The Great Wifi Audit
I’ve had a Backtrack/Kali laptop for experimenting on my home lab for quite some time, and I noticed some anomalies in how it treated Wireless sniffing using the built-in Atheros-based card some time ago and never got around to looking into it. A few days ago, I decided to have another look, rather than doing anything productive, and finally got to the bottom of it.
I started out experimenting with Aircrack-ng, pointing it at my own WAP by selecting the channel and the BSSID, and then set about trying to grab a handshake. This should be trivial stuff, but not so on this machine. Despite seeing the beacon frames, I never caught a handshake, even after forcibly de-authing my phone (both by resetting the phone, and by spamming de-associate packets). A cursory Google search suggested that this may be because the card in question is 802.11b/g only, and my network is both 802.11n and ac, however that didn’t appear to be the case either - when I forced my other laptop’s card to operate only in 802.11b, I still couldn’t capture a handshake. Was a setting wrong? I removed the channel and bssid filters from
airodump-ng and tried again, still nothing.
After about an hour of tinkering with it, on a whim, I replaced this card with another ancient card I had laying around, an Intel one. Running
airodump-ng with the broad settings used immediately prior I was met with unexpected success. Not only did I capture my network’s handshake, I managed to grab one of the neighbours’ handshake by accident too, though I hadn’t realized that at the time. I grabbed the nearest decently-sized wordlist, not expecting much, and pointed
aircrack-ng at the capture files. The dictionary I grabbed isn’t very big, but on this slow laptop (~800keys/sec) it was only about four hours to exhaust the whole list, so I left it go. It took four seconds for the neighbour’s PSK to fall - which was the point at which I’d learned I’d snatched it, and after the entire word list was exhausted ours’ hadn’t been cracked.
Manually checking the wordlist though, I found some rather close cousins of our PSK - which was just a simple passphrase with four dictionary words - close enough to make me want to change it. I knew WEP cracking was trivial, from having done it several years ago, but I never really messed with WPA2 and thought it pretty unlikely someone would crack it without WPS-PIN enabled (which is its own big steaming pile of WTF) - I had no idea exactly how trivial it is, this laptop was made in about 2005 or so and cracked networks without issue. So last night when everyone went to bed, I set a random PSK and reconnected all of our devices using it. With no dictionary words and over 200 bits of entropy, it should be reasonably resistant, and besides… someone will crack the neighbours’ first!
So what was the problem with capturing data using the other card? Not holding my mouth correctly?
No, as it turns out, this is a limitation to monitor mode for some cards. The old card was an
ath5k based card, and I replaced it with a legacy
iwl card. Monitor mode isn’t the only requirement for wireless sniffing, as “supports monitor mode” only implies the ability to capture beacon frames -
iwl got the ability to capture more than beacon frames about 10 years ago, and while I can’t confirm it I’m wondering if the ath5k driver also has such a limitation.
What about the 802.11n explanation I found on StackOverflow? Utterly incorrect. Indeed, the IWL3945abg card doesn’t support 802.11n, 802.11ac, or anything, and yet it will happily capture 802.11n handshakes - I haven’t dug into the 802.11 specs but I suspect the handshakes are all the same regardless of transmission rate. Even better, if you force it onto the 5GHz frequencies, it will capture 802.11ac handshakes as well, as it has a 5GHz radio in it. Not bad for a card released before they even started working on the 802.11ac specifications!