 GHz) according to the a / b / g / n or n:
- D-Link DWA-160 rev B2 (RT5572).
- Netis WF2150 (RT5572).
- TP-LINK TL-WDN3200 (RT5572).
This list lists only modern USB Wi-Fi adapters with full support in Kali Linux (monitoring mode + packet injection). All these models were released after 2010. Of course, the list could be continued by including old models, the most outstanding ones will be mentioned below.
It may seem that it's easy to choose a USB adapter for wireless network auditing. In theory, it is enough to buy any device with a suitable chip, and you can go to conquer access points. In practice, there are a lot of non-obvious things and important details.
Realtek 8187L (802.11b / g, 2.4GHz)
This is an old chip, working only on standards 802.11b / g. However, the old does not mean bad. In 2007, it was made the legendary adapter Alfa AWUS036H, breaking records of communication range. With it, you can drill access points not only from neighbors, but also in another building. It remains only to discover the hotspots still broadcasting according to the b / g standards.
As with any "Alpha", the main problem is to buy the original. A box and even branded holograms forged learned long ago, so the guaranteed option is only one - to open the case. Look for metal latches, a metal plate over the blue textolite board, and most importantly - look for the MAC address to match on the board, case and box. To accurately not miss, you can check the validity of the adapter on the site by the MAC address and serial number.
RT3070 (802.11b / g / n, 2.4GHz)
This chip was one of the first for the AP, broadcasting in the standard 802.11n. Dateshit appeared on it in September 2008. Then Kali Linux was not there yet, and the driver with monitoring mode support added its predecessor, BackTrack, to the distribution. In 2011, MediaTek merged with Ralink Technology Corporation, so sometimes you can find another designation for this chip - MediaTek RT3070.
To date, more than 150 devices have been released on the basis of the RT3070, but the degree of their suitability for warrving is different. With this chip one must be especially careful, since it is issued in at least two revisions. For audit it is desirable to take exactly RT3070 revision AL1A. The cheaper revision of AL3A is worse - weaker, and it works less stable. It is used in chips labeled 3070L, but not all sellers indicate the last letter. Therefore, read reviews, compare VID and PID, or better - check the designation on the chip itself. Most adapters open elementary: they have either a plastic casing on the latches, or glued from two halves. The latter can be opened neatly, slightly warmed up by the ends with a hairdryer.
Of the proven adapters based on the RT3070, you can recommend Alfa AWUS036NH and Alpha AWUS036NEH. Interestingly, the Chinese adapter EDUP EP-MS8515GS on the same chip does not outwardly copy them, but the newer Alpha model, AWUS036ACH. It has two whip antennas with a claimed gain of 6 dBi. He works very well, but for his low price and generally good.
Another adapter with a chip RT3070 - Tenda UH150 / N150. The declared power of its transmitter is 27 dBm (versus the usual 14-20 dBm), and the gain of the omnidirectional antenna is 5 dBi. This adapter is sold in many Russian stores for the equivalent of 10-12 dollars. You can save a couple of bucks if you are not critical to wait for a parcel from the Middle Kingdom. However, it is useful only for short-range warping. Why? As it turned out, the claimed characteristics are not true. Having discovered this, we began to sin on the complete USB wire - it was very long and thin, that is, it had great resistance. However, its replacement with a cable did not bring anything better. The adapter still saw eight or nine access points where others were catching twenty or more. An autopsy showed that inside the device is all the same stripped-down version of the chip with the index L, and on the board (judging by the markup) there is no part of the elements.
Despite the large antenna and the case of solid dimensions, the power of the adapter in practice was very low.
As a powerful and cheap adapter on the forums are often advised KuWfi Blueway BT-N9000. It has an omni-directional antenna with a declared gain of 8 dBi (in my senses, it's real about 5 dBi). Passport data on the power consumption of 2 W should be taken similarly. In fact, the power is only slightly higher than most USB adapters in this price category. Perhaps with the N9000 it will be possible to see a few more access points around or a bit faster to overcome the nearest one. The adapter costs its money, but no more.
The Netsys 9000WN model captivates with solid sizes, but this is just an example of an easy deception: instead of the RT3070, it uses the RT3070L. However, this adapter has a rather high-quality panel antenna, so it can be recommended for radio etheria exploration or as a donor for antenna repowering to another device. Declared characteristics do not result, because they look crazy - do not even coincide in different paragraphs of the description. However, such shoals are typical for most Chinese products. In practice, the device is pleased with the reception sensitivity. Where other adapters are caught from the power of twenty hotspots, it easily finds more than fifty, especially if it is rotated slowly in the manner of a radar. Despite its impressive dimensions, in the monitoring mode the adapter consumes less than 850 mW. Of the features of the Netsys 9000WN antenna, I note the radiation pattern. Its width is about 60 ° in the horizontal plane and 90 ° in the vertical plane. In practice, such a panel antenna gives something in between a normal whip and directed Uda-Yaga (known to Soviet engineers as a "wave channel"). Therefore, the exact direction to the access point with it is difficult to find. The receiver in this antenna is a group of rectangular metal radiators of the same size symmetrically located above the steel screen (180 x 160 mm). They are squares with a side of 53 mm and are placed at the same distance from each other. The distance between them and the screen is 7 mm. The braid of the antenna cable is connected to the screen, and its central core is soldered to the metal strips. In addition to high-quality antenna, this adapter has one more advantage - price. In Russia, one such socket will cost more than $ 35, and here it is used in the finished device, moreover, along with the chip that is supported in Kali. The downside is a rather old and truncated RT3070L chip. An obvious solution arises: to replace the board by pulling it out of the case of another adapter with a more interesting chip, there is enough space in the antenna stand. To upgrade, you will not only solder the antenna leads, but also replace the full-sized USB port with mini-USB.
Qualcomm Atheros AR9271 (802.11b / g / n, 2.4GHz)
In 2013, Qualcomm opened the source firmware and SDK for AR9271 under the MIT license. Therefore, the AR9271 has become one of the most popular chips for warriving in recent times. It is based on many adapters, the most famous of which is the Alfa AWUS036NHA. The model is so popular that under it there are many fakes. For example, this is a fake. Some warriors buy it, tempted by the price, and then write disappointed reviews, like: "I expected more from Alpha!" So it was not Alfa Networks doing, what were her complaints?
The real "Alpha" in Russia, Ukraine and a number of other countries are selling expensive, and waiting for its delivery from other countries for too long. Therefore, impatient buyers pay attention to cheaper adapters with the same chip. For example, TP-LINK TL-WN722N.
With a rather powerful transmitter (20 dBi), it pleases with its availability (it is still sold in dozens of Russian stores for the equivalent of 8-10 dollars) and the possibility of connecting any external antenna. Indirectly, the power of the adapter can be judged by the value of the power consumption. At its peak, it is almost twice as high as that of the huge Netsys 9000WN.
Other things being equal, it's better to choose adapters with removable antennas. If they use standard SMA connectors, then you can easily replace a regular one with a more powerful one, you can use a directional antenna or even add a signal amplifier.
If you want to experiment and have time to wait, then you can try a cheaper analogue TL-WN722N, produced under the famous Chinese brand NoName. Just remember that the same kind of adapters (and even those made on the same chip) can differ in the element base and in the wiring.
Less common is the reverse situation: you can find a fairly accurate clone of a well-known model, the only notable difference being a logo. For example, there is an adapter such as Sophos AP 5 Rev 1. It can be recommended for those who need an extremely cheap option, but with more or less decent characteristics.
Interestingly, the AR9271 chip has two RX / RF circuits, but most adapter manufacturers put only one antenna for the sake of cheaper price.
This is one of the most modern chips, operating in two bands: 802.11a / b / g / n in the 2.4 GHz band and 802.11n at 5 GHz. Based on it, the adapter Netis WF2150 is available, which costs 15-17 dollars. Low price is the only plus of this adapter. The power consumption in monitoring mode varies between 750-850 mW, so it can not be called powerful. External antennas do not have an adapter, and with miniature built-in ones, you can attack the access point only at the stop. Their gain does not exceed 1.5 dBi in the 2.4 GHz band and 3.5 dBi in the 5 GHz band. For vardrayvinga need a customization: you need to connect to the adapter an external antenna - for example, removed from the "donor" or self-made panel. Between the internal micro-antennas on the board there is an IPX connector, which greatly simplifies the connection of an external antenna with an adapter cable or pigtail.
Surely you have often encountered a cliché phrase: "The manufacturer can change the technical and consumer properties of the product without notice." In practice, this means that by purchasing the same model of the Wi-Fi adapter from different parts, you can find different chips inside. It's good if they are both in the list compatible with Linux. For example, in the first series of the Tenda W322UA adapter, the RT3072 chip was installed. Now they have a newer RT5372L - the same as in the Tenda W322U v3. There is a unification of production, but the problem is that no new designations have appeared on the device - neither the version nor the revision. Looks W322UA interesting, but the chip in it is cheaper version, and a couple of small pin antennas are not very good. They slightly increase the data transfer rate (due to the use of the 2 × 2: 2 MIMO scheme) to the detriment of the signal power. The baby consumes only 660 mW and confidently catches the AP only close. The signal from the routers located behind the wall, with it will always be in the red zone. For vardrayvinga it is better to take one antenna is more powerful, but in this adapter they are not removable. I am glad that the leads of the antenna cable are made on the board separately. They are far from the chip, so it does not overheat when you solder another antenna.
Signal power is the key to successful vending, but sellers understand this too. Deprived of the remnants of conscience, they overstate the characteristics of the goods at times and start up any deception. For example, the reprints of last year's articles are still advised to buy from the Chinese a High Power SignalKing 48DBI device. One of the colleagues decided to check and see what this wonderful adapter has inside. The parcel went for almost two months and ... it would be better if it was lost. The autopsy of the sample sent showed that the omni-directional antennas in this adapter are a dummy, and directed much less in size than you expect, looking at the dimensions of the case. Of course, the gain of the panel antenna and does not closely match the claimed. Say, 48 dBi? There's not even eight. Other adapters from well-known brands show a similar result - they use high-quality 5-6 dBi pin antennas. And communication with them is more stable than with the self-proclaimed "Signal King". Alas, this story is a rule, and not an exceptional case. Most products should be viewed skeptically and not be lazy to count. For example, from a USB port with a limiting current of 500 mA and a working voltage of 5 V, it is impossible to supply a load consuming more than 2.5 W. Do you offer a USB adapter with a capacity of 9W? Smile and look for another. With an antenna at 100500 dBi? Contact the air defense! Someone stole the radar from them!
Buying in a local store does not eliminate the need to think and check. You'll just wait less and make forgery easier, but you'll pay a lot more for the same thing. It is logical that ordering Chinese goods is cheaper in Chinese stores. In addition to AliExpress, there is DealExtreme, FocalPrice, JD and many others.
Tip: suitable adapters are searched in online stores by the chip name, as well as by mentioning Kali Linux, BackTrack, Beini and Xiaopan. Filtering the search results is better not for the price, but for the seller's rating and the number of reviews. On a popular thing, there are always hundreds of them, and photos and test results come across.