Alfa 36 NEH monitor problems in Kali

[cupsdigress]

I could just be forgetting a step, but I haven't found an answer through any other questions

I received my alfa AWUS036NEH from Hakshop about a week ago. I installed Kali in a VirtualBox virtual machine and have tried using the Alfa on a few test networks. (A Linksys, an Arris, and Netgear routers)

I connect the Alfa to the virtual machine and it appears in lsusb and I can see it with Airmon-ng as wlan0.

Starting airmon-ng on wlan0 returns monitor mode on mon0. Airmon-ng does list three running processes as possible issues. I have stopped one at a time and then all three without any difference in the problem.

I start airodump on mon0 and airodump starts cycling through channels. A minute later I receive one Base Station result with no SSID.

Airodump started collecting frames, but then I realized the MAC address the Alfa's Mac address.

I also tried Wireshark on that mon0. It only collected information originating from the Alfa that should be on mon0.

Neither showed any evidence of the multiple networks in the same room.

If pictures would be helpful, I can post those. If any specifics about the setup are needed, just tell me. I'm not sure what is needed to help.

[cooper]

Did you bring down wlan0 before starting monitoring mode?

[DataHead]

have you tried bringing down the coresponding wlan interface after starting monitor mode?

Edit:

Seems me and cooper posted the same thing at the same time

Edited January 12, 2015 by DataHead

[cupsdigress]

Thanks for the help.

New problem and new start now.

• Start Kali
• Login
• Airmon-ng stop wlan0
• ifconfig wlan0 down
• Airmon-ng start wlan0
  • ... mon0
• airodump-ng mon0

Nothing shows up now.

Also tried Airodump-ng wlan0.

Now nothing is showing up.

I also tried again after killing network manager

[cupsdigress]

I don't know if this helps at all, but I also cannot connect to networks normally using the Alfa in Kali. It says connecting for a while and asks me for a WPA password repeatedly, which I give it. Attempting to connect to an open network runs the connection for a few seconds, then disconnects.

[digip]

By default, airodump-ng hop on 2.4GHz channels.

- http://www.aircrack-ng.org/doku.php?id=airodump-ng

I always have issues with capturing via airodump unless I specify specific channels I want to create a pcap on. Once the card is actually in monitor mode(Use airmon-zc instead of ng if you have issues with the card), start airodump on a specific channel: "airodump-ng -c 6 -w dump mon0" where "-c 6" is channel 6 for example and -w will write out your carious pcap files for opening later. If you don't, it hops all of them and can be a bit of a pain to try and lock on to specific access points and data on one frequency. If you can't connect to an AP in managed mode though, something else may be missed in your steps to enable the interface and connect and get it working, so make sure that works first to be sure your card is working. Monitor mode doesn't need association with any AP to see traffic though but if you want good data to work with, specify your channel/frequency first.

[cupsdigress]

I just tried the Airmon-zc, in combination with the above ifconfig wlan0 down and airodump on a specific channel (for a router that is being actively used).

I also tried using the Alfa as a hotspot to see if I could get it to do anything in Kali. The hotspot ability works with the normal network settings in Kali.

Could it be the virtualbox?

[DataHead]

have you tried it from a live / usb / hdd installed boot? Troubleshoot if its the card, linux drivers for you machine, or your host machine drivers interfering with the virtualbox setup

[cooper]

Once in monitor mode, please show the output of the iwconfig command.

[cupsdigress]

iwconfig output:

mon0 IEEE 802.11bgn Mode:Monitor Frequency:2.412 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

eth0 no wireless extensions.

lo no wireless extensions.

wlan0 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off

[digip]

looks to be working, no?

[cupsdigress]

Looks like it, but not in practice. Still no results in Airodump after choosing a channel that matches an actively used network. I've let Airodump run a long time with nothing showing

[cooper]

Note the frequency. Do you know for a fact that there's traffic to be seen on channel 1?

[digip]

mon0 IEEE 802.11bgn Mode:Monitor Frequency:2.412 GHz Tx-Power=20 dBm

Your card appears to only be looking for 2.4ghz channels, and while N can run on both 2.4 and 5ghz, most likely there isn't anything on the 2.4 side near you, or you may not have something setup properly.

1 - As cooper mentioned, are you capturing on a channel that has clients

2 - are there clients on any of the devices using 802.11 A, B or G?

3 - if only your device is in range, and you are only monitoring it, with no clients, and correct channel selected, do you at least see your AP show up?

4 - Is your AP talking on the 802.11 A, B and G channels or N only?

While in monitor mode, open wireshark, and look to see what its capturing from mon0. You should see some beacons and hopefully probes for devices looking for AP's near them. You can also tell airodump, to capture on all channels, without the hopping issues, by chaining multiple channels so it knows to define and look at each one, vs the normal erratic hopping it does, or, load more than one terminal and a session for more than one channel, which I often do, to monitor say channel 1, 6 and 11 individually, the most commonly used 2.4ghz channels.

If the router in question is only using 802.11N, you won't see much of anything, if anything at all, without reinstalling the aircrack suite or configuring it for the 5ghz 802.11N and AC Channels, which start in th 100+ frequencies, not the normal 1-11/14 you would normally see on the 802.11 A, B and G networks. If the nodes connected, are all wired, you will not see anything from your wireless capture other than the AP itself since the clients connected are not over wifi, which means you need to connect in managed mode, and scan the subnet of your wired side for client data.

Also, be sure to select the correct nic in wireshark when capturing, ie: mon0 vs wlan0 or whatever your nics are. Both will show data, but mon0 will be the one that can capture WPA handshakes, see plain text info on open AP's, etc.

[cupsdigress]

Haven't been online for a while. To answer the questions above. I was looking at my own channel, actively streaming youtube.

When it was in the virtual machine, it only received ping requests from itself, and nothing else from any of the ten or more networks in the area.

I got it to work by installing it on a computer without a virtual machine.

The virtual machine does not work still.

Thank you for the help. I'll just continue using a live CD or install to computer. Everything works instantly when installed or live CD.

Maybe it doesn't work in VirtualBox?

Should this be marked as SOLVED?

I can provide more information when I get back to the network if someone wants to continue this

Edited January 16, 2015 by cupsdigress

[digip]

Are you capturing from the VM, wired, or wireless connections? Is the VM set to be isolated to guest network only, or nat, and on its own subnet not the same as the host system? Just wondering how/what is setup and all, topology, settings on the VM, bridged vs nat, etc. Either way, the USB wifi, should see other wireless devices, probes, beacons, etc, from the AP near it.

[cupsdigress]

When I was attempting to capture, I set up the VM both with no network adapters through the VM and with NAT and Bridged. There were a few VM's on different computers while trying this. I attached the NEH then attached that USB connection to the KALI VM with the devices dropdown.

When the NEH was in the VM, it became wlan0, and that's what I used to try capturing.

Edited January 16, 2015 by cupsdigress

[digip]

Have to capture in monitor mode on mon0, or you only see your own traffic in managed mode on wlan0. Even at that, you should have seen your own traffic in wireshark, regardless of using the aircrack suite to find AP's.

[cupsdigress]

Sorry should have said that I used airmon on wlan0 to make mon0 and then used airodump and wireshark on mon0.