Alfa AWUS051NH Installation and Configuration (VMware on macOS)

I had a few questions about using an Alfa AWUS051NH wireless card, so I figured I would share a quick write-up about it.

Alfa AWUS051NH - Introduction

The nice thing about this particular Alfa card is that it supports 5GHz, as opposed to the AWUS036NHA.

I picked up two of these for any 5GHz engagements that I run into, plus to use as my primary wireless cards.


Connecting to Kali

First, I plugged the card into my Mac, and VMware detected it just fine. Ignore the other USB device; that is just one of the wonderful USB-C dongles that I have to deal with.


I passed it through to Kali, and Kali was also able to detect the card.


When I ran iwconfig, the card showed up as wlan0.

root@kali:~# iwconfig
lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          
eth0      no wireless extensions.

Alfa AWUS051NH - Testing and Initial Issues

With the card connected and detected, it was time to put it into monitor mode.

root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  521 NetworkManager
  651 dhclient
  700 wpa_supplicant

PHY	Interface	Driver		Chipset

phy0	wlan0		rt2800usb	Ralink Technology, Corp. RT3572

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

Once I started monitor mode, I verified this by running iwconfig again.

root@kali:~# iwconfig
wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

Next, as the card was in monitor mode, it was time to test injection. Unfortunately, aireplay was finding 0 APs. I knew this was incorrect, as my onboard cards were finding plenty of access points in the area.

root@kali:~# aireplay-ng -9 wlan0mon
13:22:21  Trying broadcast probe requests...
13:22:23  No Answer...
13:22:23  Found 0 APs

Additionally, airodump was showing 0 access points as well.

 CH 12 ][ Elapsed: 36 s ][ 2017-12-05 13:17                                    
                                                                               
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                               
                                                                               
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe     

Fixing and Testing Injection

First, I verified my kernel, just to make sure that the card would work.

root@kali:~# uname -a
Linux kali 4.13.0-kali1-686-pae #1 SMP Debian 4.13.10-1kali1 (2017-11-03) i686 GNU/Linux

After a bit of searching and debugging, it appeared that my virtual machine USB settings were the culprit.

I shut down my VM and set the USB Compatibility to USB 3.0.


With the USB settings changed, I verified that the card was still detected by Kali.

root@kali:~# iwconfig
eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          
lo        no wireless extensions.

With the card detected, it was time to put it back into monitor mode.

root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  490 NetworkManager
  627 dhclient
  797 wpa_supplicant

PHY	Interface	Driver		Chipset

phy0	wlan0		rt2800usb	Ralink Technology, Corp. RT3572

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

This time around, airodump was finding all the access points around me!

 CH  1 ][ Elapsed: 18 s ][ 2017-12-05 14:24                                         
                                                                                                               
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                               
 B8:27:xx:xx:xx:xx  -15       13        0    0   6  54e  WPA2 CCMP   PSK  Getxxxxx                     
 A4:6C:xx:xx:xx:xx  -44       12        0    0  11  54e. WPA2 CCMP   PSK                           
 A4:6C:xx:xx:xx:xx  -42       11       10    0  11  54e. WPA2 CCMP   PSK  GUEST_xxxxx                            
 A4:6C:xx:xx:xx:xx  -44       16        0    0  11  54e. WPA2 CCMP   PSK  WRxxxxx                         
 A4:6C:xx:xx:xx:xx  -59       16       26    0   1  54e. WPA2 CCMP   PSK  GUEST_xxxxx                            
 A4:6C:xx:xx:xx:xx  -51       20        0    0   1  54e. WPA2 CCMP   PSK  WRxxxxx                         
 A4:6C:xx:xx:xx:xx  -46       16      197   21   1  54e. WPA2 CCMP   PSK                           
 78:BA:xx:xx:xx:xx  -58       11        0    0   1  54e. WPA2 CCMP   PSK  WRxxxxx                         
 78:BA:xx:xx:xx:xx  -56       10        3    0   1  54e. WPA2 CCMP   PSK                           
 78:BA:xx:xx:xx:xx  -59       12        0    0   1  54e. WPA2 CCMP   PSK                           
 9C:D2:xx:xx:xx:xx  -63        8        0    0   6  54e. WPA2 CCMP   PSK  HP-Print-35-Color LaserJet MFP       
 02:6B:xx:xx:xx:xx  -65        2        0    0   1  54e  WPA2 CCMP   PSK  DIRECT-xxxxx                     
 F8:A0:xx:xx:xx:xx  -67        6        0    0   1  54e. WPA2 CCMP   PSK  BHxxxxx 

I also wanted to verify that the injection speeds were working properly.

root@kali:~# aireplay-ng -9 wlan0mon
14:24:48  Trying broadcast probe requests...
14:24:48  Injection is working!
14:24:49  Found 4 APs

14:24:49  Trying directed probe requests...
14:24:49  A4:6C:xx:xx:xx:xx - channel: 1 - 'WRxxxx'
14:24:50  Ping (min/avg/max): 2.300ms/16.213ms/83.276ms Power: -56.07
14:24:50  30/30: 100%

14:24:50  78:BA:xx:xx:xx:xx - channel: 1 - 'WRxxxx'
14:24:50  Ping (min/avg/max): 1.897ms/9.195ms/26.184ms Power: -64.80
14:24:50  30/30: 100%

14:24:50  F8:A0:xx:xx:xx:xx - channel: 1 - 'BHxxxx'
14:24:52  Ping (min/avg/max): 1.120ms/14.078ms/68.255ms Power: -75.09
14:24:52  22/30:  73%

14:24:52  02:6B:xx:xx:xx:xx - channel: 1 - 'DIRECT-xxxx'
14:24:58   0/30:   0%

It was great to see these numbers, as opposed to my AC1200 card.
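
As an added example (not part of the original post), this shell function condenses aireplay-ng -9 output like the two runs above into a per-AP success rate and a single verdict, so the failed and the working passthrough runs are easy to tell apart. The function names, the constructed sample inputs and the 90% threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise `aireplay-ng -9` output.
# Reads the text on stdin, prints "<bssid> ch<N> <pct>%" per probed AP and a
# final verdict line. The 90% "healthy" threshold is an assumption.
injection_summary() {
  awk '
    /Injection is working!/ { working = 1 }
    /Found [0-9]+ APs?/ { for (i = 1; i < NF; i++) if ($i == "Found") found = $(i + 1) }
    / - channel: /      { bssid = $2; chan = $5 }
    # Result lines look like "14:24:50  30/30: 100%"; the Ping line does not match.
    /[0-9]+\/[0-9]+: *[0-9]+%/ && bssid != "" {
      pct = $NF; sub(/%/, "", pct)
      printf "%s ch%s %s%%\n", bssid, chan, pct
      probed++; if (pct + 0 >= 90) good++
      bssid = ""
    }
    END {
      if (!working)      verdict = "no-injection"  # as in the first run in the post
      else if (good > 0) verdict = "ok"
      else               verdict = "degraded"      # answers arrive, but unreliably
      printf "verdict=%s found=%d probed=%d\n", verdict, found, probed
    }'
}

# Constructed sample inputs modelled on the two runs in the post (BSSIDs masked).
sample_fail() { cat <<'EOF'
13:22:21  Trying broadcast probe requests...
13:22:23  No Answer...
13:22:23  Found 0 APs
EOF
}
sample_ok() { cat <<'EOF'
14:24:48  Trying broadcast probe requests...
14:24:48  Injection is working!
14:24:49  Found 2 APs

14:24:49  Trying directed probe requests...
14:24:49  A4:6C:xx:xx:xx:xx - channel: 1 - 'WRxxxx'
14:24:50  Ping (min/avg/max): 2.300ms/16.213ms/83.276ms Power: -56.07
14:24:50  30/30: 100%

14:24:52  02:6B:xx:xx:xx:xx - channel: 1 - 'DIRECT-xxxx'
14:24:58   0/30:   0%
EOF
}

sample_fail | injection_summary
sample_ok   | injection_summary
```

Against a live adapter the same function can be fed directly, for example by piping the output of the aireplay-ng -9 wlan0mon command shown above into injection_summary.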

Alfa AWUS051NH - Conclusion

While I ran into a few issues, it was super easy to get this card set up and running.

This is now my main wireless card, as it will handle A/B/G/N and 2.4/5GHz without any issues.

Hopefully I'll be able to share more wireless attacks soon, so let me know if there is anything specific that you'd like to see!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
