aircrack documentation

Table of contents

General questions

Linux questions

Windows questions

Special thanks to

General questions

What is aircrack ?

aircrack is a 802.11 WEP key cracker. It implements the so-called Fluhrer - Mantin - Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. When enough encrypted packets have been gathered, aircrack can almost instantly recover the WEP key.

How does aircrack work ?

Every WEP encrypted packet has an associated 3-byte initialization vector (IV). Some IVs leak information about a certain byte of the key, thus statistically the correct key emerges when a sufficient number of IVs have been collected.

Is aircrack different from AirSnort ?

It it much more efficient. AirSnort requires more than four million unique IVs to crack a 104-bit WEP key, whereas aircrack only needs many times less IVs. Additionnaly, post-2002 wifi equipments filter the "interesting" IVs AirSnort relies on; on the other hand, aircrack can break a WEP key without the need for said IVs.

How many packets are needed to recover a WEP key ?

It really depends on your luck and the way the IVs are distributed. Most of the time, one million unique IVs (thus ~2M packets) are enough. If you're very lucky only 500K IVs may be required; and if you're out of luck you could need around 1.5M-2M unique IVs.

The sniffer I use is unable to capture any IVs !

Obviously, you won't be able to capture encrypted data packets if there is no wireless traffic... see question There's not enough wireless traffic, what can I do ? Also, don't bother trying to crack a 11g network if all you have is a 11b card ;-)

I've got x million packets but aircrack doesn't find the key.

WEP cracking is not an exact science. Sometimes luck is on your side, and sometimes not. By gathering as many encrypted packets as possible, you'll greatly increase your chances of finding the key. Also, raising the fudge factor might help.

How do I know when aircrack finds the key ?

Your screen will look like: 

                                 aircrack 2.0

   * Got  569238! unique IVs | fudge factor = 4
   * Elapsed time [00:00:05] | tried 2 keys at 24 k/m

   KB    depth   votes
    0    0/  1   5C(  59) 87(  12) B8(  12) 93(  10) 81(   8) 1F(   5)
    1    0/  2   95( 133) 9B(  52) 56(  25) 33(  13) 55(  13) 58(  12)
    2    0/  1   97( 154) 8F(  20) 41(  13) BB(  13) BC(  13) 25(  12)
    3    0/  1   F3( 182) 1C(  18) EE(  18) 5A(  12) EB(  12) E9(   9)
    4    0/  1   C8( 131) DE(  20) 28(  15) FB(  15) F6(  13) 9C(  11)
    5    0/  1   24( 175) 52(  12) 21(  11) 2B(  11) 57(  11) 78(  11)
    6    0/  6   59(  58) F9(  43) 69(  26) ED(  19) C7(  18) 6B(  15)
    7    0/  8   07(  56) 64(  23) 2E(  22) E8(  22) C2(  19) C5(  19)
    8    0/  2   EA( 120) 4D(  32) 2A(  23) B6(  23) 4C(  20) 7F(  15)
    9    0/  1   71( 142) E0(  26) 8F(  19) 8B(  16) 00(  13) 34(  12)
   10    0/  1   A8( 181) 06(  33) D8(  31) E0(  23) DF(  21) 10(  18)
   11    1/  2   9D( 313) C9( 190) 2A(  85) 71(  79) 54(  75) 29(  71)
   12    0/  1   9D( 162) F1(  23) 17(  21) 1B(  20) A9(  18) 9F(  17)

                 KEY FOUND! [5C:95:97:F3:C8:24:59:07:EA:71:A8:9D:9D]

Linux questions

How do I capture packets ?

First of all, you have to put the wireless interface in monitoring mode; for example, if you have a Prism2 card and use linux-wlan-ng: 

# wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable
# wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=<AP channel>

# ifconfig wlan0 up
# airodump wlan0 wlan.pcap

Alternatively, if your driver is compatible with the wireless tools: 

# iwconfig wlan0 mode Monitor
# iwconfig wlan0 channel <AP channel>
# ifconfig wlan0 up
# airodump wlan0 wlan.pcap

However, if you use an old (patched) version of the Orinoco driver you must issue this command: 

# iwpriv eth0 monitor 1 <AP channel>

I'd recommend you use airodump instead of tcpdump, because it can handle large (> 2 GB) capture files, and displays more meaningful information about each AP (ESSID, total # of unique IVs ...). Note that you can run both airodump and Kismet at the same time, but in this case it is suggested to lock channel hopping ('L' in Kismet). For wardriving purposes, I've included a shell script (chopper.sh) you can use to hop between 11b/11g channels.

How can I run aircrack in the background ?

For this purpose, you may use the "screen" program.

  • Starting a new session: screen -t title
  • Detaching a session: Ctrl-a <release> d
  • Reattaching a session: screen -r

There's not enough wireless traffic, what can I do ?

If you control a host inside the wlan, you may start a ping flood with ping -f.

Otherwise, you can launch a replay attack based on arp-request packets. Although we cannot say for sure that a packet is one of those (since the data is encrypted), such packets have a fixed length and can be spotted easily. By resending these packets again and again, the other host will respond with encrypted replies thus providing new and possibly weak IVs.

First of all, you have to sniff long enough to get some potential arp- request packets. Then you'll need two wireless cards: card #0 will resend the packets over the air, and card #1 will monitor the encrypted replies. These cards must be at least 50cm away from each other!

If you are far from the Access Point, I suggest you use two strong directionnal antennas and wireless cards with a high output power; otherwise you'll mostly see the very packets that you're resending.

We are going to use HostAP's wlan0ap interface in Master mode on the same channel as the legitimate AP we're trying to crack (thanks to the guy who wrote airpwn for this tip).

  • Step 0: patch and recompile HostAP 

    # wget http://hostap.epitest.fi/releases/hostap-driver-0.2.4.tar.gz
# tar -xvzf hostap-driver-0.2.4.tar.gz
# cd hostap-driver-0.2.4
# patch -Np1 -i ../aircrack-2.0.2/rawsend.patch
# make && make install
# /etc/init.d/pcmcia restart

  • Step 1: monitor the WLAN for arp-requests

    See question How do I capture packets ? above.

  • Step 2: Start the attack 

    # iwpriv wlan0 hostapd 1
# iwpriv wlan0ap host_encrypt 1
# iwpriv wlan0ap host_decrypt 1
# iwconfig wlan0ap retry 1
# iwconfig wlan0ap mode Master
# iwconfig wlan0ap key 01:02:04:08:10
# iwconfig wlan0ap channel <AP channel>
# ifconfig wlan0 hw ether <some random MAC>
# ifconfig wlan0ap up
# aireplay wlan0ap replay.pcap

    If airepleay says it has 0 potential arp-requests, you must go back to step 1. 

    # iwconfig wlan1 mode Monitor
# iwconfig wlan1 channel <AP channel>
# ifconfig wlan1 up
# airodump wlan1 replies.pcap

Windows questions

Which cards are supported under Windows ?

FULLY SUPPORTEDOrinoco (Hermes), Atheros, Realtek
MOSTLY SUPPORTEDSymbol24, Prism2, Aironet
NOT SUPPORTEDUSB/PCI cards, Prism54 (GT), Broadcom, TI, Centrino

How do I know which chipset my card has ?

Have a look at:

http://www.linux-wlan.org/docs/wlan_adapters.html.gz

A Google search (like, "wpc54g+chipset") may also help.

Is it necessary to install a specific driver ?

Yes.

Are additionnal files required to run airodump ?

Yes. You'll need PEEK.DLL and PEEK5.SYS from AiroPeek. Also, you may need MSVCR70.DLL - search Google for "index +of msvcr70". All these files should be put in the same directory as airodump.exe

What is the problem with Aironet and Prism2 cards ?

The 802.11 header appears to be correct, but the encrypted data itself gets corrupted, probably because of the drivers. These cards can be used for wardriving purposes, but are useless for WEP cracking under Windows.

How do I force my Prism2 card to use the Agere driver ?

Open the hardware manager, select your card, "Update the driver", select "Install from a specific location", select "Don't search, I will choose the driver to install", click "Have disk", set the path to where the Agere drivers have been unzipped, uncheck "Show compatible hardware", and finally choose the "D-link Air DWL-660 Wireless PC Card" - answer yes to the warning message. If airodump doesn't appear to work with the D-link, maybe try with the "Samsung SEW-2001p Card".

When using the Agere driver, your Prism2 card can only be used in monitor mode - for some reason, the driver fails to work in managed mode.

How can I generate some wireless traffic ?

From a machine located inside the wireless lan, start ICMP Ping Flood with a large number of pings and a timeout of 0.

How do I recover my WEP key from XP's Wireless Zero Configuration tool ?

You can use the WZCOOK program included in the latest aircrack distribution. This is experimental software, so it may or may not work depending on your service pack level.

Special thanks to:

  • Jouni Malinen for developing the hostap driver
  • Dag Wieers for producing RPM packages of aircrack
  • KoreK for sharing the code of his WEP attacks
  • Erik Winkler for his help in testing and debugging
  • aminal for helping me solve the check_wepkey bug
  • Konstantin Gavrilenko for sending me a copy of Wi-Foo
  • b0nk for his work on optimizing the aireplay attack
  • Joshua Wright for improving arp-requests detection
  • RaiD and Tubez for testing airodump with an Atheros
  • sylvain for his helpful feedback concerning aircrack
  • Alberto Koelie for testing airodump with his Realtek
  • Colin Stubbs for fixing a bug in the iteraction code
  • all the many people who took time to test airodump,
    aireplay and aircrack... you know who you are :-)