Lab Spectrum Analyzer

Spectrum analyzers are a very important tool for anyone working in the wireless field. Getting one for your lab to get some hands-on experience with is invaluable. Unfortunately they can be very costly. Enter the Cisco 3502 series access point with Clean Air technology, available on E-Bay for less than $100. Utilizing the on-board spectrum chip we are able to turn this access point into a remote sensor for use with the Cisco Spectrum Expert software. This process also works for any of the Clean Air enabled access points.

While this functionality exists in both the lightweight & autonomous version of the access point, we are going to focus on setting this up in autonomous mode. You can easily convert from lightweight to autonomous, even without a controller, you will just need a copy of the autonomous image. An excellent write up on image conversion can be found at the following links http://mrncciew.com/2012/10/20/lightweight-to-autonomous-conversion/ & http://mrncciew.com/2013/12/13/ap-conversion-using-mode-button/.

My choice method is as follows, it seems to be the quickest & doesn't require holding down the mode button or re-configuring your computer. 

Console into the AP & login with the defaults. First we set the AP with a static IP & gateway pointing to itself. This seems to get the AP hung up on "Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)" allowing us to download the image before it forces DHCP renew which would disconnect us from the tftp.

AP1cdf.0f94.f201> AP1cdf.0f94.f201>en Password: Cisco (default) AP1cdf.0f94.f201# AP1cdf.0f94.f201#capwap ap ip address 172.16.0.250 255.255.255.0 AP1cdf.0f94.f201#capwap ap ip default-gateway 172.16.0.250

This debug command gets us into a mode that allows us to use the archive command, which we use to download an autonomous image over tftp.

AP1cdf.0f94.f201#debug capwap console cli AP1cdf.0f94.f201#archive download-sw /overwrite /force-reload tftp://172.16.0.3/ap3g1-k9w7-tar.153-3.JC.tar

After this the AP will reboot & come back up as an autonomous AP. It takes very minimal configuration to get it ready for spectrum mode.

examining image... Loading ap3g1-k9w7-tar.153-3.JC.tar from 172.16.0.3 (via BVI1): ! extracting info (278 bytes) Image info: Version Suffix: k9w7-.153-3.JC Image Name: ap3g1-k9w7-mx.153-3.JC Version Directory: ap3g1-k9w7-mx.153-3.JC Ios Image Size: 8489472 Total Image Size: 10486272 Image Feature: WIRELESS LAN Image Family: AP3G1 Wireless Switch Management Version: 8.2.100.0 MwarVersion:08026400.First AP Supported Version:07000000. Image version check passed Extracting files... <ommitted> [OK - 10526720 bytes] Deleting current version: flash:/ap3g1-rcvk9w8-mx... Set booting path to recovery image: 'flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx'... done. New software image installed in flash:/ap3g1-k9w7-mx.153-3.JC Configuring system to use new image.. Writing out the event log to flash:/event.log ... .done. Requested system reload in progress... archive download: takes 144 seconds Write of event.log done

Login to the device using the defaults & set a hostname, this step is optional.

ap>en Password: Cisco (default) ap#conf t ap(config)#hostname SE1

Enable the 2.4Ghz radio for spectrum operation & enable the radio.

SE1(config)#int dot11r0 SE1(config-if)#station-role spectrum SE1(config-if)#no shut

Enable the 5Ghz radio for spectrum operation & enable the radio.

SE1(config-if)#int dot11r1 SE1(config-if)#station-role spectrum SE1(config-if)#no shut SE1(config-if)#end

Take note of the NSI key from the output of show spectrum status, this will be needed when configuring Cisco Spectrum Expert. Also be aware that this value changes on reboot.

SE1#show spectrum status Spectrum FW status slot 0: version: 1.15.4 status: up, crashes 0, resets 0 load: 75.50 61.50 63.00 59.50 NSI Key: B7AE153050EC2C4C95E2965DDA02DFBE NSI: configured reg_wdog: 2 0 0 dfs_wdog: 2 dfs_freq: 0 Spectrum FW status slot 1: version: 1.15.4 status: up, crashes 0, resets 0 load: 23.75 21.75 22.00 21.75 NSI Key: B7AE153050EC2C4C95E2965DDA02DFBE NSI: configured reg_wdog: 0 0 0 dfs_wdog: 0 dfs_freq: 0 SE1#

Now that the AP is setup we'll need a copy of Cisco Spectrum Expert. This is available on Cisco's software site. Once downloaded run the installer & accept the defaults.

When you first load it up a box will pop up. This is where you enter the IP address of your remote sensor, the NSI key & the band you want to look at.

Click OK to be presented with loads of spectrum goodness

If you'd like to look at both bands simultaneously then you can just load up another instance of the software & point it to the other band instead.

Giving you even more spectrum goodness.

Now that you have an inexpensive spectrum analyzer for your home lab you can start learning about layer 1 with hands-on experience. While this solution is great for the lab it lacks in portability. For a more robust & easier to carry solution check out offerings from AirMagnet & Metageek.

WiFi Book Club Q1 2016

Welcome to the second edition of the WiFi Book Club! A series dedicated to getting the WLAN community reading & discussing the many books out there related to wireless. The goal is to read a book as part of the club once per quarter.

During the first month of a quarter I'll post a poll with a list of books to vote on. At the end of that month the votes will be tallied & the next book posted. A review & discussion of the current book will follow. Recommendations for books can be made via email, twitter, comments or carrier pigeon. While reading the book use the hashtag #WiFiBookClub to discuss on twitter. Authoring a book report is also a great way to get your creative juices flowing & add content to your blog.


Without further ado I present the next book up for review, Next Generation Wireless LANs.

"If you've been searching for a way to get up to speed on IEEE 802.11n and 802.11ac WLAN standards without having to wade through the entire specification, then look no further. This comprehensive overview describes the underlying principles, implementation details and key enhancing features of 802.11n and 802.11ac. For many of these features the authors outline the motivation and history behind their adoption into the standard. A detailed discussion of key throughput, robustness, and reliability enhancing features (such as MIMO, multi-user MIMO, 40/80/160 MHz channels, transmit beamforming and packet aggregation) is given, plus clear summaries of issues surrounding legacy interoperability and coexistence. Now updated and significantly revised, this 2nd edition contains new material on 802.11ac throughput, including revised chapters on MAC and interoperability, plus new chapters on 802.11ac PHY and multi-user MIMO. An ideal reference for designers of WLAN equipment, network managers, and researchers in the field of wireless communications."

Now to the part you've all been waiting for, the unboxing! Or maybe not. My order of the physical book was lost in transit, so I've gone the eBook route this time.

Opening the book gives you a nice About This Book popup.

Obligatory cover picture.

I've found the physical copy of this book on sale for a good bit cheaper than Amazon, notably at Abebooks. As always, do your research before purchase to make sure you are getting not only a good deal but the actual item you are looking for.

I'm really looking forward to reading this book & sharing in the discussion with everyone. Don't forget to send me your recommendations for future WiFi Book Club reads.

Building out ESXi for the CCIE Wireless V3

One of the more important components of a home lab is the ability to virtualize. Having one box that can perform the role of many is very handy, not to mention the ability to very quickly spin up a needed service. For a CCIE Wireless home lab we can virtualize our instances of Prime, MSE, ISE, Windows server & as many client machines as needed. I was fortunate to pick up an HP DL380 G6 with two Intel Xeon L5520s, 72GB of ram & 2.4TB raw storage for my ESXi server. I also purchased a SanDisk 16GB USB flash drive to serve as my boot drive.

I decided to go with ESXi 5.5 for my build out as this is the officially supported version for most of the Cisco virtual appliances. While searching for documentation concerning this I came across a link to get a perpetually licensed ESXi 5.5 installation for lab use, https://my.vmware.com/web/vmware/evalcenter?p=free-esxi5&lp=default. Visit the link, register an account if needed & obtain the license key. Now we can manually download ESXi 5.5 Update 2d ISO image (Includes VMware Tools) & Download VMware vSphere Client 5.5 Update 2. I opted to not get VCenter as this is a single ESXi host & I didn't feel any of the features were needed for a simple wireless lab.

Although installing ESXi to boot from USB is pretty straight forward there are some gotchas. For creation of a bootable USB flash drive I used a tool called Rufus. Insert a USB drive, >4GB in size, into the PC & load Rufus. 

Change the source to iso & select the ESXi 5.5 iso, then click start.

On this error message click Yes to continue.

Click OK to this warning message. If a read error appears just click retry.

Once Rufus finishes writing to the USB drive it can be removed & inserted into the server. Set the server to boot from USB per manufacturer instructions. 

Seeing this screen is good news!

Accept the EULA

Select the installation USB drive, this works because the installation files are loaded into memory.

Select OK here to overwrite

Select keyboard & set root password. Then press F11 to install.

Yay! Press enter to reboot.

Following the reboot this is the screen we want. Picture taken before memory upgrade to 72GB.

Press F2 to Customize System. Login with the root password we previously set.

Now we can configure the management network allowing us to manage the box with vSphere.

Install VMware vSphere Client 5.5 Update 2, taking the defaults, & connect to the ESXi host.

Install & ignore the certificate warning.

Say OK to the evaluation warning.

Click on inventory, ESXi host, licensed features & then edit.

Enter the license key obtained from VMWare & click OK.

Now we can finish tweaking the ESXi installation & start deploying VMs. Make sure to at least setup storage & date/time. To obtain a copy of Cisco Prime Infrastructure 2.2 & Mobility Services Engine 8.0 visit the following link Cisco Promotional Software Store & login with a CCO account. This will allow us to download the Prime Express ova & the MSE standard ova, with a default username/password of root/password for the MSE. The downloaded files will not have an extension, change that to .rar & extract the ova. See CPI 2.2 NFR License for instruction regarding a 365 day Prime license. I have yet to find a promotional download for ISE but with a valid contract an ISE eval ova is able to downloaded from Cisco software center.

For the windows server we can download Windows 2008 R2 iso from Microsoft with 180 day eval, vist Official Microsoft Download Center. Go to the Windows Edition Comparison Guide for help choosing the version that has the features required for your lab. For the windows client we can download a legit iso from Microsoft, with a valid license key, but this doesn't always work. You may have to go searching for a mirror to get a working iso. As a note, with Windows 7 you can convert any iso to all in one media, instructions for doing so at How to Choose Desired Windows 7 Edition / Version During Setup?.

Current virtual environment showing hard drive, memory & cpu requirements.

Having a client with a wireless connection makes testing the lab scenarios much easier. Relying on a laptop to do this might be cost prohibitive especially when we can add wireless to a VM. To do this in ESXi we first need to create the client. Once created right click the VM, select edit settings & click Add Hardware.

Select USB Controller & click Next

Take the default & click Next then finish.

Now select USB Device & click next.

Select the USB wireless device & click next then finish.

Following these steps the wireless USB NIC should show up in the guest operating system allowing it to function as the wireless client for testing purposes. It should be noted that, by trial & error, I've found devices using RALINK chipsets to have greater reliability. I've been unable to get Atheros based devices to work with USB passthrough. There is very little documentation available on this, no guarantees that your USB wireless device will work. I'll update this section once I've found a device I'm happy with.

On my journey to the CCIE Wireless I'll be utilizing the materials provided by IPexpert & attempting to mimic their rack rental topology. An overview of the hardware list & topology is available at CCIE Wireless (v3) Rack Rental

IPexpert Topology.

WiFi Book Club Q4 2015

Welcome to the first edition of the WiFi Book Club! A series dedicated to getting the WLAN community reading & discussing the many books out there related to wireless. The goal is to read a book as part of the club once per quarter.

About one month before the end of each quarter I'll post a poll with a list of books to vote on. At the end of the quarter the votes will be tallied & the next book posted along with a review & discussion of the current book. Recommendations for books can be made via email, twitter, comments or carrier pigeon. While reading the book use the hashtag #WiFiBookClub to discuss on twitter.  In the interest of getting this off the ground quickly, I decided to fast forward the process & skip the voting for the first book. 


Without further ado I present the first book up for review, Hacking Wireless Exposed, Third Edition.

"Exploit and defend against the latest wireless network attacks

Learn to exploit weaknesses in wireless network environments using the innovative techniques in this thoroughly updated guide. Inside, you’ll find concise technical overviews, the latest attack methods, and ready-to-deploy countermeasures. Find out how to leverage wireless eavesdropping, break encryption systems, deliver remote exploits, and manipulate 802.11 clients, and learn how attackers impersonate cellular networks. Hacking Exposed Wireless, Third Edition features expert coverage of ever-expanding threats that affect leading-edge technologies, including Bluetooth Low Energy, Software Defined Radio (SDR), ZigBee, and Z-Wave.

• Assemble a wireless attack toolkit and master the hacker’s weapons
• Effectively scan and enumerate WiFi networks and client devices
• Leverage advanced wireless attack tools, including Wifite, Scapy, Pyrit, Metasploit, KillerBee, and the Aircrack-ng suite
• Develop and launch client-side attacks using Ettercap and the WiFi Pineapple
• Hack cellular networks with Airprobe, Kraken, Pytacle, and YateBTS
• Exploit holes in WPA and WPA2 personal and enterprise security schemes
• Leverage rogue hotspots to deliver remote access software through fraudulent software updates
• Eavesdrop on Bluetooth Classic and Bluetooth Low Energy traffic
• Capture and evaluate proprietary wireless technology with Software Defined Radio tools
• Explore vulnerabilities in ZigBee and Z-Wave-connected smart homes and offices
• Attack remote wireless networks using compromised Windows systems and built-in tools"

Now to the part you've all been waiting for, the unboxing!

If you purchase the paperback from Amazon it may arrive in a package similar to the above or it may not. The eBook version comes packaged in magic, so I was unable to obtain a photo.

After opening the package you will find the book inside & that's it.

I'm really looking forward to reading this book & sharing in the discussion with everyone. Don't forget to send me your recommendations for future WiFi Book Club reads.