An Introduction to Alfa AWUS036H / AWUS036NH Adapters
If you don’t need to poke and prod in the 5 GHz band, the Alfa AWUS036H (and NH) USB Wi-Fi adapter is one of the best options you have for wireless pen-testing with Kali Linux. This adapter has been a long-time favorite of Kali users given its small size, simple setup (drivers are already built in, just plug and go), excellent range, and cheap price. The only down side is its lack of a 5 GHz radio, but we’ll look beyond that for right now.
The “36H” and “36NH” adapters are virtually identical, sans the NH’s ability to use the 802.11n band, as well as 802.11a, 802.11b, and 802.11g. Both units come with a removable 5dBi antenna, featuring a standard RP-SMA connector, which is nice since it will accommodate different antenna types should the included omni-directional antenna not suit your needs.
Best of all, both of these adapters support monitor mode (aka RFMON mode) and packet injection. Monitor mode is different from promiscuous mode, also used for packet sniffing, because monitor mode doesn’t require association with an access point or ad-hoc network. Packet injection is important because it allows us to send and receive management and control frames from the adapter while it’s operating in monitor mode. This allows us to do things like send deauthentication frames to clients, which forces them to re-authenticate to either their own or a malicious AP, capture a legitimate WPA2-PSK hash, capture the WPA 4-way handshake, reveal a hidden SSID, generate ARP frames for a WEP replay attack, and more.
Adapter Installation and Monitor Mode
Adapter installation is easy, simply plug and play. Even old versions of Kali Linux have baked-in drivers for both of these adapters (and many others).
After plugging in your adapter, running the command airmon-ng will show us all of the wireless adapters that are installed and recognized by the Aircrack suite, which is a popular suite of Wi-Fi pen-testing tools. Here, you can see that Kali recognizes two wireless adapters in my Lenovo T450S – the built-in Intel adapter, as well as the Alfa adapter. The Alfa adapter shows up as a Realtek RTL8187, since this is the chipset it uses. Also important is that the onboard adapter is identified as wlan0, and the Alfa adapter is identified as wlan1.
Even though the Alfa adapter supports monitor mode, it’s not currently in monitor mode. We can use the iwconfig command to get greater detail about each interface by passing the interface name to it as a parameter.
By specifying the name of the adapter, we can see that this is indeed an 802.11 wireless adapter, and that it’s not currently associated with any ESSID. On the second line, we can also see that the mode is currently set to “Managed.” Since “Managed” isn’t “Monitor,” let’s do something about that.
We’ll use the airmon-ng command in conjunction with the adapter name, in this case wlan1, in order to force that interface into monitor mode. There are other methods of doing this, but using the airmon-ng command to perform this action ensures that the Aircrack suite of tools will play nice with our new monitor interface.
After we run the command airmon-ng start wlan1, we are warned that there are some processes that can hinder the operation of the Aircrack tools in conjunction with our newly created monitor mode interface. For now, you should ignore that. If you encounter issues later, then running the airmon-ng check kill command may be required, though running that command will kill several processes. If you are forced to run this, rebooting is the quickest way to get those processes back up and running again. No permanent harm done.
Running iwconfig with no parameters will show us all of our network interfaces. Notice that wlan1 is now gone, and has been replaced with wlan1mon.
The name of wlan1mon is a visual cue that the wlan1 interface is now up and in monitor mode. From now on, in our commands, we’ll reference wlan1mon instead of wlan1. Also note that running the command aircrack-ng stop wlan1mon will take that interface out of monitor mode, put it back in managed mode, and will revert the interface name to wlan1.
Now that we’ve got a monitor mode interface, let’s do something fun with it. Remember that monitor mode is more powerful than promiscuous mode, since it allows us to sniff all radio traffic without having to be connected to an AP or ad-hoc network. This means that we can quickly identify all APs, and even clients, in range. We’ll do this with a utility called airodump-ng.
This command can take several parameters and can perform tons of useful functions, including packet capture to a file, helping us capture WPA2-PSK handshakes, identifying clients connected to a specific AP, and more. For now, let’s view the command in its simplest form by running the command airodump-ng wlan1mon
While this command is running, airodump-ng is scanning all 2.4Ghz channels (since our adapter here doesn’t support 5Ghz) in search of both APs and wireless clients who may be connected to those APs. You’ll notice that in the upper left corner, the channel number is constantly changing. This is because we are searching for all APs and all clients on all wireless channels.
This output will be the basis for almost everything we do with wireless pen-testing, as it provides very useful information. The first column shows the BSSID (MAC address) of each AP that the adapter can see. The second column shows AP power in dB. APs closest to us will have higher numbers, and APs that are further away will have lower numbers. An AP that registers as -30dB might be right next to us, whereas an AP that shows -69dB may be across the street in another building.
The CH column tells us on which channel an AP is currently operating. The ENC column shows us what encryption type is being used on each AP. OPN means that the AP is using no encryption and is open. WEP and WPA2 are the most common other types you’ll see here.
AUTH shows us the authentication type being used to authenticate clients to the AP. This will be blank if no authentication is being used (OPN). PSK indicates that a pre-shared key is being used. This is typically the most common type of authentication used by most people. MGT indicates that a managed form of authentication is being used, which can include the use of 802.1x certificates. Finally, the ESSID column shows us the ESSID (commonly shortened to SSID) that the AP is broadcasting. If no ESSID is being broadcast, we may see the length of the hidden SSID, which can easily be uncovered.
Most of the tools in the Aircrack suite will require us to provide either the ESSID or BSSID, and channel of the AP we’re targeting, so running airodump-ng as we have above is a great way to quickly obtain all of that information, as well as plan our attacks based on what type of encryption and authentication is being used. Understanding the output of airodump-ng and what all of those wireless terms mean are the foundation of anything else you’ll do with the Aircrack suite.