In the hit Netflix series ‘Stranger Things’, the Upside Down is the parallel dimension inhabited by a monster. It is a dark and cold reflection of the dimension inhabited by humans, containing the same locations and infrastructure. When assessing wireless networks, I like to think of 5GHz as ‘the upside down’: a dark and cold spectrum where assessors have historically had limited visibility to see what is lurking within when compared to its 2.4GHz peer.
History
Wireless networks have two common spectrums, 2.4GHz and 5GHz. Since 2010, 5GHz networks have become more prevalent as hardware support became available, offering users higher data rates and less radio congestion when compared to the 2.4GHz band. In the business of wireless assessments and penetration testing, we have historically been stuck focusing on 2.4GHz frequencies and attack vectors. This is because most scripts only support 2.4GHz channels, hardware support for monitor mode and packet injection is limited to 2.4GHz, and most rogue AP attacks work regardless of RF frequency. This leaves the 5GHz spectrum a mysterious place which is often overlooked, resulting in a potentially large user base and an entire RF spectrum going untested.
The topic was brought up to me by my boss, who asked if we could harvest users using my crEAP utility on 802.11ac/n frequencies. The case was simple: many organizations have both 2.4GHz and 5GHz deployed in their environments and we were not seeing the full picture; we set off to fix that.
Hardware
One of the big issues I came across is the lack of wireless adapter support. Not many adapters support chipsets which allow for monitor mode and packet injection. Various articles exist covering this, but after testing, I found the Alfa AWUS051NH to be the best option for our use cases.
Utilities
The crEAP script, which we dropped in Fall 2015, identifies weaknesses in WPA-Enterprise wireless networks. The script relies heavily on the Airodump-ng framework under the hood to do our dirty work. With a few modifications to the script, we had crEAP listening in the 5GHz spectrum on AC/N bands with supported hardware. During onsite client engagements, we could now tap into a previously untapped RF spectrum and pull usernames, handshakes and other data – data that would have otherwise been overlooked. The ‘upside down’ wasn’t so mysterious any longer. It also yields lots of juicy wifi traffic.
The AWUS051NH adapter will be effective for wifi assessment scripts such as crEAP, allowing traffic on the 5GHz spectrum to be monitored and inspected. Through our testing, it was apparent that other common wifi utilities (such as Wifite) are still fragile when supporting 5GHz. Attack vectors such as rogue APs don’t necessarily depend on 5GHz frequencies and thus attacks such as Karma should function regardless of RF frequency.
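To make the visibility gap described above concrete, here is an added example (not part of crEAP or of the original post) that reads an Airodump-ng style CSV survey and lists the WPA-Enterprise ESSIDs that were seen only on 5GHz, which a 2.4GHz-only survey would have missed. The function names, the channel ranges used to pick a band and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in airodump-ng's CSV layout: AP rows, blank line, station rows.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2016-09-01 10:00:00, 2016-09-01 10:05:00,  6,  54, WPA2, CCMP, MGT, -48, 120, 0, 0.  0.  0.  0, 9, CORP-WIFI,
02:00:00:00:00:02, 2016-09-01 10:00:01, 2016-09-01 10:05:00, 36, 866, WPA2, CCMP, MGT, -55, 98, 0, 0.  0.  0.  0, 9, CORP-WIFI,
02:00:00:00:00:03, 2016-09-01 10:00:02, 2016-09-01 10:05:00, 149, 866, WPA2, CCMP, MGT, -60, 75, 0, 0.  0.  0.  0, 11, LAB, SECURE,
02:00:00:00:00:04, 2016-09-01 10:00:03, 2016-09-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70, 40, 0, 0.  0.  0.  0, 5, GUEST,
02:00:00:00:00:05, 2016-09-01 10:00:04, 2016-09-01 10:05:00, -1,  -1, WPA2, CCMP, MGT, -80, 3, 0, 0.  0.  0.  0, 0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:AA, 2016-09-01 10:01:00, 2016-09-01 10:04:00, -50, 12, 02:00:00:00:00:02, CORP-WIFI
"""

def band(channel):
    """Map a channel number to its band (assumed ranges); -1 means not known."""
    if 1 <= channel <= 14:
        return "2.4GHz"
    return "5GHz" if 32 <= channel <= 177 else "unknown"

def parse_aps(text):
    """Return one dict per AP row; rows are unquoted, so an ESSID may contain commas."""
    aps, in_aps = [], False
    for line in text.splitlines():
        if line.startswith("BSSID"):
            in_aps = True
        elif in_aps and not line.strip():
            break  # a blank line ends the AP section; station rows follow
        elif in_aps:
            parts = line.split(",", 13)  # keep ESSID and Key together in parts[13]
            if len(parts) < 14 or not parts[3].strip().lstrip("-").isdigit():
                continue  # skip truncated or malformed rows
            head, sep, tail = parts[13].rpartition(",")  # last comma precedes Key
            aps.append({"bssid": parts[0].strip(), "band": band(int(parts[3])),
                        "auth": parts[7].strip(), "essid": (head if sep else tail).strip()})
    return aps

def enterprise_only_on_5ghz(aps):
    """WPA-Enterprise (MGT) ESSIDs that a 2.4GHz-only survey would never see."""
    seen = defaultdict(set)
    for ap in aps:
        if "MGT" in ap["auth"] and ap["essid"]:  # hidden (empty) ESSIDs are skipped
            seen[ap["essid"]].add(ap["band"])
    return sorted(essid for essid, bands in seen.items() if bands == {"5GHz"})

if __name__ == "__main__":
    aps = parse_aps(SAMPLE_CSV)
    print(Counter(ap["band"] for ap in aps), enterprise_only_on_5ghz(aps))
```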
The updated crEAP script is located in the Shellntel repo.
Good luck with your ventures into ‘the upside down’. Let SynerComm know if you have any questions.