FreeBSD & WiFi Hacking
TLDR;
One of our testers has been building a new FreeBSD pentesting laptop and exploring the nuances of the FreeBSD kernel and packages. This blog post is a short run-through of their experience getting some of the more popular USB WiFi cards working with monitor mode and packet injection, for the purposes of WiFi pentesting and security audits.
We have the following cards and chipsets, and we cover each one in turn:
- Alfa AWUS036ACH Dual Band USB Adaptor AC1200 (rtl8812au)
- Alfa AWUS036NEH (rt3070)
- Signal-King High-Gain Antenna (ath9000)
RTL8812AU
The Realtek drivers are included in the FreeBSD 13.0 kernel; on 12.0 or below you may need to install the package:
pkg install rtwn
The Alfa AWUS036ACH Dual Band USB Adaptor AC1200 is an example of this chipset.
Getting this WiFi Card into monitor mode is as easy as:
ifconfig wlan1 create wlandev rtwn0 wlanmode monitor
If you get an error message about a license, you may need to add the following lines to /boot/loader.conf:
if_rtwn_pci_load="YES"
legal.realtek.license_ack=1
RT3070
Another wireless card in our arsenal is the Alfa AWUS036NEH. The drivers for this card are included in the FreeBSD kernel; however, the card failed to work correctly. The solution we found was to load the drivers as kernel modules at boot, after which the WiFi card behaves as expected.
To make FreeBSD 13.0 use the kernel modules, include the following in /boot/loader.conf:
if_run_load="YES"
runfw_load="YES"
The only minor issue is that the kernel loads the drivers with the US channel specification. But we can easily put the card into monitor mode and change the country and regulatory domain like so:
ifconfig wlan1 create wlandev run0 wlanmode monitor country GB regdomain ETSI up
Remember: the country code should be changed to the correct code for your location, to comply with the frequency bands allocated within your country. Setting this code incorrectly can mean differences in channel numbering, channel spacing and radio power.
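The loader.conf and ifconfig steps above (for both the RTL8812AU and RT3070 sections) are easy to get subtly wrong on a second run: duplicated loader.conf lines, or a mistyped country code that silently leaves the card on the default regulatory domain. The following POSIX sh script is an added example, not code from the original post, that makes the loader.conf edit idempotent and validates the country code before building the ifconfig command. It assumes the loader.conf path is passed as an argument (so it can be exercised against a scratch file) and only executes the real ifconfig call when APPLY=1 is set, since that needs root and an attached device; the module names come from the post, everything else is illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent loader.conf entries
# plus a validated monitor-mode ifconfig command for a FreeBSD WiFi card.
# Assumptions: LOADER_CONF path is supplied by the caller; the ifconfig call
# is only executed when APPLY=1, otherwise the command is printed (dry run).

# ensure_loader_line FILE LINE
# Append LINE to FILE only if an identical line is not already present, so
# re-running the script never duplicates entries in /boot/loader.conf.
ensure_loader_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    if grep -Fqx -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# valid_country CODE
# Succeeds only for a two-letter upper-case code such as GB or US.
valid_country() {
    printf '%s\n' "$1" | grep -Eq '^[[:upper:]][[:upper:]]$'
}

# monitor_cmd WLAN PARENT COUNTRY REGDOMAIN
# Print the ifconfig invocation the post uses, refusing a malformed country
# code rather than letting the kernel fall back to its default domain.
monitor_cmd() {
    wlan=$1; parent=$2; country=$3; regdomain=$4
    valid_country "$country" || { echo "bad country code: $country" >&2; return 1; }
    printf 'ifconfig %s create wlandev %s wlanmode monitor country %s regdomain %s up\n' \
        "$wlan" "$parent" "$country" "$regdomain"
}

# setup_card LOADER_CONF PARENT WLAN COUNTRY REGDOMAIN MODULE...
# Record each kernel module as MODULE_load="YES" in LOADER_CONF, then create
# (APPLY=1) or print (default) the monitor-mode interface command.
setup_card() {
    conf=$1; parent=$2; wlan=$3; country=$4; regdomain=$5
    shift 5
    for mod in "$@"; do
        ensure_loader_line "$conf" "${mod}_load=\"YES\""
    done
    cmd=$(monitor_cmd "$wlan" "$parent" "$country" "$regdomain") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd          # real run: needs root and the device attached
    else
        echo "$cmd"   # dry run: show what would be executed
    fi
}

# Dry run of the RT3070 (run0) setup from the post against a scratch file,
# so the script can be tried without touching /boot/loader.conf.
scratch=$(mktemp)
setup_card "$scratch" run0 wlan1 GB ETSI if_run runfw
cat "$scratch"
rm -f "$scratch"
```

Running it twice against the same file leaves exactly one `if_run_load="YES"` and one `runfw_load="YES"` line; on a real box, point it at /boot/loader.conf and set APPLY=1 once the entries look right.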
ATH9000
In order for FreeBSD 13.0 to correctly recognise this device, we had to load the Atheros kernel module. This can be achieved by including the following line in /boot/loader.conf:
if_ath_load="YES"
The Signal-King was obtained a few years ago from eBay; we believe the units are now sold out, but alternatives may be available on AliExpress.
Native scanning
With any WiFi interface you can use ifconfig to issue a simple neighbourhood scan:
ifconfig wlan1 scan
In some cases, ifconfig does not work (it didn't with our ath9000 chipset). However, we achieved full scanning and packet injection capability using Aircrack-ng.
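When `ifconfig wlan1 scan` does work, its table is what an audit report is built from, and the awkward part is that the SSID column may contain spaces, so splitting on whitespace mis-parses it. The script below is an added example, not code from the original post: it parses FreeBSD's scan table by locating the BSSID and treating everything before it as the SSID, then summarises which networks advertise RSN (WPA2/3) versus WPA1-only or no security IE at all, and how crowded each channel is. The scan text embedded in it is constructed to mimic FreeBSD's column layout; on a real system feed the functions with `ifconfig wlan1 scan` output instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `ifconfig wlanN scan`
# output for an audit. SAMPLE_SCAN is constructed to mimic FreeBSD's format;
# replace it with real output, e.g.  ifconfig wlan1 scan | weak_networks

SAMPLE_SCAN='SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
office-5g       00:11:22:33:44:55   36   54M -61:-95  100 EPS  RSN WME HTCAP VHTCAP
Guest Cafe WiFi 66:77:88:99:aa:bb    6   54M -70:-95  100 ES   WME HTCAP
legacy-printer  cc:dd:ee:ff:00:11    6   11M -80:-95  100 EP   WPA
office-2g       00:11:22:33:44:56    1   54M -58:-95  100 EP   RSN WPA WME HTCAP'

# scan_records < scan-output
# Emit one "ssid|bssid|chan|security" line per network. The SSID is taken as
# everything before the BSSID (trailing padding stripped) so names containing
# spaces survive. Fields after the BSSID are: CHAN RATE S:N INT CAPS IE...
scan_records() {
    awk '
    BEGIN {
        hx = "[0-9a-fA-F][0-9a-fA-F]"
        mac = hx ":" hx ":" hx ":" hx ":" hx ":" hx   # spelled out: no {n} intervals, works in mawk
    }
    NR == 1 && $1 == "SSID/MESH" { next }           # skip the header row
    match($0, mac) {
        ssid = substr($0, 1, RSTART - 1)
        sub(/[ \t]+$/, "", ssid)
        rest = substr($0, RSTART)
        n = split(rest, f, /[ \t]+/)
        bssid = f[1]; chan = f[2]
        # IEs begin at f[7]; rank RSN (WPA2/3) above WPA (WPA1) above nothing.
        sec = "OPEN-or-WEP"
        for (i = 7; i <= n; i++) {
            if (f[i] == "RSN") { sec = "RSN"; break }
            if (f[i] == "WPA") sec = "WPA1-only"
        }
        printf "%s|%s|%s|%s\n", ssid, bssid, chan, sec
    }'
}

# weak_networks < scan-output
# Networks that do not advertise RSN: the ones an audit should call out.
weak_networks() {
    scan_records | awk -F'|' '$4 != "RSN" { print $1 " (" $4 ")" }'
}

# channel_usage < scan-output
# How many networks share each channel, lowest channel first.
channel_usage() {
    scan_records | awk -F'|' '{ c[$3]++ } END { for (k in c) print k, c[k] }' | sort -n
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | scan_records
printf '%s\n' "$SAMPLE_SCAN" | weak_networks
printf '%s\n' "$SAMPLE_SCAN" | channel_usage
```

On the sample, `weak_networks` reports the open guest network and the WPA1-only printer, and `channel_usage` shows channel 6 carrying two networks. The MAC pattern is spelled out rather than using `{5}` because interval expressions are not supported by every awk shipped on the systems this would run on.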
Aircrack-ng
To install aircrack-ng, it's as easy as:
pkg install aircrack-ng
As FreeBSD natively supports monitor mode, you don't need to mess around with airmon-ng. You can use airodump-ng (as root or via sudo) to capture WiFi packets, and inject packets with aireplay-ng.