aircrack documentation

Table of contents

General questions

Linux questions

Windows questions

Special thanks to

General questions

What is aircrack ?

aircrack is an 802.11 WEP key cracker. It implements the so-called Fluhrer - Mantin - Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. When enough encrypted packets have been gathered, aircrack can almost instantly recover the WEP key.

How does aircrack work ?

Every WEP encrypted packet has an associated 3-byte initialization vector (IV). Some IVs leak information about a certain byte of the key, thus statistically the correct key emerges when a sufficient number of IVs have been collected.

When will aircrack 2.2 be released ?

Probably in 2005.

How many packets are needed to recover a WEP key ?

It really depends on your luck and the key size. For 40-bit WEP keys, ~150,000 unique IVs are usually enough. For 104-bit WEP keys, around 500k - 1M unique IVs will be required.

Your website (www.cr0.net) is down !

No it's not. However it is likely your http proxy blocks connections to port 8040. If that's the case, use this first aircrack mirror, or mirror 2 (thanks WirelessCon), or this third mirror ( zip, tgz - thanks Security Wireless).

The sniffer I use seems unable to capture any IVs !

Obviously, you won't be able to capture encrypted data packets if there is no wireless traffic... Make sure your wireless card is compatible with the wlan: don't bother trying to crack an 11g-only network if all you have is an 11b card ;-)

If you're too far from the Access Point you'll only see the (unencrypted) beacon frames, which are sent at the lowest speed (1 Mbps) - but you won't be able to capture traffic at higher speeds. In this case, using a directional antenna with a strong gain may help.

I've got this huge pcap file but aircrack doesn't find any IVs in it ?!

IVs captured from a WPA-protected wireless LAN are useless for WEP cracking, and aircrack will automatically skip them. Also, you may want to specify the MAC address of the Access Point you're attempting to crack; in case of 802.1X (per-client WEP keys) you should rather specify the MAC address of one connected client.
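As an added example (not code from the aircrack distribution), here is a small Python reader that does what airodump's unique-IV counter does on a raw 802.11 pcap: it counts distinct WEP IVs per BSSID and skips frames whose Extended IV bit marks them as TKIP/CCMP, which is why WPA traffic contributes nothing to a WEP key recovery. The frames and the pcap wrapper are constructed inline for the demonstration; the same reader also serves as a quick audit of whether a capture still contains WEP traffic at all.

```python
import struct
from collections import defaultdict

DLT_IEEE802_11 = 105  # libpcap link type for raw 802.11 frames (what airodump writes)

def wep_frame(bssid, client, iv, from_ap=True, ext_iv=False):
    """Constructed sample frame: 24-byte data header, 4-byte IV/KeyID field, dummy body."""
    flags = 0x42 if from_ap else 0x41                  # Protected bit + FromDS or ToDS
    addr1, addr2 = (client, bssid) if from_ap else (bssid, client)
    hdr = struct.pack("<BBH", 0x08, flags, 0) + addr1 + addr2 + bssid + b"\x00\x00"
    key_id = 0x20 if ext_iv else 0x00                  # Extended IV bit => TKIP/CCMP, not WEP
    return hdr + iv + bytes([key_id]) + b"\x00" * 40   # dummy encrypted payload + ICV

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (constructed sample capture)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def iter_frames(pcap):
    """Yield raw frames from a libpcap file, accepting either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != DLT_IEEE802_11:
        raise ValueError("not a raw 802.11 capture")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def count_unique_ivs(pcap):
    """Return {bssid: number of distinct WEP IVs}; WPA (TKIP/CCMP) frames are skipped."""
    ivs = defaultdict(set)
    for f in iter_frames(pcap):
        # Keep only data frames with the Protected bit set that are not 4-address WDS frames.
        if len(f) < 24 or (f[0] & 0x0C) != 0x08 or not (f[1] & 0x40) or (f[1] & 0x03) == 3:
            continue
        bssid = {0: f[16:22], 1: f[4:10], 2: f[10:16]}[f[1] & 0x03]   # by ToDS/FromDS bits
        hdr_len = 26 if f[0] & 0x80 else 24            # QoS data adds a 2-byte QoS field
        if len(f) < hdr_len + 8 or f[hdr_len + 3] & 0x20:   # Extended IV => not WEP, skip
            continue
        ivs[bssid.hex(":")].add(f[hdr_len:hdr_len + 3])
    return {b: len(s) for b, s in ivs.items()}
```

Feed a real airodump capture with count_unique_ivs(open("wlan.pcap", "rb").read()); duplicate IVs are counted once, exactly as the "unique IVs" figure above is.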

I've got x million IVs but aircrack doesn't find the key.

WEP cracking is not an exact science. Sometimes luck is on your side, and sometimes not. By gathering as many encrypted packets as possible, you'll greatly increase your chances of finding the key; raising the fudge factor might help, too (especially in case of a 40-bit WEP key).

If the WEP key was changed in the middle of the sniffing session, then it's very likely that aircrack won't be able to recover it, as the statistics will be mixed up. In this case you must start a new pcap file from scratch.

How do I know when aircrack finds the key ?

Your screen will look like:
                                 aircrack 2.1

   * Got  286716! unique IVs | fudge factor = 2
   * Elapsed time [00:00:03] | tried 1 keys at 20 k/m

   KB    depth   votes
    0    0/  1   DA(  60) 70(  23) 55(  15) A2(   5) CD(   5) 3E(   4)
    1    0/  2   BD(  57) 2A(  32) 29(  22) 1D(  13) F9(  13) 9F(  12)
    2    0/  1   8C(  51) 67(  23) 48(  15) DD(  15) D6(  13) FA(  12)
    3    0/  3   1D(  30) A5(  17) 07(  15) 7B(  12) 4B(  10) 63(  10)
    4    0/  1   43(  66) B1(  15) D2(   6) 1A(   5) 20(   5) 21(   5)
    5    0/  5   92(  27) 23(  25) 02(  18) 2F(  17) C1(  16) 36(  12)
    6    0/  1   C6(  51) 54(  17) 50(  15) 66(  15) 01(  13) 4A(  13)
    7    0/  2   84(  29) C0(  17) EE(  13) 80(  12) 49(  11) F6(  11)
    8    0/  1   81(1808) 09( 119) 99( 116) 32(  75) 49(  75) 9D(  65)
    9    0/  1   C4(1947) E1( 125) FC( 123) BD( 105) 8C(  98) 2F(  85)
   10    0/  1   8A( 580) 41( 120) 18(  93) ED(  85) B0(  65) 97(  60)
   11    0/  1   08(  97) FF(  29) 5D(  20) 1E(  17) 18(  15) 5E(  15)
   12    0/  1   1B( 145) DD(  21) 46(  20) 1C(  15) 76(  15) 07(  13)

                 KEY FOUND! [ DABD8C1D4392C68481C48A081B ]


Linux questions

How do I capture packets ?

First of all, you have to put the wireless interface in monitoring mode; for example, if you have a Prism2 card and use linux-wlan-ng:

# wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable
# wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=<AP channel>

# ifconfig wlan0 up
# airodump wlan0 wlan.pcap

Alternatively, if your driver is compatible with the wireless tools:

# iwconfig wlan0 mode Monitor
# iwconfig wlan0 channel <AP channel>
# iwpriv wlan0 monitor_type 1 (hostap only)
# ifconfig wlan0 up
# airodump wlan0 wlan.pcap

However, if you use a patched version of the Orinoco driver you must issue this command:

# iwpriv eth0 monitor 1 <AP channel>

I'd recommend you use airodump instead of tcpdump, because it can handle large (> 2 GB) capture files, and displays more meaningful information about each AP (ESSID, total number of unique IVs ...).

Note that you can run both airodump and Kismet at the same time, but in this case it is suggested to lock channel hopping ('L' in Kismet). For wardriving purposes, I've included a shell script (hopper.sh) you can use to hop between 11b/11g channels.

How can I run aircrack in the background ?

For this purpose, you may use the "screen" program.

  • Starting a new session: screen -t title
  • Detaching a session: Ctrl-a <release> d
  • Reattaching a session: screen -r

There's not enough wireless traffic, what can I do ?

If you control a host inside the wlan, you may start a ping flood with ping -f.

Otherwise, you can launch a replay attack based on arp-request packets. Although we cannot say for sure that a packet is one of those (since the data is encrypted), such packets have a fixed length and can be spotted easily. By resending these packets again and again, the other host will respond with encrypted replies thus providing new and possibly weak IVs.

First of all, you have to sniff long enough to get some potential arp-request packets. Then you'll need two Prism2 wireless cards: card #0 will resend the packets over the air, and card #1 will monitor the encrypted replies. These cards' antennas must be at least 50cm away from each other!

If you are far from the Access Point, I suggest you use two strong directional antennas and wireless cards with a high sensitivity & output power; otherwise you'll mostly see the very packets that you're resending.

We are going to use HostAP's wlan0ap interface in Master mode on the same channel as the legitimate AP we're trying to crack (thanks to the guy who wrote airpwn for this tip).

Addendum 2005-03-20: the current aireplay beta now supports single-NIC injection/monitor on prism2 (wlan-ng), atheros (madwifi) and prism54. It also implements KoreK's chopchop attack and arp-request forgery. Available here: aireplay-2.2 beta.

  • Step 0: patch and recompile HostAP

    # wget http://hostap.epitest.fi/releases/hostap-driver-0.2.4.tar.gz
    # tar -xvzf hostap-driver-0.2.4.tar.gz
    # cd hostap-driver-0.2.4
    # patch -Np1 -i ../aircrack-2.1/rawsend.patch
    # make && make install
    # /etc/init.d/pcmcia restart
    

  • Step 1: monitor the wireless lan for arp-requests

    See the question "How do I capture packets ?" above.

  • Step 2: Start the attack

    # iwpriv wlan0 hostapd 1
    # iwpriv wlan0ap host_encrypt 1
    # iwpriv wlan0ap host_decrypt 1
    # iwconfig wlan0ap retry 1
    # iwconfig wlan0ap mode Master
    # iwconfig wlan0ap key 01:02:04:08:10
    # iwconfig wlan0ap channel <AP channel>
    # ifconfig wlan0 hw ether <some random MAC>
    # ifconfig wlan0ap up
    # aireplay wlan0ap replay.pcap
    

    If aireplay says it has 0 potential arp-requests, you must go back to step 1.

    # iwconfig wlan1 mode Monitor
    # iwconfig wlan1 channel <AP channel>
    # ifconfig wlan1 up
    # airodump wlan1 replies.pcap
    

Windows questions

Which cards are supported under Windows ?

FULLY SUPPORTED:   Orinoco (Hermes), Atheros, Realtek 8180
MOSTLY SUPPORTED:  Symbol24, Prism 2 / 2.5, Cisco Aironet
NOT SUPPORTED:     USB adapters, Prism54 (GT), Broadcom, TI, Centrino

How do I know which chipset my card has ?

Have a look at:

http://www.linux-wlan.org/docs/wlan_adapters.html.gz

A Google search (like, "wpc54g+chipset") may also help.

Is it necessary to install a specific driver ?

Yes.

Are additional files required to run airodump ?

Yes. You'll need PEEK.DLL and PEEK5.SYS from AiroPeek. PEEK.DLL itself depends on MSVCR70.DLL - search Google for "index +of msvcr70" (without the quotes ;-). All these files should be put in the same directory as airodump.exe.

Where can I download the PEEK files ?

Thanks to Michigan Wireless, you can download in their tools section the peek driver.

What is the problem with Aironet and Prism2 cards ?

The 802.11 header appears to be correct, but the encrypted data itself gets corrupted, probably because of the drivers. These cards can be used for wardriving purposes, but are useless for WEP cracking under Windows.

How do I force my Prism2 card to use the Agere driver ?

Open the hardware manager, select your card, "Update the driver", select "Install from a specific location", select "Don't search, I will choose the driver to install", click "Have disk", set the path to where the Agere drivers have been unzipped, uncheck "Show compatible hardware", and finally choose the "D-link Air DWL-660 Wireless PC Card" - answer yes to the warning message. If airodump doesn't appear to work with the D-link, maybe try with the "Samsung SEW-2001p Card".

When using the Agere driver, your Prism2 card can only be used in monitor mode - for some reason, the driver fails to work in managed mode.

How can I generate some wireless traffic ?

From a machine located inside the wireless lan, start an ICMP ping flood with a large number of pings and a timeout of 0. Leave the packet size at its default value (64), which is fine.

How do I recover my WEP key from XP's Wireless Zero Configuration tool ?

You can use the WZCOOK program included in the latest aircrack distribution. This is experimental software, so it may or may not work depending on your service pack level.

Does WZCOOK also recover WPA keys ?

WZCOOK will display the PMK (Pairwise Master Key), a 256-bit value which is the result of your passphrase hashed 4096 times together with the ESSID and the ESSID length. You can't recover the passphrase itself except by performing a bruteforce attack on the PMK. However, knowing the PMK is (in theory) enough to connect to a WPA-protected wireless network.
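The PMK derivation described above, as an added example (not part of WZCOOK or aircrack): the standard WPA-PSK computation is PBKDF2-HMAC-SHA1 with the passphrase as key, the ESSID as salt (its length being the salt length) and 4096 iterations, producing 256 bits. The second function writes the same loop out by hand so the 4096 rounds are visible; the check uses the published IEEE 802.11i test vector (passphrase "password", ESSID "IEEE").

```python
import hashlib
import hmac
import struct

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK PMK: PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa_pmk_by_hand(passphrase: str, ssid: str) -> bytes:
    """The same derivation spelled out: each 160-bit block is the XOR of 4096 chained
    HMAC-SHA1 outputs, and the ESSID enters as the salt of the first HMAC."""
    p, salt = passphrase.encode(), ssid.encode()
    out = b""
    for block in (1, 2):                      # 256 bits need two SHA-1 sized blocks
        u = hmac.new(p, salt + struct.pack(">I", block), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(4095):                 # 4096 HMAC rounds in total per block
            u = hmac.new(p, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
    return out[:32]                           # second block is truncated to 12 bytes

if __name__ == "__main__":
    # Test vector from IEEE 802.11i: passphrase "password", ESSID "IEEE".
    pmk = wpa_pmk("password", "IEEE")
    print(pmk.hex())  # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    assert pmk == wpa_pmk_by_hand("password", "IEEE")
```

Because the ESSID is the salt, the same passphrase yields a different PMK on every network name, and the 4096 rounds are what makes each guess against the PMK comparatively slow.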

Special thanks to:

  • Jouni Malinen for developing the hostap driver
  • Dag Wieers for producing RPM packages of aircrack
  • KoreK for sharing the code of his WEP attacks
  • Erik Winkler for his help in testing and debugging
  • aminal for helping me solve the check_wepkey bug
  • Konstantin Gavrilenko for sending me a copy of Wi-Foo
  • b0nk for his work on optimizing the aireplay attack
  • Joshua Wright for improving arp-requests detection
  • RaiD and Tubez for testing airodump with an Atheros
  • sylvain for his helpful feedback concerning aircrack
  • Alberto Koelie for testing airodump with his Realtek
  • Colin Stubbs for fixing a bug in the interaction code
  • Michigan Wireless and TheWatcher for mirroring aircrack
  • David Martínez Moreno for packaging aircrack on Debian
  • all the many people who took time to test airodump,
    aireplay and aircrack... you know who you are :-)