How to force a Wi-Fi USB adapter on a Synology DiskStation to use 5GHz ac from 2.4GHz

Useful if your SSIDs are identical for 5GHz and 2.4GHz. Having your SSIDs set up like this seems to confuse Synology DSM, and for me it would always connect to the 2.4GHz network.

I had this particular issue where my TP-Link T4U ac wifi adapter for my Synology kept dropping down to using the 2.4GHz network, which slows it down dramatically.

To fix this, here’s what I did. Your mileage may vary, and you may end up disconnecting your Synology from the network, so make sure you have another way of getting to it (such as Ethernet) before proceeding with any of this!

SSH to the DiskStation and log in as admin.

sudo -s to root account (same password as admin account)

Make a copy of your existing wifi config file inside /usr/syno/etc/wifi/

For me, I did:

Edit the original file with vi. If you don’t know how to use vi, do a web search (it’s not hard, but not easy either).

What you need to do is remove the reference to the 2.4GHz network, which you can identify from its bssid, the MAC address of your router’s 2.4GHz radio. Once you’re done, the file should contain only the details for the bssid of your 5GHz network. On my router, the MAC address for the 5GHz network was one hex number higher than the 2.4GHz network.

Next, make a copy of the wpa_supplicant file in /usr/syno/etc. For me, this was called: wpa_supplicant.conf.wlan0

Now edit the file, and change the bssid (which will be the 2.4GHz bssid MAC address) to the bssid MAC address of the 5GHz network.

Reboot the Synology DiskStation, and when it comes back, it should be on the 5GHz network.
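
The bssid edit from the steps above as a script, added here as an example and not part of the original post. It assumes the file uses standard wpa_supplicant network={ ... } blocks; the function names, SSID, passphrase and MAC addresses are constructed.

```shell
#!/bin/sh
# Added example (not the author's code): pin one SSID's network block to one BSSID.
# Usage: pin_bssid FILE SSID BSSID   (FILE e.g. /usr/syno/etc/wpa_supplicant.conf.wlan0)
pin_bssid() {
    conf=$1 ssid=$2 mac=$3
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
        { echo "not a MAC address: $mac" >&2; return 2; }
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Keep the first backup; a re-run must not overwrite the known-good copy.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1
    # The file holds the PSK: mktemp creates the scratch copy with mode 0600.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if awk -v ssid="$ssid" -v mac="$mac" '
        /^[ \t]*network=[{]/ { inblk = 1; n = 0; hit = 0; at = 0 }
        !inblk { print; next }
        {
            t = $0; sub(/^[ \t]+/, "", t)
            if (t == "ssid=\"" ssid "\"") hit = 1
            if (t ~ /^bssid=/) at = n + 1        # remember where bssid= sits
            if (t ~ /^[}]/) {                    # end of block: flush it
                if (hit && at) buf[at] = "\tbssid=" mac
                else if (hit) buf[++n] = "\tbssid=" mac
                for (i = 1; i <= n; i++) print buf[i]
                print; changed += hit; inblk = 0; next
            }
            buf[++n] = $0
        }
        END { exit !changed }' "$conf" > "$tmp"
    then
        # Write through the existing file so its owner and mode are preserved.
        cat "$tmp" > "$conf"; rc=$?
    else
        echo "no network block for SSID: $ssid" >&2; rc=3
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample file; the two MACs are placeholders that differ by one.
make_sample() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
network={
	ssid="HomeNet"
	bssid=02:00:00:00:00:10
	psk="constructed-passphrase"
}
EOF
}
```

Copying FILE.bak back over FILE undoes the change; other network blocks in the file are left untouched.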

Notes: Cracking WEP on the Windows command line with Aircrack-ng and AirPcap Tx

ARP injection in Windows using AirPcap Tx

Finally, I’ve had time to write down my notes on using aircrack-ng with the Airpcap Tx adapter in Windows. Before you read on, please be aware that this isn’t meant to be a guide or tutorial, it’s just my notes. Thanky 🙂

Basics

Start capturing:

Fake auth:

Start attack:

Deauth (if we need ARPs):

aireplay-ng --deauth 3 -a BSSIDMAC -c CLIENTMAC \\.\airpcap00

Start cracking:

Worked example:

Download

I’ve prepared a special release of the aircrack-ng tools originally prepared by CACE Technologies on the AirPcap CDROM. It replaces the new aireplay-ng.exe with an older one which, in my tests, appears to perform better.

Download the release of aircrack-ng for AirPcap Tx

Cracking WEP with aircrack-ptw in Windows with AirPcap and Cain

Every time you deploy a WEP Access Point, a fluffy kitty dies.

Primer

Recently a team of German cryptography researchers perfected methods to recover a WEP key faster than ever before. The older Weak IV attacks generally needed between 500,000 and 2,000,000 packets to recover a 128-bit WEP key. In contrast, the new PTW method needs a mere 85,000 packets to have a 95% chance of recovering the WEP key.

Unlike the Weak IV attack, instead of collecting weak IVs, the PTW method collects ARP requests and responses to attack the encryption. ARP requests can either be collected naturally, or can be generated via packet injection. Until recently, packet injection was only possible in Linux. With the advent of the AirPcap USB adapter, and some unsupported beta drivers, it’s possible to inject packets in Windows. Update: CACE have released AirPcap Tx, which features fully supported packet injection, for an added premium.

In this tutorial, I’ll guide you through the process of recovering a WEP key, via the PTW attack, in Windows. For this you’ll be using the AirPcap USB adapter, Cain, aircrack-ptw, and the aircrack-ng suite.

Legalities

It’s important to point out that these methods should only be applied with permission from the owner of the target AP. You should either be auditing, penetration testing, or demonstrating the weaknesses of WEP in a Test Lab environment. You should not be using these methods to get “Free internet”!

Preparation

You’ll need:

Now you’ll need to prepare the environment:

  • Install the beta drivers (or if you have AirPcap Tx, install the drivers from the CD-ROM)
  • Plug in the AirPcap
  • Install Cain
  • Extract aircrack-ng to c:\airpcap\
  • Extract aircrack-ptw to c:\airpcap\
  • Move aircrack-ptw.exe to the bin folder (this is no longer required – see my notes)
  • Optional: To make things easier, move the contents of the bin folder to c:\airpcap\. You’ll then be able to run aircrack-ptw.exe with just c:\airpcap\aircrack-ptw.exe mycapture.cap

Let’s get cracking

I added narration to the video this evening at 20:36. It’s my first attempt at narration, and a little noisy, but I’m sure things will improve as time goes on! 🙂


Youtube Video Link

Countermeasures

The primary countermeasure to this WEP attack is to cease using WEP and switch your Access Points to WPA encryption. As you’ve seen in this video, WEP is just too easy to crack. For further reading, Wikipedia has an excellent entry on WPA.

Access Points are so cheap now that, if your AP doesn’t support WPA via a firmware upgrade, you can easily afford a new one with full WPA or WPA2 support.

Notes

Note 1: After recording this tutorial, I’ve become aware that, as of version 0.9, aircrack-ng.exe natively supports the PTW attack by using the -z switch. For example: aircrack-ng.exe -z mycapturefile.cap. If you want to use this attack, download aircrack-ng from the authors, and replace aircrack-ng.exe in c:\airpcap with the new one.

Note 2: The whole process from starting capture to recovering the WEP key takes about 10 minutes.

Note 3: It is important that you get the Packet Injection drivers and the aircrack-ng release specifically for the AirPcap adapter, or this will not work.

Note 4: Just to summarise the steps in the video:

  1. Run Cain and passively scan for the target AP, making a note of the Channel number.
  2. Using the channel number, tell AirPcap to inject packets once it has collected an ARP request. (You can sometimes force an ARP by sending Deauth. To do that, right click on the client. Otherwise, repair the Wireless connection on the client connected to the AP)
  3. To use the PTW attack, you need to collect all packets. By running airodump-ng you can collect all the packets generated by Cain. The reason we use airodump-ng instead of Cain is that Cain only collects WEP IVs.
  4. Once you’ve collected enough packets, run aircrack-ptw against the capture file.

Aircrack-PTW for Windows

Update

As of version 0.9, the aircrack-ng suite natively supports the PTW attack. Download it here. To invoke the PTW attack in aircrack-ng, run it with the -z switch: aircrack-ng.exe -z mycapturefile.cap.

A French chap has compiled Aircrack-PTW for Windows. This is great for anyone using the AirPcap adapter to inject packets in Windows, as the new PTW attack dramatically reduces the number of packets you need to collect before attempting to crack the WEP key. Notice in the screenshot below, only 83,000 packets were needed to break a 128-bit key, as opposed to around 400,000 with the KoreK attack.

aircrack-ptw on Windows

The executable is in French but it’s still perfectly usable; all you’re looking for is the WEP key!

Just run it with:

aircrack-ptw.exe yourcapturefile.cap

When I get some time I’ll try to compile a version in English, but for now you can grab the French version: Download Aircrack-PTW for Windows.

I’m in the process of writing up and recording a demonstration of cracking WEP in Windows with AirPcap, Cain, and aircrack-ptw. Expect to see something within a week! Update: Check it out here

Cracking WEP with AirPcap and Cain and Abel

This video tutorial demonstrates how to crack WEP in Windows using AirPcap and Cain and Abel.

Preparation

You’ll need:

Note: It is possible to get this working by using the cheaper “Classic” AirPcap, in conjunction with the old 2.0 Beta Tx Drivers for AirPcap, to enable packet injection capability, but this is entirely unsupported, and is not guaranteed to work. YMMV.

Notes

  • To begin ARP injections, AirPcap must capture at least 1 ARP request from a system on the target AP. You can usually force this by sending a Deauth to a connected client.
  • Make sure you have over 250,000 IVs before attempting to crack the WEP key.
  • In my tests, the old AirPcap (silver-grey) appears to perform significantly faster than the new AirPcap (dark-grey). I think it’s about 10x faster.

The Video


Additional

Download the full resolution video (Thanks to TAz00 from the Oxid.it forums for the hosting!)

View the video on Youtube