Quick jump to download aircrack
aircrack is a 802.11 WEP key cracker. It implements the so-called Fluhrer - Mantin - Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. When enough encrypted packets have been gathered, aircrack can almost instantly recover the WEP key. Every WEP encrypted packet has an associated 3-byte initialization vector (IV). Some IVs leak information about a certain byte of the key, thus statistically the correct key emerges when a sufficient number of IVs have been collected. When will aircrack 2.2 be released ? Probably in 2005. How many packets are needed to recover a WEP key ? It really depends on your luck and the key size. For 40-bit WEP keys, ~150.000 unique IVs are usually enough. For 104-bit WEP keys, around 500k - 1M unique IVs will be required. Your website (www.cr0.net) is down ! No it's not. However it is likely your http proxy blocks connections to port 8040. If that's the case, use this first aircrack mirror, or mirror 2 (thanks WirelessCon), or this third mirror ( zip, tgz - thanks Security Wireless). The sniffer I use seems unable to capture any IVs ! Obviously, you won't be able to capture encrypted data packets if there is no wireless traffic... Make sure your wireless card is compatible with the wlan: don't bother trying to crack an 11g-only network if all you have is an 11b card ;-) I've got this huge pcap file but aircrack doesn't find any IVs in it ?! IVs captured from a WPA-protected wireless LAN are useless for WEP cracking, and aircrack will automatically skip them. Also, you may want to specify the MAC address of the Access Point you're attempting to crack; in case of 802.1X (per-client WEP keys) you should rather specify the MAC address of one connected client. I've got x million IVs but aircrack doesn't find the key. WEP cracking is not an exact science. Sometimes luck is on your side, and sometimes not. By gathering as many encrypted packets as possible, you'll greatly increase your chances of finding the key; raising the fudge factor might help, too (especially in case of a 40-bit WEP key). How do I know when aircrack finds the key ? Your screen will look like:aircrack 2.1 * Got 286716! unique IVs | fudge factor = 2 * Elapsed time [00:00:03] | tried 1 keys at 20 k/m KB depth votes 0 0/ 1 DA( 60) 70( 23) 55( 15) A2( 5) CD( 5) 3E( 4) 1 0/ 2 BD( 57) 2A( 32) 29( 22) 1D( 13) F9( 13) 9F( 12) 2 0/ 1 8C( 51) 67( 23) 48( 15) DD( 15) D6( 13) FA( 12) 3 0/ 3 1D( 30) A5( 17) 07( 15) 7B( 12) 4B( 10) 63( 10) 4 0/ 1 43( 66) B1( 15) D2( 6) 1A( 5) 20( 5) 21( 5) 5 0/ 5 92( 27) 23( 25) 02( 18) 2F( 17) C1( 16) 36( 12) 6 0/ 1 C6( 51) 54( 17) 50( 15) 66( 15) 01( 13) 4A( 13) 7 0/ 2 84( 29) C0( 17) EE( 13) 80( 12) 49( 11) F6( 11) 8 0/ 1 81(1808) 09( 119) 99( 116) 32( 75) 49( 75) 9D( 65) 9 0/ 1 C4(1947) E1( 125) FC( 123) BD( 105) 8C( 98) 2F( 85) 10 0/ 1 8A( 580) 41( 120) 18( 93) ED( 85) B0( 65) 97( 60) 11 0/ 1 08( 97) FF( 29) 5D( 20) 1E( 17) 18( 15) 5E( 15) 12 0/ 1 1B( 145) DD( 21) 46( 20) 1C( 15) 76( 15) 07( 13) KEY FOUND! [ DABD8C1D4392C68481C48A081B ] First of all, you have to put the wireless interface in monitoring mode; for example, if you have a Prism2 card and use linux-wlan-ng: How can I run aircrack in the background ? For this purpose, you may use the "screen" program. There's not enough wireless traffic, what can I do ? If you control a host inside the wlan, you may start a ping flood with ping -f. Which cards are supported under Windows ?
How do I know which chipset my card has ? Have a look at: Is it necessary to install a specific driver ? Yes. Are additionnal files required to run airodump ? Yes. You'll need PEEK.DLL and PEEK5.SYS from AiroPeek. PEEK.DLL itself depends on MSVCR70.DLL - search Google for "index +of msvcr70" (without the quotes ;-). All these files should be put in the same directory as airodump.exe. Where can I download the PEEK files ? Thanks to Michigan Wireless, you can download in their tools section the peek driver. What is the problem with Aironet and Prism2 cards ? The 802.11 header appears to be correct, but the encrypted data itself gets corrupted, probably because of the drivers. These cards can be used for wardriving purposes, but are useless for WEP cracking under Windows. How do I force my Prism2 card to use the Agere driver ? Open the hardware manager, select your card, "Update the driver", select "Install from a specific location", select "Don't search, I will choose the driver to install", click "Have disk", set the path to where the Agere drivers have been unzipped, uncheck "Show compatible hardware", and finally choose the "D-link Air DWL-660 Wireless PC Card" - answer yes to the warning message. If airodump doesn't appear to work with the D-link, maybe try with the "Samsung SEW-2001p Card". How can I generate some wireless traffic ? From a machine located inside the wireless lan, start ICMP Ping Flood with a large number of pings and a timeout of 0. Do not modify the default value for the packet size (64) which is fine. How do I recover my WEP key from XP's Wireless Zero Configuration tool ? You can use the WZCOOK program included in the latest aircrack distribution. This is experimental software, so it may or may not work depending on your service pack level. Does WZCOOK also recovers WPA keys ? WZCOOK will display the PMK (Pairwise Master Key), a 256-bit value which is the result of your passphrase hashed 4096 times together with the ESSID and the ESSID length. You can't recover the passphrase itself except by performing a bruteforce attack on the PMK. However, knowing the PMK is (in theory) enough to connect to a WPA-protected wireless network.
|