VI. Attacking 802.11n Networks
Note: It is highly recommended to read VII. Hardware Modes prior to this section. Note: at the moment, EAPHammer does not support DSSS. This section is written with the implicit understanding that OFDM is being used. If you don't know what any of this means, that's totally fine. I just added this note to save myself time answering nitpicky Github issues.
This section describes how to use EAPHammer to attack networks that use 802.11n. Since attacking these networks effectively requires a basic understanding of 802.11n concepts such as MIMO and channel bonding, it's probably a good idea to give yourself a crash course on 802.11n by reading this short article (or similar):
There are more in-depth tutorials on 802.11n out there, but the one referenced above will get you by. If you're already familiar with 802.11n, feel free to skip it.
To perform a basic rogue AP attack using 802.11n, use the --hw-mode n flag as shown below:
./eaphammer -i wlan0 --essid lulz0rz --hw-mode n --channel 1
This will spawn a rogue access point that uses 802.11n with a 20MHz channel width. The actual hardware mode used by the rogue AP will automatically be set to one of the following values:
- a - Used when you select a 2.4GHz channel
- g - Used when you select a 5GHz channel
The --channel-width flag is used to manually specify the access point's channel width when 802.11n mode is enabled. The access point's channel width can be set to either 20MHz or 40MHz, as shown in the next two examples.
To create a rogue 802.11n AP with a 20MHz channel width:
./eaphammer -i wlan0 --essid lulz0rz --hw-mode n --channel 1 --channel-width 20
To create a rogue 802.11n AP with a 40MHz channel width:
./eaphammer -i wlan0 --essid lulz0rz --hw-mode n --channel 1 --channel-width 40
If 802.11n mode is enabled and the --channel-width flag is not used, eaphammer will create a rogue AP with a default 20MHz channel width.
Note: this is an Advanced Usage section. The command line options demonstrated in this section can be revealed using eaphammer's advanced help module: ./eaphammer -hh
As we described in VI.1 - 802.11n Basics - Creating Rogue APs with 20MHz Channel Widths, access points with a channel width greater than 20MHz are created using a process known as Channel Bonding. Simply put: Channel Bonding is the process of combining two adjacent 20MHz channels to create a single channel that is 40MHz wide. This allows for greater throughput. The two 20MHz channels are referred to as the primary and secondary channel, respectively.
The primary channel is specified using the --channel flag. The secondary channel is automatically calculated at a 20MHz offset from the primary channel.
You can use the --ht40 flag to manually place the secondary channel either above or below the primary channel on the frequency spectrum.
# secondary channel above primary channel
./eaphammer -e spikeyfruit -i wlan0 -c 1 --hw-mode n --ht40 plus
# secondary channel below primary channel
./eaphammer -e spikeyfruit -i wlan0 -c 6 --hw-mode n --ht40 minus
The primary and secondary channel that you choose must combine to create a valid 40MHz channel. For example, the following command will fail because the resulting 40MHz channel would fall below the 2.4GHz spectrum:
# this will not work: can't have a secondary channel less than 1
./eaphammer -e oops --hw-mode n --channel 1 --channel-width 40 --ht40 minus
To make things easier, you can let eaphammer choose a valid secondary channel for you. This is done either by using --ht40 auto or by omitting the --ht40 flag completely:
# automatically selects a valid secondary channel
./eaphammer -e easyPeasy --hw-mode n --channel 1 --channel-width 40 --ht40 auto
# also automatically selects a valid secondary channel (with less typing)
./eaphammer -e ezpz --hw-mode n --channel 1 --channel-width 40
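The primary/secondary channel rules above are simple enough to check in code, which is handy both before bringing up an AP and when sanity-checking the HT Operation values a wireless IDS reports for an unknown 40MHz AP. The block below is an added example written for this page, not code from EAPHammer: it computes the secondary channel for --ht40 plus/minus, rejects combinations whose secondary channel would fall outside the 2.4GHz band (as the failing --ht40 minus command on channel 1 does), and models an "auto" policy. The auto policy (try plus first, then minus) and the function names are assumptions of the example, not a description of how eaphammer's --ht40 auto actually chooses.

```python
"""Channel-bonding sanity checker for 2.4 GHz 802.11n (HT40) access points.

Added example for this page, not EAPHammer code. It only enforces the
band edges described in the text (secondary channel must be a 2.4 GHz
OFDM channel); it does not model regulatory-domain rules, which further
restrict which HT40+/HT40- combinations a real hostapd/driver will allow.
"""

# 2.4 GHz OFDM/HT channels 1-13 are spaced 5 MHz apart, so a 20 MHz
# secondary channel sits 4 channel numbers above or below the primary.
CHANNEL_SPACING_MHZ = 5
SECONDARY_OFFSET = 20 // CHANNEL_SPACING_MHZ        # 4 channel numbers
VALID_2G4_CHANNELS = range(1, 14)                   # 1..13; 14 is DSSS-only, excluded


def center_freq_mhz(channel: int) -> int:
    """Center frequency of a 20 MHz 2.4 GHz channel (valid for 1-13)."""
    if channel not in VALID_2G4_CHANNELS:
        raise ValueError(f"channel {channel} is not a 2.4 GHz OFDM channel")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def secondary_channel(primary: int, ht40: str) -> int:
    """Secondary channel for --ht40 plus/minus; raises ValueError when the
    resulting 40 MHz channel would leave the 2.4 GHz band."""
    if primary not in VALID_2G4_CHANNELS:
        raise ValueError(f"primary channel {primary} is not a 2.4 GHz OFDM channel")
    if ht40 == "plus":
        secondary = primary + SECONDARY_OFFSET
    elif ht40 == "minus":
        secondary = primary - SECONDARY_OFFSET
    else:
        raise ValueError(f"ht40 must be 'plus' or 'minus', got {ht40!r}")
    if secondary not in VALID_2G4_CHANNELS:
        raise ValueError(
            f"primary channel {primary} with ht40 {ht40} needs secondary "
            f"channel {secondary}, which is outside the 2.4 GHz band")
    return secondary


def bonded_channel(primary: int, ht40: str) -> dict:
    """Describe the 40 MHz channel: both 20 MHz halves and the 40 MHz center."""
    secondary = secondary_channel(primary, ht40)
    f_primary = center_freq_mhz(primary)
    f_secondary = center_freq_mhz(secondary)
    return {
        "primary": primary,
        "secondary": secondary,
        "ht40": ht40,
        # The 40 MHz channel is centred halfway between its two 20 MHz halves.
        "center_freq_mhz": (f_primary + f_secondary) // 2,
        "width_mhz": 40,
    }


def auto_ht40(primary: int) -> str:
    """Assumed 'auto' policy for this example: try 'plus' first, then 'minus'."""
    for direction in ("plus", "minus"):
        try:
            secondary_channel(primary, direction)
            return direction
        except ValueError:
            continue
    raise ValueError(f"no valid 40 MHz channel for primary channel {primary}")


def check_request(primary: int, ht40: str = "auto") -> dict:
    """Validate a --channel / --ht40 combination and return the bonded channel,
    or raise ValueError explaining why the combination is invalid."""
    if ht40 == "auto":
        ht40 = auto_ht40(primary)
    return bonded_channel(primary, ht40)


if __name__ == "__main__":
    # Constructed requests mirroring the commands shown in this section.
    for primary, ht40 in ((1, "plus"), (6, "minus"), (1, "auto"), (1, "minus")):
        try:
            print(check_request(primary, ht40))
        except ValueError as err:
            print(f"rejected: {err}")
```

Running the block prints the bonded channel for the three valid requests and a rejection for channel 1 with ht40 minus, whose secondary channel would be -3. Because the example only checks band edges, a combination it accepts can still be refused by hostapd under the active regulatory domain; treat it as a first filter, not the final word.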
There is a more complete list of 802.11n options intended for advanced users that offers more granular control over eaphammer. To see them, as well as brief descriptions of what they do, use the -hh flag as shown in the following command:
./eaphammer -hh
Note that if you plan on using these advanced options, you should also read the XV.-Advanced-Granular-Controls section of this document.