BT5 Alfa AWUS036NH

Here's whats weird about it: 1st off, it works totally fine in parallels 6, which I've just tested and had zero problems whatsoever, so I'm sure that it has something to do with the way VMware and Virtualbox deal with the USB devices as they're plugged in. On top of that, if you're using it from a hard boot, and only have rt2800usb loaded, then you dhcp and wicd manager work perfectly fine...

I thought that you needed to use rt2870sta if you wanted to connect regularly for browsing the web or whatever, but I guess not.

Anyways, you certainly should have rt2870sa blacklisted, theres no way that it will work for injection otherwise.

Thanx man ! my dlink dwl-g122 works!
Your made my day! :D

Quote:

---

Originally Posted by inverser

Hey there, I'm trying to get my AWUS036NH working on BT5 too. I followed your instructions very closely but receive this error when patching:

Code:

---

cat mac80211_2.6.32.2-wl_frag+ack_radiotap.patch | patch -p1
patching file include/net/ieee80211_radiotap.h
Hunk #1 FAILED at 240.
1 out of 1 hunk FAILED -- saving rejects to file include/net/ieee80211_radiotap.h.rej
patching file net/mac80211/tx.c
Hunk #1 FAILED at 678.
Hunk #2 FAILED at 974.
Hunk #3 FAILED at 1025.
Hunk #4 FAILED at 1088.
4 out of 4 hunks FAILED -- saving rejects to file net/mac80211/tx.c.rej

---

I ignored this message and continued with your instructions and was able to get mon0 enabled, but something is definitely wrong because airodump-ng mon0 shows 0 APs.

---

hi guys,
tried to run Alfa AWUS036NH on BT5 ghnom 64, VM v.7, installed older compat-wireless ant tried a newer one also, patched 'maxim' but still cnat get a decent handshake...
my mon0 channel is circling throw all channel like hell and just cant get it fixed.
i red that some have made throw this hell-installation-configuration a got fixed the channel problem but a lot more say like i did, cant fix the channel problem..
i'm thinking maybe to get back to BT4 and then use the old version of compat-wireless + maxim patch.

Hi everyone,

I'm new here and i joined specifically because of this thread. ... I have the us036nh on an
older Thinkpad with BT5-GNOME installed about 10 days ago. I finally got everything
working last night and nnmap'd a net of interest all night long with xml results on the
drive when i got up. The AWUS036NH is definitely superior to anything out there in
that price range. The reception sensitivity is nearly double that of the AWUS036.
I have an engineer friend who claims that's not possible but I don't care because I
know it is. Alfa definitely did something innovative with this little gem.

I did install compat-wireless-2-6.38-2-2.tar.bz2 from wireless.kernel.org since the BT5
kernel is 2.6.38. Not sure if the 2010-04-20 package would have worked but don't really
care right now. No aircrack-ng patches were needed. In the driver folder, I ran
./scripts/driver-select rt2x00. All the drivers can be seen in lsmod:

rt2800usb which is apparently the top driver in the device driver chain
rt2800 lib using rt2800usb
rt2x00usb using rt2800usb
rt2x00libusing rt2800usb, rt2800lib, rt2x00usb
mac80211 using everything above
cfg80211 using rt2x00lib and mac80211

These are all the drivers needed. Nothing else is needed. You don't need to blacklist anything
or use modprobe to delete any. I don't know where that information came from regarding
rt2870sta and everything but it simply is not true.

The make should be clean. Then make install and make unload. You don't need to modprobe
the usb driver. Just reboot with the Alfa now plugged it. The drivers will all load automatically.

Now, here's the catch. At this point, Aircrack-ng runs perfectly. Injection worked fine
with aireplay-ng and airodump-ng picks up networks I never dreamt existed. But I could
not get an i.p., either using WICD or, from the terminal, iwconfig & dhclient. In fact,
ifconfig does not show the adaptor. You have to bring it up manually. But even then
wicd will not connect UNLESS you restart it with /etc/init.d/wicd restart. Then I get
internet.

You tell me why and we'll both know...

I am having a little problem with AWUS036NH on BT5, I tried "aireplay-ng -9 mon0" and it shows that injection is working!

Code:

---

aireplay-ng -9 mon0
23:14:20  Trying broadcast probe requests...
23:14:20  Injection is working!
23:14:22  Found 3 APs

---

after that I tried "aireplay-ng -9 -i mon0 wlan0" and got this:

Code:

---

aireplay-ng -9 -i mon0 wlan0

23:14:33  Trying broadcast probe requests...
23:14:33  Injection is working!
23:14:35  Found 3 APs

23:14:35  Trying directed probe requests...
23:14:35  **:**:**:**:**:** - channel: 6 - 'xxxxx'
23:14:35  Ping (min/avg/max): 2.191ms/2.563ms/6.497ms Power: -68.79
23:14:35  28/30:  93%

23:14:35  **:**:**:**:**:** - channel: 6 -  'xxxxx'
23:14:36  Ping (min/avg/max): 2.224ms/3.588ms/11.204ms Power: -61.86
23:14:36  28/30:  93%

23:14:36  **:**:**:**:**:**- channel: 6 -  'xxxxx'
23:14:36  Ping (min/avg/max): 2.131ms/2.529ms/4.409ms Power: -74.00
23:14:36  30/30: 100%


23:14:36  Trying card-to-card injection...
23:14:40  Attack -0:          Failed
23:14:44  Attack -1 (open):    Failed
23:14:49  Attack -1 (psk):    Failed
23:14:53  Attack -2/-3/-4/-6:  Failed

---

I tried to test my WPA security but couldn't initiate packet injection! Any advice??

@Robbb: What are you using to start up airmon? if you use the -c option to specify a channel, then it should lock onto that channel. If that doesn't work right away, the first thing to do is to make sure you dont have something else running thats scanning the channels (ie- aireplay -9 or another instance of airodump w/out the -c option specified). Next, I would do

Code:

---

iwconfig wlan0 channel <CHANNEL>
iwconfig mon0 channel <CHANNEL>

---

Once you've done that then try starting airodump -c with the same channel. Another thing is that it can be very very difficult to gather a WPA handshake. The problem is that even if you can hear the router that your trying to crack, you need to be able to hear the packets coming from the client as well. Not only that, but both the router and the client have to be able to hear the packets you're sending them as well. My setup is this 18db gain directional antenna hooked up to the 36NH running at 31db, and I have to aim this thing around until I get it pointed directly at the target client until I can get a handshake. Even then, it's very touchy and takes a lot of time to get a good one. Use this:

Code:

---

wireshark -R eapol <CAP FILE>

---

to inspect the packets. You'll see on the right something like "key request (1/4)" and so on. You need all 4 packets to get a full handshake. You will know which one you're not hearing by the source and dest. of the packets you're looking at.

@calig - Yes, you dont need to blacklist rt2870sta because an update in BT5 actually did it for you already. Those comments describing that mod are from before the patch was released, so at one point that was actually what you had to do to get it working. I've also had trouble obtaining an IP address with the nh sometimes, but if I modprobe -r the drivers, and then replug the thing, eventually I can get one.

If you dont see the adapter in ifconfig, but you do in iwconfig, then you can do

Code:

---

ifconfig wlan0 up

---

to manually put it up. But, I get the feeling that it's a problem with the driver because I can get and I.P. fine on any network in windows or on OS X with the same adapter, yet for some reason it struggles in BT5. Still workin on it tho.

@Doppler - What is it that you're trying to do there? If you want to crack wpa, you don't at all need to use the wlan0 interface, you can simply capture packets with airodump-ng, and use aireplay-ng -0 to de-auth clients.

With this, I am just trying to test my wireless adapter injection! For the comparison test can you explain whole WPA crack procedure!?

i had the same problem but i am new to Linux all i did to fix it is key start networking

Quote:

---

Originally Posted by dem0critus

@Robbb: What are you using to start up airmon? if you use the -c option to specify a channel, then it should lock onto that channel. If that doesn't work right away, the first thing to do is to make sure you dont have something else running thats scanning the channels (ie- aireplay -9 or another instance of airodump w/out the -c option specified). Next, I would do

Code:

---

iwconfig wlan0 channel <CHANNEL>
iwconfig mon0 channel <CHANNEL>

---

Once you've done that then try starting airodump -c with the same channel. Another thing is that it can be very very difficult to gather a WPA handshake. The problem is that even if you can hear the router that your trying to crack, you need to be able to hear the packets coming from the client as well. Not only that, but both the router and the client have to be able to hear the packets you're sending them as well. My setup is this 18db gain directional antenna hooked up to the 36NH running at 31db, and I have to aim this thing around until I get it pointed directly at the target client until I can get a handshake. Even then, it's very touchy and takes a lot of time to get a good one. Use this:

Code:

---

wireshark -R eapol <CAP FILE>

---

to inspect the packets. You'll see on the right something like "key request (1/4)" and so on. You need all 4 packets to get a full handshake. You will know which one you're not hearing by the source and dest. of the packets you're looking at.

@calig - Yes, you dont need to blacklist rt2870sta because an update in BT5 actually did it for you already. Those comments describing that mod are from before the patch was released, so at one point that was actually what you had to do to get it working. I've also had trouble obtaining an IP address with the nh sometimes, but if I modprobe -r the drivers, and then replug the thing, eventually I can get one.

If you dont see the adapter in ifconfig, but you do in iwconfig, then you can do

Code:

---

ifconfig wlan0 up

---

to manually put it up. But, I get the feeling that it's a problem with the driver because I can get and I.P. fine on any network in windows or on OS X with the same adapter, yet for some reason it struggles in BT5. Still workin on it tho.

@Doppler - What is it that you're trying to do there? If you want to crack wpa, you don't at all need to use the wlan0 interface, you can simply capture packets with airodump-ng, and use aireplay-ng -0 to de-auth clients.

---

@mreidiv - obviously that doesn't solve the problem for everyone.. I'm not sure what it is you're getting at...?

Thank dem0critus,
i tried to run airmon with -c but it wont lock on the specified channel;

Code:

---

airmon-ng start wlan0 channel x

---

and then i get a few process that can interrupt like dhclient3 so i use

Code:

---

pkill dhclient3

---

then -

Code:

---

airodump-ng mon0
airodump-ng --bssid (xxxxxxxxxxxx) -c x -w somthing mon0

---

did you mean, run airodump like this:

Code:

---

airodump-ng mon0 channel x

---

i'm getting the beacons abd i can see the packets, the router is really not far, just one floor under me... but i'm still getting the bouncing channel so no handshake.

thanks again dem0critus, i appreciate it.

Rob