Thursday, May 31, 2018

New WiFi card testing - kismet_shootout

It's been a long time since I've officially tested wifi cards to see what is best and what you should skip.  Well, during the refit of the Wireless Capture The Flag kits, I've done some testing... and now I will share what I do, and what I found.

To start with, all of this is reasonably custom, and some of it I'm simply not sharing at this time.  Much of it, fortunately, is already fully open source, available to you, and already in Pentoo ;-)

This is going to be a multi-part series, where I will introduce the tools, how they work, and some preliminary results.  Nothing on this page should be deemed a hardware recommendation; this was me setting up my test rig for the first time in a while.  The setup was physically entirely unfair, with wildly unmatched stock antennas and extremely close sources of noise.  Don't buy anything because you think it performed well here, and if you do, it was your idea, not mine.

Part One:

To start with, I like to test a lot of cards:

PHY     Interface       Driver          Chipset
phy7    036ac           8812au          Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
phy11   036ach          8812au          Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
phy4    036acs          8812au          Realtek Semiconductor Corp.
phy12   036eac          8812au          Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
phy2    7822UAC         8812au          Edimax Technology Co., Ltd
phy1    AC56            8812au          ASUSTek Computer, Inc. USB-AC56 802.11a/b/g/n/ac [Realtek RTL8812AU]
phy6    awus1900        8814au          Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac
phy9    edup            8812au          Realtek Semiconductor Corp.
phy8    eub1200ac       8812au          Senao EUB1200AC AC1200 DB [Realtek RTL8812AU]
phy0    intel7265       iwlwifi         Intel Corporation Wireless 7265 (rev 61)
phy10   N600UBE         rt2800usb       Ralink Technology, Corp. RT3572
phy5    rlnknano        8812au          Realtek Semiconductor Corp. RTL8811AU 802.11a/b/g/n/ac WLAN Adapter
phy3    wdn4200         rt2800usb       Ralink Technology, Corp. RT3573

I really like to name the cards to make this easier (as you can see).  This is done by adding a line for each card to /etc/udev/rules.d/99-nicnames.rules.  Basically I plug each card in, and then bind its MAC to a useful name like this:

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:c0:ca:98:73:82", KERNEL=="wlan*", NAME="awus1900"
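A small helper for generating those rule lines from an inventory of (name, MAC) pairs, added here as an example and not part of the original post or of Pentoo.  It emits the same rule shape as above, normalizes MACs to the lower-case colon form udev exposes in ATTR{address}, and refuses malformed MACs, over-long interface names and duplicates, which are the mistakes that make a hand-edited 99-nicnames.rules silently stop renaming a card.  The awus1900 MAC is the one from the rule above; the second inventory entry is a hypothetical MAC.

```python
import re

# Same shape as the rule shown above: match the card by MAC on hotplug and rename it.
RULE_TEMPLATE = (
    'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
    'ATTR{{address}}=="{mac}", KERNEL=="wlan*", NAME="{name}"'
)

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
# Linux interface names are limited to IFNAMSIZ-1 = 15 characters; keep them simple.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def normalize_mac(mac):
    """Lower-case, colon-separated form, as udev exposes it in ATTR{address}."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def build_udev_rules(cards):
    """cards: iterable of (name, mac) pairs. Returns one rule line per card.

    Rejects malformed MACs, unusable interface names, and duplicates: two cards
    renamed to the same name cannot both exist, and a MAC listed twice is an
    inventory mistake that is easier to catch here than at boot time.
    """
    seen_names, seen_macs, lines = set(), set(), []
    for name, mac in cards:
        if not NAME_RE.match(name):
            raise ValueError(f"unusable interface name: {name!r}")
        mac = normalize_mac(mac)
        if name in seen_names:
            raise ValueError(f"duplicate name: {name}")
        if mac in seen_macs:
            raise ValueError(f"duplicate MAC: {mac}")
        seen_names.add(name)
        seen_macs.add(mac)
        lines.append(RULE_TEMPLATE.format(mac=mac, name=name))
    return lines


if __name__ == "__main__":
    # Constructed inventory: the awus1900 MAC from the rule above, plus a
    # hypothetical MAC written with Windows-style dash separators.
    inventory = [
        ("awus1900", "00:c0:ca:98:73:82"),
        ("036ach", "00-11-22-33-44-55"),
    ]
    print("\n".join(build_udev_rules(inventory)))
```

Run it and append the output to /etc/udev/rules.d/99-nicnames.rules; replugging the card (or `udevadm trigger`) applies the new name.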

First, let's see if it monitors, and how well.  For this, I am currently using "kismet_shootout.rb", a ruby plugin for kismet which can be found in the path on Pentoo systems.  This tool is very simple: start kismet, and feed it all the wireless cards you want to test.  Then you start kismet_shootout.rb and tell it which cards to test, and on which channel.  For right now, the testing is fairly dumb: all the tool does is count packets seen, and whichever card has the most packets is claimed to be "100%", and every other card then gets a lower percent based on nothing but packet count.  This gives you a reasonable estimate of how many packets are coming in, but not whether they are valid, and nothing is checking if the packets really are the same.  This tool only runs with "old" (stable) kismet right now, and that version of kismet doesn't have all the features the new kismet has, so this is as good as we have right now.  If someone were to reimplement the tool for new kismet, they could take advantage of the dedup mechanism to get hashes for each packet and see for real if the packets seen by all cards are the same.  Then the percentage could be based off the total number of unique packets and how many each card has seen, which would be slightly more useful.

INFO: Locking 036ac, 036ach, 036acs, 036eac, 7822UAC, AC56, awus1900, edup, eub1200ac, N600UBE, wdn4200 to channel 36
INFO: Waiting for sources to settle on channel...
INFO: Started at 2018-05-25 22:43:01 -0400
      Name   PPS  Packets Percent  Total  Elpsd
   N600UBE    30 40562918  93.50%
   wdn4200    59 38580847  88.93%
     036ac    37 42653025  98.32%
    036ach    35 43381613 100.00%
    036acs    29 37327675  86.04%
    036eac    33 39970296  92.14%
   7822UAC    33 40226936  92.73%
      AC56    33 37751328  87.02%
  awus1900    17 14268805  32.89%
      edup    27 35987645  82.96%
  eub1200a    28 36292940  83.66%
                                     361 118h3m
INFO: Locking 036ac, 036ach, 036acs, 036eac, 7822UAC, AC56, awus1900, edup, eub1200ac, N600UBE, rlnknano, wdn4200 to channel 44
INFO: Waiting for sources to settle on channel...
INFO: Started at 2018-05-24 16:25:55 -0400
      Name   PPS  Packets Percent  Total  Elpsd
  rlnknano     0   111123   5.83%
   wdn4200     0  1699403  89.19%
     036ac     0  1905478 100.00%
    036ach     4  1892517  99.32%
    036acs     0  1709680  89.72%
    036eac     1  1845425  96.85%
   7822UAC     2  1878870  98.60%
      AC56     1  1843208  96.73%
  awus1900     4   105650   5.54%
      edup     0  1615999  84.81%
  eub1200a     0  1686462  88.51%
   N600UBE     0  1864576  97.85%
                                      12 30h15m
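To make the difference between the two scoring methods described above concrete, here is an added example in Python (not kismet_shootout.rb, and not new kismet's dedup code): the count-based scoring the tool does today beside the unique-packet scoring proposed for a reimplementation.  The card names and "frames" are constructed, not real 802.11 captures, and SHA-256 of the raw bytes stands in for whatever per-packet hash the dedup mechanism would provide.  The sample is built so that two cards tie under packet counts while one of them has actually missed a frame and double-counted another.

```python
import hashlib


def packet_count_scores(captures):
    """Scoring the way kismet_shootout.rb does it: raw packet counts; the card
    with the most packets is 100% and every other card is scaled against it.
    Returns {card: (packets, percent)}."""
    counts = {card: len(frames) for card, frames in captures.items()}
    best = max(counts.values(), default=0)
    return {card: (n, 100.0 * n / best if best else 0.0) for card, n in counts.items()}


def frame_id(frame):
    """Stand-in for a per-packet dedup hash: SHA-256 of the raw frame bytes."""
    return hashlib.sha256(frame).hexdigest()


def unique_packet_scores(captures):
    """Dedup-based scoring: percent of all distinct frames (union over every
    card) that each card saw.  Duplicates within one card count once.
    Returns (total_unique, {card: (unique_seen, percent)})."""
    per_card = {card: {frame_id(f) for f in frames} for card, frames in captures.items()}
    all_ids = set().union(*per_card.values()) if per_card else set()
    total = len(all_ids)
    return total, {card: (len(ids), 100.0 * len(ids) / total if total else 0.0)
                   for card, ids in per_card.items()}


def exclusive_frames(captures):
    """Number of frames each card reported that no other card did: a quick way
    to spot a card that sees traffic everyone else drops, or that reports
    frames nobody else can confirm."""
    owners = {}
    for card, frames in captures.items():
        for f in frames:
            owners.setdefault(frame_id(f), set()).add(card)
    counts = {}
    for cards in owners.values():
        if len(cards) == 1:
            (card,) = cards
            counts[card] = counts.get(card, 0) + 1
    return counts


# Constructed sample: six fake frames (not real 802.11 headers) and three
# hypothetical cards.  cardB counted F0 twice and missed F4; cardC saw only F5.
F = [b"frame-%d" % i for i in range(6)]
SAMPLE = {
    "cardA": [F[0], F[1], F[2], F[3], F[4]],
    "cardB": [F[0], F[0], F[1], F[2], F[3]],
    "cardC": [F[5]],
}

if __name__ == "__main__":
    print("count-based:", packet_count_scores(SAMPLE))   # cardA and cardB both 100%
    total, by_card = unique_packet_scores(SAMPLE)
    print("unique-based (of %d):" % total, by_card)      # cardA 83.3%, cardB 66.7%
    print("exclusive:", exclusive_frames(SAMPLE))        # cardA: 1, cardC: 1
```

Under packet counts cardA and cardB both score 100%; under unique frames the total is 6, cardA has 5 of them and cardB only 4, which is exactly the distinction the current tool cannot make.  The exclusive count is the extra check worth having in a real reimplementation: a card that reports many frames nobody else saw is either the best receiver on the bench or is handing you garbage, and only looking at the frames tells you which.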

As you can plainly see, I like to run tests a long time.  At least 4 days is best, because that makes me feel warm and fuzzy about the card not failing during an 8 hour hacking session.  Driver instability is a thing, so is kernel instability, and during just these monitor mode tests I had one card completely fail and get put in the bin.

As you can also plainly see, the Alfa AWUS1900 (the only r8814au tested) performs like crap, despite looking like a 4 antenna monster.  This is common with newer drivers and out of kernel modules (which this is both).  The hardware is probably great, but the driver is so bad that it's nearly unusable.  It's a bit hard to see due to the durations, but channel 44 is actually far more busy in my environment than 36, and the AWUS1900 was hot garbage on a busy channel, only doing slightly better on a very quiet channel.

The two best performers, Alfa 036ach and 036ac, traded spots a little bit, but both maintained top performance on both 5GHz channels.  The surprising breakout was the Alfa 036eac, which did remarkably well despite having no antenna, outperforming the Alfa 036acs, which has an external antenna.

Again, this isn't a hardware recommendation, and this isn't even a completely ideal way to test things.  That said, I don't have an ideal way to test things, and so I'm doing what I can.  Now that I've got some idea of which cards don't suck, I will be redoing this testing (and posting the results for all to see) and start making some actual recommendations.  For now, enjoy kismet_shootout.rb, and if you want to reimplement it for new kismet you can find me both on kismet's discord as well as irc channel, and there will be glorious prizes for doing so :-)


Saturday, December 2, 2017

More words of Wisdom from Wasabi's Corner
BSides Delaware Recap

Another BSides and WCTF is in the books.  We had a great time, and the winner was _r from Team1 with 1910pts.  I will give a brief overview and talk about some of the things I saw.  Thank you for having us, BSides DE, and we look forward to next year.

Thank you Dragorn for sitting in on the WCTF and showing off Kismet; it looks freaking awesome.

Thank you to all the competitors who came out and gave it a try.  I was glad to see new faces really getting into it.  I will see you next time when your skills are better and you get more points.

It was two days of fun indoors listening to a strange mix of music and banter.  The usual crew were on-site running the WCTF.  The challenges ranged from basic to epic rage quit.  Bribes were accepted and points were awarded.  The cookies and energy drinks were so very much appreciated.

Now onto the beating of the overly dead horse.

The Board

A lot of points were left on the table.  Lots.  A metric ton.  Looking below the scoreboard you can see the available flags and which ones were taken by competitors.  All of the SDR flags are still there, and the second-day foxes were not captured.  While _r was at the top of the board on the first day, he was unable to attend the second day, and while it was possible to catch up, and even pass _r, no one did.  Between some wifi, a few SDR, and a fox or two, another competitor could have crushed the scoreboard easily.  The WCTF is a timed event, and there are enough points and varying types of wireless flags to choose your own adventure to be successful.  Get the most bang for your buck.  If something is strange or hard, move on and keep trying other things, because you might be able to get lots of points instead of pulling out your hair over why WEP is weird and you can't figure it out.

The Foxes

I am not sure what happened.  I can't tell if it's a lack of gear or a lack of proper explanation.  The foxes were really not on anyone's priority list.  Each fox is 750pts, and on Saturday no one found a fox.  There were three foxes out at a relatively small conference.  I know not everyone does the WCTF so often that they have all kinds of gear falling out of their bags just ready to do a fox hunt.  If this is something you wish to start doing and winning, then a fox hunt must be a part of your plan.  And it will only get harder at conferences that get bigger, such as Shmoocon.  Testing your gear and practicing will give you a damn good advantage.  Don't skip out on these huge chunks of points.  Finding a rogue device is an absolute

Cheat Sheets and Guides

Make your own cheat sheets and don't over-depend on a cookie-cutter guide you found on the internet or got from a class.  A few people used some wireless guide, and it was causing lots of grief.  I have heard of reading between the lines, but some were skipping right over the text and getting right to the command line parts.

The challenges are set up in very specific ways to be challenging and emulate things seen in the wild.  Your cookie-cutter article for how to crack WEP or get a handshake may not and will not work.  Make your own guide so that you don't have to Google for all the same articles you have Googled at every WCTF.  The aircrack-ng suite has many tools and many ways to use the tools.  A classroom wifi class has a clear order to things: if you do X and Y you will get Z.  A live scenario like the WCTF helps train your creativity, which will be helpful on a real engagement.  If the standard way to get WEP is not working, it's time to try something different, or take a deeper look at what you are seeing besides the encryption type.  Just like pentesting a Windows system, you have to properly enumerate these challenges to be successful.

I will repeat something I said a few times in the WCTF.  WEP is not easy.  It is vulnerable.  You have to do the right things to collect the right things to get the key.  No, the challenges are not broken, and yes, they are working.  You need to scan, identify, and notice the "thing" that makes that challenge special, and try something and fail.  Then try something else.

We try to help, and we have to find ways to help that don't immediately give away the answer.  I have sat in your chair and cursed the WCTF team for their vague hints.  But I am better at it now because I was forced to get my lightbulb moments to nail the challenge and get the flag.

Monday, October 23, 2017

Words of Wisdom from Wasabi's Corner

I had a blast.  There were lots of new faces, some old, some familiar, and some only scored 10 points and left.  As usual I walked the floor and tried to help everyone from veteran WCTF person to all the new people.  But I think the WCTF team just loves watching the blind leading the blind, so they keep inviting me back to help.  HAHA

We had a great turnout and competition was tough for the top individual score until the wireless fox was found.  Congratulations to all the winners and I hope the new people saw the fun and will be back next time.  The following are my observations and suggestions for the next time you participate in the WCTF.

Ask for help
Yes, I know I was vague lots of times when you asked me something.  Sometimes I knew the answer and could not tell you, or I had no idea.  I am not told the exact answers to all the problems.  And I only know the ways I would attack it or attempt to find the solution.  Don't sit and stew.  I will help you get on the scoreboard.  I won't do it for you, and I won't tell you the exact thing to type into your terminal, but I will suggest tools and/or reasons why you are having a hard to impossible time with what you are working on.  And BTW, it's not like I'm quiet or anything; if you hear me helping someone, listen in and write stuff down, because it will probably help you too.

People getting stuck on what they thought was easy
I saw a lot of people get stuck on WCTF_01 (WEP).  WEP is not easy; stop saying that.  WEP is vulnerable and can only be defeated if you do the right things and collect enough of the right things to exploit the vulnerability.  If what you are doing is not working, it might not be broken, and you should try something else, because that one thing from that one article you read that one time is not working.

Running in VMs
I will give you the short answer on this.  DON'T.  Ok, now here is why.  Neither I nor anyone else wants to figure out why your system is not working right, not capturing traffic right, and any other little quirk or hiccup because you are running in a VM.  (I take that back: yes, I will help you troubleshoot your IT problem, but you won't like my IT consulting rate, and I make no promises it will work.)  Yes, I know you don't do this all the time.  So make two bootable USB drives and an extra copy of the ISO.  Do you have to install Pentoo or Kali on your laptop?  No, you don't; I have run off a live USB to compete in the WCTF before.  People found out real quick that if you don't give enough resources to the VM, using aircrack or SDR is really, really, really terrible and slow.  And even if you did give tons of resources to your VM, USB passthrough and virtualization will still be a problem.

Build your own wireless cheat sheet
Again, I know you don't do this all the time.  So why are you still Googling the same things at every WCTF?  Open the notepad or note-taking app of your choice and start writing stuff down, and add the link in case you want to do further searching.  Those 30-45 minutes you have to keep Googling, you could be looking for foxes or getting another WPA2 flag, and it could mean the difference between winning or coming in second place.

Hostile Air
I feel bad that two people left out of frustration with the network's intermittent issues.  And while there is no correct answer or solution for this, all I can say is welcome to wireless hacking.  The wireless in the room is kinda wonky and all over the place.  People are hacking, cracking, deauthing, and some new people have no idea what they are doing and might just be flooding the air with craziness.  Plus you are at an INFOSEC security conference, and there is super leet and super script kiddy bull crap going on too.  We saw different things going on, and the WCTF team used a little magic of our own and fixed them.  Just be aware this is a thing.

If this is something you wish to pursue personally or professionally, then give it a little time, do it legally, and have fun.  The WCTF is a competition; it is a game; it is not impossible.  With a little prep work I can't guarantee winning, but you will be less frustrated and have lots of success.  Even (insert local sports ball team here) has planning, strategy meetings, and preparation for the next game.  How much would it suck to know that, given a little more preparation, you would not have lost by 100pts or less?  Just saying.  But what would I know.  And I'm not your supervisor.  You do what you want.  I'm sure you know better.  I would agree with you, but then we would both be wrong.

Sunday, October 8, 2017


Well BSidesDC 2017 has concluded and we had a great time!  Hope all our players and visitors did as well.
We were treated to a great presentation by Wasabi covering great information for newbies and veterans alike.
Thanks brother for all the work and support you gave the Village!

Wiresharknado   2485 points

  • $250 Gift card to Micro Center
  • 2 x WCTF Challenge Coins
  • 2 x BSidesDC black badges

Crimson Agents  1512 points

  • $100 Micro Center gift card
  • 1 x BSidesDC black badge


Root_Acquired   1375 points

  • 1 x BSidesDC black badge

Sunday, July 30, 2017

DEFCON 25 Wireless Village CTF

Final scores

Thank you soooooooo much to our awesome sponsors who donated the awesome prizes below.

And the winners are......

What does the fox say?

WiFi Pineapple Tetra
5 ESP board
Lock Picks
Telefreaks pager watch
Ettus b200 with metal case
Lan Turtle
Bash Bunny
Hak5 long range amp
WiFi Card
No Starch T-shirt
HFC Shirt
Wide Band
Wireless Village 2017 coin for each member


WiFi Pineapple
3 ESP boards
Hackers for Charity shirt
No starch t-shirt
Aerohive AP
cables and pig tails
4 caffeine vape pens
Pager watch
Wireless Village 2017 coin for each member


Hak5 Everything kit
Hackers for charity shirt
Variety of four No Starch Press Books
Caffeine vape pens
3 ESP boards
Simple WiFi small antenna
Wireless Village 2017 coin for each member

Friday, July 28, 2017

We're winding down to the end of Wireless CTF Day 1 here at DEFCON 2017.

Here are the current scores and challenges status:

WELCOME to the 1980's

DEFCON 25 is on!!!

In-brief is underway and talks begin at 11:30am today.
Check out the schedule here.