Hi,

 

let me give you some introduction:

I bought the nano months ago and pentested some of my old routers. Unfortunately I had to realize that the nano only can handle the 2.4 GHz frequency, but no problem, great product anyway.

Most newer routers support both 2.4 and 5 GHz, so I decided to buy the tetra to continue pentesting with my network that has one brand new access point with both frequencies up at the same time.

The start with the tetra was great, because with the "Recon" tab it's possible to scan both frequencies at the same time. Sorry I'm not a fan of the "Modules" so I always continue with an ssh connection and use the aircrack-ng tools.

 

Here comes the question:

Why can I scan my networks (2.4 and 5 GHz on same AP), but the injection does not work on the 5 GHz frequency? I know that the MAC Address changes in the last character, but I started to airodump my 5 GHz and fixed the channel (also tried different ones), but it is still not working. What am I doing wrong? Screenshots included.

Scan results: http://i.imgur.com/2QV8OkJ.png

Airodump: http://imgur.com/taEl4EY

Aireplay: http://imgur.com/wRSW3ed

 

Second test with another router (also dual frequencies):

I'm wondering how I can capture my WPA2 handshake when I'm connected to the 2.4 GHz frequency and when I try to deauth my phone for example, it will reconnect to the 5 GHz frequency without giving the handshake. Same goes if I'm connected to the 5 GHz first and deauth it, the reconnect goes to the 2.4 GHz. I know that is normal behavior for modern devices, but can you please give me some advice on how to handle this? Maybe a script with a loop of switching frequencies and deauth could work?

 

Thank You!


Hello!

Thanks for making a detailed post with screenshots, it was nice for me to use the exact same commands when testing myself.

I did the same as you did (power on, scan with the Recon module, run airodump, and send deauth frames to a 5 GHz AP with aireplay) and it worked fine for me:

[Screenshots: M4D1MyM.png, JuortEs.png, 6ZVv7oG.png]

Forgive my censors.

 

Could you try testing again, and also include information about what firmware version you're running and include the output of dmesg in a reply?


Hello again,

 

I've done some researching on the internet and checked the router I'm pentesting. The 5 GHz channel was on 802.11ac mode and that is not supported by the Tetra :(

BUT:

I changed it to 802.11n and tried a different channel. Same results..... not able to inject anything. I switched the "-0" to "-9" (injection test) and it says "No Answer..." "Found 0 APs".

 

Don't forget my second test:

Injection is working with another router!

 

@Foxtrot 

Firmware of the Tetra is the latest(1.1.2?), I just received this tool two days ago ;)

Here is my dmesg: http://textuploader.com/d992d


On 12.5.2017 at 6:19 PM, Darksider666 said:

Hello again,

 

I've done some researching on the internet and checked the router I'm pentesting. The 5 GHz channel was on 802.11ac mode and that is not supported by the Tetra :(

BUT:

I changed it to 802.11n and tried a different channel. Same results..... not able to inject anything. I switched the "-0" to "-9" (injection test) and it says "No Answer..." "Found 0 APs".

 

Don't forget my second test:

Injection is working with another router!

 

@Foxtrot 

Firmware of the Tetra is the latest(1.1.2?), I just received this tool two days ago ;)

Here is my dmesg: http://textuploader.com/d992d

Are you able to test injection on another access point? It even works against my phone's wireless ICS.


Quote

Don't forget my second test:

Injection is working with another router!

 

Like I said, it is working with another AP...

 

I never gave up testing and the result: Deauth is working on the router with the tool mdk3 even in ac mode. I'm confused....


On 15.5.2017 at 9:30 PM, Darksider666 said:

 

Like I said, it is working with another AP...

 

I never gave up testing and the result: Deauth is working on the router with the tool mdk3 even in ac mode. I'm confused....

Sorry, I didn't pick up on that you've already tested it on another AP.
Well... That's confusing to say the least. Especially considering that mdk3 and aircrack-ng both use the osdep library.
I'm not sure if both have 100% "identical" de-auth methods/packets (when analyzed), but it would be interesting to see a packet-capture of the failure compared against the successful one.


  • 2 weeks later...
On 2017-5-16 at 3:30 AM, Darksider666 said:

 

Like I said, it is working with another AP...

 

I never gave up testing and the result: Deauth is working on the router with the tool mdk3 even in ac mode. I'm confused....

Ensure that your interface is set to the correct channel.

Run aireplay-ng with an additional -D parameter.


  • 4 months later...
On 17.5.2017 at 5:11 PM, Zylla said:

I'm not sure if both have 100% "identical" de-auth methods/packets (when analyzed), but it would be interesting to see a packet-capture of the failure compared against the successful one.

I was able to sort out the difference in the attack, I think.

With Wireshark filtering on MAC addresses and 802.11 packets, I could see that MDK3 was sending both disassociation and de-authentication packets, whereas aireplay-ng only sent de-authentication packets.

 

greetings ;)
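
To compare a failing and a working run the way the post above describes, the sketch below (an added example, not part of the original thread) counts disassociation and deauthentication frames per BSSID in raw radiotap-encapsulated frames. The sample frames, MAC addresses and reason codes are constructed for illustration.

```python
import struct
from collections import Counter

# 802.11 management-frame subtypes named in the post above.
SUBTYPES = {10: "disassociation", 12: "deauthentication"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Return a dict for a disassoc/deauth frame, else None.
    Input is one radiotap-encapsulated frame, as monitor-mode captures store it."""
    if len(raw) < 8:
        return None
    rt_len = struct.unpack_from("<H", raw, 2)[0]  # radiotap header length (LE)
    dot11 = raw[rt_len:]
    if rt_len < 8 or len(dot11) < 26:             # 24-byte MAC header + reason code
        return None
    ftype, subtype = (dot11[0] >> 2) & 0x3, (dot11[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:     # type 0 = management
        return None
    return {
        "kind": SUBTYPES[subtype],
        "dst": mac(dot11[4:10]),
        "src": mac(dot11[10:16]),
        "bssid": mac(dot11[16:22]),
        "reason": struct.unpack_from("<H", dot11, 24)[0],
    }

def summarize(frames):
    """Count disassoc/deauth frames per BSSID in a list of raw frames."""
    counts = Counter()
    for raw in frames:
        info = parse_frame(raw)
        if info:
            counts[(info["bssid"], info["kind"])] += 1
    return counts

# Constructed sample frames (locally administered MACs, not from the thread).
_RT = "0000080000000000"                                # minimal radiotap header
_ADDRS = "020000000002" "020000000001" "020000000001"   # dst, src, bssid
DEAUTH = bytes.fromhex(_RT + "c0000000" + _ADDRS + "0000" + "0700")
DISASSOC = bytes.fromhex(_RT + "a0000000" + _ADDRS + "0000" + "0800")
BEACON = bytes.fromhex(_RT + "80000000" + _ADDRS + "0000" + "0000")
CAPTURE_A = [BEACON, DEAUTH, DEAUTH]       # only deauthentication frames
CAPTURE_B = [BEACON, DEAUTH, DISASSOC]     # both frame kinds

if __name__ == "__main__":
    for name, cap in (("A", CAPTURE_A), ("B", CAPTURE_B)):
        print(name, dict(summarize(cap)))
```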
