Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I had a few questions about using an Alfa AWUS051NH wireless card, so I figured I would share a quick write-up about it.
The nice thing about this particular Alfa card is that it supports 5GHz, as opposed to the AWUS036NHA.
I picked up two of these for any 5GHz engagements that I run into, plus to use as my primary wireless cards.
First, I plugged the card into my Mac, and VMware detected it just fine. Ignore the other USB device; that is just one of the wonderful USB-C dongles that I have to deal with.
I passed it through to Kali, and Kali was also able to detect the card.
When I ran iwconfig, the card showed up as wlan0.
root@kali:~# iwconfig
lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

eth0      no wireless extensions.
With the card connected and detected, it was time to put it into monitor mode.
root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  521 NetworkManager
  651 dhclient
  700 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT3572

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
Once I started monitor mode, I verified this by running iwconfig again.
root@kali:~# iwconfig
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

lo        no wireless extensions.

eth0      no wireless extensions.
Next, as the card was in monitor mode, it was time to test injection. Unfortunately, aireplay was finding 0 APs. I knew this was incorrect, as my onboard cards were finding plenty of access points in the area.
root@kali:~# aireplay-ng -9 wlan0mon
13:22:21  Trying broadcast probe requests...
13:22:23  No Answer...
13:22:23  Found 0 APs
Additionally, airodump was showing 0 access points as well.
CH 12 ][ Elapsed: 36 s ][ 2017-12-05 13:17
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
BSSID STATION PWR Rate Lost Frames Probe
First, I verified my kernel, just to make sure that the card would work.
root@kali:~# uname -a
Linux kali 4.13.0-kali1-686-pae #1 SMP Debian 4.13.10-1kali1 (2017-11-03) i686 GNU/Linux
After a bit of searching and debugging, it appeared that my virtual machine USB settings were the culprit.
I shut down my VM and set the USB Compatibility to USB 3.0.
With the USB settings changed, I verified that the card was still detected by Kali.
root@kali:~# iwconfig
eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.
With the card detected, it was time to put it back into monitor mode.
root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  490 NetworkManager
  627 dhclient
  797 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT3572

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
This time around, airodump was finding all the access points around me!
CH 1 ][ Elapsed: 18 s ][ 2017-12-05 14:24
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
B8:27:xx:xx:xx:xx -15 13 0 0 6 54e WPA2 CCMP PSK Getxxxxx
A4:6C:xx:xx:xx:xx -44 12 0 0 11 54e. WPA2 CCMP PSK
A4:6C:xx:xx:xx:xx -42 11 10 0 11 54e. WPA2 CCMP PSK GUEST_xxxxx
A4:6C:xx:xx:xx:xx -44 16 0 0 11 54e. WPA2 CCMP PSK WRxxxxx
A4:6C:xx:xx:xx:xx -59 16 26 0 1 54e. WPA2 CCMP PSK GUEST_xxxxx
A4:6C:xx:xx:xx:xx -51 20 0 0 1 54e. WPA2 CCMP PSK WRxxxxx
A4:6C:xx:xx:xx:xx -46 16 197 21 1 54e. WPA2 CCMP PSK
78:BA:xx:xx:xx:xx -58 11 0 0 1 54e. WPA2 CCMP PSK WRxxxxx
78:BA:xx:xx:xx:xx -56 10 3 0 1 54e. WPA2 CCMP PSK
78:BA:xx:xx:xx:xx -59 12 0 0 1 54e. WPA2 CCMP PSK
9C:D2:xx:xx:xx:xx -63 8 0 0 6 54e. WPA2 CCMP PSK HP-Print-35-Color LaserJet MFP
02:6B:xx:xx:xx:xx -65 2 0 0 1 54e WPA2 CCMP PSK DIRECT-xxxxx
F8:A0:xx:xx:xx:xx -67 6 0 0 1 54e. WPA2 CCMP PSK BHxxxxx
I also wanted to verify that the injection speeds were working properly.
root@kali:~# aireplay-ng -9 wlan0mon
14:24:48  Trying broadcast probe requests...
14:24:48  Injection is working!
14:24:49  Found 4 APs

14:24:49  Trying directed probe requests...
14:24:49  A4:6C:xx:xx:xx:xx - channel: 1 - 'WRxxxx'
14:24:50  Ping (min/avg/max): 2.300ms/16.213ms/83.276ms Power: -56.07
14:24:50  30/30: 100%

14:24:50  78:BA:xx:xx:xx:xx - channel: 1 - 'WRxxxx'
14:24:50  Ping (min/avg/max): 1.897ms/9.195ms/26.184ms Power: -64.80
14:24:50  30/30: 100%

14:24:50  F8:A0:xx:xx:xx:xx - channel: 1 - 'BHxxxx'
14:24:52  Ping (min/avg/max): 1.120ms/14.078ms/68.255ms Power: -75.09
14:24:52  22/30: 73%

14:24:52  02:6B:xx:xx:xx:xx - channel: 1 - 'DIRECT-xxxx'
14:24:58  0/30: 0%
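The two aireplay-ng -9 runs in this post can be compared mechanically. The following is an added example, not code from the original post: a small Python parser that turns the test output into a verdict. The sample text is constructed (abridged from the runs shown here), and the min_pct threshold and verdict labels are hypothetical.

```python
import re

# Constructed samples, abridged from the two aireplay-ng -9 runs in this post.
FAILED_RUN = """13:22:21  Trying broadcast probe requests...
13:22:23  No Answer...
13:22:23  Found 0 APs"""
WORKING_RUN = """14:24:48  Trying broadcast probe requests...
14:24:48  Injection is working!
14:24:49  Found 3 APs
14:24:49  Trying directed probe requests...
14:24:49  A4:6C:xx:xx:xx:xx - channel: 1 - 'WRxxxx'
14:24:50  Ping (min/avg/max): 2.300ms/16.213ms/83.276ms Power: -56.07
14:24:50  30/30: 100%
14:24:50  F8:A0:xx:xx:xx:xx - channel: 1 - 'BHxxxx'
14:24:52  Ping (min/avg/max): 1.120ms/14.078ms/68.255ms Power: -75.09
14:24:52  22/30: 73%
14:24:52  02:6B:xx:xx:xx:xx - channel: 1 - 'DIRECT-xxxx'
14:24:58  0/30: 0%"""

# BSSIDs in the post are masked with "xx", so the pattern accepts "x" as well as hex.
AP_RE = re.compile(r"((?:[0-9A-Fa-fx]{2}:){5}[0-9A-Fa-fx]{2}) - channel: (\d+) - '(.*)'")
RATE_RE = re.compile(r"(\d+)/(\d+):\s+\d+%")
FOUND_RE = re.compile(r"Found (\d+) APs?")

def summarize(output, min_pct=50):
    """Summarise one injection-test run; min_pct is a hypothetical threshold."""
    res = {"injection": "Injection is working!" in output, "found": 0, "aps": []}
    for line in output.splitlines():
        if m := FOUND_RE.search(line):
            res["found"] = int(m.group(1))
        elif m := AP_RE.search(line):
            res["aps"].append({"bssid": m.group(1), "channel": int(m.group(2)),
                               "essid": m.group(3), "pct": None})
        elif (m := RATE_RE.search(line)) and res["aps"]:
            # The reply ratio belongs to the most recently seen AP.
            res["aps"][-1]["pct"] = 100 * int(m.group(1)) // int(m.group(2))
    res["weak"] = [ap["bssid"] for ap in res["aps"]
                   if ap["pct"] is None or ap["pct"] < min_pct]
    if not res["injection"] and res["found"] == 0:
        res["verdict"] = "no-replies"  # symptom seen before the USB setting change
    elif res["weak"]:
        res["verdict"] = "partial"
    else:
        res["verdict"] = "ok"
    return res

if __name__ == "__main__":
    for name, run in (("before USB change", FAILED_RUN), ("after USB change", WORKING_RUN)):
        s = summarize(run)
        print(name, s["verdict"], [(a["essid"], a["pct"]) for a in s["aps"]])
```

A "no-replies" verdict while other cards nearby see access points matches the symptom described above, where the fix was the VM's USB compatibility setting rather than the card or driver.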
It was great to see these numbers, as opposed to my Alfa Long-Range Dual-Band AC1200 card.
While I ran into a few issues, it was super easy to get this card set up and running.
This is now my main wireless card, as it will handle A/B/G/N and 2.4/5GHz without any issues.
Hopefully I’ll be able to share more wireless attacks soon, so let me know if there is anything specific that you’d like to see!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.