War Room

Shells from above

RSM logo

Home > Events > Recreation > CYA: Cover Your Alfa (Part I)

CYA: Cover Your Alfa (Part I)

By

Those interested in performing this or a similar modification will need at least the following supplies and equipment:

  • A soldering iron with solder and the appropriate cleaning supplies (sponge, tip cleaner)
  • A desoldering pump (“solder sucker”)
  • Wire strippers
  • Heat shrink tubing
  • Epoxy
  • Cable with a standard USB type A female interface
  • Cable with a mini-USB type B male interface
  • Wi-Fi card and Antenna of choice
  • HDD enclosure or similar case

Estimated time for the project is 3 – 5 hours depending on experience.

Part I: Concealment

For security professionals conducting wireless assessments or wireless penetration tests, the Alfa series of USB Wi-Fi cards are popular tools.  They have earned a good reputation due to their transmit power, receive sensitivity, compatibility with the aircrack-ng suite (specifically their ability to be put into monitor mode and inject packets) and reasonable cost.

Among the Alfa cards the AWUS036H is a popular 802.11b/g model that comes well-recommended on the aircrack-ng website. The bulk of this post focuses on the Alfa AWUS036H  because many readers interested in this content may already have one. However, the general idea certainly applies to any USB wireless card.

When it comes to wireless assessments, OPSEC-savvy operators can easily conceal their card’s on a network with tools like macchanger. However, certain scenarios, such as conducting close-target reconnaissance or red-team engagements, may require that security professionals disguise the physical presence of their card. This can be a little trickier.

In an effort to present one possible solution, I’ll disassemble my off-the-shelf AWUS036H and place it in a Sabrent 2.5” IDE HDD enclosure that I happen to have around. The Alfa card and its antenna will be placed inside the enclosure, and it will connect to my PC via USB as always. This will allow me to sit in the open or move about with ease without a shiny silver card and antenna drawing any unnecessary attention, especially from those familiar with the Alfa cards’ reputation as a hacking tool.

Other, potentially more useful applications of repackaging your wireless card would be to conceal it within a device left-behind somewhere to gather data, or weatherproof it by placing it in a water-tight container where it could be a remote sensor for something like snoopy. However, since I don’t have a mission-specific need to fulfill at the moment, I’ll use what I have on-hand to introduce the idea.

I’ll also do some rudimentary testing of the card before, during, and after the modification to see how I’ve affected it. The testing proceedure and its results are covered in Part II of this post.

Exposing the Alfa PCB is simply a matter of depressing the two tabs on the rear of the plastic housing and separating the front and back pieces.

alfa1

The AWUS036H takes up the whole inner area of the housing. Other ALFA cards, depending on the chipsets they use, are smaller.

 

 

alfa2

Notice also that the PCB has stickers on it labeled with its MAC address and serial number.  In the picture to the right, the four solder points that make a square are anchoring the RP-SMA antenna interface to the PCB.  The center solder-point is where the antenna lead connects to the transceiver.

 

With some persistent but gentle prying and wiggling I was able to pop the USB-to-2.5” IDE PCB out of the lid of the HDD enclosure, removing all the stock components and leaving more room for my Alfa and antenna. However, I’ll still need to make two significant modifications to fit my Alfa within this specific enclosure. The first, and most difficult, is to de-solder the RP-SMA interface from the Alfa PCB and solder the antenna lead directly to the board. As a side note, replacing the RP-SMA interface with an antenna lead or different interface (perhaps an N-type pigtail) would be a useful modification for someone to make if they wanted to change their antenna type without using multiple connectors and adapters on their card. Using adapters and connectors does result in loss, but it is generally low unless the connectors are poor quality, or many are daisy-chained together.

The second modification is to adapt the male mini-USB type B to a standard female USB type A so that the HDD enclosure can be plugged in as normal. To do this I’ll simply butcher two cables I have, which will be much easier than making any modifications directly to the Alfa PCB.

There’s enough already on the internet about soldering techniques and USB pin-outs so I won’t replicate that information here.

To fit an antenna within the enclosure I’ll have to use one shorter than the 5dBi antenna that comes with the AWUS036H. I’ll use a 4dBi antenna that comes with the TP-Link TL-WN722N and fits snugly in the Sabrent enclosure. However, since I had to remove the Alfa’s RP-SMA adapter, I’ll also remove the bottom of the antenna so that the lead can be soldered directly to the Alfa PCB. After removing the antenna base, it looks like this:

alfa3

 

 

 

 

So to recap, the steps for this specific modication were:

  1. De-solder the RP-SMA interface from AWUS036H PCB
  2. Remove the base of the antenna, exposing the lead.
  3. Solder the lead to the AWUS036H PCB
  4. Create a male mini-USB type B to female USB type A

alfa4

Here are the assembled components after I made the changes. I ended up having to jump the antenna lead to the PCB so that the antenna could be next to, instead of on top of, the Alfa PCB. Other than placing the whole antenna and transceiver in a metal box, which is not generally recommened to improve reception, I believe jumping the antenna to the PCB accounts for most of the signal and quality loss experienced.

 

I cleaned up that link and the homemade USB cable with some heat-shrink tubing. The cable ended up being longer than necessary, but flexible enough to fit. I secured my solder joints with some epoxy, which could still be peeled off the board should I want to make changes later. I used the same mediocre epoxy to secure the female USB interface to the inside of the enclosure lid, so it’s adequatetly secure but not permanent. So the whole modification, though not easily reversed, is not permanent for either the Alfa or the enclosure.

Once assembled in the enclosure, the card operates fine, but with some quality and signal loss, as one would expect. It’s worth pointing out that in the basic tests I did, it still performed better than the thumbnail Wi-Fi adapters I have, while of course retaining its ability to be placed into monitor mode and inject packets.

I completed this project with materials I had on hand to illustrate the possibility of physically concealing a bulky wireless card in order to arouse less suspicion. However, with an ever-increasing number of tiny computers and peripherals, the possibilities are essentially endless: a remote weatherproof device that collects data and reports it via the mobile network, or an innocuous device in an office environment that stores data until interrogated and retrieved by its owner. All you have to do is be willing to experiment, and perhaps lose a device or two in the process. I’ve been lucky so far.

Remember to check out Part II for specifics on how the modification affected the card’s RF capabilities. Thanks for reading.